Schedule 5 (Data Processing)

Background

1. The Customer and the Provider entered into terms and conditions (the "Terms and Conditions") that may require the Provider to process Personal Data on behalf of the Customer.

2. This Data Processing Schedule ("Data Processing Schedule") forms part of the overall agreement entered into between the parties (which includes the Terms and Conditions) and sets out the terms, requirements and conditions on which the Provider will process Personal Data when providing services under the Terms and Conditions.

3. This Data Processing Schedule contains the mandatory clauses required by Article 28(3) of the General Data Protection Regulation ((EU) 2016/679) for contracts between controllers and processors.

4. This Data Processing Schedule contains the SCCs (incorporated by reference into Appendix B) as well as additional supplementary measures in connection with the SCCs (also set out in Appendix B) which the Parties have included to take account of the recommendations provided by the European Data Protection Board in November 2020.

Agreed Terms

1. Definitions And Interpretation

The following definitions and rules of interpretation apply in this Data Processing Schedule.

1.1 Definitions:

"Business Purposes" means the services described in the Terms and Conditions or any other purpose specifically identified in Appendix A.

"Controller" and "Processor" are as defined in the Data Protection Legislation.

"Data Subject" means an individual who is the subject of Personal Data.

"Personal Data" means any information relating to an identified or identifiable natural person that is processed by the Provider as a result of, or in connection with, the provision of the services under the Terms and Conditions; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

"Processing, processes and process" means either any activity that involves the use of Personal Data or as the Data Protection Legislation may otherwise define processing, processes or process. It includes any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. Processing also includes transferring Personal Data to third parties.

"Data Protection Legislation" means the UK Data Protection Legislation and any other European Union legislation relating to personal data and all other legislation and regulatory requirements in force from time to time which apply to a party relating to the use of personal data (including, without limitation, the privacy of electronic communications).

"Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.

"Standard Contractual Clauses (SCC)" means the European Commission's Standard Contractual Clauses for the transfer of Personal Data from the European Union to processors established in third countries (controller-to-processor transfers), as set out in the Annex to Commission Decision 2010/87/EU.

"Supervisory Authority" means an independent public authority which is established by a country pursuant to the Data Protection Legislation.

"UK Data Protection Legislation" means all applicable data protection and privacy legislation in force from time to time in the UK including the General Data Protection Regulation ((EU) 2016/679) (“GDPR”); the GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018; the Data Protection Act 2018; the Privacy and Electronic Communications Directive 2002/58/EC (as updated by Directive 2009/136/EC) and the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426) as amended.

1.2 This Data Processing Schedule forms part of the overall agreement between the Provider and the Customer, which includes the Terms and Conditions. Interpretations and defined terms set forth in the Terms and Conditions apply to the interpretation of this Data Processing Schedule.

1.3 The Annexes form part of this Data Processing Schedule and will have effect as if set out in full in the body of this Data Processing Schedule. Any reference to this Data Processing Schedule includes the Annexes.

1.4 In the case of conflict or ambiguity, the following order of precedence shall apply:

a) any provisions of the SCCs incorporated into this Data Processing Schedule;

b) this Data Processing Schedule;

c) the Terms and Conditions; and

d) the terms of any accompanying order form, invoices or other documents annexed to the agreement between the parties.

2. Personal Data Types And Processing Purposes

2.1 The Customer and the Provider acknowledge that for the purpose of the Data Protection Legislation, the Customer is the controller and the Provider is the processor.

2.2 The Customer retains control of the Personal Data and remains responsible for its compliance obligations under the applicable Data Protection Legislation, including providing any required notices and obtaining any required consents, and for the processing instructions it gives to the Provider.

2.3 The Customer warrants and represents that the Provider’s expected use of the Personal Data for the Business Purposes and as specifically instructed by the Customer will comply with the Data Protection Legislation.

2.4 Appendix A describes the subject matter, duration, nature and purpose of processing and the Personal Data categories and Data Subject types in respect of which the Provider may process to fulfil the Business Purposes of the Terms and Conditions. If the Parties have agreed to modify the Business Purposes during the life of the Terms and Conditions, then Appendix A may be updated by the Provider from time to time (and such updates will immediately bind the Customer) to reflect any changes in the Business Purposes and is available at: https://contracts.rightmarket.com/managed-service/subprocessors and https://contracts.roi360.co.uk/managed-service/subprocessors.

