This DPA is entered into between us and the Customer and is incorporated into and governed by the Customer Terms and Conditions.
1. Definitions and Interpretation
Any capitalised term not defined in this DPA shall have the meaning given to it in the Customer Terms and Conditions.
"Customer Terms" means the agreement between Us and the Customer for the provision of the Services;
"Controller" means the Customer;
"Data Subject" shall have the same meaning as in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 (as amended from time to time, or replaced by subsequent legislation);
"Personal Data" shall have the same meaning as in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 (as amended from time to time, or replaced by subsequent legislation);
"DPA" means this data processing agreement;
"Processor" means Us;
"Standard Contractual Clauses" means the EU model clauses for Personal Data transfer from controllers to processors c2010-593 - Decision 2010/87EU;
"Subsidiary" means any entity that directly or indirectly controls, is controlled by, or is under common control of a party.
“Control,” for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of a party;
"Sub-Processor" means a sub-processor appointed by the Data Processor to process the Personal Data;
"We/Us/Our" means Invoco Ltd, a limited company registered in England under company number 04465219, whose registered address is 11 Avalon Road, Bromsgrove, Worcestershire, B60 2RJ, and whose main trading address is Invoco Ltd, Unit 6 Greenbox, Westonhall Road, Stoke Prior, Worcestershire, B60 4AL.
2. Scope and Application of this Agreement
2.1 The provisions of the Agreement shall apply to the processing of the Personal Data, carried out for the Controller by Us, and to all Personal Data held by Us in relation to all such processing whether such Personal Data is held at the date of this Agreement or received afterwards.
2.2 The provisions of this Agreement supersede any other arrangement, understanding, or agreement made between the Parties at any time relating to the Personal Data.
2.3 This Agreement shall continue in full force and effect for so long as We are processing Personal Data on behalf of the Controller, and thereafter as provided in Clause 9.
3. Provision of the Services and Processing Personal Data
We are only to carry out the Services, and only to process the Personal Data received from the Controller:
3.1 for the purposes of those Services and not for any other purpose;
3.2 to the extent and in such a manner as is necessary for those purposes; and
3.3 strictly in accordance with the express written authorisation and instructions of the Controller (which may be specific instructions or instructions of a general nature or as otherwise notified by the Controller to Us).
4. Data Protection Compliance
4.1 All instructions given by the Controller to the Us shall be made in writing and shall at all times be in compliance with the GDPR and other applicable laws. We shall act only on such written instructions from the Controller unless the We are required by law to do otherwise (as per Article 29 of the GDPR).
4.2 We shall promptly comply with any request from the Controller requiring Us to amend, transfer, delete, or otherwise dispose of the Personal Data.
4.3 We shall transfer all Personal Data to the Controller at the Controller’s request in the formats, at the times, and in compliance with the Controller’s written instructions.
4.4 Both Parties shall comply at all times with the GDPR and other applicable laws and shall not perform their obligations under this Agreement or any other agreement or arrangement between themselves in such way as to cause either Party to breach any of its applicable obligations under the GDPR.
4.5 The Controller hereby warrants, represents, and undertakes that the Personal Data shall comply with the GDPR in all respects including, but not limited to, its collection, holding, and processing.
4.6 We agree to comply with any reasonable measures required by the Controller to ensure that its obligations under this Agreement are satisfactorily performed in accordance with any and all applicable legislation from time to time in force (including, but not limited to, the GDPR) and any best practice guidance issued by the ICO.
4.7 We shall provide all reasonable assistance to the Controller in complying with its obligations under the GDPR with respect to the security of processing, the notification of personal data breaches, the conduct of data protection impact assessments, and in dealings with the ICO.
4.8 When processing the Personal Data on behalf of the Controller, We shall:
4.8.1 process data within the European Economic Area ("the EEA") (The EEA consists of all EU member states, plus Norway, Iceland, and Liechtenstein) or with certain SaaS providers outside of the EEA who comply with EU data export restrictions and fully comply with GDPR.
4.8.2 not transfer any of the Personal Data to any third party without the written consent of the Controller and, in the event of such consent, the Personal Data shall be transferred strictly subject to the terms of a suitable agreement, as set out in Clause 10;
4.8.3 process the Personal Data only to the extent, and in such manner, as is necessary in order to comply with its obligations to the Controller or as may be required by law (in which case, We shall inform the Controller of the legal requirement in question before processing the Personal Data for that purpose unless prohibited from doing so by law);
4.8.4 implement appropriate technical and organisational measures and take all steps necessary to protect the Personal Data against unauthorised or unlawful processing, accidental loss, destruction, damage, alteration, or disclosure.
4.8.5 if so requested by the Controller (and within the timescales required by the Controller) supply further details of the technical and organisational systems in place to safeguard the security of the Personal Data held and to prevent unauthorised access;
4.8.6 make available to the Controller any and all such information as is reasonably required and necessary to demonstrate Our compliance with the GDPR;
4.8.7 on reasonable prior notice which shall not be less than 4 weeks and at the Controller’s cost (based on reasonable time and costs), submit to audits and inspections and provide the Controller with any information reasonably required in order to assess and verify compliance with the provisions of this Agreement and both Parties’ compliance with the requirements of the GDPR. The requirement to give notice will not apply if the Controller believes that We are in breach of any of its obligations under this Agreement or under the law; and
4.8.8 inform the Controller immediately if it is asked to do anything that infringes the GDPR or any other applicable data protection legislation.
5. Data Subject Access, Complaints and Breaches
5.1 We shall, at the Controller’s cost, assist the Controller in complying with its obligations under the GDPR. In particular, the following shall apply to data subject access requests, complaints, and data breaches.
5.2 We shall notify the Controller without undue delay if it receives:
5.2.1 a subject access request from a data subject; or
5.2.2 any other complaint or request relating to the processing of the Personal Data.
