Data Processing Agreement
This outlines the agreement we have in place between us, the Data Processor, and you, the Data Controller. It's a GDPR requirement and is an addition to our Sprint Media Limited Terms of Service. It's relevant to you if Sprint processes any of your data, e.g. if you are a Campus user, if we manage your unsubscribes, or if we cleanse any of your data.
(1) This Customer Data Processing Agreement reflects the requirements of the General Data Protection Regulation ("GDPR") as it comes into effect on May 25, 2018. Sprint Media's products and services offered in the European Union are GDPR ready and this DPA provides you with the necessary documentation of this readiness.
(2) This Data Processing Agreement ("DPA") is an addendum to the Terms and Conditions ("Agreement") between Sprint and the Customer. The Customer enters into this Data Processing Agreement on behalf of itself and, to the extent required under Data Protection Laws, in the name and on behalf of its Authorised Affiliates (defined below). By continuing to use Sprint's Services in which it acts as a Data Processor the Customer agrees to the conditions in this Data Processing Agreement.
(3) Under this agreement between Sprint (the Data Processor) and the Customer (the Data Controller) Sprint provides to the Customer the Services described in Schedule 1.
(4) The provision of the Services by Sprint involves it in processing the Personal Data described in Schedule 1 on behalf of the Customer.
(5) Under EU Regulation 2016/679 General Data Protection Regulation ("the GDPR") (Article 28, paragraph 3), the Data Controller is required to put in place an agreement in writing between the Data Controller and any organisation which processes personal data on its behalf governing the processing of that data.
(6) The Parties have agreed to enter into this Agreement to ensure compliance with the said provisions of the GDPR in relation to all processing of the Personal Data by Sprint Media Limited for the Customer.
(7) The terms of this Agreement are to apply to all processing of Personal Data carried out for the Customer by Sprint and to all Personal Data held by Sprint in relation to all such processing.
The parties agree as follows:
1. Definitions and Interpretation
1.1. In this Agreement, unless the context otherwise requires, the following expressions have the following meanings:
"Affiliate" means an entity that directly or indirectly Controls, is Controlled by or is under common Control with an entity.
"Authorised Affiliate" means any of Customer Affiliate(s) permitted to or otherwise receiving the benefit of the Services pursuant to the Agreement.
"Control" means an ownership, voting or similar interest representing fifty percent (50%) or more of the total interests then outstanding of the entity in question. The term "Controlled" shall be construed accordingly.
"Customer Data" means any data that Sprint and/or its Affiliates processes on behalf of Customer in the course of providing the Services.
"Data Controller", "Data Processor", "processing", and "data subject" shall have the meanings given to the terms "controller", "processor", "processing", and "data subject" respectively in Article 4 of the GDPR.
"Data Protection Laws" means all data protection and privacy laws and regulations applicable to the processing of Personal Data under the Agreement, including, where applicable, EU Data Protection Law.
"EU Data Protection Law" means:
(i) prior to May 25, 2018, Directive 95/46/EC of the European Parliament and of the Council on the protection of individuals with regard to the processing of Personal Data and on the free movement of such data ("Directive") and on and after May 25, 2018, Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data (General Data Protection Regulation) ("GDPR"); and
(ii) Directive 2002/58/EC concerning the processing of Personal Data and the protection of privacy in the electronic communications sector and applicable national implementations of it (in each case, as may be amended, superseded or replaced).
"ICO" means the UK's supervisory authority, the Information Commissioner's Office.
"Personal Data" means all such "personal data", as defined in Article 4 of the GDPR, as is, or is to be, processed by Sprint on behalf of the Customer, as described in Schedule 1.
"Privacy Shield" means the EU-US and Swiss-US Privacy Shield Frameworks, as administered by the U.S. Department of Commerce.
"Privacy Shield Principles" means the Privacy Shield Framework Principles (as supplemented by the Supplemental Principles) contained in Annex II to the European Commission Decision of 12 July 2016 pursuant to the Directive, details of which can be found at www.privacyshield.gov/eu-us-framework.
