Effective date: May 25, 2018
1.1 This agreement re processing of personal data (the ”Data Processing Agreement”) regulates DutySheet Ltd (the ”Data Processor”) processing of personal data on behalf of the customer (the ”Data Controller”) in which the parties have agreed the terms for the Data Processor’s delivery of services to the Data Controller (the ”Main Services”) as described in Appendix A.
2.1 The Data Processing Agreement shall ensure that the Data Processor complies with the applicable data protection and privacy legislation (the ”Applicable Law”), including in particular:
3.1 In connection with the Data Processor’s delivery of the Main Services to the Data Controller, the Data Processor will process certain categories and types of the Data Controller’s personal data on behalf of the Data Controller.
3.2 ”Personal data” include “any information relating to an identified or identifiable natural person” as defined in GDPR, article 4 (1) (1) (the ”Personal Data”). The categories and types of Personal Data processed by the Data Processor on behalf of the Data Controller are listed in sub-appendix A. The Data Processor only performs processing activities that are necessary and relevant to perform the Main Services. The parties shall update sub-appendix A whenever changes occur that necessitates an update.
3.3 The Data Processor shall have and maintain a register of processing activities in accordance with GDPR, article 32 (2).
3.4 The Data Processor processes information provided by either the Data Controller or the Data Subject to aid them with their volunteering. The data is only available to authenticated users who are controlled by the Data Controller. Access of data is strictly logged and is auditable.
4.1 The Data Processor may only act and process the Personal Data in accordance with the documented instruction from the Data Controller (the ”Instruction”). The Instruction at the time of entering into this Data Processor Agreement is that the Data Processor may only process the Personal Data with the purpose of delivering the Main Services as described in Appendix A.
4.2 The Data Controller guarantees that the Personal Data transferred to the Data Processor is processed by the Data Controller in accordance with the Applicable Law, including the legislative requirements re lawfulness of processing.
4.3 The Data Processor shall give notice without undue delay if the Data Processor considers the at the time being Instruction to be in conflict with the Applicable Law.
5.3 The Data Processor shall ensure that access to the Personal Data is restricted to only the users to whom it is necessary and relevant to process the Personal Data in order for the Data Processor to perform its obligations under the Main Agreement and this Data Processor Agreement.
5.4 The Data Processor shall also ensure that the Data Processor’s users processing the Personal Data only processes the Personal Data in accordance with the Instruction.
5.5 Data protection impact assessments and prior consultation
5.6 Rights of the data subjects
5.7 Personal Data Breaches
5.8 Documentation of compliance
Location of the Personal Data
6.1 The Data Processor is given general authorisation to engage third-parties to process the Personal Data (“Sub-Processors”) without obtaining any further written, specific authorization from the Data Controller, provided that the Data Processor notifies the Data Controller in writing about the identity of a potential Sub-Processor (and its processors, if any) before any agreements are made with the relevant Sub-Processors and before the relevant Sub-Processor processes any of the Personal Data. If the Data Controller wish to object to the relevant Sub-Processor, the Data Controller shall give notice hereof in writing within seven (7) calendar days from receiving the notification from the Data Processor. Absence of any objections from the Data Controller shall be deemed a consent to the relevant Sub-Processor.
6.2 The Data Processor shall conclude a written sub-processor agreement with any Sub-Processors. Such an agreement shall at minimum provide the same data protection obligations as the ones applicable to the Data Processor, including the obligations under this Data Processor Agreement. The Data Processor shall on an ongoing basis monitor and control its Sub-Processors’ compliance with the Applicable Law. Documentation of such monitoring and control shall be provided to the Data Controller if so requested in writing.
6.3 The Data Processor is accountable to the Data Controller for any Sub-Processor in the same way as for its own actions and omissions.
6.4 The Data Processor is at the time of entering into this Data Processor Agreement using the Sub-Processors listed in sub-appendix B. If the Data Processor initiates sub-processing with a new Sub-Processor, such new Sub-Processor shall be added to the list in Appendix B.
7.1 The Data Controller shall remunerate the Data Processor based on time spent to perform the obligations under section 5.5, 5.6, 5.7 and 5.8 of this Data Processor Agreement based on the Data Processor’s hourly rates.
