Data Processing Agreement

Background

A. On 25 May 2018, the General Data Protection Regulation (Regulation (EU) 2016/679, “the GDPR”) came into force in, inter alia, Member States of the European Union, including the UK.

B. The Client is the controller within the meaning of Article 3 of the GDPR to the extent that it transfers personal data into the possession or control of DWS under contracts for services with DWS from time to time.

C. The Parties intend to take all steps and measures to comply with GDPR insofar as they are required to do so.

D. The Parties acknowledge Article 28 of the GDPR.

E. DWS will be the data processor of the personal data in accordance with the GDPR.

F. The Parties wish to comply with the provisions of the GDPR and intend to do so, inter alia, by way of this agreement on the terms and conditions as set out below.

Agreement

1 Definitions

1.1 For the purposes of this Agreement, the following defined terms shall also apply:

Client Associate: a legal entity associated with the Client, which is entitled to receive the benefit of the services supplied by DWS as specified in a Service Agreement.

Data Protection Legislation: (i) unless and until the GDPR is no longer directly applicable in the UK, the GDPR and any national implementing laws, regulations and secondary legislation, as amended or updated from time to time, in the UK, and then (ii) any successor legislation to the GDPR or the Data Protection Act 1998.

Service Agreement: a contract for services to which the Client and DWS are parties, whereby DWS supplies services to the Client, including but not limited to a Master Service Agreement and/or Support Agreements (as defined in the Master Service Agreement).

Schedule: the Data Protection Schedule to this Agreement.

1.2 In this Agreement:

a. reference to a clause is to the relevant clause of this Agreement;

b. references to the masculine include the feminine and references to the singular include the plural and vice versa in each case;

c. headings are included for convenience only and do not affect the interpretation of this Agreement;

d. references to an Act of Parliament, Regulation, statutory provision or statutory instrument include a reference to that Act of Parliament, statutory provision or statutory instrument as amended, extended or re‐enacted from time to time and to any regulations made under it;

e. to the extent that this Agreement conflicts or is inconsistent with the terms of the Data Protection Legislation, the Data Protection Legislation will prevail to the extent of the conflict and/or inconsistency; and

f. references to a person or body include references to its successor; and

g. Terms defined at Article 4 of the GDPR shall take the same meaning in this Agreement.

2 Term

2.1 This Agreement shall remain in force until DWS no longer processes personal data in the capacity of a processor for the Client.

3 Data Processing

3.1 For the purposes of the Data Protection Legislation, the Client is the controller and DWS is the processor.

3.2 Each of the Parties shall comply with its requirements of the Data Protection Legislation. This clause is in addition to, and does not relieve, remove or replace a Party’s obligations under the Data Protection Legislation.

3.3 The Client will ensure that it has all necessary and/or appropriate authority to enable lawful transfer of personal data to DWS for the duration and purposes of this Agreement.

4 Lawful Basis for Processing

4.1 The Client warrants that:

a. it has conducted an assessment of the purposes and lawful bases of processing of personal data which will be provided to DWS under Service Agreements;

b. the Categories of Personal Data, Categories of Data Subjects, Purposes, Retention Period(s), Third Countries, Recipients and Lawful Bases set out in the Schedule are amongst those which it is lawfully permitted to process the personal data of data subjects named in the Schedule; and

c. the Schedule is otherwise correct in all material respects.

4.2 DWS shall in relation to any personal data processed in connection with the performance by DWS of its obligations under a Service Agreement:

a. process personal data only on the written instructions of the Client unless DWS is required by the laws of any member of the European Union or by the laws of the European Union applicable to DWS to process personal data (“Relevant Laws”).

b. where DWS relies on laws of a member of the European Union or European Union law as the basis for processing personal data, DWS shall notify the Client of the same before performing the processing required by the Relevant Laws unless those Relevant Laws prohibit DWS from so notifying the Client.

c. ensure that it has in place appropriate technical and organisational measures to protect against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures. Such measures may include, where appropriate, pseudonymising and encrypting personal data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to personal data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it.

d. ensure that all personnel who have access to and/or process personal data are obliged to keep the personal data confidential.

e. not transfer any personal data outside of the European Economic Area unless the transfer is initiated by the Client or its agents, or prior written consent of DWS has been obtained and the following conditions are fulfilled:

i. the Client and DWS have provided appropriate safeguards in relation to the transfer;
ii. the data subject has enforceable rights and effective legal remedies;
iii. DWS complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any personal data that is transferred; and
iv. DWS complies with reasonable instructions notified to it in advance by the Client with respect to the processing of the personal data.

f. assist the Client, at the Client’s cost to respond to any request from a data subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators.

g. notify the Client without undue delay on becoming aware of a personal data breach.

h. at the written direction of the Client, delete or return personal data and copies thereof to the Client on termination of the agreement unless required by Relevant Laws to store the personal data.

4.3 The Parties shall cooperate to assist the other to comply with the terms of the GDPR.

4.4 Each of the Parties warrants that the Schedule sets out the scope, nature and purpose of processing by DWS, the duration of the processing and the types of personal data and categories of data subject.

4.5 To the extent that the Client requests the assistance of DWS and such assistance is not able to be supplied by DWS in a computer automated fashion whereby the Client may obtain the data it requires itself through the user interfaces of DWS systems, such assistance shall be supplied on a time and materials basis by DWS.

4.6 Each of the Parties shall notify the other where there are or is expected to be material changes required to the Schedule and each Party will thereafter comply with clause 3.2.

