Data Processing Agreement
Home > Legal > Terms and conditions > Data Processing Agreement
This Data Processing Agreement (“DPA”) forms part of the Master Subscription Agreement, Professional Services Agreement, Partner Agreement, End User Licence Agreement or any other agreement pertaining to the delivery of services (‘Agreement’) between Concentra Consulting Limited and Affiliates (“Supplier”) and the Customer named in such Agreement to reflect the Parties’ agreement with regard to the Processing of Customer Data. All capitalized terms not defined herein shall have the meaning set forth in the Agreement.
Customer enters into this DPA on behalf of itself and, to the extent required under applicable Data Protection Laws and Regulations, in the name and on behalf of its Authorized Affiliates.
In the course of providing the Services to Customer pursuant to the Agreement, Supplier may Process Customer Data on behalf of Customer and the Parties agree to comply with the following provisions with respect to any Customer Data, each acting reasonably and in good faith.
If the entity signing this DPA is not a party to an effective Agreement with Supplier, this DPA shall not be valid or legally binding. In the event of a conflict between the terms and conditions of this DPA and the Agreement, the terms and conditions of this DPA shall prevail to the extent of such conflict.
This DPA has been pre-signed on behalf of Supplier as the Processor.
Unless specified otherwise below, capitalised words and expressions contained with this document have the same meaning as set out in the Agreement:
- “Affiliate” means, with respect to a Party, any entity controlling, controlled by or under common control with such Party with “control” meaning the power (whether direct or indirect) to direct or cause the direction of an entity’s affairs, whether by means of holding shares, possessing voting power, exercising contractual powers or otherwise and within “controlling” and “controlled” being construed accordingly;
- “CCPA” means the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq., and its implementing regulations.
- “Controller” means the entity which determines the purposes and means of the Processing of Customer Data.
- “Customer” means the entity that executed the Agreement together with its Affiliates (for so long as they remain Affiliates) which have signed Order Forms.
- “Customer Data” means any information relating to (i) an identified or identifiable natural person and, (ii) an identified or identifiable legal entity (where such information is protected similarly as Customer Data or personally identifiable information under applicable Data Protection Laws and Regulations), where for each (i) or (ii), such data is Customer Data.
- “Data Protection Laws” means all laws and regulations, including laws and regulations of the European Union, the European Economic Area and their member states, Switzerland, Norway, the United Kingdom, the United States and its states, Canada and Australia applicable to the Processing of Customer Data under the Agreement as amended from time to time.
- “Data Subject” means the identified or identifiable person to whom Customer Data relates.
- “Europe” means the European Union, the European Economic Area, Switzerland and the United Kingdom.
- “GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), including as implemented or adopted under the laws of the United Kingdom.
- “Processing” or “Process” means any operation or set of operations which is performed upon Customer Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- “Processor” means the entity which Processes Customer Data on behalf of the Controller, including as applicable any “service provider” as that term is defined by the CCPA.
- “Public Authority” means a government agency or law enforcement authority, including judicial authorities.
- “Sub-processor” means any Processor engaged by Supplier.
2. Processing of Customer Data
- Roles of the Parties. The parties acknowledge and agree that with regard to the Processing of Customer Data, Customer is a Controller, Supplier is a Processor and that Supplier will engage Sub-processors pursuant to the requirements set forth in section 5 “Sub-processors” below.
- Customer’s Processing of Customer Data. In its use of the Services, Customer shall Process Customer Data in accordance with the requirements of Data Protection Laws.
- Supplier’s Processing of Customer Data. Supplier shall treat Customer Data as Confidential Information and shall Process Customer Data on behalf of and only in accordance with Customer’s documented instructions for the following purposes: (i) Processing in accordance with the Agreement and applicable Order Form(s); (ii) Processing initiated by Users in their use of the Services; (iii) improving the Services and (iv) Processing to comply with other documented reasonable instructions provided by Customer (e.g., via email) where such instructions are consistent with the terms of the Agreement.
