Data Processing Agreement

This agreement sets out our, and your, responsibilities in relation to the processing of data and under the GDPR, and forms part of the Terms and Conditions.

Contractual Relationship

When we say “you”, we are referring to an Organisation, and any Member who has administrator rights for the Organisation’s account on the Website, and who has logged in to the administration panel (“Administrator”).

By logging into the administration panel of the Organisation’s account on the Website, you enter into this agreement and agree to be subject to its terms.

If you have Creator administrative rights for the Organisation, you enter into the agreement on behalf of the Organisation. You promise that you have the legal right to enter into the agreement on behalf of the Organisation, and that the Organisation will be bound by the terms of this agreement.

Where there is more than one of you, you agree that you are jointly and individually responsible for all of your, and the Organisation’s, responsibilities and obligations under this agreement.

Definitions

"Data Protection Laws" means all data protection and privacy laws applicable to the processing of Personal Data under the Agreement, including, where applicable, EU Data Protection Law.

"EU Data Protection Law" means (i) prior to 25 May 2018, Directive 95/46/EC of the European Parliament and of the Council on the protection of individuals with regard to the processing of Personal Data and on the free movement of such data ("Directive") and on and after 25 May 2018, Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data (General Data Protection Regulation) ("GDPR"); and (ii) Directive 2002/58/EC concerning the processing of Personal Data and the protection of privacy in the electronic communications sector and applicable national implementations of it (as may be amended, superseded or replaced).

“Member Data” means any Personal Data that we process on behalf of an Organisation.

“Organisation” means the entity that has an organisation account to use the Service.

“Sub-processor” means any entity that Processes Personal Data on our behalf.

“Terms and Conditions” means our Terms and Conditions, which govern the provision of the Service, as updated from time to time.

“Controller”, “Personal Data”, “Processing”, “Processor”, “Supervisory Authority” have the meaning as provided in Article 4 of the GDPR.

“Service”, “Member”, “Website”, have the meaning as provided in the Terms and Conditions.

Roles of the Parties

For the purposes of GDPR, you are the Controller, and we will process data as a Processor, acting on your behalf.

You agree to comply with your obligations as a Controller under GDPR. You promise that you have provided notice, and obtained all consents and rights necessary under GDPR for us to process the Member Data and provide the Service.

Processing of Data

You will, when using the Service, Process Personal Data in accordance with the requirements of GDPR, and will ensure that any instructions that you provide to us to Process Personal Data comply with these requirements. You are responsible for the accuracy, quality and legality of Personal Data, and the means by which you acquired the Personal Data.

Subject to the paragraph below, we will treat the Personal Data as confidential and will only Process the Personal Data for the purpose of providing the Service, on behalf of, and in accordance with, your written instructions for the following purposes:

  • Processing in accordance with this agreement;

  • Processing initiated by a Member or Administrator in using the Service; and

  • Processing to comply with reasonable instructions provided by you (e.g. by email) where such instructions are consistent with this agreement.

If we are required to Process Member Data under Article 28(3)(a) GDPR, we will inform you of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest.

We will Process the Personal Data for the duration of this agreement, in accordance with the terms of this agreement, unless otherwise agreed in writing with you.

We will tell you if we think that we have received an instruction to Process Member Data that does not comply with the GDPR or any related data protection laws.

Types of Personal Data

The amount and type of Personal Data that you, or your Members, may submit to the Service is determined by you. This may include, but is not limited to:

  • member data: Name, title, email address, phone numbers, address, date of birth, grouping of members (e.g. family groups), form data, password;

  • order data: items purchased, amounts, payment method, card data, direct debit mandate references, Paypal payment references, Sage Pay transaction references.

In addition, when you or a Member use the Service or browse our Website, we collect information about the visit to the Website, usage of the Service, and web browsing, including:

  • IP address, browser data, pages visited, login dates, and other information about how the visitor interacted with the Website.

