Data Processing Agreement

Last updated February 17, 2025

This agreement covers the terms and conditions for the processing of personal data by Taylored Software Solutions Limited, operating as Simple Invoicing (the "Data Processor" or the "Counterparty"), on behalf of the customer (the "Data Controller" or the "Client") in connection with the services provided by the Data Processor to the Data Controller.

Data Protection

For the purposes of this Agreement, "controller", "processor", "data subject", "Personal Data" and "process" shall have the meanings set out in the UK GDPR, and "process" and "processed", when used in relation to the processing of Client's Data, will be construed accordingly and will include both manual and automatic processing. Any reference to "Personal Data" includes a reference to "special categories of personal data", as applicable, where "special categories of personal data" means Client's Data that incorporates any of the categories of data listed in Article 9(1) of the UK GDPR. The Parties shall each process Personal Data under this Agreement. The Parties acknowledge that the factual arrangement between them dictates the classification of each Party in respect of the Data Protection Legislation. Notwithstanding the foregoing, the Parties anticipate that each Party shall act as a Controller in its own right, as further set out in Schedule 1 (Data Processing Particulars). For the avoidance of doubt, the Parties are not joint controllers for the purposes of Article 26 of the UK GDPR. In this sense, the Parties acknowledge and agree that:
  1. Client is acting as a Controller in its own right in relation to the Client Supplied Personal Data that is processed by the Counterparty in the course of providing market research services to Client; and
  2. when the Counterparty is collecting survey responses from respondents and/or Personal Data in the course of providing the Services to Client, the Counterparty is acting as the Controller in its own right of those survey responses and/or that Personal Data, which is not transferred back to the Client unless otherwise agreed and with the participants' consent.
The Parties acknowledge that Personal Data provided to the Counterparty will only be used for the purposes outlined in Schedule 1 (Permitted Purpose). The Parties acknowledge that in the event of any conflict between the provisions of this Agreement and any other agreement governing the processing of personal data, the provisions herein shall prevail. Each of the Parties acknowledges and agrees that Schedule 1 (Data Processing Particulars) is an accurate description of the Data Processing Particulars. Where a Party is acting as a Controller in relation to this Agreement, it shall comply with its obligations under the Data Protection Legislation and shall ensure that any required notification to the relevant Regulator has been made, such notification to include its use and processing of the Personal Data. Where the Counterparty is acting as a Processor in relation to this Agreement it shall:
  • comply with its obligations under the Data Protection Legislation.
  • process the Personal Data strictly in accordance with the Client’s instructions for the processing of the Client Supplied Personal Data and only for the purposes of providing the Services or as otherwise instructed in writing by the Client.
  • notify the Client if it believes that any instruction issued by the Client is not compliant with applicable Data Protection Legislation.
  • keep and maintain a record of processing as required under Article 30(2) of the UK GDPR.
  • ensure that access to the Personal Data is limited to only those employees who require access to it for the purpose of providing the Services and that all such employees have undergone training in the law of data protection, their duty of confidentiality and in the care and handling of Personal Data.
  • assist the Client promptly with all subject information requests which may be received from Data Subjects relating to the Client Supplied Personal Data.
  • employ appropriate operational and technological processes and procedures to keep the Personal Data safe from unauthorised use or access, loss, destruction, theft or disclosure.
  • not disclose the Personal Data to a third party in any circumstances other than at the specific written request of the Client, unless the disclosure is required by law.
  • notify the Client of any information security incident that may impact the processing of the Personal Data within 24 (twenty-four) hours of discovering or becoming aware of any such incident.
  • not keep the Personal Data on any laptop or other removable drive or device unless that device is protected by being fully encrypted, and the use of the device or laptop is necessary for the provision of the Services.
Where a Party collects Personal Data which it subsequently transfers to the other Party, it shall:
  • ensure that it is not subject to any prohibition or restriction which would:
    • prevent or restrict it from disclosing or transferring the Personal Data to the other Party, as required under this Agreement; or
    • prevent or restrict the other Party from processing the Personal Data as envisaged under this Agreement;
  • ensure that all fair processing notices have been given (and/or, as applicable, valid consents obtained that have not been withdrawn) and are sufficient in scope and kept up-to-date in order to meet the Transparency Requirements to enable each Party to process the Personal Data in order to obtain the benefit of its rights, and to fulfil its obligations, under this Agreement in accordance with the Data Protection Legislation. For the avoidance of doubt, the Parties do not warrant to each other that any use of transferred Personal Data outside the scope of this Agreement shall be compliant with the Data Protection Legislation;
  • ensure that the Personal Data is:
    • adequate, relevant and limited to what is necessary in relation to the Permitted Purpose; and
    • accurate and, where necessary, up to date, having taken every reasonable step to ensure that any inaccurate Personal Data (having regard to the Permitted Purpose) has been erased or rectified.
  • ensure that the Personal Data is transferred between the Parties by a secure means.

