Data Processing Agreement
Last updated: 17 January 2023
In consideration of you, the customer, engaging the services of Akiko Design to process personal data on your behalf, we shall comply with the security, confidentiality and other obligations imposed on us under this agreement and any applicable data protection legislation.
Parties to this agreement:
(1) The Customer (or you), being the legal person or entity that has requested the Services in accordance with the Order (the “Controller”);
(2) Akiko Design Ltd, incorporated and registered in England and Wales with company number 08328550 whose registered office is at Suite 13 Bramley Business Centre, Station Road, Bramley, Guildford, Surrey GU5 0AZ (the “Processor”).
Background and Scope
(A) The Controller determines the purposes and means of processing Personal Data in connection with its business activities;
(B) The Processor processes Personal Data on behalf of the Controller;
(C) The Controller wishes to engage the services of the Processor to process personal data on its behalf;
(D) The UK GDPR provides that, where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of the UK GDPR and ensure the protection of the rights of the data subject;
(E) The UK GDPR further provides that the Processor shall not engage another processor without prior specific or general written authorisation of the controller. In the case of general written authorisation, the processor shall inform the controller of any intended changes concerning the addition or replacement of other processors, thereby giving the controller the opportunity to object to such changes;
(F) The UK GDPR further provides that, the Processor and any person acting under the authority of the controller or of the processor, who has access to personal data, shall not process those data except on instructions from the controller, unless required to do so by law;
(G) In compliance with the above-mentioned provisions of the UK GDPR the Controller and Processor wish to enter into this processing agreement.
The parties hereby mutually agree the following:
- Definitions and Interpretation
- Processing Details
- Obligations of the Processor
- Obligations for Both Parties
- Engaging a Sub-processor
- Audits and Inspections
- Term and Termination
- Intellectual Property Rights
- Governing Law
- Entire Agreement
- Appendix 1
- Appendix 2
1. Definitions and Interpretation
1.1 In this agreement the following words and phrases shall have the following meanings, unless inconsistent with the context or as otherwise specified:
“Appendix 1” means the appendix to this agreement and which forms part of this agreement;
“Appendix 2” means the appendix to this agreement and which forms part of this agreement;
“UK GDPR”, hereafter referred to as the Regulation, means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018;
“Controller, data controller, processor, data processor, data subject, personal data, special categories of personal data, personal data breach, supervisory authority, processing and appropriate technical and organisational measures”: as set out in the Data Protection Legislation in force at the time;
“Confidential Information” means all information disclosed by a party to the other party pursuant to this agreement which is either designated as proprietary and/or confidential, or by its nature or the nature of the circumstances surrounding disclosure, should reasonably be understood to be confidential, including (but not limited to), information on products, customer lists, price lists and financial information;
“Data Protection Legislation” means the data protection and privacy legislation which is in force in the UK and it includes the Data Protection Act 2018, the UK GDPR and the Privacy and Electronic Communications Regulations 2003;
“Order” means the request to purchase Services from Akiko Design Ltd subject to the terms of this agreement;
“Services” means services provided by Akiko Design Ltd to the Controller under this agreement, including but not limited to, the provision of some or all of the following: corporate branding and design, website design and development, website maintenance and support, hosting and consultancy;
“Sub-contract” and “sub-contracting” shall mean the process by which either party arranges for a third party to carry out its obligations under this agreement;
“Sub-processor” means the party to whom the obligations are sub-contracted.
2.1 In consideration of the Controller engaging the services of the Processor to process personal data on its behalf, the Processor shall comply with the security, confidentiality and other obligations imposed on it under this agreement and any applicable Data Protection Legislation.
3. Processing Details
3.1 The Controller may submit Personal Data to the Processor, the extent of which is determined and controlled by the Controller in its sole discretion, and which may include, but is not limited to, Personal Data relating to the following categories of data subjects:
• Prospects, customers, business partners and suppliers of the Controller (who are natural persons);
• Employees, agents, advisors and freelancers of the Controller (who are natural persons).
It may also include, but is not limited to, the following categories of Personal Data:
• First and Last Name, Position, Employer, Contact Information (company, email, phone, physical business address), ID Data, Professional Life Data, Personal Life Data, Localisation Data.
The Processor will hold any such Personal Data until such time as it is asked by the Controller, an individual or a company to remove it or to take any other action in accordance with the UK GDPR.
3.2 Without prejudice to the generality of clause 5.2, the Controller will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the Personal Data to the Processor for the duration and purposes of this agreement.
4. A) Obligations of the Processor
The Processor agrees to:
4.1 Process the personal data only on documented instructions from the Controller, including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by Union or Member State law to which the Processor is subject; in such a case, the processor shall inform the Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.
4.2 Take into account the nature of the processing, and assist the Controller through appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller’s obligation to respond to requests for exercising the data subject’s rights laid down in Chapter III of the Regulation. In addition, the Processor shall:
4.2.1 Promptly notify the Controller if it receives a request from a Data Subject under any Data Protection Legislation in respect of Controller Personal Data; and
4.2.2 Ensure that the Processor does not respond to that request except on the documented instructions of the Controller or as required by Data Protection Legislation to which the Processor is subject, in which case the Processor shall, to the extent permitted by Data Protection Legislation, inform the Controller of that legal requirement before the Processor responds to the request.
