Data Processing Agreement
Effective Date: 29/03/2022
DATA PROCESSING AGREEMENT
This Data Processing Agreement (“Agreement”) is entered into by and between THIRTY-ONE CIRCLES LTD, incorporated and registered in England and Wales with company number 13999453, whose registered office is at The Gallery, 14 Upland Road, London, England, SE22 9EE (“Thirty-One Circles” or “Supplier” or the “Data Processor”), and the entity or person placing an Order for or accessing the Services (“Company” or the “Data Controller”) (hereinafter collectively referred to as the “Parties”).
- the Supplier and the Company entered into an Agreement (hereinafter: the “Agreement”) concerning the provision, by the Supplier, of the service(s) relating to a Thirty-One Circles platform subscription (hereinafter: the “Services”);
- the provision of the aforementioned services by the Supplier involves the processing by the latter, on behalf of the Company, of data subjects’ Personal Data, of which the Company is the Data Controller (hereinafter: “Personal Data”), better described in Annex 1: Scope of the data processing;
- the Supplier declares that it has the relevant experience, technical skills and resources which enable it to implement adequate technical and organisational measures to ensure compliance with applicable legislation on the protection of personal data and the protection of the interested parties/data subjects;
- with the present Data Processing Agreement, the Parties intend to regulate the processing and protection of Personal Data in compliance with applicable laws and regulations, as applicable in the United Kingdom (“UK”), including: (i) EU Regulation 2016/679 of 27 April 2016 on the protection of persons with regard to the processing of personal data (the EU GDPR); (ii) the EU GDPR as it forms part of UK law by virtue of the European Union (Withdrawal) Act 2018, as modified by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (SI 2019/419) (“UK GDPR”); (iii) the Data Protection Act 2018; (iv) the Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2003/2426); (v) all other applicable data protection and privacy legislation in force in the UK and the European Economic Area (together, “Data Protection Legislation”);
- hereinafter, the Company and the Supplier are also qualified as Data Controller and Data Processor respectively;
- for the purposes of this Data Processing Agreement, the terms “Data Controller”, “Data Processor”, “data subject / interested party”, “data processing / processing of personal data” and “Supervisory Authority” shall have the meaning attributed to them, respectively, by the UK GDPR.
Now therefore (and the preambles form an integral and substantial part of this Data Processing Agreement), the Parties agree to and stipulate the following:
1.1 The Parties expressly acknowledge and accept that, with reference to the processing of Personal Data, the Company performs the role of Data Controller. As such, it is solely responsible for the correctness and legitimacy of the Personal Data, for its use under the Agreement and the legitimacy of the methods with which such data was acquired.
1.2 The Company appoints the Supplier, pursuant to Article 28 of the UK GDPR, as Data Processor for the Personal Data processing connected to the provision of the Services.
- Scope of the data processing
The purpose of the Personal Data processing by the Supplier is the provision of the Services under the Agreement. The nature of the data processing, the type of Personal Data processed and the categories of Data Subjects are better described in Annex 1: Scope of the data processing.
- General obligations of the Data Processor
3.1 The Personal Data shall be processed by the Data Processor in accordance with applicable rules on the processing of personal data, with this Data Processing Agreement and with any reasonable instructions received in writing from the Company, provided that these instructions are consistent with the terms of this Data Processing Agreement, and only and exclusively insofar as this is strictly necessary for the provision of the Services covered by the Agreement, expressly excluding any other and different use.
3.2 The only possible exception from the prohibition referred to in the preceding paragraph 3.1 is the existence of a legal obligation, or the reasoned request by an Administrative or judicial authority, including the Information Commissioner’s Office (“ICO”) or applicable Supervisory Authorities (hereinafter: “Authority”), in which case the Data Processor, within the limits permitted by law or by the Authority’s provisions, shall inform the Company of its need to process the Personal Data differently or outside the limits of the provisions set out in this Data Processing Agreement.
3.3 It is expressly understood that the Personal Data under the ownership of the Company:
- shall not be disclosed, even in part, to third parties, without the Company's written consent;
- may not be transferred, for any reason whatsoever, outside the UK without the Company's prior written consent. For all such transfers, the Data Processor will apply the Company’s instructions.
3.4 The Data Processor undertakes to create, update and transmit to the Company, upon written request from the latter, the register of data processing activities carried out by the Data Processor on behalf of the Company, including all the information required by law.
