This Data Processing Agreement (hereinafter referred to as “Agreement” or “DPA”) by and between , you (the "The Company" or "Data Controller"), and us (the “Vendor” or “Data Processor” or “Processor”) who agree to be bound by the terms of this Agreement.
This Data Processing Agreement will be supplemental to the Collections Agreement (CA) between the Parties, and this Agreement will follow the terms of that CA.
Whereas
The Company acts as the Data Controller and the Company wishes to subcontract certain Services, which may require the processing of personal data, to the Data Processor. The Parties seek to implement a data processing agreement in compliance with the requirements under the General Data Protection Regulation, and any other applicable Data Protection regulations. The Parties which to operate according to the following terms:
1. Terms of Agreement
1.1 This agreement supplements the Principal Contract and makes legally binding provisions for compliance with the UK GDPR as set forth in this agreement. As per the requirements of UK GDPR, all processing of personal data by a processor on behalf of a controller, shall be governed by a contract. The terms, obligations and rights set forth in this agreement relate directly to the data processing activities and conditions laid out in Schedule 1.
1.2 The terms used in this agreement have the meanings as set out in the 'definitions' part of the document
2. Definitions
2.1 In this Agreement, unless the text specifically notes otherwise, the below words shall have the following meanings: -
2.2 "Consent" of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her
2.3 "Effective Date" means that date that this agreement comes into force
2.4 "Personal Data" means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person
2.5 “UK GDPR” means the United Kingdom General Data Protection Regulation (tailored by the Data Protection Act 2018)
2.6 "Principal Contract" means the main contract between the parties named in this agreement
2.7 "Processing" means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction
2.8 "Recipient" means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with domestic law, shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing
2.9 "Third-party" means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data
2.10 "Sub Processor" means any person or entity appointed by or on behalf of the Processor to process personal data on behalf of the Controller
2.11 "The Commissioner" means the Information Commissioners Office pursuant to Article 51 of the “GDPR”
3. Obligations and Rights of the Processor
3.1 The Processor shall comply with the UK GDPR and must: -
a) only act on the written instructions of the Controller
b) ensure that people processing the data are subject to a duty of confidence
c) ensure that any natural person acting under their authority who has access to personal data, does not process that data except on instructions from the Controller
d) use its best endeavours to safeguard and protect all personal data from unauthorised or unlawful processing, including (but not limited to) accidental loss, destruction or damage and will ensure the security of processing through the demonstration and implementation of appropriate technical and organisational measures as specified in Schedule 1 of this agreement
e) ensure that all processing meets the requirements of the UK GDPR and is in accordance with the Data Protection Principles
f) ensure that where a Sub-Processor is used, they: -
i. only engage a Sub-Processor with the prior consent of the data controller
ii. inform the controller of any intended changes concerning the addition or replacement of Sub- Processors
iii. they implement a written contract containing the same data protection obligations as set out in this agreement, in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of the UK GDPR
iv. understand that where any Sub-Processor is used on their behalf, that any failure on the part of the sub-processor to comply with the UK GDPR or the relevant data processing agreement, the initial processor remains fully liable to the controller for the performance of the Sub-Processor’s obligations
g) assist the Controller in providing subject access and allowing data subjects to exercise their rights under the UK GDPR
h) assist the Controller in meeting its data protection obligations in relation to: -
i. the security of processing
ii. data protection impact assessments
iii. the investigation and notification of personal data breaches
i) delete or return all personal data to the Controller as requested at the end of the contract
j) make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in the UK GDPR and allow for, and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller
k) tell the Controller immediately if they have done something (or are asked to do something) infringing the UK GDPR
l) cooperate with the Commissioner in accordance with the UK GDPR Article 31 and notify the Controller of any personal data breaches in accordance with the UK GDPR Article 33
n) where applicable, employ a Data Protection Officer if required
3.2 Nothing within this agreement relieves the processor of their own direct responsibilities, obligations and liabilities under the UK GDPR.
3.3 The Processor is responsible for ensuring that each of its employees, agents, subcontractors or vendors are made aware of its obligations regarding the security and protection of the personal data and the terms set out in this agreement.
3.4 The Processor shall maintain induction and training programs that adequately reflect the Data Protection Law requirements and regulations, and ensure that all employees are afforded the time, resources and budget to undertake such training on a regular basis.
3.5 Any transfers of personal data to a third country or an international organisation shall only be carried out on documented instructions from the controller, unless required to do so by domestic law. Where such a legal requirement exists, the Processor shall inform the Controller of that legal requirement before processing.