4.3 Take into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, and the Processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.
4.4 Take into account, in assessing the appropriate level of security, the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.
4.5 Have in place appropriate technical and organisational security measures, reviewed and approved by the Controller, to protect the personal data provided or made available by the Controller to the Processor in the context of this agreement, as required under the Data Protection Legislation. Further details, including the minimum standard of security protection, are set out in Appendix 1 of this agreement.
4.6 For the avoidance of doubt, nothing within this agreement relieves the Processor of its own direct responsibilities and liabilities under the UK GDPR.
4. B) Additional Obligations of the Processor
The Processor further agrees, by taking into account the nature of processing and the information available to the Processor, to:
4.7 Assist the Controller in meeting its obligation to keep personal data secure;
4.8 Assist the Controller in meeting its obligation to notify personal data breaches to the supervisory authority, which includes:
4.8.1 Notifying the Controller without undue delay upon the Processor or any Sub-processor becoming aware of a Personal Data Breach affecting Controller Personal Data.
4.8.2 Such notification shall as a minimum:
a) Describe the nature of the Personal Data Breach, the categories and numbers of Data Subjects concerned, and the categories and numbers of Personal Data records concerned;
b) Communicate the name and contact details of the Processor’s data protection officer or other relevant contact from whom more information may be obtained;
c) Describe the likely consequences of the Personal Data Breach; and
d) Describe the measures taken or proposed to be taken to address the Personal Data Breach.
4.8.3 In addition, to co-operate with the Controller and to take such reasonable commercial steps as are directed by the Controller to assist in the investigation, mitigation and remediation of each such Personal Data Breach.
4.9 Assist the Controller in meeting its obligation to advise data subjects when there has been a personal data breach;
4.10 Assist the Controller in meeting its obligation to carry out data protection impact assessments (DPIAs); and
4.11 Assist the Controller in meeting its obligation to consult with the supervisory authority where a DPIA indicates there is an unmitigated high risk to the processing.
5. Other Obligations for Both Parties
5.1 The Controller and Processor shall take steps to ensure that any natural person acting under the authority of the Controller or the processor who has access to personal data does not process them except on instructions from the Controller, unless he or she is required to do so by law.
5.2 Both parties will comply with all applicable requirements of the Data Protection Legislation. This clause 5.2 is in addition to, and does not relieve, remove or replace, a party’s obligations under the Data Protection Legislation.
6.1 The Processor shall ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
6.2 In particular, the Processor agrees that, save with the prior written authorisation of the Controller, it shall not disclose any personal data supplied to the Processor by, for, or on behalf of, the Controller to any third party.
6.3 The Processor shall not make any use of any personal data supplied to it by the Controller otherwise than in connection with the provision of services to the Controller and as agreed in this agreement.
6.4 The obligations in clauses 6.1, 6.2 and 6.3 above shall continue for a period of five years after the cessation of the provision of services by the Processor to the Controller.
6.5 Nothing in this agreement shall prevent either party from complying with any legal obligation imposed by a regulator or court. Both parties shall however, where possible, discuss together the appropriate response to any request from a regulator or court for disclosure of information.
7. Engaging a Sub-processor
7.1 By entering into this agreement, the Controller hereby permits the Processor to appoint Sub-processors of Personal Data and, for the term that this agreement is in force, shall have a general right to appoint Sub-processors of Personal Data. The Processor will provide the Controller with prior notification before appointing any Sub-processors of any Personal Data that are in addition to those noted in Appendix 2.
7.2 The Processor will notify the Controller of the use of any new Sub-processor prior to the adoption of the Sub-processor and the transfer of the Controller’s Data or provision of any form of access to the Controller’s Data, thereby giving the Controller the opportunity to object to such change and to terminate the agreement as a result of this change. The Controller must ensure that all necessary Data Protection Consents are obtained or other legitimate grounds for processing the Personal Data are established. The Controller’s continued use of the Services constitutes approval for the use of this new Sub-processor and is confirmation by the Controller that the use of all Sub-processors is lawful under the applicable Data Protection Legislation.
7.3 Where the Processor engages a Sub-processor for carrying out its obligations under this agreement or other legal act, it shall do so only by way of a written agreement with the Sub-processor which imposes at least the same level of protection for the Controller as set out in this agreement or other legal act, including but not limited to providing sufficient guarantees in relation to the security of the processing on the Sub-processor as are imposed on the Processor under this agreement.
7.4 The Processor agrees to provide to the Controller for review such copies of the written agreement between the Processor and the Sub-processor (which may be redacted to remove confidential commercial information not relevant to the requirements of this agreement) as the Controller may request from time to time.
7.5 For the avoidance of doubt, where the Sub-processor fails to fulfil its data protection obligations, the Processor will be liable to the Controller for the fulfilment of that other processor’s obligations.
