Last modified: January 25, 2021

This Data Processing Addendum (“DPA”) is made between DUTYSHEET LIMITED (trading as ‘Assemble’), a company registered in England and Wales with Company Number 06034879 whose principal place of business is at 19-20 Bourne Court, Unity Trading Estate, Southend Rd, Woodford Green, IG8 8HD ("“We”, “Us, “Our”) and the customer identified in the Services Agreement(“You”, “Your”) (together jointly referred to as “Both of Us”).

This DPA forms a part of the Agreement between You and Us.

1. DEFINITIONS

Agreement means an existing contractual arrangement between You and Us, including, without limitation, Our ‘Terms of Service’ or any negotiated contracts.

Data Protection Legislation means all applicable laws and regulations relating to the processing of Personal Data and privacy including the Data Protection Act 2018, the Privacy and Electronic Communications (EC Directive) Regulations 2003 and any statutory instrument, order, rule or regulation made thereunder, as from time to time amended, extended, re-enacted or consolidated. The terms “Personal Data”, “Personal Data Breach”, “Data Protection Officer”, “Data Controller”, “Data Processor” and “process” (in the context of usage of Personal Data) shall have the meanings given to them in the Data Protection Legislation;

EEA means, in this DPA, the European Economic Area, the United Kingdom, Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland, and Uruguay.

Privacy Shield means the EU-US Privacy Shield and Swiss-US Privacy Shield Framework self-certification programme operated by the US Department of Commerce and approved by the European Commission and Swiss Federal Council.

Sub-Processor means a third-party Data Processor engaged to provide processing services to a Data Processor who is party to this DPA.

2. THE DPA AND THE AGREEMENT

2.1. This DPA shall replace any existing DPA or data protection provisions in, or forming part of, all current Agreements.

2.2. Except for the changes made by the DPA, all current Agreements remain in full force and effect. For the avoidance of doubt, the provisions of this DPA will prevail if there are any conflicts between an Agreement and this DPA.

2.3. Only You, We, our successors or any agreed assignees shall benefit from any terms under this DPA.

2.4. This DPA shall be governed and interpreted under the same laws and jurisdiction as an Agreement unless Data Protection Legislation dictates otherwise.

2.5. This DPA shall remain in effect until the termination of all Agreements existing between You and Us.

3. ROLES

3.1. For the purposes of an Agreement, both parties may receive Personal Data. Where the parties receive Personal Data as Data Controllers each party agrees to comply with Data Protection Legislation.

3.2. Throughout the commercial relationship of the parties, each party will be processing the Personal Data of the other’s employees to facilitate contact and co-operation between the parties and achieve their respective business interests.

3.3. Aside from the Personal Data described in clause 3.2, You, acting as Data Controller, will be passing Personal Data to Us as Data Processor for the purpose of using and recording information in Assemble's volunteer management platform.

4. PROCESSING

4.1. All processing of Personal Data under this DPA is pursuant to performance of an Agreement and serves the Data Controllers in their respective businesses as outlined within an Agreement.

4.2. Personal Data described under clause 3.1 is processed by the Data Processor by use of email, phone or postal correspondence, including occasionally recording calls and meetings.

4.3. Personal Data described in clause 3.3 will be processed by Us by electronically storing the information and making it available to You over the internet through the Assemble platform.

4.4. Categories of Data Subjects whose Personal Data will be processed under this Agreement include employees and volunteers.

4.5. The types of Personal Data that will be processed under this Agreement include:

   4.5.1. Identity Data such as names, usernames or similar; marital status; title; date of birth; birthday; sex and gender;

   4.5.2. Contact Data such as addresses; email addresses and telephone numbers;

   4.5.3. Transaction Data such as information about payments and details of expenses claimed;

   4.5.4. Technical Data such as IP addresses; login data; browser info; time zone; location; browser plug-ins; operating systems; platforms and other technology on the device used to access this website;

   4.5.5. Profile Data such as usernames; passwords; security answers; social media accounts; skills, interests and roles; preferences; feedback and responses to surveys, blogs and messages; and

   4.5.6. Any custom categories of data that you identify as being relevant to achieving your objectives.

5. INSTRUCTION

5.1. Where a party receives Personal Data from a Data Controller as a Data Processor (an “Instructed Processor”), that party shall:

   5.1.1. act solely on the instructions of the party sending the Personal Data in relation to the processing of that Personal Data. In the event that a legal requirement prevents the Instructed Processor from complying with such instructions the Data Processor shall, unless such legal requirement prohibits it from doing so, inform the other party of the relevant legal requirement before carrying out the relevant processing activities;

   5.1.2. at all times, ensure that the necessary technical and organisational measures are in place to prevent unauthorised and unlawful processing or disclosure of such Personal Data and such measures shall include taking reasonable steps to ensure the reliability of any of its staff who may have access to Personal Data and ensuring that such staff are subject to appropriate confidentiality undertakings. The Instructed Processor shall, save where prohibited by law and as soon as reasonably practical, notify the other party of any legal obligation which requires the Instructed Processor to disclose the Personal Data to a third party;

   5.1.3. subject to clause 6.4, not transfer the Personal Data outside of the European Economic Area (as such term is commonly understood) or to any third party without the other party’s written consent;

   5.1.4. send to the other party any communications received from individuals in relation to their Personal Data as soon as reasonably practicable. The Instructed Processor shall provide reasonable co-operation to the other party in relation to any individuals exercising their rights under the Data Protection Legislation;

   5.1.5. give the other party reasonable assistance in relation to its compliance with Data Protection Legislation;

   5.1.6. take reasonable steps to ensure the confidentiality, integrity, availability and resilience of processing systems and services associated with the processing of Personal Data;

