Data Processing Provisions between YUDU Ltd (Licensor) and our Customers


Version 1.0 - 26th April 2018

The objective of this agreement is to define the data protection obligations of the Licensor and the Customer with respect to data protection legislation for the UK and EU. It is an addendum to the data protection provisions of all previously signed agreements between the Licensor and Customer and replaces all previous data protection clauses.

1.1 In this provision, the terms:

  • 1.1.1 “Customer Data” means any personal data provided by or on behalf of the Customer to the Licensor or otherwise collected by the Licensor on behalf of the Customer pursuant to this Agreement;
  • 1.1.2 “Commencement Date” means the agreed date set out in 1.9 below;
  • 1.1.3 “Data Controller”, “data processor”, “personal data”, “joint controller”, “data subject” and “processing” shall be as defined in the Data Protection Legislation;
  • 1.1.4 “Data Protection Legislation” means (i) prior to 25 May 2018 the UK Data Protection Act 1998 and the Data Protection Directive (95/46/EC) and (ii) on and after 25 May 2018, EU Regulation 2016/679 (“GDPR”) or any equivalent or similar legislation implemented in the United Kingdom following the United Kingdom's withdrawal from the European Union;
  • 1.1.5 “Data Protection Officer” (DPO) means the Licensor’s DPO.
  • 1.1.6 “Data Subject” is any identified or identifiable natural person, whose personal data is processed by the controller responsible for the processing.
  • 1.1.7 “Security Breach” means any breach of security leading to, or reasonably believed to have led to, the accidental or unlawful destruction, loss, alteration, damage, unauthorised disclosure of or access to the Customer Data.
  • 1.1.8 “Services” shall be those services listed in Appendix 2.

1.2 Each party agrees that it will at all times comply with all requirements applicable to it under the Data Protection Legislation.

1.3 For the purposes of the Data Protection Legislation, the Licensor is the Processor of the Customer Data and the Customer is the Controller of the Customer Data.

1.4 The Licensor shall only process the Customer Data (i) in accordance with the written instructions of the Customer or set out in agreements between the Customer and the Licensor (including this Agreement) or (ii) where required to do so by applicable law.

1.5 The Licensor shall, in addition to the measures put in place by the Customer, implement and maintain all appropriate technical and organisational security measures: (i) to ensure a level of security appropriate to the risk to the Customer Data when it is processed by the Licensor and (ii) to assist the Customer in the fulfilment of its obligations to respond to requests from data subjects exercising their rights under the Data Protection Legislation.

1.6 The Licensor shall:

  • 1.6.1 provide all assistance to the Customer as is reasonably requested to enable the Customer to comply with its obligations pursuant to the Data Protection Legislation;
  • 1.6.2 take all reasonable steps to ensure that access to the Customer Data is limited to those personnel who require access to it for the purpose of complying with the Licensor’s obligations under this Agreement and that such personnel are bound by enforceable obligations of confidentiality;
  • 1.6.3 not process or host the Customer Data outside of the European Economic Area (or permit the Customer Data to be so processed or transferred) unless it has obtained the Customer’s prior written consent;
  • 1.6.4 following the end of the provision of the Services or at the Customer's request, return to the Customer (or permanently delete, at the sole discretion of the Customer) all Customer Data (including copies) in the Licensor's possession or control, save where required to retain such Customer Data by applicable law; and
  • 1.6.5 allow the Customer and/or the Customer’s representatives, on reasonable notice to the Licensor, to conduct audits (including inspections) of all data processing facilities, procedures, documentation and other matters required to demonstrate compliance with the Data Protection Legislation and this Agreement. Without prejudice to the foregoing, the Licensor shall contribute to such audits in a reasonable manner, and provide all information reasonably necessary to demonstrate compliance with the Data Protection Legislation.
  • 1.6.6 follow the post-incident procedures as set out in Appendix 3.

1.7 The Licensor agrees that it shall not engage a sub-contractor to handle or process Customer Data without the prior written consent of the Customer (not to be unreasonably withheld or delayed). Where a sub-contractor is engaged, the Licensor shall remain liable to the Customer in respect of any breach of this agreement that is caused by an act, error or omission of such sub-contractor.

1.8 The Licensor agrees to comply with the provisions set out in Art. 30 (Records of Processing Activities) of the General Data Protection Legislation.

1.9 The Commencement Date shall be 25th May 2018 and the agreement will remain in force unless the Services in Appendix 2 are terminated.

