Online Data Processing Agreement
This Data Processing Agreement (the ”DPA” or “Agreement”) forms part of Smoothwall’s Main Agreement for the provision of safeguarding services to (available at www.smoothwall.com/education/legal) between your organization (or the ”Customer”) if the Customer is located in the European Union (”EU”), European Economic Area (”EEA”), or Switzerland, and Smoothwall Ltd (“Smoothwall”). For purposes of this DPA, the Customer in this DPA shall be ascribed the same meaning as the Customer in the Main Agreement.
In the event of any conflict between this DPA and the Main Agreement regarding the processing of Personal Data, this DPA will control to the extent of the conflict. All capitalized terms used but not defined in this DPA shall have the meaning ascribed to them in the Main Agreement. For avoidance of doubt, this DPA shall not apply to Customers located outside of the EEA or Switzerland.
In the course of providing our Products under the Main Agreement, Smoothwall may process certain Personal Data (as such term is defined below) on behalf of the Customer, and where Smoothwall processes Personal Data on behalf of the Customer, the parties agree to comply with the terms and conditions in this DPA in connection with such Personal Data.
- Customer as defined in the Main Agreement; and
- Smoothwall Limited registered in England with number 04298247 whose registered office is at Avalon House 1 Savannah Way, Leeds Valley Park, Leeds, England, LS10 1AB (Smoothwall),
each a party and together the parties.
- Smoothwall provides safeguarding solutions for online safety and safeguarding of vulnerable individuals including advanced on-device monitoring.
- Smoothwall and the Customer entered into an agreement for the provision of a safeguarding solution dated as of the signature on the Quotation, being incorporated in the Main Agreement.
- Smoothwall and the Customer wish to enter into this Agreement to govern the sharing and use of data generated as part of the safeguarding solution referenced in Recital B.
It is agreed:
1. Definitions and interpretation
1.1 Business Day means a day other than a Saturday, Sunday or bank holiday in the UK.
1.2 Data Breach means any unauthorised or unlawful processing, disclosure of, or access to, Personal Data and/or any accidental or unlawful destruction of, loss of, alteration to, or corruption of Personal Data;
1.3 Data Controller has the meaning ascribed to it under the Regulation;
1.4 Data Protection Law the following laws: (i) the Regulation; and (ii) the European Privacy and Electronic Communications Directive (Directive 2002/58/EC), including, in each case, any laws applicable to the processing of personal data that promulgate the same into national law and as such law (or respective national law) may be replaced, supplemented, substituted or amended from time to time;
1.5 Data Subject has the meaning ascribed to it under the Regulation;
1.6 Personal Data has the meaning ascribed to it under the Regulation;
1.7 Purpose has the meaning given in clause 3 of this Agreement;
1.8 Regulation means Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data;
1.9 Services means the services provided by Smoothwall to the Customer pursuant to the Main Agreement;
1.10 Shared Personal Data means all Personal Data in whatever form or medium relating to the online activity of users which is shared between the parties during the provision of the Services;
1.11 Special Category Personal Data means data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, processing of genetic data or biometric data for the purpose of uniquely identifying a natural person, data concerning health or concerning gender or sexual orientation; and
1.12 Supervisory Authority has the meaning ascribed to it under the Regulation.
1.13 Clause, Schedule and paragraph headings shall not affect the interpretation of this Agreement.
1.14 The Schedules form part of this Agreement and shall have effect as if set out in full in the body of this Agreement. Any reference to this Agreement includes the Schedules.
1.15 A reference to a company shall include any company, corporation or other body corporate, wherever and however incorporated or established.
1.16 Unless the context otherwise requires, words in the singular shall include the plural and in the plural shall include the singular.
1.17 Unless the context otherwise requires, a reference to one gender shall include a reference to the other genders.
1.18 A reference to a statute or statutory provision is a reference to it as amended, extended or re-enacted from time to time.
1.19 A reference to a statute or statutory provision shall include all subordinate legislation made from time to time under that statute or statutory provision.
1.20 Any words following the terms including, include, in particular, for example or any similar expression shall be construed as illustrative and shall not limit the sense of the words, description, definition, phrase or term preceding those terms.
2.1 This Agreement sets out the framework for the sharing of Shared Personal Data between the parties. It defines the principles and procedures that each party shall adhere to in order to ensure compliance with Data Protection Laws.
2.2 The parties consider the data sharing set out in this Agreement necessary for the purposes of Smoothwall providing the Services to the Customer.
2.3 Smoothwall shall only process Shared Personal Data for the following purposes:
2.3.1 Providing filtering, monitoring, safeguarding and record keeping services as required by the Customer in their choice to operate our products and services, including;
2.3.2 identifying at risk individuals during the provision of the Services; and
2.3.3 notifying the Customer of potentially at risk individuals.
Smoothwall shall not process Shared Personal Data in a way that is incompatible with the purposes described in this clause (together the Purpose).
2.4 Neither party shall collect or use the Shared Personal Data for any unlawful purposes, or in any manner that otherwise violates this Agreement or Data Protection Law.
