These Data Processing Terms form part of the Customer Agreement and set out the terms upon which Growth Track processes personal data on behalf of the Customer. In these Data Processing Terms, the singular shall include the plural and vice versa, words indicating any one gender shall include the other genders, words indicating natural persons shall include juristic persons and bodies corporate and vice versa. Any phrase introduced by the terms “including”, “include” “in particular” or any similar expression shall be construed as illustrative and shall not limit the sense of the words preceding those terms. The following definitions shall have the meanings assigned to them below:
Appropriate Safeguards means such legally enforceable mechanism(s) for transfers of Personal Data outside the EEA as may be permitted under Data Protection Laws from time to time;
Customer means the entity identified in the Order which enters into the Customer Agreement with Growth Track;
Data Controller means that term (or the term ‘controller’) in the GDPR;
Data Processor means that term (or the term ‘processor’) in the GDPR;
Data Protection Laws means any applicable UK or EU law relating to the processing, privacy, and use of Personal Data, as applicable to Growth Track and/or the Services including:
i. The Data Protection Act 1998;
ii. The EU Data Protection Directive (95/46/EC) as implemented in each relevant jurisdiction;
iii. The Privacy and Electronic Communications (EC Directive) Regulations 2003 and the EU Privacy and Electronic Communications Directive 2002/58/EC as implemented in each relevant jurisdiction; and
1v. The GDPR from the date the GDPR Date; and any corresponding or equivalent national laws or regulations and any amending, equivalent or successor legislation to any of the above from the date that they come into force and the guidance and codes of practice issued by the Information Commissioner;
Data Protection Losses means any costs (including legal costs), liabilities, claims, demands, actions, settlements, interest, charges, expenses, losses, damages, administrative fines, penalties, sanctions, costs of compliance with an investigation by a Supervisory Authority and/or compensation ordered by a Supervisory Authority;
Data Subject means that term in the GDPR;
Data Subject Request means a request made by a Data Subject to exercise any rights of Data Subjects under Data Protection Laws;
End User has the meaning set out in the Software Licence Terms;
GDPR means the General Data Protection Regulation (EU) 2016/679;
GDPR Date means from when the GDPR applies on 25 May 2018;
Order means the order form which forms part of the Customer Agreement which sets out details of the Services and which is signed by the parties;
Personal Data means that term in the GDPR;
Personal Data Breach means any breach of security by Growth Track leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, any Protected Data on systems managed by or otherwise controlled by Growth Track excluding unsuccessful attempts or activities that do not compromise the security of Protected Data and/or where the breach is unlikely to result in a risk to the rights and freedoms of natural persons.
Processing means that term in the GDPR (and related terms such as process have corresponding meanings);
Processing Instructions means that term in clause 3.1.1.
Protected Data means any Personal Data processed by Growth Track as a Data Processor on behalf of the Customer in connection with the provision of Services and/or performance of Growth Track’s obligations under the Customer Agreement;
Software License Terms means the terms located at https://growthtrack.co.uk/growth-mail-terms-and-conditions/ which form part of the Customer Agreement;
Sub Contractors We continuously interact and collaborate with our sub-processors to certify compliance to various legislations, including GDPR, to ensure the safety and protection of your data.
Sub-Processor means another Data Processor engaged by Growth Track for carrying out processing activities in respect of the Protected Data as part of the Services on behalf of the Customer.
Supervisory Authority means any local, national or multinational agency, department, official, parliament, public or statutory person or any government or professional body, regulatory or supervisory authority, board or other body responsible for administering Data Protection Laws.
1.1 The following clauses in this Agreement will only apply to the extent that the Data Protection Laws apply to Protected Data.
- Data processor and data controller
2.1 The parties agree that, in relation to the Protected Data, the Customer is the Data Controller and Growth Track is the Data Processor.
2.2 Growth Track shall process Protected Data in compliance with the obligations of Data Processors under Data Protection Laws in respect of the performance of its obligations under the Customer Agreement.
2.3 The Customer shall comply with all Data Protection Laws in connection with the processing of Protected Data and the exercise and performance of its respective rights and obligations under the Customer Agreement, including maintaining all relevant regulatory registrations and notifications as required under Data Protection Laws.
2.4 The Customer warrants, that:
2.4.1 All Protected Data shall comply in all respects, including in terms of its collection, storage, processing and transfer to and use by Growth Track (which shall include the Customer providing all of the required fair processing information to, and obtaining all necessary consents from, relevant Data Subjects), with Data Protection Laws;
2.4.2 All instructions given by it to Growth Track in respect of Personal Data shall at all times be in accordance with Data Protection Laws; and
2.4.3 It has undertaken due diligence in relation to Growth Track’s processing operations, and it is satisfied that:
(a) Growth Track’s processing operations are suitable for the purposes for which the Customer proposes to use the Services and engage Growth Track to process the Protected Data; and
(b) Growth Track has sufficient expertise, reliability and resources to implement technical and organisational measures that meet the requirements of Data Protection Laws.