- Security-related obligations
4.1 The Data Processor shall adopt and maintain suitable technical and organisational measures to protect the security, confidentiality and integrity of the Personal Data, taking into account, inter alia, the type of data processing, the purposes, the context and the specific circumstances in which the data processing takes place, as well as the applicable technology and implementation costs.
4.2 The Data Processor undertakes to adopt the necessary physical, organisational and logical measures referred to in Annex 2: Security measures. These measures may be changed only on condition that a security level at least equivalent to that existing at the time this Data Processing Agreement is signed is maintained.
4.3 Any developments and/or changes of security measures, to be applied during the Agreement to address the changing needs of the Company and/or due to changes and updates to applicable legislation on the protection of personal data, including changes and updates needed for the purpose of adapting to the provisions of the UK GDPR, shall be adopted and implemented by the Supplier and/or its subcontractors, at the Company's responsibility and expense and upon express request and indication by the latter, as well as on the basis of an impact assessment which shall be its responsibility to carry out as Data Controller, if necessary with the collaboration of the Supplier.
- Persons authorised to process the data
5.1 Without prejudice to the provisions of Section 11 below, the Data Processor guarantees that access to the Personal Data shall be limited to its own employees and collaborators, whose access to the Personal Data is necessary for the execution of the relevant Services and on condition that the individuals involved are appropriately instructed with regard to the processing of Personal Data and to the technical and organisational security measures required to protect the Personal Data.
5.2 The Data Processor shall also be required to attend to their training, monitor their actions and, on specific request, provide the Company with an updated list of said employees and collaborators.
- Personal Data Breaches (so-called “Data Breach”)
The Data Processor undertakes to inform the Data Controller, without undue delay, of any suspected or actual security breach or data breach, which may involve the accidental or illicit destruction, loss, modification, unauthorised disclosure or access to Personal Data transmitted, stored or otherwise processed, as well as to provide all necessary support to the Data Controller concerning the fulfilment of its obligation to notify the aforementioned breaches to the Authority, pursuant to Article 33 of the UK GDPR or to communicate them to the data subjects, pursuant to Article 34 of the UK GDPR.
- Impact assessment (so-called “Data Protection Impact Assessment”)
The Data Processor undertakes to provide the Data Controller with each and every element useful to the latter for the purpose of carrying out the impact assessment on data protection, where it is required to carry out such an assessment pursuant to Article 35 of the UK GDPR, as well as all necessary collaboration in carrying out any prior consultation with the ICO pursuant to Article 36 of the UK GDPR.
- Relations with the Authorities
The Data Processor, at the Data Controller's request, undertakes to assist the latter in the event of defence proceedings before the ICO or the Judicial Authority, including by allowing the prompt presentation of privacy forms and supporting documents which fall within the competence of the Data Processor.
- Requests from data subjects/interested parties
9.1 To the extent permitted by law, the Data Processor shall inform the Company of any request received from a data subject to exercise his/her rights of access, modification, limitation of data processing, deletion, portability of data, opposition to the processing of data or the right not to be subject to decision-making processes based solely on automated processing, attaching a copy of the request to the communication.
9.2 In view of the nature of the data processing, the Data Processor shall assist the Company by way of appropriate technical and organisational measures, to the extent possible, in the fulfilment of the Company’s obligation to respond to requests from data subjects, in compliance with applicable standards.
9.3 It is expressly understood that the Data Processor shall not follow up on requests received pursuant to the preceding paragraph 9.1, without the prior written consent of the Company.
- Additional obligations
10.1 The Data Processor shall provide the Data Controller with all the information needed to demonstrate compliance with the obligations laid down in the applicable legislation and/or the Data Controller’s instructions referred to in this Data Processing Agreement; moreover, it shall allow the Data Controller to exercise the appropriate control and inspection powers, providing all reasonable collaboration in the audit activities carried out by the Data Controller or by another body appointed or authorised by it, which shall not be a competing company of the Data Processor, with the aim of verifying the fulfilment of the obligations and instructions referred to in this Data Processing Agreement. It is understood that any audit conducted pursuant to this paragraph 10.1 shall be carried out in such a way as not to interfere with the Data Processor’s normal course of business and by providing at least 20 working days prior notice.
