Data Processing Schedule
- The parties acknowledge that for the purposes of the Data Protection Laws, the Customer is the Controller and the Provider is the Processor. The Data Processing Information sets out the scope, nature and purpose of processing by the Provider, the duration of the processing and the types of Personal Data and categories of Data Subject.
- The Customer warrants to the Provider that it has all necessary appropriate consents and notices in place to enable lawful transfer of the Personal Data to the Provider and lawful collection of the Personal Data by the Provider on behalf of the Customer for the duration and purposes of this Agreement.
- The Provider shall only process the Customer Personal Data on the documented instructions of the Customer (including with regard to transfers of the Customer Personal Data to any place outside the European Economic Area), as set out in these Terms and Conditions or any other document agreed by the parties in writing.
- Notwithstanding any other provision of the Agreement, the Provider may process the Customer Personal Data if and to the extent that the Provider is required to do so by applicable law. In such a case, the Provider shall inform the Customer of the legal requirement before processing, unless that law prohibits such information on important grounds of public interest.
- The Provider shall promptly inform the Customer if, in the opinion of the Provider, an instruction of the Customer relating to the processing of the Customer Personal Data infringes applicable law.
- Subject to Paragraph 7 below, the Provider shall not transfer any Customer Personal Data outside of the EEA unless the prior written consent of the Customer has been obtained and the following conditions are fulfilled: (a) the Customer or the Provider has provided appropriate safeguards in relation to the transfer; (b) the Data Subject has enforceable rights and effective legal remedies; (c) the Provider complies with its obligations under the Data Protection Laws by providing an adequate level of protection to any Customer Personal Data that is transferred; and (d) the Provider complies with reasonable instructions notified to it in advance by the Customer with respect to the processing of the Customer Personal Data.
- The Customer hereby authorises the Provider to make the following transfers of Customer Personal Data:
(a) the Provider may transfer the Customer Personal Data internally to its own employees, offices and facilities, provided that such transfers are protected by appropriate safeguards, namely firewalls, encryption at rest, and encryption in transit (TLS); and (b) the Provider may transfer the Customer Personal Data to its sub-Processors in EEA jurisdictions, provided that such transfers are protected by the appropriate safeguards identified herein.
- The Provider shall ensure that persons who have access to and/or are authorised to process the Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
- The Provider and the Customer shall each implement appropriate technical and organisational measures to protect against unauthorised or unlawful processing of Customer Personal Data and against accidental loss or destruction of, or damage to, Customer Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymising and encrypting Customer Personal Data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to Customer Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it).
- As of the Effective Date, the Customer consents to the Provider appointing the third parties identified in Part 5 of the Data Processing Information as third-party Processors of Customer Personal Data under this Agreement. Where the Provider wishes to add or replace any third-party Processor of the Customer Personal Data, the Provider shall inform the Customer at least 7 days in advance of any intended changes, and if the Customer objects to any such changes before their implementation, then the Customer may terminate the Agreement on 7 days' written notice to the Provider, provided that such notice must be given within the period of following the date that the Provider informed the Customer of the intended changes. The Provider shall ensure that each third-party Processor is subject to equivalent legal obligations as those imposed on the Provider by this Schedule.
- The Provider shall, insofar as possible and taking into account the nature of the processing, take appropriate technical and organisational measures to assist the Customer with the fulfilment of the Customer's obligation to respond to requests exercising a Data Subject's rights under the Data Protection Laws.
- The Provider shall, the notification of Personal Data Breaches to the supervisory authority, the communication of Personal Data Breaches to the Data Subject, data protection impact assessments and prior consultation in relation to high-risk processing under the Data Protection Laws. The Provider may charge the Customer at its standard time-based charging rates for any work performed by the Provider at the request of the Customer pursuant to this Paragraph 12.
- The Provider must notify the Customer of any Personal Data Breach affecting the Customer Personal Data without undue delay and, in any case, not later than 24 hours after the Provider becomes aware of the breach.
- the compliance of the Provider with its obligations under this Schedule and the Data Protection Laws. The Provider may charge the Customer at its standard time-based charging rates for any work performed by the Provider at the request of the Customer pursuant to this Paragraph 14.
- The Provider shall, at the choice of the Customer, delete or return all of the Customer Personal Data to the Customer after the provision of services relating to the processing, and shall delete existing copies save to the extent that applicable law requires storage of the relevant Personal Data.
- The Provider shall maintain complete and accurate records and information to demonstrate its compliance with this Schedule and allow for and contribute to audits, including inspections, conducted by the Customer or another auditor mandated by the Customer in respect of the compliance of the Provider's processing of Customer
- If any changes or prospective changes to the Data Protection Laws result or will result in one or both parties not complying with the Data Protection Laws in relation to processing of Personal Data carried out under the Agreement, then the parties shall use their best endeavours promptly to agree such variations to the Agreement as may be necessary to remedy such non-compliance.
- The parties may, by agreement in writing, revise this Schedule by replacing it with any applicable Controller to Processor standard clauses or similar terms adopted under the Data Protection Laws or forming part of an applicable certification scheme (which shall apply when replaced by attachment to this Agreement).
Appendix: Data Processing Information
- Categories of Data Subject
The customers, donors, volunteers, beneficiaries, supporters, and other contacts of the Customer. The Customer may share other categories of Data Subject not included in this list, and these categories should fall under the scope of this Agreement unless agreed in writing otherwise.
- Types of Personal Data
Names, postal addresses, email addresses, dates of birth, gender, job information, links to social media profiles, interests, supporter preferences. Financial information, attendance of events, marketing information. The Customer may share other types of Personal Data not included in this list, and these types should fall under the scope of this Agreement unless agreed in writing otherwise.
- Processing by the Provider
(a) Scope of processing
The Customer shall only supply to the Provider, and the Provider shall only process, in each case under or in relation to the Agreement: (a) the Personal Data of Data Subjects falling within the categories specified in Part 1 above (or such other categories as may be agreed by the parties in writing); and (b) Personal Data of the types specified in Part 2 above (or such other types as may be agreed by the parties in writing).
(b) Nature of processing
The Provider shall only process the Customer Personal Data for the purposes specified in Part 3 of the Data Processing Information.
(c) Purposes of processing
Provision of the Hosted Services, data migration, product development, customer support, and training.
(d) Duration of the processing
During the Term and for not more than 30 days following the end of the Term, subject to the other provisions of this Schedule.
- Security measures for Personal Data
The Provider employs extensive security measures to protect Personal Data, including encryption, password security, firewalls, and two-factor authentication.
- Sub-Processors of Personal Data
The full list of sub-Processors is available on the Provider's website.