2.5 The Customer shall not withhold, delay or condition its agreement to any change requested by Growth Track to the Services in order to ensure the Services and Growth Track (and each Sub-Processor) can comply with Data Protection Laws.
- Instructions and details of processing
3.1 Insofar as Growth Track processes Protected Data on behalf of the Customer, Growth Track:
3.1.1 Unless required to do otherwise by applicable law, shall (and shall take steps to ensure each person acting under its authority shall) process the Protected Data only on and in accordance with the Customer’s documented instructions as set out in this clause 3 and clause 12 (Data Processing Details), as updated from time to time upon written agreement between the parties and/or as further specified via the Customer’s use of the Services (Processing Instructions);
3.1.2 If applicable law requires it to process Protected Data other than in accordance with the Processing Instructions, shall notify the Customer of any such requirement before processing the Protected Data (unless applicable law prohibits such information on important grounds of public interest).
- Technical and organisational measures
4.1 Growth Track shall implement and maintain appropriate technical and organisational measures to:
4.1.1 Ensure the security, integrity, availability and confidentiality of the Protected Data and protect against accidental loss or destruction of, or damage to Protected Data, such measures to be appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected having regard to the state of technological development and the cost of implementing any measures;
4.1.2 Taking into account the nature of the processing, assist the Customer insofar as is possible in the fulfilment of the Customer’s obligations to respond to Data Subject Requests relating to Protected Data.
- Using staff and other processors
5.1 The Customer acknowledges and agrees that Growth Track engages Sub-Processors to host some of the Services. Details of the Sub-Processors are available upon request. The Customer provides general consent to Growth Track engaging such Sub-Processors provided that Growth Track:
5.1.1 Provides to the Customer details of any new Sub-Processor appointed after the date of the Customer Agreement;
5.1.2 Notifies the Customer in advance of any change in a Sub-Processor. The Customer may object to any change in the Sub-Processor where it has reasonable grounds for doing so and in such circumstances Growth Track shall be entitled to address the objection through one of the following options at its sole discretion:
(a) Cease to use the relevant Sub-Processor;
(b) Take steps suggested by the Customer to address the objection; or
(c) Cease to provide the particular Services which involves the relevant Sub-Processor.
5.2 Growth Track shall, prior to the relevant Sub-Processor carrying out any processing activities in respect of the Protected Data, appoint each Sub-Processor under a written contract containing obligations which offer materially the same level of protection for the Protected Data as those set out in these Data Processing Terms. The Customer acknowledges and agrees that it has no right to audit and inspect a Sub-Processor’s facilities and premises and Data Processing Terms that Growth Track shall not be obliged to include such rights in its agreement with its Sub-Processors.
5.3 Growth Track shall ensure that all persons authorised by it (or by any Sub-Processor) to process Protected Data are subject to an obligation to keep the Protected Data confidential (except where disclosure is required in accordance with applicable law, in which case Growth Track shall, where practicable and not prohibited by applicable law, notify the Customer of any such requirement before such disclosure).
- Assistance with the customer’s compliance and data subject rights
6.1 Growth Track shall promptly refer all Data Subject Requests it receives to the Customer upon receipt of the request, and shall, at the Customer’s cost at Growth Track’s standard rates in force at the time, assist the Customer with Data Subject Requests.
6.2 Growth Track shall provide such reasonable assistance as the Customer reasonably requires (taking into account the nature of processing and the information available to Growth Track) to the Customer in ensuring compliance with the Customer’s obligations under Data Protection Laws with respect to:
6.2.1 Security of processing;
6.2.2 Data protection impact assessments (as such term is defined in Data Protection Laws);
6.2.3 Prior consultation with a Supervisory Authority regarding high risk processing; and
6.2.4 Notifications to the Supervisory Authority and/or communications to Data Subjects by the Customer in response to any Personal Data Breach.
6.3 The Customer shall pay Growth Track’s charges for providing the assistance in clause 6.2, at Growth Track’s standard rates in force at the time.
- Records, information and audit
7.1 Growth Track shall maintain, in accordance with Data Protection Laws binding on Growth Track, written records of all categories of processing activities carried out on behalf of the Customer.
