This page contains the following information:
1: GDPR Compliance Statement
3: Cookies Policy
5: Data Processing Agreement
GDPR Compliance Statement
IntroductionThe EU General Data Protection Regulation (“GDPR”) came into force on 25 May 2018.The new Regulation aims to standardise data protection laws and processing across the EU, giving people greater rights to access and control their personal information.
Our Commitment: Envolve Technology Limited are committed to ensuring protection of all personal information that we hold, and to provide and to protect all such data. We recognise our obligations in updating and expanding this program to meet the requirements of GDPR.Envolve Technology Limited are dedicated to safeguarding the personal information under our control and in maintaining a system that meets our obligations under the new regulations. Our practice is summarised below.
How We Prepared for GDPR: Envolve Technology Limited already have a consistent level of data protection and security across our organisation, but we have introduced new measures to ensure compliance.Information Audit — We carried out an audit of information previously held and ensured that it was compliant with the new regulations.Policies and Procedures — we have revised data protection policies and procedures to meet the requirements and standards of the GDPR and any relevant data protection laws, including:Data Protection – our main policy and procedure document for data protection has been revised to meet the standards and requirements of the GDPR. Accountability and governance measures are in place to ensure that we understand and adequately disseminate and evidence our obligations and responsibilities; with a dedicated focus on privacy and the rights of individuals.Data Retention and Erasure – we have updated our retention policy and schedule to ensure that we meet the “data minimisation” and “storage limitation” principles and that personal information is stored, archived and destroyed in accordance with our obligations. We have procedures in place to meet the new “Right to Erasure” obligation.Data Breaches – our procedures ensure that we have safeguards in place to identify, assess, investigate and report any personal data breach as early as possible. Our procedures have been explained all employees.International Data Transfers and Third-Party Disclosures – where Envolve Technology Limited stores or transfers personal information outside the EU, we have robust procedures in place to secure the integrity of the data. Our procedures include a continual review of the countries with sufficient adequacy decisions, as well as binding rules, or standard data protection clauses for those countries without.Subject Access Request (SAR) – we have revised our SAR procedures to accommodate the revised 30-day timeframe for providing the requested information and for making this provision free of chargePrivacy Notice/Policy – we have revised our Privacy Notice(s) to comply with the GDPR, ensuring that all individuals whose personal information we process have been informed of why we need it, how it is used, what their rights are, who the information is disclosed to and what safeguarding measures are in place to protect their information.Obtaining Consent – we have revised our consent mechanisms for obtaining personal data, ensuring that individuals understand what they are providing, why and how we use it and giving clear, defined ways to consent to us processing their informationDirect Marketing – we have revised the wording and processes for direct marketing, including clear opt-in mechanisms for marketing subscriptions; a clear notice and method for opting out and providing unsubscribe features on all subsequent marketing materials.Data Protection Impact Assessments (DPIA) – where we process personal information that is considered high risk, we have developed stringent procedures for carrying out impact assessments that comply fully with the GDPR’s Article 35 requirements. We have implemented documentation processes that record each assessment, allow us to rate the risk posed by the processing activity and implement mitigating measures to reduce the risk posed to the data subject(s).Processor Agreements – where we use any third-party to process personal information on our behalf (ie Payroll, Recruitment, Hosting, etc), we have drafted compliant Processor Agreements and due diligence procedures for ensuring that they meet and understand their/our GDPR obligations.
Data Subject Rights: We provide easy-to-access information via our website of an individual’s right to access any personal information that Envolve Technology Limited processes about them and to request information about:what personal data we hold about them the purposes of the processing the categories of personal data concerned the recipients to whom the personal data has/will be disclosed how long we intend to store your personal data for the right to have incomplete or inaccurate data about them corrected or completed and the process for requesting this the right to request erasure of personal data (where applicable) or to restrict processing in accordance with data protection laws, as well as to object to any direct marketing from us and to be informed about any automated decision-making that we use the right to lodge a complaint or seek judicial remedy and who to contact in such instances.
When handling personal data for any reason pursuant to any agreement with Envolve, all parties shall adhere at all times to the provisions of the Data Protection Act 1998, as amended from time to time, and all other applicable legislation, including, but not limited to, the Privacy and E-Commerce Regulations 2003. Each party shall use all reasonable commercial endeavours to ensure that any third party database list used in connection with the Services is accurate and complies with all applicable laws.
