1. Definitions and Interpretation
1.1 "Squiz" and "Customer" have the meaning given to them in the Agreement.
1.2 For the purposes of this Data Processing Agreement (DPA) the following terms have the following meanings:
Agreement means the agreement between Squiz and the Customer, for Squiz to provide and the Customer to receive the products and services as set out in any order or statement of work signed and submitted to Squiz on behalf of the Customer and to which this DPA is an annexure;
Appropriate Safeguards means such legally enforceable mechanism(s) for transfers of Personal Data as may be permitted under Data Protection Legislation from time to time including, without limitation, the Standard Contractual Clauses, reliance on the European Commission or UK Government (as applicable) deeming the country to have an adequate level of protection and, for transfers to the USA, the EU-US Data Privacy Framework (DPF), or the UK-US extension to the DPF;
Business Contact Data means the Personal Data of each party's staff processed by the other Party under or in connection with the Agreement;
Competent Regulator shall mean the competent data protection regulator, which, by way of example, is the ICO in the United Kingdom;
Data Protection Legislation means all applicable data protection, privacy and electronic marketing legislation (including any national data protection legislation enacted under Directive 2002/58/EC, GDPR or UK GDPR together with applicable legislation implementing or supplementing the foregoing), any replacement or repealing legislation, relating to the same, each as amended from time to time;
Designated Data Officer shall mean an authorised representative of Squiz with sufficient awareness of Squiz's processing of Personal Data;
EEA means the European Economic Area;
GDPR means Regulation (EU) 2016/679;
ICO means the Information Commissioner's Office;
Member State means EU member states from time to time and Member State Law means laws implemented by such EU member states from time to time;
Personal Data means any Personal Data processed by Squiz on behalf of the Customer pursuant to the Agreement;
Restricted Transfer means a transfer of Personal Data between the parties to this DPA which, in the absence of the Standard Contractual Clauses (including as amended by the UK IDTA), would be prohibited by Data Protection Legislation;
Standard Contractual Clauses means (i) the standard contractual clauses set out in the Commission Implementing Decision (EU) 2021/914 of June 2021 on standard contractual clauses for the transfer of Personal Data to third countries pursuant to GDPR, as amended or replaced from time to time by a Competent Regulator under the relevant Data Protection Legislation or any set of clauses approved by the European Commission which amends, replaces or supersedes such standard contractual clauses, or (ii) the UK IDTA to the Standard Contractual Clauses issued by the ICO under section 119A(1) Data Protection Act 2018; as amended or replaced from time to time by a Competent Regulator under the relevant UK data protection laws;
Sub-processor means any processor appointed by Squiz to assist with Squiz's processing of Personal Data;
UK GDPR means the GDPR as incorporated into the laws of the United Kingdom;
UK IDTA means the International Data Transfer Addendum to the Standard Contractual Clauses issued by the UK Information Commissioner under section 119A(1) Data Protection Act 2018;
Union means the European Union; and
You means Customer (also referred to as the Customer) named in any order or statement of work submitted to Squiz.
1.3 For the purposes of this DPA the terms controller, data subject, personal data, personal data breach, process, processing, processor and pseudonymisation shall have the meanings attributed to them in Article 4 of GDPR and/or UK GDPR.
1.4 Where the Customer and Squiz have more than one agreement, references to the Agreement shall be to all agreements in place between the parties under which Squiz processes Personal Data on behalf of the Customer.
1.5 Use of the terms include or including shall be construed without limiting the generality of the words preceding those terms.
1.6 References to clauses are to clauses of this DPA.
2. Acknowledgement of Roles and Responsibilities
2.1 The parties hereby acknowledge that the Customer is the controller and Squiz is the processor in respect of Personal Data.
2.2 The parties hereby acknowledge that both the Customer and Squiz are independent controllers of the Business Contact Data for the purpose of managing the business relationship.
2.3 The parties acknowledge that Squiz processes Personal Data as processor as part of the provision of services under the Agreement. Each of the Customer and Squiz shall comply with their respective obligations in the Data Protection Legislation in the performance of the Agreement. The parties confirm that they shall process Personal Data as set out in the annexure to this DPA.
