Data Processing Agreement


Effective From 8th November 2022

This Data Processing Agreement (the “DPA”) forms part of either the Clearvision Terms of Service or the Master Services Agreement the Parties have executed (the “Agreement”) between Clearvision (CM) 2005 Limited (“Clearvision”) and the customer so defined in the Agreement as Client or You, herein (the “Client”), each a “Party” and collectively the “Parties”. This DPA reflects the Parties’ agreement with regard to the processing of personal data in accordance with Applicable Data Protection Law (as defined below).

All capitalised terms not defined herein shall have the meaning set forth in the Agreement.

To the extent that the terms of this DPA and the Agreement conflict, the terms of this DPA prevail.

This DPA will automatically expire on the termination date (however so triggered) or expiration date of the Agreement, whichever is earlier. 

WHEREAS, in rendering the Services Clearvision may be provided with, or have access to, information of the Client that may qualify as Personal Data within the meaning of the UK General Data Protection Regulation (“UK GDPR”), the Data Protection Act 2018 (“DPA 2018”) and other applicable data protection laws and provisions.

WHEREAS, the Parties agree that they would like to use this DPA as the required contractual processing agreement.

NOW, THEREFORE, in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals in relation to the Personal Data specified in Annex 1, the Parties have entered into this DPA as follows: 

1. Definitions

In this Agreement, the following words and expressions will have the following meanings: 

1.1 “Applicable Law/s” means all applicable laws (including decisions) and guidance by relevant supervisory authorities relating to data protection, the Processing of Personal Data and privacy, including the General Data Protection Regulation (EU) 2016/679 and the Data Protection Act 2018;

and references to “Data Controller”, “Data Subject”, “Personal Data”, “Process”, “Processed”, “Processing”, “Data Protection Officer”, “Data Processor” and “Personal Data Breach” have the meanings set out in, and will be interpreted in accordance with, such Applicable Law/s.

1.2 “Controller” has the meaning defined in Article 4 of the General Data Protection Regulation;

1.3 “Personal Data” has the meaning defined in Article 4 of the General Data Protection Regulation;

1.4 “Processor” has the meaning defined in Article 4 of the General Data Protection Regulation;

1.5 “Processing” has the meaning defined in Article 4 of the General Data Protection Regulation.

2. Background

2.1 Clearvision provides Services to the Client which may involve the Processing of Personal Data by Clearvision on behalf of the Client. This may include Personal Data relating to the Client, its personnel and where applicable, its clients or other individuals with whom the Client deals in the course of its business as relevant to the Services (“Relevant Data Subjects”). Further information on the subject matter, nature, purpose and duration of Processing in relation to the provision of Services can be found in the applicable Statement of Work.

3. Description of processing

3.1 The Processing to be carried out by Clearvision is as follows:

a. the subject matter of the Processing is as described in clause 2.1;

b. the duration of the Processing will be throughout the period within which Clearvision performs the Services;

c. the nature of the Processing is described in clause 2.1;

d. the purpose of the Processing is to enable Clearvision to perform the Services to the Client;

e. the Personal Data Processed will be any Personal Data of the Relevant Data Subjects provided in order to enable or facilitate the provision of the Services by Clearvision as described in clause 2.1, and the categories of data subjects are the Relevant Data Subjects; and

f. the obligations and rights of the data Controller are set out below.

4. Compliance with Data Protection Legislation

4.1 Each of the Client and Clearvision represents and warrants that it will comply with, and ensure that its employees and/or subcontractors comply with, the Data Protection Legislation in Processing Personal Data in connection with the Services.

5. Relationship of the Parties

5.1 In relation to the Processing of Personal Data in connection with the Services, the Parties acknowledge and agree that:

a. Client is the data Controller; and

b. Clearvision is the data Processor.

5.2 The Client instructs Clearvision to Process Personal Data where this is necessary to deliver the Services provided by Clearvision.

