The Data Processing Terms (“DPT”) that include the Standard Contractual Clauses adopted by the European Commission, as applicable, reflect the Parties’ agreement concerning the terms governing the Processing of Personal Data. The DPT are entered into by and between HelloPush Ltd (hereinafter referred to as the “Processor”) and any client of HelloPush Ltd (hereinafter referred to as the “Controller”). Processor and Controller are hereinafter jointly referred to as the “Parties” and individually as the “Party”.
a day other than a Saturday, Sunday, or public holiday in England when banks in London are open for business.
Data Protection Authority:
the relevant data protection authority is the Information Commissioner’s Office (ICO).
Data Protection Legislation:
means the Data Protection Act 2018 (DPA2018), the United Kingdom General Data Protection Regulation (UK GDPR), the Privacy and Electronic Communications (EC Directive) Regulations 2003, and any legislation implemented in connection with the aforementioned legislation. Where data is processed by a controller or processor established in the European Union or comprises the data of people in the European Union, it also includes the EU General Data Protection Regulation (EU GDPR). This includes any replacement legislation coming into effect from time to time.
Data Security Breach:
a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to the Shared Personal Data.
The purpose of the DPT is to describe the work to be carried out by the Processor in relation with the DPT. The DPT shall be deemed to take effect from the effective date and shall continue in full force and effect until their termination.
3.1 The Processor agrees to process the Personal Data only in accordance with Data Protection Legislation.
3.2 Both Parties will comply with all applicable requirements of the Data Protection Legislation. This clause is in addition to and does not relieve, remove, or replace, a Party’s obligations or rights under the Data Protection Legislation. In this clause 3, Applicable Laws means (for so long as and to the extent that they apply to either party) the law of the European Union, the law of any member state of the European Union and/or UK Law;
3,3 The Parties acknowledge that the Processor may process Personal Data on behalf of the Controller during the term of the DPT. A description of the Personal Data and the processing activities undertaken by the Processor is set out in Appendix 1.
3.4 To the extent that the Processor processes Personal Data on behalf of the Controller in connection with the DPT, the Processor shall:
3.4.1 Solely process the Personal Data for the purposes of fulfilling its obligations under the DPT and in compliance with the Controller’s written instructions as set out in the DPT and as may be specified from time to time in writing by the Controller;
3.4.2 Notify the Controller immediately if any instructions of the Controller relating to the processing of Personal Data are unlawful;
3.4.3 Maintain a record of its processing activities in accordance with Article 30(1) of the GDPR;
3.4.4 Assist the Controller in ensuring compliance with the obligations set out in Articles 32 to 36 of the GDPR taking into account the nature of the data processing undertaken by the Processor and the information available to the Processor, including (without limitation):
22.214.171.124 International Data Transfers
The Processor shall comply with the Controller’s instructions in relation to transfers of Personal Data to a Country outside of the European Economic Area unless the Processor is required, pursuant to Applicable Laws, to transfer Personal Data outside the European Economic Area, in which case the Processor shall inform the Controller in writing of the relevant legal requirement before any such transfer occurs, unless the relevant law prohibits such notification on important grounds of public interest;
126.96.36.199 Staff Confidentiality
The Processor shall ensure that any persons used by the Processor to process Personal Data are subject to legally binding obligations of confidentiality in relation to the Personal Data and shall ensure that only such persons used by it to provide the Services have undergone training in Data Protection and in the care and handling of Personal Data;
188.8.131.52 Security Measures
The Processor shall take appropriate technical and organisational measures against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of or damage to Personal Data taking into account the harm that might result from such unauthorised or unlawful processing, loss, destruction or damage and the nature of the Personal Data to be protected including without limitation, all such measures that may be required to ensure compliance with Article 32 of the GDPR;
184.108.40.206 Data Subject Rights
220.127.116.11 Data Breaches
The Processor shall provide information and assistance upon request to enable the Controller to notify Data Security Breaches to the Information Commissioner and / or to affected individuals and / or to any other regulators to whom the Controller is required to notify any Data Security Breaches;
18.104.22.168 Data Protection Impact Assessments
The Processor shall provide input into and carry out Data Protection Impact Assessments in relation to the Processor’s data processing activities;
22.214.171.124 Deletion or Return of Data
Upon termination of the DPT, at the choice of the Controller, the Processor shall delete securely or return all Personal Data to the Controller and delete all existing copies of the Personal Data unless and to the extent that the Processor is required to retain copies of the Personal Data in accordance with Applicable Laws in which case the Processor shall notify the Controller in writing of the Applicable Laws which require the Personal Data to be retained;
The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations set out in this clause 3 and allow for and contribute to audits, including inspections, conducted by or on behalf of the Controller or by the Information Commissioners Office (ICO) pursuant to Article 58(1) of the GDPR.
