DDFU Data Processing Addendum
This Data Processing Addendum (“DPA”) is between:
A. The DDFU entity (“DDFU”) having entered into the Principal Agreement (as defined below)
acting on its own behalf;
B. the other party to the Principal Agreement (“Customer”).
DDFU and Customer hereinafter separately referred to as “Party” and jointly as “Parties”.
- Background; Definitions.
1.1.1. This DPA (including its Appendices and incorporations by reference) supplements and forms part of the agreement between DDFU and Customer
under which DDFU shall carry out certain Services (“Principal Agreement”) provided that the Services include the Processing of Personal Data and Data Protection Legislation applies to Customer’s use of the Services.
1.1.2. This DPA is in addition to, and does not relieve, remove, or replace either party’s
obligations under the Data Protection Legislation.
1.1.3. None of the terms and conditions of the Principal Agreement shall be waived or
modified by this DPA but if there is any conflict between any of the provisions of
this DPA and the provisions of the Principal Agreement in relation to the Processing of Personal Data, the Parties agree the provisions of this DPA shall prevail to the extent of any such conflict.
1.1.4. If there is any conflict between the provisions of this DPA and the provisions of
the Standard Contractual Clauses, the provisions of the Standard Contractual
Clauses shall prevail to the extent of any such conflict. For the avoidance of
doubt, where this DPA further specifies Sub-processor and audit rules in Sections
2.3 and 2.11, such specifications also apply in relation to, and satisfy Customer
rights under the respective provisions of the Standard Contractual Clauses.
1.1.5. The terms used in this DPA shall have the meanings set forth in this DPA.
Capitalized terms not otherwise defined herein shall have the meaning given to
them in the Principal Agreement.
1.2.1. In this DPA, the following terms shall have the meanings set out below and
cognate terms shall be construed accordingly.
A. “Affiliate” means an entity that owns or controls, is owned or
controlled by or is or under common control or ownership with a company,
where control is defined as the possession, directly or indirectly, of the
power to direct or cause the direction of management and the policies of an
entity, whether through ownership of voting securities, by contract or
B. “Data Protection Legislation” means, (i) the GDPR (and any laws of
Member States of the European Economic Area (“EEA”) implementing or
supplementing the GDPR), (ii) UK Data Protection Law and (iii) data
protection or privacy laws of Switzerland, in each case, to extent applicable
to the Processing of Personal Data under this DPA and the Principal Agreement.
C. “EEA Standard Contractual Clauses” means the EEA Controller to
Processor SCCs and EEA Processor to Processor SCCs.
D. “EEA Controller to Processor SCCs” means the clauses set out (and
also sometimes referred to as Appendix 4) which are incorporated into this
DPA by reference, as may be amended, updated or replaced from time to
E. “EEA Processor to Processor SCCs” means the clauses set out (and
also sometimes referred to as Appendix 5) which are incorporated into this
DPA by reference, as may be amended, updated or replaced from time to
F. “GDPR” means EU General Data Protection Regulation 2016/679.
G. “Restricted Transfer” means a transfer of Personal Data which,
subject to the paragraph below, is:
(1) from an exporter subject to GDPR which is only permitted in
accordance with GDPR if a Transfer Mechanism is applicable to that
transfer (“EEA Restricted Transfer”);
(2) from an exporter subject to UK Data Protection Law which is
only permitted in accordance with UK Data Protection Law if a Transfer
Mechanism is applicable to that transfer (“UK Restricted Transfer”);
(3) from an exporter subject to Data Protection Legislation
applicable in Switzerland which is only permitted under that law if a
Transfer Mechanism is applicable to that transfer (“Swiss Restricted
Transfer”). Transfers of Personal Data will not be considered a
Restricted Transfer where:
(a) the jurisdiction to which the personal data is
transferred has been approved by the European Commission under Article 45 of the GDPR or, as applicable, an equivalent provision under UK or Swiss
Data Protection Law, as ensuring an adequate level of protection
for the processing of Personal Data (an “Adequate Country”); or
(b) the transfer falls within the terms of a derogation as
set out in Article 49 of the GDPR, equivalent under Swiss Data Protection Law or the UK GDPR (as applicable).
