1. Purpose of this Data Processing Agreement
This Personal Data Processing Agreement (“Data Processing Agreement”) applies to the processing of personal data by Supplier within the scope of the services provided by Supplier to Customer.
The Parties acknowledge that for the purposes of this Data Processing Agreement, Customer is a “Data Controller” and Supplier is a “Data Processor”, as these terms are defined in the Data Protection Legislation.
2. Definitions
Data Protection Legislation: The applicable data protection legislation, from time to time.
Data Subject: An individual who is the subject of Personal Data. Data Subjects may be nationals or residents of any country and may have legal rights regarding their Personal Data.
Personal Data: Any information identifying a Data Subject or information relating to a Data Subject that we can identify (directly or indirectly) from that data alone or in combination with other identifiers we possess or can reasonably access. Personal Data includes Sensitive Personal Data and pseudonymised Personal Data but excludes anonymous data or data that has had the identity of an individual permanently removed. Personal Data can be factual (for example, a name, email address, location or date of birth) or an opinion about that person's actions or behaviour. Personal Data specifically includes, but is not limited to, the name of an individual, ID number, address, online identifier, terms of employment, business conduct, one or more factors that characterise an individual in a physical, genetic, mental or social sense, and other similar data which are considered Personal Data according to the Data Protection Legislation.
Personal Data Breach: Any act or omission that compromises (i) the security, confidentiality, integrity or availability of Personal Data or (ii) the physical, technical, administrative or organisational safeguards that the Data Processor or its sub-processors put in place to protect it. The loss, or unauthorised access, disclosure or acquisition, of Personal Data is a Personal Data Breach.
Personnel: All employees, directors, contractors, consultants, and others who work for and/or represent the Data Processor.
Processing or Process: Any activity that involves the use of Personal Data. It includes obtaining, recording or holding the data, or carrying out any operation or set of operations on the data including organising, amending, retrieving, using, disclosing, erasing or destroying it. Processing also includes transmitting or transferring Personal Data to third parties.
Processing Purpose: The purpose of the Processing of Personal Data, as further described in Annex I.
Unauthorised Processing: Any accidental, unlawful or unauthorised Processing of Personal Data.
3. The Data Controller’s Obligations
The Data Controller retains control of the Personal Data and remains responsible for the Data Controller’s compliance obligations under the Data Protection Legislation, including providing any required notices and obtaining any required consents, and for the Processing instructions it gives to the Data Processor.
4. The Data Processor’s Obligations
4.1 The Data Processor will only process the Personal Data to the extent, and in such a manner, as is necessary for the Processing Purpose and in accordance with the Data Controller’s written instructions.
4.2 The Data Processor must promptly notify the Data Controller if, in its opinion, the Data Controller’s instruction would not comply with the Data Protection Legislation.
4.3 The Data Processor will maintain the confidentiality of all Personal Data and will not disclose Personal Data to third parties unless the Data Controller or this Data Processing Agreement specifically authorises the disclosure, or as required by law. If a law, court, regulator or supervisory authority requires the Data Processor to process or disclose Personal Data, the Data Processor must first inform the Data Controller of the legal or regulatory requirement and give the Data Controller an opportunity to object or challenge the requirement, unless the law prohibits such notice.
5. Personnel
The Data Processor will ensure that all Personnel:
A. are informed of the confidential nature of the Personal Data and are bound by confidentiality obligations and use restrictions in respect of the Personal Data;
B. have undertaken training on the Data Protection Legislation relating to handling Personal Data and how it applies to their particular duties; and
C. are aware of both the Data Processor’s duties and their personal duties and obligations under the Data Protection Legislation and this Data Processing Agreement.
6. Cross-border transfer of Personal Data
The Data Processor shall not transfer or otherwise process Personal Data outside the European Economic Area (EEA) or the United Kingdom without obtaining the Data Controller’s prior written consent and instructions, unless such transfer is required by law or is carried out in accordance with the applicable Data Protection Legislation and subject to appropriate safeguards, including where applicable the EU Standard Contractual Clauses or other lawful transfer mechanisms. If a law requires the Data Processor to transfer the Personal Data to any such country, the Data Processor shall first inform the Data Controller of the legal requirement, unless the law prohibits such notice.
Contracting with Sub-Processors
6.1 The Data Controller provides general authorisation for the Data Processor to engage sub-processors to Process Personal Data in connection with the provision of the Services.
6.2 The Data Processor shall maintain an up-to-date list of its sub-processors and make such list available to the Data Controller upon request or by other appropriate means.
6.3 The Data Processor shall inform the Data Controller of any intended changes concerning the addition or replacement of sub-processors and shall provide the Data Controller with an opportunity to object to such changes on reasonable data protection grounds within a reasonable period of time following such notification.
