Data Processing Addendum (DPA)

Standard data processing terms for enterprise clients engaging Clavon Solutions as a data processor.

Last updated: April 2026

1. Introduction

This Data Processing Addendum ("DPA") forms part of and supplements the services agreement (the "Agreement") between Clavon Solutions ("Processor") and the client organisation ("Controller") that has engaged Clavon Solutions to provide technology consulting, development, or related services.

This DPA sets out the terms under which Clavon Solutions processes personal data on behalf of the Controller in connection with the services, in compliance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and, where applicable, the Nigeria Data Protection Regulation (NDPR).

In the event of any conflict between this DPA and the Agreement, this DPA shall prevail with respect to the processing of personal data.

2. Definitions

In this DPA, unless the context requires otherwise, the following terms have the meanings set out below. Terms not defined here have the meanings given in the UK GDPR or the Agreement, as applicable.

"Controller" means the client organisation that determines the purposes and means of the processing of personal data and on whose behalf Clavon Solutions processes personal data under the Agreement.

"Processor" means Clavon Solutions, which processes personal data on behalf of the Controller in connection with the services provided under the Agreement.

"Personal Data" means any information relating to an identified or identifiable natural person ("Data Subject") that is processed by the Processor on behalf of the Controller in connection with the Agreement.

"Sub-processor" means any third party appointed by the Processor to process personal data on behalf of the Controller in connection with the services.

"Data Protection Laws" means all applicable legislation relating to data protection and privacy, including the UK GDPR, the Data Protection Act 2018, and the NDPR, as amended from time to time.

"Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored, or otherwise processed.

3. Scope and Purpose of Processing

The Processor shall process personal data only to the extent necessary to perform the services set out in the Agreement and strictly in accordance with the Controller's documented instructions. The Processor shall not process personal data for any other purpose unless required to do so by applicable law, in which case the Processor shall inform the Controller of that legal requirement before processing (unless prohibited from doing so by law).

The subject matter, nature, purpose, duration, types of personal data, and categories of data subjects shall be as described in the Agreement or as otherwise agreed in writing between the parties. Where the Agreement does not specify these details, the parties shall document them in a schedule to this DPA before processing begins.

4. Processor Obligations

The Processor shall:

  • Process personal data only on documented instructions from the Controller, including with respect to transfers of personal data outside the UK or EEA, unless required to do so by applicable law.
  • Ensure that all personnel authorised to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
  • Not engage any Sub-processor without the prior specific or general written authorisation of the Controller, as set out in Section 6 below.
  • Taking into account the nature of the processing, assist the Controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller's obligation to respond to Data Subject requests.
  • Assist the Controller in ensuring compliance with the Controller's obligations under Articles 32 to 36 of the UK GDPR, taking into account the nature of processing and the information available to the Processor.
  • At the choice of the Controller, delete or return all personal data to the Controller after the end of the provision of services, and delete existing copies unless applicable law requires storage of the personal data.
  • Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this DPA and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.

5. Security Obligations

The Processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. These measures shall include, as appropriate:

  • Encryption of personal data in transit and at rest where technically appropriate.
  • The ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services.
  • The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.
  • A process for regularly testing, assessing, and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
  • Access controls to limit access to personal data to those personnel who require it for the performance of the services.

In the event of a Personal Data Breach, the Processor shall notify the Controller without undue delay and in any event within 48 hours of becoming aware of the breach. The notification shall include, to the extent available, the nature of the breach, the categories and approximate number of Data Subjects and personal data records concerned, the likely consequences, and the measures taken or proposed to address the breach.

6. Sub-processors

The Controller provides general written authorisation for the Processor to engage Sub-processors, subject to the following conditions:

  • The Processor shall maintain an up-to-date list of Sub-processors, which shall be made available to the Controller upon request.
  • The Processor shall inform the Controller of any intended changes concerning the addition or replacement of Sub-processors, giving the Controller the opportunity to object to such changes within 14 days of being notified.
  • Where the Controller raises a reasonable objection, the Processor shall work with the Controller to find a mutually acceptable solution. If no solution can be found, the Controller may terminate the affected services without penalty.
  • The Processor shall impose on each Sub-processor, by way of a written contract, data protection obligations no less onerous than those set out in this DPA.
  • The Processor shall remain fully liable to the Controller for the performance of each Sub-processor's obligations.

7. Data Subject Rights Assistance

The Processor shall, taking into account the nature of the processing, assist the Controller by appropriate technical and organisational measures for the fulfilment of the Controller's obligation to respond to requests from Data Subjects exercising their rights under Data Protection Laws.

If the Processor receives a request directly from a Data Subject, the Processor shall promptly inform the Controller and shall not respond to the request without the Controller's prior written instructions, unless required by applicable law.

8. Audit Rights

The Processor shall make available to the Controller all information reasonably necessary to demonstrate compliance with the obligations set out in this DPA. The Processor shall allow for and contribute to audits, including inspections, conducted by the Controller or an independent auditor mandated by the Controller, subject to the following:

  • The Controller shall provide at least 30 days' written notice of any audit, unless a shorter notice period is required by a supervisory authority.
  • Audits shall be conducted during normal business hours and shall not unreasonably disrupt the Processor's operations.
  • The Controller shall bear the costs of any audit, unless the audit reveals a material breach of this DPA by the Processor.
  • Audit findings and any information obtained shall be treated as confidential by the Controller and its auditors.

The Processor may satisfy audit requests by providing the Controller with relevant third-party audit reports or certifications (such as SOC 2 or ISO 27001), where available, in lieu of an on-site inspection, provided they are reasonably current and address the Controller's concerns.

9. International Data Transfers

The Processor shall not transfer personal data outside the United Kingdom or the European Economic Area without the Controller's prior written consent and unless appropriate safeguards are in place in accordance with the UK GDPR. Such safeguards may include UK International Data Transfer Agreements, Standard Contractual Clauses, or transfers to countries with an adequate level of protection as determined by the UK Secretary of State.

Where personal data is processed in Nigeria, the Processor shall ensure compliance with the NDPR transfer requirements, including obtaining any necessary approvals from the Nigeria Data Protection Commission.

10. Term and Termination

This DPA shall remain in effect for the duration of the Agreement and for so long as the Processor processes personal data on behalf of the Controller. Upon termination or expiry of the Agreement, the Processor shall, at the Controller's election, either return all personal data to the Controller or securely delete all personal data within 30 days, and certify in writing that it has done so.

The Processor may retain personal data to the extent required by applicable law, provided that the Processor ensures the confidentiality of such data and processes it only for the purpose required by law.

11. Governing Law

This DPA and any disputes or claims arising out of or in connection with it, its subject matter, or its formation (including non-contractual disputes or claims) shall be governed by, and construed in accordance with, the laws of England and Wales. The courts of England and Wales shall have exclusive jurisdiction.

Contact

To request a signed copy of this DPA or to discuss data processing arrangements, please contact us:

Clavon Solutions

Website: clavonsolutions.com