"Security Incident" means any unauthorized or unlawful breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Personal Data.
"Services" means those services described in Schedule 1 which are provided by Sprint to the Customer and which the Customer uses for the purposes described in Schedule 1.
"Sprint" means Sprint Media Limited.
"Sub-Processor" means any Processor engaged by Sprint or its Affiliates to assist in fulfilling its obligations with respect to providing the Services pursuant to the Agreement or this DPA. Sub-processors may include third parties or any Sprint Affiliate.
"Sub-Processing Agreement" means an agreement between the Data Processor and a Sub-Processor governing the Personal Data processing carried out by the Sub-Processor.
1.2. Unless the context otherwise requires, each reference in this Agreement to:
a) "writing", and any cognate expression, includes a reference to any communication effected by electronic or facsimile transmission or similar means;
b) a statute or a provision of a statute is a reference to that statute or provision as amended or re-enacted at the relevant time;
c) "this Agreement" is a reference to this Agreement and each of the Schedules as amended or supplemented at the relevant time;
d) a Schedule is a schedule to this Agreement;
e) a Clause or paragraph is a reference to a Clause of this Agreement (other than the Schedules) or a paragraph of the relevant Schedule;
f) a "Party" or the "Parties" refer to the parties to this Agreement.
1.3. The headings used in this Agreement are for convenience only and shall have no effect upon the interpretation of this Agreement.
1.4. Words importing the singular number shall include the plural and vice versa.
1.5. References to any gender shall include all other genders.
1.6. References to persons shall include corporations.
2. Scope and Application of this DPA
2.1. The provisions of this Agreement shall apply where, and only to the extent that, Sprint processes Personal Data on behalf of the Customer in the course of providing the Services, whether such Personal Data is held at the date of this Agreement or received afterwards, and such Personal Data is subject to the Data Protection Laws of the European Union, the European Economic Area and/or their member states, Switzerland and/or the United Kingdom.
2.2 Role of the Parties. As between Sprint and the Customer, the Customer is the Controller of Personal Data and Sprint shall process Personal Data only as a Processor on behalf of the Customer. Nothing in the Agreement or this DPA shall prevent Sprint from using or sharing any data that Sprint would otherwise collect and process independently of the Customer's use of the Services.
2.3 Sprint's Processing of Personal Data. As a Processor, Sprint shall process Personal Data only for the following purposes:
a) processing to perform the Services in accordance with the Agreement;
b) processing to perform any steps necessary for the performance of the Agreement; and
c) to comply with other reasonable instructions provided by the Customer to the extent they are consistent with the terms of this Agreement and only in accordance with the Customer's documented lawful instructions. The parties agree that this DPA and the Agreement set out the Customer's complete and final instructions to Sprint in relation to the processing of Personal Data and processing outside the scope of these instructions (if any) shall require prior written agreement between the Customer and Sprint.
2.4 Nature of the Data. Sprint handles Customer Data provided by the Customer. Such Customer Data may contain special categories of data depending on how the Services are used by the Customer. The Customer Data may be subject to the following processing activities:
a) storage and other processing necessary to provide, maintain and improve the Services provided to the Customer;
b) to provide customer and technical support to the Customer; and
c) disclosures as required by law or otherwise set forth in the Agreement.
2.5 Sprint Data. Notwithstanding anything to the contrary in the Agreement (including this DPA), the Customer acknowledges that Sprint shall have a right to use and disclose data relating to and/or obtained in connection with the operation, support and/or use of the Services for its legitimate business purposes, such as billing, account management, technical support, product development and sales and marketing. To the extent any such data is considered personal data under Data Protection Laws, Sprint is the Controller of such data and accordingly shall process such data in compliance with Data Protection Laws.