Information Security and Technical and Organisational Measures: Envolve Technology Limited takes the privacy and security of individuals and their personal information very seriously and take every reasonable measure to protect and secure the personal data that we process. We have robust information security policies and procedures in place to protect personal information from unauthorised access, alteration, disclosure or destruction.
GDPR Roles and Employees: Envolve Technology Limited have designated Emma Smith as our Data Protection Officer (DPO)/Appointed Person and have appointed a data privacy team to develop and implement our roadmap for complying with the new data protection Regulation. The team are responsible for promoting awareness of the GDPR across the organisation, assessing our GDPR compliance, identifying any gap areas and implementing the new policies, procedures and measures.Envolve Technology Limited understands that continuous employee awareness and understanding is vital to the continued compliance of the GDPR and have involved our employees in our preparation plans.If you have any questions about our GDPR compliance policies, please contact Emma Smith on email@example.com
Envolve Technology Limited (“Envolve”, “we” and “us”) are committed to protecting and respecting your privacy.
For the purpose of the EU General Data Protection Regulation (“GDPR”) 25 May 2018 and the Data Protection Act 1998 as may be amended or replaced from time to time (“the Act”) and save as otherwise expressly stated, the data controller for data that we collect is Envolve Technology Limited c/o Excalibur House, Newport, NP18 2HJ VAT Number: 200 854345.
Information we may collect from you
We may collect and process the following data about you:
Information that you provide to us
This includes without limitation when you participate in a conversation with a business through our widget placed on their website or social media account (“Site”) of one of our customers (“Business”) or participate in any of the activities of that Business, when you complete a user profile, when you subscribe to one of our Business hosting or related services, when you participate in conversations or any other social media functions on that Site from time to time, when you enter a competition, promotion or survey, when you post material on or through our Site, when you respond to a request for information which we may use for our internal research purposes or to evaluate our services when you report a problem with the widget on the Site or social account, or when you contact us for any other reason.
The information you give us may include your name, address, e-mail address and phone number, financial, credit card information or other details relating to any transaction carried out through the widget on one of our customers sit Site, personal descriptions, photograph, opinions etc.
Information we collect about you
With regard to each of your visits to our Site or to any Business we may automatically collect the following information:
- technical information, including without limitation the Internet protocol (IP) address, browser type and version, time zone setting, operating system and platform; and
- information about your visit, including without limitation the full Uniform Resource Locators (URL) clickstream to, through and from our Site (including date and time); products you viewed or searched for; page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouse-overs), methods used to browse away from the page and any phone number used to call our customer service number; traffic data, location data, webblogs and other communication data, whether this is to predict your preferences or required for our own billing purposes or otherwise and the resources that you access.
This above is statistical data about your browsing actions and patterns, and does not identify you as an individual.
Information we receive from other sources
We may receive or access information about you and your participation in a Business from the customer on whose behalf we are hosting that Business. We will not share this information with any other Business. Such information will be aggregated and anonymised so that it does not identify you as an individual and may be used by us for analytics and other business purposes, including selling such anonymised and aggregated information to third parties.
We may receive information about you if you use any of the other websites we operate or the other services we provide. In this case we will have informed you when we collected that data that it may be shared internally and combined with data collected on this Site. We also work closely with third parties from time to time (including, for example, business partners, sub-contractors in technical, payment and delivery services, advertising networks, analytics providers, search information providers, credit reference agencies) and may receive information about you from them.
Where we store your personal data
The transmission of information via the Internet is not completely secure and you do so at your own risk. For example, if you engage with a a Business via our technology on their Site you may be able to send emails using our third party provider’s Internet based email tool. We cannot guarantee the security or confidentiality of any data transmitted to or via our Site and we do not accept any liability for this. Once we have received any information you supply on our Site, we will however use reasonable endeavours to protect any personal data held on our Site and will use strict procedures and security features to try to prevent unauthorised access.