Categories of Data Subjects

The amount and type of Personal Data that you may submit to the Service is determined by you. This may include, but is not limited to the following categories of data subjects:

  • members of your Organisation, including prospective members

  • participants in your Organisation’s activities

  • parents/guardians of members or participants

WebCollect Personnel

We will ensure that our personnel engaged in the Processing of Personal Data are informed of the confidential nature of the Personal Data, have received appropriate training on their responsibilities, and have executed written confidentiality agreements. We will ensure that such confidentiality obligations survive the termination of the personnel engagement.

We will take commercially reasonable steps to ensure the reliability of any personnel engaged by us to Process Personal Data. We will ensure that access to Personal Data is limited to those personnel performing the Service in accordance with this agreement.

We have appointed a Data Protection Officer. The appointed person can be reached at privacy@webcollect.org.uk.

Data Request from a Member

We will promptly notify you if we receive a request from a Member, or any other person for whom we hold Personal Data on your behalf, to exercise their right to access, rectify, restrict or object to Processing, or their right not to be subject to any automated individual decision making (“Data Request”). If we do not receive a response from you, we may remove or update the Member’s information, and respond to their request, within a reasonable time.

The Service provides you with a number of controls that you may use to retrieve, correct, delete or restrict Member Data, which you may use to assist you in connection with your obligations under GDPR, including your obligations relating to responding to requests from data subjects or applicable data protection authorities.

To the extent that you are not able to independently access the relevant Member Data within the Service, we will use commercially reasonable efforts to assist you in responding to the Data Request, if you ask us to. To the extent that we are legally allowed to, we may charge you for providing this assistance.

Third Party Processing

We may retain third party Sub-processors in connection with the provision of the Services. We have entered into a written agreement with each Sub-processor containing data protection obligations no less protective than those in this agreement with respect to the protection of Personal Data, to the extent applicable to the nature of the service provided by the Sub-processor.

The list of our Sub-processors is provided in Appendix A to this agreement, including their identities, location, and the service provided, and the type of Personal Data that we may share with them for the purposes of providing the Service.

If we engage a new Sub-processor, we will notify you of the new Sub-processor before authorising them to Process Personal Data in connection with the Service. We will notify you by updating Appendix A, and publishing that update on our website. You may object to the appointment of the new Sub-processor, by informing us in writing of your objection. If you object, we will use reasonable efforts to recommend changes to your configuration of the Service to avoid Processing by the new Sub-processor. If we are unable to provide such changes, then you may terminate the Service and this agreement, in which case we will refund any prepaid fees for the Service.

We will be liable for the acts and omissions of our Sub-processors to the same extent that we would be liable if we had performed those acts or omissions.

We also provide the option for you to use third party payment providers to accept payments from your Members (“Third Party Payment Provider”). Details of the Third Party Payment Providers are set out in Appendix B. If you choose to use a Third Party Payment Provider’s services, you enter into an agreement directly with the Third Party Payment Provider. We are not a party to that agreement, and they are not Sub-processors for the purposes of this agreement. You authorise us to pass Personal Data, as prescribed in Appendix B, to the Third Party Payment Provider, for the purposes of enabling them to carry out the services that they provide to you. You are responsible for ensuring that your arrangement with the Third Party Payment Provider, and the service that they provide to you, is compliant with all applicable laws and regulations.

For clarity, we host the Service on servers owned and controlled by us. The provider of our data centre services does not have access to our servers, and is not a Sub-processor for the purposes of this agreement. These servers are located in data centres in the United Kingdom. We will not transfer or process Member Data outside of the EEA.

Security

We will maintain appropriate technical and organisational measures for the protection of the confidentiality, integrity and security of Member Data, in accordance with our Security Standards Policy, including protection against:

  • unauthorised or unlawful Processing;

  • accidental or unlawful destruction, loss or alteration of the Member Data; and

  • unauthorised disclosure of, or access to, Member Data.

We regularly monitor compliance with our Security Standards Policy. We may update or modify our Security Standards Policy from time to time. We will not significantly decrease the overall security of the Service or the Website during the course of this agreement.

Other than as provided in this agreement, you are responsible for your secure use of the Service and Website, including securing your account authentication credentials, protecting the security of Member Data when in transit to and from the Service, and taking any appropriate steps to back up any Member Data uploaded to the Service.

