This Data Processing Agreement (“Agreement”) forms part of the Swoop Terms of Service between Swoop and you (the “Terms of Service”). Capitalized terms used in this Agreement that are not defined herein have the meaning ascribed to such term in the Terms of Service.
(A) In all cases under the Terms of Service and in connection with your use of the Services, you act as the “Data Controller.”
(B) In certain instances, Swoop may have access to Personal Data in connection with the performance of the Service, in which case Swoop will act as a “Data Processor.”
(C) The parties hereto seek to implement a data processing agreement that complies with the requirements of the current Data Protection Laws, namely Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
(D) The parties hereto wish to lay down their rights and obligations.
IT IS AGREED AS FOLLOWS:
- Definitions and Interpretation
1.1 Unless otherwise defined herein, capitalized terms and expressions used in this Agreement shall have the following meaning:
1.1.1 “Agreement” means this Data Processing Agreement and all Schedules;
1.1.2 “Data Protection Laws” means EU Data Protection Laws;
1.1.3 “EEA” means the European Economic Area;
1.1.4 “EU Data Protection Laws” means EU Directive 95/46/EC, as transposed into domestic legislation of each Member State and as amended, replaced or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR;
1.1.5 “GDPR” means EU General Data Protection Regulation 2016/679;
1.1.6 “Data Transfer” means:
1.1.6.1 a transfer of Personal Data from you and Swoop; or
1.1.6.2 an onward transfer of Personal Data from Swoop to a Subprocessor,
in each case, where such transfer would be prohibited by Data Protection Laws (or by the terms of data transfer agreements put in place to address the data transfer restrictions of Data Protection Laws);
1.1.7 “Personal Data” means any Personal Data Processed by a Data Processor on behalf of Data Controller pursuant to or in connection with the Service;
1.1.8 “Subprocessor” means any person appointed by or on behalf of Data Processor to process Personal Data on behalf of Data Controller in connection with the Service.
1.2 The terms, “Commission”, “Controller”, “Data Subject”, “Member State”, “Personal Data”, “Personal Data Breach”, “Processing” and “Supervisory Authority” shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.
- Processing of Personal Data
2.1 Swoop, as the Data Processor, shall:
2.1.1 comply with applicable Data Protection Laws in the Processing of Personal Data; and
2.1.2 not Process Personal Data other than on your relevant documented instructions, which are found in the Terms of Service and by your use of the Service.
2.2 By your use of the Service, you instruct Swoop to process Personal Data.
- Processor Personnel
Swoop will take commercially reasonable steps to ensure the proper handling of Personal Data, ensuring in each case that access is limited to those individuals who need to know/access the relevant Personal Data, as necessary for the purposes of the provision of the Service, and to comply with Applicable Laws in the context of that individual’s duties to you, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.
4.1 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Swoop shall in relation to the Personal Data implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk.
5.1 You agree to the engagement by Swoop of subcontractors necessary for Swoop to provide the Services subject to the implementation of an agreement by such subcontractor in accordance with Article 28 paragraphs 2-4 of the GDPR. A list of subcontractors can be provided upon request.
- Data Subject Rights
6.1 Taking into account the nature of the Processing, Swoop will assist you by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of your obligations, as reasonably understood by you, to respond to requests to exercise Data Subject rights under the Data Protection Laws.
6.2 Swoop shall:
6.2.1 promptly notify you if it receives a request from a Data Subject under any Data Protection Law in respect of Personal Data; and
6.2.2 ensure that it does not respond to that request except on the documented instructions of you or as required by Applicable Laws to which Swoop is subject, in which case Swoop will to the extent permitted by Applicable Laws inform you of that legal requirement before Swoop or any Swoop subcontractor responds to the request.
- Personal Data Breach
7.1 Swoop will notify you as promptly as commercially practicable upon becoming aware of a Personal Data Breach affecting Personal Data, providing you with sufficient information to allow you to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Data Protection Laws.
7.2 Swoop shall co-operate with you and take reasonable commercial steps as are directed by you to assist in the investigation, mitigation and remediation of each such Personal Data Breach.
- Data Protection Impact Assessment and Prior Consultation
Swoop shall provide reasonable assistance to you with any data protection impact assessments by Supervising Authorities or other competent data privacy authorities, which you reasonably consider to be required by article 35 or 36 of the GDPR or equivalent provisions of any other Data Protection Law, in each case solely in relation to Processing of Personal Data by, and taking into account the nature of the Processing and information available to, Swoop.
- Deletion or return of Personal Data
9.1 Subject to this section 9, Swoop shall promptly and in any event within 30 days of the date of cessation of any Services involving the Processing of Personal Data (the “Cessation Date”), delete and procure the deletion of all copies of those Personal Data.
9.2 Swoop shall provide written certification to you that it has fully complied with this section 9 within 10 business days of the Cessation Date.
- Audit rights
10.1 Subject to this section 10, Swoop shall make available to you on request information legally required by applicable Data Protection Laws to demonstrate compliance with this Agreement, and shall, upon not less than 60 days prior written notice not more than once per any 12 month period, allow for and contribute to a security audit by you or an independent auditor, which must be mutually acceptable to Swoop, strictly to confirm Swoop’s compliance with applicable Data Protection Laws relating to the Processing of Personal Data by Swoop. In no event will any audit or inspection have access to the general books and records of Swoop, including any financial or shareholder information.
10.2 Information and audit rights only arise under section 10.1 to the extent that the Agreement does not otherwise give them information and audit rights meeting the relevant requirements of Data Protection Law.
- Data Transfer
11.1 Swoop may not transfer or authorize the transfer of Data to countries outside the EU and/or the European Economic Area (EEA) without your prior written consent. If personal data processed under this Agreement is transferred from a country within the European Economic Area to a country outside the European Economic Area, the parties shall ensure that the personal data are adequately protected. To achieve this, the parties shall, unless agreed otherwise, rely on EU approved standard contractual clauses for the transfer of personal data.
- General Terms
12.1 Confidentiality. Each party must keep this Agreement and information it receives about the other party and its business in connection with this Agreement (“Confidential Information”) confidential and must not use or disclose that Confidential Information without the prior written consent of the other party. The provisions of this Section 12 are supplemental to and do not supersede or replace the confidentiality provisions contained in the Terms of Service.
12.2 Notices. All notices and communications given under this Agreement must be in writing and will be delivered personally, sent by post or courier, or sent by email to the last address or email address provided by either you or Swoop from time to time during the term of this Agreement.