H. “Services” means the services or products and other activities to be
supplied to or carried out by or on behalf of DDFU for the Customer
pursuant to the Principal Agreement.
I. “Standard Contractual Clauses” means each of the EEA Standard
Contractual Clauses and the UK Standard Contractual Clauses.
J. “Sub-processor” means any third party (including any DDFU Affiliate)
appointed by or on behalf of DDFU as a subcontractor to Process Personal
Data on behalf of any Customer or Customer Affiliate in connection with the
L. “Transfer Mechanism” means the Standard Contractual Clauses or
any other appropriate safeguards under article 46 of the GDPR or equivalent
under Swiss or UK Data Protection Law applicable to a relevant transfer
of Personal Data that has the effect of permitting that transfer.
M. “UK Data Protection Law” means UK GDPR (as defined in the UK
Data Protection Act 2018) and the UK Data Protection Act 2018.
N. “UK Controller to Processor SCCs” means the UK International Data
Transfer Addendum which is made up of the provisions set which are
incorporated into this DPA by reference, as may be amended, updated or
replaced from time to time, incorporating the EEA Controller to Processor
O. “UK Processor to Processor SCCs” means the UK International Data
Transfer Addendum which is made up of the provisions set out (and also
referred to sometimes as Appendix 6) which are incorporated into this DPA
by reference, as may be amended, updated or replaced from time to time,
incorporating the EEA Processor to Processor SCCs.
P. “UK Standard Contractual Clauses” means the UK Controller to
Processor SCCs and UK Processor to Processor SCCs.
1.2.2. The terms “Controller”, “Data Subject”, “Personal Data”, “Personal
Data Breach”, “Processing”, and “Processor” shall have the same meaning
as in the applicable Data Protection Legislation. The terms “Member
State”, “Supervisory Authority” and “Union” shall have the same meaning as
in the GDPR. The terms “data exporter” and “data importer” have the
meaning set out in the applicable Standard Contractual Clauses. “including”
shall mean including without limitation.
- Data Processing Obligations.
2.1. Controller and Processor of Personal Data, Appointment of Processor and Purpose of
2.1.1. DDFU will comply with all applicable requirements of the Data Protection
Legislation to the extent it imposes obligations upon DDFU as a Data Processor
and expects Customer to also comply with Data Protection Legislation.
2.1.2. This DPA applies to the extent Customer is the Controller and DDFU is the
Processor. It also applies to the extent that Customer is a Processor and DDFU is
acting as a (sub) Processor. Where the Customer is a Processor, the Customer
confirms that its instructions, including appointment of DDFU as a Processor or
(sub) Processor, have been authorized by the relevant Controller.
2.1.3. Appendix 1 of this DPA sets out the scope, nature and purpose of Processing by
DDFU, the duration of the Processing and the types of Personal Data and
categories of Data Subjects.
2.2. DDFU’s obligations with respect to the Customer.
2.2.1. DDFU will, in relation to any Personal Data it will be Processing under the
Principal Agreement and this DPA:
A. process such Personal Data solely for the purpose of providing the
B. process such Personal Data in accordance with documented and
commercially reasonable instructions from the Customer, subject to and in
accordance with the terms of the Principal Agreement;
C. ensure that the persons authorized by it to process such Personal
Data have committed themselves to confidentiality or are under an
appropriate statutory obligation of confidentiality and have received
appropriate training on their responsibilities; and
D. limit access of DDFU personnel to the Personal Data undergoing
processing to what is necessary for provision of the Services.
2.2.2. Customer agrees that the Principal Agreement (including this DPA) is its
complete documented instructions to DDFU for the Processing of Personal Data.
Additional instructions, if any, require prior written agreement between the Parties. Where in the opinion of DDFU an instruction from the Customer infringes Data Protection Legislation, it shall inform the Customer thereof (but such communication shall not constitute legal advice by DDFU). However, such obligation shall not relieve the Customer from its own responsibility for compliance with Data Protection Legislation.