- Details of the Processing. The subject-matter of Processing of Customer Data by Supplier is the performance of the Services pursuant to the Agreement. The duration of the Processing will be for the Term of the Agreement and following the termination or the expiry of the Agreement until all Customer Data is deleted from the Supplier’s information technology by Supplier. The retention of aggregated information collated from the Customer and other customers of the relating to the access to, and use of, the Services (“Usage Data”) by Processor will not prolong the term of these Personal Data Processing Provisions in the event that all other Customer Data has been deleted by Supplier. The duration of the Processing, the nature and purpose of the Processing, the types of Customer Data and categories of Data Subjects Processed under this DPA are further specified in Schedule 1 (Description of Processing/Transfer) to this DPA.
3. Rights of Data Subjects
- Supplier shall, to the extent legally permitted, promptly notify Customer of any complaint, dispute or request it has received from a Data Subject such as a Data Subject’s right of access, right to rectification, restriction of Processing, erasure (“right to be forgotten”), data portability, object to the Processing, or its right not to be subject to an automated individual decision making, each such request being a “Data Subject Request”. Supplier shall not respond to a Data Subject Request itself, except that Customer authorizes Supplier to redirect the Data Subject Request as necessary to allow Customer to respond directly. Taking into account the nature of the Processing, Supplier shall assist Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Customer’s obligation to respond to a Data Subject Request under Data Protection Laws. In addition, to the extent Customer, in its use of the Services, does not have the ability to address a Data Subject Request, Supplier shall upon Customer’s request provide commercially reasonable efforts to assist Customer in responding to such Data Subject Request, to the extent Supplier is legally permitted to do so and the response to such Data Subject Request is required under Data Protection Laws. To the extent legally permitted, Customer shall be responsible for any costs arising from Supplier’s provision of such assistance.
4. Supplier Personnel
- Confidentiality. Supplier shall ensure that its personnel engaged in the Processing of Customer Data are informed of the confidential nature of the Customer Data, have received appropriate training on their responsibilities and have executed written confidentiality agreements. Supplier shall ensure that such confidentiality obligations survive the termination of the personnel engagement.
- Reliability. Supplier shall take commercially reasonable steps to ensure the reliability of any Supplier personnel engaged in the Processing of Customer Data.
- Limitation of Access. Supplier shall not access Customer Data without Customer’s express consent. Supplier shall ensure that Supplier’s access to Customer Data is limited to those personnel performing Services in accordance with the Agreement.
- Data Protection Officer. Supplier has appointed a data protection officer. The appointed person may be reached at email@example.com.
- Appointment of Sub-processors. Customer acknowledges and agrees that (a) Supplier’s Affiliates may be retained as Sub-processors; and (b) Supplier and Supplier’s Affiliates respectively may engage third-party Sub-processors in connection with the provision of the Services. Supplier or a Supplier Affiliate has entered into a written agreement with each Sub-processor containing, in substance, data protection obligations no less protective than those in the Agreement with respect to the protection of Customer Data to the extent applicable to the nature of the Services provided by such Sub-processor.
- List of Current Sub-processors and Notification of New Sub-processors. The current list of Sub-processors engaged in Processing Customer Data for the performance of each applicable Service, including a description of their processing activities and countries of location, is listed under the Sub-processor List which can be found on Supplier’s Trust Center webpage (“Sub-processor List”). Customer hereby consents to these Sub-processors, their locations and processing activities as it pertains to their Customer Data. Supplier shall provide notification of a new Sub-processor(s) before authorizing any new Sub-processor(s) to Process Customer Data in connection with the provision of the applicable Services.
- Objection Right for New Sub-processors. Customer may object to Supplier’s use of a new Sub-processor by notifying Supplier promptly in writing within thirty (30) days of receipt of Supplier’s notice in accordance with the mechanism set out in section 5.2. If Customer objects to a new Sub-processor as permitted in the preceding sentence, Supplier will: (i) use reasonable efforts to make available to Customer a change in the Services; (ii) or recommend a commercially reasonable change to Customer’s configuration or use of the Services to avoid Processing of Customer Data by the objected-to new Sub-processor without unreasonably burdening Customer; 0r (iii) continue to provide the Services without the objected-to new Sub-processor.
- Liability. Supplier shall be liable for the acts and omissions of its Sub-processors to the same extent Supplier would be liable if performing the services of each Sub-processor directly under the terms of this DPA, unless otherwise set forth in the Agreement.
