General
This is the Data Processing Agreement for Blue Ring Digital Services Ltd, a company registered in England (company number 12709437) with a registered office at 186 Wetmore Road, Burton-on-Trent, Staffordshire, DE14 1QZ in relation to the processing of personal information provided on behalf of customers in relation to the use of the websites and services provided at blue-ring.co.uk.
This document is applicable to customers of Blue Ring Digital Services Ltd.
"Data Processing Agreement" refers to this Data Processing Agreement.
"You", "Your", "Controller", "Controller's" refers to You the customer.
"We ", "Us ", "Our ", "Processor ", "Blue Ring Digital Services Ltd " refers to Blue Ring Digital Services Ltd.
"Our Website" refers to Our website (blue-ring.co.uk).
"Software" refers to Our web application provided at blue-ring.co.uk.
"Our Services " refers to any product or service provided by Us to You.
"Data Protection Legislation" refers to the extent the UK GDPR and/ or the EU GDPR applies.
"UK GDPR" refers to the Data Protection Act 2018.
"EU GDPR" refers to the General data Protection Regulations ((EU) 2016/679).
We know that You will want to know exactly what We do with the information You provide Us with for processing. We will try to keep everything in this document as straightforward as possible, but if there’s anything You don’t understand, please get in touch with Us.
The headings in this Data Processing Agreement are for convenience only and shall not affect their interpretation.
The masculine shall include the feminine and the neuter and the singular the plural and vice versa.
If any provision or part of any provision of these Data Processing Agreement is found by a court or other competent authority to be void or unenforceable, such provision or part of a provision shall be deleted from these Data Processing Agreement and the remaining provisions or parts of the provision shall continue to be in full force and effect.
Duration of Processing
The duration of processing corresponds to the contracted term of Our Services.
Nature and purpose of the processing
The nature of the processing includes all types of processing required to fulfil Our Services with the Controller. The purposes of processing are all purposes required to provide Our Services to the Controller, including technical support.
Type of personal data and caegories of data subjects
The type and categorie of processed data is determined by the Controller and will depend on Our Services provided to the Controller, which includes any technical support.
Responsibility and processingon documented instructions
The Controller is responsible for complying with the legal requirements of the Data Protection Legislation, in particular, the legality of the transfer of data to the Processor and the legality of data processing under this Data Processing Agreement. This also applies to the purposes and means of processing set out in this Data Processing Agreement.
The instructions are initially determined by Our Services and can then be changed by You in writing or in an electronic format (text form) by individual instructions (individual instruction). Verbal instructions must be confirmed immediately in writing or in text form. The instructions must be documented by the Controller and the Processor and kept for at least the duration of the contractual relationship. In the event of proposed changes, the Processor shall inform the Controller of the effects that this will have on Our Services, in particular, the possibility of providing Our Services, deadlines, and remuneration. If the implementation of the instruction is not reasonable to the Processor, the Processor is entitled to terminate the processing. The Processor has the right to reject any instructions relating to Our Services which are provided in an infrastructure that is used by several customers of the Processor (shared services), and a change in the processing for individual customers is not possible or is unreasonable.
The data processing carried out under this Data Processing Agreement takes place in the United Kingdom, unless the transfer of data to third countries becomes necessary in order to provide the Our Services. In the event that a transfer to a third country takes place, the Processor shall ensure that the relevant Data Protection Legislation requirements are fulfilled, in relation to any such third country transfer.
Rights of the Controller and obligations of the Processor
The Processor may process data of data subjects only within the framework of Our Services and the documented instructions of the Controller, except where otherwise required under the applicable Data Protection Legislation (and in such a case shall inform the Controller of that legal requirement before processing, unless applicable Data Protection Legislation prevents it from doing so on important grounds of public interest). This also applies to transfers of personal data to third countries or international organisations. If there is a processing obligation contrary to an instruction, the Processor shall inform the Controller of the relevant legal requirement prior to the processing (unless the relevant law prohibits such information due to an important public interest). The Processor shall inform the Controller without delay if it considers an instruction infringes or may infringe the applicable Data Protection Legislation. The Processor may suspend the implementation of the instruction until it has been confirmed or modified by the Controller.
In the light of the nature of the processing, the Processor shall, as far as reasonably possible, assist the Controller with appropriate technical and organisational measures in order to fulfil the rights of the data subjects laid down in the applicable Data Protection Legislation. The Processor is entitled to demand appropriate compensation from the Controller for these services, unless the support was required due to a breach of law or a breach of contract by the Processor. The Processor shall provide the Controller with cost information in advance.
Taking into account the nature of the processing and the information available to the Processor, the Processor shall assist the Controller in its compliance with its obligations as a data Controller in respect of data security, data breach notification, data protection impact assessments, prior consultation with supervisory authorities or any notice or investigation by a relevant supervisory authority. The Processor is entitled to demand appropriate compensation from the Controller for these services, unless the support was required due to a breach of law or a breach of contract by the Processor. The Processor shall provide the Controller with cost information in advance.
