Data Processing Addendum
The terms and conditions below and the data processing details in Annex A constitute this “Data Processing Addendum” or “DPA”. This DPA forms part of any ordering document or agreement between the parties under which the Processor provides services to the Controller (an “Agreement”).
1. Definitions and Interpretation. Unless the context requires otherwise, the following definitions and rules of interpretation apply in this DPA:
“Controller, Processor, Data Subject, Personal Data, Personal Data Breach and Processing shall have the meaning as defined in the Data Protection Legislation, and their cognate terms shall be construed accordingly.
“Data Protection Legislation” means all applicable data protection and privacy legislation in force from time to time which applies to a party including the EU GDPR, the UK GDPR and the UK Data Protection Act 2018, in each case as amended, updated or replaced from time to time.
“Data Subject Request” means a Data Subject request to access, correct, amend, transfer or delete that person’s Personal Data consistent with that person’s rights under the Data Protection Legislation;
“EU GDPR” means the General Data Protection Regulation ((EU) 2016/679)."Existing Sub-processor" means each Sub-processor appointed by Sylvera to Process Personal Data as at the Effective Date;
"IDTA" means the International Data Transfer Agreement, as issued under Section 119A(1) of the Data Protection Act 2018, and in force 21 March 2022, as may be updated by the Information Commissioner's Office from time to time;
"New Sub-processor" means any Sub-processor to which Sylvera wishes to delegate the Processing of Personal Data;
"Restricted Country" means a country or territory outside the United Kingdom that is not a country or territory that the United Kingdom has deemed to provide an adequate level of protection for Personal Data pursuant to a decision made in accordance Article 45(1) of the UK GDPR;
"Restricted Transfer" means a transfer of Personal Data to a Restricted Country where such transfer would be prohibited without a legal basis under Chapter V of the UK GDPR; and
"Sub-processor" means any Processor appointed by or on behalf of Sylvera to Process Personal Data.
“UK GDPR” means the EU GDPR as incorporated into UK law by the European Union (Withdrawal) Act 2018 (as amended by the European Union (Withdrawal) Act 2020) and amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (as further amended from time to time).
Any capitalised terms used in this DPA but not defined shall have the meaning given to them in the Agreement.
“Controller, Processor, Data Subject, Personal Data, Personal Data Breach and Processing shall have the meaning as defined in the Data Protection Legislation, and their cognate terms shall be construed accordingly.
“Data Protection Legislation” means all applicable data protection and privacy legislation in force from time to time which applies to a party including the EU GDPR, the UK GDPR and the UK Data Protection Act 2018, in each case as amended, updated or replaced from time to time.
“Data Subject Request” means a Data Subject request to access, correct, amend, transfer or delete that person’s Personal Data consistent with that person’s rights under the Data Protection Legislation;
“EU GDPR” means the General Data Protection Regulation ((EU) 2016/679)."Existing Sub-processor" means each Sub-processor appointed by Sylvera to Process Personal Data as at the Effective Date;
"IDTA" means the International Data Transfer Agreement, as issued under Section 119A(1) of the Data Protection Act 2018, and in force 21 March 2022, as may be updated by the Information Commissioner's Office from time to time;
"New Sub-processor" means any Sub-processor to which Sylvera wishes to delegate the Processing of Personal Data;
"Restricted Country" means a country or territory outside the United Kingdom that is not a country or territory that the United Kingdom has deemed to provide an adequate level of protection for Personal Data pursuant to a decision made in accordance Article 45(1) of the UK GDPR;
"Restricted Transfer" means a transfer of Personal Data to a Restricted Country where such transfer would be prohibited without a legal basis under Chapter V of the UK GDPR; and
"Sub-processor" means any Processor appointed by or on behalf of Sylvera to Process Personal Data.
“UK GDPR” means the EU GDPR as incorporated into UK law by the European Union (Withdrawal) Act 2018 (as amended by the European Union (Withdrawal) Act 2020) and amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (as further amended from time to time).
Any capitalised terms used in this DPA but not defined shall have the meaning given to them in the Agreement.
2. Data Processing Obligations. The parties acknowledge and agree that for the purposes of the Data Protection Legislation, in respect of the Processing of any Personal Data by Sylvera under the Agreement, the Customer is the Controller and Sylvera is the Processor of such Personal Data and the Processing activities undertaken by Sylvera are set out in Annex A.
3. Each party will comply with all applicable requirements of the Data Protection Legislation when Processing Personal Data. This is in addition to, and does not relieve, remove or replace, a party's obligations or rights under the Data Protection Legislation.
4. The Customer instructs Sylvera (and authorises Sylvera to instruct each Sub-processor) to Process Personal Data, including to transfer Personal Data outside of the United Kingdom, as reasonably necessary to provide the Services.