3.6 The Processor shall maintain a record of all categories of processing activities carried out on behalf of the Controller, containing: -
4. Obligations and Rights of the Controller
4.1 The Controller is responsible for verifying the validity and suitability of the Processor before entering into a business relationship.
4.2 The Controller shall carry out adequate and appropriate onboarding and due diligence checks for all Processors, with a full assessment of the mandatory UK GDPR requirements.
4.3 The Controller shall verify that the Processor has adequate and documented processes for data breaches, data retention and data transfers in place.
4.4 The Controller shall obtain evidence from the Processor as to the: -
a) verification and reliability of the employees used by the Processor
b) certificates, accreditations and policies as referred to in the due diligence / onboarding questionnaire (if applicable)
c) technical and operational measures need to be described in a separate schedule this agreement
d) procedures in place for allowing data subjects to exercise their rights, including (but not limited to), subject access requests, erasure & rectification procedures and restriction of processing measures
4.5 Where the Controller has authorised the use of any Sub-Processor by the initial Processor, the controller must verify that similar data protection agreements are in place between the initial Processor and Sub- Processor.
4.6 Where the Controller has authorised the use of any Sub-Processor by the initial Processor, the details of the Sub-Processor must be added to a separate schedule to this agreement.
5. Penalties & Termination
5.1 By signing this agreement, the Processor confirms that they understand the legal and enforcement actions that they may be subject to should they fail to uphold the agreement terms or breach the Data Protection Laws. If the processor fails to meet their obligations, they may be subject to:
a) investigative and corrective powers of the Commissioner under Article 58 of the UK GDPR
b) an administrative fine under Article 83 of the UK GDPR
c) a penalty under Article 84 of the UK GDPR
d) pay compensation under Article 82 of the UK GDPR
5.2 The Controller or Processor can terminate this agreement in accordance with the termination of the collections agreement.
6. Signing
By accessing and using this Data Processing Agreement (DPA), the parties or their duly authorised representatives acknowledge and agree to all its clauses. Agreement to this DPA is confirmed through the acceptance of our Digital Collections Agreement, which is completed during the order process.
This Data Processing Agreement (hereinafter referred to as “Agreement” or “DPA”) by and between , you (the "The Company" or "Data Controller"), and us (the “Vendor” or “Data Processor” or “Processor”) who agree to be bound by the terms of this Agreement.
This Data Processing Agreement will be supplemental to the Collections Agreement (CA) between the Parties, and this Agreement will follow the terms of that CA.
Whereas
The Company acts as the Data Controller and the Company wishes to subcontract certain Services, which may require the processing of personal data, to the Data Processor. The Parties seek to implement a data processing agreement in compliance with the requirements under the General Data Protection Regulation, and any other applicable Data Protection regulations. The Parties which to operate according to the following terms:
1. Terms of Agreement
1.1 This agreement supplements the Principal Contract and makes legally binding provisions for compliance with the UK GDPR as set forth in this agreement. As per the requirements of UK GDPR, all processing of personal data by a processor on behalf of a controller, shall be governed by a contract. The terms, obligations and rights set forth in this agreement relate directly to the data processing activities and conditions laid out in Schedule 1.
1.2 The terms used in this agreement have the meanings as set out in the 'definitions' part of the document
2. Definitions
2.1 In this Agreement, unless the text specifically notes otherwise, the below words shall have the following meanings: -
2.2 "Consent" of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her
2.3 "Effective Date" means that date that this agreement comes into force
2.4 "Personal Data" means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person
2.5 “UK GDPR” means the United Kingdom General Data Protection Regulation (tailored by the Data Protection Act 2018)
2.6 "Principal Contract" means the main contract between the parties named in this agreement
2.7 "Processing" means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction
2.8 "Recipient" means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with domestic law, shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing
2.9 "Third-party" means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data
2.10 "Sub Processor" means any person or entity appointed by or on behalf of the Processor to process personal data on behalf of the Controller
2.11 "The Commissioner" means the Information Commissioners Office pursuant to Article 51 of the “GDPR”
3. Obligations and Rights of the Processor
3.1 The Processor shall comply with the UK GDPR and must: -
a) only act on the written instructions of the Controller
b) ensure that people processing the data are subject to a duty of confidence
c) ensure that any natural person acting under their authority who has access to personal data, does not process that data except on instructions from the Controller
d) use its best endeavours to safeguard and protect all personal data from unauthorised or unlawful processing, including (but not limited to) accidental loss, destruction or damage and will ensure the security of processing through the demonstration and implementation of appropriate technical and organisational measures as specified in Schedule 1 of this agreement
e) ensure that all processing meets the requirements of the UK GDPR and is in accordance with the Data Protection Principles
f) ensure that where a Sub-Processor is used, they: -
i. only engage a Sub-Processor with the prior consent of the data controller
ii. inform the controller of any intended changes concerning the addition or replacement of Sub- Processors
iii. they implement a written contract containing the same data protection obligations as set out in this agreement, in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of the UK GDPR
iv. understand that where any Sub-Processor is used on their behalf, that any failure on the part of the sub-processor to comply with the UK GDPR or the relevant data processing agreement, the initial processor remains fully liable to the controller for the performance of the Sub-Processor’s obligations
g) assist the Controller in providing subject access and allowing data subjects to exercise their rights under the UK GDPR
h) assist the Controller in meeting its data protection obligations in relation to: -
i. the security of processing
ii. data protection impact assessments
iii. the investigation and notification of personal data breaches
i) delete or return all personal data to the Controller as requested at the end of the contract
j) make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in the UK GDPR and allow for, and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller
k) tell the Controller immediately if they have done something (or are asked to do something) infringing the UK GDPR
l) cooperate with the Commissioner in accordance with the UK GDPR Article 31 and notify the Controller of any personal data breaches in accordance with the UK GDPR Article 33
n) where applicable, employ a Data Protection Officer if required
3.2 Nothing within this agreement relieves the processor of their own direct responsibilities, obligations and liabilities under the UK GDPR.