8. Audits and Inspections
The Processor agrees to:
8.1 Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this agreement and the Data Protection Legislation;
8.2 Allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.
8.3 The Processor shall immediately inform the Controller if, in its opinion, an instruction pursuant to this section 8 infringes the Data Protection Legislation.
9. Term and Termination
9.1 This agreement will commence from the date of the order and shall continue in full force and effect until the agreement is terminated in accordance with the Terms & Conditions for Supply of Services.
9.2 Either party shall have the right to terminate this agreement, partially or entirely, forthwith by sending a written notice of termination to the other party specifying the reasons for the termination, if any of the following events occur:
9.2.1 The other party materially breaches any of its obligations under this agreement;
9.2.2 The other party breaches any of its obligations under this agreement and, notwithstanding a written request from the non-breaching party to remedy such a breach, fails to comply with such a request within a period of thirty (30) days following such notice;
9.2.3 An event of force majeure prevails for a period exceeding three (3) months; or
9.2.4 The other party becomes insolvent or enters liquidation, a petition in bankruptcy is filed for it or a receiver is appointed.
9.3 Upon the termination or expiry of this agreement, any rights and obligations of the parties, accrued prior to the termination or expiry thereof shall continue to exist.
9.4 Within thirty (30) days following termination of this agreement the Processor shall, at the direction of the Controller, either (a) return all personal data passed to the Processor by the Controller for processing, or (b) on receipt of instructions from the Controller, destroy all such data unless the Processor is prohibited from doing so by any applicable law.
9.5 The Processor may retain Controller Personal Data to the extent required by Data Protection Legislation and only to the extent and for such period as required by Data Protection Legislation and always provided that the Processor and any sub-processor shall ensure the confidentiality of all such Controller Personal Data and shall ensure that such Controller Personal Data is only processed as necessary for the purpose(s) specified in the Data Protection Legislation requiring its storage and for no other purpose.
9.6 The Processor shall provide written certification to the Controller that it and any sub-processor has fully complied with this section 9 within thirty (30) days of the termination date.
10. Intellectual Property Rights
10.1 The Processor is and shall remain the owner of any materials used or made available in the context of the delivery of the services.
10.2 The Processor grants to the Controller a limited, personal, non-exclusive, non-transferable right to use any material provided in the context of the delivery of the services. This license is valid for the duration of the agreement.
10.3 The Controller is and shall remain the owner of any personal data supplied or made available to the Processor in the context of this agreement.
10.4 The Controller grants to the Processor a limited, personal, non-exclusive, non-transferable right to use any personal data provided only in the context of the delivery of the services. This license is valid for the duration of the agreement.
11. Governing Law
11.1 This agreement shall be governed by and construed exclusively in accordance with the laws of England and Wales.
12. Entire Agreement
12.1 This agreement contains the entire agreement and understanding between the parties with respect to the subject matter hereof and supersedes and replaces all prior agreements or understandings, whether written or oral, with respect to the same subject matter that are still in force between the parties.
12.2 Any amendments to this agreement, as well as any additions or deletions, must be agreed in writing by both the parties.
12.3 Whenever possible, the provisions of this agreement shall be interpreted in such a manner as to be valid and enforceable under the applicable law stated as per clause 11 above.
13.1 Should any provision of this agreement be invalid or unenforceable, then the remainder of this agreement shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.
14. Appendix 1
Technical and Organisational Measures
In compliance with its obligations under clause 4 with regard to the processing of personal data on behalf of the Controller, the Processor, as a minimum requirement, shall implement appropriate technical and organisational measures to comply with the requirements of the Regulation. This includes the requirements stated in the Data Protection Legislation, namely:
• The pseudonymisation and encryption of personal data;
• The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
• The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
• A process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
15. Appendix 2
Akiko Design Ltd utilises a small number of Data Sub-processors in order to provide Services to the Controller. The following list of Data Sub-processors that may be used to provide Services will be updated from time to time to reflect the current operational position:
Email, Marketing and Communications
- Microsoft Ltd – provision of Akiko Design email services used for communications with the Controller
- HubSpot, Inc – provision of Akiko Design’s CRM System
- Campaign Monitor Pty Ltd – provision of bulk emailing services
- MailChimp – provision of bulk emailing services
Servers and Hosting
- Iomart Group PLC – provision of servers for website hosting and backup storage
- Kinsta, Inc – provision of servers for website hosting and backup storage
- The Positive Internet Company – provision of servers for website hosting and backup storage
- Amazon Web Services, Inc – provision of servers for website hosting and backup storage
- Mailgun Technologies, Inc – provision of email services for delivering website generated email
- SendGrid, Inc – provision of email services for delivering website generated email
- GoDaddy Operating Company, LLC – provision of domain registration and SSL services
- 123 Reg Ltd – provision of domain registration services
- Fasthosts Internet Ltd – provision of domain registration services
- Cloudflare, Inc – provision of DNS management services
- ManageWP, LLC – provision of WordPress management tools and security features
- Active Collab, LLC – provision of project management tools