This Data Processing Agreement (DPA) forms part of and supplements the Services Agreement between Brandworkz and the Customer to reflect the parties’ agreement with regard to the processing of personal data by Brandworkz on behalf of the Customer.
1 Interpretation
The following definitions and rules of interpretation apply in this DPA:
1.1 All capitalised terms not defined in this DPA will have the meanings given to them in the Services Agreement.
1.2 Where there is any contradiction between the Services Agreement and this DPA the contents of this DPA shall take precedence in relation only to its subject matter.
1.3 Definitions
Brandworkz means Brandworkz Ltd, a company registered in England and Wales with company number 03375289 with its registered office at Suite 118, 22 Highbury Grove, London, N5 2EF.
Controller, Processor, Data Subject, Personal Data, Personal Data Breach and Processing have the meanings given to them in the Data Protection Legislation.
Customer Data means any personal data which Brandworkz processes in connection with the Services Agreement, in the capacity of a processor on behalf of the Customer.
Data Protection Legislation means all applicable data protection and privacy legislation in force from time to time in the UK including the UK GDPR, the Data Protection Act 2018 (DPA 2018) (and regulations made thereunder) and the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426), in each case as amended from time to time, and all other legislation and regulatory requirements in force from time to time which apply to a party relating to the use of personal data (including, without limitation, the privacy of electronic communications).
Domestic Law means the law of the United Kingdom or a part of the United Kingdom.
EU-U.S. Data Privacy Framework (EU-U.S. DPF): The EU-U.S. DPF, UK Extension to the EU-U.S. DPF, and Swiss-U.S. DPF were respectively developed by the U.S. Department of Commerce and the European Commission, UK Government, and Swiss Federal Administration to provide U.S. organizations with reliable mechanisms for personal data transfers to the United States from the European Union, United Kingdom, and Switzerland while ensuring data protection that is consistent with EU, UK, and Swiss law. Brandworkz, Ltd has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union and the United Kingdom in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF.
EEA means the European Economic Area.
Services Agreement means, for the purposes of this DPA, the Brandworkz terms and conditions as provided to the Customer and any order forms agreed between Brandworkz and the Customer.
UK GDPR has the meaning given to it in section 3(10) (as supplemented by section 205(4)) of the DPA 2018.
2 Scope of data processing
2.1 Relationship of the parties: The Customer and Brandworkz agree and acknowledge that for the purpose of the Data Protection Legislation: (i) the Customer is the Controller and Brandworkz is the Processor in relation to Customer Data; and (ii) each party will comply with its obligations under the Data Protection Legislation with respect to the processing of Customer Data.
2.2 Right to Access: Customer has the right to access their Personal Data stored with Brandworkz at any time.
2.3 Anonymised data: Brandworkz is authorised by the Customer to anonymise the Customer Data and once such anonymised data no longer contains personal data to use such anonymised data for its own business purposes.
2.4 Details of processing: The Annex describes the subject matter, duration, nature and purpose of the processing and the personal data categories and data subject types in respect of which Brandworkz may process the Customer Data to perform its obligations under the Services Agreement.
3 Obligations of Brandworkz
3.1 Compliance with instructions: Brandworkz shall only process the Customer Data to the extent, and in such a manner, as is necessary for the Services in accordance with the Customer’s written instructions, save that Brandworkz may anonymise the Customer Data as set out at clause 2. Brandworkz shall promptly notify the Customer if, in its opinion, the Customer’s instructions do not comply with the Data Protection Legislation.
3.2 Confidentiality: Brandworkz shall maintain the confidentiality of the Customer Data and will not disclose the Customer Data to third parties unless it is anonymised as set out in clause 2, the Customer specifically authorises the disclosure whether in this DPA or otherwise in writing, or as required by Domestic Law. If Domestic Law requires Brandworkz to disclose the Customer Data to a third party, Brandworkz must first inform the Customer and give the Customer an opportunity to object or challenge the requirement, unless Domestic Law prohibits the giving of such notice. If the identity of a sub-processor is provided to the Customer as set out in clause 7.1, the Customer shall maintain the confidentiality of such identified sub-processor and not disclose it to third parties unless Brandworkz specifically authorises such disclosure in writing or where such disclosure is required by Domestic Law.
3.3 Lawful Requests by Public Authorities: Brandworkz may be required to disclose personal information in response to lawful requests by public authorities, including to meet national security law enforcement requirements in the countries in which clients are based.
3.4 Assistance: Brandworkz shall reasonably assist the Customer, at the Customer’s cost, with meeting the Customer’s compliance obligations under the Data Protection Legislation in relation to Customer Data, taking into account the nature of Brandworkz’s processing of the Customer Data and the information available to Brandworkz in relation to such Customer Data.
3.5 Employees: Brandworkz will ensure that all of its employees are informed of the confidential nature of the Customer Data and are bound by confidentiality obligations and use restrictions in respect of the Customer Data and are aware both of Brandworkz’s duties and their personal duties and obligations under the Data Protection Legislation and this DPA.
3.6 Audits: Brandworkz will maintain complete and accurate records and information to demonstrate its compliance with this DPA and allow for audits by the Customer or the Customer’s designated auditor (subject to the designated auditor entering into appropriate confidentiality obligations with Brandworkz) at reasonable times and on reasonable notice.
4 Security
4.1 Appropriate measures: Brandworkz shall implement appropriate technical and organisational measures against unauthorised or unlawful processing, access, copying, modification, reproduction, display or distribution of the Customer Data, and against accidental or unlawful loss, destruction, alteration, disclosure or damage of Customer Data, including as appropriate:
4.1.1 the pseudonymisation and encryption of Customer Data;
4.1.2 the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
4.1.3 the ability to restore the availability and access to Customer Data in a timely manner in the event of a physical or technical incident; and
4.1.4 a process for regularly testing, assessing and evaluating the effectiveness of the security measures.
