Data Processing Terms
These data protection terms and conditions (“these terms”, “Data Processing Terms” or “Data Processing Agreement”) form part of the Terms of Service between you (Controller) and us (Processor).
PARTIES
(1) Wellconnect Ltd (company number 13672481), a limited company registered in England & Wales, registered office at 71-75 Shelton Street, London, England, WC2H 9JQ (“Processor”);
and
(2) The business entering into the Master Agreement with the Processor (“Controller”).
BACKGROUND
(A) The parties have entered into an agreement pursuant to which the Processor will provide certain services (“Services”) to the Controller (“Master Agreement” or “Terms of Service”).
(B) In performing the Services, the Processor will be required to process personal data on behalf of the Controller. This Data Processing Agreement sets out the specific terms on which the parties agree to handle personal data under the Master Agreement.
TERMS
1. Definitions and Interpretation
The following definitions and rules of interpretation apply in these Data Processing Terms.
1.1 Definitions:
1 CCPA means California Civil Code Sec. 1798.100 et seq. as amended (also known as the California Consumer Privacy Act of 2018), including the California Privacy Rights Act amendments to the CCPA.
2 California Personal Information means Personal Data that is subject to the protection of the CCPA.
3 Controller, Processor, Data Subject, Personal Data, Data Exporter, Data Importer, Personal Data Breach, Business Purpose and Processing: have the meanings given in the Data Protection Legislation in the relevant jurisdiction.
4 Data Protection Legislation means all applicable worldwide legislation relating to the Processing of Personal Data, including but not limited to, the European Data Protection Laws, the CCPA, and other US laws; in each case as amended, repealed, consolidated or replaced from time to time and, where applicable the guidance and codes of practice issued by the data protection authorities or others in connection with such laws, all as amended from time to time.
5 Europe means the European Union, the European Economic Area and/or their member states, Switzerland and the United Kingdom.
6 European Data means Personal Data that is subject to the protection of European Data Protection Laws.
7 European Data Protection Legislation means data protection laws applicable in Europe, including: (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of personal data and on the free movement of such data, the GDPR; (ii) Directive 2002/58/EC concerning the Processing of personal data and the protection of privacy in the electronic communications sector; and (iii) applicable national implementations of (i) and (ii); or (iii) GDPR as it forms part of the United Kingdom domestic law by virtue of Section 3 of the European Union (Withdrawal) Act 2018 ("UK GDPR"); and (iv) Swiss Federal Data Protection Act of 19 June 1992 and its Ordinance ("Swiss DPA"); in each case, as may be amended, superseded or replaced.
8 GDPR means the General Data Protection Regulation ((EU) 2016/679), and the retained UK version of the same;
9 Records: has the meaning given in Clause 12.
10 Standard Contractual Clauses means the standard contractual clauses annexed to the European Commission’s Decision (EU) 2021/914 of 4 June 2021 as they may be amended, superseded or replaced; UK Addendum means the International Data Transfer Addendum issued by the UK Information Commissioner under section 119A(1) of the Data Protection Act 2018 as they may be amended, superseded, or replaced.
11 UK GDPR: has the meaning given in section 3(10) (as supplemented by section 205(4)) of the DPA 2018.
1.2 These terms are subject to the terms of the Master Agreement and are incorporated into the Master Agreement. Interpretations and defined terms set forth in the Master Agreement apply to the interpretation of these terms.
1.3 In the case of conflict or ambiguity between the Master Agreement and these terms, the provisions of these terms will prevail.
2. Personal data types and processing purposes
The Controller and the Processor agree and acknowledge that for the purpose of the Data Protection Legislation the Controller retains control of the Personal Data and remains responsible for its compliance obligations under the Data Protection Legislation, including but not limited to, providing any required notices and obtaining any required consents, and for the written processing instructions it gives to the Processor. Schedule 1 sets out the subject matter, duration, nature and purpose of the processing and the Personal Data categories and Data Subject types in respect of which the Processor may process the Personal Data to fulfil the Business Purposes.
3. Processor's obligations
3.1 The Processor will only process the Personal Data in accordance with the Controller's written instructions. The Processor will not process the Personal Data for any other purpose or in a way that does not comply with these terms or the Data Protection Legislation.
3.2 The Processor must comply promptly with any Controller written instructions requiring the Processor to amend, transfer, delete or otherwise process the Personal Data, or to stop, mitigate or remedy any unauthorised processing.
3.3 The Processor will maintain the confidentiality of the Personal Data and will not disclose the Personal Data to third-parties unless the Controller or these terms specifically authorises the disclosure, or as required by law or by any regulator and in such a case, the Processor must first inform the Controller of such legal or regulatory requirement and give the Controller an opportunity to object or challenge the requirement, unless the law prohibits the giving of such notice.
