Karuny.com – Data Processing Agreement
The following data processing agreement (referred to as “Data Processing Agreement” or this “Agreement”) is entered into between you (“the Controller”) and Karuny.com (“the Processor”).
The Controller and the Processor are individually referred to as “Party” and collectively as the “Parties”.
15 Harrowden Road
DN2 4EJ Doncaster
1.1 This Agreement forms an integral part of the agreement concerning the provision of website development services, marketing services, maintenance services, support services, webhosting services, cloud services and/or other services provided to the Controller by or on behalf of the Processor in relation to the Controller’s website platform and/or marketing platform and/or another platform (hereinafter the “Contract”). As part of the provision of the Services, the Processor may process Personal Data on behalf of the Controller.
1.2 This Agreement has been entered into by the Parties in order to regulate any such processing of Personal Data by the Processor and to ensure that such processing is carried out in compliance with the Data Protection Act 2018, which is the UK’s implementation of the General Data Protection Regulation (GDPR).
2.1 The Processor may process the Personal Data only in compliance with this agreement and in compliance with the Controller’s documented written instructions for further processing.
2.2 The data processing operations performed by the Processor on behalf of the Controller under this Agreement are the processing of Personal Data that may occur in connection with the provision of the Services rendered under the Contract, including but not limited to website development services, marketing services, maintenance services, support services, webhosting services, cloud services and/or other development/services. The Personal Data processed under this Agreement is the data processed by the Controller on their website platform and/or marketing platform and/or another platform offered by Karuny.com. The Processor will not process special categories of Personal Data (Sensitive) and/or Personal Data relating to criminal convictions or offences on behalf of the Controller under this Agreement.
2.3 The Processor is entitled to process the Personal Data only for the purpose of providing the Services and only to such an extent and in such a manner as is necessary to provide the Services.
2.4 If the Processor is a legal person, the provisions of this Agreement apply to every employee of the Processor. The Processor guarantees that its employees comply with this Agreement.
In order to provide the services, the Processor has access to platforms owned by the Controller and/or the Controller’s Social Media and/or Marketing accounts and/or other platforms and accounts controlled by the Controller.
These systems give the Processor access to the following personal data, which the Processor can process under this agreement:
- IP addresses
- Telephone numbers
- E-mail addresses
- Statistical data
The purpose of the processing is for the Processor to be able to deliver the services.
The data processed is the data of visitors to the Controller’s website, the Controller’s Mail list recipients, the application like smartcollection.co.uk and/or pictures, videos and/or contact persons named by the Controller.
The Processing of the data continues as long as the contract is in force.
If the Processor is not storing data for the Controller, all the data is on the Controller’s platforms and accounts, and as such the issue of location of storage of data rests with the Controller.
If the Processor is storing data for the Controller, they are stored in GDPR compliant datacentres. Karuny.com is using the following 2 data center providers:
Upon termination of the agreement the Processor will delete usernames and passwords after 1 month. The processor is strongly advised to change these upon termination of this agreement.
Disclosure of Personal Data
4.1 The Processor may not in any way modify, amend, or alter the contents of the Personal Data or disclose the Personal Data to any third party, unless
1) explicitly provided for in this Agreement;
2) the Controller has otherwise authorized and/or instructed the Processor in writing to do so; and/or
3) such disclosure is required by applicable legislation to which the Processor is subject.
4.2 If the disclosure falls within clause 4.1.3), the Processor must notify the Controller thereof before commencing the processing of the Personal Data, unless notification of the Controller is prohibited under Union law or the Member State law to which the Processor is subject.
5.1 The Processor must implement appropriate technical and organizational security measures to protect the Personal Data against unauthorized or unlawful processing and against accidental or unlawful loss, destruction, damage, alteration, or disclosure.
5.2 When determining the appropriate technical and organizational security measures, the Processor must take account of the current available technology and technological developments; the costs of implementation; the nature, scope, context, and purposes of the processing; and the risks of varying likelihood and severity for rights and freedoms of natural persons.