2.6 Customer Obligations. The Customer agrees that:
a) it shall comply with its obligations as a Controller under Data Protection Laws in respect of its processing of Personal Data and any processing instructions it issues to Sprint; and
b) it has provided notice and obtained (or shall obtain) all consents and rights necessary under Data Protection Laws for Sprint to process Personal Data and provide the Services pursuant to the Agreement and this DPA.
2.7. The provisions of this Agreement supersede any other arrangement, understanding, or agreement made between the Parties at any time relating to the Personal Data.
2.8. This Agreement shall continue in full force and effect for so long as Sprint is processing Personal Data on behalf of the Customer.
3. Data Protection Compliance
3.1. All instructions given by the Customer to Sprint shall be made in writing and shall at all times be in compliance with the GDPR and other applicable laws. Sprint shall act only on such written instructions from the Customer unless Sprint is required by law to do otherwise (as per Article 29 of the GDPR).
3.2. Sprint shall promptly comply with any request from the Customer requiring Sprint to amend, transfer, delete, or otherwise dispose of the Personal Data.
3.3. Sprint shall transfer all Personal Data to the Customer on the Customer's request, in the formats and at the times specified in, and otherwise in compliance with, the Customer's written instructions.
3.4. Both Parties shall comply at all times with the GDPR and other applicable laws and shall not perform their obligations under this Agreement or any other agreement or arrangement between themselves in such way as to cause either Party to breach any of its applicable obligations under the GDPR.
3.5. Sprint hereby warrants, represents, and undertakes that its holding and processing of the Personal Data shall comply with the GDPR in all respects.
3.6. Sprint agrees to comply with any reasonable measures required by the Customer to ensure that its obligations under this Agreement are satisfactorily performed in accordance with any and all applicable legislation from time to time in force (including, but not limited to, the GDPR) and any best practice guidance issued by the ICO.
3.7. Sprint shall provide all reasonable assistance (at the Customer's cost) to the Customer in complying with its obligations under the GDPR with respect to the security of processing, the notification of personal data breaches, the conduct of data protection impact assessments, and in dealings with the ICO.
3.8. When processing the Personal Data on behalf of the Customer, Sprint shall:
a) not process the Personal Data outside the European Economic Area (all EU member states, plus Iceland, Liechtenstein, and Norway) ("EEA"), and not transfer it to any recipient outside the EEA that is not certified under the Privacy Shield (the successor to Safe Harbour), without the prior written consent of the Customer; and, where the Customer consents to such a transfer, comply with the obligations of Sprint under the provisions applicable to transfers of Personal Data to third countries set out in Chapter 5 of the GDPR by ensuring an adequate level of protection for any Personal Data that is transferred;
b) not transfer any of the Personal Data to any third party without the written consent of the Customer and, in the event of such consent, the Personal Data shall be transferred strictly subject to the terms of a suitable agreement;
c) process the Personal Data only to the extent, and in such manner, as is necessary in order to comply with its obligations to the Customer or as may be required by law (in which case, Sprint shall inform the Customer of the legal requirement in question before processing the Personal Data for that purpose unless prohibited from doing so by law);
d) implement appropriate technical and organisational measures, and take all steps necessary to protect the Personal Data against unauthorised or unlawful processing, accidental loss, destruction, damage, alteration, or disclosure;
e) if so requested by the Customer supply further details of the technical and organisational systems in place to safeguard the security of the Personal Data held and to prevent unauthorised access;
f) keep records of all processing activities carried out on the Personal Data in accordance with the requirements of Article 30(2) of the GDPR;
g) make available to the Customer any and all such information as is reasonably required and necessary to demonstrate Sprint's compliance with the GDPR;
h) on reasonable prior notice, submit to audits and inspections and provide the Customer with any information reasonably required in order to assess and verify compliance with the provisions of this Agreement and both Parties' compliance with the requirements of the GDPR. The requirement to give notice will not apply if the Customer believes that Sprint is in breach of any of its obligations under this Agreement or under the law; and
i) inform the Customer immediately if it is asked to do anything that infringes the GDPR or any other applicable data protection legislation.
