
DATA PROCESSING AGREEMENT

This Data Processing Agreement (“DPA”) forms part of the Agreement between the Parties.

1.   DEFINITIONS

1.1.   The terms, “Controller”, “Data Subject”, “Member State”, “Personal Data”, “Personal Data Breach”, “Processing”, “Processor” and “Supervisory Authority” shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.

“Data Protection Laws” means the GDPR and any other applicable data protection legislation, including EU Member State legislation and any applicable data protection legislation in force from time to time in the UK (including the Data Protection Act 2018), and regulatory requirements which apply to a party to this Agreement relating to Personal Data (including without limitation the privacy of electronic communications) and any code of practice or guidance published by any other relevant Supervisory Authority, in each case as amended or replaced from time to time;

“GDPR” means the General Data Protection Regulation ((EU) 2016/679);

“Subscriber Personal Data” means any Personal Data Processed by Market Logic and/or any of its sub-processors on behalf of Subscriber pursuant to or in connection with the Agreement;

“Sub-processor” means a subcontractor engaged by Market Logic that will process Personal Data as part of the performance of the Services where Market Logic is the Processor;

1.2.   Terms used but not defined in this DPA will have the same meaning as set forth in Article 4 of the GDPR.

2.   ROLES AND SCOPE

2.1.   This DPA applies to the Processing of Personal Data by Market Logic on behalf of Subscriber, within the scope of the GDPR.

2.2.   For purposes of this DPA, Subscriber and Market Logic agree that Subscriber is the Controller of Subscriber Data and Market Logic is the Processor of such data, except when Subscriber acts as a Processor of Personal Data (for example for one of its Affiliates), in which case Market Logic is a sub-processor.

2.3.   This DPA does not limit or reduce any data protection commitments Market Logic makes to Subscriber in this Agreement.

3.   OBLIGATIONS OF MARKET LOGIC: ARTICLES 28, 32 and 33 GDPR

3.1.   Market Logic shall not engage another Processor for the Processing of Personal Data without prior specific authorization of Subscriber. Market Logic shall inform Subscriber of any intended changes concerning the addition or replacement of other Processors, thereby giving Subscriber the opportunity to object to such changes (Article 28 (2) of the GDPR).

3.2.   Processing by Market Logic shall be governed by this DPA under European Union (“EU”) or Member State law and are binding on Market Logic with regard to Subscriber. The subject-matter and duration of the processing, the nature and purpose of the processing, the type of Personal Data, the categories of data subjects and the obligations and rights of the Subscriber are set forth in the Agreement with the Subscriber. In particular, Market Logic shall:

3.2.1.   process Personal Data only on documented instructions from Subscriber, including with regard to transfers of Personal Data to a third country or an international organization, unless required to do so by EU or Member State law to which Market Logic is subject; in such case, Market Logic shall inform Subscriber of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest;

3.2.2.   ensure that persons authorized to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;

3.2.3.   take all measures required pursuant to Article 32 of the GDPR;

3.2.4.   respect the conditions referred to in paragraphs 3.2.1 and 3.2.3 for engaging another Processor;

3.2.5.   taking into account the nature of the processing, assist Subscriber by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Subscriber’s obligations to respond to requests for exercising the data subject’s rights laid down in Chapter III of the GDPR;

3.2.6.   assist Subscriber in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR, taking into account the nature of processing and the information available to Market Logic;

3.2.7.   at the choice of Subscriber, delete or return all the Personal Data to Subscriber after the end of the provision of the services relating to processing, and delete existing copies unless EU or Member State law requires storage of the Personal Data;

3.2.8.   make available to Subscriber all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR.

3.2.9.   Market Logic shall immediately inform Subscriber if, in its opinion, an instruction infringes the GDPR or other EU or Member State data protection provisions. (Article 28/3 of the GDPR).

3.3.   Where Market Logic engages another Processor for carrying out specific Processing activities on behalf of Subscriber, the same data protection obligations as set out in this DPA shall be imposed on that other Processor by way of a contract or other legal act under Union or Member State law, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the Processing will meet the requirements of the GDPR. Where that other Processor fails to fulfil its data protection obligations, Market Logic shall remain fully liable to the Subscriber for the performance of that other Processor’s obligations. (Article 28/4)

3.4.   Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Subscriber and Market Logic shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:

3.4.1.   the pseudonymisation and encryption of Personal Data;

3.4.2.   the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

3.4.3.   the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; and

3.4.4.   a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing. (Article 32/1)

3.5.   In assessing the appropriate level of security, account shall be taken of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored or otherwise processed. (Article 32/2)

3.6.   Subscriber and Market Logic shall take steps to ensure that any natural person acting under the authority of Subscriber or Market Logic who has access to Personal Data does not process them except on instructions from Subscriber unless he or she is required to do so by EU or Member State law. (Article 32/4)

3.7.   Market Logic shall notify Subscriber without undue delay after becoming aware of a Personal Data Breach (Article 33/2). Such notice will, at a minimum:

3.7.1.   describe the nature of the Personal Data Breach including where possible, the categories and approximate number of data subjects concerned, and the categories and approximate number of Personal Data records concerned;

3.7.2.   communicate the name and contact details of the data protection officer or other contact where more information can be obtained;

3.7.3.   describe the likely consequences of the Personal Data Breach; and

3.7.4.   describe the measures taken or proposed to be taken by the Controller to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects. (Article 33/3)

4.   SUB-PROCESSORS

4.1.   Subscriber consents to Market Logic engaging Sub-processors for the processing of Personal Data in accordance with this DPA.

4.2.   Market Logic will ensure that Sub-processors are bound by written agreements that require them to provide at least the level of data protection required of Market Logic under this DPA.

4.3.   The Sub-processors used by Market Logic are listed in the applicable Statement of Work and/or published on Market Logic’s website.