Uses made of the information
Your information will be used for a wide range of purposes, including but not limited to,:
- To provide you with our products and services and to ensure that the content and services that we offer are tailored to your needs and interests;
- To allow you to engage with a Businesses, blogs and other interactive features of our service and to post information or other online content (such as photos, videos, audio recordings);
- To send you informational and promotional content that you may choose (or “opt in”) to receive. You can stop receiving our promotional emails by following the unsubscribe instructions included in every email;
- To ensure that content from the businesses widget on their Site is presented in the most effective manner for you and for your computer;
- To process your order transactions and contact you regarding any order;
- To bill and collect money owed to us. This includes sending you emails, invoices, receipts, notices of delinquency, and alerting you if we need a different credit card number. We use third parties for secure credit card transaction processing, and we send billing information to those third parties to process your orders and credit card payments;
- To carry out our obligations arising from any contracts entered into between you and us;
- For administration, accounting, marketing, research and development and quality assurance purposes including to monitor and report on the Services and to analyse Customer and user behaviours and trends.
- To support and improve the Site and the products and services we offer;
- To respond to your requests or follow up with you after you have provided information to us and to communicate with you about your account;
- To provide customer support;
- To provide information to representatives and advisors, for example lawyers and accountants, to help us comply with legal, accounting, or security requirements.
- To prosecute and defend a court, arbitration, or similar proceeding;
- To transfer your information in the case of a sale, merger, consolidation, or acquisition. We will notify you of the change either by sending you an email or posting a notice on our Site;
We may combine information we collect from third parties with information you give to us and information we collect about you. We may us this information and the combined information for the purposes set out above.
Disclosure of your information
We may share your personal information with any member of our group, which means our subsidiaries, our ultimate holding company and its subsidiaries from time to time, as defined in section 1159 of the UK Companies Act 2006.
We may disclose your personal information with selected third parties including:
- business partners, providers, suppliers and sub-contractors for the performance of our Site and services
- advertisers and advertising networks that require data to select and serve relevant adverts to you and others
- analytics and search engine providers that assist us in the improvement and optimisation of our Site.
Current third parties used for the provision of the Envolve service include:
Data shared directly from customer to Go Cardless
VAT & Invoicing
Data shared directly from customer to Quaderno
- In the event that we sell or buy any business or assets, in which case we may disclose your data to the prospective seller or buyer of such business or assets.
- If Envolve or substantially all of its assets are acquired by a third party, in which case data held by it about its customers and users will be one of the transferred assets.
Public Information and Third Parties
Blog. We may have public blogs on our Site or a Business. Any information you include in a comment on our blog may be read, collected, and used by anyone. If your personal information appears on these blogs and you’d like it to be removed, contact us at firstname.lastname@example.org or in the case of a blog available on a Business, contact the Business operator. If we’re not able to remove your information, we’ll let you know why.
Social Media Widgets. Our Site may include social media features, like the Facebook Like button. These features may collect information about your IP address and which page you’re visiting on our Site, and they may set a cookie to make sure the feature functions properly. Social media features and widgets are either hosted by a third party or hosted directly on our Site. Your interactions with those features are governed by the privacy policies of the companies that provide them.
Service Providers. If it is necessary to provide you a service you’ve requested, like send you a T-shirt, then we may provide your personal information to a service provider. We will restrict any service provider’s use of your personal information. We will tell you whenever reasonably possible and you may request at any time the name of our service providers.
You have the right to ask us not to process your personal data for marketing purposes. We will usually inform you (before collecting your data) if we intend to use your data for such purposes or if we intend to disclose your information to any third party for such purposes. You can exercise your right to prevent such processing by checking certain boxes on the web pages we use from time to time to collect your data. You can also exercise the right at any time by contacting us at email@example.com
Access to information
The Act gives you the right to access information held about you. Your right of access can be exercised in accordance with the Act. Any access request may be subject to a fee of £10 to meet our costs in providing you with details of the information we hold about you.
Google Analytics: We use Google Analytics to collect information about visitor behaviour on our website. Google Analytics stores information about what pages you visit, how long you are on the page, how you got there and what you click on. This Analytics data is not tied to any personally identifiable information, so it cannot be used to identify who you are.
You can find out more about Google’s position on privacy regarding its analytics service at www.google.com/intl/en_uk/analytics/privacyoverview.html
Session Cookies: We use a session cookie to remember your log-in for you if you are a registered user or for other purposes strictly necessary for the operation of our website. If these are disabled then the website will not function properly.
More information on session cookies and what they are used for can be found at www.allaboutcookies.org/cookies/session-cookies-used-for.html
Functionality cookies. These are used to recognise you when you return to our website. This enables us to personalise our content for you, greet you by name and remember your preferences (for example, your choice of language or region).