6.4 Where the Data Controller objects to a new sub-processor on reasonable data protection grounds, the parties shall work together in good faith to resolve the objection. If the objection cannot reasonably be resolved, the Data Controller may terminate the affected Services in accordance with the Agreement.
6.5 The Data Processor shall ensure that any sub-processor is bound by written contractual obligations that provide at least the same level of protection for Personal Data as those set out in this Data Processing Agreement, including obligations to implement appropriate technical and organisational measures to protect Personal Data in accordance with Data Protection Legislation.
6.6 The Data Processor shall remain fully liable to the Data Controller for the performance of the sub-processor’s obligations where the sub-processor fails to fulfil its data protection obligations.
7. Security
7.1 The Data Processor must at all times implement appropriate security, technical and organisational measures against unauthorised or unlawful Processing, access, disclosure, copying, modification, storage, reproduction, display or distribution of Personal Data, and against accidental or unlawful loss, destruction, alteration, disclosure or damage of Personal Data.
7.2 The Data Processor must implement such measures to ensure a level of security appropriate to the risk involved (including, as appropriate, the pseudonymisation and encryption of Personal Data). The Data Processor has implemented a process for regularly testing, assessing and evaluating the effectiveness of its security measures.
8. Personal Data Breach
8.1 The Data Processor will without undue delay notify the Data Controller if it becomes aware of any Unauthorised Processing or any Personal Data Breach.
8.2 Where the Data Processor becomes aware of any Unauthorised Processing or any Personal Data Breach, it shall, without undue delay, also provide the Data Controller with the following information:
A. description of the nature of the Unauthorised Processing or the Personal Data Breach;
B. the categories and approximate number of both Data Subjects and Personal Data records concerned;
C. the likely consequences; and
D. description of the measures taken or proposed to be taken to address the Unauthorised Processing or the Personal Data Breach including measures to mitigate its possible adverse effects.
8.3 Immediately following any unauthorised or unlawful Personal Data Processing or Personal Data Breach, the Parties will co-ordinate with each other to investigate the matter. The Data Processor will reasonably co-operate with the Data Controller in the Data Controller’s handling of the matter, including:
A. assisting with any investigation;
B. providing the Data Controller with physical access to any facilities and operations affected;
C. facilitating interviews with the Data Processor’s Personnel, former employees and others involved in the matter;
D. making available all relevant records, logs, files, data reporting and other materials required to comply with all Data Protection Legislation or as otherwise reasonably required by the Data Controller; and
E. taking reasonable and prompt steps to mitigate the effects and to minimise any damage resulting from the Personal Data Breach or Unauthorised Processing.
9. Assistance to the Data Controller
9.1 The Data Processor shall assist the Data Controller by ensuring compliance with the Data Controller’s following obligations under the Data Protection Legislation:
A. the Data Controller’s obligation to respond to requests for exercising the data subject’s rights under the Data Protection Legislation;
B. the Data Controller’s obligation to report to and consult with supervisory authorities under the Data Protection Legislation.
9.2 The Data Processor must notify the Data Controller immediately if it receives any complaint, notice or communication that relates directly or indirectly to the Processing of the Personal Data or to either Party’s compliance with the Data Protection Legislation. The Data Controller shall respond to any such notice in an appropriate manner according to the Data Protection Legislation, i.e. by further directing the Data Controller on how to proceed with the Data Subject’s request.
10. Records
10.1 The Data Processor will keep detailed, accurate and up-to-date written records regarding any Processing of Personal Data it carries out for the Data Controller (“Records”). The Records shall include the following information:
A. Name of the Data Processor.
B. Contact information of the Data Processor’s Data Protection Officer (or the Data Processor’s data protection manager or other Personnel with responsibility for data protection compliance if a Data Protection Officer has not been appointed).
C. Name and information about the Data Controller.
D. Categories of Processing.
E. List of countries outside the European Economic Area (EEA) which the Data Processor transfers Personal Data to (if applicable).
F. General description of technical and organisational data security measures in relation to the Processing.
10.2 The Data Processor will provide the Data Controller with copies of the Records upon request.
10.3 The Data Processor must review its Records frequently to confirm their accuracy and update them when required to reflect current practices.
11. Audit
11.1 The Data Processor will permit the Data Controller to audit the Data Processor’s compliance with its Data Processing Agreement obligations.
In relation to the audit, the Data Processor shall provide:
A. access to the Records or any other information in the Data Processor’s possession or control in relation to the Processing; and
B. access to and meetings with any of the Personnel reasonably necessary to provide all explanations required to perform the audit effectively.
11.2 At the Data Controller’s written request, the Data Processor will provide the Data Controller with a copy of a written audit report that includes details about the Processing and how the Processing is compliant with applicable Data Protection Legislation.
12. Data Return and Destruction
12.1 The Data Processor shall make Controller Personal Data available to the Data Controller through the Services. Where such access is not reasonably sufficient for the Data Controller to comply with its obligations under applicable data protection laws, the Data Processor shall provide reasonable assistance in providing such data.
