Data Processing Addendum
Our Data Processing Addendum is present on this page for your reference. You may request a signed copy if you wish by contacting us at email@example.com.
Version: 1.0 / 24th May 2018, 10:30AM
Please read the Data Processing Addendum (“DPA") carefully as they form a contract between You ("Customer") and Us ("SCRUMPY"). As referenced in our terms of services available at https://www.scrumpy.co.uk/terms ("Terms"), this DPA will apply where We are processors of EU personal data.The capitalised terms used in this DPA but not defined herein shall have the same meaning as defined in the Terms. In the event of a conflict between this DPA and the Terms, this DPA shall prevail.
The short explanation:
We take a great deal of care and try our utmost to protect the Personal Data you entrust to us and will store & process the Personal Data you entrust with us in accordance with the law.
The long bit:
Relationship of the parties: Customer (the controller) appoints SCRUMPY as a processor to process the personal data forming part of the Service Data (the "Data") for the purposes described in the Terms (or as otherwise agreed in writing by the parties) (the "Permitted Purpose"). Each party shall comply with the obligations that apply to it under Applicable Data Protection Law.
Prohibited data: Customer shall not disclose (and shall not permit any data subject to disclose) any special categories of personal data to SCRUMPY for processing.
International transfers: SCRUMPY shall not transfer the Data outside of the European Economic Area ("EEA") unless it has taken such measures as are necessary to ensure the transfer is in compliance with Applicable Data Protection Law.
Confidentiality of processing: SCRUMPY shall ensure that any person it authorises to process the Data (an "Authorised Person") shall protect the Data in accordance with SCRUMPY's obligations under the Terms.
Security: The processor shall implement technical and organisational measures to protect the Data from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to the Data (a "Security Incident").
Subcontracting: Customer consents to SCRUMPY engaging third party subprocessors to process the Data for the Permitted Purpose provided that:
- SCRUMPY maintains an up-to-date list of its subprocessors at https://www.scrumpy.co.uk/terms which it shall update with details of any change in subprocessors prior to any such change.
- SCRUMPY imposes data protection terms on any subprocessor it appoints that require it to protect the Data to the standard required by Applicable Data Protection Law.
- SCRUMPY remains liable for any breach of this Clause that is caused by an act, error or omission of its subprocessor. Customer may object to SCRUMPY's appointment or replacement of a subprocessor prior to its appointment or replacement, provided such objection is based on reasonable grounds relating to data protection. In such event, SCRUMPY will either not appoint or replace the subprocessor or, if this is not possible, Customer may suspend or terminate the Terms (without prejudice to any fees incurred by Customer prior to suspension or termination).
Cooperation and data subjects' rights: SCRUMPY shall provide reasonable and timely assistance to Customer (at Customer's expense) to enable Customer to respond to:
- any request from a data subject to exercise any of its rights under Applicable Data Protection Law (including its rights of access, correction, objection, erasure and data portability, as applicable);
- any other correspondence, enquiry or complaint received from a data subject, regulator or other third party in connection with the processing of the Data. In the event that any such request, correspondence, enquiry or complaint is made directly to SCRUMPY, SCRUMPY shall promptly inform Customer providing full details of the same.
Data Protection Impact Assessment: If SCRUMPY believes or becomes aware that its processing of the Data is likely to result in a high risk to the data protection rights and freedoms of data subjects, it shall inform Customer and provide reasonable cooperation to Customer (at Customer's expense) in connection with any data protection impact assessment that may be required under Applicable Data Protection Law.
Security incidents: If it becomes aware of a confirmed Security Incident, SCRUMPY shall inform Customer without undue delay and shall provide reasonable information and cooperation to Customer so that Customer can fulfil any data breach reporting obligations it may have under (and in accordance with the timescales required by) Applicable Data Protection Law. SCRUMPY shall further take reasonably necessary measures and actions to remedy or mitigate the effects of the Security Incident and shall keep Customer informed of all material developments in connection with the Security Incident.
Deletion of Data: Customer may export all personal data prior to the termination of the Customer’s Account. In any event, following the termination of Customer’s Account by either party, data on Customer’s Account will be retained for a period of 14 days from such termination within which Customer may contact Provider to export Service Data. Beyond each such Data Retention Period, Processor reserves the right to delete all Personal Data in the normal course of operation. This requirement shall not apply to the extent that SCRUMPY is required by applicable law to retain some or all of the Data, or to Data it has archived on back-up systems, which Data SCRUMPY shall securely protect from any further processing except to the extent required by such law.