This Version is Effective 12th November 2018
This Data Processing Agreement, including its appendices ("DPA"), forms part of the agreement between John Stephen Consultancy Ltd t/a Thesaurus Technology and the customer ("Customer") for the subscription to Universal Estate Agency Software (the "Services") and related technical support to Customer (as amended from time to time) (the "Agreement"). This DPA reflects the parties’ agreement with respect to the terms governing Thesaurus’s processing and security of Personal Data (also referred to as Personal Information in the Agreement) from or about Customer’s employees on behalf of the Customer under the Agreement ("Customer Data"). For any other data from or about Customer, including any admin account information, Thesaurus Technology shall be a controller and this DPA shall not apply.
1.1. Definitions: In this DPA, the following terms shall have the following meanings:
2.1. Relationship of the parties: Customer (the controller) appoints Thesaurus Technology as a processor to process the Customer Data on Customer's behalf. Each party shall comply with the obligations that apply to it under Applicable Data Protection Law.
2.2. Purpose limitation: Thesaurus Technology shall process the Customer Data as a processor only as necessary to perform its obligations under the Agreement and strictly in accordance with the documented instructions of Customer (the "Permitted Purpose"), except where otherwise required by any EU (or any EU Member State) law applicable to Customer. In no event shall Thesaurus Technology process the Customer Data for its own purposes or those of any third party, save that Thesaurus Technology may de-identify and aggregate Customer Data ("Aggregated Data") and may process Aggregated Data to maintain and improve the Services.
2.3. International transfers: Thesaurus Technology shall not transfer the Customer Data (nor allow the Customer Data to be transferred) outside of the European Economic Area ("EEA") unless (a) it has first obtained Customer's prior consent; or (b) it takes such measures as are necessary to ensure the transfer is in compliance with Applicable Data Protection Law. Such measures may include (without limitation) transferring the Customer Data to a recipient in a country that the European Commission has decided provides adequate protection for personal data, to a recipient that has achieved binding corporate rules authorisation in accordance with Applicable Data Protection Law, to a recipient in the United States that has certified its compliance with the EU-US Privacy Shield, or to a recipient that has executed standard contractual clauses adopted or approved by the European Commission.
2.4. Confidentiality of processing: Thesaurus Technology shall ensure that any person that it authorises to process the Customer Data (including Thesaurus Technology's staff, agents and subcontractors) (an "Authorised Person") shall be subject to a strict duty of confidentiality (whether a contractual duty or a statutory duty), and shall not permit any person to process the Customer Data who is not under such a duty of confidentiality. Thesaurus Technology shall ensure that all Authorised Persons process the Customer Data only as necessary for the Permitted Purpose.
2.5. Security: Thesaurus Technology shall implement appropriate technical and organisational measures to protect the Customer Data from a Security Incident. Such measures shall have regard to the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. Such measures shall include, as appropriate:
2.6. Subprocessing: Customer consents to Thesaurus Technology engaging third-party subprocessors to process the Customer Data provided that: (a) Thesaurus Technology provides notice of the addition or removal of any subprocessor (including details of the processing it performs or will perform); (b) Thesaurus Technology imposes data protection terms on any subprocessor it appoints that are consistent with the terms of this DPA; and (c) Thesaurus Technology remains fully liable for any breach of this Clause that is caused by an act, error or omission of its subprocessor that is acting on our behalf under this DPA. Thesaurus Technology shall maintain and provide updated copies of this list here. If Customer refuses to consent to Thesaurus Technology's appointment of a third party subprocessor relating to the protection of the Customer Data, Customer may elect to suspend or terminate the Agreement, including this DPA, subject to all fees and payment due for services rendered.
2.7. Cooperation and data subjects' rights:
2.7.1. During the Term, Thesaurus Technology shall, in a manner consistent with the functionality of the Services and taking into account the nature of the processing, provide reasonable assistance to enable Customer to respond to (a) any request from a data subject to exercise any of its rights under GDPR (including its rights of access, correction, objection, erasure and data portability, as applicable); and (b) any other correspondence, enquiry or complaint received from a data subject, regulator or other third party in connection with the processing of the Data as required under the GDPR.