12.2 On termination of the Parties’ agreement for any reason or expiry of its term, the Data Processor will securely delete or destroy or, if directed in writing by the Data Controller, return and not retain, all or any Personal Data related to this Data Processing Agreement in its possession or control.
12.3 Upon request by the Data Controller, the Data Processor will certify in writing that it has destroyed the Personal Data within 10 days after completing such destruction.
12.4 If any law, regulation, or government or regulatory body requires the Data Processor to retain any documents or materials that the Data Processor would otherwise be required to return or destroy, it will notify the Data Controller in writing of that retention requirement, giving details of the documents or materials that it must retain, the legal basis for retention, and establishing a specific timeline for destruction once the retention requirement ends.
13. Limitation of Liability
Each party’s total aggregate liability arising out of or in connection with this Data Processing Agreement shall not exceed the fees paid or payable during the twelve (12) months preceding the event giving rise to the liability, except to the extent that such limitation is not permitted under applicable Data Protection Legislation.
14. Duration
14.1 This Data Processing Agreement will remain in full force and effect so long as the Data Processor provides services to the Data Controller or the Data Processor retains any Personal Data related to the services in its possession or control.
14.2 Each Party can terminate this Data Processing Agreement in the event of an unremedied material breach by the other Party.
15. Applicable Law and Jurisdiction
15.1 This Data Processing Agreement shall be governed by and construed in accordance with the governing law applicable to the relevant Encore Pro contracting entity under the Agreement. For the avoidance of doubt:
(i) where the contracting entity is Encore Pro Inc., this Data Processing Agreement shall be governed by the laws of the State of Connecticut, United States;
(ii) where the contracting entity is Encore Pro ApS, this Data Processing Agreement shall be governed by the laws of Denmark; and
(iii) where the contracting entity is Encore Pro Ltd, this Data Processing Agreement shall be governed by the laws of England and Wales.
15.2 Any dispute arising from or in connection with this Data Processing Agreement shall be brought exclusively before the courts in the jurisdiction as stipulated in 15.1.
Annex I to Data Processing Agreement
Personal Data Processing
Under the Data Protection Legislation, the Data Processor shall only Process Personal Data in accordance with the Data Controller’s documented instructions, as regulated in the Data Protection Legislation. This document forms part of the Data Controller’s instructions, directing the Data Processor on the scope, nature, and purpose when Processing Personal Data on behalf of the Data Controller.
A. SCOPE / PURPOSE OF PROCESSING
The Data Processor shall Process Personal Data hereunder exclusively within the scope of the services provided by the Data Processor to the Data Controller.
The Data Processor shall only be allowed to Process Personal Data on behalf of the Data Controller for the purpose of verifying the identity of potential clients and assessing potential risks of illegal intentions for business relationships to ensure the Data Controller’s anti-money laundering regulation compliance.
B. TYPES OF PERSONAL DATA
☐ Name (name and surname)
☐ Date of birth
☐ Nationality
☐ Gender
☐ Username
☐ E-mail address
☐ Telephone number
☐ Customer number
☐ Order number
☐ Tracking ID
☐ Club member ID
☐ Buying history
☐ Payment history
☐ Billing address
☐ Shipment address
☐ Family information
☐ Emergency number
☐ Staff card number
☐ IP-address
☐ Other categories of Personal Data: Other information provided by the Data Controller or Data Controller representative.
C. CATEGORIES OF DATA SUBJECTS
☐ Employees (including current and former employees, trainees and interns, pre-hires and applicants)
☐ Customers (current, former and potential)
☐ Business partners, suppliers, and subcontractors (including its employees)
☐ External agents, representatives, consultants, advisors, auditors
☐ Visitors (on premise)
☐ Other categories: Other information provided by the Data Controller or Data Controller representative.
D. PROCESSING ACTIVITIES
☐ Collection
☐ Registration
☐ Organisation
☐ Structuring
☐ Storing
☐ Adaptation or alteration
☐ Retrieval
☐ Accessing, reading or consultation
☐ Use
☐ Disclosure by transmission
☐ Dissemination or otherwise making available
☐ Alignment or combination
☐ Restriction
☐ Erasure or destruction
☐ Other processing activity:
E. PERSONNEL AND SUB-PROCESSORS WHO ARE RESPONSIBLE FOR THE PROCESSING (CATEGORIES OR NAMES)
The Data Processor maintains an up-to-date list of authorised Sub-processors, which is available at the following link: https://www.activitystream.com/dpa-subprocessors/
F. DURATION OF PROCESSING
Personal Data shall not be Processed for a period longer than is necessary for serving its purpose.
☐ The duration of all Processing operations shall be for the duration of the Agreement and until the Personal Data has been securely returned or destroyed in accordance with this Agreement.