4. Data Subject Access, Complaints, and Breaches
4.1. Sprint shall, at the Customer's cost, assist the Customer in complying with its obligations under the GDPR. In particular, the following shall apply to data subject access requests, complaints, and data breaches.
4.2. Sprint shall notify the Customer within 7 days if it receives:
a) a subject access request from a data subject; or
b) any other complaint or request relating to the processing of the Personal Data.
4.3. Sprint shall, at the Customer's cost, cooperate fully with the Customer and assist as required in relation to any subject access request, complaint, or other request, including by:
a) providing the Customer with full details of the complaint or request;
b) providing the necessary information and assistance in order to comply with a subject access request;
c) providing the Customer with any Personal Data it holds in relation to a data subject (within the timescales required by the Customer); and
d) providing the Customer with any other information requested by the Customer.
4.4. Sprint shall notify the Customer immediately if it becomes aware of any form of Personal Data breach, including any unauthorised or unlawful processing, loss of, damage to, or destruction of any of the Personal Data.
5. Data Security
5.1. Sprint shall ensure that, in respect of all Personal Data it receives from or processes on behalf of the Customer, it maintains security measures to a standard appropriate to:
a) the harm that might result from unlawful or unauthorised processing or accidental loss, damage, or destruction of the Personal Data; and
b) the nature of the Personal Data.
5.2. In particular, Sprint shall:
a) have in place, and comply with, a security policy which:
i. defines security needs based on a risk assessment;
ii. allocates responsibility for implementing the policy to a specific individual or personnel;
iii. is disseminated to all relevant staff; and
iv. provides a mechanism for feedback and review.
b) ensure that appropriate security safeguards and virus protection are in place to protect the hardware and software which is used in processing the Personal Data in accordance with best industry practice;
c) prevent unauthorised access to the Personal Data;
d) protect the Personal Data using pseudonymisation, where it is practical to do so;
e) ensure that its storage of Personal Data conforms with best industry practice such that the media on which Personal Data is recorded (including paper records and records stored electronically) are stored in secure locations and access by personnel to Personal Data is strictly monitored and controlled;
f) have secure methods in place for the transfer of Personal Data whether in physical form (for example, by using couriers rather than post) or electronic form (for example, by using encryption);
g) password protect all computers and other devices on which Personal Data is stored, ensuring that all passwords are secure, and that passwords are not shared under any circumstances;
h) take reasonable steps to ensure the reliability of personnel who have access to the Personal Data;
i) have in place methods for detecting and dealing with breaches of security (including loss, damage, or destruction of Personal Data) including:
i. the ability to identify which individuals have worked with specific Personal Data;
ii. having a proper procedure in place for investigating and remedying breaches of the GDPR; and
iii. notifying the Customer as soon as any such security breach occurs.
j) have a secure procedure for backing up all electronic Personal Data and storing back-ups separately from originals;
k) have a secure method of disposal of unwanted Personal Data including for back-ups, disks, print-outs, and redundant equipment; and
l) adopt such organisational, operational, and technological processes and procedures as are required to comply with the requirements of ISO/IEC 27001:2013, as appropriate to the Services provided to the Data Controller.
6. Intellectual Property Rights
All copyright, database rights, and other intellectual property rights subsisting in the Personal Data (including but not limited to any updates, amendments, or adaptations to the Personal Data made by either Sprint or the Customer) shall belong to the Customer or to any other applicable third party from whom the Customer has obtained the Personal Data under licence (including, but not limited to, data subjects, where applicable). Sprint is licensed to use such Personal Data under such rights only for the purposes of the Services, and in accordance with this Agreement.
7. Confidentiality
7.1. Sprint shall maintain the Personal Data in confidence, and in particular, unless the Customer has given written consent for Sprint to do so, Sprint shall not disclose any Personal Data supplied to it, for, or on behalf of the Customer to any third party. Sprint shall not process or make any use of any Personal Data supplied to it by the Customer otherwise than in connection with the provision of the Services to the Customer.
