GDPR StatusCake Data Processing Agreement
This StatusCake Customer Data Processing Agreement (the “StatusCake DPA”) sets out the respective duties and obligations of TrafficCake Limited t/a StatusCake.com (“StatusCake”) and users of our website and the StatusCake service (“Customers”) under the European Data Protection Regulation (“GDPR”) which comes into effect on 25th May 2018.
Any capitalised terms not defined in this StatusCake DPA will have the meaning as set out in the StatusCake Terms.
Each Customer enters into this StatusCake DPA on behalf of itself and, where required by law, also in the name of and on behalf of any Group Member.
StatusCake and the Customer (each a “Party” together the “Parties”) agree that:
It is agreed
1. DEFINITIONS AND INTERPRETATION
1.1 In this Agreement, unless otherwise stated or unless the context otherwise requires, each capitalised term will have the meaning set out below:
“Business Day” means a day (other than a Saturday or a Sunday or a public holiday) on which commercial banks are open for business in the United Kingdom;
“Controller” means an entity that determines the purposes and means of the processing of Personal Data;
“Group Member” means, in relation to a Party to this Agreement, any person or entity controlling, controlled by or under common control with such Party, for the time being;
“Processor” means the entity that processes any Personal Data on behalf of the Controller; and
“Processing” has the meaning given to it in the GDPR; the terms “process”, “processes” and “processed” will be interpreted accordingly.
1.2 In this StatusCake DPA, unless otherwise stated or unless the context otherwise requires:
(i) any recitals and schedules form part of the agreement and references to the agreement includes them;
(ii) references to recitals, clauses, schedules and appendices are to recitals and clauses of, and schedules and appendices to the agreement, references in a schedule to a part or section are to parts or sections of that schedule;
(iii) references to the agreement or any other document are to the agreement or that document as in force for the time being and as amended from time-to-time in accordance with the agreement or that document (as the case may be);
(iv) use of the words ‘includes’ or ‘including’ means without limitation;
(v) words importing a gender include every gender, references to the singular include the plural and vice versa and words denoting persons include individuals and bodies corporate, partnerships, unincorporated associations and other bodies (in each case, wherever resident and for whatever purpose) and vice versa; and
(vi) any reference to a statute or statutory provision shall be construed as including a reference to any subordinate legislation made from time to time under that statute or provision.
1.3 The headings and contents table in this StatusCake DPA are for convenience only and do not affect its interpretation.
1.4 Each Party agrees that it shall act in good faith to one another, and that neither Party will act, or exercise any of its rights or its discretion under this Agreement in an arbitrary or capricious manner.
2. Effective Date and Term
2.1 This StatusCake DPA applies only to the extent that StatusCake:
(i) processes Personal Data on behalf of the Customer in the course of providing the Services; and
(ii) such Personal Data is subject to the data protection laws of: (a) the European Union; (b) the European Economic Area; (c) Switzerland; and/or (d) the United Kingdom.
2.2 The Parties agree that they will at all times comply with this StatusCake DPA in connection with Personal Data.
3. Role of the Parties
3.1 As between StatusCake and the Customer, the Customer is the Controller of Personal Data and StatusCake agrees that it will only process Personal Data as a Processor on behalf of the Customer.
3.2 Nothing in the StatusCake Terms prevents StatusCake from using or sharing any data that StatusCake would otherwise collect and process independently of the Customer’s use of the Service.
4. Customer Obligations
4.1 The Customer agrees and accepts that:
(i) it will comply with all of its obligations as a Controller under applicable data protection laws in respect of: (i) its processing of Personal Data; and (ii) any processing instructions it issues to StatusCake; and
(ii) it has provided notice and obtained (or shall obtain) all consents and rights necessary under applicable data protection laws for StatusCake to process Personal Data and provide the Services pursuant to StatusCake Terms.
5. StatusCake Processing of Personal Data
5.1 As a Processor StatusCake will only process Personal Data for the following purposes:
(i) processing to perform the Services in accordance with the StatusCake Terms;
(ii) processing to perform any steps necessary in order to fulfil its obligations and/or performance of the Terms; and
(iii) to comply with other reasonable instructions provided by Customer to the extent they are consistent with the StatusCake Terms and only in accordance with Customer’s documented lawful instructions.
5.2 The Parties agree that this StatusCake DPA and the StatusCake Terms set out the Customer’s complete and final instructions to StatusCake in relation to the processing of Personal Data. There will be no processing of Personal Data outside the scope of these instructions without the prior written agreement of both the Parties.