The Processor ensures that the employees involved in the processing of Controller's data and other persons acting on behalf of the Processor are prohibited from processing the personal data outside the instruction issued. Furthermore, the Processor ensures that persons authorised to process the personal data are subject to a contractual duty of confidentiality or are under an appropriate statutory obligation of confidentiality. The obligation of confidentiality remains even after the order has been completed.
The Processor shall inform the Controller immediately if it becomes aware of violations of the protection of personal data of the Controller. The Processor shall take the necessary measures to safeguard the data and to mitigate possible adverse consequences for the data subjects.
Upon cancellation or expiry of the provision of the processing services, the Processor will arrange for the permanent deletion of the Controllers data as detailed in our Terms of Service under 'Your Data and Content'.
If a data subject asserts claims for compensation according to the relevant Data Protection Legislation, the Processor shall support the Controller in defending the claims, as far as reasonably possible. The Processor shall be entitled to charge reasonable costs in relation to such assistance.
Obligations of the controller
The Controller must immediately and completely inform the Processor if it identifies errors or irregularities with regard to data protection regulations.
At the request of the Processor, the Controller shall appoint a contact person for data protection matters.
Requests from data subjects
If a data subject approaches the Processor with requests for correction, deletion or information, the Processor, where possible, shall refer the data subject to the Controller. The Processor shall immediately forward the request of the data subject to the Controller. The Processor shall support the Controller with such requests as far as is reasonably possible. The Processor shall not be liable if the data subject request is not answered by the Controller, not answered correctly or not answered in due time.
Measures for the security of processing
The Processor will take appropriate technical and organisational measures in its area of responsibility to ensure that the processing is carried out in accordance with the requirements of the applicable Data Protection Legislation and ensure the protection of the rights and freedoms of the data subjects. The Processor shall take appropriate technical and organisational measures to ensure the confidentiality, integrity, availability and resilience of the processing systems and services in the long term.
The Processor will carry out regular reviews of the effectiveness of the technical and organisational measures to ensure the security of processing in accordance with the relevant Data Protection Legislation.
The Processor may, as a result of advances and technical developments or changes to the risk or nature of the processing, in its sole discretion, adapt or implement new measures relating to data security. The Processor shall ensure that any such changes continue to meet the requirements of all applicable Data Protection Legislation.
Proof and verification
The Processor shall provide the Controller with all information necessary to prove compliance with its data Processor obligations and shall allow and contribute to audits, including inspections, carried out by the Customer or another inspector appointed by the Controller (subject always to appropriate obligations of confidentiality). The Processor agrees to the designation of an independent external auditor by the Controller, if the Controller provides the Processor with a copy of the audit report. The Processor may refuse competitors of the Controller or persons working for competitors of the Controller (as may be reasonably determined by the Processor) as investigators.
Such inspections may only be carried out during normal business hours and without undue disruption of Blue Ring Digital Services Ltd. The Controller must give the Processor reasonable notice in writing (unless it is necessary to carry out an inspection without notification, due to a risk of the inspection being jeopardised. The Controllers's inspection right is limited to verifying the Processor’s compliance with its obligations under the applicable Data Protection Legislation and this Agreement. The Processor will use all reasonable efforts to facilitate and assist the Controller with such inspection.
The Processor is entitled to charge reasonable costs for the provision of information and assistance, unless the inspection was required due to a breach of law or a breach of contract by the Processor. The Processor shall provide the Controller with cost information in advance.
Subprocessors
The Controller grants the Processor the general permission to use other processors for the fulfilment of Our Services.
If the Processor engages subprocessors, it is the Processor's responsibility to impose its data protection obligations under this Data Processing Agreement to the subprocessor.
The Processor shall ensure, in particular through regular checks, any subprocessors comply with the technical and organisational measures.
Liability and Compensation
In the event of a claim for compensation by a data subject under the applicable Data Protection Legislation, the Controller and Processor undertake to assist each other to determine the underlying facts of the claim.
The Controller shall indemnify and hold the processor harmless in the event of any claim. In any event, claims will have a monetary limit. For further information please see the 'Disclaimer' in our Terms of Service.
Contract Period and miscellaneous
Our Data Processing Agreement commences on the execution of Our Services. It terminates or expires upon the conclusion of Our Services. If any data processing on behalf of the Controller still continues after termination of this Data Processing Agreement, the terms of this Data Processing Agreement remain in force until the processing activities cease.
If the data of the Controller is endangered by seizure or confiscation, by a bankruptcy or settlement procedure, or by other events or measures of third parties, the Processor shall inform the Controller immediately. The Processor will inform all persons responsible in this connection without delay that the sovereignty and the ownership of the data lie exclusively with the qualifying Controller.
CHANGES TO OUR PRIVACY STATEMENT
This Data Processing Agreement replaces all previous versions. We reserve the right to change the Data Processing Agreement at any time.