DATA PROCESSING AGREEMENT

For the purposes of the Data Protection Legislation, the parties hereby acknowledge and agree YBOO Limited (a private limited company incorporated in England and Wales with number 10666836 whose registered office is at Unit A Of H, Bridge Mills, Holmfirth, West Yorkshire, England, HD9 3TW) is the data processor (the “Processor”) and the client (as defined in the Principal Agreement) is the data controller (the “Controller”).

Unless otherwise stated, all defined terms have the meaning given in Annex 1 (Definitions and Interpretation).

  1. Purpose
    • This Data Processing Agreement (the “DPA”) sets out the basis on which the Processor shall process the Controller Personal Data pursuant to the Principal Agreement, and defines the principles and procedures that the parties shall adhere to and the responsibilities the parties owe to each other.
    • The Processor may process the Controller Personal Data from time to time in the course of performing its obligations under the Principal Agreement, and the necessary purposes of the processing as set out therein (“Agreed Purposes”) shall set out the Processor’s instructions for processing the Controller Personal Data.
    • The Processor shall only be entitled to process Controller Personal Data for the Agreed Purposes, and in accordance with the Processor’s instructions for processing, for the Term.
  2. Term and Termination

This DPA shall commence on the Commencement Date, and shall automatically terminate on expiry or earlier termination of the Principal Agreement (the “Term”).

  3. Authority to process Controller Personal Data
    • In consideration of payment by the Controller to the Processor of £1, receipt of which the Processor hereby acknowledges and accepts, the Controller hereby instructs the Processor (and authorises the Processor to instruct each Subprocessor) to process the Controller Personal Data strictly in accordance with the terms of this DPA, and only so far as is reasonably necessary for the Agreed Purposes and consistent with the Principal Agreement.
    • The parties shall process the Controller Personal Data strictly in accordance with the applicable Data Protection Legislation.
    • For the avoidance of doubt, the Controller’s instructions for the processing of Controller Personal Data shall comply with the applicable Data Protection Legislation, and the Processor reserves the right to refuse such instructions if the Processor considers they are not in compliance with the applicable Data Protection Legislation.
    • Notwithstanding the generality of clauses 2 and 3.3, the Controller warrants and represents to the Processor that any and all Controller Personal Data has been obtained in accordance with the applicable Data Protection Legislation, and is accurate and up to date.
  4. Security and Confidentiality
    • Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Processor shall in relation to the Controller Personal Data implement appropriate technical and organisational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR.
    • In assessing the appropriate level of security, the Processor shall take account in particular of the risks that are presented by processing, in particular from a Data Security Breach.
    • Without prejudice to the generality of Clause 1, the Processor shall implement appropriate technical and organisational measures to protect the Controller Personal Data against unauthorised or unlawful processing and against accidental loss, destruction, damage, alteration or disclosure, including but not limited to:
      • ensuring IT equipment, including portable equipment, is kept in lockable areas when unattended;
  • The Processor shall ensure all employees and authorised subcontractors are informed of the confidential nature of the Controller Personal Data and the terms of this DPA.
  5. Data Security Breaches
    • The Processor shall notify the Controller without undue delay upon becoming aware of a Data Security Breach, providing the Controller with sufficient information to allow the Controller to meet any obligations to report or inform data subjects and/or the relevant supervisory authority of the Data Security Breach under the Data Protection Legislation.
    • The Processor shall co-operate with the Controller in and shall take such reasonable steps as are directed by the Controller to assist in the investigation, mitigation and remediation of each such Data Security Breach.
  6. Data Protection Impact Assessment and Prior Consultation

The Processor shall provide assistance to the Controller with any data protection impact assessments, and prior consultations with supervisory authorities or other competent data privacy authorities, which the Controller reasonably considers to be required under the applicable Data Protection Legislation, to the extent the Controller does not otherwise have access to the relevant information and to the extent such information is available to the Processor.

  7. Data Subject Rights
    • Taking into account the nature of the processing, the Processor shall assist the Controller by implementing appropriate technical and organisational measures for the fulfilment of the Controller’s obligations to respond to requests for exercising the data subject’s rights under the Data Protection Legislation.
    • Without prejudice to the generality of Clause 1, the Processor shall:
      • notify the Controller without undue delay if the Processor receives a request from a data subject under the Data Protection Legislation in respect of the Controller Personal Data, including copies of the request and, where relevant, notes of any meeting, correspondence or phone calls relating to the request; and
      • ensure it does not respond to that request except on the documented instructions of the Controller or as required by the Data Protection Legislation to which the Processor is subject, in which case the Processor shall to the extent permitted by the Data Protection Legislation inform the Controller of that legal requirement before the Processor responds to the request.
  8. Deletion or Return of Controller Personal Data
    • Subject to clause 2, the Processor shall upon completion of the contractual work as laid down in the Principal Agreement or when requested by the Controller, and within a reasonable time which shall not exceed thirty (30) days, either:
      • return a complete copy of the Controller Personal Data in its possession to the Controller by secure file transfer in such format as is reasonably notified by the Controller to the Processor in writing; or
      • delete and procure the deletion of all copies of the Controller Personal Data in its possession,

as instructed by the Controller in writing.

