(Last updated: April 2019)
This Data Processing Addendum amends any underlying agreement only to the extent required for the Processing of Personal Data
1.1. Controller: Further defined as the natural or legal person, public authority, agency or other body which determines the purposes and means of the Processing of Personal Data.
1.2. EU: The European Union
1.3. GDPR: General Data Protection Regulation of the EU
1.4. Member State: A member state of the EU
1.5. Personal Data: Any information relating to an identified or identifiable natural person (Data Subject) that is available to the Processor or a Subprocessor as a direct or indirect result of the provision of services by the Processor to the Controller
1.6. Personal Data Breach: A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed
1.7. Processing: Any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means and whether or not on behalf of the Controller, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction
1.8. Processor: Further defined as the natural or legal person, public authority, agency or other body who Processes Personal Data on behalf of the Controller
1.9. Standard Data Protection Clauses: Clauses that can be used as appropriate safeguards when transferring Personal Data to countries without an adequate level of protection; as further defined in article 46(2)(c) GDPR and article 46(2)(d) GDPR
1.10. Subprocessor: A natural or legal person, public authority, agency or body other than the Data Subject who, under contract with the Processor, indirectly Processes Personal Data on behalf of the Controller
1.11. Supervisory Authority: An independent public authority which is established by a Member State pursuant to Article 51 of the GDPR
The definitions in this article should, as far as possible, be interpreted in line with the GDPR.
2.1. The Controller has engaged the Processor to perform and deliver certain services which may require the Processor to Process Personal Data on behalf of the Controller.
2.2. Appendix A is an integral part of this agreement and contains details about the Processing of Personal Data by the Processor.
2.3. Appendix B is an integral part of this agreement and contains contact details of the main contact persons of both Parties and the data protection officers of both Parties (if appointed).
2.4. The Processor shall comply with applicable laws and regulations.
3.1. The Processor agrees that it shall only carry out Processing of Personal Data on instructions of the Controller as set out in this agreement or as otherwise notified by the Controller to the Processor during the term of this agreement. All instructions for the Processing of Personal Data by the Processor must be in writing.
3.2. The Processor may Process the Personal Data outside of the instructions of the Controller if the Processor is required to do so by EU or Member State laws or regulations to which the Processor is subject; in such a case, the Processor shall inform the Controller of that legal requirement before Processing, unless those laws or regulations prohibit such information on important grounds of public interest.
4.1. The Processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. These measures include, among other measures, as appropriate:
4.2. The Processor shall in assessing the appropriate level of security take into account in particular the risks that are presented by Processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data transmitted, stored or otherwise Processed.
4.3. The Processor shall take steps to ensure that any natural person acting under the authority of the Processor who has access to Personal Data does not Process them except on instructions from the Controller, unless he or she is required to do so by EU or Member State laws or regulations. The Processor will obligate those natural persons to inform it of any Processing outside of the instructions of the Controller based on such a requirement; any information received by the Processor under this obligation will be relayed to the Controller.
5.1. The Processor shall designate, as the case may be, a Data Protection Officer as prescribed in the GDPR.
5.2. The Processor shall ensure that persons authorised to Process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
5.3. The Processor shall ensure the reliability and integrity of any employees who have access to Personal Data and that all employees involved in the Processing of Personal Data have undergone adequate training in the care, protection and handling of Personal Data.
6.1. The Processor shall promptly refer to the Controller, any queries from Data Subjects whose Personal Data is being Processed, the Supervisory Authority or any other law enforcement authority, for the Controller to resolve.
6.2. The Processor shall at no additional cost, promptly provide such information and assistance to the Controller as the Controller may reasonably require to allow it to comply with requirements of the GDPR, including, but not limited to, information and assistance relating to Data Subjects' access to Personal Data, Personal Data Breaches, data protection impact assessments or any relevant information or assessment notices served by the Supervisory Authority.
6.3. The Processor, upon request, makes available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this agreement. With regards to this clause, the Processor shall immediately inform the Controller if, in its opinion, an instruction infringes the GDPR or other EU or Member State data protection provisions.
7.1. The Processor assists the Controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller's obligation to respond to requests for exercising the Data Subject's rights laid down in Chapter III of the GDPR, such as the rights to access and erasure.
8.1. The Processor shall notify the Controller of any Personal Data Breach, as soon as it becomes aware or has a reasonable suspicion of any Personal Data Breach and keep the Controller informed of any related actions or developments.
8.2. In the case of a Personal Data Breach the Processor will assist the Controller in meeting its obligations under articles 33 and 34 of the GDPR to inform the competent Supervisory Authority and Data Subjects.
9.1. The Processor will not Process or permit the Processing of Personal Data outside the EU unless:
9.2. The Processor will not use Standard Data Protection Clauses to legitimize the transfer of Personal Data outside of the EU, unless, and only in so far as, it is explicitly allowed by the European Commission and/or Supervisory Authority to amend and merge the Standard Data Protection Clauses with other clauses.
10.1. The Processor may only subcontract the Processing of Personal Data under this agreement to a Subprocessor if the Processor:
10.2. The Controller has the right to receive a copy, upon request, of all data processing agreements with Subprocessors that are related to the Processing of Personal Data.
