Data Processing Agreement
This Data Processing Agreement (the “DPA”) is made by and between:
(1) THRIVE LEARNING LIMITED incorporated and registered in England and Wales with company number 10988277 whose registered office is at Red Brick Barn, 61 Caythorpe Road, Caythorpe, Nottingham, England, NG14 7EB (Supplier)
(2) [FULL COMPANY NAME] incorporated and registered in England and Wales with company number [NUMBER] whose registered office is at [REGISTERED OFFICE ADDRESS] (Customer)
Each of THRIVE and the Customer is referred to as a “Party” and, jointly, as the “Parties”.
(A) The Customer has entered into, or will enter into, an agreement with Supplier for the supply of products and/or services (the “Services”). Supplier’s provision of the products and/or services involves the processing of personal data by Supplier on behalf of the Customer.
(B) The Parties have entered into this DPA to comply with the requirements of Data Protection Legislation (as defined below).
The Parties therefore agree as follows:
1. Definitions and Interpretation
1.1 Definitions: The following definitions and rules of interpretation apply in this DPA.
Agreement: the agreement between the Customer and the Supplier for the provision of the Services, incorporating this DPA.
Commissioner: the Information Commissioner (see Article 4(A3), UK GDPR and section 114, DPA 2018).
Controller, Processor, Data Subject, Personal Data, Personal Data Breach and Processing: have the meanings given to them in the Data Protection Legislation.
Data Protection Legislation: all applicable data protection and privacy legislation in force from time to time in the UK including without limitation the UK GDPR; the Data Protection Act 2018 (and regulations made thereunder) (DPA 2018); and the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426) as amended; and all other legislation and regulatory requirements in force from time to time which apply to a party relating to the use of Personal Data (including, without limitation, the privacy of electronic communications).
Data Subject: the identified or identifiable living individual to whom the Personal Data relates.
EEA: the European Economic Area.
Personal Data: means any information relating to an identified or identifiable living individual that is processed by the Supplier on behalf of the Customer as a result of, or in connection with, the provision of the services under the Agreement; an identifiable living individual is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual.
Records: has the meaning given to it in Clause 10.
Term: the term of this DPA as defined in Clause 11.
UK GDPR: has the meaning given to it in section 3(10) (as supplemented by section 205(4)) of the DPA 2018.
1.2 Interpretation: (a) This DPA is subject to the terms of the Agreement and is incorporated into the Agreement. Interpretations and defined terms set forth in the Agreement apply to the interpretation of this DPA; (b) A reference to writing or written includes email but not fax.
2. Processing of Personal Data
2.1 The Customer is the controller of the Personal Data processed under this DPA (hereinafter “Personal Data”) and the Supplier is the processor of such Personal Data.
2.2 Each party undertakes to the other party to comply with all obligations laid down in the Data Protection Legislation, applicable to that party from time to time.
2.3 The Customer retains control of the Personal Data and remains responsible for its compliance obligations under the Data Protection Legislation, including but not limited to providing any required notices and obtaining any required consents, and for the written processing instructions it gives to the Supplier. The categories of Personal Data subject to this DPA are specified in Appendix 1, which forms part of this DPA. Without prejudice to this list, any other personal data processed by the Supplier on behalf of the Customer in the course of performing the Agreement shall be subject to this DPA.
3. Controller’s instructions
3.1 The Supplier shall only process Personal Data on documented instructions from the Customer, or otherwise in accordance with this DPA.
3.2 The Supplier shall immediately inform the Customer in writing (including by email), if at any time, in its opinion, instructions are deficient and/or if any instructions are contrary to the Data Protection Legislation.
3.3 Subject to clause 3.2, if the Supplier cannot comply with the Customer’s instructions for whatever reason, it shall promptly inform the Customer of its inability to comply, in which case the Customer is entitled to suspend or terminate the Agreement without any penalty.
4. Obligations of the Data Processor
4.1 The Supplier shall ensure that its personnel and sub-contractors shall have access to the Personal Data in order to meet the Supplier's obligations under this DPA and/or the Agreement. Those employees and/or sub-contractors shall have appropriate training and instructions regarding the processing of personal data and confidentiality. The Supplier shall keep the Personal Data confidential, save where disclosure is required by law or pursuant to an order of a court or other body of competent jurisdiction.
4.2 The Supplier shall, taking into account the nature of the processing, implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk in accordance with the Data Protection Legislation.
4.3 The Supplier shall reasonably assist the Customer in ensuring compliance with its obligations pursuant to the Data Protection Legislation, taking into account the nature of the processing and the information available to the Supplier.