2.7.2. If Thesaurus Technology receives any requests from a data subject related to Customer Personal Data, Thesaurus Technology shall advise the data subject to provide such request directly to the Customer and Customer shall be responsible for responding to such request.
2.8. Data Protection Impact Assessment: Upon Customer’s written request and to the extent that Customer does not otherwise have access to the relevant information and the information is available to Thesaurus Technology, Thesaurus Technology shall provide Customer with reasonable assistance (at Customer’s cost) needed to fulfil the Customer's obligations under the GDPR to carry out a data protection impact assessment related to Customer’s use of the Service. To the extent necessary, Thesaurus Technology shall provide reasonable assistance to the Customer in the consultation with its relevant data protection authority.
2.9. Security incidents:
2.9.1. If Thesaurus Technology becomes aware of an actual Security Incident that involves Customer Data, Thesaurus Technology will: (a) notify Customer of the Security Incident without undue delay; (b) take appropriate steps to identify the cause of the Security Incident and minimize harm and secure the Customer Data, to the extent remediation is within Thesaurus Technology’s reasonable control; and (c) provide Customer with information, subject to our privacy and data security policies, confidentiality and legal requirements, as may be reasonably necessary to assist Customer with its notification and reporting responsibilities. Thesaurus Technology will not assess the contents of the Customer Data to identify any specific reporting or other legal obligations that are applicable to the Customer. Any and all regulatory and/or data subject reporting obligations related to the Security Incident are the responsibility of the Customer.
2.9.2. Thesaurus Technology’s notification of or response to a Security Incident under this DPA will not be construed as an acknowledgement by Thesaurus Technology of any liability or fault with respect to the Security Incident.
2.9.3. Notification(s) of any Security Incident(s) by Thesaurus Technology shall be delivered to the notification email or address provided in the Agreement or, at Thesaurus Technology’s discretion, by phone or in-person meeting. Customer is solely responsible for ensuring that the notification contact details (e.g., phone and email) are valid and accurate.
2.10. Deletion or return of Customer Data: At Customer’s election Thesaurus Technology shall destroy or return to Customer (see https://www.thesaurus.org.uk/data for details) all Customer Data in its possession or control (including in the possession of any Subprocessor) in accordance with Thesaurus Technology’s data retention and destruction procedures and timeframes, unless otherwise agreed with Customer. This requirement shall not apply: (a) to the extent that Thesaurus Technology is required by any EU (or any EU Member State) law to retain some or all of the Customer Data, in which event Thesaurus Technology shall isolate and protect the Customer Data from any further processing except to the extent required by such law; or (b) to any data stored on back-ups; such data will be destroyed in accordance with our standard destruction policies for back-up data due to the cost and technical difficulty of deleting back-ups.
2.11. Audit: Thesaurus Technology shall make available all information reasonably necessary to demonstrate compliance with the obligations laid down in this DPA. In particular, Thesaurus Technology shall allow for written audit questions to be submitted by Customer to Thesaurus Technology related to Thesaurus Technology's processing and protection of Customer Data. Customer shall not exercise this right more than once per year.
2.12. Legal Disclosures: If we reasonably believe we are required by a court order, agency action, or any other legal or regulatory requirement, to disclose any Customer Data, we will provide you with notice and a copy of the demand as soon as practicable, unless we are prohibited from doing so pursuant to applicable law or regulation.
3.1. This DPA, including the terms of the underlying Agreement, is the entire agreement between you and Thesaurus Technology and replaces all prior understandings, communications and agreements, oral or written, regarding its subject matter. If any court of law, having jurisdiction, rules that any part of this DPA is invalid, that section will be removed without affecting the remainder of the DPA. The remaining terms will be valid and enforceable.