Data Processing Agreement

DATED: 24-3-2023

CHIDEM LTD 

T/A SKIN MASTERCLASS

This Data Processing Agreement with appendices (the "Agreement") has been entered between:

(1)   The Controller: You (the "Controller"); and

(2)   The Processor: Chidem Limited t/a Skin Masterclass of Lote Tree House, Horton Cum Studley, Oxfordshire, United Kingdom, OX33 1AW and registered company number 08301240 (the "Processor"),

each a "Party" and collectively, the "Parties".

1.      BACKGROUND

1.1.     The Agreement forms part of Chidem Limited T/A Skin Masterclass's terms and conditions (the "Existing Agreement") and sets out the additional terms, requirements and conditions on which the Processor will Process Personal Data (each as defined below) when fulfilling its obligations under the Terms. The Agreement contains the mandatory clauses required by Article 28(3) of the retained EU law version of the General Data Protection Regulation ((EU) 2016/679) for contracts between controllers and processors (the "UK GDPR"). This document was drafted by GZ Legal (www.gzlegal.co.uk).

1.2.     The Agreement contains the following appendices:

  • List of sub-processors

  • Technical and organisational security measures

  • Contact details

2.      DEFINITIONS

The terms used in this Agreement shall have the same meaning as ascribed to them in Article 4 of the UK GDPR.

"Anonymised Data" means any Personal Data or Special Category Personal Data, which has been anonymised such that the Data Subject to whom it relates cannot be identified.

"Applicable Law" refers to the legislation applicable to the Processing of Personal Data, including the UK GDPR, supplementary national legislation, as well as practices, guidelines and recommendations issued by the Supervisory Authority. 

"Controller" means the company / organisation that decides for what purposes and in what way Personal Data is to be processed and is responsible for the processing of Personal Data in accordance with applicable data protection legislation.

"Data Subject" means the natural person whose Personal Data is processed. 

"Personal Data" means any kind of information that can be derived from an identifiable natural person (in the Agreement, "Personal Data" is used synonymously with "personal data for which the Controller is responsible and that is processed by the Processor on behalf of the Controller"). 

"Processing" means any operation or set of operations which is performed on Personal Data, for example, storage, modification, reading, handover and similar. 

"Processor" means the company / organisation that processes Personal Data on behalf of the Controller and can therefore only process the Personal Data according to the instructions of the Controller and Applicable Law.

"Special Category Personal Data" means any information that reveals ethnic origin, political views, religious or philosophical beliefs, trade union membership, genetic data, biometric data to uniquely identify a natural person, health information or information about a physical person's sexual life or sexual orientation.

"Supervisory Authority" means the Information Commissioner's Office or another supervisory authority which on the basis of law has the authority to conduct supervisory activities over the Controller's operation.

Unless otherwise defined herein, all capitalised terms (definitions) used in this Agreement shall have the same meaning as ascribed to them in the Existing Agreement.

3.      DESCRIPTION OF PROCESSING

3.1.     Categories of Data Subjects

The Controller directs the Processor to process data that identifies the Controller's:

  • Customers

  • Members

  • Users

  • Consultants

3.2.     Categories of Personal Data

The Processor will process the following personal data on behalf of the Controller:

  • Contact details

  • Data that arise through communication

  • User-generated data

  • Customer segment

  • Preferences/interest

  • Purchase information

  • Order and delivery information

  • Genetic data

  • Health information

  • Photographs

3.3.     Source

The Processor will access the Personal Data from the following sources:

  • The Controller, who collects the Personal Data directly from the Data Subject and makes it available to the Processor via the Processor’s Site

3.4.     The purpose of the processing of Personal Data (the "Purpose")

The Processor will process the personal data for the following purposes:

  • To arrange events or similar marketing or social opportunities

  • To evaluate and follow up customer usage of a product or webpage

  • To generate statistics and/or carry out analysis

  • To provide product advice and recommendations to the Controller for the benefit of the Data Subject and for other marketing purposes

3.5.     Processing of Personal Data

The Processor will process Personal Data in the following ways:

  • Collection of Personal Data

  • Storing of Personal Data

  • Organisation of Personal Data

  • Computation of Personal Data

  • Adjustment or merging of Personal Data

  • Address information to send parcel/goods/other

  • Analysis of Personal Data

  • Anonymisation of Personal Data

4.      SPECIFIC UNDERTAKING OF THE PROCESSOR

4.1.     The Processor undertakes to consider and observe the principles for processing Personal Data set out in Article 5 of the GDPR in connection with each and every Processing.