3.4 The Processor will reasonably assist the Controller, at no additional cost to the Controller, with meeting the Controller's compliance obligations under the Data Protection Legislation, taking into account the nature of the Processor's processing and the information available to the Processor, including in relation to Data Subject rights, data protection impact assessments and reporting to and consulting with any relevant regulator under the Data Protection Legislation.
4. Processor's employees and sub-contractors
4.1 The Processor will ensure that all individuals who have access to Personal Data are made subject to appropriate conditions of confidentiality and have undertaken appropriate training in the laws and best practice relating to the handling of Personal Data.
5. Security
5.1 The Processor must at all times implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk of accidental, unauthorised or unlawful destruction, loss, alteration, disclosure of, or access to Personal Data, including as appropriate: (i) pseudonymisation and encryption of Personal Data; (ii) ensuring the ongoing confidentiality, integrity, availability and resilience of the Processor’s systems; (iii) the ability to restore Personal Data in a timely manner in the event of an incident; and (iv) regular testing of all security measures.
6. Personal data breach
6.1 In the event of any accidental, unauthorised or unlawful processing of any part of Personal Data, including a Personal Data Breach or a suspected Personal Data Breach, the Processor will immediately notify the Controller and fully co-operate with the Controller to remedy the issue as soon as reasonably practicable. Such co-operation will include but not be limited to:
(a) assisting with any investigation;
(b) providing the Controller with physical access to any facilities and operations affected;
(c) facilitating interviews with the Processor’s employees, former employees and others involved in the matter including, but not limited to, its officers and directors;
(d) making available all relevant records, logs, files, data reporting and other materials required to comply with all Data Protection Legislation or as otherwise reasonably required by the Controller; and
(e) taking reasonable and prompt steps to mitigate the effects and to minimise any damage resulting from the Personal Data Breach or accidental, unauthorised or unlawful Personal Data processing.
6.2 The Controller will also reimburse the Processor for actual reasonable expenses that the Processor incurs when responding to an incident of accidental, unauthorised or unlawful processing and/or a Personal Data Breach to the extent that the Controller caused the same, including all costs associated with complying with clause 6.1.
6.3 The Processor will not inform any third-party of any accidental, unauthorised or unlawful processing of all or part of the Personal Data and/or a Personal Data Breach without first obtaining the Controller's written consent, except when required to do so by law.
6.4 The Processor will notify the Controller without undue delay on becoming aware of a Personal Data Breach involving any Personal Data.
7. CCPA & transfers of personal data
7.1 The parties agree that if the CCPA applies, the Controller is a “business” and the Processor is a “service provider” as defined under the CCPA. The Processor will not retain, use, or disclose the California Personal Information it collects pursuant to these terms for any purposes other than for the Business Purposes specified in these terms, including retaining, using, or disclosing the personal information for a commercial purpose other than the business purposes specified in these terms, or as otherwise permitted by the CCPA; and (b) the Processor will not retain, use, or disclose the California Personal Information it collects pursuant to these terms outside of the direct business relationship between the Processor and the Controller, unless otherwise permitted by the CCPA. The Processor will not “sell” or “share” California Personal Information as those terms are defined in the CCPA or combine the California Personal Information with personal information obtained from sources other than the Controller, except to the extent permitted by the CCPA. From time to time, the Controller may ask for, and the Processor will provide, reasonable evidence of its compliance with this Section 7.1.
7.2 The Controller acknowledges that in connection with the performance of the Service, the Processor is a recipient of European Data in the United States. Subject to clause 7.3, the parties agree that the Standard Contractual Clauses will be incorporated by reference and form part of these terms as set out below.
7.3 In relation to European Data that is subject to the GDPR (i) the Controller is the "data exporter" and the Processor is the "data importer"; (ii) the Module Two terms apply to the extent the Controller is a Controller of European Data and the Module Three terms apply to the extent the Controller is a Processor of European Data; (iii) in Clause 7, the optional docking clause applies; (iv) in Clause 9, Option 2 applies and changes to Sub-Processors will be notified in accordance with the ‘Sub-Processors’ section of these terms; (v) in Clause 11, the optional language is deleted; (vi) in Clauses 17 and 18, the parties agree that the governing law and forum for disputes for the Standard Contractual Clauses will be the Republic of Ireland (without reference to conflicts of law principles); (vii) the Annexes of the Standard Contractual Clauses will be deemed completed with the information set out in the Annexes of these terms; and (viii) if and to the extent the Standard Contractual Clauses conflict with any provision of this DPA the Standard Contractual Clauses will prevail to the extent of such conflict.
7.4 In relation to European Data that is subject to the UK GDPR, the Standard Contractual Clauses will apply in accordance with sub-section (1) and the following modifications:
(i) the Standard Contractual Clauses will be modified and interpreted in accordance with the UK Addendum, which will be incorporated by reference and form an integral part of these terms;
(ii) Tables 1, 2 and 3 of the UK Addendum will be deemed completed with the information set out in the Annexes of these terms and Table 4 will be deemed completed by selecting “neither party”; and
(iii) any conflict between the terms of the Standard Contractual Clauses and the UK Addendum will be resolved in accordance with Section 10 and Section 11 of the UK Addendum.
7.5 In relation to European Data that is subject to the Swiss DPA, the Standard Contractual Clauses will apply in accordance with sub-section (1) and the following modifications: (i) references to "Regulation (EU) 2016/679" will be interpreted as references to the Swiss DPA; (ii) references to "EU", "Union" and "Member State law" will be interpreted as references to Swiss law; and (iii) references to the "competent supervisory authority" and "competent courts" will be replaced with the "Swiss Federal Data Protection and Information Commissioner" and the "relevant courts in Switzerland".
7.6 If the Processor cannot comply with its obligations under the Standard Contractual Clauses or is in breach of any warranties under the Standard Contractual Clauses or UK Addendum (as applicable) for any reason, and the Controller intends to suspend the transfer of European Data to the Processor or terminate the Standard Contractual Clauses, or UK Addendum, the Controller agrees to provide the Processor with reasonable notice to enable the Processor to cure such non-compliance and reasonably cooperate with the Processor to identify what additional safeguards, if any, may be implemented to remedy such non-compliance. If the Processor has not or cannot cure the non-compliance, the Controller may suspend or terminate the affected part of the Services in accordance with the Master Agreement without liability to either party (but without prejudice to any fees the Controller has incurred prior to such suspension or termination).
8. Sub-processors
8.1 The Processor may only authorise a third-party sub-processor to process the Personal Data if:
(a) the Processor enters into or is a party to a written contract with the sub-processor that contains terms substantially the same as those set out in these terms, in particular, in relation to requiring appropriate technical and organisational data security measures, and, upon the Controller's written request, provides the Controller with copies of the relevant excerpts from such contracts;
(b) the Processor maintains control over all of the Personal Data it entrusts to the sub-processor; and
(c) the sub-processor’s contract terminates automatically on termination of these terms for any reason.
9. Complaints, data subject requests and third-party rights
9.1 The Processor must notify the Controller immediately in writing if it receives any complaint, notice or communication that relates directly or indirectly to the processing of the Personal Data or to either party's compliance with the Data Protection Legislation.
9.2 The Processor must notify the Controller within two working days if it receives a request from a Data Subject for access to their Personal Data or to exercise any of their other rights under the Data Protection Legislation.
9.3 The Processor will give the Controller, at no additional cost to the Controller, its full co-operation and assistance in responding to any complaint, notice, communication or Data Subject request.
9.4 The Processor must not disclose the Personal Data to any Data Subject or to a third-party other than in accordance with the Controller's written instructions, or as required by law.
10. Term and termination
10.1 These terms will remain in full force and effect so long as:
(a) the Master Agreement remains in effect; or
(b) the Processor retains any of the Personal Data related to the Master Agreement in its possession or control (Term).
10.2 Any provision of these terms that expressly or by implication should come into or continue in force on or after termination of the Master Agreement in order to protect the Personal Data will remain in full force and effect.
10.3 The Processor’s failure to comply with these terms constitutes a material breach of the Master Agreement. If such non-compliance is not capable of remedy, or is not remedied within 14 days of a written request from the Controller, the Controller may (i) suspend or terminate the affected part of the Services under the Master Agreement without liability to either party; or (ii) terminate the Master Agreement with immediate effect on written notice, without further liability or obligation of either party.
11. Data return and destruction
11.1 At the Controller's request, the Processor will give the Controller, or a third-party nominated in writing by the Controller, a copy of or access to all or part of the Personal Data in its possession or control in the format and on the media reasonably specified by the Controller.
11.2 On termination of the Master Agreement for any reason or expiry of its term, the Processor will securely delete or destroy or, if directed in writing by the Controller, return and not retain, all or any of the Personal Data related to these terms in its possession or control.
12. Records
12.1 The Processor will keep detailed, accurate and up-to-date written records regarding any processing of the Personal Data, including but not limited to, the access, control and security of the Personal Data and will ensure that the Records are sufficient to enable the Controller to verify the Processor's compliance with its obligations under these terms and the Processor will provide the Controller with copies of the Records upon request.
