The Data Processing Terms (“DPT”) that include the Standard Contractual Clauses adopted by the European Commission, as applicable, reflect the Parties’ agreement concerning the terms governing the Processing of Personal Data. The DPT are entered into by and between HelloPush Ltd (hereinafter referred to as the “Processor”) and any client of HelloPush Ltd (hereinafter referred to as the “Controller”). Processor and Controller are hereinafter jointly referred to as the “Parties” and individually as the “Party”.

Background:

1. The Controller processes Personal Data in connection with its business activities;
2. The Processor processes Personal Data on behalf of other businesses or organizations;
3. The Controller wishes to engage the services of the Processor to process Personal Data on its behalf.

1. Definitions and interpretation

Business Day:
a day other than a Saturday, Sunday, or public holiday in England when banks in London are open for business.

Data Protection Authority:
the relevant data protection authority is the Information Commissioner’s Office (ICO).

Data Protection Legislation:
means the Data Protection Act 2018 (DPA2018), the United Kingdom General Data Protection Regulation (UK GDPR), the Privacy and Electronic Communications (EC Directive) Regulations 2003, and any legislation implemented in connection with the aforementioned legislation. Where data is processed by a controller or processor established in the European Union or comprises the data of people in the European Union, it also includes the EU General Data Protection Regulation (EU GDPR). This includes any replacement legislation coming into effect from time to time.

Data Security Breach:
a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to the Shared Personal Data.

2. Scope

The purpose of the DPT is to describe the work to be carried out by the Processor in relation with the DPT. The DPT shall be deemed to take effect from the effective date and shall continue in full force and effect until their termination.

3. Processing of the personal data

3.1 The Processor agrees to process the Personal Data only in accordance with Data Protection Legislation.

3.2 Both Parties will comply with all applicable requirements of the Data Protection Legislation. This clause is in addition to and does not relieve, remove, or replace, a Party’s obligations or rights under the Data Protection Legislation. In this clause 3, Applicable Laws means (for so long as and to the extent that they apply to either party) the law of the European Union, the law of any member state of the European Union and/or UK Law;

3,3 The Parties acknowledge that the Processor may process Personal Data on behalf of the Controller during the term of the DPT. A description of the Personal Data and the processing activities undertaken by the Processor is set out in Appendix 1.

3.4 To the extent that the Processor processes Personal Data on behalf of the Controller in connection with the DPT, the Processor shall:

3.4.1 Solely process the Personal Data for the purposes of fulfilling its obligations under the DPT and in compliance with the Controller’s written instructions as set out in the DPT and as may be specified from time to time in writing by the Controller;

3.4.2 Notify the Controller immediately if any instructions of the Controller relating to the processing of Personal Data are unlawful;

3.4.3 Maintain a record of its processing activities in accordance with Article 30(1) of the GDPR;

3.4.4 Assist the Controller in ensuring compliance with the obligations set out in Articles 32 to 36 of the GDPR taking into account the nature of the data processing undertaken by the Processor and the information available to the Processor, including (without limitation):

3.4.4.1 Sub-Processors

1. Not engage with any Sub-Processor/Sub-Contractor to carry out any processing of Personal Data without the prior written consent of the Controller (such consent not to be unreasonably withheld), provided that notwithstanding any such consent the Processor shall remain liable for compliance with all of the requirements of the DPT including in relation to the processing of Personal Data;
2. The Controller gives the Processor general authorisation to replace any of its Sub-Processors or to add a new Sub-Processor. However, before any such replacement or addition, the Processor shall inform the Controller of any intended changes concerning the addition or replacement of Sub-Processors, thereby giving the Controller the opportunity to object to such changes. If no objection is raised within 30 days, the proposed replacement or addition will be considered accepted. If an objection is raised, and the Parties do not reach an agreement within 30 days from the day the objection is raised, the Processor shall have the right to proceed with the proposed addition or replacement, and the Controller shall have the right to terminate the DPT forthwith at no cost and with no need to provide notice.
3. Ensure that obligations equivalent to the obligations set out in this clause 3 are included in all contracts between the Processor and permitted Sub-Contractors who will be processing Personal Data;
4. Ensure that its Sub-Processor/Sub-Contractors shall not transfer to or access any Personal Data from a Country outside of the European Economic Area without the prior written consent of the Controller;

3.4.4.2 International Data Transfers

The Processor shall comply with the Controller’s instructions in relation to transfers of Personal Data to a Country outside of the European Economic Area unless the Processor is required, pursuant to Applicable Laws, to transfer Personal Data outside the European Economic Area, in which case the Processor shall inform the Controller in writing of the relevant legal requirement before any such transfer occurs, unless the relevant law prohibits such notification on important grounds of public interest;

3.4.4.3 Staff Confidentiality

The Processor shall ensure that any persons used by the Processor to process Personal Data are subject to legally binding obligations of confidentiality in relation to the Personal Data and shall ensure that only such persons used by it to provide the Services have undergone training in Data Protection and in the care and handling of Personal Data;

3.4.4.4 Security Measures

The Processor shall take appropriate technical and organisational measures against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of or damage to Personal Data taking into account the harm that might result from such unauthorised or unlawful processing, loss, destruction or damage and the nature of the Personal Data to be protected including without limitation, all such measures that may be required to ensure compliance with Article 32 of the GDPR;

