Data Processing Agreement
Introduction
This Data Processing Agreement forms part of Agreement as defined in the Blocktype General Terms & Conditions.
This Data Processing Agreement is made by and between the parties to the Agreement, and is entered into upon acceptance of the Agreement.
In this Data Processing Agreement:
Agreement: has the meaning set out in the Blocktype General Terms & Conditions, of which this Data Processing Agreement forms part.
Controller: has the meaning ascribed to it in the Data Protection Legislation.
Customer: means the entity under the Agreement which has contracted with Blocktype for the provision of Services.
Data Protection Legislation: means all laws and regulations that are applicable to the Processing of Customer Personal Data in connection with the provision of the Services under the Agreement. “Data Protection Laws” may include, but not limited to, the California Consumer Privacy Act of 2018 (“CCPA”); the EU General Data Protection Regulation 2016/679 (“GDPR”) and its respective national implementing legislations; the United Kingdom General Data Protection Regulation (“UK GDPR”); and the United Kingdom Data Protection Act 2018 (in each case, as amended, adopted, or superseded from time to time)
Data Subject: has the meaning ascribed to it in the Data Protection Legislation.
Blocktype: means the entity under the Agreement providing services to the Customer.
Personal Data Breach has the meaning ascribed to it in the Data Protection Legislation.
Process/Processing: has the meaning ascribed to it in the Data Protection Legislation.
Processor: has the meaning ascribed to it in the Data Protection Legislation.
Standard Contractual Clauses: means the “2021 Standard Contractual Clauses,” defined as the clauses issued pursuant to the EU Commission Implementing Decision (EU) 2021/914 of June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, available at http://data.europa.eu/eli/dec_impl/2021/914/oj amended and updated from time to time).
Sub-processor: any further Processor appointed by Blocktype in connection with the Services.
Except where expressly stated otherwise in this Data Processing Agreement, terms defined in the Agreement shall have the same meaning when used in this Data Processing Agreement.
General Terms
1. Each party shall comply with its respective requirements under the Data Protection Legislation. The provisions of this Data Processing Agreement are in addition to, and do not relieve, remove or replace, a party's obligations under the Data Protection Legislation.
2. The parties acknowledge and agree that:
(a) where applicable, for the purposes of the Data Protection Legislation, the Customer is the Controller and Blocktype is the Processor;
(b) the subject-matter of the Processing is the Customer Personal Data;
(c) the duration of the Processing is the duration of the Agreement plus any period during which Blocktype continues to Process Customer Personal Data at the written request of the Customer or where required by applicable laws;
(d) the nature and purpose of the Processing is the use of the Customer Personal Data in the performance of the Services as envisaged by the Agreement (including, without limitation, in connection with services provided by Third Party Suppliers);
(e) the types of Personal Data which shall be Processed are data required for the use and/or performance of the Services including but not limited to:
(i) first and last name;
(ii) title;
(iii) position;
(iv) employer;
(v) contact information (company, email, phone, physical business address);
(vi) ID data;
(vii) professional life data;
(viii) connection data; and
(ix) localisation data.
(f) the categories of Data Subjects are:
(i) Authorised Users;
(ii) prospects, customers and business partners of the Customer (who are natural persons); and
(iii) employees or contact persons of the Customer's prospects, customers and business partners.
Data Processing Terms
1. Without prejudice to the generality of paragraph 2.1 of this Data Processing Agreement, Blocktype shall, in relation to any Customer Personal Data which is Processed in connection with the performance by Blocktype of its obligations under this Data Processing Agreement:
(a) process that Customer Personal Data only on the written instructions of the Customer (which shall be deemed to include the terms of this Data Processing Agreement), unless otherwise required by EU or Member State laws, in which case Blocktype shall inform the Customer prior to Processing, unless prohibited from doing so by EU or Member State laws;
(b) ensure that all Supplier personnel who Process any Customer Personal Data are obliged to keep the same confidential;
(c) ensure that it has in place appropriate technical and organisational measures to protect against unauthorised or unlawful Processing of Customer Personal Data and against accidental loss or destruction of, or damage to, Customer Personal Data, and that these measures are appropriate to the harm that might result from the unauthorised or unlawful Processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures;
(d) assist the Customer, at the Customer's cost, in responding to any request from a Data Subject to exercise rights under the Data Protection Legislation and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators;
(e) notify the Customer without unreasonable delay on becoming aware of a Personal Data Breach in relation to the Customer Personal Data;
(f) subject to any provision of the Agreement regarding the deletion or return of Customer Personal Data, and at the written direction of the Customer, delete or return Customer Personal Data and copies thereof to the Customer on termination of the Agreement unless required by EU or Member State laws to store the Customer Personal Data; and
(g) subject to and in accordance with any provision of the Agreement governing audit and access to records, make available to the Customer on request all information necessary to demonstrate compliance with the obligations in this paragraph 3, and allow for and contribute to audits, including inspections, conducted by the Customer or the Customer's designated auditor (provided always that audits shall be subject to reasonable prior notice, that the scope of the audit shall be agreed with Blocktype in advance, and that the audit shall be conducted at the Customer's own expense).
2. Blocktype shall inform the Customer if, in the Supplier's opinion, the Supplier's compliance with paragraph 3.1 (a) of this Data Processing Agreement would breach Data Protection Legislation. Blocktype shall be entitled to suspend execution of the instructions concerned, until the Customer's Data Protection Officer (or such other person notified in writing by the Customer to the Supplier) confirms in writing that such instructions are lawful and are to be followed.
3. The Customer specifically authorises the use by Blocktype of each of the Sub-processors listed below to this Data Processing Agreement, and generally authorises Blocktype to make changes to its use of Sub-processors (including by appointing new Sub-processors). The authorisations granted by the Customer are subject to the conditions of paragraph 3.4.
4. Blocktype shall:
(a) notify the Customer in advance of any change, thereby giving the Customer the opportunity to object to the change. Any such objections must be exercised without undue delay and on reasonable grounds;
(b) enter into written agreements with each Sub-processor which impose obligations on the Sub-processor which are consistent with the terms of this Data Processing Agreement; and
(c) remain liable for the acts or omissions of each Sub-processor, subject to clause 8 of the General Terms & Conditions.