5.3 Clearvision agrees that it will Process the Personal Data in accordance with these DP Terms.

6. Processing of Personal Data by Clearvision

6.1 In relation to the Processing of Personal Data in connection with the Services Clearvision shall:

a. Process the Personal Data (including when making an international transfer of the Personal Data) only for the purpose of and to the extent necessary for provision of the Services and then only in accordance with:

i. these DP Terms; and

ii. the Client’s written instructions from time to time, unless otherwise required by law. Where Clearvision is required by law to Process the Personal Data otherwise than as provided by these DP Terms, it will notify the Client before carrying out the Processing concerned (unless the law also prevents Clearvision from doing so for reasons of important public interest);

b. implement appropriate technical and organisational measures to ensure a level of security appropriate to the risks that are presented by the Processing, in particular protection against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data transmitted, stored or otherwise Processed under these DP Terms, as set forth in Annex 1;

c. take all reasonable steps to ensure that only authorised personnel have access to the Personal Data and that any persons whom it authorises to have access to the Personal Data will respect and maintain all due confidentiality in relation to the Personal Data (including by means of an appropriate contractual duty of confidentiality where the persons concerned are not already under such a duty under the law);

d. not engage any sub-processors in the performance of the Services without the prior written consent of the Client and otherwise in accordance with clause 7 at all times;

e. not do, or omit to do, anything, which would cause the Client to be in breach of its obligations under the Data Protection Legislation;

f. immediately notify the Client if, in Clearvision’s opinion, any instruction given to Clearvision infringes the Data Protection Legislation;

g. where applicable in respect of any Personal Data Processed in relation to the Services, co-operate with and assist the Client in ensuring compliance with:

i. the Client’s obligations to respond to requests from data subject(s) seeking to exercise their rights under Chapter 3 of the General Data Protection Regulation, including by notifying the Client of any written subject access requests Clearvision receives relating to the Client’s obligations under the Data Protection Legislation; and

ii. the Client’s obligations under Articles 32 – 36 of the General Data Protection Regulation to:

  • ensure the security of the Processing; 
  • notify the relevant supervisory authority, and any data subjects(s), where relevant, of any breaches relating to Personal Data;
  • carry out any data protection impact assessments (each a “DPIA”) of the impact of the Processing on the protection of Personal Data; and
  • consult the relevant supervisory authority prior to any Processing where a DPIA indicates that the Processing would result in a high risk in the absence of measures taken by the Client to mitigate the risk.

h. provide assistance where reasonably required by the Client in relation to the fulfilment of the Client’s obligations to co-operate with the relevant supervisory authority under Article 31 of the General Data Protection Regulation.

7. Sub-processors

7.1 Clearvision will ensure that any sub-processor it engages to provide any services on its behalf in connection with the Services does so only on the basis of a written contract which imposes on such sub-processor terms equivalent to those imposed on Clearvision under these DP Terms or such other alternative terms as may be agreed with the Client (the “Relevant Terms”). Clearvision shall procure the performance by the sub-processor of the Relevant Terms and shall be directly liable to the Client for:

a. any breach by the sub-processor of any of the Relevant Terms;

b. any act or omission of the sub-processor which causes:

i. Clearvision to be in breach of these DP Terms; or

ii. Client or Clearvision to be in breach of the Data Protection Legislation.

7.2 Where the Client has given a general authorisation to Clearvision to engage sub-processors, then prior to engaging a new sub-processor under the general authorisation Clearvision will notify the Client of any changes that are made that would affect that general authorisation and give the Client an opportunity to object to them.

7.3 Notwithstanding clauses 7.1 and 7.2, it is agreed Clearvision shall be permitted to transfer Personal Data to such sub-processors as are set forth in the Privacy Policy.