3. The Provider's Obligations

3.1 The Provider will only process the Personal Data to the extent, and in such a manner, as is necessary for the Business Purposes in accordance with the Customer's written instructions. The Provider will not process the Personal Data for any other purpose or in a way that does not comply with this Data Processing Schedule or the Data Protection Legislation. The Provider must immediately notify the Customer if, in its opinion, the Customer's instruction would not comply with the Data Protection Legislation.

3.2 The Provider must promptly comply with any Customer request or instruction requiring the Provider to amend, transfer, delete or otherwise process the Personal Data, or to stop, mitigate or remedy any unauthorised processing.

3.3 The Provider will maintain the confidentiality of all Personal Data and will not disclose Personal Data to third parties unless the Customer or the agreement between the parties specifically authorises the disclosure, or as required by law. If a law, court, regulator or supervisory authority requires the Provider to process or disclose Personal Data, the Provider must first inform the Customer of the legal or regulatory requirement and give the Customer an opportunity to object or challenge the requirement, unless the law prohibits such notice.

3.4 The Provider will reasonably assist the Customer with meeting the Customer's compliance obligations under the Data Protection Legislation, taking into account the nature of the Provider’s processing and the information available to the Provider, including in relation to Data Subject rights, data protection impact assessments and reporting to and consulting with supervisory authorities under the Data Protection Legislation.

3.5 The Provider must promptly notify the Customer of any changes to Data Protection Legislation that may adversely affect the Provider’s performance of the Terms and Conditions.

4. The Provider's Employees

4.1 The Provider will ensure that all employees:

a) are informed of the confidential nature of the Personal Data and are bound by confidentiality obligations and use restrictions in respect of the Personal Data;

b) who have reasonable need to access personal data, have undertaken training on the Data Protection Legislation relating to handling Personal Data and how it applies to their particular duties; and

c) are aware both of the Provider’s duties and their personal duties and obligations under the Data Protection Legislation and this Data Processing Schedule.

5. Security

5.1 The Provider must at all times implement appropriate technical and organisational measures against unauthorised or unlawful processing, access, disclosure, copying, modification, storage, reproduction, display or distribution of Personal Data, and against accidental or unlawful loss, destruction, alteration, disclosure or damage of Personal Data including, but not limited to, the security measures set out in Appendix C. Appendix C may be updated by the Provider from time to time (and such updates will apply with immediate effect) to reflect any changes in its organisational and security measures and is available at: https://contracts.rightmarket.com/managed-service/security-measures and https://contracts.roi360.co.uk/managed-service/security-measures. The Provider must document those measures on its website or otherwise in writing and periodically review them to ensure they remain current and complete, at least annually.

5.2 The Provider must implement such measures to ensure a level of security appropriate to the risk involved, including as appropriate:

a) the pseudonymisation and encryption of personal data;

b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and

d) a process for regularly testing, assessing and evaluating the effectiveness of security measures.

6. Personal Data Breach

6.1 The Provider will promptly and without undue delay notify the Customer if any Personal Data is lost or destroyed or becomes damaged, corrupted, or unusable. The Provider will restore such Personal Data at its own expense.

6.2 The Provider will promptly and without undue delay notify the Customer if it becomes aware of:

a) any accidental, unauthorised or unlawful processing of the Personal Data; or

b) any Personal Data Breach.

6.3 Where the Provider becomes aware of an event within the scope of clause 6.2, it shall promptly and without undue delay, also provide the Customer with the following information:

a) a description of the nature of such event, including the categories and approximate number of both Data Subjects and Personal Data records concerned;

b) the likely consequences of the event; and

c) a description of the measures taken or proposed to be taken to address such event, including measures to mitigate its possible adverse effects.

6.4 Immediately following any unauthorised or unlawful Personal Data processing or Personal Data Breach, the parties will co-ordinate with each other to investigate the matter. The Provider will reasonably co-operate with the Customer in the Customer's handling of the matter, including:

a) assisting with any investigation;

b) making available all relevant records, logs, files, data reporting and other materials required to comply with all Data Protection Legislation or as otherwise reasonably required by the Customer; and

c) taking reasonable and prompt steps to mitigate the effects and to minimise any damage resulting from the Personal Data Breach or unlawful Personal Data processing.

6.5 The Provider will not inform any third party of any Personal Data Breach without first obtaining the Customer's prior written consent, except when required to do so by law. This term does not affect the Customer’s ability to report any Personal Data Breach to a third party.

