Tradebox / Referral Program / Data processing

“Data Protection Legislation”

means 1) unless and until EU Regulation 2016/679 General Data Protection Regulation (“GDPR”) is no longer directly applicable in the UK, the GDPR and any national implementing laws, regulations, and secondary legislation (as amended from time to time), in the UK and subsequently 2) any legislation which succeeds the GDPR.

1. Data Processing

1.1 In this Clause 1, “personal data”, “data subject”, “data controller”, “data processor”, and “personal data breach” shall have the meaning defined in Article 4, EU Regulation 2016/679 General Data Protection Regulation (“GDPR”).

1.2 The Parties hereby agree that they shall both comply with all applicable data protection requirements set out in the Data Protection Legislation. This Clause X shall not relieve either Party of any obligations set out in the Data Protection Legislation and does not remove or replace any of those obligations.

1.3 For the purposes of the Data Protection Legislation and for this Clause 1, Tradebox is the “Data Controller” and ReferralFile is the “Data Processor”.

1.4 The type(s) of personal data, the scope, nature and purpose of the processing, and the duration of the processing are set out in Schedule A.

1.5 The Data Controller shall ensure that it has in place all necessary consents and notices required to enable the lawful transfer of personal data to the Data Processor for the purposes described in this Agreement.

1.6 The Data Processor shall, with respect to any personal data processed by it in relation to its performance of any of its obligations under this Agreement:

1.6.1 Process the personal data only on the written instructions of the Data Controller unless the Data Processor is otherwise required to process such personal data by law. The Data Processor shall promptly notify the Data Controller of such processing unless prohibited from doing so by law.

1.6.2 Ensure that it has in place suitable technical and organisational measures (as approved by the Data Controller) to protect the personal data from unauthorised or unlawful processing, accidental loss, damage or destruction. Such measures shall be proportionate to the potential harm resulting from such events, taking into account the current state of the art in technology and the cost of implementing those measures. Measures to be taken are set out in Schedule X.

1.6.3 Ensure that any and all staff with access to the personal data (whether for processing purposes or otherwise) are contractually obliged to keep that personal data confidential; and

1.6.4 Except as needed to fulfil the contract (for example, posting a promotional credit to a customer’s account on a third-party system), not transfer any personal data outside of the European Economic Area without the prior written consent of the Data Controller and only if the following conditions are satisfied:

1.6.4.1 The Data Controller and/or the Data Processor has/have provided suitable safeguards for the transfer of personal data;

1.6.4.2 Affected data subjects have enforceable rights and effective legal remedies;

1.6.4.3 The Data Processor complies with its obligations under the Data Protection Legislation, providing an adequate level of protection to any and all personal data so transferred; and

1.6.4.4 The Data Processor complies with all reasonable instructions given in advance by the Data Controller with respect to the processing of the personal data.

1.6.5 Assist the Data Controller, at the Data Controller’s cost, in responding to any and all requests from data subjects and in ensuring its compliance with the Data Protection Legislation with respect to security, breach notifications, impact assessments, and consultations with supervisory authorities or regulators (including, but not limited to, the Information Commissioner’s Office);

1.6.6 Notify the Data Controller without undue delay of a personal data breach;

1.6.7 On the Data Controller’s written instruction, delete (or otherwise dispose of) or return all personal data and any and all copies thereof to the Data Controller on termination of this Agreement unless it is required to retain any of the personal data by law; and

1.6.8 Maintain complete and accurate records of all processing activities and technical and organisational measures implemented necessary to demonstrate compliance with this Clause 1 and to allow for audits by the Data Controller and/or any party designated by the Data Controller.

1.7 The Data Processor shall not sub-contract any of its obligations to a sub-processor with respect to the processing of personal data under this Clause 1 without the prior written consent of the Data Controller (such consent not to be unreasonably withheld). In the event that the Data Processor appoints a sub-processor, the Data Processor shall:

1.7.1 Enter into a written agreement with the sub-processor, which shall impose upon the sub-processor the same obligations as are imposed upon the Data Processor by this Clause 1 and which shall permit both the Data Processor and the Data Controller to enforce those obligations; and

1.7.2 Ensure that the sub-processor complies fully with its obligations under that agreement and the Data Protection Legislation.

1.8 Either Party may, at any time, and on at least 30 calendar days’ notice, alter this Clause 1, replacing it with any applicable data processing clauses or similar terms that form part of an applicable certification scheme. Such terms shall apply and replace this Clause 1 by attachment to this Agreement.

SCHEDULE A

1. Data Processing

Scope

Referral programme management, referral tracking, referral performance tracking and reward posting.

Nature

Account management, programme reporting and posting rewards.

Purpose

To track referrals associated with a user account and, where necessary, facilitate distribution of rewards (promotional credit or commission) to those users. For example, this might include posting to a data controller’s own system to notify them of a sale and to post promotional credit.

Duration

For the duration the user is enrolled in the referral programme.

2. Types of Personal Data

Name, business name, email address, payment information, computer browser information.

3. Categories of Data Subject

Customers and Affiliates.

4. Organisational and Technical Data Protection Measures

Data is sent over TLS connections. Data is segregated per customer and affiliate account. Staff only have access to relevant information necessary to their job functions.