  • The Processor may retain the Controller Personal Data to the extent required by the Data Protection Legislation, and only to the extent and for such period as required by such Data Protection Legislation, provided always the Processor shall ensure the confidentiality of all such Controller Personal Data and shall ensure that such Controller Personal Data is only processed as necessary for the purpose(s) specified in the Data Protection Legislation requiring its storage and for no other purpose.
  • The Processor shall provide written certification to the Controller that it has fully complied with this Clause 8 at the request of the Controller.
  9. Audit Rights
    • The Controller has the right to carry out inspections, or to have them carried out by an auditor to be designated in each individual case, to satisfy itself the Processor is complying with its obligations under this DPA, provided the Controller provides written notice to the Processor at least five (5) Business Days prior to such inspection. These rights of the Controller shall not extend to facilities which are operated by Subprocessors, subcontractors or any third parties which the Processor may use in connection with the Agreed Purposes and/or to comply with its obligations in the Principal Agreement.
    • The Processor shall ensure that the Controller is able to verify compliance with the obligations of the Processor in accordance with the Data Protection Legislation. The Processor undertakes to provide to the Controller all necessary information on request within a reasonable timeframe.
  10. Restricted Transfers
    • The Processor shall not transfer the Controller Personal Data to countries outside the EEA unless the Processor obtains the prior written consent of the Controller and in seeking such consent, complies with the following obligations:
      • provides the Controller with details of the following in writing:
        • the Controller Personal Data which will be processed and/or transferred outside the EEA;
        • the country or countries in which the Controller Personal Data will be processed and/or to which the Controller Personal Data will be transferred outside the EEA; and
        • any Subprocessor who will be processing and/or transferring Controller Personal Data outside the EEA;
      • ensures it has regard to and shall comply with the Data Protection Legislation and the current government and Information Commissioner’s Office’s policies, procedures, guidance and codes of practice on, and any approval processes in connection with, the processing and/or transfers of the Controller Personal Data outside the EEA and/or overseas generally; and
      • complies with such other instructions and shall carry out such actions as the Controller may notify in writing including entering into Standard Contractual Clauses.
  11. Subprocessing
    • The Controller agrees to the commissioning of the following Subprocessors on the condition of a contractual agreement in accordance with Data Protection Legislation:
Subprocessor | Address / Country | Service

 

  • Outsourcing to further Subprocessors or changing any existing Subprocessors is permissible if the Processor informs the Controller of the identity of the Subprocessor and the scope of the planned subprocessing in writing, and the Controller does not object to the planned subprocessing in writing within [three (3)] Business Days from receipt of such notice. The Controller shall not unreasonably object to the planned subprocessing.
  • The Processor shall ensure the agreement between the Processor and the relevant Subprocessor is governed by a written contract including terms which offer at least the same level of protection for the Controller as those set out in this DPA and meets the requirements of Article 28 (3) of the GDPR.
  12. Indemnification

The Controller will indemnify and keep indemnified the Processor in respect of all liabilities, costs and expenses suffered or incurred by the Processor arising from any breach by the Controller of its obligations under the Data Protection Legislation, and/or this DPA.

  13. Roles and responsibilities

Each party shall nominate a single point of contact within their organisation who can be contacted in respect of queries or complaints regarding the Data Protection Legislation and/or compliance under the terms of this DPA.

  14. General Terms
    • In the event of inconsistencies between the provisions of this DPA and the Principal Agreement, the provisions of this DPA shall prevail.
    • Subject to clause 3, either party may propose any amendments to this DPA which it reasonably considers to be necessary to address the requirements of any Data Protection Legislation. The parties shall work together in good faith to agree and effect such amendment within fourteen (14) days of the other party being notified of the proposed amendment.
    • No variation of this DPA shall be effective unless it is in writing and signed by the parties (or their authorised representatives).
    • No person who is not a party to this DPA shall have any right to enforce this DPA pursuant to the Contracts (Rights of Third Parties) Act 1999.
    • Should any provision of this DPA be invalid or unenforceable, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.
    • No failure or delay by a party to exercise any right or remedy provided under this DPA or by law shall constitute a waiver of that or any other right or remedy, nor shall it prevent or restrict the further exercise of that or any other right or remedy. No single or partial exercise of such right or remedy shall prevent or restrict the further exercise of that or any other right or remedy.
    • Notices
      • Any notice or other communication given to a party under or in connection with this DPA shall be in writing and shall be:
        • delivered by hand or by pre-paid first-class post or other next working day delivery service at its registered office (if a company) or its principal place of business (in any other case); or
        • sent by email to the specified email address.
      • Any notice or communication shall be deemed to have been received:
        • if delivered by hand, on signature of a delivery receipt;
        • if sent by pre-paid first-class post or other next working day delivery service, at 9.00 am on the second Business Day after posting or at the time recorded by the delivery service; or
        • if sent by email, at 9.00 am on the next Business Day after transmission.

This clause does not apply to the service of any proceedings or other documents in any legal action or, where applicable, any arbitration or other method of dispute resolution.

  • This DPA may be executed in any number of counterparts, each of which when executed shall together constitute one agreement. No counterpart shall be effective unless each party has executed and delivered at least one counterpart.
  • This DPA and any dispute or claim (including non-contractual disputes or claims) arising out of or in connection with it or its subject matter or formation shall be governed by and construed in accordance with the law of England and Wales. Each party irrevocably agrees that the courts of England and Wales shall have exclusive jurisdiction to settle any dispute or claim (including non-contractual disputes or claims) arising out of or in connection with this DPA or its subject matter or formation.