6.6 The Provider agrees that the Customer has the sole right to determine:

a) whether to provide notice of the Personal Data Breach to any Data Subjects, supervisory authorities, regulators, law enforcement agencies or others, as required by law or regulation or in the Customer's discretion, including the contents and delivery method of the notice; and

b) whether to offer any type of remedy to affected Data Subjects, including the nature and extent of such remedy.

6.7 The Provider will cover all reasonable expenses associated with the performance of its obligations under clause 6.2 and clause 6.4 unless the matter arose from the Customer's specific instructions, negligence, wilful default or breach of this Data Processing Schedule, in which case the Customer will cover all reasonable expenses of both parties.

7. Cross-Border Transfers Of Personal Data

7.1 If an adequate protection measure for the international transfer of Personal Data is required under applicable data protection legislation (and has not otherwise been arranged by the parties) the SCCs shall be incorporated into this Data Processing Schedule at Appendix B as if they had been set out in full.

7.2 The Customer consents to the Provider (and its subprocessors) transferring Personal Data outside the European Economic Area ("EEA"), provided that where such Processing occurs, the Provider:

a) is processing Personal Data in a territory which is subject to a current finding by the European Commission under the Data Protection Legislation that the territory provides adequate protection for the privacy rights of individuals; or

b) participates in a valid cross-border transfer mechanism under the Data Protection Legislation, so that the Provider (and, where appropriate, the Customer) can ensure that appropriate safeguards are in place to ensure an adequate level of protection with respect to the privacy rights of individuals as required by Article 46 of the General Data Protection Regulation ((EU) 2016/679). The Provider must identify in Appendix A the transfer mechanism that enables the parties to comply with these cross-border data transfer provisions and the Provider must immediately inform the Customer of any change to that status; or

c) ensures that the transfer otherwise complies with the Data Protection Legislation.

8. Subprocessors

8.1 The Provider may only authorise a third party (subprocessor) to process the Personal Data if:

a) the Customer is provided with an opportunity to object to (but not prevent) the appointment of each subprocessor within 10 days after the Provider supplies the Customer with full details regarding such subprocessor;

b) the Provider enters into a written contract with the subprocessor that contains terms similar to those set out in this Data Processing Schedule, in particular, in relation to requiring appropriate technical and organisational data security measures, and, upon the Customer's written request and at the Customer's expense, provides the Customer with copies of such contracts (subject to redaction of any confidential information);

c) the Provider maintains control over all Personal Data it entrusts to the subprocessor; and

d) the subprocessor will cease processing any Personal Data as a subprocessor for the Customer on termination of this Data Processing Schedule for any reason.

8.2 The Customer authorises the Provider to use subprocessors in the general categories of data storage, hosting (including data centres and providers of virtual software environments) and IT support. The subprocessors falling within these generally approved categories as well as any other subprocessors in use by the Provider as at the commencement of this Data Processing Schedule are as set out in Appendix A.

8.3 Where the subprocessor fails to fulfil its obligations under such written agreement, the Provider remains fully liable to the Customer for the subprocessor’s performance of its agreement obligations.

9. Complaints, Data Subject Requests And Third-Party Rights

9.1 The Provider must, at no additional cost, take such technical and organisational measures as may be appropriate, and promptly provide such information to the Customer as the Customer may reasonably require, to enable the Customer to comply with:

a) the rights of Data Subjects under the Data Protection Legislation, including subject access rights, the rights to rectify and erase personal data, object to the processing and automated processing of personal data, and restrict the processing of personal data; and

b) information or assessment notices served on the Customer by any supervisory authority under the Data Protection Legislation.

9.2 The Provider must notify the Customer immediately if it receives any complaint, notice or communication that relates directly or indirectly to the processing of the Personal Data or to either party's compliance with the Data Protection Legislation.

9.3 The Provider must notify the Customer without undue delay if it receives a request from a Data Subject for access to their Personal Data or to exercise any of their related rights under the Data Protection Legislation.

9.4 The Provider will give the Customer its full co-operation and assistance in responding to any complaint, notice, communication or Data Subject request.

9.5 The Provider must not disclose the Personal Data to any Data Subject or to a third party other than at the Customer's request or instruction, as provided for in this Data Processing Schedule or as required by law.

10. Term And Termination

10.1 This Data Processing Schedule will remain in full force and effect so long as:

a) the Terms and Conditions remain in effect; or

b) the Provider retains any Personal Data related to the Terms and Conditions in its possession or control ("Term").