4.2.     By entering into this Agreement, the Processor guarantees that the Controller does not need to take any additional measure to ensure that the Processor meets the requirements for expertise, reliability and resources to carry out the technical and organisational measures required by Applicable Law.

4.3.     The Processor undertakes to only process Personal Data in accordance with the Agreement, the purposes set out in the Existing Agreement, the Controller's documented instructions and Applicable Law.

4.4.     The Processor undertakes to ensure that when processing Personal Data for anonymisation purposes, all personal identifiers are removed to the extent that resulting Anonymised Data cannot be de-anonymised by the Processor or any third party. The Controller acknowledges and agrees that the Processor may, only in the circumstances where this criterion has been met, sell the Anonymised Data to third parties in accordance with this Agreement.

4.5.     Upon the Controller's request, the Processor shall (i) (by using the appropriate technical and organisational measures) assist the Controller in its duty to respond to the request for the exercise of the rights of Data Subjects and (ii) with regards to the type of processing and available information, carry out Data Protection Impact Assessments (DPIA) and participate in consultations with Supervisory Authorities in accordance with Applicable Law.

4.6.     If the Processor violates Applicable Law by independently determining the purposes and means of the Processing (e.g. processing the Personal Data for purposes other than the Purpose), the Processor shall be regarded as the controller for the new Processing. To clarify, any new Processing shall not affect the Processing made in accordance with this Agreement. 

4.7.     If there is a conflict between the Controller's instructions and Applicable Law, the Processor has the right to refrain from complying with such instructions. The Processor shall inform the Controller immediately if it considers that the instructions provided by the Controller are incomplete, inadequate or incorrect.

5.      SPECIFIC UNDERTAKINGS OF THE CONTROLLER

5.1.     The Controller determines the purpose and means for the Processing of the Personal Data. The Controller has full ownership and the formal control of the Personal Data Processed by the Processor.

5.2.     The Controller is responsible to the Data Subject for the Processing of the Personal Data.

5.3.     The Controller is responsible for ensuring it has obtained explicit consent from the Data Subject for collecting, and sharing with the Processor, their Personal Data or Special Category Personal Data.

5.4.     When obtaining consent of the Data Subject in accordance with 5.3, the Controller undertakes to inform the Data Subject via a privacy policy of the method and purpose of the Processing, which includes the anonymisation of their Personal Data and Special Category Personal Data and the sale of that Anonymised Data by the Processor to third parties.

5.5.     The Controller is responsible for ensuring that the Personal Data is accurate and up to date.

6.      PERSONAL DATA BREACH

6.1.     In the event of a situation leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data transmitted, stored or otherwise processed ("Personal Data Breach"), the Processor shall, without undue delay, and no later than 48 hours after having become aware of the Personal Data Breach, notify the Controller by sending a written notice to the address provided in Appendix 3 (Contact details). The information shall, to the extent that it is available to the Processor, contain the following at least:

  • A description of the circumstances surrounding the Personal Data Breach;

  • A description of the nature of the Personal Data Breach, and, if possible, the categories and approximate number of Data Subjects affected and the categories and approximate number of Personal Data records concerned;

  • A description of the likely consequences of the Personal Data Breach;

  • A description of the measures taken or proposed to address the Personal Data Breach, and, where appropriate, measures to mitigate its potential adverse effects; and

  • Contact information for the Data Protection Officer or other contact person who can provide more information to the Controller.

6.2.     If it is not possible for the Processor to provide all the information at once, the information may be provided in instalments without undue delay.

7.      AUDIT RIGHTS

7.1.     Upon the Controller's request, the Processor shall give access to all information necessary to show that the Processor's obligations under Applicable Law and this Agreement have been fulfilled.

7.2.     If the information provided in accordance with the previous paragraph cannot reasonably demonstrate that the Processor's obligations under Applicable Law have been fulfilled, the Controller is entitled to carry out physical audits.

7.3.     The Processor shall enable and contribute to audits and inspections carried out by the Controller or by an impartial third party appointed by the Controller. The Controller shall notify the Processor in writing of the planned audit at least 15 business days in advance.

7.4.     The audit shall be carried out:

7.4.1.      during normal business hours;

7.4.2.      after the Controller has ensured that the person conducting the review is subject to a confidentiality agreement appropriate in relation to the Personal Data and information to be reviewed; and

7.4.3.      in accordance with the Processor's internal policies and security procedures.