Third Party Cookies: These are cookies set on your computer by external service providers. Cookies of this type are advertising networks and providers of analysis services as well as the social network sharing buttons to allow visitors to share content onto their social networks. Third party cookies we currently use include Facebook and Twitter. In order to implement these sharing buttons, and connect them to the relevant social networks and external sites, scripts are used from domains outside of our website. You should be aware that these sites are likely to be collecting information about what you are doing across the internet, not just on this website. We have no control over third party cookies used on our website and you should check the respective policies of each of these sites to see how they use your information and to find out how to opt out, or delete, such information, if you wish to do so.
Welcome to www.envolvetech.com a service operated by Envolve Technology Limited (“Envolve”, “we” or “us”) (the “Site”) which, amongst other things, is intended to (i) provide you with information about and to allow you to subscribe to and purchase our products and services as a customer (a “Customer”) (ii) allow you to register a user account with us (a “Registered User”) (iii) allow you to use the technology without a registered account (a “User”) to engage with one or more of the virtual Businesses via our technology hosted on their own website or social media accounts (“Site“) on behalf of our customers (a “Businesses”) (iv) allow you to post and upload content and interact with others and (v) allow you to contact us directly.
Please note that:
If you are a Registered User and Customer of our business using products and services available on the Site your use of those products and services will be governed by the Customer Licence and Terms of Service which you will have accepted at the time of putting our technology live on your website or in your social channels.
Information about us
The Site, and technology which sits on a businesses website or in their social channels is operated by Envolve Technology Limited a company registered in England (Number 08548197) with our registered office being c/o Excalibur House, Newport, NP18 2HJ VAT Number: 200 854345.
In order to engage with a Business via our technology hosted on their website or their social channels (“Site”), you must provide the requested identification information. You represent and warrant that all personal data and information provided during the registration process is up to date, complete, accurate and true and agree to communicate to Envolve any changes of your personal data in a timely manner.
You are responsible for the activities carried out on or through the Site through and all such activities shall be attributed to you as the User. You are liable for any damage caused to or prejudices against Envolve or third parties as a result of the misuse, loss, misappropriation and/or compromising of the confidentiality of your User ID and password.
You are responsible for making all arrangements necessary for you to have access to our Site.
We do not guarantee that our or a businesses Site, or any content on it, will always be available or be uninterrupted. Access to our Site is permitted on a temporary basis. From time to time, we may suspend, withdraw, discontinue or change all or any part of our Site without notice. We will not be liable if for any reason the Site is unavailable at any time or for any period.
Acceptable use policy
In using the Site, you undertake that you:
- will not provide any false information to us or to any Business, including but not limited to your email address or any other information requested by a Business;
- will not include any malicious, defamatory or libellous material on the Site or in responses or contributions to Business activities hosted on the Site;
- will use your best efforts to ensure that no false, malicious, defamatory or libellous material is published on the Site or in any Business; and you will take immediate appropriate action to remedy any complaint or concern upon becoming aware, including notifying us;
- will indemnify Envolve against any claims from third parties arising from such false malicious, defamatory or libellous information or material;
- will not disclose any personally identifiable information unless permission has been expressly granted by the person to whom such information relates;
- acknowledge that you arrange, attend or participate in any meetings with any group, organisation or person arising from your use of the Site entirely at your own risk
- will be solely responsible for your activities and interactions with customers or other users of the Site or a Business. We reserve the right, but have no obligation, to monitor any dispute between you and another user;
- will only use the Site or any Business for lawful purposes and may not use the Site or any Business:
- in any way that breaches any applicable local, national or international law or regulation
- in any way that is unlawful or fraudulent, or has any unlawful or fraudulent purpose or effect;
- for the purpose of harming or attempting to harm minors;
- will not retrieve, store, transmit, distribute, post or email any material including without limitation text, files, images, photos, videos, sounds musical works, works of authorship and applications (“Content”):
- without having permission from the party that owns the intellectual property rights in such Content;
- which breaches, infringes, violates or is contrary to any law, by-law, statute or regulation or any other parties’ rights (including but not limited to intellectual property rights and privacy rights); or
- which in our opinion involves behaviour that is explicit, discriminatory, racist, abusive, threatening, bullying, harassing, libellous or obscene or encouraging illegal activity; and/or which could otherwise be capable of offending other users;
- will not, other than via functionality specifically provided by us to do so, use the Site without written permission to promote another site, service or business in any way including but not limited to posting any email addresses or URLs;
- will not transmit, or procure the sending of, any unsolicited or unauthorised advertising or promotional material or any other form of similar solicitation (spam) ;
- will not buy or sell third party products or services through the Site, except in respect of Business as expressly permitted by that Business;
- will not access without authority, interfere with, damage or disrupt any part of the Site, or any other user account, or any equipment or network on which the Site is hosted, or any software used in the provision of the Site; or any equipment or network or software owned or used by any relevant third party.