10.2 Any provision of this Data Processing Schedule that expressly or by implication should come into or continue in force on or after termination of the Terms and Conditions in order to protect Personal Data will remain in full force and effect.

10.3 If a change in any Data Protection Legislation prevents either party from fulfilling all or part of its obligations under the Terms and Conditions, the parties will suspend the processing of Personal Data until that processing complies with the new requirements.

11. Data Return And Destruction

11.1 At the Customer's request, the Provider will give the Customer a copy of all of the Customer's Personal Data in its possession or control in a commonly accessible and electronic format determined by the Provider.

11.2 On termination of the Terms and Conditions for any reason or expiry of its term, the Provider will, within 30 days, securely delete or destroy or, if directed in writing by the Customer, return and not retain, all or any Personal Data related to this Data Processing Schedule in its possession or control. This requirement shall not apply to Personal Data which the Provider has archived on its backup systems which are not reasonably accessible, provided that such Personal Data is deleted promptly in the event such backups become reasonably accessible (such as by the Provider using those backups to restore its systems).

11.3 Clause 11.2 shall not apply to the extent any law, regulation, or government or regulatory body requires the Provider to retain any documents or materials that the Provider would otherwise be required to return or destroy.

12. Records

12.1 The Provider will keep detailed, accurate and up-to-date written records regarding any processing of Personal Data it carries out for the Customer, including but not limited to, the access, control and security of the Personal Data, approved subprocessors and affiliates, the processing purposes, categories of processing, any transfers of personal data to a third country and related safeguards, and a general description of the technical and organisational security measures referred to in clause 5.1 ("Records").

12.2 The Provider will ensure that the Records are sufficient to enable the Customer to verify the Provider’s compliance with its obligations under this Data Processing Schedule and the Provider will provide the Customer with copies of the Records upon request.

13. Audit

13.1 No more than once during any consecutive 12-month period, on request from the Customer, the Provider will carry out an audit (whether by itself or its third-party representatives) of its compliance with this Data Processing Schedule and provide the results to the Customer. The Customer shall be entitled to ask questions of the Provider related to compliance with Data Protection Legislation in advance of the audit, which the Provider shall use its reasonable endeavours to respond to adequately when providing the audit results.

13.2 On the Customer's written request and at the Customer’s cost, the Provider will exercise relevant audit rights it has in connection with its subprocessor’s compliance with their obligations regarding the Customer's Personal Data and provide the Customer with the audit results.

13.3 The audit rights set out at clauses 13.1 – 13.2 are the Customer's only contractual rights (and the Provider's only obligations) in connection with the auditing of the Provider's Processing of Personal Data, save that nothing in this Data Processing Schedule shall prevent or is intended to undermine the rights and powers granted to Data Subjects or Supervisory Authorities, and accordingly the Provider shall submit to any audits required by a Supervisory Authority or the Data Protection Legislation.

14. Variation

14.1 From time to time, the Provider may modify the Terms and Conditions and Schedules where reasonably necessary to comply with updated Data Protection Legislation and guidance. Any such variations will take effect immediately upon expiry of that notice and may apply retroactively.

Appendix A

Personal Data Processing Purposes And Details

1. Data Processing Purposes And Details

Subject matter of processing: Names and email addresses, along with other Personal Data our Customers may choose to add to the platform such as phone numbers, addresses and other contact details.

Duration of Processing: For the duration of the Term.

Nature of Processing: Storage, hosting and use.

Business Purposes: Provision of the services under the Terms and Conditions.

Personal Data Categories: Contact information.

Data Subject Types: Volunteers, supporters, employees and others involved in the Customer's projects who may use the platform.

The Provider's legal basis for Processing outside the EEA: Standard Contractual Clauses.

2. Approved Subprocessors

A list of subprocessors is made available and kept updated at: https://contracts.rightmarket.com/managed-service/subprocessors and https://contracts.roi360.co.uk/managed-service/subprocessors.

Appendix B

Standard Contractual Clauses & Supplementary Measures To Address Recommendations Of The European Data Protection Board In Connection With The Standard Contractual Clauses

1. Introduction To This Appendix B

1.1 Paragraph 2 of this Appendix B completes the template elements of the SCCs incorporated into this Appendix in full.

1.2 Paragraph 3 of this Appendix B reflects the Parties’ endeavours to address the recommendations of the European Data Protection Board in their public consultation document 01/2020, adopted on 10 November 2020 and entitled “measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data”.

2. Standard Contractual Clauses

Exporter contact details: Those of the Customer as set out in this agreement.