7.2. Sprint shall ensure that all personnel who are to access and/or process any of the Personal Data are contractually obliged to keep the Personal Data confidential.
7.3. The obligations set out in this Clause 7 shall continue for a period of 1 month after the cessation of the provision of Services by Sprint to the Customer.
7.4. Nothing in this Agreement shall prevent either Party from complying with any requirement to disclose Personal Data where such disclosure is required by law. In such cases, the Party required to disclose shall notify the other Party of the disclosure requirements prior to disclosure, unless such notification is prohibited by law.
8. Appointment of Sub-Processors
8.1. Authorized Sub-Processors. The Customer agrees that Sprint may engage Sub-Processors to process Personal Data on the Customer's behalf. The Sub-Processors currently engaged by Sprint and authorized by the Customer are listed in Schedule 2.
8.2. Sub-Processor Obligations. Sprint shall:
a) enter into a written agreement with the Sub-Processor imposing data protection terms that require the Sub-Processor to protect the Personal Data to the standard required by Data Protection Laws; and
b) remain responsible for its compliance with the obligations of this DPA and for any acts or omissions of the Sub-Processor that cause Sprint to breach any of its obligations under this DPA.
8.3. Changes to Sub-Processors. Sprint shall provide the Customer reasonable advance notice (for which email shall suffice) if it adds or removes Sub-Processors.
8.4. Objection to Sub-Processors. The Customer may object in writing to Sprint's appointment of a new Sub-Processor on reasonable grounds relating to data protection by notifying Sprint promptly in writing within 5 calendar days of receipt of Sprint's notice in accordance with Section 8.3. Such notice shall explain the reasonable grounds for the objection. In such event, the parties shall discuss such concerns in good faith with a view to achieving a commercially reasonable resolution. If this is not possible, either party may terminate the applicable Services that cannot be provided by Sprint without the use of the objected-to new Sub-Processor.
9. Deletion and/or Disposal of Personal Data
9.1. Sprint shall, at the written request of the Customer, delete (or otherwise dispose of) the Personal Data or return it to the Customer in the format(s) reasonably requested by the Customer within a reasonable time after the earlier of the following:
a) the end of the provision of the Services; or
b) the processing of that Personal Data by Sprint is no longer required for the performance of Sprint's obligations under this Agreement.
9.2. Following the deletion, disposal, or return of the Personal Data under sub-Clause 9.1, Sprint shall delete (or otherwise dispose of) all further copies of the Personal Data that it holds, unless retention of such copies is required by law, in which case Sprint shall inform the Customer of such requirement(s) in writing.
Schedule 1 - The Services Sprint Media Provides to the Customer
The following are the Services in the provision of which Sprint acts as a Data Processor:
1. Campus
If the Customer is a Campus user, Sprint processes the Customer's CRM, education data, and user data by storing it, enabling the Customer to access, sort, search, embellish, suppress, and send marketing to it.
2. Managed Email and Postal Campaigns
In some instances Sprint may hold and process a list of the Customer's suppressions if they were provided by the Customer. The processing Sprint does surrounding these is to suppress this data against Sprint's own send lists to ensure those contacts are not emailed.
3. Website Build and Hosting
Where Sprint has built or hosts a Customer's website it processes user data and contact enquiry data that may have been submitted through a form on the website by storing it, enabling the Customer to access, sort, and search it in the CMS part of the Customer's website.
Schedule 2 - List of Sub-Processors
Sprint uses its Affiliates and a range of third party Sub-Processors to assist it in providing the Services (as described in the Agreement). These Sub-Processors set out below provide server hosting and storage services; review and content delivery services; incident tracking, diagnosis, response and resolution services.
The Customer consents to sub-processing by the following organisations: Help Scout, Northway, DigitalOcean, Atlassian, Trello.
For further information about any of these organisations please get in touch.