2.2.3. Where DDFU is required under applicable law to process Personal Data other
than on documented instructions from the Customer, including with regard to transfers of Personal Data to a third country or an International organisation, DDFU shall use its reasonable endeavours to inform the Customer of that legal requirement before Processing, unless such information is prohibited by law on important grounds of public interest.
2.3.1. Customer provides DDFU a general authorization to engage Sub-processors.
Sub-processors may include:
(i) DDFU global Affiliate companies as exist from time to time (and their vendors); and/or (ii) any of the subcontractors that DDFU engages in connection with the provision of certain Processing activities as at the date of this Agreement. The Parties agree that the sub-processors listed at (i) and (ii) are the ‘agreed list’ for sub-processors in relation to Clause 9(a) of the EEA Standard Contractual Clauses and for the UK Standard Contractual Clauses.
2.3.2. DDFU shall Inform the Customer at least 14 days before DDFU appoints a new
or replacement Sub-processor to give the Customer opportunity to reasonably
object to the changes. DDFU must receive the notice of objection in writing from
the Customer within 14 days of DDFU informing it of the proposed changes. The
Parties agree that the name of the new or replacement Sub-processor together
with details of the processing activities it will carry out and the location of such
activities is the information the Customer requires to exercise such right. “Inform”
shall include by posting the update on a website (and providing Customer with a
mechanism to obtain notice of that update), by email or in other written form. The
parties confirm that this mechanism is not required where the new or replacement Sub-processor is a DDFU global Affiliate company.
2.3.3. The Parties agree that the Customer’s right to object shall be as set out in
this Section 2.3.3 and Section 2.3.4. Any objection raised by the Customer pursuant to Section 2.3.2 must be where the Sub-processor demonstrably fails to offer the same or a reasonably comparable level of protection as that previously applicable to the relevant Processing of Personal Data.
2.3.4. If Customer has a reasonable and legitimate reason to object to the new Sub-processor pursuant to Section 2.3.3, and DDFU is not able to provide an
alternative Sub-processor, or the Parties are not otherwise able in good faith to
achieve an alternative resolution, Customer may terminate the respective part of
the Services where the new Sub-processor is to be used by giving written notice
to DDFU no later than 30 days from the date that DDFU receives the Customer’s
notice of objection and such termination shall take effect no later than 90 days following DDFU receipt of Customer’s notice of termination. If Customer does not terminate within this 30-day period, Customer is deemed to have accepted the new Sub-processor. Any termination under this Section 2.3.4 shall be deemed to be without fault by either Party and shall be subject to the terms of the Principal Agreement (including any documents agreed pursuant to it).
2.3.5. DDFU confirms that it has entered or (as the case may be) will enter into a
written agreement with its third-party company Sub-processors incorporating
terms which are substantially similar to those set out in this DPA.
2.3.6. As between the Customer and DDFU, DDFU shall remain fully liable for all acts
or omissions of any Sub-processor appointed by it pursuant to this Section 2.3
(unless the Sub-processor acted in accordance with instructions directly or indirectly received from Customer).
2.4. Data Subjects’ Right to Information. It is the Customer’s (or the party acting as
Controller) responsibility to inform the Data Subject(s) concerned of the purposes and the legal basis for which their Personal Data will be processed at the time the
Personal Data is collected.
2.5. Exercise of Data Subjects’ Rights.
2.5.1. Taking into account the nature of the Processing, DDFU shall assist the
Customer insofar as this is possible and reasonable for the fulfilment of the
Customer’s obligation under Data Protection Legislation to respond to requests
for exercising the Data Subject’s rights of: access, rectification, erasure and
objection, restriction of processing, data portability, not to be subject to a
decision based solely on automated processing.
2.5.2. Where the Data Subjects submit requests to DDFU to exercise their rights,
DDFU shall forward these requests by email to a Customer email address on file
with DDFU. If Customer wishes for DDFU to forward Data Subject requests to
a specific email address, it shall notify DDFU of such address. DDFU shall not
respond to a Data Subject request unless and to the extent instructed by
Customer to do so.
