All capitalised terms in this DPA shall have the meaning as prescribed by the 247emaildata Terms as located at https://www.247emaildata.com/terms or as otherwise agreed between the parties, unless otherwise specified below.
references to any Applicable Laws (including to the Data Protection Laws and each of them) and to terms defined in such Applicable Laws shall be replaced with or incorporate (as the case may be) references to any Applicable Laws replacing, amending, extending, re-enacting or consolidating such Applicable Law (including the GDPR and any new Data Protection Laws from time to time) and the equivalent terms defined in such Applicable Laws, once in force and applicable. A reference to a law includes all subordinate legislation made under that law.
2 Data Processor and Data Controller |
2.1 The parties agree that, for the Protected Data, the Client shall be the Data Controller and 247emaildata shall be the Data Processor. |
2.2 247emaildata shall process Protected Data in compliance with: |
2.2.1 the obligations of Data Processors under Data Protection Laws in respect of the performance of its obligations under this Agreement; and |
2.3 The Client shall comply with: |
2.3.1 all Data Protection Laws in connection with the processing of Protected Data, the Services and the exercise and performance of its respective rights and obligations under this Agreement, including maintaining all relevant regulatory registrations and notifications as required under Data Protection Laws; and |
2.3.2 the terms of this DPA. |
2.4 The Client warrants, represents and undertakes, that: |
2.4.1 all data sourced by the Client for use in connection with the Services shall comply in all respects, including in terms of its collection, storage and processing (which shall include the Client providing all of the required fair processing information to, and obtaining all necessary consents from, Data Subjects), with Data Protection Laws; |
2.4.2 all instructions given by it to 247emaildata in respect of Personal Data shall at all times be in accordance with Data Protection Laws; and |
2.5 The Client shall not unreasonably withhold, delay or condition its agreement to any change or amendment requested by 247emaildata in order to ensure the Services and 247emaildata (and each Sub-Processor) can comply with Data Protection Laws. |
|
3 Instructions and details of processing |
3.1 By entering into this DPA, Client instructs 247emaildata to process Client Protected Data only in accordance with Applicable Law: |
3.1.1 To provide the Services; |
3.1.2 As further specified by Client’s use of the Services or the Software; |
3.1.3 As documented in the form of the terms and this DPA; and |
3.1.4 As further documented in any other written instructions provided by the Client and acknowledged by 247emaildata as being instructions for the purposes of this DPA. |
3.2 Insofar as 247emaildata processes Protected Data on behalf of the Client, 247emaildata: |
3.2.1 unless required to do otherwise by Applicable Law, shall (and shall take steps to ensure each person acting under its authority shall) process the Protected Data only on and in accordance with the Client’s documented instructions as set out in this clause, as updated from time to time as agreed between the parties (Processing Instructions); |
3.2.2 if Applicable Law requires it to process Protected Data other than in accordance with the Processing Instructions, shall notify the Client of any such requirement before processing the Protected Data (unless Applicable Law prohibits such information on important grounds of public interest); and |
3.2.3 shall inform the Client if 247emaildata becomes aware of a Processing Instruction that, in 247emaildata’s opinion, infringes Data Protection Laws, provided that: |
(a) this shall be without prejudice to clauses 2.3 and 2.4; and |
(b) to the maximum extent permitted by mandatory law, 247emaildata shall have no liability howsoever arising (whether in contract, tort (including negligence) or otherwise) for any losses, costs, expenses or liabilities (including any Data Protection Losses) arising from or in connection with any processing in accordance with the Client's Processing Instructions following the Client's receipt of that information; and |
3.3 The subject matter and details of the processing of Protected Data to be carried out by 247emaildata under this DPA shall comprise the processing set out in Schedule 1 (Data processing details), as may be updated from time to time as agreed between the parties.
|
|
4 Technical and organisational measures |
4.1 247emaildata shall implement and maintain, at its cost and expense and in relation to the processing of Protected Data by 247emaildata, technical and organisational measures taking into account the nature of the processing, to assist the Client insofar as is possible in the fulfilment of the Client’s obligations to respond to Data Subject Requests relating to Protected Data. |
|
5 Using Sub-Processors |
5.1 Subject to the below, 247emaildata shall not engage any Sub-Processor for carrying out any processing activities in respect of the Protected Data without the Client’s written authorisation (such authorisation not to be unreasonably withheld, conditioned or delayed). |
5.2 Client specifically authorises the engagement of 247emaildata’s affiliates and associated group companies as Sub-Processors and also authorises the appointment of any of the Sub-Processors listed in Annex A at the footer of this document. |
5.3 247emaildata shall ensure: |
5.3.1 via a written contract that the Sub-Processor only accesses and processes Protected Data to perform the obligations subcontracted to it and does so in accordance with the measures contained in this DPA that is enforceable by 247emaildata; and |
5.3.2 remain fully liable for all the acts and omissions of each Sub-Processor as if they were its own. |
5.4 When any new Sub-Processor is engaged by 247emaildata during the Term, 247emaildata shall give Client 30 days’ prior notice of the appointment of any new Sub-processor, including details of the Processing to be undertaken by the Sub-processor, via either email, the Software or the Site. |
5.5 Client may object (on reasonable grounds and only relating to data protection) to any new Sub-Processor appointed per clause 5.4. above within 14 days of 247emaildata’s notice; If Client notifies 247emaildata in writing of any objections to the proposed appointment: |
5.5.1 247emaildata shall work with Client in good faith to make available a commercially reasonable change in the provision of the Services which avoids the use of that proposed Sub-processor; and |