2.5 The points of contact at each party for any issues arising from data sharing under this Agreement are:
2.5.1 Defined on the Quotation for the Customer
2.5.2 The Customer’s Account Manager of Smoothwall Ltd. Avalon House, 1 Savannah Way, Leeds Valley Park, LS10 1AB, UK. Tel: +44 (0)870 1999 500
3. Shared personal data
3.1 The categories of Shared Personal Data set out in the relevant Article 30 Record will be shared between the parties during the term of this Agreement.
3.2 Smoothwall will also share the Shared Personal Data with its subcontractors to the extent required for the Purpose. Smoothwall shall procure that any subcontractor has entered into a contract with Smoothwall obliging such subcontractor to comply with its obligations under Data Protection Law.
3.3 Each party shall restrict access to and processing of the Shared Personal Data to employees and contractors that require this information where necessary for performing the Purpose.
4. Compliance with data protection laws
4.1 Each party shall only process the Shared Personal Data in compliance with its obligations under Data Protection Law, including responding to any requests or enquiries regarding its processing of the Shared Personal Data received by any Data Subject or Supervisory Authority.
5. Lawfulness, fairness, and transparency
5.1 Shared Personal Data (excluding Special Category Personal Data) is processed by the Customer:
5.1.1 where necessary for compliance with a legal obligation pursuant to Article 6(1)(c) of the Regulation;
5.1.2 where necessary in order to protect the vital interests of the Data Subject or another natural person pursuant to Article 6(1)(d) of the Regulation; or
5.1.3 where processing is necessary for the purposes of the legitimate interests pursued by the Customer pursuant to Article 6(1)(f) of the Regulation.
5.2 Special Category Personal Data is processed by the Customer where necessary for reasons of substantial public interest pursuant to Article 9 (2)(h) and Article 10 of the Regulation and:
5.2.1 Schedule 1, Part 2, S 6 Data Protection Act 2018 Statutory or government purposes;
5.2.2 Schedule 1, Part 2, S 10 Data Protection Act 2018 Preventing or detecting unlawful acts;
5.2.3 Schedule 1, Part 2, S 18 Data Protection Act 2018 Safeguarding of children and of individuals at risk; or
5.2.4 Schedule 1, Part 3, S 36 Data Protection Act 2018 Substantial public interest extension for criminal convictions data.
5.3 The parties acknowledge and agree that the Customer is responsible for providing information to Data Subjects in relation to the processing of their Personal Data in accordance with Articles 13 and 14 of the Regulation and ensuring that any such notice is valid and relates to all data processing activities contemplated under this Agreement.
6. Data subject rights
6.1 Each party shall, where applicable, promptly notify the other party upon receipt of any request received from a Data Subject that properly relates to the processing of the Shared Personal Data by that other party and shall only respond to such request to acknowledge receipt of the same and direct the relevant Data Subject to contact the other party (or such other response as the other party may authorise in writing).
6.2 Each party shall, where applicable, provide reasonable assistance as is necessary to the other party to enable to other party to respond to any Data Subject rights requests.
7. Data retention and deletion
7.1 Smoothwall and the Customer shall each retain Shared Personal Data in accordance with their respective data retention policies.
7.2 Smoothwall shall ensure that any Shared Personal Data are returned to the Customer or destroyed on termination of the Main Agreement, expiry of the term of this Agreement or once processing of the Shared Personal Data is no longer necessary for the Purposes.
8. Internal Transfers
8.1 Smoothwall and the Customer shall not transfer Shared Personal Data outside the European Economic Area without adequate safeguards in place in accordance with the Regulation.
8.2 Smoothwall has put in place Standard Contractual Clauses in line with the relevant EU legislation to cover EU-US internal transfers of data for the provision of the Smoothwall services.
9. Security and training
9.1 Each party shall maintain all appropriate technical and organisational measures to ensure security of the Shared Personal Data including protection against unauthorised or unlawful processing (including, without limitation, unauthorised or unlawful disclosure of, access to and/or alteration of Shared Personal Data).
9.2 It is the responsibility of each party to ensure that its own staff members are appropriately trained to handle and process the Shared Personal Data in accordance with the technical and organisational security measures together with any other Data Protection Laws and guidance.
10. Data breaches and reporting procedures
10.1 Each party shall have in place its own internal processes that must be followed in the event of a Data Breach.
10.2 Each party shall notify the other party and provide reasonable details of any Data Breach occurring in the course of its own processing of the Shared Personal Data to the extent such processing relates to, or affects, Shared Personal Data and shall act reasonably in co-operating with the other party in respect of any communications or notifications to be issued by the other party to any Data Subjects and/or Supervisory Authorities in respect of the Data Breach.
11. Resolution of disputes with data Subjects or a Supervisory Authority
11.1 Each party shall, where applicable, notify the other party upon receipt of any complaint received from a Data Subject that properly relates to the processing of the Shared Personal Data by that other party in connection with this Agreement and shall only respond to such complaint to acknowledge receipt of the same and direct the relevant Data Subject to contact the other party (or such other response as the other party may authorise in writing);
11.2 Each party shall, where applicable, provide the other party with reasonable details of any enquiry, complaint, notice or other communication it receives from any Supervisory Authority relating to its own processing of the Shared Personal Data to the extent such processing relates to, or affects, the processing of the Shared Personal Data by the other party or the Services and provide reasonable co-operation to the other party in respect of the same.