7.5.     Each Party is responsible for its own costs incurred in connection with performing the first audit in any 12 month period. In the event of any additional audits within a 12 month period, the Controller shall be responsible for all costs (including the Processor's) incurred in connection with performing such audit(s).

8.      SUB-PROCESSOR

8.1.     The Processor may not appoint a sub-processor without first informing the Controller. Accordingly, the Processor shall inform the Controller if it intends to appoint a sub-processor (or replace an existing sub-processor) at least 15 business days in advance.

8.2.     If there is a reasonable reason for the Controller to object to the appointment of a sub-processor the parties shall endeavour to find a suitable alternative. Should the parties fail to find a suitable alternative, the Controller has the right to terminate this Agreement.

8.3.     When engaging a sub-processor, the Processor shall ensure that the sub-processor complies with the Processor's obligations in the Agreement by entering into a contract or other legal act (the "Sub-processor agreement"). The foregoing shall be particularly observed in respect of the Processor's obligation to provide sufficient guarantees regarding implementing appropriate technical and organisational measures as required to comply with Applicable Law.

8.4.     The Controller is always entitled to a copy of the Sub-processor agreement (strictly commercial information may be edited).

8.5.     The Processor must keep an updated record of the sub-processors. The record shall be made available to the Controller upon request.

8.6.     The Processor shall be exclusively responsible towards the Controller if the sub-processor fails to, or omits from, fulfilling its obligations under the Sub-processor agreement.

9.  RECORD OF PROCESSING AND DATA PROTECTION OFFICER

9.1.     The Processor undertakes to keep a written record of the processing of Personal Data according to Article 30 (2) of the GDPR. The record shall be available to the Controller upon request.

9.2.     If the Processing or the nature of the Controller's business requires the Controller to appoint a Data Protection Officer in accordance with Article 37 of the GDPR, the Data Protection Officer's contact details shall be included in the appendix Contact details.

10.   CONTACT WITH SUPERVISORY AUTHORITY AND THE DATA SUBJECT

10.1.  The Processor shall promptly inform the Controller of all contact it may have with the Data Subject, a Supervisory Authority or any other third party concerning the Personal Data that the Processor is Processing.

10.2.  In the event a Data Subject makes a request to the Processor regarding his / her rights in respect of the Processing, the Processor shall refer the Data Subject to the Controller.

10.3.  The Processor shall allow any inspections that the Supervisory Authority may require to perform in accordance with Applicable Law.

10.4.  The Processor is not entitled to represent the Controller or otherwise act on behalf of the Controller in respect of the Data Subject, a Supervisory Authority or any other third party.

11. TECHNICAL AND ORGANISATIONAL SECURITY MEASURES

11.1.  The Processor shall take the appropriate organisational and technical security measures to ensure that the Personal Data included in the scope of this Agreement is protected against any unauthorised or illegal access. This includes ensuring the adequate capacity, technical solutions, skills, financial and human resources, procedures and methods.

11.2.  The appropriateness of the technical and organisational security measures shall be assessed taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of the Processing as well as the risks (of varying likelihood and severity) for rights and freedoms of natural persons posed by the Processing.

11.3.  If the Controller assesses that the Processing operation is of high risk to the rights and freedoms of the Data Subject and conducts a DPIA, the Controller shall share the results of the DPIA with the Processor to ensure that this can be taken into account when determining what constitutes appropriate security measures.

11.4.  The Processor must comply with any decisions and consultation opinions that the Supervisory Authority announces regarding measures for complying with the security requirements and all other requirements relating to the Processor under Applicable Law.

11.5.  The Processor shall ensure that employees (of the Processor or their sub-contractors) are only allowed access to Personal Data to the extent necessary and that those who have access to Personal Data have undertaken to respect the confidentiality of such information (e.g. by signing an individual non-disclosure agreement).

11.6.  Only persons employed/engaged as consultants by the Processor and who have been deemed to have the adequate level of knowledge of the nature and extent of the Processing of Personal Data may process the Personal Data.

11.7.  Computer equipment, storage media and other equipment used in the Processing of Personal Data carried out by the Processor must be kept where, or in such manner that, no unauthorised persons can access them.

11.8.  The security at the Processor's facilities where Personal Data is Processed must be appropriate and secure in regards of locking equipment, functioning alarm equipment, protection against fire, water and burglary, protection against power outages and power disturbances. The equipment used to process Personal Data must have good protection against theft and events that may destroy the equipment and / or Personal Data.

