This Data Processing Addendum applies wherever BDQ acts as a data processor with respect to Personal Data supplied or made available to BDQ by or on behalf of the Customer. It should be read in conjunction with the General T&Cs or other applicable BDQ terms and conditions.
1. Definitions
1.1 In this DPA:
"BDQ" means Business Data Quality Limited, a company incorporated in England and Wales (registration number 04497196) having its registered office at Leytonstone House, 3 Hanbury Drive, Leytonstone, London E11 1GA;
"Customer" means BDQ's customer for Services;
"Customer Personal Data" means any Personal Data that is processed by BDQ on behalf of the Customer under or in relation to an Order; this shall exclude Personal Data with respect to which BDQ acts as a controller, such as Personal Data stored and used by BDQ in order to communicate with the Customer and/or to manage projects on behalf of the Customer;
"Data Protection Laws" means the EU GDPR and the UK GDPR and all other applicable laws relating to the processing of Personal Data;
"DPA" means this data processing addendum, as it may be updated from time to time in accordance with the General T&Cs or other applicable BDQ terms and conditions;
"EU GDPR" means the General Data Protection Regulation (Regulation (EU) 2016/679) and all other EU laws regulating the processing of Personal Data, as such laws may be updated, amended and superseded from time to time;
"General T&Cs" means the general terms and conditions of BDQ available at http://www.bdq.cloud/legal/general-terms-conditions, in the form current as at the date of the relevant Order, subject to variations in accordance with their terms;
"Order" means an order signed or otherwise agreed by or on behalf of each of the parties setting out the particulars of the Services;
"Personal Data" means personal data under any of the Data Protection Laws;
"Service Providers' Page" means https://www.bdq.cloud/legal/service-providers;
"Services" means the services provided or to be provided by BDQ to the Customer under the Order; and
"UK GDPR" means the EU GDPR as transposed into UK law (including by the Data Protection Act 2018 and the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019) and all other UK laws regulating the processing of Personal Data, as such laws may be updated, amended and superseded from time to time.
2. Compliance with Data Protection Laws
2.1 Each party shall comply with the Data Protection Laws with respect to the processing of the Customer Personal Data.
2.2 The Customer warrants to BDQ that it has the legal right to disclose all Personal Data that it does in fact disclose to BDQ under or in connection with any Order.
3. Scope of processing
3.1 The Customer shall only supply to BDQ, and BDQ shall only process, Personal Data falling into the following categories:
(a) if BDQ is providing migration or backup services, then any Personal Data that is held in the relevant databases, which may include names, user account information and other information relating to the users of the relevant system;
(b) if BDQ is providing hosted or cloud software services, then any Personal Data relating to individual users of those services (but excluding information used by BDQ to manage its customer relationships); and
(c) in any case, Personal Data falling within any categories specified in the relevant Order or such other categories as may be agreed by the parties in writing.
3.2 BDQ shall only process the Customer Personal Data for the purposes of providing the Services, performing its other obligations under the applicable Order and communicating with the Customer, along with any other purposes specified in the applicable Order.
3.3 BDQ shall only process the Customer Personal Data on the documented instructions of the Customer (including with regard to transfers of the Customer Personal Data to a third country under the Data Protection Laws), as set out in the applicable Order, this DPA, the General T&Cs or any other document agreed by the parties in writing.
3.4 BDQ shall promptly inform the Customer if, in the opinion of BDQ, an instruction of the Customer relating to the processing of the Customer Personal Data infringes the Data Protection Laws.
3.5 Notwithstanding any other provision of this DPA, BDQ may process the Customer Personal Data if and to the extent that BDQ is required to do so by applicable law. In such a case, BDQ shall inform the Customer of the legal requirement before processing, unless that law prohibits such information on important grounds of public interest.
4. Duration of processing
4.1 BDQ shall only process the Customer Personal Data for the following periods:
(a) if BDQ is providing migration or backup services, then during the provision of those services and for a period of up to 1 month following the completion of those services;
(b) if BDQ is providing hosted or cloud software services, then during the period in which the relevant customer account is live on the services, and for a period of up to 3 months following the end of that period; and
(c) in any other case and unless specified otherwise in the relevant Order, during the subsistence of the relevant Order and for not more than 90 days following the end of that period,
subject to the other provisions of this DPA.