13. Audit
13.1 Except as otherwise required by applicable Data Protection Legislation, the Processor shall, upon reasonable prior written notice, permit the Controller (or its mandated auditors, subject to confidentiality) to audit its compliance with these terms once per 12-month period, during normal business hours and in a manner that does not unreasonably disrupt the Processor’s business operations. The Processor shall provide all reasonably necessary assistance and access to documentation or systems used for processing Personal Data.
14. Warranties
14.1 The Processor warrants and represents that:
(a) its employees, subcontractors, agents and any other person or persons accessing the Personal Data on its behalf have received the required training on the Data Protection Legislation;
(b) it and anyone operating on its behalf will process the Personal Data in compliance with the Data Protection Legislation and other laws, enactments, regulations, orders, standards and other similar instruments; and
(c) it has no reason to believe that the Data Protection Legislation prevents it from providing any of the Master Agreement's contracted services.
14.2 The Controller warrants and represents that the Processor's expected use of the Personal Data for the Business Purposes and/or as specifically instructed by the Controller and/or otherwise in accordance with these terms will comply with the Data Protection Legislation and will not expose the Processor to any liability in respect of such use.
15. Limitation of Liability
15.1 Any limitation of liability set forth in the Master Agreement shall apply to these terms.
SCHEDULE 1
Personal Data processing purposes and details
Subject matter of processing:
The provision, configuration and ongoing operation of the Platform and related products and services by the Processor in accordance with the Master Agreement (Terms of Service) and any other agreements between the parties. The processing of personal data is limited to what is necessary for the delivery, support and maintenance of those products and services.
Types of Personal Data:
– Identity Data includes first name, last name, any previous names, username or similar identifier, marital status, title, place of birth, date of birth and gender; job title, profession and photograph; and information contained in a curriculum vitae or profile on social media.
– Contact Data includes billing address, delivery address, previous addresses, email address and telephone numbers, business address, business email addresses and telephone numbers.
– Financial Data includes bank account and payment card details.
– Transaction Data includes details about payments to and from you and other details of products and services you have purchased from us.
– Technical Data includes information about how you use our website, products and services, and device-specific data such as device’s IP address (captured and stored in an anonymized format), device screen resolution, device type (unique device identifiers), operating system and browser type, geographic location (country only), and user interactions (mouse events (movements, location and clicks) and keypresses and log data (referring URL and domain, pages visited, geographic location (country only)), preferred language used to display the webpage and date and time when website pages were accessed).
– Profile Data includes usernames and passwords, purchases or orders made, interests, preferences, feedback and survey responses.
– Usage Data includes information about how you use our Website, products and services.
– Marketing and Communications Data includes preferences in receiving marketing and communication preferences.
– Aggregated Data We also collect, use and share Aggregated Data such as statistical or demographic data for any purpose. Aggregated Data could be derived from personal data but is not considered personal data in law as this data will not directly or indirectly reveal a person’s identity. For example, we may aggregate Usage Data to calculate the percentage of users accessing a specific Website feature.
– Special Categories of Personal Data (this includes details about race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about health, and genetic and biometric data).
Categories of Data Subject:
Officers, directors and board members; Employees (current, former and prospective); Job applicants and candidates; Contractors, freelancers and consultants; Subcontractors and agents; Temporary and agency staff; Clients/customers; Prospective clients/customers (leads, newsletter subscribers, etc.); Suppliers, vendors and service providers; Website and application users; Social media users and followers; Visitors to premises; Event attendees and webinar participants; Business contacts and networking leads; Partners, affiliates and resellers; Investors and shareholders; Users of customer support services; Licensees or end users of software/services; Survey or research participants; Third parties referenced in data (e.g. referees, emergency contacts); Beneficiaries or dependents (e.g. for employee benefit processing).
Nature and purpose of the processing:
To provide the Services to the Controller pursuant to the Master Agreement (the “Purpose”), including the following, as applicable and as agreed from time to time.
Hosting, storage and backup; Email and communications (including marketing and transactional messaging); CRM setup, configuration and management; Marketing automation and campaign tracking; Lead capture and form processing; Website and landing page development and optimisation; Chatbots, live chat and messaging services; Call tracking and recording; Appointment scheduling and calendar management; Analytics and reporting;
Funnel and customer journey implementation; Social media integration; API and workflow automation; Technical support and helpdesk services; User account and access management; Payment integration support; Contact tagging and segmentation; SMS and voice broadcast management; Embedded third-party services; Survey and feedback collection; Sales pipeline and task tracking; Data import, cleansing and syncing; Compliance support (e.g. DSARs); Digital strategy and consultancy services; Platform maintenance and security monitoring.
Duration of the processing:
The duration of the processing shall correspond to the duration of the Master Agreement between the parties, and a reasonable time following termination or expiry of the Agreement to allow for any applicable post-termination handover or related procedures to be completed.
SCHEDULE 2