3.4.5 The Processor shall not transfer any Personal Data outside of the European Economic Area and/or the UK unless the prior written consent of the Controller has been obtained and the following conditions are fulfilled:
4.1 Breach Identification and Notification
The Processor shall notify the Controller without undue delay (and in any event within 72 hours) of becoming aware of a breach if:
4.1.1 the Processor or any Sub-Contractor engaged by, or on behalf of, the Processor suffers a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data; or
4.1.2 the Processor or any Sub-Contractor engaged by, or on behalf of, the Processor receives any data security breach notification, complaint, notice or communication which relates directly or indirectly to the processing of the Personal Data or to either Party’s compliance with the Data Protection Legislation.
In each case, the Processor shall provide full cooperation, information, and assistance to the Controller concerning any such data security breach, compliance notice, or communication.
Upon request the Processor shall allow the Controller, the ICO, and its representatives access to the Processor’s premises, records, and personnel to assess the Processor’s compliance with its obligations under the DPT.
Each Party must keep the DPT and information it receives about the other Party and its business in connection with the DPT (“Confidential Information”) confidential and must not use or disclose that Confidential Information without the prior written consent of the other Party except to the extent that:
The DPT is governed by the laws of England and Wales. The DPT and any dispute or claim arising out of or in connection with it or its subject matter or formation (including non-contractual disputes or claims) is governed by and shall be construed and interpreted in accordance with the laws of England and Wales, and the Parties irrevocably submit to the exclusive jurisdiction of the Courts of England and Wales.
5.1 Either Party, at its sole discretion, may terminate the DPT in writing (with email sufficing) at any time and for any or no reason with a 30-day notice period.
5.2 On termination of the DPT for whatever reason, the Processor shall cease to process the Personal Data and Confidential Information and shall arrange for the prompt and safe return of all of the Personal Data and Confidential Information, processed under the terms of the DPT to the Controller, together with all copies of the Personal Data in its possession or control or that of its agents or contractors, within such time and by such secure means as the Controller shall provide for in writing at the time of termination of the DPT.
5.3 Termination of the DPT shall not affect any rights or obligations of either Party which have accrued prior to the date of termination and all provisions which are expressed to, or do by implication, survive the termination of the DPT shall remain in full force and effect.
All notices required under the DPT shall be deemed sufficient if in writing and delivered personally (with an initially dated receipt), by registered mail, or by email.
Any such notice will be deemed to have been delivered:
The Parties undertake to give notice of any changes in their contact information, by observing the procedures set forth herein.
This Appendix 1 includes the processing activities carried out by the Processor as required by Article 28(3) GDPR.
These are as follows:
The Controller has defined the following Data Subject categories from whom the Personal Data as defined above will be collected:
The Controller has determined the following lawful basis to process personal data under the Data Protection Act 2018/GDPR 2016:
The Processor will carry out the following activities and utilize the Sub-Contractor(s) stated:
Name of Sub-Contractor
Amazon Web Services Emea Sarl, Norwegian Branch
Data Processing & Storage
c/o Kvale Advokatfirma DA Postboks 1752 Vika
0122 Oslo, Norway
You only pay a commission for visitors who convert after clicking on our notifications
Start growing your push conversions today