Incident Management and Notification

We maintain security incident management policies and procedures, and will notify you as soon as is reasonably possible after becoming aware of any accidental, unlawful or unauthorised Processing, loss, alteration, disclosure, or access to the Member Data, in accordance with our Incident Management Policy.

We will provide you with reasonable assistance in the cooperation with the Supervisory Authority in the performance of its tasks, to the extent that we are required to under the GDPR.

Where the incident has been caused by us, or our Sub-processors, we will make reasonable efforts to identify the cause of the incident and take reasonable steps to prevent a recurrence of such an incident, to the extent that we are able to.

Group Sharing

Limitation of Liability

Our liability for all claims arising out of or related to this agreement, whether made by the Organisation or by any Administrator, shall apply in aggregate.

Any claims brought under, or in connection with, this agreement shall be subject to the Terms and Conditions, including but not limited to the exclusions and limitations set out in the Terms and Conditions.

Nothing within this agreement relieves us of our own responsibilities and liabilities under GDPR.

Termination: Return/Deletion of Data

On termination of this agreement, we will delete or return to you all Member Data in our possession or control, except that this requirement shall not apply to:

  • the extent that we are required by law to retain some or all of the Member Data; or

  • Member Data that we have archived on back-up systems, which Member Data we will securely isolate and protect from any further Processing, except to the extent required by applicable law.

Data Protection Impact Assessment

If you ask us, we will provide you with reasonable cooperation and assistance to enable you to carry out a data protection impact assessment, relating to your use of the Services, to the extent that you do not already have access to the relevant information, and to the extent that the information is available to us.

We will provide you with reasonable assistance in the cooperation with the Supervisory Authority in the performance of its tasks, to the extent that we are required to under the GDPR.

To the extent that we are permitted by law to do so, we may charge you for providing such assistance.

Administrators

Except where applicable laws require an Administrator to exercise a right or seek a remedy under this agreement against us by itself, you agree that:

  • only the Organisation shall exercise any such right or seek any such remedy on behalf of the Administrator;

  • the Organisation shall exercise any such rights not separately for each Administrator individually, but in a combined manner for all Administrators together; and

  • the Organisation, when carrying out an audit of the procedures relevant to the protection of Member Data, shall take all reasonable measures to limit any impact on us, or our Sub-processors, by combining, to the extent reasonably possible, several audit requests carried out on behalf of different Administrators in one single audit.

Audit

If you ask us to, we will, to the extent that we are permitted by law to do so, make available information necessary to demonstrate compliance with our obligations laid out in Article 28 GDPR. If you ask us, we will take part in, or contribute to, an audit or inspection conducted by you, or by another auditor on your behalf, provided that you ask at reasonable intervals and the person carrying out the audit or inspection is not a direct competitor of ours. Any information that we provide will be on a confidential basis.

To the extent that we are permitted by law to do so, we may charge you for providing such assistance.


Appendix A: Sub-processors

Sage Pay

Entity: Sage Pay Europe Ltd, a UK company (registered No 07492608), whose registered address is at North Park, Newcastle upon Tyne, NE13 9AA

Service Provided: Processing of debit and credit card payments from Members to Organisations, where the Organisation has elected to use Sage Pay’s services.

Personal Data shared: Member name, Member address, Member’s card details, including CVV, Vendor Code, Amount.


Appendix B: Third Party Payment Providers

Paypal

Entity: Sage Pay Europe Ltd, a UK company (registered No 07492608), whose registered address is at North Park, Newcastle upon Tyne, NE13 9AA

Service Provided: Processing of payments from Members to Organisations, where the Organisation has elected to use Paypal’s services.

Personal Data shared: Organisation’s Paypal email address, payment amount.

GoCardless

Entity: GoCardless Ltd, a UK company (registered No 07495895), whose registered address is at Sutton Yard, 65 Goswell Road, London, EC1V 7EN

Service Provided: Processing of payments from Members to Organisations, where the Organisation has elected to use GoCardless’ services.

Personal Data shared: GoCardless access token, GoCardless mandate ID, payment amount.