The Clik Data Processing Agreement (“DPA”), reflects the parties’ agreement with respect to the terms governing data protection under the Clik Terms of Service. This DPA amends the Terms Of Service and is effective from 1st August 2023, when it will form a part of the Terms Of Service.
The term of this DPA shall follow the Terms Of Service. Capitalised words not otherwise defined in this DPA shall have the meaning set out in the Terms Of Service.
Definitions
Data Protection Legislation | means: (i) to the extent the UK GDPR applies, the law of the United Kingdom or of a part of the United Kingdom which relates to the protection of Personal Data (including without limitation the UK GDPR, the Data Protection Act 2018 (and regulations made under it) (DPA 2018), and the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426) as amended; and (ii) to the extent the EU GDPR applies, the law of the European Union or any member state of the European Union to which Clik or the Customer is subject, which relates to the protection of Personal Data. |
EU GDPR | means the General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data. |
Standard Contractual Clauses | means the Information Commissioner Office’s (ICO) International Data Transfer Agreement for the transfer of personal data from the UK and/or the ICO’s International Data Transfer Addendum to EU Commission Standard Contractual Clauses and/or the European Commission’s Standard Contractual Clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 as set out in the Annex to Commission Implementing Decision (EU) 2021/914 and/or the European Commission’s Standard Contractual Clauses for the transfer of Personal Data from the European Union to processors established in third countries (controller-to-processor transfers), as set out in the Annex to Commission Decision 2010/87/EU as adapted for the UK, or such alternative clauses as may be approved by the European Commission or by the UK from time to time |
UK GDPR | has the meaning given to it in section 3(10) (as supplemented by section 205(4)) of the DPA 2018 |
Valid Transfer Mechanism | a mechanism governing the transfer of personal data outside of the UK and European Economic Area which is an appropriate safeguard as required by Article 46 of the UK GDPR and/or EU GDPR (as applicable) , including (without limitation) transfers to countries that have been designated as adequate by the an adequacy regulation of the UK government or an adequacy decision of the European Commission, use of Standard Contractual Clauses, use of approved binding corporate rules, and/or reliance on the EU-US Data Privacy Framework (for transfers to the US) |
2. Data Protection
2.1. General: If Clik processes any personal data supplied to it by or on behalf of Customer for the purposes of this agreement, the provisions of clauses 2.2 and 2.3 shall apply to that personal data. For the purposes of this agreement “personal data”, “data controller”, “data processor”, “processing” and “data subject” shall have the respective meanings given in the Data Protection Legislation. For these purposes the parties acknowledge that the Customer is the controller and Clik is the processor, and the Customer retains control of the personal data and remains responsible for its compliance obligations under the applicable Data Protection Legislation.
2.2. Processing of Personal Data – Customer Obligations: Where the Customer expects that Clik will process personal data, the Customer shall:
2.2.1 ensure that the personal data is accurate and up-to-date, and remains so during the period of the processing;
2.2.2 ensure that a lawful basis under the Data Protection Legislation applies (including if consent is the lawful basis that that all necessary consents have been obtained) for the supply of the personal data and its processing by Clik, and that it has provided all required privacy notices, and if requested by Clik shall promptly provide written confirmation of the same;
2.2.3 not do anything in connection with the personal data that would or might cause Clik to be in breach of any Data Protection Legislation or other law and/or to incur liability to any data subject, regulatory authority, or other third party;
2.2.4 procure that no third party shall extract any Customer data unless Clik has consented to such extraction by such third party and Customer has entered into an agreement with such third party to limit the use of the Customer data subject to such extraction to the purposes agreed in advance with Clik; and
2.2.5 not, and shall not permit any third party to, write, upload, amend, or alter, any Customer data and other data stored on Clik’s databases other than directly via the Clik software or a Clik approved interface, or otherwise with Clik’s prior written consent.