5.5.2 where such a change cannot be made within 14 days of 247emaildata's receipt of Client's notice, Client may by written notice to 247emaildata with immediate effect terminate the Service Agreement to the extent that it relates to the Services which require the use of the proposed Sub-processor. This termination right is Client’s sole and exclusive remedy to Client’s objection of any Sub-Processor appointed by 247emaildata during the Term. |
|
6 International data transfers |
6.1 The Client agrees that 247emaildata may transfer any Protected Data to countries outside the European Economic Area (EEA) or to any International Organisation(s) (an International Recipient), provided all transfers by 247emaildata of Protected Data to an International Recipient shall (to the extent required under Data Protection Laws) be effected by way of Appropriate Safeguards and in accordance with Data Protection Laws. The provisions of this Agreement shall constitute the Client’s instructions with respect to transfers in accordance with clause 3.1. |
|
7 Staff |
7.1 247emaildata shall ensure that all persons authorised by it (or by any Sub-Processor) to process Protected Data are subject to a binding written contractual obligation to keep the Protected Data confidential (except where disclosure is required in accordance with Applicable Law, in which case 247emaildata shall, where practicable and not prohibited by Applicable Law, notify the Client of any such requirement before such disclosure). |
|
8 Assistance with the Client’s compliance and Data Subject rights |
8.1 247emaildata shall refer all Data Subject Requests it receives to the Client within three Business Days of receipt of the request, provided that if the number of Data Subject Requests exceeds three per calendar month, the Client shall pay 247emaildata’s Charges calculated on a time and materials basis for recording and referring the Data Subject Requests in accordance with this clause 8.1. |
8.2 Further to the above and notwithstanding anything to the contrary in the Terms, 247emaildata reserves the right to disclose the identity of the Client to any relevant Data Subject following any such request from a Data Subject. |
8.3 247emaildata shall provide such reasonable assistance as the Client reasonably requires (taking into account the nature of processing and the information available to 247emaildata) to the Client in ensuring compliance with the Client’s obligations under Data Protection Laws with respect to: |
8.3.1 security of processing; |
8.3.2 data protection impact assessments (as such term is defined in Data Protection Laws); |
8.3.3 prior consultation with a Supervisory Authority regarding high risk processing; and |
8.3.4 notifications to the Supervisory Authority and/or communications to Data Subjects by the Client in response to any Personal Data Breach. |
|
9 Records, information and audit |
9.1 247emaildata shall maintain, in accordance with Data Protection Laws binding on 247emaildata, written records of all categories of processing activities carried out on behalf of the Client. |
9.2 247emaildata shall, in accordance with Data Protection Laws, make available to the Client such information as is reasonably necessary to demonstrate 247emaildata's compliance with the obligations of Data Processors under Data Protection Laws, and allow for and contribute to audits, including inspections, by the Client (or another auditor mandated by the Client) for this purpose, subject to the Client: |
9.2.1 giving 247emaildata reasonable prior notice of such information request, audit and/or inspection being required by the Client; |
9.2.2 ensuring that all information obtained or generated by the Client or its auditor(s) in connection with such information requests, inspections and audits is kept strictly confidential (save for disclosure to the Supervisory Authority or as otherwise required by Applicable Law); |
9.2.3 ensuring that such audit or inspection is undertaken during normal business hours, with minimal disruption to 247emaildata's business and the business of other Clients of 247emaildata; and |
9.2.4 paying 247emaildata's reasonable costs for assisting with the provision of information and allowing for and contributing to inspections and audits. |
|
10 Breach notification |
10.1 In respect of any Personal Data Breach involving Protected Data, 247emaildata shall, without undue delay (but in any event within 24 hours) from when 247emaildata becomes aware of the same: |
10.1.1 notify the Client of the Personal Data Breach; and |
10.1.2 provide the Client, where possible, with details of the Personal Data Breach. |
10.2 Notice of a Personal Data Breach as contemplated under 10.1.1 above shall include: |
10.2.1 the nature of the Personal Data Breach (including, where possible, the categories and approximate number of data subjects and data records concerned); |
10.2.2 the likely consequences of the Personal Data Breach; and |
10.2.3 the measures taken or proposed to be taken to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects. |
|
11 Deletion or return of Protected Data and copies |
11.1 247emaildata shall, at the Client’s written request, or provide facilities for the Client to either delete or return all the Protected Data to the Client in such form as the Client reasonably requests within a reasonable time after the earlier of: |
11.1.1 the end of the provision of the relevant Services related to processing; or |
11.1.2 once processing by 247emaildata of any Protected Data is no longer required for the purpose of 247emaildata’s performance of its relevant obligations under this Agreement, |
and delete existing copies (unless storage of any data is required by Applicable Law and, if so, 247emaildata shall inform the Client of any such requirement). |
|
12 Cooperation |
12.1 If a party receives a compensation claim from a person relating to processing of Protected Data, it shall promptly provide the other party with notice and full details of such claim. The party with conduct of the action shall: |
12.1.1 make no admission of liability nor agree to any settlement or compromise of the relevant claim without the prior written consent of the other party (which shall not be unreasonably withheld or delayed); and |
12.1.2 consult fully with the other party in relation to any such action. |
|
Annex A - List of 247EmailData Sub-processors |
247EmailData uses its Affiliates and a range of third party Sub-processors to assist it in providing the Services (as described in the Agreement). These Sub-processors set out below provide cloud hosting and storage services; content delivery and review services; assist in providing customer support; as well as incident tracking, response, diagnosis and resolution services.
Entity Name |
Corporate Location |
Tsohost |
Slough, UK |
High Availability Hosting Ltd |
Sheffield, UK |
Rackspace |
London, UK |
|