Intellectual property rights
We are the owner or the licensee of all intellectual property rights in the Site and in the material published on it. Those works are protected by copyright laws and treaties around the world. All such rights are reserved.
You may print off one copy of any page from the Site and, where applicable functionality exists, download data from the Site for your personal reference. You may also draw the attention of others to material posted on the Site.
Our status, and that of any identified contributors, as the authors of Content on the Site must always be acknowledged.
You are not permitted to publish or otherwise copy or use any part of this on the Site for commercial purposes, distribution or personal gain to other parties without first obtaining our express written consent or a licence to do so from us or our licensors
Other than any materials clearly marked as capable of being modified, you must not modify the paper or digital copies of any materials you have printed off or downloaded in any way, and you must not use any illustrations, photographs, video or audio sequences or any graphics separately from any accompanying text or logos.
‘Envolve.com’ and ‘Envolve’ plus any other trade marks or logos used on the Site are trade marks of Envolve Technology or its third party licensors. You are not permitted to use any of these marks without express written consent.
Uploading Content to the Site
Any contributions, experiences, information, views or other Content that you upload to or through the Site is for public display and will be considered non-confidential and non proprietary, and we have the right to use, copy, distribute and disclose to third parties any such material for any purpose associated with the operation of the Site.
We will not be liable for any Content transmitted or posted by you on or through the Site or for any interactions you may have with other users. You warrant that you are able to licence the material that you upload to the Site to us and that the use of such Content will not infringe the intellectual property rights of any other party.
You acknowledge that we have the right to disclose your identity to any third party who is claiming that any Content posted or uploaded by you on or through the Site constitutes:
- a violation of their intellectual property rights or of their right to privacy; or
- a breach of civil or criminal law, including libel, discrimination, incitement or may be considered to be inflammatory.
The Site changes regularly
Envolve aims to update the Site regularly, and may change or delete the content at any time. Any of the content on the Site may be out of date at any given time, and we are under no obligation to maintain or update such content. If the need arises, we may without liability suspend access to the Site, or close it indefinitely.
The material displayed on the Site is provided without any guarantees, conditions or warranties as to its accuracy or it being comprehensive.
To the extent permitted by law, we expressly exclude all conditions, warranties and other terms which might otherwise be implied by statute, common law or the law of equity.
We will not be liable to any user for any loss or damage, whether in contract, tort (including negligence), breach of statutory duty, or otherwise, even if foreseeable, arising under or in connection with:
- use of, or inability to use, our Site; or
- use of or reliance on any content displayed on or through our Site.
If you are a business, please note that in particular, we will not be liable for:
- loss of income or revenue;
- loss of business;
- loss of profits or contracts;
- loss of anticipated savings;
- loss of data;
- loss of opportunity, goodwill or reputation; or
- any indirect or consequential loss or damage
- wasted management or office time; and
whether caused by tort (including negligence), breach of contract or otherwise
Transactions with third parties and links from / to the Site
Where the Site or activities hosted on it contain links to other sites and resources provided by third parties, these links are provided for your information only. We have no control over the content of those sites or resources, and accept no liability for them or for any loss or damage that may arise from your use of them.
Contracts for the supply of any goods or services formed as a consequence of the use of these external sites arising through use of the Site shall be governed by the terms and conditions of supply of the relevant party supplying those goods or services. We will have no involvement, liability or obligations in relation to any contracts that you form with any third parties.
Third parties shall not have any rights under the Contracts (Rights of Third Parties) Act 1999 in relation to any agreement between us and you.
The Site must not be framed on any other site.