7.2 The Data Processor is also entitled to remuneration for any time and material used to adapt and change the processing activities in order to comply with any changes to the Data Controller’s Instruction, including implementation costs and additional costs required to deliver the Main Services due to the change in the Instruction. The Data Processor is exempted from liability for non-performance with the Main Agreement if the performance of the obligations under the Main Agreement would be in conflict with any changed Instruction or if contractual delivery in accordance with the changed Instruction is impossible. This could for instance be the case; (i) if the changes to the Instruction cannot technically, practically or legally be implemented; (ii) where the Data Controller explicitly requires that the changes to the Instruction shall be applicable before the changes can be implemented; and (iii) in the period of time until the Main Agreements is changed to reflect the new Instruction and commercial terms hereof.
7.3 If changes to the Applicable Law, including new guidance or courts practice, result in additional costs to the Data Processor, the Data Controller shall indemnify the Data Processor of such documented costs.
8.1 The Main Agreement’s regulation of breach of contract and the consequences hereof shall apply equally to this Data Processor Agreement as if this Data Processor Agreement is an integrated part hereof.
8.2 Each party’s cumulated liability under this Data Processor Agreement is limited to the payments made under the Main Agreement in the 12 months before the occurrence of the circumstances leading to a breach of contract. If the Data Processor Agreement has not been in force for 12 months before the occurrence of the circumstances leading to a breach of contract, the limited liability amount shall be calculated proportionately based on the actual performed payments.
8.3 The limitation of liability does not apply to the following:
9.1 The Data processor Agreement shall remain in force until the Main Agreement is terminated.
10.1 The Data Processor’s authorization to process Personal Data on behalf of the Data Controller shall be annulled at the termination of this Data Processor Agreement.
10.2 The Data Processor shall continue to process the Personal Data for up to three months after the termination of the Data Processor Agreement to the extent it is necessary and required under the Applicable Law. In the same period, the Data Processor is entitled to include the Personal Data in the Data Processor’s backup. The Data Processor’s processing of the Data Controller’s Personal Data in the three months after the termination of this Data Processor Agreement shall be considered as being in accordance with the Instruction.
10.3 At the termination of this Data Processor Agreement, the Data Processor and its Sub-Processors shall return the Personal Data processed under this Data Processor Agreement to the Data Controller, provided that the Data Controller is not already in possession of the Personal Data. The Data Processor is hereafter obliged to delete all the Personal Data and provide documentation for such deletion to the Data Controller.
11.1 David Davies, Data Protection Officer, DutySheet Ltd, Riverbridge House, Guildford Road, Leatherhead, Surrey, KT22 9AD. dpo @ dutysheet.com
This Agreement constitutes the entire Agreement between the Parties as regards the subject matter hereof and supersedes all prior oral or written Agreements regarding such subject matter.
In any provision of this Agreement is held by a Court of competent jurisdiction to be invalid or unenforceable, such invalidity or unenforceability shall not affect the remaining provisions of this Policy, which shall remain in full force and effect.
The validity, construction and interpretation of the Agreement and any determination of the performance which it requires shall be governed by the Laws of England and the Parties hereby submit to the exclusive jurisdiction of the English Courts.
1.1 Volunteer details to enable the Data Controller to manage volunteers effectively; processing their personal details, contacting them and tracking their activities and achievements.
2.1 Until contract termination.
3.1 DutySheet processes information provided by either the Data Controller or the Data Subject to aid them with their volunteering. The data is only available to authenticated users who are controlled by the Data Controller. Access of data is strictly logged and is auditable.
4.1 Name, gender, force identification number (FIN), date of birth, phone number(s), email address(es), photo, racial or ethnic background, sexual orientation, gender, professional development plans, expenses, shifts, internal messages, IP addresses and any other additional custom attributes as set by the Data Controller via the tools available to them on DutySheet.
5.1 The Data Processor processes Personal Data about the following categories of data subjects on behalf of the Data Controller:
6.1 If a data subject leaves the organisation, their contact details are automatically cleansed after a set period of time, as determined by the Data Controller. Then, after further set period of time, their data is exported to an encrypted Excel file, stored in “deep-freeze” and completely anonymised on the live database. This allows the Data Controller access to data should a need arise for investigatory purposes. This process can be executed manually by authorised users of the Data Controller. If an organisation leaves DutySheet, the data of the Data Controller is automatically destroyed after 60 days. This data can be exported to a common format (XLSX, XML) and the retention period can be modified upon request.
1.1 The following Sub-Processors shall be considered approved by the data Controller at the time of entering into this Data Processor Agreement:
2.1 None currently.