Data Processing Agreement

1. Definitions

1.1

In addition to the terms already defined in the Master Terms of Service, in this Schedule, unless the context otherwise requires, the following words shall have the following meanings:

The terms 'Controller', 'Processor', 'Data Subject', 'Personal Data', 'processing', 'technical and organisational measures' and 'transfer' (in the context of transfers of Personal Data) shall have the meanings given to them in the DP Laws;

'Data Subject Request' means a request from a Data Subject to exercise its rights under the DP Laws in respect of that Data Subject's Personal Data;

'DP Laws' means all applicable laws and regulations in any relevant jurisdiction relating to the use or processing of personal data including: (i) EU General Data Protection Regulation 2016/679 ('GDPR'); (ii) the retained EU law version of the GDPR as defined in the DPA ('UK GDPR'); (iii) any laws or regulations ratifying, implementing, adopting, supplementing or replacing the GDPR; (iv) in the UK, the Data Protection Act 2018 ('DPA'); (v) any laws and regulations implementing or made pursuant to EU Directive 2002/58/EC (as amended by 2009/136/EC); and (vi) in the UK, the Privacy and Electronic Communications (EC Directive) Regulations 2003; in each case, as updated, amended or replaced from time to time;

'DP Regulator' means any governmental or regulatory body or authority with responsibility for monitoring or enforcing compliance with the DP Laws;

'End-User' means a customer of the Customer;

'End-User Personal Data' means the Personal Data of End-Users;

'Permitted Region' means the European Economic Area and the United Kingdom;

'Security Breach' means any actual loss, unauthorised or unlawful processing, destruction, damage, alteration, or unauthorised disclosure of, or access to End-User Personal Data (accidental or otherwise), which should be reported to the applicable DP Regulator in accordance with DP Laws;

'Sub-processor' means another processor of End-User Personal Data engaged by Mltpl.

2. Processing of Personal Data

2.1

The Customer and Mltpl will each act as Controller with respect to the processing of End-User Personal Data in connection with the provision of Services, and each party shall comply with this paragraph 2 and paragraphs 3, 4, and 6 of this Data Processing Agreement in respect of such processing.

2.2

Where a party is processing End-User Personal Data (as a Processor) on behalf of the other party (as a Controller), the parties shall comply with this paragraph 2 and paragraphs 5 and 6 of this Data Processing Agreement (in their roles as Processor and Controller accordingly) in respect of such processing.

2.3

In performance of its obligations under the Master Terms of Service, each party shall comply with the provisions of the DP Laws and not do, cause or permit anything to be done which may result in a breach by the other party of the DP Laws in connection with the processing of End-User Personal Data under the Master Terms of Service.

2.4

The Customer will not: (a) make representations or other statements with respect to End-User Personal Data that are contrary to or otherwise inconsistent with Mltpl's privacy policy, or (b) interfere with any independent efforts by Mltpl to provide privacy notices to End-Users pursuant to the DP Laws or obtain consent (or otherwise satisfy another lawful ground for processing) to process End-User Personal Data in accordance with Mltpl's privacy policy.

2.5

The parties agree that for Business Contact Information, each party shall be the Controller of the other party's Business Contact Information and may use the other party's Business Contact Information for contract management, payment processing, service offering, and business development purposes related to the Master Terms of Service and such other purposes as set out in the using party's privacy policy (copies of which shall be made available upon request). For the purposes of this paragraph, 'Business Contact Information' means the names, mailing addresses, email addresses, and phone numbers regarding the other party's employees or consultants.

2.6

To the extent the Customer is not sole Controller of any Personal Data, it warrants that it has full authority and authorisation of all relevant Controllers to instruct Mltpl to process the Personal Data in accordance with the Master Terms of Service.

2.7

The Customer acknowledges and agrees that the execution of any computer command to process (including deletion of) any Personal Data made in the use of any of the Services will be a processing instruction (other than to the extent such command is not fulfilled due to technical, operational or other reasons). The Customer shall ensure that its users do not execute any such command unless authorised by the Customer (and by all other relevant Controller(s)) and acknowledge that if any Personal Data is deleted pursuant to any such command Mltpl is under no obligation to seek to restore it.

2.8

Subject to the Master Terms of Service, the processing of the Personal Data by Mltpl under the Master Terms of Service shall be for the subject-matter, duration, nature and purposes and involve the types of Personal Data and categories of Data Subjects set out in Appendix 1.

3. Cooperation

3.1

This paragraph 3 only applies in respect of the processing activities under the Master Terms of Service for which both parties are Controllers of End-User Personal Data, and references in this paragraph 3 to End-User Personal Data shall be construed accordingly.