2.6. Notification of Personal Data Breach.
2.6.1. DDFU shall notify the Customer of a Personal Data Breach without undue delay
after DDFU becoming aware of it by email to a Customer email address on file
with DDFU, along with any necessary documentation to enable the Customer,
where necessary, to notify this breach to the Data Subject and / or the competent
2.6.2. If available and taking into account the nature of the Processing, the notification
in accordance with Section 2.6.2 shall at least:
A. describe the nature of the Personal Data Breach including where
possible, the categories and approximate number of Data Subjects concerned, and the categories and approximate number of Personal Data records concerned;
B. communicate the name and contact details of the data protection
officer or other contact point where more information can be obtained;
C. describe the likely consequences of the Personal Data Breach; and
D. describe the measures taken or proposed to be taken by DDFU to
address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.
2.6.3. Where, and in so far as, it is not possible to provide the information at the same
time, the information may be provided in phases without undue further delay.
2.6.4. The Customer (or the party acting as Controller) is responsible to notify the
Personal Data Breach to the Supervisory Authority, and to the Data Subjects,
when this is required by the applicable Data Protection Legislation.
2.7. Assistance lent by DDFU to the Customer regarding Compliance with Customer’s
Obligations under the Data Protection Legislation.
2.7.1. Where requested by the Customer and to the extent required by Data
Protection Legislation, DDFU shall, taking into account the nature of processing
and the information available to DDFU, provide reasonable assistance to the
A. in carrying out data protection impact assessments; or
B. should the Customer need prior consultation with a Supervisory
2.8. Security Measures.
2.8.1. Taking into account the state of the art, the costs of implementation and the
nature, scope, context and purposes of Processing as well as the risk of varying
likelihood and severity for the rights and freedoms of natural persons, the
Customer and DDFU shall both be responsible to implement appropriate
technical and organisational measures to ensure a level of security appropriate to
2.8.2. DDFU agrees to implement the Technical and Organizational Measures in
respect of the Services.
2.8.3. Customer is responsible for implementing and maintaining privacy protections
and security measures for components that Customer or any Customer Affiliate
provides or controls. Customer shall apply the principle of data minimisation and
limit DDFU access to systems or Personal Data to only where essential for the
performance of Services. Where DDFU is performing Services on premises of the
Customer (or of any Customer Affiliate or subcontractor, agent or similar) or in
connection with access to any of their systems and data, Customer shall be
responsible for providing DDFU personnel with user authorizations and
passwords to access those systems, overseeing their use of those passwords
and terminating these as required. Customer shall not store any Personal
Data in a non-production environment unless it has production environment
equivalent controls in place.
2.9. Data Return or Destruction. Where DDFU has stored Personal Data as part of the
Services: at the end of the Service(s) upon Customer’s written instruction, DDFU
may (i) offer a data return service or (ii) following a reasonable data retention period
delete the Personal Data unless applicable law requires further storage of the
Personal Data. DDFU may charge a fee for any data return services.
2.10. The Data Protection Officer. DDFU has designated a data protection officer in
accordance with Data Protection Legislation. They can be contacted by email
2.11. Inspections and Audits.
2.11.1. The right of audit, including inspections, which the Customer may have under
Data Protection Legislation and under the Standard Contractual Clauses, is as
set out in this Section 2.11.
2.11.2. Upon written request from Customer DDFU shall, where available, provide a
copy of the latest Service Organization Control (SOC) audit report and/or other
third-party audit reports or information to demonstrate the processing activities
of DDFU relating to the Personal Data is in compliance with its obligations under
2.11.3. Customer may request evidence of DDFU relevant policies and other related
documents to verify that DDFU is complying with its obligations under this DPA.
2.11.4. Customer may conduct an on-site inspection at DDFU’s premises either by itself
or by an independent third-party auditor (not to include a competitor of DDFU)
where the information under Sections 2.11.2 and 2.11.3 has failed to verify compliance by DDFU of its obligations under this DPA or such an inspection is formally required by the Supervisory Authority.
2.11.5. General Procedure: The following Sections 2.11.6, 2.11.7 and 2.11.8 shall
apply to each of Sections 2.11.2, 2.11.3 and 2.11.4.