2.3 Processing of Personal Data – Clik Obligations: To the extent that Clik processes personal data on behalf of the Customer in connection with this agreement, Clik shall:
2.3.1 solely process the personal data for the purposes of fulfilling its obligations in this agreement and in compliance with the Customer’s written instructions as set out in this agreement (and shall promptly notify the Customer if, in its opinion, the Customer’s instructions do not comply with the Data Protection Legislation, provided always that any such notification does not constitute legal advice, and the Customer remains solely responsible for determining the legality of its instructions);
2.3.2 ensure that any persons used by Clik to process personal data are required to treat the personal data confidentially;
2.3.3. take appropriate technical and organisational measures against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data taking into account the nature of the processing and harm that might result from such unauthorised or unlawful processing, loss, destruction or damage and the nature of the personal data to be protected including without limitation, all such measures that may be required to ensure compliance with the Data Protection Legislation;
2.3.4 provide all reasonable possible assistance and co-operation to enable the Customer to fulfil its obligations to respond to requests from individuals exercising their rights under the Data Protection Legislation;
2.3.5 notify the Customer as soon as reasonably practicable (and in any event within two business days) if Clik or any sub-contractor engaged by or on behalf of Clik suffers a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data that is processed in connection with this agreement;
2.3.6 following a notification under clause 2.3.5, provide reasonable co-operation, information and assistance to the Customer as may be necessary to enable the Customer to notify relevant supervisory authorities and data subjects of the data security breach to the extent such notification is required under the Data Protection Legislation;
2.3.7 assist the Customer with carrying out data protection impact assessments and consulting with relevant supervisory authorities where such assessments and/or consultation are required pursuant to the Data Protection Legislation, provided that the parties acknowledge that the processing undertaken by Clik will not constitute processing for which a data protection impact assessment is required and accordingly that if the Customer requests a change to the processing that requires a data protection impact assessment the scope of such assistance shall be agreed by the parties in advance and the Customer shall pay Clik’s reasonable costs incurred in providing such assistance;
2.3.8 upon termination of this agreement, at the choice of the Customer, delete or return all personal data to the Customer and delete existing copies, except that Clik shall be permitted to retain back-up copies of data in accordance with Clik’s normal back-up procedures and for no longer than is necessary for adherence with those procedures;
2.3.9 upon reasonable request with not less than 4 weeks’ written notice, and provided that the Customer shall not make more than one request in any rolling 12 month period (other than in the event of a breach or where required by a supervisory authority), make available to the Customer all information necessary to demonstrate compliance with the obligations set out in this clause 2 and allow for and contribute to audits, including inspections, conducted by or on behalf of the Customer subject to: (a) the Customer taking all reasonable steps to minimise disruption to Clik’s business in the conduct of any such audit or inspection; (b) to the extent reasonably possible the Customer relying on information provided to it by Clik (including the provision of evidence of any appropriate independent third party certification) rather than conducting physical audit or inspection; (c) any person conducting any such audit or inspection agreeing suitable confidentiality undertakings directly with Clik, and to comply with all reasonable Clik policies required for access to Clik’s premises; and (d) the audit or inspection not permitting the Customer access any confidential information of third parties in the control or possession of Clik.
2.4 Permitted Subcontractors and Transfers of Data:In performing its obligations under this agreement Clik may appoint one or more of its Affiliates or another third party as sub-processors, in which case Clik as data processor remains responsible to the Customer for the actions of its sub-processors and shall remain bound by its obligations under clause 2.3 above. A list of sub-processors used by Clik is set out below. The Customer acknowledges that such sub-processors may be located outside the European Economic Area, in which case the Customer authorises Clik to transfer personal data to or access personal data from such locations provided that Clik has put in place and maintains a Valid Transfer Mechanism in relation to such transfers. If any such transfer requires execution of Standard Contractual Clauses in order to comply with the Data Protection Legislation, the parties will complete all relevant details in, and execute, the Standard Contractual Clauses, and take all other actions required to legitimise the transfer. The Customer authorises Clik to enter into Standard Contractual Clauses with any of Clik’s sub-processors in the Customer’s name and on its behalf, which Clik will make available to the Customer on request.
2.5 Anonymous Data Analytics: Subject always to its duties under this clause 2 Clik may from time to time use data processed by any product or service supplied by Clik under this agreement to produce statistical analyses, market data and predictive models (“Analytics”). No personal data will be used for the purposes of Analytics (other than to the extent used in an aggregated and anonymised fashion that prevents reconstitution to the original personal data).
Data Processing Activities
Categories of data | Names / Addresses / Contact details / Signatures |
Categories of Data Subjects | Controllers Contacts, Controllers Employees and Controllers suppliers. |
Processing Operations | The processing operations include collecting, storing and allowing for retrieval of data |
Purposes | Personal Data will be Processed for the purposes of providing the services set out and otherwise agreed to in the Clik Terms of Service. |
Duration | Personal Data will be processed for the duration of the agreement with Clik |
Sub-Processors | Zendesk: Used for support purposes and logging faults which could include personal details of a data subject. Address: 1019 Market Street San Francisco CA 94103 USA Privacy Policy (zendesk.co.uk) Mobifi: Used to transport text messages. Address: Woodlands 415 Limpsfield Road Warlingham Surrey United Kingdom CR6 9HA http://www.mobifi.com/privacy-policy |