6. Nature of the Data
6.2 Customer Data may be:
(i) stored and processed as necessary so as to provide, maintain and improve the StatusCake Service provided to the Customer;
(ii) stored and processed to provide customer and technical support to Customer; and/or
(iii) stored and processed and disclosed as required by law or otherwise set forth in the StatusCake Terms.
7. StatusCake Data
7.1 The Customer acknowledges that StatusCake has the right to use and disclose data relating to and/or obtained in connection with the operation, support and/or use of the Services for its legitimate business purposes, including by way of example only but not limited to, StatusCake account management, invoicing and billing, technical support, StatusCake product development, aggregated / anonymised data, sales and marketing activities (the “StatusCake Data”).
7.2 To the extent any of the StatusCake Data may be considered Personal Data under applicable laws, then StatusCake will be the Controller of such data and accordingly shall process such data in compliance with Applicable Data Protection Laws.
8. Applicability of the StatusCake DPA
8.1 The Parties acknowledge and agree that this StatusCake DPA will only apply where, and to the extent, that:
(i) StatusCake processes Personal Data on behalf of the Customer;
(ii) that processing takes place in the course of providing the StatusCake Services to the Customer; and
(iii) the Personal Data being processed is subject to Applicable Data Protection Laws.
8.2 The Parties agree that they will at all times comply with the terms and conditions of this StatusCake DPA in connection with Personal Data.
9. Role of the Parties
9.1 As and between the Parties the Customer is the Controller of Personal Data and StatusCake agrees to process any Personal Data only as a Processor on behalf of the Customer.
9.2 Nothing in this StatusCake DPA or the StatusCake Terms shall restrict or prohibit StatusCake from using or sharing any data that StatusCake would otherwise collect and process independently of Customer’s use of the Services.
10. Customer Obligations
10.1 Customer agrees that at all times it will:
(i) comply with all of its obligations as a Controller under Applicable Data Protection Laws in respect of its processing of Personal Data and any processing instructions it issues to StatusCake; and
(ii) seek to provide notice, and obtain any and all consents necessary under Applicable Data Protection Laws so that StatusCake may process any Personal Data to enable it to provide the Services under the StatusCake Terms and this StatusCake DPA.
11. StatusCake Obligations
11.1 StatusCake, as Processor, agrees that at all times it will only process Personal Data for the following reasons:
(i) to perform the Services in accordance with the StatusCake Terms;
(ii) to meet its obligations and carry out performance of the StatusCake Terms; and
(iii) to comply with other reasonable instructions provided by Customer PROVIDED ALWAYS THAT such Customer instructions are consistent with the StatusCake Terms and only in accordance with the Customer’s documented lawful instructions.
11.2 The Parties agree and accept that this StatusCake DPA and the StatusCake Terms set out the Customer’s complete and final instructions to StatusCake in relation to the processing of Personal Data.
11.3 Any processing outside the scope of the Customer’s instructions will require the prior written agreement of the Parties.
12.1 Customer agrees that from time-to-time StatusCake has the right, but not the obligation, to engage Sub-processors to process Personal Data on the Customer’s behalf. Where any such Sub-processor is used these will be set out in Schedule 1 (Appointed Sub-Processors) to this StatusCake DPA.
12.2 The Customer should review this StatusCake DPA and its schedules on a regular basis to keep up-to-date with any Sub-processors who have been added or removed from Schedule 1 (Appointed Sub-Processors). The Customer can ask to be automatically notified of any changes to Sub-processors by emailing the StatusCake DPA Office.
12.3 In the event that StatusCake does appoint a sub-processor, then StatusCake will:
(i) enter into a written agreement with the Sub-processor on such terms as are necessary under Applicable Data Protection Laws to protect any Personal; and will
(ii) remain responsible for its compliance with the obligations of this StatusCake DPA along with the acts or omissions of the Sub-processor that cause StatusCake to breach any of its obligations under this StatusCake DPA.
12.4 In the event the Customer objects to the appointment of a Sub-processor, then the Customer will notify StatusCake in writing within five (5) Business Days of the appointment of a new Sub-processor setting out its reasonable grounds for any such objection (“Customer Sub-Processor Notification”).
12.5 Following a Customer Sub-Processor Notification, the Parties shall discuss in good faith a commercially reasonable resolution so as to address the Customer’s concerns. In the event that no agreement can be reached, and it is not possible for the Customer to make use of the Services without the use of the Sub-processor, then either Party may terminate the Services and the StatusCake Terms.