10.2 The Data Processor undertakes to:
- collaborate, if requested by the Company, with other Data Processors, in order to harmonise and coordinate the end-to-end data processing process;
- promptly inform the Data Controller of any issues that are relevant for legal purposes and in particular, by way of example and without limitation, in cases where it becomes aware, in any way, that applicable legislation on personal data protection has been breached, or that the data processing presents specific risks to the rights, the fundamental freedoms and/or the dignity of the data subject, and if, in its opinion, an instruction violates national or UK legislation on data protection.
- Sub-Data Processors
11.1 The Supplier may use additional Data Processors to process the Personal Data owned by the Company (hereinafter: “Sub-Data Processors”), only if the Company has given its prior written consent. It is hereby noted that the subcontracting of the service or part thereof is authorised in relation to the companies of the Data Processor’s Group.
11.2 The Data Processor undertakes to impose in writing on its Sub-Data Processors, by way of appropriate binding agreements, the same obligations regarding the protection of Personal Data with which the Data Processor is required to comply by virtue of this Data Processing Agreement, in particular with regard to security requirements.
11.3 The Data Processor expressly undertakes to inform the Company of any changes concerning the addition or replacement of the Sub-Data Processors; moreover, the Company shall have the right to oppose these changes, communicating its objection in writing within 15 (fifteen) calendar days from the Data Processor’s notification. The Data Processor shall not resort to the Sub-Data Processors to which the Company has objected. In the absence of any objections by the Company, the changes shall be deemed to have been accepted.
11.4 It is expressly understood that the Data Processor shall remain directly accountable to the Company with regard to the actions and omissions of its Sub-Data Processors.
The Data Processor shall be liable for all damages resulting from breaches of or non-compliance with the instructions referred to in this Data Processing Agreement, any subsequent ones transmitted in writing by the Company, as well as with the provisions of the UK GDPR specifically directed to the Data Processor, within the limits of 100% of the value of the Services Agreement. It is understood that under no circumstances shall the Data Processor, and more generally any company belonging to the Data Processor’s Group, as well as its agents, employees and/or authorised representatives, be liable to the Company for: (i) any indirect, incidental, special, punitive and/or consequential damage of any kind; (ii) any lost profits (whether direct or indirect); (iii) any loss of income (direct or indirect); or (iv) any damage to the latter’s reputation, in connection with or arising out of this Agreement.
- Return and deletion of personal data
Upon the expiry of the Agreement and/or termination of the Services or, in any case, in the event of termination, for any reason, of the effectiveness of this Data Processing Agreement, except where a legal obligation or national and/or Community regulation exists that foresees the retention of the Personal Data, the Data Processor shall interrupt all data processing operations relating to the Personal Data in question and provide, at the Data Controller’s discretion, for the immediate return of Personal Data to the same or for its full deletion, in both cases, providing a written statement that no copy thereof is held by the Data Processor. In the event of a written request by the Data Controller, the Data Processor shall specify the technical mechanisms and procedures used for the deletion/destruction of the data.
This Data Processing Agreement shall be effective from the date on which it is signed by the Parties and shall be valid until the termination of the Agreement for any reason and/or, in any case, of the Services, or until the premature termination for any reason by the Data Controller, it being understood that, even after termination of the Agreement or Services or revocation thereof, the Data Processor shall maintain the maximum confidentiality of the data and information relating to the Data Controller of which it has become aware while fulfilling its obligations.
- Data protection officer (so-called “DPO”)
The Data Processor shall appoint a Data Protection Officer, pursuant to Article 37 of the UK GDPR and undertakes to inform the Company of such appointment.
- GOVERNING LAW
This Agreement shall be governed by the laws of England and Wales and shall be subject to the exclusive jurisdiction of the English courts.
ANNEX 1: SCOPE OF THE DATA PROCESSING
This Annex is an integral part of the Contract for the appointment of the Data Processor.
Data Processing Details
The subject matter, duration, nature and purposes of the Processing of the Protected Data by the Supplier under this DPA, together with the types of Personal Data and the categories of Data Subjects involved, are as set out in Schedule 1.
Subject matter of Processing
Processing of the Data Controller’s current analytics data, CRM data and website user data (and, where applicable, app user data), comprising:
- Online identifiers (User-ID and equivalent);
- Behavioral Data linked to the identifiers;
- Matching Data (email, hashed email).
Nature and purpose of the Processing:
The Supplier will analyse the data provided in order to deliver audience insights and audience segments for advertising targeting. During this process it will help manage compliance on the basis of the consent recorded for each data subject.
