DATA PROCESSING AGREEMENT (DPA)

This Data Processing Agreement (“Agreement”) is entered into by and between:

(1) Controller: The client (hereinafter referred to as the “Controller”), and

(2) Processor: Flexy Consent, a product of Westcoast Technology Limited, with its registered office at 71-75 Shelton Street Covent Garden London WC2H 9JQ United Kingdom (hereinafter referred to as the “Processor”).

(together as the “Parties”)

Effective Date: April 15, 2024

This Agreement is an annex to the primary service agreement (the “Main Agreement”, available at https://flexyconsent.com/terms-of-use) entered into by the Parties and forms an integral part of it. The Parties seek to implement a data processing agreement that complies with the requirements of the current legal framework in relation to data processing and with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

IT IS AGREED AS FOLLOWS:

1. Definitions and Interpretation

1.1 Unless otherwise defined herein, capitalized terms and expressions used in this Agreement shall have the following meaning: 

1.1.1 “Agreement” means this Data Processing Agreement and all Schedules; 

1.1.2 “Controller Personal Data” means any Personal Data Processed by a Contracted Processor on behalf of Controller pursuant to or in connection with the Main Agreement; 

1.1.3 “Contracted Processor” means a Subprocessor;

1.1.4 “Data Protection Laws” means EU Data Protection Laws and, to the extent applicable, the data protection or privacy laws of any other country; 

1.1.5 “EEA” means the European Economic Area; 

1.1.6 “EU Data Protection Laws” means EU Directive 95/46/EC, as transposed into domestic legislation of each Member State and as amended, replaced or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR; 

1.1.7 “GDPR” means EU General Data Protection Regulation 2016/679; 

1.1.8 “Data Transfer” means: 

1.1.8.1 a transfer of Controller Personal Data from the Controller to a Contracted Processor; or 

1.1.8.2 an onward transfer of Controller Personal Data from a Contracted Processor to a Subcontracted Processor, or between two establishments of a Contracted Processor, 

in each case, where such transfer would be prohibited by Data Protection Laws (or by the terms of data transfer agreements put in place to address the data transfer restrictions of Data Protection Laws); 

1.1.9 “Services” means all the services and solutions the Processor provides. 

1.1.10 “Subprocessor” means any person appointed by or on behalf of Processor to process Personal Data on behalf of the Controller in connection with the Agreement.

1.2 The terms “Commission”, “Controller”, “Data Subject”, “Member State”, “Personal Data”, “Personal Data Breach”, “Processing” and “Supervisory Authority” shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.

2. Subject Matter and Duration

2.1 The subject matter of this Agreement is the processing of Personal Data by the Processor on behalf of the Controller in connection with the provision of consent management services under the Main Agreement.

2.2 This Agreement shall remain in force for as long as the Processor processes Personal Data on behalf of the Controller.

3. Nature and Purpose of Processing

3.1 In delivering the Services to the Controller under the Agreement, the Processor shall process Personal Data only as necessary to fulfill the Services, in accordance with the Agreement, this DPA, and the Controller’s documented instructions, which may be updated from time to time.

3.2 Both the Controller and the Processor shall ensure that any individual acting on their behalf who has access to Personal Data processes such data only under the Controller’s instructions unless required to do so by applicable Data Protection Law.

3.3 The Processor shall process Personal Data solely for the purpose of providing consent management and related services as specified in the Main Agreement.

4. Types of Personal Data and Categories of Data Subjects

4.1 Types of Personal Data: 

Consent records (Consent ID, Consent time and date, browser User Agent, Consent State),

Device information, 

Geolocation data, 

IP address,

Visited URL,

Other data collected via consent banners.

4.2 Categories of Data Subjects: Website visitors and users interacting with the Controller’s digital properties (end users).

5. Processor Personnel

The Processor shall take reasonable measures to ensure the trustworthiness of any employee, agent, or contractor of any Contracted Processor who may have access to Controller Personal Data. Access shall be strictly limited to those individuals who need to know or access the relevant data solely for the purposes of fulfilling the Main Agreement and complying with Applicable Laws, based on their specific duties to the Contracted Processor. The Processor shall also ensure that all such individuals are bound by confidentiality agreements or are subject to professional or legal obligations of confidentiality.

6. Confidentiality and Security

6.1 Taking into account the state of the art, implementation costs, and the nature, scope, context, and purposes of the Processing, as well as the varying likelihood and severity of risks to the rights and freedoms of natural persons, the Processor shall implement appropriate technical and organizational measures in relation to the Controller Personal Data. These measures shall ensure a level of security appropriate to the risk, including, where applicable, those outlined in Article 32(1) of the GDPR.

6.2 When determining the appropriate level of security, the Processor shall specifically consider the risks associated with the Processing, particularly those arising from a Personal Data Breach.

6.3 The Processor shall ensure that all persons authorized to process the Personal Data are bound by confidentiality obligations.

7. Use of Subprocessors

7.1 The Controller provides general authorization to the use of subprocessors. The current list of subprocessors is available upon request by contacting the Processor via email at support@flexyconsent.com. By booking the service, the use of these subprocessors is considered approved.

7.2 The Controller agrees to the addition or replacement of Subprocessors, provided that the Processor notifies the Controller in writing (via e-mail) of any intended changes concerning Subprocessors thirty (30) days in advance. The Controller may object on reasonable grounds.