4.4 Upon request, the Supplier shall make available to the Customer all information necessary to demonstrate compliance with the obligations laid down in this DPA and the Data Protection Legislation.
5. Personal data breaches
5.1 The Supplier shall promptly, and in no case later than 36 hours after having become aware of it, notify the Customer of any Personal Data Breach.
5.2 The Supplier shall provide the Customer with all available information pertaining to such Personal Data Breach within 72 hours, including at least the following matters, taking into account the nature of the processing and the information available to the Supplier:
(a) the nature of the Personal Data Breach including, where possible, the categories and approximate number of Data Subjects concerned, and the categories and approximate number of Personal Data records concerned;
(b) the likely consequences of the Personal Data Breach;
(c) the measures taken or proposed to be taken by the Supplier, as well as any measures suggested to be taken by the Customer (where applicable), to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.
5.3 Immediately following any accidental, unauthorised or unlawful Personal Data processing or Personal Data Breach, the parties will co-ordinate with each other to investigate the matter. Further, the Supplier will reasonably co-operate with the Customer at no additional cost to the Customer, in the Customer's handling of the matter, including but not limited to:
(a) assisting with any investigation;
(b) providing the Customer with physical access to any facilities and operations affected;
(c) facilitating interviews with the Supplier's employees, former employees and others involved in the matter including, but not limited to, its officers and directors;
(d) making available all relevant records, logs, files, data reporting and other materials required to comply with all Data Protection Legislation or as otherwise reasonably required by the Customer; and
(e) taking reasonable and prompt steps to mitigate the effects and to minimise any damage resulting from the Personal Data Breach or accidental, unauthorised or unlawful Personal Data processing.
5.4 The Supplier will not inform any third-party of any accidental, unauthorised or unlawful processing of all or part of the Personal Data and/or a Personal Data Breach without first obtaining the Customer's written consent, except when required to do so by domestic law.
5.5 The Supplier agrees that the Customer has the sole right to determine:
(a) whether to provide notice of the accidental, unauthorised or unlawful processing and/or the Personal Data Breach to any Data Subjects, the Commissioner, other in-scope regulators, law enforcement agencies or others, as required by law or regulation or in the Customer's discretion, including the contents and delivery method of the notice; and
(b) whether to offer any type of remedy to affected Data Subjects, including the nature and extent of such remedy.
5.6 The Supplier will cover all reasonable expenses associated with the performance of the obligations under clause 5.2 to clause 5.4 unless the matter arose from the Customer's specific written instructions, negligence, wilful default or breach of this DPA and/or the Agreement, in which case the Customer will cover all reasonable expenses, directly incurred by it.
5.7 The Supplier will also reimburse the Customer for actual reasonable directly incurred expenses that the Customer incurs when responding to an incident of accidental, unauthorised or unlawful processing and/or a Personal Data Breach to the extent that the Supplier caused such, including all costs of notice and any remedy as set out in clause 5.4.
6. Data access requests
6.1 The Supplier shall promptly notify the Customer and shall as soon as practicable provide the Customer with all information pertinent thereto, in case of: (i) any third party (including organisations or associations) requests or complaints regarding the processing of Personal Data by the Supplier on behalf of the Customer; or (ii) any supervisory authority or government requests for access to, information about, audit concerning, or any other regulatory action (including only notice of intent) concerning the processing of Personal Data undertaken by the Supplier pursuant to the Agreement. In the event the Supplier directly receives such a request or complaint, the Supplier shall within three business days notify the Customer and shall in no event respond directly, unless with the Customer’s prior written instruction, or save where the Supplier is required to do so by law.
7. Use of Sub-processors
7.1 The Supplier may continue to use those sub-processors already engaged by Supplier as at the date of this DPA, an up-to-date list of which is publicly available at: https://www.thrivelearning.com/privacy-policy/sub-processors-list/
7.2 The Customer shall authorise the Supplier to engage additional third party processors (sub-processors) to process the Customer’s Personal Data in order to deliver the Services. The parties intend that the Supplier shall have general authorisation to appoint sub-processors as defined in Article 28 of the GDPR, based on the specific criteria set out in this clause.
7.3 If the Supplier wishes to engage additional sub-processors, it shall inform the Customer of any intended changes by giving the Customer at least 30 days prior written notice of the changes, to provide the Customer with the opportunity to object.
7.4 During the 30 day notification period, the Customer is able to present any objections to the sub-processor’s introduction. In the event of such an objection, the Parties will work in good faith to attempt to mutually resolve the matter.
