Data Processing Agreement

Background

This Data Processing Agreement (“DPA”) forms part of the Membership Services Agreement (“MSA”) between SME Tools Ltd (“SME Tools”) and the Customer named in the applicable Order Form.

The Customer is the Controller of Personal Data processed in connection with the Services. SME Tools acts as the Processor of that Personal Data, processing it solely on behalf of and on the documented instructions of the Customer.

This DPA sets out the terms on which SME Tools will process Personal Data on the Customer’s behalf, in accordance with applicable Data Protection Legislation. It supplements and forms part of the MSA. In the event of any conflict between this DPA and the MSA, this DPA shall prevail in respect of data protection matters.

The Customer retains ownership of all Personal Data it provides to SME Tools or which SME Tools processes on its behalf. SME Tools acquires no rights in that Personal Data beyond those strictly necessary to perform the Services.

1. Definitions

In this DPA, the following terms have the following meanings. Capitalised terms not defined here have the meaning given in the MSA or Membership Terms.

  • “Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data.

  • “Data Protection Legislation” means all applicable laws and regulations relating to the processing of Personal Data and privacy, including (as applicable): the UK General Data Protection Regulation (UK GDPR) as defined in the Data Protection Act 2018; the EU General Data Protection Regulation (Regulation (EU) 2016/679) (EU GDPR); the Data Protection Act 2018; the Privacy and Electronic Communications Regulations 2003; and any successor or replacement legislation, as amended from time to time.

  • “Data Subject” means an identified or identifiable natural person to whom Personal Data relates.

  • “DPA” means this Data Processing Agreement including its Appendices.

  • “Personal Data” means any information relating to an identified or identifiable natural person, as defined in applicable Data Protection Legislation.

  • “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.

  • “Processor” means a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Controller.

  • “Processing” has the meaning given in applicable Data Protection Legislation and “process” and “processed” shall be construed accordingly.

  • “Restricted Transfer” means a transfer of Personal Data to a country or territory outside the United Kingdom or the European Economic Area, as applicable, which is not subject to an adequacy decision.

  • “Standard Contractual Clauses” or “SCCs” means the standard contractual clauses for the transfer of Personal Data to third countries approved by the European Commission under Decision 2021/914/EU, as may be updated from time to time.

  • “Sub-processor” means any Processor engaged by SME Tools to process Personal Data on behalf of the Customer.

  • “UK Addendum” means the International Data Transfer Addendum to the EU Standard Contractual Clauses issued by the UK Information Commissioner’s Office under s.119A of the Data Protection Act 2018, as may be updated from time to time.

2. Data Protection Compliance

Each Party shall comply with its respective obligations under applicable Data Protection Legislation in connection with the processing of Personal Data under this DPA.

SME Tools shall process Personal Data only on the documented instructions of the Customer, as set out in this DPA, the MSA and any applicable Order Form, unless required to do so by applicable law. In such a case, SME Tools shall inform the Customer of that legal requirement before processing, unless the law prohibits such notification.

SME Tools shall promptly notify the Customer if, in its opinion, any instruction from the Customer infringes applicable Data Protection Legislation.

3. Customer Obligations as Controller

The Customer warrants and represents that it has all necessary rights, consents and lawful bases to transfer Personal Data to SME Tools for processing under this DPA, and that such processing by SME Tools in accordance with the Customer’s instructions will not breach applicable Data Protection Legislation.

The Customer is solely responsible for:

  • the accuracy, quality and lawfulness of the Personal Data it provides to SME Tools;

  • establishing and maintaining the lawful basis for processing under applicable Data Protection Legislation;

  • responding to Data Subject requests in respect of Personal Data for which the Customer is Controller; and

  • ensuring that any instructions it gives to SME Tools comply with applicable Data Protection Legislation.

The Customer shall indemnify and hold SME Tools harmless from and against any claims, losses, costs or liabilities arising from the Customer’s failure to comply with its obligations as Controller under this clause.

4. SME Tools Obligations as Processor

SME Tools shall, in relation to Personal Data processed on behalf of the Customer:

  • process Personal Data only on documented instructions from the Customer, except where required by applicable law;

  • ensure that all Personnel authorised to process Personal Data are subject to binding confidentiality obligations;

  • implement and maintain appropriate technical and organisational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access, as further described in clause 5;

  • not engage any Sub-processor without the general written authorisation of the Customer, as described in clause 6;

  • taking into account the nature of the processing, assist the Customer in responding to Data Subject requests, to the extent reasonably practicable;

  • assist the Customer in ensuring compliance with its obligations relating to security, breach notification, data protection impact assessments and prior consultation with supervisory authorities, taking into account the nature of the processing and the information available to SME Tools;

  • at the Customer’s election, delete or return all Personal Data to the Customer on termination or expiry of the MSA, and delete existing copies unless retention is required by applicable law; and

  • make available to the Customer all information reasonably necessary to demonstrate compliance with this DPA, and permit and contribute to audits and inspections conducted by the Customer or an auditor appointed by the Customer, on reasonable notice and subject to reasonable confidentiality obligations.

5. Security Measures

SME Tools shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk of processing. These measures shall include, as appropriate:

  • pseudonymisation and encryption of Personal Data;

  • the ability to ensure ongoing confidentiality, integrity, availability and resilience of processing systems and services;

  • the ability to restore availability and access to Personal Data in a timely manner in the event of a physical or technical incident; and

  • a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures.

SME Tools shall notify the Customer without undue delay, and in any event within 72 hours of becoming aware, of any Personal Data Breach affecting Personal Data processed on the Customer’s behalf. Such notification shall include, to the extent available at the time:

  • a description of the nature of the Personal Data Breach, including the categories and approximate number of Data Subjects and Personal Data records concerned;

  • the name and contact details of SME Tools’ data protection contact;

  • the likely consequences of the Personal Data Breach; and

  • the measures taken or proposed to address the Personal Data Breach.

