UK/EU Customer DPA

Schedule 4: Customer DPA

  1. Definitions:
Data Breach: Any unauthorised access, accidental loss, destruction of or damage to any Personal Data processed by the Supplier under or concerning the Licence Contract and/or this DPA.
DPA Start Date: The start date of the Licence Contract.
Licence Contract: The Licence Contract between the Supplier and the Customer.
  1. Interpretation:
    1. The rules of interpretations and definitions in the Licence Contract also apply to this DPA, unless expressly stated otherwise in the DPA.
    2. “Controller”, “Data”, “Data Subject”, “Personal Data” and “Processor” respectively have the meanings given under the Data Protection Legislation.
    3. “OTMs”: means the organisational and technical measures that the Supplier has to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures.
  2. Acknowledgements: The parties acknowledge that:
    1. the Customer and Users are incorporated or resident in the Territory;
    2. the Customer will collect and access Personal Data of Users directly from Users, to the extent that Users do not upload/input that Personal Data into the Software Platform; and
    3. the Supplier will have access to that Personal Data for the Software Platform Purpose and/or to perform its obligations under the Licence Contract and/or this DPA.
  3. Processing:
    1. The parties acknowledge that for the purposes of the Data Protection Legislation, (i) Schedule 1 to this DPA sets out the nature, scope and purposes for the processing of Personal Data under the Licence Contract and/or this DPA, and (ii) as between the parties, the Customer is the Controller and the Supplier is the Processor for that Personal Data. The Customer acknowledges and accepts that it has reviewed and is satisfied with the OTMs.
    2. The Customer will comply with all applicable requirements of the Data Protection Legislation as Controller (to include, but not limited to, ensuring that there is a lawful basis for Processing of Personal Data) and the Supplier will comply with all applicable requirements of the Data Protection Legislation as a Processor.
    3. Without prejudice to the generality of clause 6.b., the Customer will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the Personal Data to the Supplier for the duration and purposes of the Licence Contract.
    4. Without prejudice to the generality of clause 6.b., the Supplier shall, in relation to any Personal Data processed in connection with the performance by the Supplier of its obligations under the Licence Contract:
      1. process that Personal Data only on the written instructions of the Customer, unless the Supplier is otherwise required or permitted by Data Protection Legislation to process that Personal Data;
      2. ensure that it has in place and maintains the OTMs; and ensure that all personnel who have access to and/or process Personal Data are obliged to keep the Personal Data confidential and comply with all relevant and applicable obligations under this Licence Contract.
    5. Each party will promptly notify the other party after becoming aware of its breach of clause 6.
    6. Each party will provide the other party with such reasonable information as it reasonably requires to be able to demonstrate its compliance with clause 6.
    7. In respect of transferring Personal Data to a territory outside of the United Kingdom (UK) and outside of the European Economic Area (EEA) the following rules apply:
      1. the Customer shall be the data exporter;
      2. either:
        • the Personal Data must be processed in a territory which is subject to adequacy regulations under the Data Protection Legislation, in that the territory provides adequate protection for the privacy rights of individuals (and such territory must be notified to and agreed by the Customer); or
        • the Processor must participate in a valid cross-border transfer mechanism under the Data Protection Legislation, so that the transferring party (and, where appropriate, the other party) can ensure that appropriate safeguards are in place to ensure an adequate level of protection with respect to the privacy rights of individuals as required by Article 46 of the UK GDPR; and
      3. if any Personal Data transfer between the parties requires execution of the IDTA or the Addendum (as applicable) to comply with clause 6.g.ii (second bullet point) the parties will fully co-operate with each other and act in good faith to complete all relevant details in, and execute, the IDTA or Addendum (as applicable) in a time and cost-efficient manner.
  4. Liability: Liability under this DPA will be governed by the Licence Contract as if this DPA was a schedule of the Licence Contract and governed by the terms of the Licence Contract.
  5. Notices: The parties will keep each other informed of their contact details. Notices must be given in writing and in English. Notices sent by post or given by hand delivery must go to the recipient’s latest postal address. Notices sent by email must go to the recipient’s latest email address. Notices are deemed served: (i) 10 Business Days after posting, (ii) 1 hour after confirmed email dispatch (if emailed by 4 pm on a Business Day) or by 9 am on the next Business Day (if emailed after 4 pm or on a day other than a Business Day), or (iii) immediately, for hand delivery. The above provisions of clause 8 do not apply to the service of legal proceedings.
  6. Concerns: The terms under the heading “Concerns” of Schedule 2 of the Licence Contract also apply to this DPA.
  7. Termination: This DPA will terminate when the Licence Contract terminates or otherwise with the written agreement of the Supplier and the Customer. After termination of the DPA all Personal Data is to be returned to the Customer or as otherwise agreed between the Customer and Supplier (however the Customer may retain any Personal Data it is required to or entitled to retain under the law).
  8. General Terms: The terms under the heading “General Terms” of Schedule 2 of the Licence Contract also apply to this DPA, including (but not limited to) the following:
    1. English and Welsh law governs this DPA, and English and Welsh courts have exclusive jurisdiction over all DPA related disputes and claims, whether contractual or non-contractual.
    2. Any purported variation, deletion, or exclusion of any provision of this DPA requires the express written consent of both parties to be valid and enforceable.