2.11.6. Unless otherwise mandated by a Supervisory Authority, Customer shall: (a)
give DDFU at least 30 days’ prior written notice of its intention to conduct an
audit, including inspection, under this Section 2.11; and (b) agree with DDFU the frequency and duration of these, which shall not extend beyond two consecutive business days nor be more than once per contract year.
2.11.7. Any audit, including inspections, must be conducted during local business
hours, not unreasonably disrupt DDFU business operations and not burden the
provision of services by DDFU to its customers. Customer shall limit these to remote audits or meetings with senior representatives of DDFU as far as possible and will avoid or minimise the need for an audit (including inspection), without limitation by using current certifications, other audit reports or combining them with others under the Principal Agreement. Additionally, these rights are subject to limitations set out in the Principal Agreement. Any audit, including inspections, shall be subject to DDFU’s relevant policies and procedures.
2.11.8. Conditions of confidentiality and the scope of an audit, including inspection,
shall be agreed in advance between DDFU and Customer. Customer shall provide DDFU the results of any audit, including inspection. Customer bears all expenses related to inspections and audits.
2.12. Customer Information and related Restrictions.
2.12.1. Instructions by Customer related to the Processing of Personal Data must be
provided in writing duly signed by an authorised representative of Customer.
2.12.2. Customer is responsible to have all necessary consents and notices in place
and confirms it is entitled to lawfully transfer the Personal Data to DDFU.
- International Transfers.
3.1. Personal Data may be processed in the EEA, the United Kingdom and Switzerland
(each a “Designated Country”) and in countries outside of a Designated Country
(“Other Countries”) by DDFU or its Sub-processors. The transfer to Other Countries
shall be in accordance with Data Protection Legislation (to the extent it applies).
3.2. The Parties shall have in place a Transfer Mechanism in respect of any Restricted
3.2.1. In the event of an EEA Restricted Transfer where Personal Data is transferred
from Customer as data exporter acting as a Controller or Processor (as applicable), to DDFU as data importer acting as a Processor, the Parties shall, as part of this DPA, comply with the EEA Controller to Processor SCCs where the Customer acts as a Controller and the EEA Processor to Processor SCCs where the Customer acts as a Processor.
3.2.2. In the event of a UK Restricted Transfer, where Personal Data is transferred
from Customer as data exporter acting as a Controller or Processor (as applicable) to DDFU as data importer acting as a Processor, the Parties shall, as part of this DPA, comply with the UK Controller to Processor SCCs where the Customer acts as a Controller and the UK Processor to Processor SCCs where the Customer acts as a Processor.
3.2.3. In the event of a Swiss Restricted Transfer, whereby Personal Data is
transferred from Customer as data exporter, acting as a Controller or Processor
(as applicable), to DDFU as data importer acting as a Processor, the Parties shall,
as part of this DPA, comply with the corresponding module of the EEA Standard
3.2.4. The Standard Contractual Clauses will not apply to a Restricted Transfer to the
extent that DDFU has adopted Binding Corporate Rules for Processors or an alternative recognised compliance standard for lawful Restricted Transfers.
3.3. Where pursuant to the Standard Contractual Clauses DDFU attempts to redirect a
request from a public authority, including judicial authorities (“Government Request”)
to the Customer, and/or determines that a requirement to challenge or appeal a
Government Request regarding Customer’s Personal Data exists, Customer agrees to
participate in and support such challenge as reasonably requested. Where possible,
the Customer itself will seek a protective order or other appropriate remedy in
response to the Government Request.
- General Provisions.
4.1. Execution of this DPA. Where requested by Customer, DDFU and Customer shall
execute this DPA in one or more counterparts, each of which shall be deemed an
original and all of which together shall constitute one and the same instrument. For
the purposes hereof, a facsimile or scanned copy of this DPA, including all pages
hereof, shall be deemed an original.