8. Monitoring and audit

8.1 The Client is entitled to monitor and audit Clearvision’s compliance with the Data Protection Legislation and its obligations in relation to data Processing in connection with the Services at any time during normal business hours. Clearvision agrees to provide the Client promptly with all access, assistance and information that is reasonably necessary to enable the monitoring and audits concerned. If the Client believes that an on-site audit is necessary, Clearvision agrees to give the Client reasonable access to its premises (subject to any reasonable confidentiality and security measures), and to any stored Personal Data and data Processing programs it has on-site. The Client is entitled to have the audit carried out by a third party.

9. International transfers

9.1 Clearvision may transfer Personal Data internationally, including outside the EEA, and to any third party located internationally (including to all affiliates in the Eficode OY group of companies) where it is permitted to do so for that transfer under Articles 44 to 49 of the General Data Protection Regulation.

9.2 For the purposes hereof, it is agreed that Clearvision shall be permitted to transfer Personal Data internationally, including outside the EEA, and to such third parties located outside the EEA as set forth in the Privacy Policy provided the appropriate safeguard mechanisms remain in place.

10. Completion of services

10.1 Upon completion of the Services, Clearvision will at the Client’s discretion, on receipt of the Client’s written instruction, delete or return to the Client, all Personal Data (including copies) Processed in connection with the Services, except to the extent that Clearvision is required by law to retain any copies of the Personal Data and save to the extent that Clearvision receives instructions to the contrary from any applicable data subject(s). 

Annex 1 – Technical and Organisational Measures, Key Controls

1 Certifications

1.1 Clearvision has achieved and maintains the following certifications:

a. ISO 27001 Information Security Standard; and

b. Cyber Essentials

2 Information Security Management System

2.1 Clearvision’s Information Security Management System details:

a. Policy;

b. Governance;

c. Process and procedure;

d. Roles and responsibilities;

e. Assurance and audit process;

f. Risk assessment and management; and

g. Improvement plans.

3 Physical security

3.1 Clearvision’s key measures to prevent physical unauthorised access to Clearvision premises and with regard to the data centres utilised by Clearvision include:

a. ISO 27001 certified data centres;

b. the fitting of appropriate locks and other physical entry controls on doors and windows;

c. surveillance facilities;

d. CCTV;

e. physically securing devices containing Personal Data, e.g. in a locked cupboard/drawer;

f. ensuring control of removable media;

g. secure disposal of physical assets; and

h. access control system including logging of visitors.

4 System access security

4.1 Clearvision’s key measures to prevent unauthorised system access to Clearvision’s IT systems include:

a. password procedures;

b. central management of access;

c. auditing of user access;

d. monitoring of suspicious activity; and

e. joiner/leaver processes managed by IT admins and HR.

5 Data access security

5.1 Clearvision’s key measures to prevent unauthorised data access include:

a. principle of least privilege applied;

b. role based access; and

c. management of logged access requests.

6 Vulnerability management

6.1 Clearvision’s key measures to prevent exploitation of technological vulnerabilities include:

a. software installation restricted to approved software only;

b. application of patching policy;

c. email threat management;

d. internet browser threat management;

e. awareness training;

f. virus scanning; and

g. utilisation of Amazon GuardDuty on AWS estate.

7 Awareness, training, and personnel

7.1 Clearvision’s key measures to prevent personnel vulnerabilities include:

a. performing reference checks on all new personnel;

b. induction training to include information security/data protection;

c. signed acceptance of compliance to information security policies;

d. refresher training conducted at least annually; and

e. clear job description including information security responsibilities. 

8 Incident management and business continuity

8.1 Clearvision’s key measures to prevent and manage incidents and business continuity events include:

a. incident management policies and procedures;

b. incident management training;

c. incident management key personnel;

d. business continuity plan including key personnel, external contacts and contingency plans;

e. incident and business continuity testing; and

f. continued improvement.

9 Audit

9.1 Clearvision applies a program of regular external and internal audits to monitor and enforce compliance with its security and data protection policies and procedures.