5.3 The Processor must comply with and ensure compliance by its employees with the data security requirements applying to the Processor, including without limitation (i) all security measure requirements notified to the Processor in writing, (ii) the Processor’s own internal security standards, and (iii) the national security measure requirements of the country in which the Processor is established, or in the country where the data processing takes place.
5.4 The Processor must keep the Personal Data confidential. The Processor must take reasonable steps to ensure that every employee, agent or contractor who has access to the Personal Data is reliable and trustworthy, and that they are all subject to confidentiality undertakings, professional secrecy or statutory non-disclosure obligations. The Processor must also ensure in each case that access is strictly limited to those persons who need to access the relevant Personal Data to carry out the duties assigned to them by the Processor, and that this is strictly necessary for the provision of the Services, and that all such persons:
(i) are informed of the confidential nature of the Personal Data; (ii) have received appropriate training in relation to the Data Protection Legislation; and (iii) are aware of the Processor’s obligations under this Agreement.
Transfer of Personal Data to third countries
6.1 The Processor may process or access the Personal Data from or transfer the Personal Data to any third country in accordance with the requirements set out in clause 8 (below).
6.2 If Personal Data is transferred to a third country, the Processor must ensure that the transfer is made on a legal basis, e.g. the European Commission model contracts for the transfer of personal data to third countries, before such transfer may be made by the Processor.
7.1 The Processor must assist the Controller in dealing with requests from data subjects in connection with the data subject’s exercise of his/her rights under the Data Protection Legislation, including without limitation requests for access, rectification, restriction of processing, deletion or data portability.
7.2 The Processor must, without undue delay after becoming aware thereof, notify the Controller in writing of any request from a data subject for the exercise of his/her rights received directly from the data subject or from a third party.
7.3 The Processor must implement adequate technical and organizational measures to assist the Controller in the performance of its obligation to respond to such data subject requests. The Processor must provide all information requested by the Controller within one month upon receipt of the request.
7.4 The Processor must, immediately upon becoming aware thereof, notify the Controller in writing of any suspected or confirmed (i) personal data breach; (ii) accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data processed by the Processor under this Agreement; or (iii) any other non-compliance with the Processor’s obligations under this Agreement. The Processor must cooperate with and provide assistance to the Controller in connection with the management of the personal data breach.
7.5 The Processor must assist the Controller in complying with any other obligations imposed on the Controller under the Data Protection Legislation, including without limitation upon request providing the Controller with all necessary information required to make an impact assessment.
7.6 The Processor will receive remuneration for the services rendered in relation to this clause 7 in accordance with the Processor’s standard hourly rates from time to time.
8.1 The Processor may appoint any third party to process Personal Data on behalf of the Processor (“Sub-Processor”) without the prior written consent of the Controller.
8.2 The Processor’s appointment of Sub-Processors under clause 8.1 is conditional upon the Processor:
1) carrying out adequate due diligence on each Sub-Processor to ensure that it can provide the level of protection for the processing of Personal Data as is required by this Agreement and the Data Protection Legislation;
2) including terms in the contract between the Processor and each Sub-Processor which, at a minimum, impose the same obligations on the Sub-Processor as those imposed on the Processor under this Agreement; and
3) remaining fully liable to the Controller for any failure by any Sub-Processor to perform its obligations in relation to the processing of Personal Data.
8.3 The Processor is obliged to inform the Controller of any intended changes concerning the addition or replacement of Sub-Processors.
8.4 The Controller is entitled, upon demand, to receive a copy of those parts of the Processor’s contract with the Sub-Processor which concern the Sub-Processor’s obligations relating to the processing of Personal Data under this Agreement.
Compliance with legislation, liability etc.
9.1 The Controller is obliged to ensure that there is a legal basis for the processing of the Personal Data contained in the Controller’s instructions to the Data Processor.
9.2 The Controller acknowledges that the Processor is reliant on the Controller for direction as to the extent to which the Processor is entitled to use and process the Personal Data on behalf of the Controller. Consequently, the Processor will not be liable for any claim brought by a data subject arising from any action or omission by the Processor, to the extent that such act or omission resulted directly from performing the Services in accordance with the Controller’s instructions.