DPA SCHEDULE 1: DATA PROCESSING PROTOCOL

Personal Data Categories
  • Identity Data: Information like names, username, birthdate, and gender.
  • Contact Data: Details such as addresses, email addresses, and phone numbers.
  • Financial Data: Includes bank and payment card details, income, and credit history.
  • Transaction Data: Information about payments and services a data subject or its employer/business has purchased.
  • Incident Data: Information about criminal history, credit history, country court judgments, accidents and related information.
  • Technical Data: Automatically collected info when a data subject visits a website, like IP address and device details.
  • Profile Data: A data subject’s purchases, interests, preferences, feedback, and survey responses.
  • Usage Data: How a data subject uses a website, apps, online platforms and services.
  • Marketing and Communications Data: A data subject’s preferences for receiving marketing and communication.
  • Recorded Data: Audio and video recordings from calls, video conferencing, and CCTV.
Special Category Data
  • Race
  • Ethnic origin
  • Political affiliation
  • Religious affiliation
  • Trade union membership
  • Genetic information
  • Biometric information
  • Health/medical condition
  • Sexual orientation
Data Subject Types
Living natural persons who are (or work at or for organisations that are) the Customer’s:
  • owners, members, directors or other officers, employees, non-employed workers, agents, advisers or representatives
  • partners
  • clients, customers or principals
  • suppliers of goods, services or both
  • consultants or sub-contractors
  • auditors or certification/accreditation providers
  • regulators
  • professional/trade associations or membership organisations
  • opponents or other people involved in disputes or legal proceedings
  • counterparties to any arrangement or contract
  • business, commercial or other contacts
Purpose & Nature of Processing
  • Performing the Services under the Licence Contract.
  • Complying with the Licence Contract.
  • Enforcing rights under the Licence Contract.
  • Complying with the Customer’s documented instructions (including keeping a written record of such instructions).
  • Complying with the law.
Lawful Basis of Processing
  • Legitimate interest.
  • Compliance with the law.
  • Consent (where obtained and present from the applicable data subject).
Duration of Processing
The Contract Period (as defined in the Licence Contract) plus any longer period for which the Supplier has obligations under the Licence Contract.
Persons with authority to give processing instructions to the Supplier
  • Any director or other officer of the Customer.
  • Any person authorised by anyone in the above category.
Approved sub-processors/sub-contractors of the Supplier (as at the DPA Start Date)
The list of subprocessors as published on our Trust Centre page (https://trust.work-wallet.com) as amended from time to time.
Non-UK Territories to transfer Personal Data
European Economic Area (EEA) or the United States of America
Personal Data Exporter
Customer
Lawful basis to transfer Personal Data outside of the UK
Going to a country, territory, sector or entity covered by UK determination of adequacy determinations/regulations
