DATA PROCESSING AGREEMENT (DPA)

This Data Processing Agreement ("DPA") forms part of the Master Services Agreement or Terms and Conditions (the "Agreement") between ABC Service, a company registered in England and Wales with its registered office at 69 West Street, Tavistock, Devon, PL19 8AJ ("the Processor"), and the entity purchasing services from ABC Service ("the Controller").

1. DEFINITIONS AND INTERPRETATION

1.1. In this DPA, the following terms shall have the meanings set out below:

  • "Applicable Laws" means the UK GDPR and the Data Protection Act 2018.
  • "Controller" means the entity which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data in relation to the services.
  • "Data Protection Laws" means all applicable laws relating to the processing of Personal Data and privacy, including the UK GDPR.
  • "Data Subject" means an identified or identifiable living individual to whom Personal Data relates.
  • "Personal Data" means any information relating to an identified or identifiable living individual.
  • "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.
  • "Processor" means ABC Service (or any other entity processing Personal Data on behalf of the Controller) which processes Personal Data on behalf of the Controller in relation to the services.
  • "Sub-processor" means any third party appointed by or on behalf of the Processor to process Personal Data in connection with the Agreement.
  • "UK GDPR" has the meaning given to it in section 3(10) (as supplemented by section 205(4)) of the Data Protection Act 2018.

1.2. The terms "Processing" and any related terms shall have the same meaning as set out in the UK GDPR.

2. SCOPE AND RESPONSIBILITY

2.1. This DPA applies to the Processing of Personal Data by ABC Service in the course of providing Managed IT Support, Web Hosting, and Printing services to the Controller, including where services are delivered and/or administered from 69 West Street, Tavistock, Devon, PL19 8AJ (and via the Processor’s associated systems and digital infrastructure).

2.2. The Controller shall comply with Data Protection Laws in its use of the services and its instructions for the Processing of Personal Data. The Controller shall ensure it has a valid legal basis for Processing and has provided all necessary notices to Data Subjects.

2.3. The Processor shall process Personal Data only on the documented (written) instructions of the Controller, unless required to do otherwise by Applicable Laws. Where the Processor is required by Applicable Laws to process Personal Data other than on the Controller’s instructions, the Processor shall (to the extent permitted by law) inform the Controller of that legal requirement before carrying out the Processing.

3. OBLIGATIONS OF ABC SERVICE

3.1. Processing on written instructions: The Processor shall process Personal Data only on the documented (written) instructions of the Controller (including as set out in the Agreement and this DPA), unless required to do otherwise by Applicable Laws.

3.2. Confidentiality: The Processor shall ensure that persons authorised to process the Personal Data (including its local specialists, employees, and contractors) have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

3.3. Technical and organisational measures: The Processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, taking into account the nature of the services provided at 69 West Street and through its digital infrastructure.

3.4. Assistance: Taking into account the nature of the processing, the Processor shall assist the Controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller's obligation to respond to requests for exercising Data Subject rights.

3.5. Compliance Assistance: The Processor shall provide reasonable assistance to the Controller in ensuring compliance with obligations regarding security, breach notifications, and data protection impact assessments (DPIAs), taking into account the information available to the Processor.

4. SECURITY MEASURES

4.1. Without prejudice to clause 3.3, the Processor shall maintain appropriate technical and organisational measures designed to protect Personal Data against unauthorised or unlawful Processing and against accidental loss, destruction, or damage.

4.2. The Processor’s security measures may include (as appropriate to the services provided):

  • Encryption of data in transit and/or at rest where appropriate.
  • Firewalls and anti-malware controls to protect systems and networks.
  • Secure local storage and access controls for any Personal Data stored or handled at 69 West Street, Tavistock (including reasonable physical security measures and role-based access).

4.3. The Processor may update or modify its security measures from time to time, provided that such updates do not materially decrease the overall level of security for the services.

