Data Processing Agreement
This agreement forms a key part of our standard Terms & Conditions and is made between:
A. Campaign and Digital Intelligence Ltd (company registration number 07066939), a company registered in England and Wales, the registered office of which is at 47 Newton Street, Manchester, (CANDDi),
B. the natural person or legal entity who is being provided with visitor analytics services or any related services by CANDDi (the Client) and each a “Party” and together the “Parties”.
1. Definitions
1.1. Data Controller means a data controller or controller (as the case may be) as defined by the Data Protection Legislation (and ‘controller’ shall be construed accordingly).
1.2. Data Processing Agreement means this agreement.
1.3. Data Processor means a data processor or processor (as the case may be) as defined by the Data Protection Legislation (and ‘processor’ shall be construed accordingly).
1.4. Data Protection Legislation means the GDPR for as long as it is directly applicable in the United Kingdom and any national implementing laws, regulations and secondary legislation, as amended or updated from time to time, in the United Kingdom, and then any successor legislation to the GDPR or the Data Protection Act 1998.
1.5. Data Subject means a data subject as defined by the Data Protection Legislation.
1.6. GDPR means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
1.7. Personal Data means personal data as defined by the Data Protection Legislation.
1.8. Personal Data Breach means any actual or suspected breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.
2. General obligations
2.1. Both Parties shall comply with all applicable requirements of the Data Protection Legislation. This clause 2.1 is in addition to, and does not relieve, remove or replace, a Party’s obligations under the Data Protection Legislation.
2.2. The Parties acknowledge that for the purposes of the Data Protection Legislation and this Data Processing Agreement, the Client is the data controller and CANDDi is the data processor. The Schedule to this Data Processing Agreement sets out the scope, nature and purpose of processing by CANDDi, the duration of the processing and the types of Personal Data and categories of Data Subject.
2.3. Without prejudice to the generality of clause 2.1, the Client will ensure that it has, at all times:
2.3.1. a valid legal basis under the Data Protection Legislation for the processing of Personal Data under this Data Processing Agreement, including, without limitation, such processing by CANDDi as instructed or permitted by the Client under clause 3.1.1 and clause 3.2 of this Data Processing Agreement;
2.3.2. where required by law (for example, as required for the transmission by electronic means of direct marketing communications under the Privacy and Electronic Marketing Communications Regulations 2003), valid consent (under the Data Protection Legislation) for such processing; and
2.3.3. appropriate notices in place as required by the Data Protection Legislation to enable lawful transfer of Personal Data to CANDDi for the duration and purposes of this Data Processing Agreement.
2.4. CANDDi shall implement appropriate technical and organizational measures in such a manner that processing will meet the requirements of the GDPR and ensure the protection of the rights of the data subject.
2.5. CANDDi shall:
2.5.1. only process Personal Data in accordance with the documented instructions of Client (including to the extent necessary to provide the Services and to comply with its obligations under this Agreement);
2.5.2. inform the Client if, in CANDDi’s opinion, any of the Client’s instructions would breach Data Protection Laws; and
2.5.3. assist the Client with undertaking an assessment of the impact of processing that Personal Data, and with any consultations with a supervisory authority, if and to the extent an assessment or consultation is required to be carried out under Data Protection Laws.
3. Data Subject Rights
3.1. CANDDi shall:
3.1.1. implement appropriate technical and organizational measures for the fulfilment of the Client’s obligation to respond to requests by Data Subjects to exercise their rights of access, rectification or erasure, to restrict or object to processing of Personal Data, or to data portability; and
3.1.2. if a Data Subject makes a written request to CANDDi to exercise any of the rights referred to in clause 3.1.1, forward the request to the Client promptly and shall, upon the Client’s reasonable written request, provide the Client with all co-operation and assistance reasonably requested by the Client in relation to that request to enable the Client to respond to that request in compliance with applicable deadlines and information requirements.
4. Security measures:
4.1. CANDDi shall:
4.1.1 taking into account the state of the art, the costs of implementation and the nature, scope, context and purpose of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including the risk of unauthorized or unlawful processing of Personal Data, and of accidental or unlawful loss, alteration, unauthorized disclosure or destruction of, or damage to, Personal Data; and
4.1.2 notify the Client without undue delay after becoming aware of a Personal Data Breach, and upon the Client’s reasonable written request, provide the Client with all co-operation and assistance reasonably requested by the Client to enable the Client to notify the Personal Data Breach to the relevant supervisory authority and relevant Data Subject(s) (as applicable).
