- Purpose
- 1. This data processing agreement (DPA) governs the processing of personal data (Personal Data) by AFP Services Limited (AFP) in the capacity of a processor on behalf of a client (Client) in connection with the provision of services by AFP for the Client (Services) pursuant to a signed engagement letter and/or order form (the Agreement).
- 2. In this DPA, the following definitions apply:
- 2.1. the terms controller, data subject, personal data breach, process, processing, processor, and supervisory authority are defined in Data Protection Laws;
- 2.2. a sub-processor is another processor engaged by AFP to process Personal Data;
- 2.3. Data Protection Laws means (i) to the extent the EU GDPR applies, the law of the European Union or any member state of the European Union to which the Client is subject, which relates to the protection of personal data; or (ii) to the extent the UK GDPR applies, the law of the United Kingdom or of a part of the United Kingdom which relates to the protection of personal data;
- 2.4. EU GDPR means the General Data Protection Regulation ((EU) 2016/679);
- 2.5. SCCs means the standard contractual clauses for the Personal Data transfers from an EU or UK controller to a processor established in third countries which do not ensure an adequate level of data protection as set out in (a) where the EU GDPR applies, the Annex to Commission Implementing Decision 2021/914 on Standard Contractual Clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679, pursuant to the European Commission Decision of 4 June 2021, as may be updated by the European Commission from time to time; or (b) where the UK GDPR applies, the Standard Data Protection Clauses as issued by the Information Commissioner under s119A(1) DPA, in the form of an (i) International Data Transfer Agreement; or (ii) International Data Transfer Addendum to the EU Commission Standard Contractual Clauses; and
- 2.6. UK GDPR is defined in section 3(10) (as supplemented by section 205(4)) of the Data Protection Act 2018.
- 3. The parties agree that for the purposes of Data Protection Laws, the Client is the controller of the Personal Data and AFP is the processor.
- 4. The Appendix to this DPA sets out the scope, nature and purpose of processing by AFP, the duration of the processing and the types of personal data and categories of data subject.
- Client obligations
- 1. The Client instructs AFP to process Personal Data in accordance with this DPA.
- 2. The Client is responsible for providing all notices and obtaining all consents, licences and legal bases required to allow AFP to process Personal Data.
- AFP obligations
- 1. AFP must:
- 1.1. only process Personal Data in accordance with this DPA and the Client’s instructions (unless legally required to do otherwise);
- 1.2. not sell, retain or use any Personal Data for any purpose other than those permitted by the Agreement;
- 1.3. inform the Client immediately if (in AFP’s opinion) the Client’s instructions break Data Protection Laws;
- 1.4. use appropriate technical and organisational measures when processing Personal Data to ensure a level of security appropriate to the risk involved, as described in AFP’s information security policy from time to time;
- 1.5. notify the Client without undue delay after becoming aware of a personal data breach affecting the Personal Data and provide the Client with reasonable assistance as required under Data Protection Laws in responding to it;
- 1.6. ensure that anyone authorised by AFP to process Personal Data is committed to confidentiality obligations;
- 1.7. without undue delay, provide the Client with reasonable assistance at the Client’s expense with:
- 1.7.1. data protection impact assessments;
- 1.7.2. responses to data subjects’ requests to exercise their rights under Data Protection Laws; and
- 1.7.3. engagement with supervisory authorities;
- 1.8. maintain records of processing activities carried out on the Client’s behalf as required by Data Protection Laws;
- 1.9. allow for audits by making available to the Client on request an audit report, which the Client must treat confidentially (and the Client may not exercise this right more than once per year); and
- 1.10. return Personal Data on written request from the Client or delete Personal Data at the end of the relationship in accordance with clause 2.7 of the Services Agreement, unless retention is legally required.
- Compliance with laws
Each party must comply with Data Protection Laws in connection with the Personal Data.
- Sub-processing
- 1. The Client authorises AFP to engage sub-processors when processing Personal Data. AFP’s existing sub-processors are listed in Appendix 2.
- 2. AFP must:
- 2.1. require its sub-processors to comply with obligations equivalent to its own under this DPA; and
- 2.2. inform the Client of any intended additions or replacements of sub-processors by updating the list of sub-processors, to enable the Client the opportunity to object; but if the Client does object and can’t demonstrate to AFP’s reasonable satisfaction that the objection is due to an actual or likely breach of Data Protection Laws, then the Client indemnifies AFP and its group companies for any losses, damages, costs (including reasonable legal fees) and expenses they suffer in accommodating the objection.
- 3. AFP is liable to the Client for any acts and omissions of its sub-processors that would breach AFP’s obligations under this DPA if they were a party to it.
- International data transfers
- 1. The Client agrees that AFP may transfer Personal Data outside of the European Economic Area or United Kingdom as required to perform the Services, as long as AFP ensures that all transfers comply with Data Protection Laws.
- 2. Any transfer of Personal Data from the UK or the EEA to third countries which do not ensure an adequate level of data protection where processors are established shall be in accordance with the SCCs. The SCCs shall come into effect and be incorporated from the date of the first relevant transfer. Any processing of such Personal Data shall be (i) under the SCCs; (ii) reflect the subject matter, purpose and scope of Personal Data processed under this DPA; and (iii) subject to the technical and organisational measures provided for by AFP. Either Party may, at any time with not less than 30 days’ notice, revise this paragraph 6.2 by replacing it with any applicable form of SCC with the agreement of both Parties by way of amendment to this Agreement.
Appendix 1 – Data processing information
- Subject matter of processing
AFP’s provision of the Services to the Client
- Duration of the processing
The duration of the engagement and/or subscription under the Agreement, plus up to thirty (30) days after the termination of the Agreement.
- Nature and purpose of the processing
To provide the Services to the Client.
- Type of personal data
Personal data contained in Client data processed by AFP, including contact details, and personal data of employees and subcontractors of the Client, Client customers, Client suppliers and other Client counterparties.
IP addresses.
Geolocation information.
User device information.
- Categories of data subjects
Employees and subcontractors of the Client, Client customers, Client suppliers and other Client counterparties.
- Technical and organisational security measures
Described in AFP’s information security policy.