Data Processing Agreement
The following additional definitions shall apply in this DPA:
Controller, processor, data subject, personal data, personal data breach, processing and appropriate technical measures: as defined in the Data Protection Legislation.
Customer Personal Data: the personal data which Relative Insight collects from its Customers and Authorised Users to enable them to use the Services and its website.
Data Protection Legislation: all applicable laws and regulations relating to the processing, protection, or privacy of Personal Data, including where applicable, the guidance and codes of practice issued by regulatory bodies in any relevant jurisdiction. (In the UK and EU this shall include the GDPR, the Data Protection Act 2018 and the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426) as amended or replaced from time to time.)
End Customer: the third parties referred to or otherwise featured in the Customer Data including without limitation the Customers’ end customers, users, survey participants and reviewers.
End Customer Personal Data: the personal data of the End Customers.
GDPR: means, as applicable, the UK GDPR (which has the meaning given to it in section 3(10) (as supplemented by section 205(4)) of the Data Protection Act 2018) and the EU GDPR, which means the General Data Protection Regulation ((EU) 2016/679);
Purpose: the purposes for which the End Customer Personal Data is processed as referred to in this DPA.
- Both parties will comply with all applicable requirements of the Data Protection Legislation and this DPA is in addition to and does not relieve, remove or replace, a party’s obligations or rights under the same.
- The parties have determined that, for the purposes of Data Protection Legislation:
3.1 Relative Insight shall act as controller in respect of the processing activities for the Customer Personal Data set out in Part 1 of the Annex; and
3.2 Relative Insight shall act as a processor on behalf of the Customer in respect of the processing activities for the End Customer Personal Data set out in Part 2 of the Annex.
3.4 With respect to the End Customer Personal Data, the Customer will ensure that:
3.4.1 the End Customer Personal Data (including any special category data) whether obtained by the Customer or Relative Insight (on the Customer’s instructions) has been fairly and lawfully obtained with all necessary and appropriate consents in place and is accurate and up to date;
3.4.2 the End Customer Personal Data does not include personal data of children;
3.4.3 the Customer has included appropriate information in its fair processing notice to cover the processing under this Agreement and this notice has been communicated or made available to the End Customers;
3.5 In relation to the End Customer Personal Data, the Annex sets out the subject matter, nature, Purpose and duration of the processing and the types of personal data and categories of data subject being processed.
3.6 Relative Insight shall, in relation to the End Customer Personal Data:
3.6.1 process that End Customer Personal Data only on the documented instructions of the Customer, unless Relative Insight is required by Data Protection Legislation to otherwise process that End Customer Personal Data. Where Relative Insight is relying on Data Protection Legislation as the basis for processing End Customer Processor Data, Relative Insight shall notify the Customer of this before performing the processing unless the same prohibits it from notifying the Customer on important grounds of public interest. Relative Insight shall inform the Customer if, in the opinion of Relative Insight, the instructions of the Customer infringe Data Protection Legislation;
3.6.3 ensure that any personnel engaged and authorised by Relative Insight to process End Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory or common law obligation of confidentiality;
3.6.4 assist the Customer insofar as this is possible (taking into account the nature of the processing and the information available to Relative Insight), and at the Customer’s reasonable cost and written request, in responding to any request from a data subject and in ensuring the Customer’s compliance with its obligations under Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators;
3.6.5 notify the Customer without undue delay on becoming aware of a personal data breach involving the End Customer Personal Data; and
3.6.6 maintain records to demonstrate its compliance with this DPA and allow for reasonable audits by the Customer or the Customer’s designated auditor, for this purpose, on reasonable written notice.
3.7 The Customer hereby provides its prior, general authorisation for Relative Insight to appoint the Sub-Processors to process the End Customer Personal Data, provided that Relative Insight:
3.7.1 shall ensure that the terms on which it appoints such Sub-Processors comply with Data Protection Legislation, and are consistent with the obligations imposed on Relative Insight in this DPA;
3.7.2 shall remain responsible for the acts and omissions of any Sub-Processor as if they were the acts and omissions of Relative Insight; and
3.7.3 shall inform the Customer of any intended changes concerning the addition or replacement of Sub-Processors, thereby giving the Customer the opportunity to object (acting promptly, reasonably and in good faith towards Relative Insight) to such changes. If the Customer does not provide any objection within 7 days of the notice from Relative Insight regarding the proposed change to the Sub-Processors, without limiting any of its rights or remedies under the Data Protection Legislation, the Customer shall be deemed to have consented to such changes. Where the Customer objects, Relative Insight will take reasonable steps to accommodate the Customer’s objection but if mutual agreement cannot be reached, either party may terminate the Agreement on written notice to the other party.
3.7.4 transfer End Customer Personal Data outside of the UK as required for the Purpose, provided that Relative Insight shall ensure that all such transfers are effected in accordance with Data Protection Legislation. For these purposes, the Customer shall promptly comply with any reasonable request of Relative Insight, including where applicable any request to enter into standard data protection clauses adopted by the EU Commission from time to time (where the EU GDPR applies to the transfer) or adopted by the UK Information Commissioner from time to time (where the UK GDPR applies to the transfer).
3.8 Subject to clauses 12.2 and 12.3, Relative Insight’s total aggregate liability in contract, tort (including negligence and breach of statutory duty howsoever arising), restitution, non-fraudulent misrepresentation or otherwise, arising in connection with any breach of this DPA shall be limited to a multiple of two times the value of the total fees paid or payable by the Customer to Relative Insight during the 12 months immediately preceding the date on which the claim arose.
Annex – Details of Processing
Part 1 Where Relative Insight acts as a controller of the Customer Personal Data
Types of personal data and processing activities:
Part 2 Where Relative Insight acts as a processor of the End Customer Personal Data
Particulars of processing:
- Subject matter
To provide the Services to the Customer for the duration of the Subscription Term.
- Nature and duration of the processing
- Purpose of processing
The provision of the Services.
- Types of Personal Data
All types of personal data as uploaded to the Software by the Customer, excluding personal data relating to children.
- Categories of Data Subject