Webarchitects Data Processing Agreement

Clauses to Comply with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and any legislation implemented in the UK in connection with the UK GDPR and any replacement legislation coming into effect from time to time, together with Data Protection Legislation, whenever Webarchitects stores or processes personal data for the Client (the Controller), supplementary to the Processor's contract with the Webarchitects Cooperative.

Note: If Webarchitects determines the purposes and means of processing, contrary to the terms of the following clauses, Webarchitects shall be considered to be a controller in respect of such processing [2].

Processor Obligations – see UK GDPR Article 28(3)(a) to (h)

Webarchitects shall ensure that it and any sub-processor (to be engaged only with the Controller's consent and on the same terms as below[3]) identifies the Personal Data as above and –

  1. in processing[4] the Personal Data:
    1. does so only on documented instructions from the Controller;
    2. does not transfer the Personal Data to a third country[5] or an international organisation[6], unless the Controller so instructs, or Webarchitects is required to do so by law;
    3. if Webarchitects is required by law to make such a transfer, Webarchitects shall inform the Controller of that legal requirement before transferring, unless the law prohibits such information being given on important grounds of public interest;
  2. ensures that persons authorised to process the Personal Data are bound by contractual confidentiality obligations which reflect the requirements of these clauses and the need to keep the Personal Data secure and confidential[7];
  3. ensures appropriate technical and organisational measures are in place[8] to ensure a level of security appropriate to the risk, including inter alia as appropriate:
    1. the pseudonymisation and encryption of the Personal Data;
    2. the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
    3. the ability to restore the availability and access to the Personal Data in a timely manner in the event of a physical or technical incident;
    4. a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing; and in assessing the appropriate level of security account may be taken of adherence to an approved code of conduct[9], and shall[10] be taken of:
    5. the state of the art, the costs of implementation and the nature, scope, context and purposes of processing[11];
    6. the risk of varying likelihood and severity for the rights and freedoms of natural persons[12];
    7. the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to the Personal Data transmitted, stored or otherwise processed[13];
  4. does not engage another processor (a sub-processor) unless the Controller in its absolute discretion gives a specific or general written authorisation; and where such consent is given, the Processor[14]:
    1. shall inform the Controller of any intended changes to a general written authorisation to add or replace processors, thereby giving the Controller the opportunity to object to such changes[15];
    2. shall impose the same data protection contractual obligations as set out in these clauses[16];
    3. acknowledges that Webarchitects remains fully liable to the Controller for the performance of the sub-processor[17];
  5. assists the Controller by appropriate technical and organisational measures, so far as possible, to respond to requests for exercising the data subject's rights under Data Protection Legislation, including Chapter III of the UK GDPR[18];
  6. assists the Controller[19] with:
    1. their joint obligation to ensure that appropriate technical and organisational security measures are in place[20];
    2. notifying any Personal Data breach to the Commissioner (the UK ICO) and to the data subject[21];
    3. data protection impact assessments and consulting the Commissioner where an assessment indicates the processing involves unmitigated high risk[22];
  7. at the choice of the Controller, deletes or returns all the Personal Data to the Controller after the end of the provision of services relating to processing, and deletes existing copies unless domestic law requires storage of the Personal Data[23]; and
  8. makes available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this clause and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller; and immediately informs the Controller if, in its opinion, an instruction infringes Data Protection Legislation[24].

Footnotes

  1. The "UK GDPR" is defined in section 3(10) of the Data Protection Act 2018.
  2. Art 28(10).
  3. Art 28(4).
  4. Art 28(3)(a).
  5. A country outside the UK.
  6. An organisation and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries (Art 4(26)).
  7. Art 28(3)(b).
  8. Art 28(3)(c) and Art 32.
  9. Art 32(3).
  10. Art 32(1) and (2).
  11. Art 32(1).
  12. Art 32(1).
  13. Art 32(2).
  14. Art 28(2) and Art 28(3)(d).
  15. Art 28(2).
  16. Art 28(4).
  17. Art 28(4).
  18. Art 28(3)(e).
  19. Art 28(3)(f).
  20. Art 32.
  21. Art 33 and 34.
  22. Art 35 and 36.
  23. Art 28(3)(g).
  24. Art 28(3)(h).

Last updated: Wednesday, 17 May 2023, 01:09:36 PM

  • +44 114 276 9709
  • support@webarchitects.coop
  • Harland Works, Unit 12, 70 John Street, Sheffield, S2 4QU, UK
  • Co-operative Society No. 31305R
  • VAT No. GB379877412

© 2025 Webarch Co-operative Limited
