DDFU Data Processing Addendum
Parties
This Data Processing Addendum (“DPA”) is between:
A. The DDFU entity (“DDFU ”) having entered into the Principal Agreement (as defined below)
acting on its own behalf;
and
B. the other party to the Principal Agreement (“Customer”).
DDFU and Customer hereinafter separately referred to as “Party” and jointly as “Parties”.

  1. Background; Definitions.
    1.1. Background.
    1.1.1. This DPA (including its Appendices and incorporations by reference) supplements and forms part of the agreement between DDFU and Customer
    under which DDFU shall carry out certain Services (“Principal Agreement”) provided that the Services include the Processing of Personal Data and Data Protection Legislation applies to Customer’s use of the Services.
    1.1.2. This DPA is in addition to, and does not relieve, remove, or replace either party’s
    obligations under the Data Protection Legislation.
    1.1.3. None of the terms and conditions of the Principal Agreement shall be waived or
    modified by this DPA but if there is any conflict between any of the provisions of
    this DPA and the provisions of the Principal Agreement in relation to the Processing of Personal Data, the Parties agree the provisions of this DPA shall prevail to the extent of any such conflict.
    1.1.4. If there is any conflict between the provisions of this DPA and the provisions of
    the Standard Contractual Clauses, the provisions of the Standard Contractual
    Clauses shall prevail to the extent of any such conflict. For the avoidance of
    doubt, where this DPA further specifies Sub-processor and audit rules in Sections
    2.3 and 2.11, such specifications also apply in relation to, and satisfy Customer
    rights under the respective provisions of the Standard Contractual Clauses.
    1.1.5. The terms used in this DPA shall have the meanings set forth in this DPA.
    Capitalized terms not otherwise defined herein shall have the meaning given to
    them in the Principal Agreement.
    1.2. Definitions.
    1.2.1. In this DPA, the following terms shall have the meanings set out below and
    cognate terms shall be construed accordingly.
    1.2.1.1. A. “Affiliate” means an entity that owns or controls, is owned or
    controlled by or is or under common control or ownership with a company,
    where control is defined as the possession, directly or indirectly, of the
    power to direct or cause the direction of management and the policies of an
    entity, whether through ownership of voting securities, by contract or
    otherwise.
    1.2.1.2. B. “Data Protection Legislation” means, (i) the GDPR (and any laws of
    Member States of the European Economic Area (“EEA”) implementing or
    supplementing the GDPR), (ii) UK Data Protection Law and (iii) data
    protection or privacy laws of Switzerland, in each case, to extent applicable
    to the Processing of Personal Data under this DPA and the Principal Agreement.
    1.2.1.3. C. “EEA Standard Contractual Clauses” means the EEA Controller to
    Processor SCCs and EEA Processor to Processor SCCs.
    1.2.1.4. D. “EEA Controller to Processor SCCs” means the clauses set out (and
    also sometimes referred to as Appendix 4) which are incorporated into this
    DPA by reference, as may be amended, updated or replaced from time to
    time.
    1.2.1.5. E. “EEA Processor to Processor SCCs” means the clauses set out (and
    also sometimes referred to as Appendix 5) which are incorporated into this
    DPA by reference, as may be amended, updated or replaced from time to
    time.
    1.2.1.6. F. “GDPR” means EU General Data Protection Regulation 2016/679.
    1.2.1.7. G. “Restricted Transfer” means a transfer of Personal Data which,
    subject to the paragraph below, is:
    1.2.1.7.1. (1) from an exporter subject to GDPR which is only permitted in
    accordance with GDPR if a Transfer Mechanism is applicable to that
    transfer (“EEA Restricted Transfer”);
    1.2.1.7.2. (2) from an exporter subject to UK Data Protection Law which is
    only permitted in accordance with UK Data Protection Law if a Transfer
    Mechanism is applicable to that transfer (“UK Restricted Transfer”);
    and/or
    1.2.1.7.3. (3) from an exporter subject to Data Protection Legislation
    applicable in Switzerland which is only permitted under that law if a
    Transfer Mechanism is applicable to that transfer (“Swiss Restricted
    Transfer”). Transfers of Personal Data will not be considered a
    Restricted Transfer where:
    1.2.1.7.3.1. (a) the jurisdiction to which the personal data is
    transferred has been approved by the European Commission under Article 45 of the GDPR or, as applicable, an equivalent provision under UK or Swiss
    Data Protection Law, as ensuring an adequate level of protection
    for the processing of Personal Data (an “Adequate Country”); or
    1.2.1.7.3.2. (b) the transfer falls within the terms of a derogation as
    set out in Article 49 of the GDPR, equivalent under Swiss Data Protection Law or the UK GDPR (as applicable).