3. Squiz's Data Processing Obligations
3.1 Except as set out in clause 3.3, Squiz shall, and shall ensure that any natural person acting under its authority shall:
3.1.1 only process Personal Data as is necessary to fulfil its obligations under the Agreement or in accordance with the Customer's express written instructions from time to time, and shall not process Personal Data for any other purposes except where required to do so by law, in which case Squiz shall inform the Customer of that legal requirement before such processing, unless that law prohibits such information on important grounds of public interest;
3.1.2 ensure that all such persons and parties involved with the processing of Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
3.1.3 be generally authorised to engage Sub-processors to process Personal Data. The Customer authorises Squiz to engage Sub-processors in accordance with this clause 3 and subject to Squiz meeting the following obligations with respect to each Sub-processor:
i. enter into a written contract with each Sub-processor on terms which are the same as or substantially similar to this DPA;
ii. ensure that each Sub-processor provides sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of Data Protection Legislation and this DPA; and
iii. remain responsible for its Sub-processor's compliance with the obligations of this DPA.
In the case of general authorisation, Squiz shall inform the Customer of any intended changes concerning the addition or replacement of other Sub-processors, thereby giving the Customer the opportunity to object to such changes within 30 working days. The Customer may, on request, obtain a list of current Sub-processors by contacting Squiz at privacy@legal.squiz.net;
3.1.4 provide reasonable assistance to the Customer to enable the Customer to comply with its obligations under Data Protection Legislation in respect of Personal Data, including assisting the Customer in complying with its processes in order to give effect to a data subject's rights under the Data Protection Legislation including requests to amend, transfer or delete Personal Data (such data, if transferred, to be provided in a commonly used electronic form);
3.1.5 at the end of the duration of the Agreement, promptly delete or return to the Customer (at the Customer's discretion) all Personal Data (unless applicable law to which Squiz or a Sub-processor (as applicable) is subject requires storage of the Personal Data) and, if requested, provide written notice to the Customer to confirm that such deletion or return has been completed;
3.1.6 in the event that Squiz receives any complaint, notice or communication (from either a Competent Regulator or a data subject) which relates directly or indirectly to the processing of Personal Data or to either party's compliance with Data Protection Legislation, Squiz shall notify the Customer without undue delay (and in any event in not less than 48 hours) and it shall provide the Customer and any Competent Regulator (if applicable) with full co-operation and assistance in relation to any such complaint, notice or communication;
3.1.7 not disclose Personal Data to any data subject or to a third party other than as set out in this DPA or at the request of, or with the written consent of the Customer, unless notification is required by law to which Squiz is subject;
3.1.8 notify the Customer without undue delay (and in any event in not less than 48 hours) upon becoming aware of any accidental, unauthorised or unlawful processing, disclosure, loss of, access to, damage to, or destruction of any Personal Data, with sufficient information to allow the Customer to meet any obligations to report a personal data breach to an individual or supervisory authority under Data Protection Legislation;
3.1.9 cooperate with the Customer and take such reasonable commercial steps as directed by the Customer to assist in the investigation, mitigation and remediation of a personal data breach;
3.1.10 implement and maintain appropriate technical and organisational measures to ensure a level of security of the Personal Data appropriate to the risks that are presented by the processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data transmitted, stored or otherwise processed, and shall take all measures required pursuant to Article 32 GDPR and/or UK GDPR.
3.2 In the event that the Customer determines that any processing activity related to Squiz's processing of Personal Data is likely to result in high risk to the rights and freedoms of a data subject, Squiz shall reasonably co-operate with the Customer (if requested by the Customer) in conducting a data protection impact assessment and prior consultation with a supervisory authority in respect of such processing activity, as set out in the GDPR and/or UK GDPR. Squiz shall be entitled to have its reasonable costs in relation to such assistance it gives a controller reimbursed under this paragraph 3.2.
3.3 Squiz is permitted to process the Personal Data other than as set out in Clause 3.1 only to the extent required by Union or Member State Law to which Squiz is subject, and will inform the Customer if such processing is required, including any details of the legal requirement, where possible before processing, unless prohibited from doing so by aforementioned applicable law.
3.4 During the term of the Agreement, Squiz shall appoint a Designated Data Officer who shall act as a readily available point of contact for the Customer and who shall have as part of his/her responsibilities the obligation to respond to the Customer's queries in respect of Squiz's processing of Personal Data. Squiz shall notify Customer of the contact details of the Designated Data Officer as soon as practicable. If at any time Squiz is required under GDPR and/or UK GDPR or otherwise to appoint a Data Protection Officer (DPO) (as defined in the Data Protection Legislation), then references in this DPA to a Designated Data Officer shall be considered to be references to such DPO.
