Data Processing Agreement

1. Appointment:

The Processor (Freeola) has agreed to provide Services to the Controller in accordance with the terms of the Agreement. The Processor will process Customer Data on behalf of the Controller, this may include some Personal Data. Personal Data will be processed and protected in line with the terms of this DPA.

The Processor shall process the data only to the extent necessary to provide the Services in accordance with the Controller’s instructions and this DPA.

2. Processor Obligations:

• The Processor may only use or process Personal Data within the framework laid out in this DPA.

• The Processor shall process Personal Data on behalf of the Controller, and shall only process the Personal Data on the instruction of the Controller.

• The Processor will inform and advise the Controller, if they believe that any of the instructions regarding processing do not conform or are in breach of any applicable data protection laws.

• The Processor will ensure that any employees involved in handling and processing Personal Data, have received appropriate training on their responsibility as a Processor and are bound by the terms of this DPA.

• The Processor will ensure that all employees, agents, officers and contractors involved in handling and processing the Personal Data are aware of its confidential nature and are subject to a duty of confidence.

• The Processor shall implement appropriate technical and organisational measures to ensure data security, such as (but not limited to) maintaining the security of our servers. These measures are subject to review and development.

• The Controller acknowledges and agrees that in the course of operating and providing the Services, it may be necessary for the Processor to access the Personal Data to respond to any technical problems or Controller queries, as well as ascertaining that the Services are in proper working order. Access will be limited to only these purposes.

• Taking into account the nature of the processing, the Processor shall assist the Controller by having in place technical and organisational measures, so far as is possible, for the fulfilment of the Controller’s obligation to respond to Data Subject’s requests to exercise their rights. Note: Freeola (the Processor) only processes data in terms of hosting. The Processor will not undertake any data deletion for or on behalf of the Controller.

3. Controller Obligations:

• The Controller shall process and collect Personal Data in accordance to the requirements of the applicable laws. The Controller’s instructions for the processing of Personal Data shall comply with the applicable law; if it does not, then the Processor reserves the right to refuse such instructions.

• The Controller is the owner of the Personal Data and shall have the sole responsibility for the accuracy, quality and legality of Personal Data and the means by which it was acquired and transferred.

• The Controller shall implement appropriate technical and organisational measures and procedures to protect Personal Data, and to ensure that the level of security is appropriate to the risk. Including but not limited to; encryption, the ability to restore Personal Data in a timely manner in the event of a technical incident and running regular tests and reviews of the measures in place.

• The Controller shall ensure that all Affiliates of the Controller comply with the obligations of the Controller set out in this DPA.

• The Controller is responsible for compliance with all applicable data protection legislation, including requirements with regards to the transfer of Personal Data under this DPA and the Agreement.

4. Sub-Processors:

• The Controller acknowledges and agrees that a Sub-processor may be engaged by the Processor to assist with the provision of Services.

• If a Sub-processor is located outside of the United Kingdom, the Processor must ensure that they adhere and are in compliance with applicable law.

• All Sub-processors shall comply with the obligations of the Processor as set out in this DPA and will comply with any applicable data protection laws.

• The Processor will make available to the Controller a full list of any Sub-processors used; including their identity and location. The Controller will then agree to the engagement of the Sub-processors.

• The Processor (Freeola) currently commission only the following Sub-processor:

  • OVH Limited – for use of their datacentres in the UK for a Virtual Private Server service (whereby email and web-hosting traffic is filtered through the VPS, to provide an extra layer of protection against attacks and viruses).

• The Processor shall inform the Controller, with prior notification of any proposed changes to the list of Sub-processors, before authorising any new Sub-processors.

  • The Controller may object to a new Sub-processor, by notifying the Processor promptly in writing (within 10 days of notification). If the objection is not unreasonable, the Controller may terminate the Agreement involving Services that cannot be fulfilled without the use of the new Sub-processor.

5. Audits:

• The Processor shall make available on the request of the Controller, all necessary information to demonstrate the Processor’s compliance with its obligations under this DPA and relevant data protection legislation.

• The Processor will allow for and cooperate with audits and inspections. In the event that the Controller would like a third-party audit, it will be subject to the following conditions:

  • Carried out at the Controller’s expense.

  • Limited to matters specific to the Controller and agreed in advance.

  • Conducted during UK business hours, with advance notice (4 weeks).

  • Performed in a manner that does not disrupt the Processor’s day-to-day business.

6. Notifiable Data Breach:

• The Processor shall notify the Controller without undue delay, after becoming aware of any Notifiable Data Breach (within 72 hours of becoming aware).

• The Processor shall take appropriate measures to secure the Personal Data and to limit any detrimental effect to the Data Subjects.

• The Processor will assist the Controller in meeting the Controller’s obligations under applicable law, such as informing Data Subjects and competent authorities.

• The Processor will co-operate with the Controller and provide the Controller with any information they may reasonably request relating to the breach.

7. Compliance, Cooperation and Response:

• The Processor will refer Data Subjects to the Controller, in the event of receiving a Data Subject request.

• The Processor will promptly inform the Controller of any complaints relating to the processing of Personal Data, unless the notification of such is in breach of applicable law or a court order.

• Taking into account the nature of the processing and the information available to the Processor, the Processor shall reasonably assist the Controller’s obligation to carry out any data protection impact assessments (DPIAs).

• If, due to a change in law, amendments need to be made to the DPA, then either party may provide written notice to the other party, regarding the change in law.

• The Processor will co-operate with requests from supervisory authorities (such as the ICO) and law enforcement agencies.

8. End of Service Term:

• The Processor will only process Personal Data for the term of the DPA. The term of the DPA will run alongside the Agreement and will automatically end with the termination and/or expiration of the Agreement.

• At the end of the Agreement, the Controller may choose whether they want the Processor to return or delete data (which may include Personal Data). If the Controller would like the data returned, they must download the website files or emails and save them locally.

Appendix A: Overview

Freeola Limited may act as a Data Processor in the provision of Website Hosting, Web Design and Email Services. By using one of these Services, a Data Controller may store Personal Data (including that of their Data Subjects) on Freeola's servers, according to the Agreement. Personal Data will be processed only to the extent that is required to operate the Service.

Processing Operations:

Personal Data will only be processed to the extent necessary to provide the Services in accordance with both the Agreement and Controller’s instructions. Processing operations include:

• The collection and storage of Controller credential data; so that the Services can be accessed and utilised.

• Technical support, diagnostics and error correction to ensure that systems and Services are running properly and efficiently; either in the provision of Services or in response to specific Controller queries.

• Automated antivirus, anti-spam and malware checks.

• Storage and serving of data in order to publish a website or transmit email messages.