Neither Party shall, by its acts or omissions, cause the other Party to breach its obligations under the Data Protection Legislation, in particular where one of the Parties has a duty to preserve the anonymity of respondents.

Each Party shall indemnify and keep the other fully indemnified from and against any and all losses, fines, liabilities, damages, costs, claims, amounts paid in settlement and expenses (including legal fees, disbursements, costs of investigation, litigation, settlement, judgment, interest and penalties) that are sustained, suffered or incurred by, awarded against or agreed to be paid by the other Party as a result of, or arising from, a breach by the indemnifying Party of its obligations under this Agreement (Data Protection) and/or the Data Protection Legislation, including, in particular: any monetary penalties or fines levied by any Regulatory Body on the other Party; the costs of any investigative, corrective or compensatory action required by any Regulatory Body, or of defending proposed or actual enforcement action taken by any Regulatory Body; and any losses suffered or incurred by, awarded against or agreed to be paid by the other Party pursuant to a claim, action or challenge made by a third party (including a data subject) against the other Party.

Where relevant, each Party shall notify the other promptly (and in any event within seventy-two (72) hours) following its receipt of any Data Subject Request or Regulatory Body Correspondence which relates directly or indirectly to the processing of Personal Data under this Agreement or to either Party's compliance with the Data Protection Legislation, and shall provide with such notice a copy of the Data Subject Request or Regulatory Body Correspondence and reasonable details of the circumstances giving rise to it. Each Party shall: only disclose Personal Data in response to any Data Subject Request or Regulatory Body Correspondence where it has obtained the other Party's prior written consent; and provide the other Party with all reasonable co-operation and assistance required in relation to any such Data Subject Request or Regulatory Body Correspondence.

SUB-PROCESSING

For the purposes of this clause, the term "sub-processor" means any processor (as defined under the Data Protection Legislation) engaged by the Counterparty to carry out specific processing activities in respect of any Personal Data supplied by the Client. Where the Counterparty is acting as a Processor, it may need to engage sub-processors. The Client gives its general consent to the Counterparty's use of the sub-processors set out in Schedule 2 (List of Authorised Sub-processors). Where the Counterparty engages a sub-processor, the Counterparty will enter into a contract with the sub-processor that imposes on the sub-processor the same data protection obligations that apply to the Counterparty under this Agreement. Any sub-processing shall be strictly in accordance with the terms of this Agreement. Where a sub-processor fails to fulfil its data protection obligations, the Counterparty will remain fully liable to the Client for the performance of that sub-processor's obligations.

Security of Data Processing

Each Party shall implement and maintain (in accordance with Article 32 of the UK GDPR) appropriate technical and organisational measures, taking into account the state of the art, the costs of implementation, the nature, scope, context and purposes of the processing, and the varying likelihood and severity of the risk to the rights and freedoms of natural persons, in order to ensure a level of security appropriate to that risk. Such measures will include, but shall not be limited to:
  • the pseudonymisation and encryption of Personal Data, where appropriate;
  • the ability to ensure the ongoing confidentiality, integrity, availability and resilience of relevant Processing systems and services;
  • the ability to restore the availability and access to the Personal Data in a timely manner in the event of a physical or technical incident, including a Personal Data Breach;
  • a process for regularly testing, assessing and evaluating the effectiveness of the technical and organisational measures in order to ensure the security of the Processing of Personal Data.

PERSONAL DATA BREACHES AND REPORTING PROCEDURES

The Parties shall each comply with their respective obligations to report a Personal Data Breach to the appropriate Supervisory Authority under Article 33 of the UK GDPR and, where applicable, to communicate it to affected data subjects under Article 34 of the UK GDPR, and shall each inform the other Party without undue delay of any Personal Data Breach, irrespective of whether there is a requirement to notify any Supervisory Authority or data subject(s). Where a Party is acting as a Processor, it shall notify the other Party immediately if it becomes aware of, or reasonably suspects, any potential or actual Personal Data Breach affecting Client Supplied Personal Data and, in any event, within twenty-four (24) hours, to enable the other Party to determine whether it must notify the Regulatory Body in its own capacity as Controller. The Parties agree to provide each other with such reasonable assistance as is necessary to facilitate the handling of any Personal Data Breach in an expeditious and compliant manner.

DATA SUBJECTS' RIGHTS

The Parties each agree to provide such assistance as is reasonably required to enable the other Party to comply with requests from Data Subjects exercising their rights under the Data Protection Legislation, within the time limits imposed by the Data Protection Legislation. The Parties shall notify each other as soon as reasonably practicable after becoming aware that they: have received a request to rectify, block or erase any Personal Data; have received any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation; or have become aware of a Data Loss Event.

GOVERNING LAW AND JURISDICTION

This Agreement and any non-contractual obligations arising out of or in connection with it shall be governed by and interpreted in accordance with the laws of England. Each Party irrevocably submits to the exclusive jurisdiction of the courts of England over any claim or matter arising under, or in connection with, this Agreement.