3.3 The Processor is responsible for ensuring that each of its employees, agents, subcontractors or vendors are made aware of its obligations regarding the security and protection of the personal data and the terms set out in this agreement.
3.4 The Processor shall maintain induction and training programs that adequately reflect the Data Protection Law requirements and regulations, and ensure that all employees are afforded the time, resources and budget to undertake such training on a regular basis.
3.5 Any transfers of personal data to a third country or an international organisation shall only be carried out on documented instructions from the controller, unless required to do so by domestic law. Where such a legal requirement exists, the Processor shall inform the Controller of that legal requirement before processing.
3.6 The Processor shall maintain a record of all categories of processing activities carried out on behalf of the Controller, containing: -
4. Obligations and Rights of the Controller
4.1 The Controller is responsible for verifying the validity and suitability of the Processor before entering into a business relationship.
4.2 The Controller shall carry out adequate and appropriate onboarding and due diligence checks for all Processors, with a full assessment of the mandatory UK GDPR requirements.
4.3 The Controller shall verify that the Processor has adequate and documented processes for data breaches, data retention and data transfers in place.
4.4 The Controller shall obtain evidence from the Processor as to the: -
a) verification and reliability of the employees used by the Processor
b) certificates, accreditations and policies as referred to in the due diligence / onboarding questionnaire (if applicable)
c) technical and operational measures need to be described in a separate schedule this agreement
d) procedures in place for allowing data subjects to exercise their rights, including (but not limited to), subject access requests, erasure & rectification procedures and restriction of processing measures
4.5 Where the Controller has authorised the use of any Sub-Processor by the initial Processor, the controller must verify that similar data protection agreements are in place between the initial Processor and Sub- Processor.
4.6 Where the Controller has authorised the use of any Sub-Processor by the initial Processor, the details of the Sub-Processor must be added to a separate schedule to this agreement.
5. Penalties & Termination
5.1 By signing this agreement, the Processor confirms that they understand the legal and enforcement actions that they may be subject to should they fail to uphold the agreement terms or breach the Data Protection Laws. If the processor fails to meet their obligations, they may be subject to:
a) investigative and corrective powers of the Commissioner under Article 58 of the UK GDPR
b) an administrative fine under Article 83 of the UK GDPR
c) a penalty under Article 84 of the UK GDPR
d) pay compensation under Article 82 of the UK GDPR
5.2 The Controller or Processor can terminate this agreement in accordance with the termination of the collections agreement.
6. Signing
By accessing and using this Data Processing Agreement (DPA), the parties or their duly authorised representatives acknowledge and agree to all its clauses. Agreement to this DPA is confirmed through the acceptance of our Digital Collections Agreement, which is completed during the order process.
Get in touch with DebtCo
Have questions? Get into contact with one of our support
Give us a call
Our office is open Monday to Friday between 9am and 5pm
Send us a WhatsApp
We usually respond within 24 hours to your message
Drop us an Email
Reach us at: uk@debtco.io
Plan an interactive demo
Ready to get your unpaid invoices settled? The team at DebtCo is eager to collaborate and provide a seamless, no-win, no-fee service that aligns with your financial goals. Contact us today for a successful and results-driven partnership.
Give us a call
We are open between 9am and 5pm, Monday to Friday.
Visit our office
Kings Chambers. Queen Street. Derby. DE1 3DS
Send us an email
Drop us an email at uk@debtco.io