    1.2.1.8. H. “Services” means the services or products and other activities to be
    supplied to or carried out by or on behalf of DDFU for the Customer
    pursuant to the Principal Agreement.
    1.2.1.9. I. “Standard Contractual Clauses” means each of the EEA Standard
    Contractual Clauses and the UK Standard Contractual Clauses.
    1.2.1.10. J. “Sub-processor” means any third party (including any DDFU Affiliate)
    appointed by or on behalf of DDFU as a subcontractor to Process Personal
    Data on behalf of any Customer or Customer Affiliate in connection with the
    Principal Agreement.
    1.2.1.11. L. “Transfer Mechanism” means the Standard Contractual Clauses or
    any other appropriate safeguards under article 46 of the GDPR or equivalent
    under Swiss or UK Data Protection Law applicable to a relevant transfer
    of Personal Data that has the effect of permitting that transfer.
    1.2.1.12. M. “UK Data Protection Law” means UK GDPR (as defined in the UK
    Data Protection Act 2018) and the UK Data Protection Act 2018.
    N. “UK Controller to Processor SCCs” means the UK International Data
    Transfer Addendum which is made up of the provisions set which are
    incorporated into this DPA by reference, as may be amended, updated or
    replaced from time to time, incorporating the EEA Controller to Processor
    SCCs.
    1.2.1.13. O. “UK Processor to Processor SCCs” means the UK International Data
    Transfer Addendum which is made up of the provisions set out (and also
    referred to sometimes as Appendix 6) which are incorporated into this DPA
    by reference, as may be amended, updated or replaced from time to time,
    incorporating the EEA Processor to Processor SCCs.
    1.2.1.14. P. “UK Standard Contractual Clauses” means the UK Controller to
    Processor SCCs and UK Processor to Processor SCCs.
    1.2.1.15. The terms “Controller”, “Data Subject”, “Personal Data”, “Personal
    Data Breach”, “Processing”, and “Processor”; shall have the same meaning
    as in the applicable Data Protection Legislation. The terms “Member
    State”, “Supervisory Authority” and “Union” shall have the same meaning as
    in the GDPR. The terms “data exporter” and “data importer” have the
    meaning set out in the applicable Standard Contractual Clauses. “including”
    shall mean including without limitation.
  2. Data Processing Obligations.
    2.1. Controller and Processor of Personal Data, Appointment of Processor and Purpose of
    Processing.
    2.1.1. DDFU will comply with all applicable requirements of the Data Protection
    Legislation to the extent it imposes obligations upon DDFU as a Data Processor
    and expects Customer to also comply with Data Protection Legislation.
    2.1.2. This DPA applies to the extent Customer is the Controller and DDFU is the
    Processor. It also applies to the extent that Customer is a Processor and DDFU is
    acting as a (sub) Processor. Where the Customer is a Processor, the Customer
    confirms that its instructions, including appointment of DDFU as a Processor or
    (sub) Processor, have been authorized by the relevant Controller.
    2.1.3. Appendix 1 of this DPA sets out the scope, nature and purpose of Processing by
    DDFU, the duration of the Processing and the types of Personal Data and
    categories of Data Subjects.
    2.2. DDFU’s obligations with respect to the Customer.
    2.2.1. DDFU will, in relation to any Personal Data it will be Processing under the
    Principal Agreement and this DPA:
    2.2.1.1. A. process such Personal Data solely for the purpose of providing the
    Services;
    2.2.1.2. B. process such Personal Data in accordance with documented and
    commercially reasonable instructions from the Customer, subject to and in
    accordance with the terms of the Principal Agreement;
    2.2.1.3. C. ensure that the persons authorized by it to process such Personal
    Data have committed themselves to confidentiality or are under an
    appropriate statutory obligation of confidentiality and have received
    appropriate training on their responsibilities; and
    2.2.1.4. D. limit access of DDFU personnel to the Personal Data undergoing
    processing to what is necessary for provision of the Services.
    2.2.2. Customer agrees that the Principal Agreement (including this DPA) are its
    complete documented instructions to DDFU for the Processing of Personal Data.
