Data Processing Agreement
We at take managing your data very seriously and the following outlines KulaHub’s approach to managing customer data. This agreement shall come into force upon acceptance of KulaHub’s invoice and shall continue for the duration of the term as per stated on the invoice.
This Agreement is made between KulaHub Ltd and made between:
(1) Your Company whose principal place of business is at (‘the Company’ address)
(2) KulaHub Ltd whose principal place of business is at Knaresborough Technology Park, Manse Lane, Knaresborough, HG5 8LF (‘the Processor’)
This Agreement is made further to an agreement of the same date between the parties under which the Processor is to supply the services set out in Schedule 1 to the Company.
Data Controller: has the meaning set out in section 1(1) of the Data Protection Act 1998.
Data Subject: an individual who is the subject of Personal Data.
Personal Data: has the meaning set out in section 1(1) of the Data Protection Act 1998 and relates only to personal data, or any part of such personal data, of which the Company is the Data Controller and in relation to which the Processor is providing services under this Agreement.
Processing and process: have the meaning set out in section 1(1) of the Data Protection Act 1998.
1. Obligations of the Processor
1.1 The Company and the Processor acknowledge that for the purposes of the Data Protection Act 1998, the Company is the Data Controller and the Processor is the data processor of any Personal Data.
1.2 The Processor shall process the Personal Data only to the extent, and in such a manner, as is necessary for the purposes specified in Schedule 1of this Agreement and in accordance with the Company’s instructions from time to time and shall not process the Personal Data for any other purpose. The Processor will keep a record of any processing of personal data it carries out on behalf of the Company.
1.3 The Processor shall promptly comply with any request from the Company requiring the Processor to amend, transfer or delete the Personal Data.
1.4 If the Processor receives any complaint, notice or communication which relates directly or indirectly to the processing of the Personal Data or to either party’s compliance with the Data Protection Act 1998 and the data protection principles set out therein, it shall immediately notify the Company and it shall provide the Company with full co-operation and assistance in relation to any such complaint, notice or communication.
1.5 At the Company’s request, the Processor shall provide to the Company a copy of all Personal Data held by it in the format and on the media reasonably specified by the Company.
1.6 The Processor shall not transfer the Personal Data outside the European Economic Area without the prior written consent of the Company.
1.7 The Processor shall promptly inform the Company if any Personal Data is lost or destroyed or becomes damaged, corrupted, or unusable. The Processor will restore such Personal Data at its own expense.
2. Processor’s Employees
2.1 The Processor shall ensure that access to the Personal Data is limited to:
2.1.1 those employees who need access to the Personal Data to meet the Processor’s obligations under this Agreement; and
2.1.2 in the case of any access by any employee, such part or parts of the Personal Data as is strictly necessary for performance of that employee’s duties.
2.2 The Processor shall ensure that all employees:
2.2.1 are informed of the confidential nature of the Personal Data;
2.2.2 have undertaken training in the laws relating to handling personal data; and
2.2.3 are aware both of the Processor’s duties and their personal duties and obligations under such laws and this Agreement.
2.3 The Processor shall take reasonable steps to ensure the reliability of any of the Processor’s employees who have access to the Personal Data.
3. Rights of the Data Subject
3.1 The Processor shall notify the Company within three working days if it receives a request from a Data Subject for access to that person’s Personal Data.
3.2 The Processor shall provide the Company with full co-operation and assistance in relation to any request made by a Data Subject to have access to that person’s Personal Data.
3.3 The Processor shall not disclose the Personal Data to any Data Subject or to a third party other than at the request of the Company or as provided for in this Agreement.
4. Rights of the Company
4.1 The Company is entitled, on giving at least seven days’ notice to the Processor, to inspect or appoint representatives to inspect all facilities, equipment, documents and electronic data relating to the processing of Personal Data by the Processor.
4.2 The requirement under clause 4.1 to give notice will not apply if the Company believes that the Processor is in breach of any of its obligations under this Agreement.
5.1 The Processor warrants that:
5.1.1 it will process the Personal Data in compliance with all applicable laws, enactments, regulations, orders, standards and other similar instruments; and
5.1.2 it will take appropriate technical and organisational measures against the unauthorised or unlawful processing of personal data and against the accidental loss or destruction of, or damage to, personal data to ensure the Company’s compliance with the seventh data protection principle.
5.2 The Processor shall notify the Company immediately if it becomes aware of:
5.2.1 any unauthorised or unlawful processing, loss of, damage to or destruction of the Personal Data;
5.2.2 any advance in technology and methods of working which mean that the Company should revise its security measures.
6.1 The Processor agrees to indemnify and keep indemnified and defend at its own expense the Company against all costs, claims, damages or expenses incurred by the Company or for which the Company may become liable due to any failure by the Processor or its employees or agents to comply with any of its obligations under this Agreement.
7. Appointment of subcontractors
7.1 The Processor may not authorise any third party or sub-contractor to process the Personal Data.
8.1.1 Any notice or other communication required to be given to a party under or in connection with this Contract shall be in writing and shall be delivered to the other party personally or sent by prepaid first-class post, recorded delivery or by commercial courier, at its registered office (if a company) or (in any other case) its principal place of business, or sent by fax to the other party’s main fax number.
8.1.2 Any notice or communication shall be deemed to have been duly received if delivered personally, when left at the address referred to above or, if sent by prepaid first-class post or recorded delivery, at 9.00 am on the [second] Business Day after posting, or if delivered by commercial courier, on the date and at the time that the courier’s delivery receipt is signed, or if sent by fax, on the next Business Day after transmission.
8.1.3 This clause 8.1 shall not apply to the service of any proceedings or other documents in any legal action. For the purposes of this clause, “writing” shall not include e-mails and for the avoidance of doubt notice given under this Contract shall not be validly served if sent by e-mail.
8.2 Governing law and jurisdiction: The Contract, and any dispute or claim arising out of or in connection with it or its subject matter or formation (including non-contractual disputes or claims), shall be governed by, and construed in accordance with, English law, and the parties irrevocably submit to the exclusive jurisdiction of the courts of England and Wales.