7.2 Growth Track shall, in accordance with Data Protection Laws, make available to the Customer such information as is reasonably necessary to demonstrate Growth Track’s compliance with the obligations of Data Processors under Data Protection Laws, and allow for and contribute to audits, including inspections, by the Customer (or another auditor mandated by the Customer) for this purpose, subject to clause 5.2 and subject to the Customer:
7.2.1 Giving Growth Track reasonable prior notice of such information request, audit and/or inspection being required by the Customer;
7.2.2 Carrying out no more than one audit or inspection in any calendar year except where the Customer reasonably believes necessary due to genuine concerns as to Growth Track’s compliance with these Data Processing Terms or where the Customer is required or requested to carry out such an audit or inspection by Data Protection Laws and/or a Supervisory Authority;
7.2.3 Ensuring that all information obtained or generated by the Customer or its auditor(s) in connection with such information requests, inspections and audits is kept strictly confidential (save for disclosure to the Supervisory Authority or as otherwise required by applicable law);
7.2.4 Ensuring that such audit or inspection is undertaken during normal business hours in England, with minimal disruption to Growth Track’s business and the business of other customers of Growth Track; and
7.2.5 Paying Growth Track’s reasonable costs for assisting with the provision of information and allowing for and contributing to inspections and audits. Data Processing Terms.
7.3 Growth Track may object to any third-party auditor appointed by the Customer to conduct any audit under clause 7.2 if the auditor is not in Growth Track’s reasonable opinion, suitably qualified or independent.
7.4 Nothing in clause 7.2 gives the Customer any right to access any data of any other customer of Growth Track or information that could cause Growth Track to breach its obligations under Data Protection Laws and/or its confidentiality or privacy obligations to any third party.
7.5 As an alternative to the right to audit in clause 7.2, Growth Track may provide the Customer with copies of security reports relating to the Software and Growth Track’s systems.
- Breach notification
8.1 In respect of any Personal Data Breach involving Protected Data, Growth Track shall, without undue delay, notify the Customer of the Personal Data Breach and provide the Customer with details of the Personal Data Breach.
8.2 In the event that the Customer becomes aware of a Personal Data Breach by Growth Track or otherwise in connection with the Services, it shall without undue delay notify Growth Track of the Personal Data Breach and provide Growth Track with details of the Personal Data Breach.
8.3 As the Data Controller, the Customer is solely responsible for complying with its notification obligations for Personal Data Breaches under Data Protection Laws, including providing notification to the relevant Supervisory Authority and Data Subjects (where applicable).
- Deletion or return of protected data and copies
9.1 Growth Track shall, at the Customer’s written request return or delete the Protected Data (unless storage of any data is required by applicable law and, if so, Growth Track shall inform the Customer of any such requirement).
10.1 The Customer shall indemnify and keep indemnified Growth Track in respect of all Data Protection Losses suffered or incurred by, awarded against or agreed to be paid by, Growth Track and any Sub-Processor arising from or in connection with any:
10.2 Non-compliance by the Customer with the Data Protection Laws;
10.3 Processing carried out by Growth Track or any Sub-Processor pursuant to any Processing Instruction that infringes any Data Protection Laws; and/or,
10.4 Breach by the Customer of any of its obligations under the Customer Agreement, except to the extent Growth Track is liable under clause 10.2.
10.5 Growth Track’s liability for any Data Protection Losses (howsoever arising, whether in contract, tort (including negligence or otherwise) under or in connection with the Customer Agreement is limited to the extent caused by the processing of Protected Data by Growth Track under the Customer Agreement and where such Data Protection Losses result directly from Growth Track’s breach of clauses 1 to 9 (inclusive) and are not contributed to or caused by any breach by the Customer of Data Protection Laws, these Data Processing Terms and/or the Customer Agreement.
10.6 The liability of Growth Track for Data Protection Losses and/or under or in connection with these Data Processing Terms (howsoever arising, whether in contract, tort (including negligence), statutory duty or otherwise is subject to the exclusions and limitations of liability in the Software Licence Terms which forms part of the Customer Agreement.
10.7 The Customer shall not be entitled to claim back from Growth Track any part of any compensation paid by the Customer to a person relating to the processing of Protected Data, to the extent that the Customer is liable to indemnify Growth Track under clause 10.1. Data Processing Terms.
11.1 Growth Track may amend these Data Processing Terms from time to time, including where required to comply with any applicable law or where the amendments do not result in a material reduction in the protection of Protected Data and/or do not breach Data Protection Laws.
- Data processing details
12.1 Detail Description Subject-matter of processing: Growth Track’s provision of the Services to the Customer.
12.2 Duration of the processing: The term of the Customer Agreement until the deletion of Protected Data in accordance with the Customer Agreement.
12.3 Nature and purpose of the processing: Growth Track will process Protected Data for the purposes of providing the Services to the Customer in accordance with the Customer Agreement.
12.4 Type of Personal Data: Data relating to the Data Subjects provided to Growth Track via the Services, by (or at the direction of) the Customer, namely email addresses.
12.5 Categories of Data Subjects: Data relating to Data Subjects provided to Growth Track via the Services, by (or at the direction of) the Customer including data relating to End Users and email recipients of End Users.