    Additional instructions, if any, require prior written agreement between the Parties. Where in the opinion of DDFU an instruction from the Customer infringes Data Protection Legislation, it shall inform the Customer thereof (but such communication shall not constitute legal advice by DDFU). However, such obligation shall not relieve the Customer from its own responsibility for compliance with Data Protection Legislation.
    2.2.3. Where DDFU is required under applicable law to process Personal Data other
    than on documented instructions from the Customer, including with regard to transfers of Personal Data to a third country or an International organisation, DDFU shall use its reasonable endeavours to inform the Customer of that legal requirement before Processing, unless such information is prohibited by law on important grounds of public interest.
    2.3. Sub-processing.
    2.3.1. Customer provides DDFU a general authorization to engage Sub-processors.
    Sub-processors may include:
    2.3.1.1. (i) DDFU global Affiliate companies as exist from time to time (and their vendors); and/or (ii) any of the subcontractors that DDFU engages in connection with the provision of certain Processing activities as at the date of this Agreement. The Parties agree that the sub-processors listed at (i) and (ii) is the ‘agreed list’ for sub-processors in relation to Clause 9(a) of the EEA Standard Contractual Clauses and for the UK Standard Contractual Clauses.
    2.3.2. DDFU shall Inform the Customer at least 14 days before DDFU appoints a new
    or replacement Sub-processor to give the Customer opportunity to reasonably
    object to the changes. DDFU must receive the notice of objection in writing from
    the Customer within 14 days of DDFU informing it of the proposed changes. The
    Parties agree that the name of the new or replacement Sub-processor together
    with details of the processing activities it will carry out and the location of such
    activities is the information the Customer requires to exercise such right. “Inform”
    shall include by posting the update on a website (and providing Customer with a
    mechanism to obtain notice of that update), by email or in other written form. The
    parties confirm that this mechanism is not required where the new or replacement Sub-processor is an DDFU global Affiliate company.
    2.3.3. The Parties agree that the Customer’s right to be object shall be as set out in
    this Section 2.3.3 and Section 2.3.4. Any objection raised by the Customer pursuant to Section 2.3.2 must be where the Sub-processor demonstrably fails to offer the same or a reasonably comparable level of protection as that previously applicable to the relevant Processing of Personal Data.
    2.3.4. If Customer has a reasonable and legitimate reason to object to the new Subprocessor pursuant to Section 2.3.3, and DDFU is not able to provide an
    alternative Sub-processor, or the Parties are not otherwise able in good faith to
    achieve an alternative resolution, Customer may terminate the respective part of
    the Services where the new Sub-processor is to be used by giving written notice
    to DDFU no later than 30 days from the date that DDFU receives the Customer’s
    notice of objection and such termination shall take effect no later than 90 days following DDFU receipt of Customer’s notice of termination. If Customer does not terminate within this 30-day period, Customer is deemed to have accepted the new Sub-processor. Any termination under this Section 2.3.4 shall be deemed to be without fault by either Party and shall be subject to the terms of the Principal Agreement (including any documents agreed pursuant to it).
    2.3.5. DDFU confirms that it has entered or (as the case may be) will enter into a
    written agreement with its third-party company Sub-processors incorporating
    terms which are substantially similar to those set out in this DPA.
    2.3.6. As between the Customer and DDFU, DDFU shall remain fully liable for all acts
    or omissions of any Sub-processor appointed by it pursuant to this Section 2.3
    (unless the Sub-processor acted in accordance with instructions directly or indirectly received from Customer).
    2.4. Data Subjects’ Right to Information. It is the Customer’s (or the party acting as
    Controller) responsibility to inform the Data Subject(s) concerned of the purposes and the legal basis for which their Personal Data will be processed at the time the
    Personal Data is collected.
    2.5. Exercise of Data Subjects’ Rights.
    2.5.1. Taking into account the nature of the Processing, DDFU shall assist the
    Customer insofar as this is possible and reasonable for the fulfilment of the
    Customer’s obligation under Data Protection Legislation to respond to requests
    for exercising the Data Subject’s rights of: access, rectification, erasure and
    objection, restriction of processing, data portability, not to be subject to a
    decision based solely on automated processing.
    2.5.2. Where the Data Subjects submit requests to DDFU to exercise their rights,
    DDFU shall forward these requests by email to a Customer email address on file
    with DDFU. If Customer wishes for DDFU to forward Data Subject requests to
    a specific email address, it shall notify DDFU of such address. DDFU shall not
    respond to a Data Subject request unless and to the extent instructed by
    Customer to do so.