9.3 The limitations on the Processor’s liability applicable under the Contract are also applicable under this Agreement.
Compliance audits and statements
10.1 At the request of the Controller, the Processor must, within a reasonable time, provide all information necessary for the Controller, a third-party auditor mandated by the Controller, or a public authority to verify compliance with this Agreement and/or the Data Protection Legislation.
10.2 The Processor is obliged, once a year and with a written notice of no less than 8 weeks, to cooperate in such compliance audit, inspection and/or review carried out by the Controller, a third-party auditor mandated by the Controller, or by a public authority concerning the processing of Personal Data under this Agreement undertaken by the Processor and any Sub-Processors.
10.3 If the Processor considers an instruction under this clause 10 to constitute a breach of the Data Protection Legislation, the Processor must promptly notify the Controller thereof in writing.
10.4 On request, the Processor will deliver a statement prepared by the Processor which demonstrates that the requirements of the Data Protection Legislation are complied with.
10.5 If the statement indicates any failure in connection with the Processor’s processing of Personal Data to comply with the Data Protection Legislation, the Processor must without undue delay remedy such failure.
10.6 The Processor will receive remuneration for the services rendered in relation to this clause 10 in accordance with the Processor’s standard hourly rates from time to time, save for the services rendered under clauses 10.4 and 10.5 for which no separate remuneration applies.
Duration and termination
11.1 This Agreement takes effect on the effective date of the Contract and will remain in effect until the Contract is terminated.
11.2 Both Parties are entitled to terminate this Agreement for convenience on the same terms as those which apply to the Contract.
11.3 This Agreement is to apply as between the Parties for as long as the Processor processes Personal Data on behalf of the Controller.
11.4 Upon termination of this Agreement, for whatever reason, the Data Processor must:
1) with the exception of paragraph 3) below, cease processing the Personal Data;
2) as requested by the Controller, (i) return to the Controller all Personal Data which is in its possession or control and all copies thereof, or (ii) destroy all copies of the same and certify to the Controller that it has done so, unless the Processor is prevented by applicable law or any public authority from destroying or returning all or part of the Personal Data, in which case the Processor must keep such data confidential, continue to process them in accordance with the terms of this Agreement and must not perform any processing other than what is necessary in order to comply with the requirements of such applicable law or the relevant public authority; and
3) at the Controller’s request against a special charge, provide the necessary transitional services to the Controller, including cooperating in good faith and as quickly as possible to facilitate the transfer of the performance of the data processing to a new data processor or back to the Controller.
11.5 If the Data Processor has not received any instructions regarding the return or the deletion of the Personal Data from the Controller one month after the termination of this Agreement, the Data Processor is entitled to delete the Personal Data.
11.6 Upon termination of this Agreement, for whatever reason, clauses 9.2, 11.3 and 16 will remain in effect indefinitely.
12.1 Except as provided for in clause 8, the Processor may not assign or otherwise transfer any or all of the Processor’s rights or obligations under this Agreement to any third party (or attempt to do so) without the prior written consent of the Controller.
13.1 The Parties agree that this Agreement constitutes the entire agreement and understanding between the Parties in respect of the subject matter hereof and supersedes any previous agreement between the Parties relating to the subject matter hereof.
13.2 In the event of any discrepancy between the provisions of this Agreement and the provisions of the Contract, the provisions of the Contract will prevail. Notwithstanding the above, the provisions of this Agreement will not apply where the Processor is subject to stricter obligations, e.g. when using the European Commission model contracts for the transfer of personal data to third countries.
14.1 The terms, provisions, obligations, or conditions of this Agreement may not be waived or amended except by a written instrument signed by both Parties.
14.2 If any provision of this Agreement is or becomes illegal, void, invalid or unenforceable, such provision must be severed from the other terms and conditions, which will continue to be valid and enforceable to the fullest extent permitted by law.
15.1 All notices required to be given under this Agreement must be in writing.
16.1 This Agreement is governed by and will be construed in accordance with UK law, without regard to its conflict of laws rules.