4. Processing Review
4.1 Squiz shall keep at its normal place of business detailed, accurate and up-to-date records (whether in electronic form or hard copy) relating to the processing of Personal Data by Squiz and to the measures taken by Squiz under Clause 3.1.10 (the "Records").
4.2 Squiz shall permit the Customer and its third-party representatives, on at least one week's notice and during normal business hours to:
4.2.1 gain access to, and take copies of, the Records and any other information held at Squiz's premises or on Squiz's computer systems; and
4.2.2 inspect all Records, documents and electronic data and Squiz's computer systems, facilities and equipment (so far as they relate to the Customer and the Personal Data),
for the purpose of auditing Squiz's compliance with its obligations under this DPA. Such audit rights may be exercised only once in any calendar year during the term of the Agreement.
4.3 Squiz shall give reasonable assistance to the conduct of any such audits and the Designated Data Officer shall be present throughout any audit.
4.4 Audit access by any third party representative of the Customer shall be subject to such representative agreeing to confidentiality obligations in respect of the information obtained, provided that all information obtained may be disclosed to the Customer.
5. International transfers
5.1 The Customer agrees that Squiz may transfer Personal Data to countries outside the EEA or United Kingdom, or to any international organisation, provided that:
5.1.1 all such transfers shall be effected in accordance with Data Protection Legislation;
5.1.2 Squiz has given prior notice to Customer of the intended transfer;
5.1.3 all such transfers shall (to the extent required under Data Protection Legislation) be effected by way of Appropriate Safeguards.
5.2 In respect of any Restricted Transfer subject to the GDPR which takes place between the parties to the Agreement, the parties hereby enter into Module 2 of the Standard Contractual Clauses (with Customer and each applicable Affiliate as data exporter and Squiz as data importer), which is hereby incorporated by reference into this DPA and which shall come into effect upon the commencement of a relevant Restricted Transfer. The parties make the following selections for the purposes of Module 2:
(a) clause 7 (docking clause): shall apply;
(b) clause 9 (use of sub-processors): Option 2 shall apply and the "time period" shall be 30 days;
(c) clause 11(a) (redress): the optional language shall not apply;
(d) clause 13(a) (supervision): option (i) or (ii) applies depending on whether Customer is established in the Union:
(i) where Customer or its Affiliate is established in an EU Member State, the following shall apply: "The supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer shall be the supervisory authority of the Member State in which Customer or Customer Affiliate is established or (if different) the lead supervisory authority of Customer in respect of a cross-border processing activity";
OR
(ii) where Customer or its Affiliate is not established in an EU Member State, but falls within the territorial scope of application of the GDPR in accordance with Article 3(2) and has appointed a representative pursuant to Article 27(1) of the GDPR the following shall apply: "The supervisory authority of the Member State in which the representative within the meaning of Article 27(1) of Regulation (EU) 2016/679 is established, namely the Republic of Ireland, shall act as competent supervisory authority.";
(e) clause 17 (governing law): "Option 1" shall apply and the "Member State" shall be the Republic of Ireland;
(f) clause 18 (choice of forum and jurisdiction): the Member State shall be the Republic of Ireland;
(g) Annex 1: the data exporter is Customer or its Affiliate and the data importer is Squiz (in each case as identified, including in relation to their places of establishment, in this Agreement) and the processing operations are deemed to be those described in Annex 1 to this DPA;
(h) Annex 2: the technical and organisational security measures are deemed to be as described in Annex 2 to this DPA; and
(i) Annex 3: not applicable.
5.3 In respect of any Restricted Transfer subject to the UK GDPR, the provisions of clause 5.2 shall apply, except that the Standard Contractual Clauses shall be supplemented and modified by the provisions of the UK IDTA, which is hereby incorporated by reference into this DPA and which shall come into effect upon the commencement of a relevant Restricted Transfer. For the purposes of the UK IDTA, the parties agree that the information required for the purposes of Part 1 (Tables) of the UK IDTA is set out in Annex 1 and Annex 2 to this DPA, except that for the purposes of Table 4 of Part 1 the parties select the “Exporter” option.