5.3 We shall, at the Controller’s cost, cooperate fully with the Controller and assist as required in relation to any subject access request, complaint, or other request, including by:
5.3.1 providing the Controller with full details of the complaint or request;
5.3.2 providing the necessary information and assistance in order to comply with a subject access request;
5.3.3 providing the Controller with any Personal Data it holds in relation to a data subject (within the timescales required by the Controller); and
5.3.4 providing the Controller with any other information requested by the Controller.
5.4 We shall notify the Controller immediately if it becomes aware of any form of Personal Data breach, including any unauthorised or unlawful processing, loss of, damage to, or destruction of any of the Personal Data.
6. Appointment of a Data Protection Officer
6.1 We have appointed a Data Protection Officer in accordance with Article 37 of the GDPR. Our Data Protection Officer is Jeremy Strong, and can be contacted by email at email@example.com, by telephone on 01527 306 000, or by post at Invoco Ltd, Unit 6 Greenbox, Westonhall Road, Stoke Prior, Worcestershire, B60 4AL.
7. Liability and Indemnity
7.1 The Controller shall be liable for, and shall indemnify (and keep indemnified) Us in respect of any and all action, proceeding, liability, cost, claim, loss, expense (including reasonable legal fees and payments on a solicitor and client basis), or demand suffered or incurred by, awarded against, or agreed to be paid by, Us and any Sub-Processor arising directly or in connection with:
7.1.1 any non-compliance by the Controller with the GDPR or other applicable legislation;
7.1.2 any Personal Data processing carried out by Us or the Sub-Processor in accordance with instructions given by the Controller that infringe the GDPR or other applicable legislation; or
7.1.3 7.1.3 any breach by the Controller of its obligations under this Agreement,
7.2 The Controller shall not be entitled to claim back from Us or Sub-Processor any sums paid in compensation by the Controller in respect of any damage to the extent that the Controller is liable to indemnify Us or Sub-Processor under sub-Clause 7.1.
7.3 Nothing in this Agreement (and in particular, this Clause 7) shall relieve either Party of, or otherwise affect, the liability of either Party to any data subject, or for any other breach of that Party’s direct obligations under the GDPR. Furthermore, We hereby acknowledge that We shall remain subject to the authority of the ICO and shall co-operate fully therewith, as required, and that failure to comply with its obligations as a data processor under the GDPR may render Us subject to the fines, penalties, and compensation requirements set out in the GDPR.
6.6 We do not keep your personal data for any longer than is necessary in light of the reason(s) for which it was first collected.
8. Intellectual Property Rights
All copyright, database rights, and other intellectual property rights subsisting in the Personal Data (including but not limited to any updates, amendments, or adaptations to the Personal Data made by either the Controller or Us) shall belong to the Controller or to any other applicable third party from whom the Controller has obtained the Personal Data under licence (including, but not limited to, data subjects, where applicable). We are licensed to use such Personal Data under such rights only for the purposes of the Services, and in accordance with this Agreement.
9.1 We shall maintain the Personal Data in confidence, and in particular, unless the Controller has given written consent for Us to do so, We shall not disclose any Personal Data supplied Us by, for, or on behalf of, the Controller to any third party. We shall not process or make any use of any Personal Data supplied to Us by the Controller otherwise than in connection with the provision of the Services to the Controller.
9.2 We shall ensure that all personnel who are to access and/or process any of the Personal Data are contractually obliged to keep the Personal Data confidential.
9.3 The obligations set out in in this Clause 9 shall continue for a period of 12 months after the cessation of the provision of Services by Us to the Controller.
9.4 Nothing in this Agreement shall prevent either Party from complying with any requirement to disclose Personal Data where such disclosure is required by law. In such cases, the Party required to disclose shall notify the other Party of the disclosure requirements prior to disclosure, unless such notification is prohibited by law.
10. Appointment of Sub-Processors
10.1 The Controller acknowledges and agrees that We may engage Sub-Processors in connection with the provision of the Services.
10.2 In the event that We appoint a Sub-Processor, We shall:
10.2.1 enter into a Sub-Processing Agreement with the Sub-Processor which shall impose upon the Sub-Processor the same obligations as are imposed upon Us by this Agreement and which shall permit both Us and the Controller to enforce those obligations; and
10.2.2 ensure that the Sub-Processor complies fully with its obligations under the Sub-Processing Agreement and the GDPR.
10.3 In the event that a Sub-Processor fails to meet its obligations under any Sub-Processing Agreement, We shall remain fully liable to the Controller for failing to meet its obligations under this Agreement.
11. Deletion and/or Disposal of Personal Data
11.1 We shall, at the written request of the Controller, delete (or otherwise dispose of) the Personal Data or return it to the Controller in the format(s) reasonably requested by the Controller within a reasonable time
11.2 Following the deletion, disposal, or return of the Personal Data under sub-Clause 11.1, We shall delete (or otherwise dispose of) all further copies of the Personal Data that We hold, unless retention of such copies is required by law.
12. Law and Jurisdiction
12.1 This Agreement (including any non-contractual matters and obligations arising therefrom or associated therewith) shall be governed by, and construed in accordance with, the laws of England and Wales.
12.2 Any dispute, controversy, proceedings or claim between the Parties relating to this Agreement (including any non-contractual matters and obligations arising therefrom or associated therewith) shall fall within the jurisdiction of the courts of England and Wales.
13. Changes to Our Data Processing Agreement
We may change this Data Processing Agreement from time to time (for example, if the law changes). Any changes will be immediately posted on our site, www.invoco.net/data-processing-agreement and you will be deemed to have accepted the terms of the Data Processing Agreement on your first use of our site following the alterations. We recommend that you check this page regularly to keep up-to-date.