DATA PROCESSING AGREEMENT

Data Processing Agreement

IDWAL ID PLATFORM

Data Protection Agreement ("DPA")

This DPA reflects the parties’ agreement with respect to the processing of personal data the Supplier (including on the behalf of the Customer) in connection with Services under the agreement between the Supplier and the Customer (the "Agreement"). 

This DPA is supplemental to, forms an integral part of and is incorporated by reference into the Agreement. 

In case of any conflict or inconsistency with the terms of the Agreement, this DPA will take precedence over the terms of the Agreement to the extent of such conflict or inconsistency.

We update these terms from time to time. We will let you know when we do via email.

1.              Definitions

1.1           In this DPA, the following definitions shall apply (in addition to the definitions set out in the Agreement):

(a)        Applicable Laws means:

(i)          To the extent the UK GDPR applies, the law of the United Kingdom or of a part of the United Kingdom.

(ii)         To the extent EU GDPR applies, the law of the European Union or any member state of the European Union to which the Supplier is subject.

(b)        Applicable Data Protection Laws means

(i)          To the extent the UK GDPR applies, the law of the United Kingdom or of a part of the United Kingdom which relates to the protection of personal data.

(ii)         To the extent the EU GDPR applies, the law of the European Union or any member state of the European Union to which the Supplier is subject, which relates to the protection of personal data.

(c)        controller, processor, data subject, personal data, personal data breach and processing shall have the meaning given to them in the UK GDPR.

(d)        Customer Personal Data means any personal data which the Supplier processes in connection with the Agreement, in the capacity of a processor on behalf of the Customer.

(e)        EU GDPR means the General Data Protection Regulation ((EU) 2016/679).

(f)         Purpose means the provision of the Services.

(g)        Supplier Personal Data any personal data which the Supplier processes in connection with the Agreement, in the capacity of a controller.

(h)        UK GDPR has the meaning given to it in the Data Protection Act 2018.

2.              Data protection

2.1           Both parties will comply with all applicable requirements of Applicable Data Protection Laws. This DPA is in addition to, and does not relieve, remove or replace, a party's obligations or rights under Applicable Data Protection Laws.

2.2           The parties have determined that, for the purposes of Applicable Data Protection Laws:

(i)         the Supplier shall act as controller in respect of the Supplier Personal Data; and

(j)         the Supplier shall process the Customer Personal Data as a processor on behalf of the Customer.

2.3           The Customer consents to (and shall procure all required consents, from its personnel, representatives and agents, in respect of) all actions taken by the Supplier in connection with the processing of Supplier Personal Data, provided these are in compliance with the then-current version of the Supplier's privacy policy available at [insert website address] (Privacy Policy). In the event of any inconsistency or conflict between the terms of the Privacy Policy and the Agreement, the Privacy Policy will take precedence.

2.4           Without prejudice to the generality of paragraph 2, the Customer will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the Customer Personal Data to the Supplier for the duration and purposes of the Agreement.

2.5           In relation to the Customer Personal Data, Annex A to this DPA sets out the scope, nature and purpose of processing of the Customer Personal Data by the Supplier, the duration of the processing and the types of personal data and categories of data subject.

2.6           Without prejudice to the generality of paragraph 2 the Supplier shall, in relation to Customer Personal Data:

(a)        process that Customer Personal Data only on the documented instructions of the Customer, which shall be to process the Customer Personal Data for the purposes of providing the Services, unless the Supplier is required by Applicable Laws to otherwise process that Customer Personal Data. Where the Supplier is relying on Applicable Laws as the basis for processing Customer Processor Data, the Supplier shall notify the Customer of this before performing the processing required by the Applicable Laws unless those Applicable Laws prohibit the Provider from so notifying the Customer. The Supplier shall inform the Customer if, in the opinion of the Supplier, the instructions of the Customer infringe Applicable Data Protection Laws;

(b)        implement appropriate technical and organisational measures to protect against unauthorised or unlawful processing of Customer Personal Data and against accidental loss or destruction of, or damage to, Customer Personal Data, which the Customer has reviewed and confirms are appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures;

(c)        ensure that any personnel engaged and authorised by the Supplier to process Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory or common law obligation of confidentiality;

(d)        assist the Customer insofar as this is possible (taking into account the nature of the processing and the information available to the Supplier), and at the Customer's cost and written request, in responding to any request from a data subject and in ensuring the Customer's compliance with its obligations under Applicable Data Protection Laws with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators;

(e)        notify the Customer without undue delay on becoming aware of a personal data breach involving the Customer Personal Data;

(f)         at the written direction of the Customer, delete or return Customer Personal Data and copies thereof to the Customer on termination of the Agreement unless the Supplier is required by Applicable Law to continue to process that Customer Personal Data. For the purposes of this paragraph 8(f) Customer Personal Data shall be considered deleted where it is put beyond further use by the Supplier; and

(g)        maintain records to demonstrate its compliance with this DPA.

2.7           The Customer hereby provides its prior, general authorisation for the Supplier to:

(h)        appoint processors to process the Customer Personal Data, provided that the Supplier:

(i)          shall ensure that the terms on which it appoints such processors comply with Applicable Data Protection Laws, and are consistent with the obligations imposed on the Supplier in this paragraph 2;

(ii)         shall remain responsible for the acts and omission of any such processor as if they were the acts and omissions of the Supplier; and

(iii)        shall inform the Customer of any intended changes concerning the addition or replacement of the processors, thereby giving the Customer the opportunity to object to such changes provided that if the Customer objects to the changes and cannot demonstrate, to the Supplier's reasonable satisfaction, that the objection is due to an actual or likely breach of Applicable Data Protection Law, the Customer shall indemnify the Supplier for any losses, damages, costs (including legal fees) and expenses suffered by the Supplier in accommodating the objection.

(i)         transfer Customer Personal Data outside of the UK or EEA as required for the Purpose, provided that the Supplier shall ensure that all such transfers are effected in accordance with Applicable Data Protection Laws. For these purposes, the Customer shall promptly comply with any reasonable request of the Supplier, including any request to enter into standard data protection clauses adopted by the EU Commission from time to time (where the EU GDPR applies to the transfer) or adopted by the UK Information Commissioner from time to time (where the UK GDPR applies to the transfer).

2.8           The Supplier party may, at any time on not less than 30 days' notice, revise this DPA by replacing it (in whole or part) with any applicable standard clauses approved by the EU Commission or the UK Information Commissioner's Office or forming part of an applicable certification scheme or code of conduct (Amended Terms). Such Amended Terms shall apply when the Supplier notifies the Customer in writing (which may include e-mail).

2.9           The Supplier's total aggregate liability in contract, tort (including negligence and breach of statutory duty howsoever arising), misrepresentation (whether innocent or negligent), restitution or otherwise, arising in connection with the performance or contemplated performance of Services under the Agreement or any collateral contract insofar as it relates to the obligations set out in this paragraph 2, or Applicable Data Protection Laws shall be subject to and included within the limitations set out clause 11 of the Agreement.

Annex A to DPA