Viruses, hacking and other offences
We do not guarantee that our Site will be secure or free from bugs or viruses. You are responsible for configuring you information technology, computer programmes and platform in order to access our Site. You should use your own virus protection software.
You must not knowingly introduce viruses, trojans, malware, worms, logic bombs or other material which is malicious or technologically harmful. You must not attempt to gain unauthorised access to the Site, the server on which the Site is stored or any server, computer or database connected to the Site. You must not attack the Site via a denial-of-service attack or a distributed denial-of service attack. By breaching this provision, you would commit a criminal offence under the Computer Misuse Act 1990. We will report any such breach to the relevant law enforcement authorities and we will co-operate with those authorities by disclosing your identity to them. In the event of such a breach, your right to use the Site will cease immediately.
We will not be liable for any loss or damage caused by a distributed denial-of-service attack, viruses or other technologically harmful material that may infect your computer equipment, computer programs, data or other proprietary material due to your use of the or to your downloading of any material posted on it, or on any linked to it.
The Site uses:
- Ordnance Survey Code-Point® Open data
The Site contains:
- Ordnance Survey data © Crown copyright and database right 2015
- Royal Mail data © Royal Mail copyright and database right 2015
- National Statistics data © Crown copyright and database right 2015
Jurisdiction and applicable law
The English and Welsh courts will have exclusive jurisdiction over any claim arising from, or related to, a visit to the Site. However, we retain the right to bring proceedings against you for breach of these conditions in your country of residence or any other relevant jurisdiction
If you have any concerns in relation to our Site, please contact firstname.lastname@example.org.
Data Processing Agreement
This Data Processing Agreement (“Agreement”) forms part of the Contract for Services (“Principal Agreement”) between any businesses which uses the Envolve Technology Limited technology (the “Company”) and Envolve Technology Limited (the “Data Processor”) (together as the “Parties”)
(A) The Company acts as a Data Controller.
(B) The Company wishes to subcontract certain Services, which imply the processing of personal data, to the Data Processor.
(C) The Parties seek to implement a data processing agreement that complies with the requirements of the current legal framework in relation to data processing and with the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
(D) The Parties wish to lay down their rights and obligations.
IT IS AGREED AS FOLLOWS:
1. Definitions and Interpretation
1.1 Unless otherwise defined herein, capitalised terms and expressions used in this Agreement shall have the following meaning:1.1.1 “Agreement” means this Data Processing Agreement and all Schedules;
1.1.2 “Company Personal Data” means any Personal Data Processed by a Contracted Processor on behalf of Company pursuant to or in connection with the Principal Agreement;1.1.3 “Contracted Processor” means a Subprocessor;
1.1.4 “Data Protection Laws” means EU Data Protection Laws and, to the extent applicable, the data protection or privacy laws of any other country;
1.1.5 “EEA” means the European Economic Area;
1.1.6 “EU Data Protection Laws” means EU Directive 95/46/EC, as transposed into domestic legislation of each Member State and as amended, replaced or superseded from time to 1.1.7 “GDPR” means EU General Data Protection Regulation 2016/679;
1.1.8 “Data Transfer” means:
188.8.131.52 a transfer of Company Personal Data from the Company to a Contracted Processor; or
184.108.40.206 an onward transfer of Company Personal Data from a Contracted Processor to a Subcontracted Processor, or between two establishments of a Contracted Processor, in each case, where such transfer would be prohibited by Data Protection Laws (or by the terms of data transfer agreements put in place to address the data transfer restrictions of Data Protection Laws);1.1.9 “Services” means the services the Company provides.
1.1.10 “Subprocessor” means any person appointed by or on behalf of Processor to process Personal Data on behalf of the Company in connection with the Agreement.1.2 The terms, “Commission“, “Controller“, “Data Subject“, “Member State“, “Personal Data“, “Personal Data Breach”, “Processing” and “Supervisory Authority” shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.
2. Processing of Company Personal Data
2.1 Processor shall:
2.1.1 comply with all applicable Data Protection Laws in the Processing of Company Personal Data; and
2.1.2 not Process Company Personal Data other than on the relevant Company’s instructions.
2.2 The Company instructs Processor to process Company Personal Data.
3. Processor Personnel
Processor shall take reasonable steps to ensure the reliability of any employee, agent or contractor of any Contracted Processor who may have access to the Company Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know / access the relevant Company Personal Data, as strictly necessary for the purposes of the Principal Agreement, and to comply with Applicable Laws in the context of that individual’s duties to the Contracted Processor, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.