    2.6. Notification of Personal Data Breach.
    2.6.1. DDFU shall notify the Customer of a Personal Data Breach without undue delay
    after DDFU becoming aware of it by email to a Customer email address on file
    with DDFU, along with any necessary documentation to enable the Customer,
    where necessary, to notify this breach to the Data Subject and / or the competent
    Supervisory Authority.
    2.6.2. If available and taking into account the nature of the Processing, the notification
    in accordance with Section 2.6.2 shall at least:
    2.6.2.1. A. describe the nature of the Personal Data Breach including where
    possible, the categories and approximate number of Data Subjects concerned, and the categories and approximate number of Personal Data records concerned;
    2.6.2.2. B. communicate the name and contact details of the data protection
    officer or other contact point where more information can be obtained;
    2.6.2.3. C. describe the likely consequences of the Personal Data Breach; and
    2.6.2.4. D. describe the measures taken or proposed to be taken by DDFU to
    address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.
    2.6.3. Where, and in so far as, it is not possible to provide the information at the same
    time, the information may be provided in phases without undue further delay.
    2.6.4. The Customer (or the party acting as Controller) is responsible to notify the
    Personal Data Breach to the Supervisory Authority, and to the Data Subjects,
    when this is required by the applicable Data Protection Legislation.
    2.7. Assistance lent by DDFU to the Customer regarding Compliance with Customer’s
    Obligations under the Data Protection Legislation.
    2.7.1. Where requested by the Customer and to the extent required by Data
    Protection Legislation, DDFU shall, taking into account the nature of processing
    and the information available to DDFU, provide reasonable assistance to the
    Customer:
    2.7.1.1. A. in carrying out data protection impact assessments; or
    2.7.1.2. B. should the Customer need prior consultation with a Supervisory
    Authority.
    2.8. Security Measures.
    2.8.1. Taking into account the state of the art, the costs of implementation and the
    nature, scope, context and purposes of Processing as well as the risk of varying
    likelihood and severity for the rights and freedoms of natural persons, the
    Customer and DDFU shall both be responsible to implement appropriate
    technical and organisational measures to ensure a level of security appropriate to
    the risk.
    2.8.2. DDFU agrees to implement the Technical and Organizational Measures in
    respect of the Services.
    2.8.3. Customer is responsible for implementing and maintaining privacy protections
    and security measures for components that Customer or any Customer Affiliate
    provides or controls. Customer shall apply the principle of data minimisation and
    limit DDFU access to systems or Personal Data to only where essential for the
    performance of Services. Where DDFU is performing Services on premises of the
    Customer (or of any Customer Affiliate or subcontractor, agent or similar) or in
    connection with access to any of their systems and data, Customer shall be
    responsible for providing DDFU personnel with user authorizations and
    passwords to access those systems, overseeing their use of those passwords
    and terminating these as required. Customer shall not store any Personal
    Data in a non-production environment unless it has production environment
    equivalent controls in place.
    2.9. Data Return or Destruction. Where DDFU has stored Personal Data as part of the
    Services: at the end of the Service(s) upon Customer’s written instruction, DDFU
    may (i) offer a data return service or (ii) following a reasonable data retention period
    delete the Personal Data unless applicable law requires further storage of the
    Personal Data. DDFU may chargé a fee for any data return services.
    2.10. The Data Protection Officer. DDFU has designated a data protection officer in
    accordance with Data Protection Legislation. They can be contacted by email
    via legal@ddfu.org.
    2.11. Inspections and Audits.
    2.11.1.The right of audit, including inspections, which the Customer may have under
    Data Protection Legislation and under the Standard Contractual Clauses, are as
    set out in this Section 2.11.
    2.11.2. Upon written request from Customer DDFU shall, where available, provide a
    copy of the latest Service Organization Control (SOC) audit report and/or other
    third-party audit reports or information to demonstrate the processing activities
    of DDFU relating to the Personal Data is in compliance with its obligations under
    this DPA.
    2.11.3. Customer may request evidence of DDFU relevant policies and other related
    documents to verify that DDFU is complying with its obligations under this DPA.
    2.11.4.Customer may conduct an on-site inspection at DDFU’s premise either by itself
    or by an independent thirdparty auditor (not to include a competitor of DDFU)
    where the information under Sections 2.11.2 and 2.11.3 has failed to verify compliance by DDFU of its obligations under this DPA or such an inspection is formally required by the Supervisory Authority.