Importer contact details: Those of the Provider as set out in this agreement.

Governing Law (cl. 9 & 11): As set out in this agreement.

Appendix 1 of the Model Contract Clauses:

Data Exporter: The Customer.

Data Importer: The Provider.

Data Subjects: As set out in Appendix A of this Data Processing Schedule.

Categories of data: As set out in Appendix A of this Data Processing Schedule.

Special categories of data: As set out in Appendix A of this Data Processing Schedule.

Processing operations: As set out in Appendix A of this Data Processing Schedule.

Appendix 2 of the Model Contract Clauses:

Security Measures: As set out in Appendix C.

2.1 The illustrative indemnity set out in the Model Contract Clauses is deemed deleted.

2.2 Any replacement to the SCCs adopted in accordance with Article 93(2) of the GDPR shall supersede the SCCs incorporated into this Appendix, and this Appendix shall be interpreted so as to give full effect to such replacement SCCs.

3. Supplementary Measures Adopted To Address The European Data Protection Board's Recommendations

Challenges to information requests

3.1 In addition to the SCCs, in the event the Provider receives an order from any third party for compelled disclosure of any Personal Data it is Processing for the Customer, the Provider shall:

a) use every reasonable effort to redirect the third party to request data directly from the Customer;

b) promptly notify the Customer, unless prohibited under the law applicable to the requesting third party (and, if prohibited from notifying the Customer, use all lawful efforts at the Customer’s sole cost and expense to obtain the right to waive the prohibition in order to communicate as much information to the Customer) as soon as possible; and

c) use all lawful efforts at the Customer’s sole cost and expense to challenge the order for disclosure on the basis of any legal deficiencies under the laws of the requesting party or any relevant conflicts with the law of the European Union or applicable Member State law.

3.2 For purposes of paragraph 3.1 of this Appendix, lawful efforts means exercising the degree of skill and care, diligence, prudence and foresight which would reasonably and ordinarily be expected from a provider engaged in a similar type of undertaking under the same or similar circumstances and shall not include actions that would result in civil or criminal penalty such as contempt of court under the laws of the relevant jurisdiction.

Notification of Orders

3.3 In addition to the SCCs, the Provider shall at the Customer’s sole cost provide reasonable cooperation to the Customer in order for the Customer to inform Data Subjects about any legally binding order for disclosure of their Personal Data by an authority, unless:

a) providing such information proves impossible or unreasonable;

b) it can be reasonably expected that the Data Subject already has the information; or

c) such disclosure is otherwise legally prohibited (and in such case, paragraph 3.1 of this Appendix above shall apply).

Transparency Reporting

3.4 The Provider shall inform the Customer about access orders received from authorities concerning Personal Data Processed under this Data Processing Schedule, such information to consist at least of the number of orders, the nature of data demanded, the legal basis for such orders, and the identity of the ordering bodies, unless such information proves impossible for the Provider to provide, or the disclosure of such information is otherwise legally prohibited.

3.5 If the disclosure contemplated at paragraph 3.4 of this Appendix is legally prohibited, then paragraph 3.1 of this Appendix shall apply. The Provider shall distinguish between cases where copies of Personal Data are and are not requested. In its law enforcement transparency reporting, it shall provide additional details on the types of responses where it legally can do so, such as by providing information on the number of US demands versus demands from other countries.

Notification of Material Changes in applicable law

3.6 The Provider shall regularly review, assess and continuously monitor the scope of disclosures of Personal Data in response to the orders of law enforcement and other authorities it receives, as well as the safeguards and recourse in place to protect Data Subjects, and inform the Customer promptly if it becomes aware of a change in applicable law that would materially impact such access by authorities or recourse available to Data Subjects.

Duty to Cooperate

3.7 Upon reasonable request, the Provider shall provide the Customer with all information, documentation, and reasonable assistance as required to enable the Customer to comply with the requirements for the transfer of personal data to the Provider pursuant to Chapter V of the GDPR (including any mandatory requirements by competent regulators or the European Data Protection Board and relevant court decisions) taking into account the specific tasks and responsibilities of the Provider as a Processor in the context of the Processing to be carried out and the risk to the rights and freedoms of the Data Subjects pursuant to the Data Processing Schedule.

Appendix C

Security Measures

Details of the Provider's security measures are made available and kept updated at: https://contracts.rightmarket.com/managed-service/security-measures and https://contracts.roi360.co.uk/managed-service/security-measures.