3.2

Each party shall cooperate with the other party and provide such information and assistance as the other party may reasonably require to enable the other party to:

(a) comply with its obligations under the DP Laws in respect of the End-User Personal Data shared under the Master Terms of Service; and

(b) deal with and respond to all investigations and requests for information relating to the End-User Personal Data processed under the Master Terms of Service from a Data Subject or from a DP Regulator (including Data Subject Requests).

3.3

If either party receives any complaint, notice or communication which relates directly or indirectly to the processing of End-User Personal Data by the other party or to either party's compliance with the DP Laws, it shall promptly notify the other party and it shall provide the other party with reasonable cooperation and assistance in relation to any such complaint, notice or communication.

3.4

Each party shall:

(a) implement and maintain appropriate and adequate technical and organisational measures to ensure an appropriate level of security against the risks of unauthorised or unlawful processing, accidental loss, disclosure, access to, alteration, destruction of, or damage to End-User Personal Data;

(b) maintain records of all processing operations under its responsibility that contain at least the minimum information required by the DP Laws, and shall make such information available to any DP Regulator on request;

(c) promptly notify the other party and cooperate with the other party if it believes that it is in breach of, or may no longer be able to comply with, any of the terms of this Data Processing Agreement (including if it believes that compliance with this Data Processing Agreement or an instruction under it would or does infringe any DP Law); and

(d) notify the other party without undue delay if it becomes aware of a Security Breach affecting the End-User Personal Data, and provide the other party with reasonable cooperation and assistance in relation to the Security Breach on request by that other party to enable it to comply with its obligations under Articles 33 and 34 of the GDPR or (where applicable) the UK GDPR.

4. Transfers of End-User Personal Data

4.1

This paragraph 4 only applies in respect of the processing activities under the Master Terms of Service for which both parties are Controllers of End-User Personal Data, and references in this paragraph 4 to End-User Personal Data shall be construed accordingly.

4.2

Prior to one party (the 'Disclosing Party') transferring End-User Personal Data to the other party (the 'Receiving Party'):

(a) the Disclosing Party shall:

(i) either:

(1) obtain all necessary consents to transfer the End-User Personal Data to the Receiving Party; or

(2) secure another lawful basis, in accordance with the DP Laws, to process the End-User Personal Data and to share such End-User Personal Data with the Receiving Party for the purposes of providing or receiving the Services envisaged by the Master Terms of Service; and

(ii) provide appropriate privacy notices (of the Disclosing Party) to the relevant Data Subjects (as required by the DP Laws) to enable it to share the End-User Personal Data with the Receiving Party for the purposes of providing the Services envisaged by the Master Terms of Service; and

(b) the Receiving Party shall:

(i) ensure that it has an appropriate lawful basis, in accordance with the DP Laws, to receive and process the End-User Personal Data; and

(ii) provide appropriate privacy notices (of the Receiving Party) to the relevant Data Subjects (as required by the DP Laws) to enable it to receive and process the End-User Personal Data.

5. Controller to Processor provisions

5.1

This paragraph 5 only applies in respect of the processing activities under the Master Terms of Service for which one party is a Processor and the other party is a Controller of End-User Personal Data, and references in this paragraph 5 to End-User Personal Data shall be construed accordingly.

5.2

A party acting as a Processor in respect of the processing of End-User Personal Data shall:

(a) process the End-User Personal Data: (i) only in accordance with the Controller's written instructions from time to time, unless it is otherwise required by applicable law (in which case, unless such law prohibits such notification on important grounds of public interest, the Processor shall notify the Controller of the relevant legal requirement before processing the End-User Personal Data); and (ii) only for the duration of the Master Terms of Service;

(b) not process the End-User Personal Data for any purpose other than those set out in the Master Terms of Service or otherwise expressly authorised by the Controller;

(c) take reasonable steps to ensure the reliability of all its personnel (including subcontractors) who have access to the End-User Personal Data, and ensure that any such personnel (including subcontractors) are committed to binding written contractual obligations of confidentiality when processing the End-User Personal Data;

(d) implement and maintain appropriate technical and organisational measures and procedures to ensure an appropriate level of security for the End-User Personal Data, including protecting the End-User Personal Data against the risks of accidental, unlawful or unauthorised destruction, loss, alteration, disclosure, dissemination or access;

(e) not transfer, access or process End-User Personal Data outside the Permitted Region without the prior written consent of the Controller (and, if the Controller so consents, the Processor shall take such steps as are reasonably required by the Controller to ensure that the relevant transfer, access or processing complies with the DP Laws);

(f) inform the Controller within 24 hours if the End-User Personal Data is (while within the Processor's or its subcontractors' possession or control) subject to a Security Breach or is lost or destroyed or becomes damaged, corrupted or unusable;