4.7 DWS shall maintain complete and accurate records and information to demonstrate its compliance with this clause.

4.8 The Client consents to DWS appointing sub-processors generally and specifically Microsoft and its subsidiaries as a third-party processor of personal data. The Client confirms that the Supplier may enter into written agreements with Microsoft Corporation and/or its subsidiaries for the provision of cloud based services provided by the Azure platform.

4.9 DWS shall inform the Client of any intended changes concerning the addition or replacement of sub-processor.

4.10 DWS may, at any time on not less than 30 days’ notice, revise this clause 3 by replacing it with any applicable controller to processor standard clauses or similar terms forming part of an applicable certification scheme (which shall apply when replaced by attaching the same to this Agreement and delivering the same to the Client).

5 Retention of personal data Post Termination

5.1 Unless otherwise agreed in writing, either before or after this Agreement is made, within 14 days of termination of a Service Agreement, the Client shall notify the Client in writing to dataprotection@dws-global.com whether it requires DWS to delete or pseudonymise personal data in its possession or control.

5.2 Should such notification not be received by DWS within 14 days of termination, DWS shall within a further 14 days (1) prepare a record comprising personal data processed on behalf of the Client as may remain in its possession or control (“the Data”), and (2) make the Data securely available and/or securely deliver a copy of the Data to the Client by any means reasonable in the circumstances.

5.3 Upon expiry of the 14 days of making the Data available and/or delivering the Data to the Client, DWS (1) shall delete copies of the Data held in its capacity of processor, save where existing copies are required to be stored by laws in force in the European Union or UK law; and (2) have no further liability to the Client for retention or management of personal data.

6 Costs of this Agreement

Each Party shall bear their own costs connected to or associated with this Agreement.

7 Governing Law and Jurisdiction

This Agreement shall be governed by the laws of England and Wales. Each Party irrevocably agrees that the Courts of England and Wales shall have exclusive jurisdiction to resolve any dispute or claim arising out of or in connection with this Agreement, its subject matter or formation (including non-contractual disputes or claims).

Data Protection Schedule

1. Scope

1.1 DWS develops, hosts and supplies specialised business software applications which assist businesses, optimise business processes and tasks, and associated services. The services supplied by DWS relate primarily to processing of source code for purposes of optimising allocation of resources to update and maintain source code forming part of the JD Edwards EnterpriseOne software suite.

1.2 The Parties foreshadow that processing of personal data will be incidental to the performance of such services.

2. Purposes of Processing

2.1 Permit DWS to supply the Client with services to process and parse source code and other materials supplied pursuant to this Agreement.

2.2 Facilitate more efficient operation of the Client’s business by analysing source code and producing statistics and reports in relation thereto for allocation of resources to thereafter attend.

2.3 Communication between the Parties conducted by data subjects.

2.4 Legal Requirements

(a) Enable us to meet our legal and statutory obligations to you and others
(b) Ensure compliance with policies and procedures
(c) Data Protection assessments and audits
(d) Prevent, detect and investigate fraud, corruption and misconduct
(e) Monitor use of our information and communication systems to ensure compliance with our IT policies
(f) Ensure network and information security, including preventing unauthorised access to our computer and electronic communications systems and preventing malicious software distribution
(g) Equal opportunities monitoring; Comply with health and safety obligations

3. Categories of Recipients of personal data

3.1 Staff of the Parties

3.2 Insurers of the Parties

3.3 Regulatory authorities of the Parties as the case may be from time to time

4. Transfers of personal data permitted to third countries or an international organisation (and identify) (excludes EEA countries)

United States; Canada, UAE, Australia and New Zealand, the location of the registered offices of the Client.

5. Duration of the processing

For the term of the relevant Service Agreement plus 42 days.

6. Categories of Data Subject

| Ref | Category of data subject | Categories of personal data |
| --- | --- | --- |
| 1 | DWS Staff | Contact Details, Employee/Consultant profile information |
| 2 | DWS Suppliers | Contact Details, Employee/Consultant profile information |
| 3 | Client Staff (employees & contractors) | Contact Details, Employee/Consultant profile information |
| 4 | Third Party developers | Contact Details, Employee/Consultant profile information |

7. Types of Personal Data

| Ref | Categories of personal data | Elements – personal data | Type of personal data |
| --- | --- | --- | --- |
| 1 | Contact Details | Name, email address(es), address(es), telephone number(s), instant messaging address(es) | Personal Data |
| 2 | Employee/Consultant profile information | Employer, head contractor, username(s), job title, dates worked, age/DOB, geographical location of work, IP address used for work, skillsets for employment/work purposes, login names, aliases | Personal Data |

8. Lawful Basis and Retention Periods

| Category of Personal Data | Lawful Basis for Processing | Retention Period |
| --- | --- | --- |
| Contact Details | Legal obligation, public task, vital interests, legitimate interests | Term of service agreement + 7 years |
| Employee/Consultant profile information | Legal obligation, public task, vital interests, legitimate interests | Term of service agreement + 42 days |

KEY:

| GDPR Article | Basis | Explanation |
| --- | --- | --- |
| Article 6(1)(a) | Consent | the data subject has given consent to the processing of his or her personal data for one or more specific purposes |
| Article 6(1)(b) | Contract | processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; |
| Article 6(1)(c) | Legal Obligation | processing is necessary for compliance with a legal obligation to which the controller is subject; |
| Article 6(1)(d) | Vital Interests | processing is necessary in order to protect the vital interests of the data subject or of another natural person; |
| Article 6(1)(e) | Public Task | processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; |
| Article 6(1)(f) | Legitimate Interests | processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child |