4.1 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Processor shall in relation to the Company Personal Data implement appropriate technical and organisational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR.
4.2 In assessing the appropriate level of security, Processor shall take account in particular of the risks that are presented by Processing, in particular from a Personal Data Breach.
5.1 Processor shall not appoint (or disclose any Company Personal Data to) any Subprocessor unless required or authorized by the Company.
6. Data Subject Rights
6.1 Taking into account the nature of the Processing, Processor shall assist the Company by implementing appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Company obligations, as reasonably understood by Company, to respond to requests to exercise Data Subject rights under the Data Protection Laws.
6.2 Processor shall:
6.2.1 promptly notify Company if it receives a request from a Data Subject under any Data Protection Law in respect of Company Personal Data; and6.2.2 ensure that it does not respond to that request except on the documented instructions of Company or as required by Applicable Laws to which the Processor is subject, in which case Processor shall to the extent permitted by Applicable Laws inform Company of that legal requirement before the Contracted Processor responds to the request.
7. Personal Data Breach
7.1 Processor shall notify Company without undue delay upon Processor becoming aware of a Personal Data Breach affecting Company Personal Data, providing Company with sufficient information to allow the Company to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Data Protection Laws.
7.2 Processor shall co-operate with the Company and take reasonable commercial steps as are directed by Company to assist in the investigation, mitigation and remediation of each such Personal Data Breach.
8. Data Protection Impact Assessment and Prior Consultation
Processor shall provide reasonable assistance to the Company with any data protection impact assessments, and prior consultations with Supervising Authorities or other competent data privacy authorities, which Company reasonably considers to be required by article 35 or 36 of the GDPR or equivalent provisions of any other Data Protection Law, in each case solely in relation to Processing of Company Personal Data by, and taking into account the nature of the Processing and information available to, the Contracted Processors.
9. Deletion or return of Company Personal Data
9.1 Subject to this section 9 Processor shall promptly and in any event within 10 business days of the date of cessation of any Services involving the Processing of Company Personal Data (the “Cessation Date”), delete and procure the deletion of all copies of those Company Personal Data.
9.2 Processor shall provide written certification to Company that it has fully complied with this section 9 within 10 business days of the Cessation Date.
10. Audit rights
10.1 Subject to this section 10, Processor shall make available to the Company on request all information necessary to demonstrate compliance with this Agreement, and shall allow for and contribute to audits, including inspections, by the Company or an auditor mandated by the Company in relation to the Processing of the Company Personal Data by the Contracted Processors.
10.2 Information and audit rights of the Company only arise under section 10.1 to the extent that the Agreement does not otherwise give them information and audit rights meeting the relevant requirements of Data Protection Law.
11. Data Transfer
11.1 The Processor may not transfer or authorize the transfer of Data to countries outside the EU and/or the European Economic Area (EEA) without the prior written consent of the Company. If personal data processed under this Agreement is transferred from a country within the European Economic Area to a country outside the European Economic Area, the Parties shall ensure that the personal data are adequately protected. To achieve this, the Parties shall, unless agreed otherwise, rely on EU approved standard contractual clauses for the transfer of personal data.
12. General Terms
12.1 Confidentiality. Each Party must keep this Agreement and information it receives about the other Party and its business in connection with this Agreement (“Confidential Information”) confidential and must not use or disclose that Confidential Information without the prior written consent of the other Party except to the extent that:
(a) disclosure is required by law;
(b) the relevant information is already in the public domain.
12.2 Notices. All notices and communications given under this Agreement must be in writing and will be delivered personally, sent by post or sent by email to the address or email address set out in the heading of this Agreement at such other address as notified from time to time by the Parties changing address.
13. Governing Law and Jurisdiction
13.1 This Agreement is governed by the laws of The United Kingdom.13.2 Any dispute arising in connection with this Agreement, which the Parties will not be able to resolve amicably, will be submitted to the exclusive jurisdiction of the courts of The United Kingdom.
SIGNATORY AND AGREEMENT
By agreement of Emma Smith, CEO Envolve Technology Limited.
By placing the Envolve Technology platform on either your website or in your social channels you hereby agree to the terms of the data processing agreement.