7.3 The Processor shall ensure that its subprocessors are bound by data protection obligations no less protective than those in this Agreement.

8. Data Subject Rights

8.1 The Processor shall assist the Controller in responding to requests from Data Subjects to exercise their rights under GDPR.

8.2 The Processor’s Consent Management Platform (CMP) enables the automated collection of end-user consent on behalf of the Controller and allows users to withdraw their consent directly through the platform. For the exercise of other data subject rights not supported by the CMP’s functionality, the Processor shall act only upon the Controller’s instructions, such as providing information, correcting, deleting, or restricting the processing of personal data handled on behalf of the Controller. If a data subject contacts the Processor directly regarding such requests, the Processor shall promptly forward the request to the Controller unless legally prohibited from doing so. In cases where the Processor is legally required to respond, the Controller shall fully cooperate as needed. The Controller shall also reimburse the Processor for any extraordinary or excessive costs incurred in assisting with data subject requests.

9. Personal Data Breach

9.1 The Processor shall notify the Controller without undue delay upon becoming aware of any Personal Data Breach involving Controller Personal Data. Such notification shall include sufficient details to enable the Controller to fulfill its obligations under applicable Data Protection Laws, including any duty to report the breach or inform affected Data Subjects.

9.2 The Processor shall cooperate with the Controller and, upon the Controller’s direction, take all reasonable and commercially practicable steps to support the investigation, mitigation, and resolution of any such Personal Data Breach.

10. Cooperation and Compliance

10.1 The Processor shall assist the Controller in ensuring compliance with Articles 32 to 36 of the GDPR, including data breach notifications, impact assessments, and consultations with supervisory authorities.

10.2 The Processor shall promptly inform the Controller of any request or complaint related to the processing of Personal Data that may have a negative impact on the Controller, unless such disclosure is prohibited by applicable law or a binding court order.

10.3 The Processor may copy and/or retain Personal Data as necessary to comply with legal or regulatory obligations, including but not limited to data retention requirements.

10.4 The Controller, the Processor, and, where applicable, their respective representatives shall cooperate with any supervisory data protection authority upon request in fulfilling their obligations under this DPA and applicable Data Protection Laws.

11. Return or Deletion of Data

11.1 Subject to the provisions of this Section 11, the Processor shall, promptly and no later than 30 days following the cessation of any Services involving the Processing of Controller Personal Data (the “Cessation Date”), delete and ensure the deletion of all copies of such Controller Personal Data, unless legal obligations require otherwise or part of the Controller Personal Data is stored in backups; in that case, such Personal Data shall be deleted from backups no later than 1 year after the cessation of the Services.

11.2 The Processor shall provide the Controller with written confirmation certifying full compliance with the requirements of this Section 11 within 30 days following the Cessation Date.

12. Audits and Inspections

12.1 Subject to this Section 12, the Processor shall, upon request, provide the Controller with all necessary information to demonstrate compliance with this Agreement. The Processor shall also permit and support audits, including inspections, conducted by the Controller or an auditor authorized by the Controller, in relation to the processing of Controller Personal Data by the Contracted Processors.

12.2 The Controller’s information and audit rights under Section 12.1 only arise to the extent that the Agreement does not otherwise give the Controller information and audit rights meeting the relevant requirements of Data Protection Laws.

13. Liability

13.1 Each Party’s liability under this Agreement shall be subject to the limitations and exclusions set out in the Main Agreement.

13.2 The Parties agree that the Processor shall be responsible for any breaches of this DPA resulting from the acts, omissions, or negligence of its Subprocessors, to the same extent as if the Processor had performed the Subprocessor’s obligations itself, subject to any liability limitations set forth in the Agreement.

13.3 The Parties agree that the Controller shall be held responsible for any breaches of this DPA resulting from acts or omissions, as though those actions had been carried out by the Controller directly.

14. Data Transfer

14.1 The Processor shall not transfer, or permit the transfer of, Personal Data to countries outside the EU and/or the European Economic Area (EEA) without the Controller’s prior written consent. In the event that Personal Data processed under this Agreement is transferred from within the EEA to a location outside the EEA, the Parties shall ensure adequate protection of the data. Unless otherwise agreed, such transfers shall be governed by the EU-approved Standard Contractual Clauses.

15. General

15.1 Any changes or additions to this Agreement, including all of its components, must be made in writing, which may also be in electronic form (text format), and must explicitly state that they constitute an amendment or addition to these terms and conditions.

15.2 The terms of this Agreement shall remain in effect following the termination of the Main Agreement and shall continue until all of the Controller’s personal data has been completely returned or securely deleted. Unless otherwise stated, the provisions of the Main Agreement shall apply accordingly.

15.3 If any provision of this Agreement is found to be invalid, the validity of the remaining provisions shall remain unaffected.

16. Governing Law and Jurisdiction

16.1 This Agreement shall be governed by and construed in accordance with the laws of England and Wales.

16.2 Any dispute arising in connection with this Agreement, which the Parties are unable to resolve amicably, shall be submitted to the exclusive jurisdiction of the courts of England and Wales, subject to possible appeal to the Court of Appeal of England and Wales and, where applicable, the UK Supreme Court.