Data Processing Agreement for Viewpoint Dash 

Last Updated: 10/09/2024 

This Data Processing Agreement (“DPA”) is an addendum to the existing agreement (“Principal Agreement”) between Viewpoint Dash (“Processor”) and the client or customer (“Controller”) that governs the Controller’s use of the services provided by the Processor (“Services”). This DPA reflects the parties’ agreement concerning the processing of personal data in compliance with applicable data protection laws, including the General Data Protection Regulation (GDPR) (EU) 2016/679 and any applicable national data protection laws. 

  1. Definitions
  • Personal Data: Any information relating to an identified or identifiable natural person (“Data Subject”). 
  • Processing: Any operation or set of operations performed on Personal Data, whether or not by automated means, such as collection, recording, organization, storage, adaptation, retrieval, consultation, use, disclosure, or destruction. 
  • Controller: The entity that determines the purposes and means of processing Personal Data. 
  • Processor: Viewpoint Dash, which processes Personal Data on behalf of the Controller. 
  • Sub-Processor: Any third party engaged by the Processor to assist with processing Personal Data on behalf of the Controller. 
  • Data Subject: An individual whose Personal Data is processed. 
  • Supervisory Authority: An independent public authority established by a Member State of the European Union.

  2. Scope and Roles

The Controller is the data controller and retains control over the purposes and means of Processing Personal Data. The Processor acts as the data processor and Processes Personal Data only on behalf of the Controller in accordance with the Controller’s instructions, as outlined in this DPA and the Principal Agreement. 

  3. Processing of Personal Data
  • Purpose: The Processor agrees to Process Personal Data only for the purposes outlined in the Principal Agreement or as otherwise instructed by the Controller in writing. 
  • Instructions: The Processor will only Process Personal Data in accordance with the documented instructions provided by the Controller, including with regard to transfers of Personal Data to a third country or international organization. 
  • Types of Personal Data: The types of Personal Data that may be processed include, but are not limited to, names, contact details, email addresses, and any other data necessary for the provision of the Services. 
  • Categories of Data Subjects: Data Subjects may include, but are not limited to, the Controller’s employees, customers, users, and other individuals whose Personal Data is collected and Processed by the Controller.

  4. Processor’s Obligations
  • Confidentiality: The Processor will ensure that all personnel authorized to Process Personal Data have committed to confidentiality or are under an appropriate statutory obligation of confidentiality. 
  • Security: The Processor will implement appropriate technical and organizational measures to protect Personal Data from accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access.

4.1 Specific Security Measures:

  • Encryption: All Personal Data transmitted electronically will be encrypted. 
  • Access Control: Personal Data will be accessible only by authorized personnel. 
  • Regular Security Audits: The Processor will conduct regular audits to ensure compliance with data protection standards. 
  • Pseudonymization and Anonymization: When appropriate, Personal Data will be pseudonymized or anonymized to protect privacy. 
  • Physical Security: Facilities where Personal Data is stored will have physical security measures to prevent unauthorized access. 
  • Assistance: The Processor will assist the Controller in ensuring compliance with data protection laws, including assisting with data protection impact assessments, responding to Data Subject requests, and ensuring data security. 
  • Personal Data Breach: The Processor will notify the Controller without undue delay upon becoming aware of any Personal Data breach. The notification will include sufficient information to enable the Controller to comply with any obligations to report or inform Data Subjects of the breach.

  5. Controller’s Obligations
  • Compliance: The Controller is responsible for ensuring that the Processing of Personal Data complies with all applicable data protection laws. 
  • Instructions: The Controller will provide clear and lawful instructions to the Processor regarding the Processing of Personal Data. 
  • Data Subject Rights: The Controller is responsible for responding to requests from Data Subjects regarding their rights under applicable data protection laws (e.g., access, rectification, erasure). The Processor will assist the Controller as needed to fulfil these requests.