5. Sharing of personal data
5.1. The Client authorizes CANDDi to engage appropriate processors to carry out the processing of the Personal Data as envisaged under these GDPR Terms and Appendix
5.2. CANDDi shall:
5.2.1. save for those processors detailed in Appendix 1, not engage another processor without prior specific or general written authorization of the Client and in the case of general written authorization, inform the Client of any intended changes concerning the addition or replacement of other processors, thereby giving the Client the opportunity to object to such changes;
5.2.2. before disclosing Personal Data to any processor, enter into a contract with that processor under which the processor agrees to comply with obligations equivalent to those set out in these GDPR Terms; and
5.2.3. before disclosing Personal Data to any of its employees and representatives, and the employees and representatives of each of its processors, in each case who have access to the Personal Data, ensure that those persons:
5.2.3.1. have undergone appropriate training in data protection and the care and handling of Personal Data;
5.2.3.2. are bound to hold the information in confidence to at least the same standard as required under this Agreement (whether under a written agreement or otherwise).
6. Transfers of personal data
6.1. CANDDi shall:
6.1.1. not transfer Personal Data to, or process Personal Data in, any third country or territory without the prior written consent of The Client (which consent may be conditional upon CANDDi or the relevant third parties entering into an agreement containing similar terms to these GDPR Terms with Customer) unless (and for so long as):
6.1.1.1. there has been a European Community finding of adequacy pursuant to Article 25(6) of Directive 95/46/EC or, after 24 May 2018, Article 45 of the GDPR in respect of that country or territory
6.1.1.2. the transfer is to the United States to an importing entity that is a certified member of the EU-US Privacy Shield; or
6.1.1.3. The Client and the relevant importing entity are party to a contract in relation to the export of Personal Data incorporating standard contractual clauses in the form adopted by the European Commission under Decision 2010/87/EU or an equivalent data transfer agreement meeting the requirements of Data Protection Laws.
6.1.1.4. Where any mechanism for cross-border transfers of Personal Data is found by a supervisory authority, court of competent jurisdiction or other governmental authority to be an invalid means of complying with the restrictions on transferring Personal Data to a third country or territory as set out in Data Protection Laws, the parties shall act in good faith to agree the implementation of an alternatives solution to enable The Client to comply with the provisions of Data Protection Laws in respect of any such transfer.
7. Compliance
7.1. CANDDi shall:
7.1.1. notify the Client if it receives any complaint, notice or communication which relates directly or indirectly to the processing of Personal Data, or to either party’s compliance with Data Protection Laws, and shall fully co-operate and assist The Client in relation to any such complaint, notice, communication or non-compliance; and
7.1.2. upon Customer’s reasonable written request, provide all information necessary to demonstrate compliance with these GDPR Terms, and allow The Client or an auditor appointed by The Client to carry out audits, including inspections of facilities, equipment, documents and electronic data, relating to the processing of Personal Data by CANDDi or any processor, to verify compliance with these GDPR Terms.
8. Termination / expiry
8.1. CANDDi shall:
8.1.1. unless expressly stated otherwise in this Agreement, upon termination of this Agreement, CANDDi shall, and shall procure that each processor shall, immediately cease to use the Personal Data and shall, at Customer’s option, return the Personal Data to The Client or to a processor nominated by The Client or delete the Personal Data and all copies and extracts of the Personal Data unless required to retain a copy in accordance with any law of the European Union or any member state of the European Union; and
8.1.2. on expiry or termination of this Agreement (however arising) these GDPR Terms shall survive and continue in full force and effect.
9. Limitations and exclusion of liability
9.1. CANDDi excludes any and all liability to the Client to the maximum extent permitted by law.
9.2. In any event, the Data Processor’s total aggregate liability to the Client in any given calendar year shall not exceed an amount equal to fifty per cent. (50%) of any fees or charges paid by the Client to CANDDi for any Visitor Analytics service or other related service provided by CANDDi to the Client.
Appendix
Description of processing
The Personal Data transferred by the Client is processed by CANDDi to provide the Services pursuant to the Agreement. CANDDi is authorized to process the Client Personal Data for the duration of the Agreement.
Authorized Subprocessors
CANDDi makes available a full list of authorized Subprocessors and their country of location at here
The Client Personal Data
Data Subjects
The personal data transferred by The Client is determined and controlled by the Client, in its sole discretion, and includes the personal data of the end-users of Customer's website.
Data Categories
Types of personal data processed
- Names
- Age
- Address incl. postcode
- Email addresses
- Phone numbers
- Social Media profiles
- IP address
- Location (based on IP address)
- Browser type
- Operating system
Natural persons who use the visitor analytics or related services provided on the Client’s website(s) from time to time.
Special Categories of Personal Data
None — the personal data being processed by CANDDi does not include any Special Categories of Personal Data
Download Data Processing Agreement