SME Tools shall cooperate with the Customer and take such reasonable steps as the Customer may direct to investigate, mitigate and remediate any Personal Data Breach.

6. Sub-Processors

The Customer grants SME Tools general written authorisation to engage Sub-processors to assist in providing the Services. By entering into the MSA and this DPA, the Customer acknowledges and accepts the use of Sub-processors.

An up-to-date list of current Sub-processors is maintained at sme.tools/legal/documentation. SME Tools may update its Sub-processors from time to time as reasonably required to operate and improve the Services. SME Tools will update the Sub-processor list at sme.tools/legal/documentation when Sub-processors are added or replaced.

Where a change of Sub-processor relates to a service that is itself the subject of an Order Form (for example, a managed third-party security service), such a change constitutes a material change to the Services and will be handled in accordance with the notice and variation provisions of the MSA. SME Tools will seek the Customer’s agreement before implementing such a change.

SME Tools shall ensure that each Sub-processor is bound by data protection obligations no less protective than those set out in this DPA. SME Tools remains liable to the Customer for the acts and omissions of its Sub-processors to the same extent as if SME Tools had performed the processing itself.

7. Data Subject Rights

SME Tools shall, taking into account the nature of the processing, provide reasonable assistance to the Customer to enable it to comply with requests from Data Subjects exercising their rights under applicable Data Protection Legislation, including rights of access, rectification, erasure, restriction, portability and objection.

Where a Data Subject contacts SME Tools directly with a request relating to Personal Data for which the Customer is the Controller, SME Tools shall promptly forward such request to the Customer and shall not respond to the Data Subject directly except with the Customer’s prior written consent or as required by law.

8. International Transfers

SME Tools shall not make any Restricted Transfer of Personal Data except in accordance with applicable Data Protection Legislation and subject to appropriate transfer mechanisms being in place.

The Parties agree that, to the extent that SME Tools makes any Restricted Transfer of Personal Data in connection with the Services, the transfer mechanisms set out in Appendix 1 (EU Standard Contractual Clauses) and Appendix 2 (UK Addendum) shall apply, as applicable.

SME Tools selects Sub-processors on the basis of their ability to provide appropriate levels of security and privacy protection. Where Sub-processors are located outside the UK or EEA, SME Tools shall ensure that appropriate safeguards are in place in accordance with applicable Data Protection Legislation.

9. Term and Termination

This DPA shall remain in force for the duration of the MSA and any applicable Order Form under which SME Tools processes Personal Data on behalf of the Customer.

On termination or expiry of the MSA, SME Tools shall, at the Customer’s written election, either return all Personal Data to the Customer or securely delete it, in each case within a reasonable time period, unless applicable law requires continued retention. SME Tools shall certify in writing to the Customer that it has complied with this obligation upon request.

10. Governing Law

This DPA and any dispute or claim arising out of or in connection with it shall be governed by and construed in accordance with the law of England and Wales. Each Party irrevocably submits to the exclusive jurisdiction of the courts of England and Wales.

Appendix 1: EU Standard Contractual Clauses

Where SME Tools makes a Restricted Transfer of Personal Data from the European Economic Area to a third country, the Standard Contractual Clauses approved by the European Commission under Decision 2021/914/EU (Module 3: Processor to Sub-Processor, or such other Module as is applicable to the nature of the transfer) shall apply between SME Tools and the relevant Sub-processor.

For transfers from the EEA where the Customer is a Controller and SME Tools is the Processor, the SCCs (Module 2: Controller to Processor) shall apply as between the Customer and SME Tools, with:

  • the Customer as ‘data exporter’; and

  • SME Tools as ‘data importer’.

The details of the processing (nature and purpose, types of Personal Data, categories of Data Subjects and duration) shall be as set out in the MSA, the applicable Order Form, and the Sub-processor list at sme.tools/legal/documentation.

The optional clauses and Annexes of the SCCs shall be completed as follows:

  • Clause 7 (Docking clause): included.

  • Clause 11 (Redress): the optional language regarding independent dispute resolution bodies is not included.

  • Clause 17 (Governing law): the SCCs shall be governed by the law of Ireland.

  • Clause 18 (Choice of forum): disputes shall be resolved before the courts of Ireland.

  • Annex I: the details of the processing are as set out in the MSA and applicable Order Form.

  • Annex II: the technical and organisational measures are as described in clause 5 of this DPA and updated from time to time at sme.tools/legal/documentation.

  • Annex III: the list of Sub-processors is maintained at sme.tools/legal/documentation.

Appendix 2: UK Addendum

Where SME Tools makes a Restricted Transfer of Personal Data from the United Kingdom to a third country, the UK Addendum issued by the UK Information Commissioner’s Office under s.119A of the Data Protection Act 2018 shall apply to supplement the EU SCCs set out in Appendix 1, to the extent required to make those SCCs lawful under UK law.

The UK Addendum shall be completed as follows:

  • Table 1 (Parties): as set out in the MSA and applicable Order Form.

  • Table 2 (Selected SCCs, Modules and Selected Clauses): the EU SCCs as set out in Appendix 1 of this DPA.

  • Table 3 (Appendix Information): as set out in Appendix 1 of this DPA and at sme.tools/legal/documentation.

  • Table 4 (Ending this Addendum when the Approved Addendum changes): either Party may end the UK Addendum in accordance with the terms of the UK Addendum itself.

In the event of any conflict between the EU SCCs and the UK Addendum in respect of UK transfers, the UK Addendum shall prevail.