2.0 The Licensor shall indemnify and keep indemnified the Customer against all losses arising from any breach by the Licensor or any sub-processor of this Agreement and/or as a result of any bona fide claim made or brought by an individual or other legal person in respect of any loss, damage or distress caused to them as a result of the Licensor’s unauthorised processing, unlawful processing, unauthorised or unlawful destruction of and/or damage to any Customer Data.

2.1 The Customer agrees to reimburse the Licensor for any investigations, report generation or time consumed by the Licensor’s personnel in responding to a request from the Customer following a breach or error by the Customer in their capacity as Data Controller. Fees are set out in Appendix 3.

2.2 The scope of data covered by this agreement is listed in Appendix 1.

2.3 This Agreement shall be amended from time to time to reflect any changes in law. Any material changes to this agreement will be communicated to existing clients and a notice and date of the amendment made on this site.

2.4 This Agreement supersedes all prior Data Protection Clauses in prior Agreements and oral or written arrangements on data protection agreed between the parties.

2.5 The Customer in its capacity as Data Controller agrees to abide by the provisions of the Data Protection Legislation.

2.6 This Agreement, and all disputes and claims arising out of or in connection with it, shall be governed by, and construed in accordance with, English law. Each party irrevocably agrees to submit to the exclusive jurisdiction of the English courts as regards any claim or matter arising under or in connection with it.

2.7 Force Majeure. Neither party shall be liable for any loss or delay resulting from any force majeure event, including, but not limited to, acts of God, fire, natural disaster, terrorism, labor stoppage, war or military hostilities or criminal acts of third parties, providing that the foregoing shall not operate to excuse any failure to pay any amounts when due.



Appendix 1

Personal data stored by the Licensor:

This agreement defines three categories of Customer Data which the Licensor shall store on behalf of the Customer:

    A) Authentication data for Data Subjects accessing content published by the Customer using the Licensor’s software (‘subscribers’), such as mobile apps and internet-based content displayed using the Licensor’s software. This data includes Data Subject names, e-mail addresses, and non-mandatory data provided by the Customer on behalf of the Data Subject.

    B) Authentication data for Data Subjects using the Licensor’s software to publish content on behalf of the Customer (‘publishers’). This data includes Data Subject names, e-mail addresses, and non-mandatory data provided by the Data Subject.

    C) Opt-in survey / questionnaire / e-mail data from mobile apps or web-based content, provided by Data Subjects on a non-mandatory basis.

Only Licensor personnel who have undergone training in GDPR and have signed confidentiality agreements will have access to the Customer Data.

Nature of processing activities by the Licensor:

Primary processing activities are i) to store the data, make it available to the Customer and allow the Customer and/or their automatic systems to add, update and delete the data; ii) to authenticate and authorise Data Subjects for access to the Customer’s content and/or the Licensor’s software; and iii) to send push notifications to Data Subjects as agreed with the Customer to advise on new content or services.

Permissions are granted by the Processor to Customer nominated persons to control and manage the Data Subjects.

The above provisions will not apply to bespoke contracts and specialist services that will be governed by separate agreements.

YUDU Mailing provisions are set out separately for each YUDU Mailing client.



Appendix 2. Services

The Services are defined as those provided by the Licensor to the Customer as set out in current and future signed agreements, written instructions or oral instructions for the provision of online digital services.



Appendix 3

Post Incident procedures

In the event of a security breach as defined by the Data Protection Legislation, or any such event that may impact on the Customer Data, the Licensor will, upon discovery, notify the Customer without undue delay and in any event within 48 hours.

The Customer and Licensor will formulate and agree a breach management plan upon notification of a breach.

In the event that any Customer Data is stolen, subjected to unauthorised access or is lost, becomes damaged, corrupted, destroyed or unusable, the Licensor shall use its best endeavours to restore Customer Data promptly.

In the event that the Data Controller has made an error, is subject to an investigation, or requires support due to a failure in their role as Data Controller, the Licensor agrees to provide the support required in a timely fashion at an hourly rate of £600/man/day with payment in accordance with YUDU’s standard terms and conditions of sale.

Notifications

The DPO will notify the Customer of a breach or data incident by email to the nominated Customer recipients advised by the Customer.

The DPO will notify the Customer within two working days of receipt of any data request or complaints regarding the processing of Customer Data from a Data Subject.

Notifications that amend this agreement will be communicated to existing clients and a notice and date of the amendment made on this site.