5.4 The provisions of this clause 5 shall constitute the Customer’s documented instructions with respect to transfers outside the EEA, United Kingdom or to any International Organisation in accordance with clause 3.1.1.
6. Survival
6.1 Clauses 3.1.1, 3.1.4, 3.1.5, 3.1.8, 4.1, 6 and 7 shall survive the termination or expiry of this DPA.
7. Notification
7.1 Notification to be provided to the Customer under this DPA, including (without limitation) pursuant to Clause 3.1.7, shall be provided by email to privacy@legal.squiz.net.
8. General
8.1 It is not envisaged that Squiz will be supplying any Personal Data to the Customer under the Agreement. However, in the event that such Personal Data is provided, the Customer confirms that it will comply with its obligations as a processor under the GDPR and/or UK GDPR as if they were set out in full in this agreement and will enter into a long form agreement incorporating such provisions if required by Squiz.
8.2 In the event of any conflict between the terms of this DPA and any provision of the Agreement, this DPA shall take precedence.
8.3 Where the Customer and Squiz are involved in the same processing and either the Customer or Squiz has, in accordance with paragraph 4 of Article 82 of the GDPR and/or UK GDPR, paid compensation for any damage caused by that processing, then that party shall be entitled to claim back from the other party such part of the compensation as corresponds to the other party’s share of responsibility for the damage.
8.4 The Customer shall pay any reasonable costs (including for internal and any third party costs) and expenses incurred by Squiz in meeting the Customer’s requests made which are beyond the obligations required by Article 28 GDPR and/or UK GDPR.
8.5 A person who is not a party to this DPA may not enforce any of its terms under the Contracts (Rights of Third Parties) Act 1999.
8.6 This DPA is governed by and will be construed in accordance with laws of England and Wales and the parties will be subject to the exclusive jurisdiction of the English courts.
8.7 This DPA may be executed in one or more counterparts, each of which shall be deemed an original, but all of which together shall constitute one and the same instrument.
Annex 1: Details of processing Personal Data
This Annex 1 includes certain details of the processing of Personal Data as required by Article 28(3) GDPR and/or UK GDPR.
Subject matter and duration of the processing of personal data
The provision of the services as set out in the Agreement by Squiz to the Customer ("Services").
The duration of the processing will be the term required for the provision of the Services by Squiz to the Customer.
The nature and purpose of the processing of personal data
Squiz processes Personal Data in order to provide the Services to the Customer in accordance with the Agreement.
The categories of data subject to whom the personal data relates
[Parties to confirm but could include the following:]
- [employees / HR
- clients
- suppliers and business contacts]
Customers' obligations and rights
Customers' rights and obligations are set out in this DPA.
Annex 2: Technical and Organisational Measures
Below is a summary of some of the key technical and organisational security measures in place within Squiz and imposed on Sub-processors. Further detailed information can be obtained by contacting the Squiz Designated Data Officer:
- Sensitive data is encrypted at rest and in transit.
- Squiz is a cloud-first company, and only uses cloud services that have adequate security accreditations and conduct penetration tests at least annually.
- Squiz does not store or process personal information in IT systems hosted in any office location.
- Security patches are installed following a documented security patch management process.
- Anti-malware controls are used to help avoid malicious software gaining unauthorised access to Personal Data.
- Data backup and restoration processes are in place to help ensure the ongoing availability of Personal Data.
- Log files are maintained which record access and use of information systems containing Personal Data.
- Role-based access permissions are used, and access to Personal Data is granted on a principle of least privilege basis.
- Industry standard practices are used to identify and authenticate users who attempt to access network or information systems.
- Information security and data protection training is provided for all relevant employees, contractors and consultants.
- Employees are subject to written confidentiality obligations.
- Physical access to data processing facilities is secured through manned reception areas, access keys, CCTV or other access control devices.
- Media and printed materials that contain Personal Data are securely disposed of.
- Users are required to immediately notify actual or suspected data security incidents to a dedicated point of contact.
- Communication services are reserved for business purposes, with only incidental personal use permitted.
- There are dedicated points of contact responsible for dealing with reports of information security breaches or failures.
- An incident management process is in place for security and data incidents concerning the confidentiality, integrity, availability and privacy of data; it includes preparation, detection and analysis, containment, eradication, recovery and post-incident activity.