7.5 If the Customer does not object to the change(s) within thirty (30) days of the date of its receipt of notice, then the amendment(s) in the notice and the use of the new Sub-processor will be deemed accepted by the Customer.
7.6 The Supplier shall ensure that appropriate data protection obligations as set out in this DPA are imposed on any sub-processors, aiming to ensure at least equivalence with the Supplier’s own controls.
8. Transfer of data to third countries or international organisations
8.1 The Supplier may only transfer Personal Data without the written permission of the Customer to a location outside of the EEA provided it complies with the Criteria and the provisions of this clause 8 (in each case a “Transfer”).
8.2 The Supplier may effect a Transfer where:
(a) a UK data adequacy decision exists for the relevant destination country; or
(b) it has implemented a Transfer solution compliant with the GDPR, for example where a derogation pursuant to Article 49 of the GDPR applies or an appropriate Transfer Mechanism under the UK or EU GDPR is used, such as an International Data Transfer Agreement; and
(c) the transfer is made to a sub-processor acting as an employer-of-record for the Supplier’s personnel, and the individuals with access are operating directly and exclusively under the Supplier’s governance and controls.
9. Audit Rights and Locations
9.1 The Supplier shall permit the Customer and its third party representatives to audit the Supplier’s compliance with this DPA on at least 5 days’ notice during the Term. The Supplier will give the Customer and its third party representatives all necessary assistance to conduct the audits.
9.2 The Customer's auditors and other representatives shall comply with Supplier's reasonable work rules, policies, procedures, security requirements and standards when conducting site visits.
9.3 Where the Customer’s requests require more than 1 business day to fulfil, the Supplier may charge a reasonable fee for supporting audits.
10. Records
10.1 The Supplier shall keep detailed and up-to-date written records regarding any processing of the Personal Data, including but not limited to the access, control and security of the Personal Data, the processing purposes, the categories of processing and a general description of the technical and organisational security measures referred to in this DPA (Records).
10.2 The Supplier shall ensure that the Records are sufficient to enable the Customer to verify the Supplier’s compliance with its obligations under this DPA and the Data Protection Legislation.
11. Contract term and termination
11.1 Subject to the remaining provisions of this clause 11.1, the Supplier shall, at the election of the Customer, delete or return any Personal Data processed on behalf of the Customer to the Customer after the end of the provision of Services, and delete any accessible copies. Note that backups are maintained for up to 6 months.
12. Breach and Liability
12.1 Breaches of this DPA shall be treated as breaches of the Agreement.
12.2 The liability limits in the Agreement shall apply in respect of any breaches of this DPA.
13. General Provisions
13.1 Attachments. The Appendices attached to this DPA are part of this DPA. In case of a conflict between the terms of such Appendices and the terms of this DPA, the terms of this DPA shall prevail.
13.2 Amendment and Waiver. No amendment of this DPA will be effective unless it is in writing and signed by both Parties. A waiver of any default is not a waiver of any later default and will not affect the validity of this DPA.
13.3 Assignment. Neither Party may assign any rights or delegate any obligations under this DPA without the other Party’s written consent.
13.4 Severability. In case individual provisions of this DPA are ineffective, become ineffective, or are unenforceable, the remaining provisions shall remain unaffected. The Parties shall negotiate in good faith to agree replacement provisions for any that are ineffective or unenforceable.
13.5 Governing Law and Jurisdiction. The provisions of this DPA shall be governed by and construed in accordance with the laws of England and Wales. The parties hereby submit to the exclusive jurisdiction of the courts of England and Wales to settle any dispute or claim (whether contractual or non-contractual).
This Agreement has been entered into on the date stated below.
Signed by [NAME OF DIRECTOR]
Signed by [NAME OF DIRECTOR]
Appendix 1 to DPA: Processing Instructions
1. Categories of personal data
The Supplier will process the following types of personal data:
(a) full name, login name, e-mail address and preferred language;
(b) employer, job role and line manager.
2. Categories of data subjects
The personal data concern the following categories of data subjects:
(a) Customer employees
3. Duration of processing
The data will be processed and retained for the duration of the Agreement. Where a user account has been deactivated, personal data will be anonymised (removal of all personal data) and the information will be used for statistical purposes.
4. Subject matter, nature and purpose of processing
Collection, capture, analysis and storage of PII to provide a learning and development SaaS platform.
5. Sub-processors and place of processing
A full and current list of sub-processors, their functions, and locations is available at: https://www.thrivelearning.com/privacy-policy/sub-processors-list/.
6. Technical and organisational security measures
The Supplier shall implement the technical and organisational security measures available at https://www.thrivelearning.com/security-controls/.