10.3. The Controller may require the Processor by notice in writing to cease or suspend the Subcontracting of the Processing of Personal Data to the Subprocessor if, in the Controller's reasonable opinion, the Subprocessor is unable to comply with the terms of the Subcontractor’s agreement with the Processor.
10.4. A current list of Subprocessors is provided in Appendix B.
11.1. Upon reasonable request of the Controller, the Processor agrees to submit its data Processing facilities, data files and documentation needed for Processing Personal Data (and/or those of its agents, affiliates and Subprocessors) to reviewing, auditing and/or certifying by the Controller (or any independent or impartial inspection agents or auditors, selected by the Controller and not reasonably objected to by the Processor) to ascertain compliance with the warranties and undertakings in this agreement, with reasonable notice and during regular business hours. With regards to this clause, the Processor shall immediately inform the Controller if, in its opinion, a request infringes the GDPR or other EU or Member State data protection provisions.
12.1. If any part of Personal Data ceases to be required by the Processor for the performance of its obligations under this agreement, or on termination or expiry of the agreement (whichever is earlier), the Processor shall at the express choice of the Controller (but not otherwise), either return to the Controller all Personal Data that has been obtained or collected in providing the services under this agreement, or delete or destroy all copies of the Personal Data in the Processor's possession or control and certify to the Controller that it has done so, unless EU or Member State laws or regulations imposed upon the Processor prevent the return or destruction of all or part of the Personal Data. In that case, the Processor shall continue to ensure the confidentiality of Personal Data in its possession and will not actively Process such data any further.
13.1. Each Party to this agreement will indemnify the other against all losses, liabilities, damages, fines (including those from Supervisory Authorities), claims, costs (including legal and other professional costs) and expenses which the other may suffer or incur arising out of or in connection with the failure of the indemnifying Party to comply with any of its obligations in this agreement.
14.1. This Agreement can only be amended by a written and signed agreement between the Parties.
15.1. This agreement will be effective from the later of (a) 25th May 2018; or (b) the date on which the parties agree to the underlying agreement.
15.2. This agreement will terminate automatically upon termination of the underlying agreement.
The Processor may need to Process the following Personal Data relating to employees, contractors, suppliers and customers of the Controller while delivering services:
Name, Email Address, Phone Number, Address, Username and IP Address.
The Personal Data may need to be Processed for the following purposes:
We may use the following subprocessors to assist in providing our services.
We use Datto to deliver, manage and maintain your backup, continuity and disaster recovery services. The Personal Data we process in Datto may include names and email addresses. You can find out more about Datto GDPR compliance here.
We use DeliverySlip to deliver, manage and maintain your Secure Email Suite services. The Personal Data we process in DeliverySlip may include names and email addresses. You can find out more about DeliverySlip GDPR compliance here.
We use Google G Suite to manage our email, calendars and contacts; to store our files in Google Drive; to communicate using Hangouts; and to retain and delete data using Google Vault. The Personal Data we process in Google may include names, email addresses, phone numbers and addresses. You can find out more about Google GDPR compliance here.
We use IT Glue to manage and maintain technical documentation. The Personal Data we process in IT Glue may include names, email addresses, phone numbers, addresses, usernames and IP addresses. You can find out more about IT Glue GDPR compliance here.
We use Kaseya BMS to manage our contractual arrangements with clients and the services that we provide. The Personal Data we process in Kaseya BMS may include names, email addresses, phone numbers, addresses and usernames. You can find out more about Kaseya BMS GDPR compliance here.
We use Mailchimp to send service announcements to clients. The Personal Data we process in Mailchimp may include names and email addresses. You can find out more about Mailchimp GDPR compliance here.
We use Microsoft to deliver, manage and maintain your Office 365 services. The Personal Data we process in Microsoft may include names, email addresses and usernames. You can find out more about Microsoft GDPR compliance in their Online Services Terms (OST), which can be downloaded here.
We use NinjaRMM to monitor your computers. The Personal Data we process in NinjaRMM may include names, usernames and IP addresses. You can find out more about NinjaRMM GDPR compliance here.
We use Quotient to provide online quotations. The Personal Data we process in Quotient may include names and email addresses. You can find out more about Quotient GDPR compliance here.
We use Reflexion to deliver, manage and maintain your email protection and archival services. The Personal Data we process in Reflexion may include names and email addresses. You can find out more about Reflexion GDPR compliance here.
We use SkyKick to deliver, manage and maintain your cloud backup for Office 365 services. The Personal Data we process may include names and email addresses. You can find out more about SkyKick GDPR compliance here.
We use Vade Secure to deliver, manage and maintain your email security for Office 365 services. The Personal Data we process may include names and email addresses. You can find out more about Vade Secure compliance here.
We use Xero to manage our financial accounting information, including invoicing. The Personal Data we process in Xero may include names, email addresses, phone numbers and addresses. You can find out more about Xero GDPR compliance here.
Morley IT Solutions
Basepoint Business Centre
Metcalf Way, Crawley
RH11 7XX
01293 850520 | hello@morleyit.com
© Copyright 2021 Morley IT Solutions