12. Mutual assistance
12.1 Each party shall act reasonably in providing such information and co-operation as the other party may reasonably request to enable that other party to comply with its own obligations under Data Protection Law in relation to the processing of the Shared Personal Data.
13. Limitation of liability
13.1 Liability for any breach under this Agreement is determined by the relevant terms as set out in the Main Agreement.
14.1 This Agreement shall terminate automatically on termination or expiry of the Main Agreement.
15.1 Each party undertakes that it shall not at any time during this Agreement, and for a period of five years after termination of this Agreement, disclose to any person any confidential information concerning the business, affairs, customers, clients or suppliers of the other party, except as permitted by clause 2.
15.2 Each party may disclose the other party’s confidential information:
- to its employees, officers, representatives or advisers who need to know such information for the purposes of exercising the party’s rights or carrying out its obligations under or in connection with this Agreement. Each party shall ensure that its employees, officers, representatives or advisers to whom it discloses the other party’s confidential information comply with this clause 15; and
- as may be required by law, a court of competent jurisdiction or any governmental or regulatory authority.
15.3 No party shall use any other party’s confidential information for any purpose other than to exercise its rights and perform its obligations under or in connection with this Agreement.
16. Charges to applicable law
16.1 In case the applicable Data Protection Laws or other applicable laws change in a way that this Agreement is no longer adequate for the purposes of governing lawful data sharing, the parties agree that they will negotiate in good faith to review the Agreement in light of the new legislation.
17. Entire agreement
17.1 This Agreement constitutes the entire agreement between the parties and supersedes and extinguishes all previous agreements, promises, assurances, warranties, representations and understandings between them, whether written or oral, relating to its subject matter.
18.1 Any notice given to a party under or in connection with this Agreement shall be in writing and shall be:
18.1.1 delivered by hand or by pre-paid first-class post or other next working day delivery service to the address specified in clause 5; or
18.1.2 sent by email to the address specified in clause 5 provided that a copy of the notice is also sent by pre-paid first-class post or other next working day delivery service in accordance with clause 18.1.1.
18.2 Any notice shall be deemed to have been received:
18.2.1 if delivered by hand, on signature of a delivery receipt or at the time the notice is left at the proper address; and
18.2.2 if sent by pre-paid first-class post or other next working day delivery service, at 9.00 am on the second Business Day after posting or at the time recorded by the delivery service; and
18.2.3 if sent by email, at the time of transmission, or, if this time falls outside business hours in the place of receipt, when business hours resume. In this clause, business hours means 9.00am to 5.00pm Monday to Friday on a day that is not a public holiday in the place of receipt.
18.3 This clause does not apply to the service of any proceedings or other documents in any legal action or, where applicable, any arbitration or other method of dispute resolution.
19. No partnership or agency
19.1 Nothing in this Agreement is intended to, or shall be deemed to, establish any partnership or joint venture between any of the parties, constitute any party the agent of another party, or authorise any party to make or enter into any commitments for or on behalf of any other party.
20.1 If there is an inconsistency between any of the provisions of this Agreement and the provisions of the Main Agreement then the provisions of this Agreement shall prevail.
21.1 No variation of this Agreement shall be effective unless it is in writing and signed by the parties (or their authorised representatives).
22.1 No failure or delay by a party to exercise any right or remedy provided under this Agreement or by law shall constitute a waiver of that or any other right or remedy, nor shall it prevent or restrict the further exercise of that or any other right or remedy. No single or partial exercise of such right or remedy shall prevent or restrict the further exercise of that or any other right or remedy.
23.1 If any provision or part-provision of this Agreement is or becomes invalid, illegal or unenforceable, it shall be deemed deleted, but that shall not affect the validity and enforceability of the rest of this Agreement.
23.2 If any provision or part-provision of this Agreement is deemed deleted under clause 23.1UPDATE FC the parties shall negotiate in good faith to agree a replacement provision that, to the greatest extent possible, achieves the intended commercial result of the original provision.
24.1 This Agreement may be executed in any number of counterparts, each of which when executed and delivered shall constitute a duplicate original, but all the counterparts shall together constitute the one agreement.
24.2 Third party rights
24.2.1 This Agreement does not give rise to any rights under the Contracts (Rights of Third Parties) Act 1999 to enforce any term of this Agreement.
25. Governing law
25.1 This Agreement and any dispute or claim (including non-contractual disputes or claims) arising out of or in connection with it or its subject matter or formation shall be governed by and construed in accordance with the law of England and Wales.
26.1 Each party irrevocably agrees that the courts of England and Wales shall have exclusive jurisdiction to settle any dispute or claim (including non-contractual disputes or claims) arising out of or in connection with this Agreement or its subject matter or formation.