   5.1.7. co-operate with and provide such information and access to any facilities, premises or equipment from or on which Personal Data is, has been, or is to be processed pursuant to this Agreement (including any such facilities, premises or equipment used by staff and/or sub-contractors) as the other party may reasonably require to enable it to monitor compliance by the Instructed Processor with the obligations in this Agreement;

   5.1.8. notify the other party of any Personal Data Breach and assist the other party with any investigation into and remediation of a Personal Data Breach. The Instructed Processor shall also provide the other party with reasonable assistance with any notifications made to relevant authorities and/or individuals in relation to a Personal Data Breach;

   5.1.9. subject to clause 6, not subcontract any of its obligations under this Agreement regarding the processing of Personal Data to a third party Sub-Processor without the prior written consent of the other party. The Instructed Processor shall be liable for the acts and omissions of the Sub-Processor as if they were the acts or omissions of the Instructed Processor itself and the Instructed Processor shall ensure that there is a written contract executed between the Instructed Processor and the Sub-Processor that contains equivalent protections for the Personal Data as are set out in this Agreement;

   5.1.10. when instructed by the other party, immediately cease processing the Personal Data and immediately supply any Personal Data to the other party or delete the Personal Data in accordance with the other party’s instructions;

   5.1.11. submit to audits and inspections carried out directly upon it by a supervisory authority, at its sole discretion, or by the Data Controller as the Data Controller reasonably believes necessary, based on evidence and providing such evidence in notification to the Processor, and co-operate in any audits and inspections carried out upon the Data Controller ; and

   5.1.12. inform the Data Controller immediately if any requests made of it that would involve infringing Data Protection Legislation.

6. SUB-PROCESSORS

6.1. Where You are passing Personal Data to Us in Your role as Data Controller, You agree that We shall be permitted to engage Sub-Processors. The Sub-Processors currently engaged by Us are listed in Our Sub Processors.

6.2. Should an Instructed Processor wish to make changes to their list of Sub-Processors, the Instructed Processor shall:

   6.2.1. give the Data Controller at least twenty (20) days’ notice of any impending additions or removals of a Sub-Processor; and

   6.2.2. provide a revised list of its engaged Sub-Processors to the Data Controller upon the Data Controller’s written request.

6.3. The Data Controller may object in writing to the Instructed Processor’s engagement of a new Sub-Processor within ten (10) days of receiving such notice, so long as the objection is based on legitimate data protection concerns.

6.4. Where an objection is received under clause 6.3, You and We shall discuss the data protection concerns in good faith and intending to resolve the issue. If no such resolution is possible between You and Us, whichever of us that raised the objection shall be entitled to terminate the Agreement without prejudice to any fees or obligations incurred by the party raising the objection prior to termination.

7. INTERNATIONAL TRANSFERS

7.1. Where You are passing Personal Data to Us in Your role as Data Controller, You agree that We shall be permitted to transfer Personal Data outside of the EEA. Details of where we currently transfer Personal Data, and the corresponding safeguards, are listed in Our Sub-Processors.

7.2. An Instructed Processor may make a transfer not already approved and process Personal Data anywhere in the world, provided that the Instructed Processor notifies the other of an intention to do so at least twenty (20) days’ notice.

7.3. The Data Controller may object in writing to the Instructed Processor’s new transfer outside of the EEA within ten (10) days of receiving such notice, so long as the objection is based on legitimate data protection concerns.

7.4. Where an objection is received under clause 7.3, You and We shall discuss the data protection concerns in good faith and intending to resolve the issue. If no such resolution is possible between You and Us, whichever of us that raised the objection shall be entitled to terminate the Agreement without prejudice to any fees or obligations incurred by the party raising the objection prior to termination.

8. ADDITIONAL OBLIGATIONS

8.1. The Instructed Processor shall comply with Data Controller’s Information Retention Policy (as amended from time to time) and will notify the Data Controller of any law in the jurisdiction(s) in which the Instructed Processor operates that would prevent the Instructed Processor from complying with the Data Controller’s Information Retention Policy.

8.2. The Instructed Processor shall maintain and keep up to date a list detailing the location of all Data Controller data (including Personal Data) together with details of any third party Sub-Processors or third parties with whom the Data Processor has shared any Data Controller data.

8.3. Nothing in this agreement relieves a Data Processor of its own direct obligations under Data Protection Legislation.

9. LIABILITY

9.1. Any legal claims issued under, or in connection with, this DPA shall be subject only to the terms of this DPA and no limitations of liability or similar terms within an Agreement shall apply to the processing of Personal Data.

9.2. We shall be liable to You for any losses incurred as a result of the Data Processor’s breach of any of these terms, up to a maximum of 150% of the total value of the Agreement to which the breach is related.

9.3. Clause 9 does not in any way purport to exclude or limit Your or Our liability for fines or to Data Subjects, as arising under Data Protection Legislation.

10. GENERAL

10.1. Any queries or concerns about Our performance under this DPA should be sent to the Data Protection Officer at dpo@goassemble.com.

10.2. Any contract rights of third parties under this DPA are excluded.

10.3. If any provision of this Agreement is deemed by a court of competent jurisdiction to be invalid, void, or unenforceable, Both of Us agree that the remaining provisions of this DPA shall not be affected thereby, and that the remainder of this DPA shall remain valid and enforceable.

10.4. No waiver by either party of any term hereof shall constitute a waiver of any such term in any other case whether prior or subsequent thereto. No single or partial exercise of any power or right by either party shall preclude any other or further exercise thereof or the exercise of any such power or right under this Agreement.