5. SUB-PROCESSING

5.1. The Controller provides a general written authorisation to the Processor to engage reputable Sub-processors (for example, Microsoft cloud services and Tier-1 UK data centres), as required to provide the services.

5.2. The Processor shall provide the Controller with notice of any intended changes concerning the addition or replacement of Sub-processors via its website and/or direct communication, thereby giving the Controller the opportunity to object on reasonable grounds related to data protection.

5.3. Where the Processor engages a Sub-processor, it shall do so by way of a written contract which imposes the same data protection obligations as set out in this DPA.

6. PERSONAL DATA BREACH

6.1. The Processor shall notify the Controller without undue delay, and in any event within 72 hours after becoming aware of a Personal Data Breach (unless a shorter timeframe is required by Applicable Laws).

6.2. Such notification shall include, at a minimum, the nature of the breach (including, where possible, the categories and approximate number of Data Subjects and Personal Data records concerned), and the measures taken or proposed to be taken to address the breach and mitigate its possible adverse effects.

6.3. The Processor shall cooperate with and provide reasonable assistance to the Controller in relation to any investigation, notification, or remediation steps required under Data Protection Laws.

7. AUDIT RIGHTS

7.1. The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the UK GDPR.

7.2. The Processor shall allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller, under reasonable terms, provided that:
(a) the Controller gives reasonable prior written notice;
(b) audits are conducted during normal business hours;
(c) audits are limited to information and systems relevant to the Processing under the Agreement; and
(d) audits do not unreasonably disrupt ABC Service’s operations.

7.3. The Controller shall ensure that any auditor is bound by confidentiality obligations, and shall bear its own costs of any audit. The Processor may charge its reasonable costs for time spent assisting with an audit where the audit requires more than a reasonable amount of support.

8. DELETION OR RETURN OF DATA

8.1. Upon termination of the Agreement or at the Controller's request, the Processor shall, at the choice of the Controller, securely delete or return all Personal Data to the Controller and delete existing copies, unless Applicable Laws require storage of the Personal Data.

8.2. Where deletion is requested, the Processor shall take reasonable steps to ensure deletion is carried out securely (including from active systems and, where applicable, within reasonable backup retention cycles), subject to any legal or regulatory retention requirements.

9. INTERNATIONAL TRANSFERS (UK SPECIFICS)

9.1. The Processor shall ensure that Processing of Personal Data under the Agreement is carried out within the United Kingdom or the EEA, unless the Controller has specifically agreed otherwise in writing and the Processor has implemented appropriate safeguards required by Data Protection Laws.

9.2. The Processor shall not transfer Personal Data outside of the United Kingdom or the EEA unless it ensures that the transfer is conducted in accordance with Data Protection Laws (for example, by using the UK International Data Transfer Agreement and/or the UK Addendum to the EU Standard Contractual Clauses, as applicable).

10. LIMITATION OF LIABILITY

10.1. Each party’s liability for any breach of this DPA shall be subject to the limitations and exclusions of liability set out in the Agreement.

11. GOVERNING LAW

11.1. This DPA and any dispute or claim arising out of or in connection with it shall be governed by and construed in accordance with the laws of England and Wales.
ANNEX 1: DESCRIPTION OF PROCESSING

Subject Matter: The provision of IT Support, Web Hosting, Managed Services, Telecommunications, and Printing Services.

Duration of Processing: The term of the Agreement plus the period from the expiry of the term until the return or deletion of data.

Nature and Purpose of Processing: Processing necessary to provide technical support, maintain servers, host websites, facilitate telecommunications, and execute bespoke printing orders.

Types of Personal Data:

  • Contact details (Name, Address, Email, Phone Number).
  • Technical identifiers (IP addresses, login credentials for managed systems).
  • Client employee data (stored within hosted environments or managed backups).
  • Financial information (for billing purposes).

Categories of Data Subject:

  • The Controller's employees, agents, or contractors.
  • The Controller's customers or end-users.