5.   ASSISTING SUBSCRIBER RESPONSE TO REQUESTS FROM DATA SUBJECTS

5.1.   Market Logic will make available to Subscriber the Personal Data of its data subjects and the ability to fulfill data subject requests to exercise one or more of their rights under the GDPR in a manner consistent with the functionality of the Software Services and Market Logic’s role as Processor. Market Logic shall comply with reasonable requests by Subscriber to assist with Subscriber’s response to such a data subject request.

5.2.   If Market Logic receives a request from Subscriber’s data subject to exercise one or more of its rights under the GDPR, Market Logic will redirect the data subject to make its request directly to Subscriber.

6.   PROCESSING OF PERSONAL DATA

6.1.   This Agreement (incl. this DPA), along with Subscriber’s use of the Services are Subscriber’s instructions to Market Logic for the processing of Personal Data. The Subscriber understands that any Subscriber Data made available on the Software Services is not monitored by Market Logic and the Subscriber is not permitted to upload or make available any special categories of Personal Data (e.g. financial or health data).

6.2.   Market Logic may also transfer Personal Data if required by applicable law.

6.3.   Market Logic will ensure that its personnel engaged in the processing of Personal Data (i) will process Personal Data only on instruction from Subscriber, unless required to do so by EU, Member State, or other applicable law and (ii) have committed to maintain the confidentiality of any Personal Data even after their engagement ends.

6.4.   The subject-matter of the processing is limited to Personal Data within the scope of the GDPR, and the duration of the processing shall be for the duration of the Agreement.

6.5.    The nature and purpose of the processing is:

a) providing of Services by Market Logic to Subscriber;

b) providing of usage reporting to Subscriber;

c) operate, administer and optimize the Market Logic platform and to diagnose problems with the software.

6.6.  Categories of data subjects are Subscriber’s representatives and end users, such as employees, contractors, suppliers, and collaborators.

6.7.   The types of Personal Data processed may include: names of users of the platform, work address, business email address, personal account number, personal reference number, employee number, IP address/device identifier and usage tracking of users, as well as other Personal Data submitted by Subscriber to the Market Logic platform. Subscriber understands that Market Logic does not monitor Subscriber Data available on the platform and does not allow the uploading of special category data, as defined under the GDPR or financial data on the platform by Subscriber.

6.8.   On expiration or termination of this Agreement, Market Logic shall delete or return Personal Data in accordance with the terms and timeline set forth in this Agreement, unless EU, Member State, or other applicable law require storage of the Personal Data.

7.   SECURITY

Market Logic shall (i) maintain security practices and policies for the protection of Personal Data as set forth in the written Information Security Policy and (ii) subject to non-disclosure obligations, make the Information Security Policy available to Subscriber, along with a description of the security controls in place for the Software Services and other information reasonably requested by Subscriber regarding Market Logic’s security practices and policies.

8.   AUDIT

8.1.   Market Logic shall make available to Subscriber all information necessary to demonstrate compliance with Article 28, GDPR and allow for and contribute to audits, including inspections, conducted by Subscriber or another auditor mandated by Subscriber.

8.2.   Upon Subscriber’s reasonable request, and no more than once per year, unless exceptional circumstances warrant additional audit rights, Market Logic shall make available information reasonably necessary to demonstrate material compliance with the obligations laid down in this DPA and allow for and contribute to an audit (“Audit”). No Audit shall take place unless or until Subscriber has requested, and Market Logic has provided the necessary documentation to demonstrate compliance and Subscriber reasonably determines that an Audit remains necessary to demonstrate material compliance with the obligations laid down in this DPA. Any Audit, including inspections of processing facilities under Market Logic’s control, conducted by Subscriber or another auditor chosen by Subscriber, shall be at Subscriber’s expense and shall be done during normal business hours and upon reasonable prior notice. Any auditor chosen by Subscriber shall not be a competitor of Market Logic. In no event shall Subscriber have access to the information of any other client of Market Logic and the disclosures made pursuant to this clause 8.2 shall be held in confidence as Market Logic’s confidential information and subject to any confidentiality obligations agreed upon by the parties. Subscriber shall employ the same degree of care to safeguard information obtained in an Audit that it uses to protect its own confidential and proprietary information and, in any event, not less than a reasonable degree of care under the circumstances. Subscriber shall be liable for any improper disclosure or use of information obtained through an Audit by Subscriber or its agents.

9.   PERSONAL DATA BREACH

Market Logic shall make reasonable efforts to assist Subscriber in fulfilling Subscriber’s obligations to notify the relevant supervisory authority and data subjects of any Personal Data Breach under Articles 33 and 34 of the GDPR.

10.   RECORDS OF PROCESSING ACTIVITIES

Market Logic shall maintain all records required by Article 30/2 of the GDPR and, to the extent applicable to the processing of Personal Data on behalf of Subscriber, make them available to Subscriber upon request.

11.   MODIFICATION, SUPPLEMENTATION AND TERM

11.1.   Market Logic may modify or supplement this DPA, with notice to Subscriber, (i) if required to do so by a supervisory authority or other government or regulatory entity, (ii) if necessary to comply with applicable law, (iii) to implement standard contractual clauses laid down by the European Commission or (iv) to adhere to an approved code of conduct or certification mechanism approved or certified pursuant to Articles 40, 42 and 43 of the GDPR.

11.2.   Without prejudice to this DPA, Market Logic may from time to time provide additional information and detail about how it will execute this DPA in its technical, privacy or policy documentation.

11.3.   This DPA becomes effective upon the later of (a) the start of enforcement of the GDPR or (b) Subscriber’s use of the Services.

(If you require a signed version of this DPA, please contact Market Logic Software’s Legal Team at legal@marketlogicsoftware.com.)