DATA PROCESSING AGREEMENT

1.    AGREEMENT

This agreement is made on                                                        between

a.                                                                       of

(“you” or “your”); and

b.   Kai Ai Ltd with its registered address at 10 Waltham Gardens, Banbury, Oxfordshire OX16 4FD (“we” or “us” or “our”).

This Agreement is to ensure that proper arrangements are in place relating to personal data passed from us to you. 

This Agreement is intended to satisfy the requirements of Article 28 of the General Data Protection Regulation, which sets out the terms that must govern processing carried out by a processor on behalf of a controller. 

The parties wish to record their commitments under this Agreement.

2.    DEFINITIONS

In this Agreement:

“Data Protection Laws” means the General Data Protection Regulation as it applies in the UK, together with the Data Protection Act 2018 which supplements it;

“Data” means personal data passed under this Agreement which:

  • is being processed by means of equipment operating automatically in response to instructions given for that purpose;
  • is recorded with the intention that it should be processed by means of such equipment;
  • is recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system; or
  • is recorded information held by a public authority.

“GDPR” means the General Data Protection Regulation;

“Services” means our:

  • products,
  • services,
  • content,
  • features,
  • technologies,
  • functions,
  • contact (including e-mail),
  • websites; and
  • mobile applications.

3.    DATA PROCESSING

We are the data controller for the Data and you are the data processor for the Data.  You agree to process the Data only in accordance with Data Protection Laws and in particular on the following conditions:

  1. you shall only process the Data:
    a. on written instructions from us,
    b. for the purpose of completing the Services; and
    c. in the UK, with no transfer of the Data outside of the UK (Article 28, para 3(a) GDPR);
  2. you shall ensure that all employees and other representatives accessing the Data:
    a. are aware of the terms of this Agreement,
    b. have received comprehensive training on Data Protection Laws and related good practice, and
    c. are bound by a commitment of confidentiality (Article 28, para 3(b) GDPR);
  3. we and you have agreed to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, in compliance with Article 32 of GDPR; details of those measures are set out under Part A of the Annex to this Agreement (Article 28, para 3(c) GDPR);
  4. you shall not involve any third party in the processing of the Data without our consent.  Such consent may be withheld without reason.  If consent is given, a further processing agreement will be required (Article 28, para 3(d) GDPR); 
  5. taking into account the nature of the processing, you shall assist us by appropriate technical and organisational measures, in so far as this is possible, in fulfilling our obligation to respond to requests from individuals exercising their rights under Chapter III of GDPR (the rights of access, rectification, erasure, restriction, portability and objection, and the right not to be subject to automated decision-making) (Article 28, para 3(e) GDPR);
  6. you shall assist us in ensuring compliance with the obligations under Articles 32 to 36 of GDPR (security of processing, notification of personal data breaches to the ICO, communication of personal data breaches to individuals, data protection impact assessments and, where necessary, prior consultation with the ICO), taking into account the nature of the processing and the information available to you (Article 28, para 3(f) GDPR);
  7. at our choice, you shall securely delete or return the Data at any time.  [It has been agreed that you will in any event securely delete the Data at the end of the Services.]  Where you are to delete the Data, deletion shall include destruction of all existing copies unless you are under a legal requirement to retain the Data.  Where there is such a legal requirement, you shall confirm that obligation to us in writing before entering into this Agreement.  Upon request by us, you shall provide certification of destruction of all Data (Article 28, para 3(g) GDPR); 
  8. you shall make immediately available to us all information necessary to demonstrate compliance with the obligations laid down under this Agreement and shall allow for and contribute to any audits, inspections or other verification exercises required by us from time to time (Article 28, para 3(h) GDPR);
  9. you shall comply with the arrangements relating to the secure transfer of the Data from us to you and the safe keeping of the Data by you that are detailed under Part A of the Annex;
  10. you shall maintain the integrity of the Data, without alteration, ensuring that the Data can be separated from any other information you create or hold; and
  11. you shall immediately contact us if there is any personal data breach or other incident in which the Data may have been compromised.

4.  TERMINATION

We may immediately terminate this Agreement on written notice to you. You may not terminate this Agreement without our written consent.

5.  GENERAL

This Agreement may only be varied with the written consent of both parties.

For the purposes of this Agreement the representatives of each party are detailed under Part B of the Annex.

This Agreement represents the entire understanding of the parties relating to necessary legal protections arising out of their data controller/processor relationship under Data Protection Laws.

This Agreement is subject to English law and the exclusive jurisdiction of the English Courts.

6.  THE DOTTED LINE

Signed by and on behalf of Kai Ai Ltd

Name: Robert Hutt

Date: 27/05/2019

……………………………………………………………………………………….

Signed by and on behalf of [                                     ]

Name: ………………………………………………………………………………

Date: ………………………………………………………………………………..

ANNEX

Part A

Compliance with Article 32, para 1 of GDPR

  • Consideration of anonymisation, pseudonymisation and encryption. 

<ENTER INFORMATION>

  • The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and related services.

<ENTER INFORMATION>

  • The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.

<ENTER INFORMATION>

  • A process for regularly testing, assessing and evaluating the effectiveness of the technical and organisational measures for ensuring the security of the processing.

<ENTER INFORMATION>

Compliance with Article 32, para 2 of GDPR

  • In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to data transmitted, stored or otherwise processed.

<ENTER INFORMATION>

Compliance with Article 32, para 3 of GDPR

  • Adherence to an approved code of conduct as referred to in Article 40 of GDPR or an approved certification mechanism as referred to in Article 42 of GDPR may be used as an element by which to demonstrate compliance with the requirements set out in Article 32, para 1 of GDPR (see above). 

<ENTER INFORMATION>

Compliance with Article 32, para 4 of GDPR

  • You must ensure that anyone acting on your behalf who has access to the Data does not process it except on instructions from us, unless they are required to do so under English law.

ANNEX

Part B

Our Representative shall be <INSERT DETAILS> or such other person as shall be notified by us <INSERT DETAILS>.

Your Representative shall be <INSERT DETAILS> or such other person as shall be notified by you <INSERT DETAILS>.