12.   CONTROL OVER THE PERSONAL DATA

12.1.  The Processor shall ensure that Personal Data processed is not accidentally or unlawfully destroyed, altered or corrupted. All Personal Data shall be protected against any unauthorised access during storage, transfer and other Processing.

12.2.  No Personal Data may be provided to the Controller before the identity of the recipient has been duly verified.

13.   TRANSFER OF DATA OUTSIDE THE EU/EEA

13.1.  In the event that the Processor transfers Personal Data outside the EU/EEA, the Processor ensures that the level of protection is adequate and in accordance with Applicable Law by controlling that at least one of the following requirements is fulfilled:

  • the level of protection is adequate in the third country where the data is processed;

  • the Processor has signed up to the EU Commission's standard contractual clauses (SCCs) and the International data transfer addendum; or

  • the Processor has taken other appropriate safeguards prior to the transfer and such safeguards comply with Applicable Law.

14.   LIABILITY

14.1.  No Party is liable for any delay or failure to perform due to extraordinary circumstances beyond the control of the Party, which the Party could not reasonably expect and which consequences the Party could not reasonably have avoided or overcome.

14.2.  Each Party's liability, taken together and in aggregate is subject to the limitations of liability in the Existing Agreement and any reference to the liability of a Party in the Existing Agreement means the aggregate liability of that Party under the Existing Agreement and this Agreement together.

14.3.  The Processor agrees to indemnify, keep indemnified and defend at its own expense the Controller against all costs, claims, damages or expenses incurred by the Controller or for which the Controller may become liable due to any failure by the Processor or its employees, subcontractors or agents to comply with any of its obligations under this Agreement and/or the Data Protection Legislation.

14.4.  Any limitation of liability set forth in the Existing Agreement will not apply to this Agreement's indemnity or reimbursement obligations.

14.5.  In no event shall the Processor be liable for any indirect or consequential damages such as lost revenue or profits, contracts, customers or business opportunities, loss of goodwill, or expected savings.

15.   CONFIDENTIALITY

15.1.  The Processor may not use information or other material to which it is granted access in connection with entering into this Agreement or the Existing Agreement for any other purpose than fulfilling its obligations under this Agreement or the Existing Agreement.

15.2.  The Processor may not disclose information, to third parties or any other unauthorised persons, about the Processing of Personal Data or the content of Personal Data covered by this Agreement or other information to which the Processor has been granted access as a result of, or in connection with entering into, this Agreement. This undertaking does not apply to information that the Processor is required to disclose under mandatory law.

16.   TERM AND TERMINATION

16.1.  The Agreement is valid and in force from the date that the Processor first processes Personal Data on behalf of the Controller to the date when it ceases such Processing or until this Agreement is replaced by another Data Processing Agreement.

16.2.  The obligations of the Processor under the Agreement shall continue to apply, regardless of whether the Agreement has been replaced, as long as the Processor processes Personal Data on behalf of the Controller.

17.   ERASURE AND RETURNING OF PERSONAL DATA

17.1.  Upon the termination of the Agreement, the Processor and any sub-processor shall, at the request of the Controller, either erase or return the Personal Data processed within the scope of this Agreement.

17.2.  If the Controller has not requested the return or deletion of the Personal Data within 60 days of the Agreement being terminated, the Processor may delete the Personal Data.

18.   GOVERNING LAW AND JURISDICTION

18.1.  This Agreement, and any dispute or claim arising out of or in connection with it or its subject matter or formation (including non-contractual disputes or claims), shall be governed by, and construed in accordance with the law of England and Wales.

18.2.  Each party irrevocably agrees that the courts of England and Wales shall have exclusive jurisdiction to settle any dispute or claim arising out of or in connection with this agreement or its subject matter or formation (including non-contractual disputes or claims).

APPENDIX 1

EXISTING AND APPROVED SUB-PROCESSORS

The current list of sub-processors engaged in Processing Personal Data on behalf of the Processor in connection with this Agreement, including a description of their processing activities and countries of location, shall be provided to the Controller by the Processor within five business days of the date of this Agreement.

APPENDIX 2

TECHNICAL AND ORGANISATIONAL SECURITY MEASURES

The Processor has taken technical and organisational measures to ensure that Personal Data is processed securely and protected from loss, misuse and unauthorised access.

Technical security measures are measures implemented through technical solutions.

●    Two-step verification

●    Data back-up

Organisational security measures are measures that are implemented in work processes and routines within the organisation.

●    Login and password management  

APPENDIX 3

CONTACT DETAILS

Processor

Contact person

Full name: Cigdem Kemal

E-mail address: info@skinmasterclass.com