1.1. This Data Processing Agreement (“DPA”) is entered into between OCTY LTD (“Data Processor”) and the Customer (“Data Controller”) (together the “Parties”) and sets out the rights and obligations that apply to the Data Processor’s handling of personal data on behalf of the Data Controller. “Personal Data” shall mean personal data as defined by the GDPR.
1.2. This DPA is incorporated by reference into the Master Customer Agreement dated between the Parties (“Agreement”) for the supply of Services by the Data Processor to the Data Controller.
1.3. This DPA has been designed to ensure the Parties’ compliance with Applicable Data Protection Laws. “Applicable Data Protection Laws” shall mean all applicable federal, state and foreign data protection, privacy and data security laws, regulations, and directives, including, without limitation, the General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”) and the California Consumer Privacy Act of 2018 (“CCPA”).
1.4. The terms used in this DPA shall have the meanings set forth in this DPA. Capitalised terms not otherwise defined herein shall have the meaning given to them in the Agreement. Except as modified below, the terms of the Agreement shall remain in full force and effect.
1.5. This DPA shall not exempt the Parties from their respective obligations under Applicable Data Protection Laws.
Now therefore, in consideration of the mutual promises herein and other good and valuable consideration, the Parties to this DPA agree as follows:
2. The rights and obligations of the Data Controller and processing of personal data
2.1. The Data Controller appoints the Data Processor to process the personal data described in Appendix A.
2.2. The details on the subject matter, duration, nature and purpose of processing and the Personal Data categories and data subject types in respect of which will be subjected to processing by the Data Processor in the performance of the Services pursuant to the Agreement are specified in Appendix A.
2.3. The Data Controller shall have both the right and obligation to make decisions about the purposes and means of the processing of personal data and shall be responsible for ensuring that the processing that the Data Processor is instructed to perform is authorised in law.
3. Obligations of the Data Processor
3.1. The Data Processor shall solely be permitted to process personal data on documented instructions from the Data Controller to the extent necessary to perform its obligations under the Agreement unless processing is required under EU or Member State law to which the Data Processor is subject. In this case, and where possible to do so, the Data Processor shall inform the Data Controller of this legal requirement prior to processing unless that law prohibits such information on important grounds of public interest.
3.2. The Data Processor shall inform the Data Controller as soon as reasonably possible if the instructions, in the opinion of the Data Processor, contravene the GDPR or data protection provisions contained in other EU or Member State law.
4. Confidentiality
4.1. The Data Processor shall reasonably ensure that:
a) only those persons who are currently authorised to do so are able to access the personal data being processed on behalf of the Data Controller;
b) only persons who require access to the personal data in order to fulfil the obligations of the Data Processor to the Data Controller shall be provided with authorisation; and
c) persons authorised to process personal data on behalf of the Data Controller have undertaken to observe confidentiality or are subject to a suitable statutory obligation of confidentiality.
5. Security of processing