- Controls for the Protection of Customer Data. Supplier shall maintain proper administrative, physical, and technical safeguards for the protection of the security, confidentiality and integrity of Customer Data, as described in the Documentation. Those safeguards will include, but will not be limited to, measures designed to prevent unauthorized access to or disclosure of Customer Data (other than by Customer or Users). The terms of our security provisions (‘Security Provisions’) found at https://www.orgvue.com/legal/terms-and-conditions/orgvue-security-provisions/ are hereby incorporated by reference.
- Audit. Supplier shall maintain an audit program to help ensure compliance with the obligations set out in this DPA and shall make available to Customer information to demonstrate compliance with the obligations set out in this DPA as set forth in this section.
- Third-Party Certifications and Audits. Supplier has obtained the third-party certifications and audits set out in our Trust Center found at compliance | orgvue.
- Data Protection Impact Assessment. Upon Customer’s written request, Supplier shall provide Customer with reasonable cooperation and assistance needed to fulfil Customer’s obligation under Data Protection Laws and Regulations to carry out a data protection impact assessment related to Customer’s use of the Services, to the extent Customer does not otherwise have access to the relevant information, and to the extent such information is available to Supplier.
7. Customer Data Incident Management and Notification
- Supplier maintains security incident management policies and procedures and shall notify Customer without undue delay after becoming aware of the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Data, including Customer Data, transmitted, stored or otherwise Processed by Supplier or its Sub-processors of which Supplier becomes aware (a “Customer Data Incident”). Supplier shall make reasonable efforts to identify the cause of such Customer Data Incident and take such steps as Supplier deems necessary and reasonable to remediate the cause of such a Customer Data Incident to the extent the remediation is within Supplier’s reasonable control. The obligations herein shall not apply to incidents that are caused by Customer or Customer’s Users.
8. Return and Deletion of Customer Data
- Supplier shall delete all Customer Data within 90 days of expiry or termination of the Services unless Supplier is legally obliged to store Persona Data for a longer period.
9. Europe Specific Provisions
- Definitions. For the purposes of this section 9 these terms shall be defined as follows:
” Standard Contractual Clauses” means the applicable standardised and pre-approved model data protection that allow controllers and processors to comply with their obligations under European Data Protection Laws.
- GDPR. Supplier will Process Customer Data in accordance with the GDPR requirements directly applicable to Supplier’s provision of its Services.
- Customer Instructions. Supplier shall inform Customer immediately (i) if, in its opinion, an instruction from Customer constitutes a breach of the GDPR and/or (ii) if Supplier is unable to follow Customer’s instructions for the Processing of Customer Data.
- Transfer mechanisms for data transfers. If, in the performance of the Services, Customer Data that is subject to the GDPR or any other law relating to the protection or privacy of individuals that applies in Europe is transferred out of Europe to countries which do not ensure an adequate level of data protection within the meaning of the Data Protection Laws and Regulations of Europe, the transfer mechanisms listed below shall apply to such transfers and can be directly enforced by the Parties to the extent such transfers are subject to the Data Protection Laws and Regulations of Europe and the Standard Contractual Clauses. Whereas Customer and/or its Authorized Affiliate is a Controller of Customer Data and Supplier is a Processor in respect of that Customer Data. The Parties shall comply with the Standard Contractual Clauses.
Schedule 1: description of processing/transfer
Customer Data shall be processed under the Agreement as set out below.
Subject matter and duration of the Processing:
The subject matter is the provision of the Services by Supplier to the Customer under the Agreement and any improvements by the Supplier to the Services for the Term of the Agreement. The duration will be for the Term and following the termination or the expiry of the Agreement until all Customer Data is deleted from the Supplier’s information technology by Supplier. The retention of aggregated Usage Data by Supplier will not prolong the term of these Customer Data Processing Provisions in the event that all other Customer Data has been deleted by Supplier.
Nature and purpose of the Processing:
Customer Data will be Processed for purposes of providing the Services in accordance with the Agreement and also for the purpose of improving the Services.
Type of Customer Data:
Customer Data Processed in providing the Services may include the following categories of data: names, user IDs, email addresses, job titles, salary, system usage data, application integration data, and other electronic data submitted, stored, sent, or received by Users via the Services.
Categories of Data Subject:
Customer Data submitted, stored, sent or received via the Services may relate to Users and the Customer’s employees and contractors as the Data Subjects.