Master Data Processing Agreement

Contact details

Supplier

Company Name and Company Number: SETYL LTD (with company number: 12677958)

Address: Unit 5 Glenbuck Studios, Surbiton, KT6 6BX

Email: hello@setyl.com

Customer

Company Name: X

Address: X

Email: X

Each of the parties shall be referred to as a Party or together, the Parties.

Processing details

Purpose. For the purpose of the Supplier providing Setyl's IT asset management platform, and related products and services, to the Customer.

Scope and nature of the processing. The scope of the personal data includes personal data for the purpose of providing an IT asset management platform, which will be transferred, accessed and stored in digital format by the Supplier.

Categories of data subject. Categories of personal data relate to Employees' profiles for the purpose of providing IT asset management platform.

Categories of personal data. Name, photo/avatar, job title, email, status, department, location, legal entity, join date, leave date, contract type, detection sources, employee ID, phone number, address, username, manager, personal email, notes, location type, role,assigned app licenses, managed apps, assigned assets, platform activity, password (if set), authentication data, survey responses, documents, support tickets, marketing preferences, communications with Setyl.

Duration of Processing. For the duration that the Supplier provides Setyl's IT asset management platform to the Customer. At times this duration may be extended, for example where data is required to be retained by law by Setyl Ltd.

Data Protection Officer(s). The Supplier's data protection officer is Christopher Batts.

Background

A. The Supplier is providing services to the Customer where the Supplier is required to process Customer Personal Data to fulfill the Purpose (as defined in the Contract Details).

B. This Agreement sets out the terms on which the Supplier will process the Customer Personal Data, in accordance with Data Protection Laws.

Agreed terms

1. Definitions and interpretation

1.1.

In this Agreement, unless the context otherwise requires, the following expressions have the following meanings:

Agreement: refers to this master data processing agreement and includes the Contract Details and any Schedules attached to it.

Customer Personal Data: the personal data processed by the Supplier on behalf of the Customer under this Agreement. This personal data being processed is detailed as the ‘Scope and nature of processing’, the ‘Categories of personal data’ and the ‘Categories of data subjects’ in the Contract Details at the front of this Agreement.

Contract Details: refers to the terms agreed between the Parties on the front pages of this Agreement titled “Contract Details”.

Data Protection Laws: all applicable data protection and privacy legislation in force in the United Kingdom, including but not limited to:
(i) the UK GDPR as defined in section 3(10) of the Data Protection Act 2018, and supplemented by section 205(4) (“UK GDPR”);
(ii) the Data Protection Act 2018;
(iii) and the Privacy and Electronic Communications Regulations 2003 (SI 2003 No. 2426),in each case as amended, updated or replaced from time to time, together with any guidance or codes of practice issued by the DP Regulator from time to time.

Data controller, data processor, personal data, processing and appropriate technical and organizational measures shall each have the meanings given to them in the UK GDPR.

Duration of Processing: the length of time the Supplier will process the Customer Personal Data as described in the Contract Details at the front of this Agreement.

DP Regulator: a valid supervisory authority (as defined under the UK GDPR), which in the UK is the Information Commissioner's Office.

Personal Data Breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data.

Purpose: means the purpose for processing the Customer Personal Data, as detailed in the Contract Details.

Sub-Processor(s): any processor, including any agent, sub-contractor or other third party, engaged by the Supplier (or by any other Sub-Processor) for carrying out any processing activities in respect of the Customer Personal Data.

1.2.

A person means an individual, a firm, a company, an unincorporated body or a government entity (whether or not having a separate legal identity from its members or owners) and any of its successors, permitted transferees or permitted assignees.

1.3.

Clause, schedule and paragraph headings shall not affect the interpretation of this Agreement.

1.4.

References to statutes, regulations or other legislation or enactments referenced herein shall be deemed to be references to that enactment as amended, supplemented, re-enacted or replaced from time to time.

1.5.

The words include, including and similar words or expressions will not limit the meaning of the words that come before them.

1.6.

Reference to writing or written includes e-mail but not any other form of electronic communication.

2. Data protection roles and relationship

2.1.

The Parties acknowledge that the Customer is the data controller of the Customer Personal Data uploaded, stored and/or transmitted by the Customer’s personnel via Setyl and the Supplier is the data processor of the Customer Personal Data.

2.2.

Both Parties will comply with all applicable requirements of Data Protection Laws in relation to personal data that is shared or processed under this Agreement. This Agreement does not relieve, remove or replace, a Party's obligations or rights under applicable Data Protection Laws.

3. Data processing obligations

3.1.

Each Party shall maintain records which indicate how that Party processes personal data under its responsibility. These records will contain at least the minimum information required by the Data Protection Laws and each Party shall make that information available to any DP Regulator on request.

3.2.

To the extent that the Supplier processes Customer Personal Data on behalf of the Customer, the Supplier shall:

3.2.1.

process that Customer Personal Data only on the documented instructions of the Customer, which shall include processing the Customer Personal Data to the extent necessary for the Purpose, unless the Supplier is otherwise required by applicable laws. The Supplier shall notify the Customer if its instructions infringe Data Protection Laws or other applicable laws;

3.2.2.

implement appropriate technical and organizational measures to protect against unauthorized or unlawful processing of Customer Personal Data and against accidental loss or destruction of, or damage to, Customer Personal Data, including as appropriate:

a) the pseudonymisation and encryption of Customer Personal Data;
b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
c) the ability to restore the availability and access to Customer Personal Data in a timely manner in the event of a physical or technical incident; and
d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing;

3.2.3.

maintain the confidentiality of the Customer Personal Data, not disclose the Customer Personal Data to any third party other than as authorized to do so under this Agreement and ensure that any personnel engaged and authorized by the Supplier to process Customer Personal Data have committed themselves to obligations of confidentiality;

3.2.4.

assist the Customer in responding to any request from a data subject and in ensuring the Customer's compliance with its obligations under applicable Data Protection Laws. This process shall be provided (at the Customer’s cost) and shall include:

a) recording and referring all requests and communications received from data subjects or any DP Regulator to the Customer which relate to any Customer Personal Data promptly (and in any event within five days of receipt); and
b) not responding to any such requests without the Customer’s express written approval and strictly in accordance with the Customer’s instructions unless and to the extent required by applicable law.

3.2.5.

promptly (and in any event within 24 hours):

a) notify the Customer if it (or any of the Sub-Processors or the Supplier personnel) becomes aware of any actual occurrence of any Personal Data Breach in respect of any Customer Personal Data; and
b) provide all information as the Customer reasonably requires to report the circumstances to a DP Regulator and to notify affected data subjects under Data Protection Laws.

3.3.

Where the Supplier is relying on applicable laws as the basis for processing Customer Processor Data under clause 3.2.1 above, the Supplier shall use reasonable efforts to notify the Customer of this before performing the processing required by the applicable laws unless those applicable laws prohibit the Supplier from so notifying the Customer.

Close Cookie Preference Manager
Cookie Settings
By clicking “Accept All Cookies”, you agree to the storing of cookies on your device to enhance site navigation, analyze site usage and assist in our marketing efforts. More info
Strictly Necessary (Always Active)
Cookies required to enable basic website functionality.
Made by Flinch 77
Oops! Something went wrong while submitting the form.