    2.11.5. General Procedure: The following Sections 2.11.6, 2.11.7 and 2.11.8 shall
    apply to each of Sections 2.11.2, 2.11.3 and 2.11.4.
    2.11.6. Unless otherwise mandated by a Supervisory Authority, Customer shall: (a)
    give DDFU at least 30 days’ prior written notice of its intention to conduct an
    audit, including inspection, under this Section 2.11; and (b) agree with DDFU the frequency and duration of these, which shall not extend beyond two consecutive business days nor be more than once per contract year.
    2.11.7. Any audit, including inspections, must be conducted during local business
    hours, not unreasonably disrupt DDFU business operations and not burden the
    provision of services by DDFU to its customers. Customer shall limit these to remote audits or meetings with senior representatives of DDFU as far as possible and will avoid or minimise the need for an audit (including inspection), without limitation by using current certifications, other audit reports or combining them with others under the Principal Agreement. Additionally, these rights are subject to limitations set out in the Principal Agreement. Any audit, including inspections, shall be subject to DDFU’s relevant policies and procedures.
    2.11.8. Conditions of confidentiality and the scope of an audit, including inspection,
    shall be agreed in advance between DDFU and Customer. Customer shall provide DDFU the results of any audit, including inspection. Customer bears all expenses related to inspections and audits.
    2.12. Customer Information and related Restrictions.
    2.12.1. Instructions by Customer related to the Processing of Personal Data must be
    provided in writing duly signed by an authorised representative of Customer.
    2.12.2. Customer is responsible to have all necessary consents and notices in place
    and confirms it is entitled to lawfully transfer the Personal Data to DDFU.
  3. International Transfers.
    3.1. Personal Data may be processed in the EEA, the United Kingdom and Switzerland
    (each a “Designated Country”) and in countries outside of a Designated Country
    (“Other Countries”) by DDFU or its Sub-processors. The transfer to Other Countries
    shall be in accordance with Data Protection Legislation (to the extent it applies).
    3.2. The Parties shall have in place a Transfer Mechanism in respect of any Restricted
    Transfer:
    3.2.1. In the event of an EEA Restricted Transfer where Personal Data is transferred
    from Customer as data exporter acting as a Controller or Processor (as applicable), to DDFU as data importer acting as a Processor, the Parties shall, as part of this DPA, comply with the EEA Controller to Processor SCCs where the Customer acts as a Controller and the EEA Processor to Processor SCCs where the Customer acts as a Processor.
    3.2.2. In the event of a UK Restricted Transfer, where Personal Data is transferred
    from Customer as data exporter acting as a Controller or Processor (as applicable) to DDFU as data importer acting as a Processor, the Parties shall, as part of this DPA, comply with the UK Controller to Processor SCCs where the Customer acts as a Controller and the UK Processor to Processor SCCs where the Customer acts as a Processor.
    3.2.3. In the event of a Swiss Restricted Transfer, whereby Personal Data is
    transferred from Customer as data exporter, acting as a Controller or Processor
    (as applicable), to DDFU as data importer acting as a Processor, the Parties shall,
    as part of this DPA, comply with the corresponding module of the EEA Standard
    Contractual Clauses.
    3.2.4. The Standard Contractual Clauses will not apply to a Restricted Transfer to the
    extent that DDFU has adopted Binding Corporate Rules for Processors or an alternative recognised compliance standard for lawful Restricted Transfers.
    3.3. Where pursuant to the Standard Contractual Clauses DDFU attempts to redirect a
    request from a public authority, including judicial authorities (“Government Request”)
    to the Customer, and/or determines that a requirement to challenge or appeal a
    Government Request regarding Customer’s Personal Data exists, Customer agrees to
    participate in and support such challenge as reasonably requested. Where possible,
    the Customer itself will seek a protective order or other appropriate remedy in
    response to the Government Request.
  4. General Provisions.
    4.1. Execution of this DPA. Where requested by Customer, DDFU and Customer shall
    execute this DPA in one or more counterparts, each of which shall be deemed an
    original and all of which together shall constitute one and the same instrument. For
    the purposes hereof, a facsimile or scanned copy of this DPA, including all pages
    hereof, shall be deemed an original.