4.2 BDQ shall, at the choice of the Customer, delete or return all of the Customer Personal Data to the Customer after the provision of services relating to the processing, and shall delete existing copies save to the extent that applicable law requires storage of the relevant Personal Data.
5. Confidentiality and security
5.1 BDQ shall ensure that persons authorised to process the Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
5.2 BDQ shall implement appropriate technical and organisational measures to ensure an appropriate level of security for the Customer Personal Data, including any measures specified in the applicable Order.
6. Third party processors and international transfers
6.1 BDQ must not engage any third party to process the Customer Personal Data without the prior specific or general written authorisation of the Customer. In the case of a general written authorisation, BDQ shall inform the Customer (by updating the Service Providers' Page and, if the Customer has so requested, sending an email notice to the Customer) at least 14 days in advance of any intended changes concerning the addition or replacement of any third party processor, and if the Customer objects to any such changes before their implementation, then the Customer may terminate the contract under which BDQ provides the relevant services to the Customer on 7 days' written notice to BDQ, providing that such notice must be given within the period of 7 days following the date that BDQ informed the Customer of the intended changes.
6.2 BDQ shall ensure that each third party processor is subject to equivalent legal obligations as those imposed on BDQ by this DPA.
6.3 BDQ is hereby authorised by the Customer to engage, as sub-processors with respect to Customer Personal Data, the third parties, and third parties within the categories, identified on the Service Providers' Page as at the date of agreement of the applicable Order.
6.4 The Customer hereby authorises BDQ to make the following transfers of Customer Personal Data:
(a) BDQ may transfer the Customer Personal Data to its third party processors in the jurisdictions identified on the Service Providers' Page and may permit its third party processors to make such transfers, providing that such transfers must be protected by any appropriate safeguards identified therein; and
(b) BDQ may transfer the Customer Personal Data to a country, a territory or sector to the extent that the competent data protection authorities have decided that the country, territory or sector ensures an adequate level of protection for Personal Data.
7. Assistance and cooperation
7.1 BDQ shall, insofar as possible and taking into account the nature of the processing, take appropriate technical and organisational measures to assist the Customer with the fulfilment of the Customer's obligation to respond to requests exercising a data subject's rights under the Data Protection Laws.
7.2 BDQ shall assist the Customer in ensuring compliance with the obligations relating to the security of processing of personal data, the notification of personal data breaches to the supervisory authority, the communication of personal data breaches to the data subject, data protection impact assessments and prior consultation in relation to high-risk processing under the Data Protection Laws. BDQ may charge the Customer at its standard time-based charging rates for any work performed by BDQ at the request of the Customer pursuant to this Clause 7.2.
7.3 BDQ shall make available to the Customer all information necessary to demonstrate the compliance of BDQ with its obligations under this DPA. BDQ may charge the Customer at its standard time-based charging rates for any work performed by BDQ at the request of the Customer pursuant to this Clause 7.3, providing that no such charges shall be levied with respect to the completion by BDQ (at the reasonable request of the Customer, not more than once per calendar year) of the standard information security questionnaire of the Customer.
7.4 BDQ shall allow for and contribute to audits, including inspections, conducted by the Customer or another auditor mandated by the Customer in respect of the compliance of BDQ's processing of Customer Personal Data with the Data Protection Laws and this DPA. BDQ may charge the Customer at its standard time-based charging rates for any work performed by BDQ at the request of the Customer pursuant to this Clause 7.4, providing that no such charges shall be levied where the request to perform the work arises out of any breach by BDQ of this DPA or any security breach affecting the systems of BDQ.
8. Data breaches
8.1 BDQ must notify the Customer of any Personal Data breach affecting the Customer Personal Data without undue delay and, in any case, not later than 36 hours after BDQ becomes aware of the breach.
9. Changes in the law
9.1 This DPA may not be varied except as follows:
(a) to the extent reasonably necessary to ensure that the parties and this DPA comply with the Data Protection Laws, by BDQ giving to the Customer at least 30 days' prior written notice of the variation;
(b) by BDQ giving to the Customer at least 90 days' prior written notice of the variation, in which case the Customer may terminate the DPA on 14 days' written notice at any time during that 90-day period;
(c) in accordance with the other provisions of the contract between the parties; or
(d) by means of a written document signed by or on behalf of each party.