(g) inform the Controller within 24 hours in writing if it receives any complaint, notice or communication that relates directly or indirectly to the processing of the End-User Personal Data, or to either party's compliance with the Data Protection Legislation;

(h) only appoint a third party (including any subcontractors) to process the End-User Personal Data with the prior written consent of the Controller, and notwithstanding any such appointment the Processor shall be liable for the acts and omissions of any such third party as if they were the acts and omissions of the Processor;

(i) return or irretrievably delete (in accordance with its obligations under this Schedule) the End-User Personal Data on termination or expiry of the Master Terms of Service, and not make any further use of the End-User Personal Data (except to the extent applicable laws require continued storage of the End-User Personal Data by the Processor and the Processor has notified the Controller accordingly, in which case the provisions of this paragraph 5 shall continue to apply to such End-User Personal Data);

(j) provide to the Controller and any DP Regulator all information and assistance necessary or desirable to demonstrate or ensure compliance with the obligations in this paragraph 5 and/or the DP Laws;

(k) permit the Controller or its representatives to access any relevant premises, personnel or records of the Processor on reasonable notice to audit and otherwise verify compliance with this paragraph 5;

(l) take such steps as are reasonably required to assist the Controller in ensuring compliance with its obligations under Articles 30 to 36 (inclusive) of the GDPR or (where applicable) UK GDPR;

(m) notify the Controller within two (2) business days if it receives a Data Subject Request; and

(n) provide the Controller with its full cooperation and assistance in relation to any Data Subject Request which the Controller receives.

5.3

Where (and to the extent that) Mltpl is a Processor under the Master Terms of Service, for the purposes of paragraph 5.2(h), the Customer, as Controller, hereby grants to Mltpl general authorisation to appoint Sub-processors for the purposes of providing the Services envisaged by the Master Terms of Service. In appointing Sub-processors, Mltpl shall respect the conditions referred to in Article 28(2) GDPR (or, where applicable, the UK GDPR). If Mltpl appoints a Sub-processor, Mltpl will put a written contract in place between it and the Sub-processor that specifies the Sub-processor's processing activities and imposes on the Sub-processor substantially similar terms, appropriate to the sub-processing they will undertake. If that Sub-processor fails to fulfil its obligations under DP Laws, Mltpl shall remain liable to Customer for the performance of that Sub-processor's obligations.

6. Cross-border transfer

6.1

Each party agrees that there shall be no cross-border transfer of End-User Personal Data: (i) by a Disclosing Party from within the UK to a Receiving Party within the EEA or any other third country; or (ii) by a Disclosing Party from within the EEA to a Receiving Party within the UK or any other third country. If a party entity becomes aware that End-User Personal Data will need to be shared by a Disclosing Party to a Receiving Party in a third country and a change to this Data Processing Agreement is necessary, either:

(a) to comply with the DP Laws (or an anticipated change to the DP Laws); or

(b) as a result of any decisions of a DP Regulator,

then, prior to the transfer of End-User Personal Data, the parties shall negotiate in good faith with a view to agreeing and entering into such documentation and/or implementing such consequential amendments to this Data Processing Agreement as are necessary to continue to ensure that each party remains compliant with the provision of the DP Laws.

Appendix 1 - Data processing details

Subject-matter of processing:

  • performance of respective rights and obligations under the Master Terms of Service and delivery and receipt of the Services under the Master Terms of Service.

Duration of the processing:

  • until the earlier of final termination or final expiry of the Master Terms of Service, except as otherwise expressly stated in the Master Terms of Service.

Nature and purpose of the processing:

  • processing in accordance with the rights and obligations of the parties under the Master Terms of Service;

  • processing as reasonably required to provide the Services;

  • processing as initiated, requested or instructed by Customer (including its authorised users) in connection with their use of the Services, in each case in a manner consistent with the Master Terms of Service; and/or

  • in relation to each Service, otherwise in accordance with the nature and purpose identified in any Additional Services Terms.

Type of Personal Data:

  • in respect of Customer's authorised users:

    full name; employer; email address; phone number; device hardware and software information; IP address.

  • in respect of End-User's data including:

    full name; email address; financial information; device hardware and software information; IP address.

Categories of Data Subjects:

  • Customer's authorised users in respect of their use of the Services

  • End-User in respect of receiving the supply of services from the Customer

Special categories of Personal Data:

  • Not applicable

bdgt and Mltpl are trading names of Mltpl Technologies Limited (Company No. 13004754, VAT No. 362 7398 68). Mltpl is an agent of Plaid Financial Ltd., an authorised payment institution regulated by the Financial Conduct Authority under the Payment Services Regulations 2017 (Firm Reference Number: 804718). Plaid provides you with regulated account information services through Mltpl as its agent.

© 2025 Mltpl Technologies Ltd.