The Clik Data Processing Agreement (“DPA”), that includes the Standard Contractual Clauses adopted by the European Commission, as applicable, reflects the parties’ agreement with respect to the terms governing the Data Protection under the Clik Terms of Service. This DPA is an amendment to the Terms Of Service and is effective from 25th May 2018, whereupon this DPA will form a part of the Terms Of Service.
The term of this DPA shall follow the Terms Of Service. Terms not otherwise defined herein shall have the meaning as set forth in the Terms Of Service.
Definitions
| Data Protection Legislation | means the Data Protection Act 1998 and the Privacy and Electronic Communications (EC Directive) Regulations 2003 and any replacement legislation coming into effect from time to time including (without limitation) the GDPR. |
| GDPR | means the General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data. |
| Valid Transfer Mechanism | a mechanism governing the transfer of personal data outside of the European Union which is recognised by the European Commission as providing adequate protection for personal data, including (without limitation) transfers to countries that have been designated as adequate by the European Commission, use of model contract clauses approved by the European Commission, use of approved binding corporate rules and reliance on Privacy Shield certification (for transfers to the US). |
2. Data Protection
2.1. General: If Clik processes any personal data supplied to it by or on behalf of Customer for the purposes of this agreement, the provisions of clauses 2.2 and 2.3 shall apply to that personal data. For the purposes of this agreement “personal data”, “data controller”, “data processor” and “data subject” shall have the respective meanings given in the Data Protection Legislation.
2.2. Processing of Personal Data – Customer Obligations: Where the Customer expects that Clik will process personal data, the Customer shall:
2.2.1 ensure that the personal data is accurate and up-to-date, and remains so during the period of the processing;
2.2.2 ensure that all necessary consents under the Data Protection Legislation have been obtained for the supply of the personal data and its processing by Clik, and if requested by Clik shall promptly provide written confirmation of the same; and
2.2.3 not do anything in connection with the personal data that would or might cause Clik to be in breach of any Data Protection Legislation or other law and/or to incur liability to any data subject;
2.2.4 procure that no third party shall extract any Customer data unless Clik has consented to such extraction by such third party and Customer has entered into an agreement with such third party to limit the use of the Customer data subject to such extraction to the purposes agreed in advance with Clik; and
2.2.5 not, and shall not permit any third party to, write, upload, amend, or alter, any Customer data and other data stored on Clik’s databases other than directly via the Clik software or a Clik approved interface, or otherwise with Clik’s prior written consent.
2.3 Processing of Personal Data – Clik Obligations: To the extent that Clik processes personal data on behalf of the Customer in connection with this agreement, Clik shall:
2.3.1 solely process the personal data for the purposes of fulfilling its obligations in this agreement and in compliance with the Customer’s written instructions as set out in this agreement;
2.3.2 ensure that any persons used by Clik to process personal data are required to treat the personal data confidentially;
2.3.3. take appropriate technical and organisational measures against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data taking into account the nature of the processing and harm that might result from such unauthorised or unlawful processing, loss, destruction or damage and the nature of the personal data to be protected including without limitation, all such measures that may be required to ensure compliance with Article 32 of the GDPR;
2.3.4 from 25 May 2018, taking into account the nature of the data processing activities undertaken by Clik and the information available to Clik:
a) provide all reasonable possible assistance and co-operation to enable the Customer to fulfil its obligations to respond to requests from individuals exercising their rights under the Data Protection Legislation;
b) notify the Customer as soon as reasonably practicable if Clik or any sub-contractor engaged by on behalf of Clik suffers a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data that is processed in connection with this agreement;
c) following a notification under clause 2.3.4(b), provide reasonable co-operation, information and assistance to the Customer as may be necessary to enable the Customer to notify relevant supervisory authorities and data subjects of the data security breach to the extent such notification is required under the Data Protection Legislation;
2.3.5 assist the Customer with carrying out data protection impact assessments and consulting with relevant supervisory authorities where such assessments and/or consultation are required pursuant to the Data Protection Legislation, provided that the scope of such assistance shall be agreed by the parties in advance and the Customer shall pay Clik’s reasonable costs incurred in providing such assistance;
2.3.6 upon termination of this agreement, at the choice of the Customer, delete or return all personal data to the Customer and delete existing copies, except that Clik shall be permitted to retain back-up copies of data in accordance with Clik’s normal back-up procedures;
2.3.7 upon reasonable request with not less than 4 weeks’ notice, and provided that the Customer shall not make more than one request in any rolling 12 month period, make available to the Customer all information necessary to demonstrate compliance with the obligations set out in this clause [2] and allow for and contribute to audits, including inspections, conducted by or on behalf of the Customer.
2.4 Permitted Subcontractors and Transfers of Data:
In performing its obligations under this agreement Clik may appoint one or more of its Affiliates or another third party as sub-processors, Clik as data processor remains responsible to the Customer for the actions of its sub-processors and shall remain bound by its obligations under clause 2.3 above. A list of sub-processors used by Clik is maintained below. Customer acknowledges that such sub-processors may be located outside the European Economic Area, in which case the Customer authorises Clik to transfer personal data to or access personal data from such locations provided that Clik has put in place and maintains a Valid Transfer Mechanism in relation to such transfers.
2.5 Anonymous Data Analytics: Subject always to its duties under this clause 2 Clik may from time to time use data processed by any product or service supplied by Clik under this agreement to produce statistical analyses, market data and predictive models (“Analytics”). No personal data will be used for the purposes of Analytics.
Data Processing Activities
| Categories of data | Names / Addresses / Contact details / Signatures / Location Data. |
| Categories of Data Subjects | Controllers Contacts, Controllers Employees and Controllers suppliers. |
| Processing Operations | The processing operations include collecting, storing and allowing for retrieval of data. |
| Purposes | The purpose is to allow the personal data to be delivered to an engineer to carry out a service. |
| Duration | Personal Data will be processed for the duration of the agreement with the controller. |
| Sub-Processors | Zendesk: Used for support purposes and logging faults which could include personal details of a data subject.
Mobifi: Used to transport text messages. This will log text messages sent from you the data controller to the data subject via Clik Service. |
Appendix
“Controller” means the entity which determines the purposes and means of the Processing of Personal Data.
“Processing” means any operation or set of operations which is performed upon Personal Data, whether by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Data Subject” means an individual who is the subject of personal data.
“Sub-Processors” A third party data processor Clik will use to achieve the service we provide.