3.4.4.5 Data Subject Rights

1. The Processor shall promptly notify the Controller if it receives a request from a Data Subject (Data Subject Access Request) under any Data Protection Legislation in respect of Personal Data; and
2. Ensure that it does not respond to that request except on the documented instructions of the Controller or as required by applicable Data Protection Legislation to which the Processor is subject, in which case the Processor shall to the extent permitted by applicable Data Protection Legislation inform the Controller of that legal requirement before the Processor responds to the request; and
3. Taking into account the nature of the data processing activities undertaken by the Processor, provide all possible assistance and cooperation (including without limitation putting in place appropriate technical and organisational measures) to enable the Controller to fulfil its obligations to respond to requests from individuals exercising their rights under the Data Protection Legislation;

3.4.4.6 Data Breaches

The Processor shall provide information and assistance upon request to enable the Controller to notify Data Security Breaches to the Information Commissioner and / or to affected individuals and / or to any other regulators to whom the Controller is required to notify any Data Security Breaches;

3.4.4.7 Data Protection Impact Assessments

The Processor shall provide input into and carry out Data Protection Impact Assessments in relation to the Processor’s data processing activities;

3.4.4.8 Deletion or Return of Data

Upon termination of the DPT, at the choice of the Controller, the Processor shall delete securely or return all Personal Data to the Controller and delete all existing copies of the Personal Data unless and to the extent that the Processor is required to retain copies of the Personal Data in accordance with Applicable Laws in which case the Processor shall notify the Controller in writing of the Applicable Laws which require the Personal Data to be retained;

3.4.4.9 Audits

The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations set out in this clause 3 and allow for and contribute to audits, including inspections, conducted by or on behalf of the Controller or by the Information Commissioners Office (ICO) pursuant to Article 58(1) of the GDPR.

3.4.5 The Processor shall not transfer any Personal Data outside of the European Economic Area and/or the UK unless the prior written consent of the Controller has been obtained and the following conditions are fulfilled:

1. the Controller or the Processor has provided appropriate safeguards in relation to the transfer;
2. the Data Subject has enforceable rights and effective legal remedies;
3. the Processor complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred; and
4. the Processor complies with reasonable instructions notified to it in advance by the Controller with respect to the processing of the Personal Data.

4. General terms

4.1 Breach Identification and Notification

The Processor shall notify the Controller without undue delay (and in any event within 72 hours) of becoming aware of a breach if:

4.1.1 the Processor or any Sub-Contractor engaged by, or on behalf of, the Processor suffers a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data; or

4.1.2 the Processor or any Sub-Contractor engaged by, or on behalf of, the Processor receives any data security breach notification, complaint, notice or communication which relates directly or indirectly to the processing of the Personal Data or to either Party’s compliance with the Data Protection Legislation.

In each case, the Processor shall provide full cooperation, information, and assistance to the Controller concerning any such data security breach, compliance notice, or communication.

4.2 Access

Upon request the Processor shall allow the Controller, the ICO, and its representatives access to the Processor’s premises, records, and personnel to assess the Processor’s compliance with its obligations under the DPT.

4.3 Confidentiality

Each Party must keep the DPT and information it receives about the other Party and its business in connection with the DPT (“Confidential Information”) confidential and must not use or disclose that Confidential Information without the prior written consent of the other Party except to the extent that:

1. disclosure is required by law;
2. the relevant information is already in the public domain.

5. Governing law and jurisdiction

The DPT is governed by the laws of England and Wales. The DPT and any dispute or claim arising out of or in connection with it or its subject matter or formation (including non-contractual disputes or claims) is governed by and shall be construed and interpreted in accordance with the laws of England and Wales, and the Parties irrevocably submit to the exclusive jurisdiction of the Courts of England and Wales.

Termination

5.1 Either Party, at its sole discretion, may terminate the DPT in writing (with email sufficing) at any time and for any or no reason with a 30-day notice period.

5.2 On termination of the DPT for whatever reason, the Processor shall cease to process the Personal Data and Confidential Information and shall arrange for the prompt and safe return of all of the Personal Data and Confidential Information, processed under the terms of the DPT to the Controller, together with all copies of the Personal Data in its possession or control or that of its agents or contractors, within such time and by such secure means as the Controller shall provide for in writing at the time of termination of the DPT.

5.3 Termination of the DPT shall not affect any rights or obligations of either Party which have accrued prior to the date of termination and all provisions which are expressed to, or do by implication, survive the termination of the DPT shall remain in full force and effect.

6. Notices

All notices required under the DPT shall be deemed sufficient if in writing and delivered personally (with an initially dated receipt), by registered mail, or by email.

Any such notice will be deemed to have been delivered:

1. when delivered if delivered personally or by registered mail; or
2. on the next Business Day when sent by email.

The Parties undertake to give notice of any changes in their contact information, by observing the procedures set forth herein.

APPENDIX 1: Data Processing Activities

Description of data

This Appendix 1 includes the processing activities carried out by the Processor as required by Article 28(3) GDPR.

These are as follows:

• Website URLs visited by push notification subscriber
• Time spent by push notification subscriber on website URLs
• Push notification subscriber’s device type

Categories of data subjects

The Controller has defined the following Data Subject categories from whom the Personal Data as defined above will be collected:

• Customers
  
  

Lawful basis of data processing

The Controller has determined the following lawful basis to process personal data under the Data Protection Act 2018/GDPR 2016:

• Consent of the Data Subjects

Processing activities

The Processor will carry out the following activities and utilize the Sub-Contractor(s) stated: