Last Modified: 30 Apr 2024
In circumstances where Provider Data relates to data subjects based in the UK or EEA, this Data Processing Addendum (DPA) reflects the parties’ agreement in respect of the Processing of Provider Data (as defined in our Privacy Policy) as part of the Services provided by Pairly LTD (Pairly). The terms of this DPA are hereby incorporated into our Terms of Service, Privacy Policy or any other applicable services agreement between you and Pairly. These terms are additional to any requirements of the parties under applicable Data Protection Law.
This DPA contains the mandatory clauses required by Article 28(3) of the retained EU law version of the General Data Protection Regulation ((EU) 2016/679) (UK GDPR)for contracts between controllers and processors and the General Data Protection Regulation ((EU) 2016/679).
Definitions and interpretation
The following definitions and rules of interpretation apply in this DPA
Definitions:
Authorised Persons: the persons or categories of persons that the Provider authorises to give the Provider written personal data processing instructions and from whom the Provider agrees to accept such instructions.
Business Purposes: the Services to be provided by Pairly to the Provider as described in the Order and any other purpose specifically identified in this DPA.
Controller, Processor, Data Subject, Personal Data, Personal Data Breach and Processing: have the meanings given to them in the Data Protection Legislation.
Controller: has the meaning given to it in section 6, DPA 2018.
Provider Data: shall have the meaning given to it in Pairly’s Privacy Policy.
Data Protection Legislation:
To the extent the UK GDPR applies, the law of the United Kingdom or of a part of the United Kingdom which relates to the protection of personal data.
To the extent the EU GDPR applies, the law of the European Union or any member state of the European Union to which the Provider or Provider is subject, which relates to the protection of personal data.
Data Subject: the identified or identifiable living individual to whom the Personal Data relates.
EU GDPR: the General Data Protection Regulation ((EU) 2016/679).
EEA: the European Economic Area.
Personal Data: means any information relating to an identified or identifiable living individual that the Provider processes on behalf of the Provider as a result of, or in connection with, the provision of the services under the Terms of Service; an identifiable living individual is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual.
Processing, processes, processed, process: any activity that involves the use of the Personal Data. It includes, but is not limited to, any operation or set of operations which is performed on the Personal Data or on sets of the Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. Processing also includes transferring the Personal Data to third parties.
Personal Data Breach: a breach of security leading to the accidental, unauthorised or unlawful destruction, loss, alteration, disclosure of, or access to, the Personal Data.
Processor: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the Controller.
Records: has the meaning given to it in Clause 12.
Standard Contractual Clauses (SCC):
the European Commission's Standard Contractual Clauses for the transfer of Personal Data from the European Union to processors established in third countries (controller-to-processor transfers), as set out in the Annex to Commission Decision 2010/87/EU; or
such alternative clauses as may be approved by the European Commission or by the UK from time to time.
Term: this DPA's term as defined in Clause 10.
Terms of Service: shall be the Terms of Service governing the relationship between the Provider and Pairly.
UK GDPR: has the meaning given to it in section 3(10) (as supplemented by section 205(4)) of the DPA 2018.
This DPA is subject to the Terms of Service and is incorporated into the Terms of Service. Interpretations and defined terms set forth in the Terms of Service apply to the interpretation of this DPA.
The Annexes form part of this DPA and will have effect as if set out in full in the body of this DPA. Any reference to this DPA includes the Annexes.
A reference to writing or written includes email.
In the case of conflict or ambiguity between, the order of priority of documentation is as follows:
Applicable Data Protection Legislation;
SCCs;
This DPA;
Pairly Privacy Policy; and
Pairly Terms of Service.
Personal data types and processing purposes
The Provider and Pairly agree and acknowledge that for the purpose of the Data Protection Legislation:
the Provider is the data controller and Pairly is the processor of Provider Data.
the Provider retains control of the Personal Data and remains responsible for its compliance obligations under the applicable Data Protection Legislation, including but not limited to providing any required notices and obtaining any required consents, and for the written processing instructions it gives to Pairly.
ANNEX A describes the subject matter, duration, nature and purpose of the processing and the Personal Data categories and Data Subject types in respect of which Pairly may process the Personal Data to fulfil the Business Purposes.
In respect of some processing of Provider Data, Pairly may act as a Data Controller, for example, where data subjects have engaged with aspects of our website, mobile applications or platform beyond those relating to Provider’s use of our Services or where Provider Data is Processed by Pairly to conduct research and analysis to enable Pairly to improve its products and features and provide targeted recommendations. With regard to such processing, Pairly is an independent Data Controller and not a joint Data Controller with the Provider and such processing shall not be subject to this DPA.
Pairly's obligations
Pairly will only process the Personal Data to the extent, and in such a manner, as is necessary for the Business Purposes in accordance with the Provider's written instructions. Pairly will not process the Personal Data in a way that does not comply with this DPA or the Data Protection Legislation. Pairly must promptly notify the Provider if, in its opinion, the Provider's instructions do not comply with the Data Protection Legislation.
Pairly must comply promptly with any Provider written instructions requiring Pairly to amend, transfer, delete or otherwise process the Personal Data, or to stop, mitigate or remedy any unauthorised processing.
Pairly will maintain the confidentiality of the Personal Data and will not disclose the Personal Data to third parties unless the Provider or this DPA specifically authorises the disclosure, or as required by domestic law, court or regulator. If a domestic law, court or regulator requires Pairly to process or disclose the Personal Data to a third party, Pairly must first inform the Provider of such legal or regulatory requirement and give the Provider an opportunity to object or challenge the requirement, unless the domestic law prohibits the giving of such notice.
Pairly will reasonably assist the Provider, at no additional cost to the Provider, with meeting the Provider's compliance obligations under the Data Protection Legislation, taking into account the nature of Pairly's processing and the information available to Pairly, including in relation to Data Subject rights, data protection impact assessments and reporting to and consulting with the relevant regulator under the Data Protection Legislation.
Pairly must promptly notify the Provider of any changes to the Data Protection Legislation that may reasonably be interpreted as adversely affecting Pairly’s performance of the Terms of Service or this DPA.
Pairly's employees
Pairly will ensure that all of its employees:
are informed of the confidential nature of the Personal Data and are bound by confidentiality obligations and use restrictions in respect of the Personal Data;
have undertaken training on the Data Protection Legislation relating to handling Personal Data and how it applies to their particular duties; and
are aware both of Pairly’s duties and their personal duties and obligations under the Data Protection Legislation and this DPA.
Pairly will take reasonable steps to ensure the reliability, integrity, and trustworthiness of all of its employees with access to the Personal Data.
Security
Pairly must at all times implement appropriate technical and organisational measures against unauthorised or unlawful processing, access, copying, modification, reproduction, display or distribution of the Personal Data, and against accidental or unlawful loss, destruction, alteration, disclosure or damage of Personal Data including but not limited to regular systems security testing, encryption, two-factor authentication, using virtual private networks and staff access limitation.
Pairly must implement such measures to ensure a level of security appropriate to the risk involved, including as appropriate:
the pseudonymisation and encryption of personal data;
the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and
a process for regularly testing, assessing and evaluating the effectiveness of the security measures.
Personal Data Breach
Pairly will as soon as reasonably possible notify the Provider if it becomes aware of:
the loss, unintended destruction or damage, corruption, or unusability of part or all of the Personal Data. Pairly will restore such Personal Data at its own expense as soon as possible.
any accidental, unauthorised or unlawful processing of the Personal Data; or
any Personal Data Breach.
Where Pairly becomes aware of (a), (b) and/or (c) above, it shall, without undue delay, also provide the Provider with the following information:
description of the nature of (a), (b) and/or (c), including the categories of in-scope Personal Data and approximate number of both Data Subjects and the Personal Data records concerned;
the likely consequences; and
a description of the measures taken or proposed to be taken to address (a), (b) and/or (c), including measures to mitigate its possible adverse effects.
Immediately following any accidental, unauthorised or unlawful Personal Data processing or Personal Data Breach, the parties will co-ordinate with each other to investigate the matter. Further, Pairly will reasonably co-operate with the Provider at no additional cost to the Provider, in the Provider's handling of the matter, including but not limited to:
assisting with any investigation;
providing the Provider with physical access to any facilities and operations affected;
facilitating interviews with Pairly's employees, former employees and others involved in the matter including, but not limited to, its officers and directors;
making available all relevant records, logs, files, data reporting and other materials required to comply with all Data Protection Legislation or as otherwise reasonably required by the Provider; and
taking reasonable and prompt steps to mitigate the effects and to minimise any damage resulting from the Personal Data Breach or accidental, unauthorised or unlawful Personal Data processing.
Pairly will not inform any third party of any accidental, unauthorised or unlawful processing of all or part of the Personal Data and/or a Personal Data Breach without first obtaining the Provider's written consent, except when required to do so by domestic law.
Pairly agrees that the Provider has the sole right to determine:
whether to provide notice of the accidental, unauthorised or unlawful processing and/or the Personal Data Breach to any Data Subjects, relevant regulator, other in-scope regulators, law enforcement agencies or others, as required by law or regulation or in the Provider's discretion, including the contents and delivery method of the notice; and
whether to offer any type of remedy to affected Data Subjects, including the nature and extent of such remedy.
Pairly will cover all reasonable expenses associated with the performance of the obligations under 6.1 to 6.3 unless the matter arose from the Provider's specific written instructions, negligence, wilful default or breach of this DPA, in which case the Provider will cover all reasonable expenses.
Pairly will also reimburse the Provider for actual reasonable expenses that the Provider incurs when responding to an incident of accidental, unauthorised or unlawful processing and/or a Personal Data Breach to the extent that Pairly caused such, including all costs of notice and any remedy as set out in clause 6.5.
Cross-border transfers of personal data
The Provider hereby acknowledges that Pairly (and any subcontractor) will process Personal Data outside the UK and EEA in connection with the Services.
In relation to third-party and intragroup transfers, Pairly may only process, or permit the processing, of the Personal Data outside the EEA under the following conditions:
Pairly is processing the Personal Data in a territory which is subject to adequacy regulations under the Data Protection Legislation that the territory provides adequate protection for the privacy rights of individuals. For the avoidance of doubt, intra-group transfers between Pairly UK limited, based in the UK and Pairly Limited, based in New Zealand are deemed adequate under Data Protection Legislation; or
Pairly has executed Standard Contractual Clauses relating to the transfer; or
the transfer otherwise complies with the Data Protection Legislation.
Subcontractors
Pairly may only authorise a third party (subcontractor) to process the Personal Data if:
the Provider is provided with an opportunity to object to the appointment of each subcontractor within 30 working days after Pairly supplies the Provider with full details in writing regarding such subcontractor;
Pairly enters into a written contract with the subcontractor that contains terms substantially the same as those set out in this DPA, in particular, in relation to requiring appropriate technical and organisational data security measures, and, upon the Provider's written request, provides the Provider with copies of the relevant excerpts from such contracts;
Pairly maintains control over all of the Personal Data it entrusts to the subcontractor; and
the subcontractor's contract terminates automatically on termination of this DPA for any reason.
Those subcontractors approved as at the commencement of this DPA are as set out [here].
Where the subcontractor fails to fulfil its obligations under the written agreement with Pairly which contains terms substantially the same as those set out in this DPA, Pairly remains fully liable to the Provider for the subcontractor's performance of its agreement obligations.
The Parties agree that Pairly will be deemed to control legally any Personal Data controlled practically by or in the possession of its subcontractors.
Complaints, data subject requests and third-party rights
Pairly must, at no additional cost to the Provider, take such technical and organisational measures as may be appropriate, and promptly provide such information to the Provider as the Provider may reasonably require, to enable the Provider to comply with:
the rights of Data Subjects under the Data Protection Legislation, including subject access rights, the rights to rectify, port and erase personal data, object to the processing and automated processing of personal data, and restrict the processing of personal data; and
information or assessment notices served on the Provider by a relevant regulator under the Data Protection Legislation.
Pairly must notify the Provider immediately in writing if it receives any complaint, notice or communication that relates directly or indirectly to the processing of the Personal Data or to either party's compliance with the Data Protection Legislation.
Pairly must notify the Provider within 5 working days if it receives a request from a Data Subject for access to their Personal Data or to exercise any of their other rights under the Data Protection Legislation.
Pairly will give the Provider, at no additional cost to the Provider, its full co-operation and assistance in responding to any complaint, notice, communication or Data Subject request.
Pairly must not disclose the Personal Data to any Data Subject or to a third party other than in accordance with the Provider's written instructions, or as required by domestic law.
Term and termination
This DPA will remain in full force and effect so long as:
the Terms of Service remain in effect; or
Pairly retains any of the Personal Data related to the Services in its possession as a Data Processor (Term).
Any provision of this DPA that expressly or by implication should come into or continue in force following termination or expiry of the Term in order to protect the Personal Data will remain in full force and effect.
Pairly's failure to comply with the terms of this DPA is a material breach of the Terms of Service. In such event, the Provider will have a right to terminate the Services effective immediately on written notice to Pairly, without further liability or obligation of the Provider.
If a change in any Data Protection Legislation prevents either party from fulfilling all or part of its obligations under the Terms of Service, the parties may agree to suspend the processing of the Personal Data until that processing complies with the new requirements. If the parties are unable to bring the Personal Data processing into compliance with the Data Protection Legislation within a reasonable period of time, either party may terminate the Services on written notice to the other party.
Data return and destruction
At the Provider's request, Pairly will give the Provider, or a third party nominated in writing by the Provider, a copy of or access to all or part of the Personal Data in its possession or control in the format and on the media reasonably specified by the Provider.