Categories of Data Subjects
Customers and users of the Website and App
Types of Personal Data

| Platform | Processing activity | Types of Personal Data |
|---|---|---|
| Amazon Web Services | Analysis to create audience segments and load these to the Customer's Onwards Platforms | Online identifiers, Behavioral Data, Matching Data |
| Google Cloud Platform | Analysis to create audience segments and load these to the Customer's Onwards Platforms | Online identifiers, Behavioral Data, Matching Data |
ANNEX 2: SECURITY MEASURES
Based on the activities supplied, as applicable to the purpose of the Agreement, the Data Processor and any authorised Sub-Data Processors shall respect the following security measures.
- Asset management: where the service offered by the Supplier provides for the management of IT assets, an inventory of the assets used for the data processing and a list of the types of data processed shall be defined and maintained.
  - At the end of the working relationship, and in the case of the reuse, disposal or sale of electronic devices or storage media to third parties, procedures for the secure deletion and destruction of data processed on behalf of the Company shall be provided for, in agreement with the Data Controller (e.g. demagnetisation or physical destruction). Secure disposal methods shall also be adopted for paper documentation.
- Physical security: adequate security measures shall be adopted where activities conducted on behalf of the Company are carried out at the Supplier’s premises.
- Logical access control: unauthorised processing of information shall be prevented through the definition of correct user access methods. If the Supplier requires access to the Company's resources within the context of the activities it performs, it shall comply with the authorisation procedures defined by the Company in question. If the Supplier has the power to autonomously manage users within the scope of the service offered:
  - Access to the information shall be restricted through the adoption of appropriate technical and organisational controls.
  - Access to the information and resources shall be restricted according to the principles of “need to know”, “least privilege” and, where possible, “separation of duties” (defined at the end of this Annex).
  - A user identification and authentication process must be implemented to access data stored in the various systems, and the relevant authorisations must be configured in compliance with the principles of the previous point.
  - System administrator users with special privileges must be managed with particular care and in compliance with applicable legal provisions.
  - A user management process that covers all stages of the credential life cycle, from creation to deactivation, must be defined and documented.
  - Password management policies that provide mechanisms for changing passwords and for ensuring their complexity must be adopted. Passwords must be stored and transmitted securely.
  - Infrastructure systems must be appropriately protected and segregated, whenever possible, so as to minimise the possibility of unauthorised logical access. Particular attention shall be given to systems that have connections with the outside world.
- Operational management of systems, networks and telecommunications: within the context of information systems management carried out on behalf of the Company, where provided under the Agreement, an adequate level of information system security shall be ensured during the operating phase, in order to adequately protect the data processed.
  - Appropriate measures shall be taken to ensure the prevention and detection of potentially harmful software (e.g. viruses, malware, etc.).
  - Plans and procedures must be defined for managing operating system, software and data backups, where such activities are planned.
  - The constant monitoring of patches released for the systems used must be guaranteed; moreover, a process must be defined for evaluating and, if deemed necessary, applying new security patches.
  - The network must be appropriately designed to ensure that data is protected. IT systems used and maintained within the scope of the activities carried out for the Company must be protected at perimeter level from any unauthorised access.
- Development, maintenance and acquisition of IT systems: IT systems (applications, operating systems, middleware, etc.) must be developed or acquired and maintained over time in such a way as to preserve the confidentiality, integrity and availability of data.
  - Where the services provided by the Supplier concern design and development activities, security requirements shall be appropriately considered, implemented and verified, including in accordance with the principles of Privacy by design/by default.
- Security measures adopted in the case of subcontracting: if authorised by the Company, the subcontracting of activities must be conducted ensuring that the security requirements that govern the relationships are correctly defined and respected.
- Security incident management: in the event of an incident, the prompt detection, communication to the Company and, if applicable, the management of any damage or impact shall be guaranteed in the shortest time possible, including in agreement with what has been defined in the Data Breach Notification process.

Definitions of the access control principles referred to above:
- The need to know principle requires that data access rights are assigned consistently with, and not exceeding, the specific corporate role; an individual must not view any data not deemed useful to the correct and efficient performance of their job.
- The least privilege principle requires that the access privileges assigned do not exceed the specific company role (e.g. if for a given task specific data must only be consulted or viewed, no access rights should be granted that allow the modification of such data).
- The separation of duties (SOD) principle requires that the authorisation and the execution of an action are not the responsibility of the same person.