5 Personal data breach
5.1 Notification: If Brandworkz becomes aware of a personal data breach in relation to Customer Data, Brandworkz will notify the Customer without undue delay. Brandworkz will not inform any third party of any accidental, unauthorised or unlawful processing of all or part of the Customer Data and/or a personal data breach without first obtaining the Customer’s written consent, except when required to do so by Domestic Law.
5.2 Assistance: Brandworkz will reasonably co-operate with the Customer in the Customer’s handling of a personal data breach in relation to Customer Data, including but not limited to taking reasonable steps to mitigate the effects and to minimise any damage resulting from the personal data breach.
5.3 Handling of the personal data breach: Brandworkz agrees that the Customer has the sole right to determine whether to provide notice of the accidental, unauthorised or unlawful processing and/or the personal data breach to any data subjects, regulators, law enforcement agencies or others, as required by law or regulation or in the Customer’s discretion, including the contents and delivery method of the notice. Under the terms set forth in Annex I of the DPF Principles, under certain conditions, the Customer has the right to invoke binding arbitration regarding a Personal Data Breach. For more information, please visit https://www.dataprivacyframework.gov/
6 International transfers
6.1 Brandworkz shall not transfer any Customer Data outside of the UK or the EEA unless the following conditions are fulfilled:
6.1.1 the Customer or Brandworkz has provided appropriate safeguards in relation to the transfer;
6.1.2 data subjects have enforceable rights and effective legal remedies;
6.1.3 Brandworkz complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Customer Data that is transferred; and
6.1.4 Brandworkz complies with reasonable instructions notified to it in advance by the Customer with respect to the processing of the Customer Data.
7 Sub-processors
7.1 Permitted sub-processors: The Customer provides its general written authorisation to Brandworkz to authorise third party sub-processors to process the Customer Data. The sub-processors currently engaged by Brandworkz are set out at the Annex. Brandworkz shall inform the Customer of any sub-processors that it intends to engage and any intended changes concerning the addition or replacement of any sub-processors by updating the Annex and making the updated version available on its website thereby giving the Customer the opportunity to object to such changes. Where Brandworkz does not provide a sub-processor’s identity in the Annex this is because it is confidential, but details can be provided upon request.
7.2 Sub-processor obligations: Brandworkz shall enter into a written contract with each sub-processor that contains terms substantially the same as those set out in this DPA and shall remain responsible for any acts or omissions of any sub-processor that cause Brandworkz to breach any of its obligations under this DPA.
8 Data subject rights
8.1 Notification: Brandworkz shall promptly notify the Customer if it receives any complaint, notice or communication that relates directly or indirectly to the processing of the Customer Data or to either party’s compliance with the Data Protection Legislation in relation to the Customer Data.
8.2 Assistance: Brandworkz shall use its commercially reasonable endeavours to provide such information to the Customer as the Customer may reasonably require, to enable the Customer to comply with the rights of data subjects under the Data Protection Legislation.
9 Return or deletion of Customer Data: At the written direction of the Customer, Brandworkz shall delete or return the Customer Data and copies thereof to the Customer unless required by Domestic Law to store the Customer Data.
10 Limitation of liability: The limitations of liability set out in the Services Agreement shall apply to this DPA.
11 Updates to this DPA: Brandworkz may vary this DPA by notice to the Customer, and/or may revise this DPA by replacing it with any applicable controller to processor standard clauses or similar terms adopted under the Data Protection Legislation or forming part of an applicable certification scheme, and in each case the varied or revised DPA shall apply when uploaded to Brandworkz’s website.
Brandworkz complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF as set forth by the U.S. Department of Commerce. Brandworkz, Ltd has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union and the United Kingdom in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) Program, and to view our certification, please visit https://www.dataprivacyframework.gov/
In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, Brandworkz is subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC). To learn more about the FTC, please visit https://www.ftc.gov/
In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, Brandworkz commits to resolve DPF Principles-related complaints about our collection and use of your personal information. EU and UK individuals with inquiries or complaints regarding our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, should first contact Brandworkz, Ltd at: legal@brandworkz.com.
In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, Brandworkz commits to refer unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF to TRUSTArc, an alternative dispute resolution provider based in the United States. If you do not receive timely acknowledgment of your DPF Principles-related complaint from us, or if we have not addressed your DPF Principles-related complaint to your satisfaction, please visit https://feedback-form.truste.com/watchdog/request for more information or to file a complaint. The services of TRUSTArc are provided at no cost to you.
Annex
Details of the processing
Processing by Brandworkz:
1. Nature and purpose of processing | Performance of Brandworkz’s obligations in relation to Customer Data in accordance with and as set out in the Services Agreement. |
2. Duration of the processing | The term of the Services Agreement. |
3. Categories of data subject | Determined and controlled by the Customer in its sole discretion and which may include, but is not limited to, personal data relating to the following categories of data subjects:
|
4. Types of personal data | Determined and controlled by the Customer in its sole discretion and which may include, but is not limited to, the following categories of personal data of data subjects:
Personal details including:
|
5. Sub-processors | Technical and client support is provided on a global basis by sub-processors with staff in the United Kingdom, Australia, and the United States of America.
Cloud hosting of the Brandworkz platform is fulfilled by world class providers in the European Union and the United States and is architected to meet the needs of our global customers. |