On termination of the Services for any reason or expiry of the Term, Pairly will securely delete or destroy or, if directed in writing by the Provider, return and not retain, all or any of the Personal Data related to this DPA in accordance with its Retention Policy.
If any law, regulation, or government or regulatory body requires Pairly to retain any documents or materials or Personal Data that Pairly would otherwise be required to return or destroy, it will notify the Provider in writing of that retention requirement, giving details of the documents, materials or Personal Data that it must retain, the legal basis for retention, and establishing a specific timeline for deletion or destruction once the retention requirement ends. Notification to the Provider shall not take place where any law, regulation, or government or regulatory body prohibits such notification to the Provider.
Records
Pairly will keep detailed, accurate and up-to-date written records regarding any processing of the Personal Data, including but not limited to, the access, control and security of the Personal Data, applicable subcontractors, the processing purposes, categories of processing, any transfers of personal data to a third country and related safeguards, and a general description of the technical and organisational security measures referred to in 5.1 (Records).
Pairly will ensure that the Records are sufficient to enable the Provider to verify the Pairly's compliance with its obligations under this DPA and Pairly will provide the Provider with copies of the Records upon request.
The Provider and Pairly must review the information listed in the Annexes to this DPA at least once a year to confirm its current accuracy and update it when required to reflect current practices.
Audit
Pairly will give the Provider and its third-party representatives reasonable assistance to conduct such audits. The assistance may include, but is not limited to:
physical access to, remote electronic access to, and copies of the Records and any other information held at Pairly's premises or on systems storing the Personal Data;
access to and meetings with any of Pairly's personnel reasonably necessary to provide all explanations and perform the audit effectively; and
inspection of all Records and the infrastructure, electronic data or systems, facilities, equipment or application software used to store, process the Personal Data.
The notice requirements in 13.1 will not apply if the Provider reasonably believes that a Personal Data Breach occurred or is occurring, or Pairly is in breach of any of its obligations under this DPA or any Data Protection Legislation.
If a Personal Data Breach occurs or is occurring, or Pairly becomes aware of a breach of any of its obligations under this DPA or any Data Protection Legislation, Pairly will:
promptly conduct its own audit to determine the cause;
produce a written report that includes detailed plans to remedy any deficiencies identified by the audit;
provide the Provider with a copy of the written audit report; and
remedy any deficiencies identified by the audit.
At the Provider's written request, Pairly will:
conduct an information security audit before it first begins processing any of the Personal Data and repeat that audit on at least an annual basis;
produce a written report that includes detailed plans to remedy any security deficiencies identified by the audit;
provide the Provider with a copy of the written audit report; and
remedy any deficiencies identified by the audit.
Pairly will promptly address any exceptions noted in the audit reports with the development and implementation of a corrective action plan by Pairly's management.
Warranties
Pairly warrants and represents that:
its employees, subcontractors, agents and any other person or persons accessing the Personal Data on its behalf are reliable and trustworthy and have received the required training on the Data Protection Legislation;
it and anyone operating on its behalf will process the Personal Data in compliance with the Data Protection Legislation and other laws, enactments, regulations, orders, standards and other similar instruments;
it has no reason to believe that the Data Protection Legislation prevents it from providing any of the Services; and
considering the current technology environment and implementation costs, it will take appropriate technical and organisational measures to prevent the unauthorised or unlawful processing of Personal Data and the accidental loss or destruction of, or damage to, Personal Data, and ensure a level of security appropriate to:
the harm that might result from such unauthorised or unlawful processing or accidental loss, destruction or damage;
the nature of the Provider Data protected; and
comply with all applicable Data Protection Legislation and its information and security policies, including the security measures required in 5.1.
The Provider warrants and represents that Pairly's expected use of the Provider Data for the Business Purposes and as specifically instructed by the Provider will comply with the Data Protection Legislation.
Notice
Any notice given to a party under or in connection with this DPA must be in writing and delivered to the Account Holder or Pairly’s data protection contact by email
16.1 does not apply to the service of any proceedings or other documents in any legal action or, where applicable, any arbitration or other method of dispute resolution.
Personal Data processing purposes and details
Subject matter of processing:
Processing of Provider Data in connection with the Services.
Duration of Processing:
Processing activities shall continue for the duration of the Services.
Nature of Processing:
Collection, recording, structuring, storage, disclosure by transmission or otherwise making available, erasure or distribution (whether or not by automated means) of Provider Data.
Business Purposes:
Performance of the Services to our Providers
Personal Data Categories:
Provider Data (as defined by our Privacy Policy)
Data Subject Types:
Provider Employees
Provider’s prospective service users.