    4.2. The Parties agree that with respect to the period on and after the date that this DPA comes into effect between the Parties (or if earlier, the mandatory date when the relevant Standard Contractual Clauses must apply), this DPA shall replace and
    supersede any existing data processing addendum, attachment, exhibit or standard
    contractual clauses that Customer and DDFU may have previously entered into in
    connection with the Services.
  5. For Partner Agreements.
    5.1. If the Principal Agreement relates to the resale or supply of Services with a partner under an DDFU partner programme or a partner agreement (a “Partner”), with DDFU acting as the Partner’s sub-processor under that arrangement with no direct
    contractual relationship to the direct and indirect customers of the Partner which are
    entitled to use the Services such as the End User or, in the case of a Partner who is an
    MSP, the Beneficiary (as in each case as defined in the Principal Agreement) (hereinafter “Using Parties”), then the following provisions shall apply:
    5.1.1. All references to “Customer” in this DPA shall mean the Partner;
    5.1.2. Section 2.8.3 of this DPA shall be amended to read as follows: “Partner shall
    procure implementation and maintenance of privacy protections and security
    measures for components that Partner or any Using Parties (including Affiliates of
    any of these) provides or controls. Partner shall apply the principle of data minimisation and limit DDFU access to systems or Personal Data to only where
    essential for the performance of Services (and procure the same from Using Parties). Where DDFU is performing Services on premises of the Partner or Using Parties (or of an Affiliate, sub-contractor, agent or similar of any of these) or in connection with access to any of their systems and data, Partner shall be responsible for procuring provision to DDFU personnel of user authorizations and passwords to access those systems, oversight of their use of those passwords and termination of these as required. Partner shall not store any Personal Data in a non-production environment unless it has production environment equivalent controls in place (and procure the same from Using Parties).”

    APPENDIX 1
    DETAILS OF PROCESSING OF CUSTOMER PERSONAL DATA
    See Appendix 2 of this DPA for each of following: Subject matter and duration of the
    Processing of Personal Data, the nature and purpose of the Processing of Personal
    Data, the types of Personal Data to be processed, special categories of data (if appropriate) and the categories of Data Subject to whom the Customer Personal Data relates.

    APPENDIX 2
    DESCRIPTION OF TRANSFER
    Categories of data subjects whose personal data is transferred Data Subjects may
    include employees, contractors, business partners or other individuals having Personal
    Data stored, transmitted to, made available to, accessed or otherwise processed by
    DDFU. Categories of personal data transferred Customer determines the categories of Personal Data which are processed by DDFU in connection with the Services in accordance with the terms of the Principal Agreement (and documentation governed
    by it). Customer submits Personal Data for processing after careful evaluation of compliance with applicable laws. The Personal Data may include the following categories of data: name, phone numbers, e-mail address, time zone, address data, company name, plus any application-specific data. Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures. None. The choice and type of Personal Data that will be processed using the DDFU Services remains solely within the discretion and choice of the Customer. In selecting the Personal Data of any categories, the Customer shall ensure that such Personal Data is suitable for processing with and through the Services in compliance with applicable data protection laws. DDFU disclaims all liabilities in relation to the selection of data for use with the Services. The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis). Transfers shall be made on a continuous basis.

    Nature of the processing
    DDFU offers its Services, and in doing so, DDFU requires to process Personal Data.
    The Personal Data is subject to the basic processing activities as set out in the
    Principal Agreement which may include:
    (a) use of Personal Data to provide the Services;
    (b) storage of Personal Data;
    (c) computer processing of Personal Data for data transmission; and
    (d) other processing activities to deliver the Services.
    Purpose(s) of the data transfer and further processing
    See “nature of processing” above.
    The period for which the personal data will be retained, or, if that is not possible, the
    criteria used to determine that period The duration of the Processing of the Personal Data is set out in the Principal Agreement (and documentation governed by it) and this DPA.
    Subject matter, nature and duration of the processing for transfer to (sub-) processors
    As above.
    DDFU partner programs and partner agreements: Where section 5 of the DPA applies:
    for the purposes of these
    Appendices 1, 2 and 3, categories of Personal Data shall also include that of Using
    Parties (as defined in section 5 of the DPA). In Appendix 3, “Customer systems” refers
    to those of the Partner and Using Parties. Notwithstanding the foregoing,
    this shall not release the Partner of its obligations, either in these Appendices, the
    Annexes, the DPA or otherwise, and the Partner shall remain responsible for the
    decisions, acts and omissions of Using Parties, and shall procure that Using
    Parties comply with the provisions of these Appendices.