4.2. The Parties agree that with respect to the period on and after the date that this DPA comes into effect between the Parties (or if earlier, the mandatory date when the relevant Standard Contractual Clauses must apply), this DPA shall replace and
supersede any existing data processing addendum, attachment, exhibit or standard
contractual clauses that Customer and DDFU may have previously entered into in
connection with the Services.
- For Partner Agreements.
5.1. If the Principal Agreement relates to the resale or supply of Services with a partner under a DDFU partner programme or a partner agreement (a “Partner”), with DDFU acting as the Partner’s sub-processor under that arrangement with no direct
contractual relationship to the direct and indirect customers of the Partner which are
entitled to use the Services such as the End User or, in the case of a Partner who is an
MSP, the Beneficiary (as in each case as defined in the Principal Agreement) (hereinafter “Using Parties”), then the following provisions shall apply:
5.1.1. All references to “Customer” in this DPA shall mean the Partner;
5.1.2. Section 2.8.3 of this DPA shall be amended to read as follows: “Partner shall
procure implementation and maintenance of privacy protections and security
measures for components that Partner or any Using Parties (including Affiliates of
any of these) provides or controls. Partner shall apply the principle of data minimisation and limit DDFU access to systems or Personal Data to only where
essential for the performance of Services (and procure the same from Using Parties). Where DDFU is performing Services on premises of the Partner or Using Parties (or of an Affiliate, sub-contractor, agent or similar of any of these) or in connection with access to any of their systems and data, Partner shall be responsible for procuring provision to DDFU personnel of user authorizations and passwords to access those systems, oversight of their use of those passwords and termination of these as required. Partner shall not store any Personal Data in a non-production environment unless it has production environment equivalent controls in place (and procure the same from Using Parties).”
DETAILS OF PROCESSING OF CUSTOMER PERSONAL DATA
See Appendix 2 of this DPA for each of following: Subject matter and duration of the
Processing of Personal Data, the nature and purpose of the Processing of Personal
Data, the types of Personal Data to be processed, special categories of data (if appropriate) and the categories of Data Subject to whom the Customer Personal Data relates.
DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred
Data Subjects may include employees, contractors, business partners or other individuals having Personal Data stored, transmitted to, made available to, accessed or otherwise processed by DDFU.
Categories of personal data transferred
Customer determines the categories of Personal Data which are processed by DDFU in connection with the Services in accordance with the terms of the Principal Agreement (and documentation governed by it). Customer submits Personal Data for processing after careful evaluation of compliance with applicable laws. The Personal Data may include the following categories of data: name, phone numbers, e-mail address, time zone, address data, company name, plus any application-specific data.
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures
None. The choice and type of Personal Data that will be processed using the DDFU Services remains solely within the discretion and choice of the Customer. In selecting the Personal Data of any categories, the Customer shall ensure that such Personal Data is suitable for processing with and through the Services in compliance with applicable data protection laws. DDFU disclaims all liabilities in relation to the selection of data for use with the Services.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis)
Transfers shall be made on a continuous basis.
Nature of the processing
DDFU offers its Services, and in doing so, DDFU requires to process Personal Data.
The Personal Data is subject to the basic processing activities as set out in the
Principal Agreement which may include:
(a) use of Personal Data to provide the Services;
(b) storage of Personal Data;
(c) computer processing of Personal Data for data transmission; and
(d) other processing activities to deliver the Services.
Purpose(s) of the data transfer and further processing
See “nature of processing” above.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
The duration of the Processing of the Personal Data is set out in the Principal Agreement (and documentation governed by it) and this DPA.
Subject matter, nature and duration of the processing for transfer to (sub-) processors
DDFU partner programs and partner agreements: Where section 5 of the DPA applies:
for the purposes of these
Appendices 1, 2 and 3, categories of Personal Data shall also include that of Using
Parties (as defined in section 5 of the DPA). In Appendix 3, “Customer systems” refers
to those of the Partner and Using Parties. Notwithstanding the foregoing,
this shall not release the Partner of its obligations, either in these Appendices, the
Annexes, the DPA or otherwise, and the Partner shall remain responsible for the
decisions, acts and omissions of Using Parties, and shall procure that Using
Parties comply with the provisions of these Appendices.