Data Processing Agreement

1. DEFINITIONS

The following additional definitions shall apply in this DPA:

Controller, processor, data subject, personal data, personal data breach, processing and appropriate technical measures:  as defined in the Data Protection Legislation.

Customer Personal Data: the personal data which Relative Insight collects from its Customers and Authorised Users to enable them to use the Services and its website.

Data Protection Legislation: all applicable laws and regulations relating to the processing, protection, or privacy of Personal Data, including where applicable, the guidance and codes of practice issued by regulatory bodies in any relevant jurisdiction. (In the UK and EU this shall include the GDPR, the Data Protection Act 2018 and the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426) as amended or replaced from time to time.)

End Customer: the third parties referred to or otherwise featured in the Customer Data including without limitation the Customers’ end customers, users, survey participants and reviewers.

End Customer Personal Data: the personal data of the End Customers.

GDPR: means as applicable the UK GDPR which has the meaning given to it in section 3(10) (as supplemented by section 205(4)) of the Data Protection Act 2018) and the EU GDPR which means the General Data Protection Regulation ((EU) 2016/679);

Purpose: the purposes for which the End Customer Personal Data is processed as referred to in this DPA.

Sub-processors: Relative Insight’s sub-contractors referred to in its Privacy Policy which will process End Customer Personal Data on its behalf.

2. Both parties will comply with all applicable requirements of the Data Protection Legislation and this DPA is in addition to and does not relieve, remove or replace, a party’s obligations or rights under the same.
3. The parties have determined that, for the purposes of Data Protection Legislation:

3.1 Relative Insight shall act as controller in respect of the processing activities for the Customer Personal Data set out in Part 1 of the Annex; and

3.2 Relative Insight shall act as a processor on behalf of the Customer in respect of the processing activities for the End Customer Personal Data set out in Part 2 of the Annex.

3.3 With respect to the Customer Personal Data, by entering into this agreement, the Customer consents to (and shall procure all required consents, from its personnel, representatives and agents, in respect of) all actions taken by Relative Insight in connection with the processing of the Customer Personal Data, provided these are in compliance with the then-current version of Relative Insight’s privacy policy available at https://relativeinsight.com/privacy-policy/  (Privacy Policy).

3.4 With respect to the End Customer Personal Data, the Customer will ensure that:

3.4.1 the End Customer Personal data (including any special category data) whether obtained by the Customer or Relative Insight (on the Customer’s instructions) has been fairly and lawfully obtained with all necessary and appropriate consents in place and is accurate and up to date;

3.4.2 the End Customer Personal Data does not include personal data of children;

3.4.3 the Customer has included appropriate information in its fair processing notice to cover the processing under this Agreement and this notice has been communicated or made available to the End Customers;

3.4.4 the Customer is lawfully able to disclose the End Customer Personal Data to Relative Insight so that it can be lawfully processed by Relative Insight in accordance with the Privacy Policy and the terms of this Agreement.

3.5 In relation to the End Customer Personal Data, the Annex sets out the subject matter, nature, Purpose and duration of the processing and the types of personal data and categories of data subject being processed.

3.6 Relative Insight shall, in relation to the End Customer Personal Data:

3.6.1 process that End Customer Personal Data only on the documented instructions of the Customer, unless Relative Insight is required by Data Protection Legislation to otherwise process that End Customer Personal Data. Where Relative Insight is relying on Data Protection Legislation as the basis for processing End Customer Processor Data, Relative Insight shall notify the Customer of this before performing the processing unless the same prohibits it from notifying the Customer on important grounds of public interest. Relative Insight shall inform the Customer if, in the opinion of Relative Insight, the instructions of the Customer infringe Data Protection Legislation;

3.6.2 implement the technical and organisational measures described in the Privacy Policy to protect against unauthorised or unlawful processing of the End Customer Personal Data and against accidental loss or destruction of, or damage to, End Customer Personal Data, which the Customer has reviewed and confirms are appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures;

3.6.3 ensure that any personnel engaged and authorised by Relative Insight to process End Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory or common law obligation of confidentiality;

3.6.4 assist the Customer insofar as this is possible (taking into account the nature of the processing and the information available to Relative Insight), and at the Customer’s reasonable cost and written request, in responding to any request from a data subject and in ensuring the Customer’s compliance with its obligations under Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators;

3.6.5 notify the Customer without undue delay on becoming aware of a personal data breach involving the End Customer Personal Data; and

3.6.6 maintain records to demonstrate its compliance with this DPA and allow for reasonable audits by the Customer or the Customer’s designated auditor, for this purpose, on reasonable written notice.

3.7 The Customer hereby provides its prior, general authorisation for Relative Insight to appoint the Sub-Processors to process the End Customer Personal Data, provided that Relative Insight:

3.7.1 shall ensure that the terms on which it appoints such Sub-Processors comply with Data Protection Legislation, and are consistent with the obligations imposed on Relative Insight in this DPA;

3.7.2 shall remain responsible for the acts and omissions of any Sub-Processor as if they were the acts and omissions of Relative Insight; and

3.7.3 shall inform the Customer of any intended changes concerning the addition or replacement of Sub-Processors, thereby giving the Customer the opportunity to object (acting promptly, reasonably and in good faith towards Relative Insight) to such changes. If the Customer does not provide any objection within 7 days of the notice from Relative Insight regarding the proposed change to the Sub-Processors, without limiting any of its right or remedies under the Data Protection Legislation, the Customer shall be deemed to have consented to such changes. Where the Customer objects, Relative Insight will take reasonable steps to accommodate the Customer’s objection but if mutual agreement cannot be reached, either party may terminate the Agreement on written notice to the other party.

3.7.4 transfer End Customer Personal Data outside of the UK as required for the Purpose, provided that Relative Insight shall ensure that all such transfers are effected in accordance with Data Protection Legislation. For these purposes, the Customer shall promptly comply with any reasonable request of Relative Insight, including where applicable any request to enter into standard data protection clauses adopted by the EU Commission from time to time (where the EU GDPR applies to the transfer) or adopted by the UK Information Commissioner from time to time (where the UK GDPR applies to the transfer).

3.8 Subject to clauses 12.2 and 12.3, Relative Insight’s total aggregate liability in contract, tort (including negligence and breach of statutory duty howsoever arising), restitution, non-fraudulent misrepresentation or otherwise, arising in connection with any breach of this DPA shall be limited to a multiple of two times the value of the total fees paid or payable by the Customer to Relative Insight during the 12 months immediately preceding the date on which the claim arose.

Annex – Details of Processing

Part 1   Where Relative Insight acts as a controller of the Customer Personal Data

Types of personal data and processing activities:

Please see the following section of the Privacy Policy – ‘Processing to enable use of the Services’ under ‘How do we use your personal data?’

Part 2   Where Relative Insight acts as a processor of the End Customer Personal Data

Particulars of processing:

• Subject matter
  To provide the Services to the Customer for the duration of the Subscription Term.

• Nature and duration of the processing
  As described in the Privacy Policy.

• Purpose of processing
  The provision of the Services.

• Types of Personal Data
  All types of personal data as uploaded to the Software by the Customer, excluding personal data relating to children.

• Categories of Data Subject
  End Customers