5. Sylvera’s Processing obligations
5.1 To the extent that Sylvera Processes any Personal Data on behalf of the Customer in connection with Sylvera's performance of the Services, Sylvera shall:
5.1.1 only Process such Personal Data in accordance with the written instructions of the Customer as set out in the Agreement unless Sylvera is required by applicable law to otherwise Process that Personal Data, in which case Sylvera shall inform the Customer of that legal requirement before such Processing, unless that law prohibits such information on important grounds of public interest;
5.1.2 require all personnel who have access to and/or Process Personal Data to keep the Personal Data confidential;
5.1.2 require all personnel who have access to and/or Process Personal Data to keep the Personal Data confidential;
5.1.3 notify the Customer without undue delay if it suffers a Personal Data Breach providing the Customer with sufficient information which allows the Customer to meet its obligations to report a Personal Data breach under the Data Protection Legislation;
5.1.4 notify the Customer without undue delay if it receives any Data Subject Request relating to the Personal Data, and shall: (i) not respond to the Data Subject Request without the Customer’s prior written consent and in accordance with the Customer’s instructions; and (ii) shall provide such assistance as the Customer may reasonably require in respect of such Personal Data in order for the Customer to comply and respond to the Data Subject Request in accordance with the Data Protection Legislation;
5.1.6 on the Customer's written request, provide reasonable assistance to the Customer in inputting into and carrying out data protection impact assessments and prior consultations with supervisory authorities, which the Customer reasonably considers to be required under the Data Protection Legislation in each case solely in relation to the Processing of Personal Data by Sylvera under the Agreement and taking into account the nature of the Processing and information available to Sylvera; and
5.2 To the extent legally permitted, the Customer shall be responsible for any costs arising from Sylvera’s provision of assistance beyond the existing functionality of the Services.
5.3 The Customer provides general authorisation to Sylvera's use of Sub-processors to perform Processing activities with Personal Data on behalf of the Customer in accordance with this paragraph 5. Sylvera's website (currently posted at www.Sylvera.com) lists Existing Sub-processors that are currently engaged by Sylvera. Where Sylvera engages a New Sub-processor, or makes a change to an Existing Sub-processor, Sylvera will update the list on the applicable website. The Customer shall regularly review the website to monitor any such changes.
5.4 If the Customer raises objections to Sylvera's appointment of a new Sub-processor on reasonable grounds, Sylvera shall either (i) alter its plans to use the Sub-processor with respect to the Processing of Personal Data; or (ii) take corrective steps to remove the Customer’s objections. If none of the above options are reasonably available and such objections cannot be reasonably resolved by the parties within thirty (30) days of the objection by the Customer, either party may elect to terminate the Agreement on thirty (30) days' written notice to the other party.
5.5 In relation to each Sub-processor appointed by Sylvera, Sylvera shall:
5.5.1 ensure that such Sub-processor is subject to a written agreement which imposes on it binding contractual obligations which are equivalent to the terms imposed on Sylvera under this DPA to the extent required by Data Protection Legislation; and
5.5.2 ensure that Sylvera shall be liable for the acts and omissions of such Sub-processors in relation to the Processing of such Personal Data.
5.6 With respect to any Restricted Transfer from Sylvera to a Sub-processor in a Restricted Country, Sylvera shall not cause or permit such transfer or Processing without ensuring that the IDTA is entered into as required by applicable Data Protection Legislation, or an alternate safeguard is implemented pursuant to Article 46 of the UK GDPR.
5.7 Upon termination or expiry of the Agreement, at the written request of the Customer, Sylvera shall cease all Processing of any Personal Data Processed on the Customer’s behalf under the Agreement and shall return or destroy all such Personal Data, unless Sylvera is required by applicable laws to store the Personal Data or to retain the Personal Data in accordance with Sylvera's data retention policies.
5.8 In order to demonstrate Sylvera’s compliance with the Data Protection Legislation and the terms of this DPA, Sylvera shall: upon reasonable request with not less than 4 weeks' notice, and provided that the Customer shall not make more than one request in any rolling 12 month period, provide the Customer with a copy of Sylvera's most recent audit results undertaken by a third party auditor to demonstrate Sylvera's compliance with its obligations under this DPA and shall make available to the Customer all information reasonably requested by the Customer, at the cost of the Customer, to demonstrate its compliance with the requirements of this DPA.
6. Obligations of The Customer
6.1 The Customer shall:
6.1.1 ensure that the Personal Data is accurate and up-to-date, and remains so during the period of the Processing;
6.1.2 have at all times during the Term of the Agreement appropriate technical and organisational measures to ensure a level of security appropriate to the risk to protect any Personal Data;
6.1.3 provide clear and comprehensible written instructions to Sylvera for the Processing of Personal Data to be carried out under the Agreement;
6.1.4 not do anything in connection with the Personal Data that would or might cause Sylvera to be in breach of any Data Protection Legislation or other law and/or to incur liability to any data subject; and
6.1.5 ensure that it has all the necessary licences, permissions, consents, authority and notices in place to enable lawful transfer of Personal Data to Sylvera for the duration and purposes of the Agreement and, if requested in writing by Sylvera, shall promptly provide written confirmation of the same.
Annex A
1. Nature and Purpose of Processing. The nature and purpose of the Processing are as set out in the Agreement.
2. Subject Matter and Duration of Procession. The subject matter of the Processing of Personal Data is set out in the Agreement and Sylvera will Process Personal Data for the Term of the Agreement.
3. Categories of Data Subjects. Authorised Users of Sylvera's Software and Services including the employees, representatives, contractors and agents of the Customer.
4. Type of Personal Data. Personal details including name and contact information, user activity details and user preferences, device details, browser history details, location details and electronic identification data including IP address and information collected through cookies.