13. Security of StatusCake Services & Networks
13.1 StatusCake has, and will at all times, ensure that it has appropriate organisational and technical measures in place to protect all Customer Personal Data from any security incidents, and to ensure that Personal Data is at all times secure and kept confidential.
13.2 StatusCake ensures that any individual who is authorised by StatusCake to process the Customer Personal Data, including by way of example only its staff and subcontractors, is under a contractual duty of confidentiality, and where applicable, statutory duty.
13.3 In the event that StatusCake becomes aware of any unlawful and/or unauthorised security breach that results in the access to, the loss of, alteration to, and/or disclosure of Customer Personal Data (a “Security Incident”), then StatusCake will notify the Customer as soon as reasonably possible following the Security Incident and will provide the Customer with information as it becomes known, and to the extent as is reasonable to disclose.
14. International Transfers
14.1 StatusCake stores and processes Customer Data in data centres located within the European Union.
14.2 StatusCake agrees that it has, and will at all times, implement appropriate safeguards to protect Customer Personal Data, wherever it is processed, in accordance with Applicable Data Protection Laws.
14.3 Notwithstanding clauses 14.1 and 14.2 above, to the extent that StatusCake does process or transfer (directly or via onward transfer) Customer Personal Data under this StatusCake DPA from the European Union, the European Economic Area and/or Switzerland, in or to countries which do not ensure an adequate level of data protection within the meaning of Applicable Data Protection Laws.
14.4 The Parties agree and accept that StatusCake will be deemed, by virtue of its self-certification, to provide appropriate safeguards for such data, and that StatusCake will in such circumstances process such data in compliance with the Privacy Shield Principles.
14.5 Customer hereby authorises any transfer of Customer Personal Data to, or access to Customer Personal Data from, such destinations outside the European Union, the European Economic Area and/or Switzerland subject to the steps and measures set out in this clause 14 having been taken.
15. Return or Deletion of Data
15.1 Upon deletion of a Customer’s StatusCake account all Customer Personal Data will be deleted. In the event that a Customer is unsure whether they have deleted their account, and therefore any Customer Personal Data, they should contact the StatusCake DPA Office.
15.2 Nothing in this clause 15 will restrict or prohibit StatusCake from retaining data where it is required by applicable law to do so.
16.1 Severance. The various provisions and sub-provisions of this StatusCake DPA are severable and if any provision or sub-provision or identifiable part of this StatusCake DPA is held to be invalid or unenforceable by any court of competent jurisdiction then such invalidity or unenforceability shall not affect the validity or enforceability of the remaining provisions or sub-provisions or identifiable parts of this StatusCake DPA.
16.2 Waiver. The waiver by either Party of any breach of any term of this StatusCake DPA shall not prevent the subsequent enforcement of that term and shall not be deemed a waiver of any subsequent breach.
16.3 Third Party Rights. A person who is not a party to this StatusCake DPA has no rights under the Contracts (Rights of Third Parties) Act 1999 (the “RoTPA”) to enforce any term of this but this does not affect any right or remedy of a third party which exists or is available apart from under the RoTPA.
16.4 In no event will either Party seek to limit its liability in respect of any individual’s data protection rights whether under this StatusCake DPA or otherwise.
17. Entire Agreement
17.1 This StatusCake DPA sets out the entire agreement and understanding between the Parties, and supersedes all proposals and prior agreements, arrangements and understandings between the Parties, relating to its subject matter.
17.2 Each Party agrees that it shall have no remedies in respect of any representation or warranty (whether made innocently or negligently) that is not set out in this StatusCake DPA.
17.3 Notwithstanding the foregoing this StatusCake DPA is a part of, and is incorporated into the StatusCake Terms.
18. GOVERNING LAW AND JURISDICTION
18.1 This StatusCake DPA and any dispute or claim arising out of or in connection with it or its subject matter or formation (including non-contractual disputes or claims) shall be governed by and will be interpreted in accordance with English law and the Parties shall irrevocably submit to the exclusive jurisdiction of the English courts.
Signed for and on behalf of: TRAFFICCAKE LIMITED t/a StatusCake.com
Name: James Barnes
Title: Director, TrafficCake Limited
Date: 16th May 2018
Schedule 1 (Appointed Sub-Processors)
Not Applicable – There are no Sub-Processors