  6. Sub-Processing
  • Authorized Sub-Processors: The Controller authorizes the Processor to engage Sub-Processors to assist in providing the Services. A list of authorized Sub-Processors will be made available by the Processor upon request. The Processor will enter into a written agreement with each Sub-Processor requiring the Sub-Processor to comply with data protection obligations that are no less protective than those set out in this DPA. 
  • Sub-Processor Changes: The Processor will notify the Controller of any intended changes concerning the addition or replacement of Sub-Processors. The Controller may object to such changes within a reasonable period. 
  • Liability: The Processor remains fully liable to the Controller for the performance of the Sub-Processor’s obligations.

  7. International Data Transfers

The Processor will not transfer Personal Data to countries outside the European Economic Area (EEA) or to international organizations without ensuring adequate safeguards are in place, such as entering into Standard Contractual Clauses approved by the European Commission or other lawful mechanisms recognized under data protection laws. 

7.1 Safeguards for International Transfers: 

  • Standard Contractual Clauses: The Processor will use Standard Contractual Clauses approved by the European Commission. 
  • Binding Corporate Rules: Where applicable, the Processor will implement Binding Corporate Rules approved by a Supervisory Authority. 
  • Adequacy Decisions: The Processor will only transfer Personal Data to countries that have been deemed to provide an adequate level of protection by the European Commission. 
  • Supplementary Measures: Additional measures will be implemented as required to ensure that transferred data maintains protection equivalent to that within the EEA.

  8. Data Retention and Deletion

Upon termination of the Principal Agreement or upon the Controller’s written request, the Processor will, at the choice of the Controller, delete or return all Personal Data processed on behalf of the Controller and delete any existing copies, unless applicable law requires the retention of such data. 

  9. Audit and Inspection

The Processor will make available to the Controller all information necessary to demonstrate compliance with the obligations set out in this DPA and will allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller, as permitted under data protection laws. 

  10. Data Subject Rights

The Processor will promptly notify the Controller if it receives any request from a Data Subject to exercise any of their rights under applicable data protection laws, including requests for access, rectification, restriction, erasure, or data portability of their Personal Data. The Processor will assist the Controller, where appropriate, in responding to such requests. 

  11. Data Breach Notification

The Processor will notify the Controller without undue delay after becoming aware of any breach of Personal Data. Such notification will include, at a minimum: 

  • A description of the nature of the breach, including the categories and approximate number of Data Subjects and Personal Data records affected. 
  • The likely consequences of the breach. 
  • Measures taken or proposed to address the breach and mitigate its possible adverse effects.

  12. Indemnification

The Processor will indemnify and hold harmless the Controller against any legal claims, fines, or penalties arising from the Processor’s breach of this DPA or applicable data protection laws, to the extent that such claims, fines, or penalties are attributable to the Processor’s actions or omissions. The Processor’s liability under this indemnity is subject to the limitations set out in the Principal Agreement, except where such limitations are prohibited by applicable law. 

  13. Limitation of Liability

The Processor’s liability arising out of or related to this DPA, whether in contract, tort, or under any other theory of liability, is subject to the limitations of liability set out in the Principal Agreement. 

  14. Governing Law and Jurisdiction

This DPA is governed by the laws of [Insert Jurisdiction], and any disputes arising out of or in connection with this DPA will be subject to the exclusive jurisdiction of the courts of [Insert Jurisdiction]. 

  15. Termination

This DPA will remain in effect for as long as the Processor Processes Personal Data on behalf of the Controller under the Principal Agreement. 

15.1 Termination Rights in Case of Data Breach: 

In the event of a significant Personal Data breach affecting the Controller’s Personal Data, the Controller reserves the right to terminate the Principal Agreement and this DPA with immediate effect if it determines that the breach has exposed the Personal Data to significant risk and that continued Processing poses an unacceptable risk. 

Upon termination of the Principal Agreement, the Processor will cease all Processing of Personal Data and, at the Controller’s direction, return or delete the Personal Data in its possession, except where continued retention is required by applicable law. 

  16. Contact Information

If you have any questions about this DPA, please contact us at: 

Viewpoint Dash 

Phone: 07708 092071 

Email: legal@viewpointdash.com