Terms and conditions
Last modified: November 15, 2023
The Data Processing Terms (“DPT”), incorporating the Standard Contractual Clauses approved by the European Commission where applicable, set out the agreement between the Parties on the conditions governing the Processing of Personal Data. These DPT are made between CartBooster Ltd (hereinafter referred to as the “Processor”) and any client of CartBooster Ltd (hereinafter referred to as the “Controller”). The Processor and the Controller are collectively referred to as the “Parties” and individually as a “Party”.
Background:
- The Controller handles Personal Data within its business operations;
- The Processor manages Personal Data on behalf of other companies or organizations;
- The Controller intends to utilize the Processor’s services to manage Personal Data on its behalf.
1. Definitions and Interpretation
Business Day: any day, other than a Saturday, Sunday or public holiday in England, on which banks in London are open for business.
Data Protection Authority: The pertinent authority for data protection is the Information Commissioner’s Office (ICO).
Data Protection Legislation: This refers to the Data Protection Act 2018 (DPA2018), the United Kingdom General Data Protection Regulation (UK GDPR), the Privacy and Electronic Communications (EC Directive) Regulations 2003, and any legislation enacted in relation to the aforementioned laws. It also encompasses the EU General Data Protection Regulation (EU GDPR) when the data is processed by a controller or processor established in the European Union or involves data of individuals within the European Union. This includes any successor legislation enacted over time.
Data Security Breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration or unauthorised disclosure of, or access to, Personal Data.
2. Scope
The DPT sets out the obligations of the Processor when processing Personal Data on behalf of the Controller. The DPT takes effect on the effective date and remains in force until terminated.
3. Processing of the Personal Data
3.1 The Processor agrees to handle the Personal Data strictly in line with Data Protection Legislation.
3.2 Each Party shall adhere to all applicable requirements of the Data Protection Legislation. This clause is supplemental to and does not diminish, remove, or replace a Party’s obligations or rights under the Data Protection Legislation. In this clause 3, Applicable Laws refer to (as long as and to the extent they apply to either party) the law of the European Union, the law of any member state of the European Union, and/or UK Law.
3.3 The Parties acknowledge that the Processor will handle Personal Data on behalf of the Controller during the term of the DPT. Details of the Personal Data and the processing activities carried out by the Processor are outlined in Appendix 1.
3.4 Insofar as the Processor handles Personal Data on behalf of the Controller in connection with the DPT, the Processor shall:
3.4.1 Process the Personal Data exclusively to fulfill its responsibilities under the DPT and in accordance with the Controller’s written directives as stipulated in the DPT and as may be detailed periodically in writing by the Controller;
3.4.2 Promptly notify the Controller if any of the Controller’s directives regarding the handling of Personal Data are unlawful;
3.4.3 Keep a record of the categories of processing activities carried out on behalf of the Controller in compliance with Article 30(2) of the GDPR;
3.4.4 Support the Controller in upholding the obligations outlined in Articles 32 to 36 of the GDPR, taking into account the nature of the data handling by the Processor and the information available to the Processor, including (without limitation):
3.4.4.1 Sub-Processors:
- Not engage any Sub-Processor or Sub-Contractor to process Personal Data without the prior written authorisation of the Controller (which may take the form of the general authorisation set out in the following paragraph, and which shall not be unreasonably withheld). Regardless of any such authorisation, the Processor remains accountable for adherence to all requirements of the DPT concerning the handling of Personal Data;
- The Controller grants the Processor general permission to replace any of its Sub-Processors or to add a new Sub-Processor. However, before any such substitution or addition, the Processor must inform the Controller of any intended changes concerning the addition or replacement of Sub-Processors, thus allowing the Controller the opportunity to object to such changes. If no objection is raised within 30 days, the proposed replacement or addition will be considered accepted. If an objection is raised, and the Parties do not reach an agreement within 30 days from the day the objection is raised, the Processor has the right to proceed with the proposed addition or replacement, and the Controller has the right to terminate the DPT immediately at no cost and without the need to provide notice.
- Ensure that obligations akin to those set out in this clause 3 are included in all contracts between the Processor and permitted Sub-Contractors who will be processing Personal Data;
- Ensure that its Sub-Processors and Sub-Contractors do not transfer Personal Data to, or access Personal Data from, a country outside the European Economic Area or the United Kingdom without the prior written consent of the Controller;
3.4.4.2 International Data Transfers: The Processor shall adhere to the Controller’s directives regarding transfers of Personal Data to a country outside the European Economic Area or the United Kingdom, unless the Processor is required by Applicable Laws to transfer Personal Data outside those territories, in which case the Processor shall inform the Controller in writing of the relevant legal requirement before any such transfer occurs, unless the relevant law prohibits such notification on important grounds of public interest;
3.4.4.3 Staff Confidentiality: The Processor shall ensure that all persons it employs to process Personal Data are subject to legally enforceable obligations of confidentiality concerning the Personal Data, and shall ensure that all persons it employs to provide the Services have been trained in data protection and in the care and handling of Personal Data;
3.4.4.4 Security Measures: The Processor shall implement appropriate technical and organisational measures to guard against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data, having regard to the potential harm that might result from such unauthorised or unlawful processing, loss, destruction or damage and to the nature of the Personal Data to be protected, including without limitation all measures necessary to ensure compliance with Article 32 of the GDPR;
3.4.4.5 Data Subject Rights: The Processor shall:
- promptly notify the Controller if it receives a request from a Data Subject under any Data Protection Legislation concerning Personal Data (including a Data Subject Access Request);
- not respond to that request except on the documented instructions of the Controller or as required by applicable Data Protection Legislation to which the Processor is subject, in which case the Processor shall, to the extent permitted by applicable Data Protection Legislation, inform the Controller of that legal requirement before responding to the request; and
- taking into account the nature of the data processing activities undertaken by the Processor, provide all possible assistance and cooperation (including without limitation putting in place appropriate technical and organisational measures) to enable the Controller to fulfil its obligations to respond to requests from individuals exercising their rights under the Data Protection Legislation;
3.4.4.6 Data Breaches: The Processor shall provide information and assistance upon request to enable the Controller to notify Data Security Breaches to the Information Commissioner and / or to affected individuals and / or to any other regulators to whom the Controller is required to notify any Data Security Breaches;
3.4.4.7 Data Protection Impact Assessments:
The Processor shall provide input into, and assist the Controller with, Data Protection Impact Assessments (and any related prior consultation with the Data Protection Authority) relating to the Processor’s data processing activities;
3.4.4.8 Deletion or Return of Data:
Upon termination of the DPT, at the choice of the Controller, the Processor shall securely delete or return all Personal Data to the Controller and delete all existing copies of the Personal Data unless and to the extent that the Processor is required to retain copies of the Personal Data in accordance with Applicable Laws in which case the Processor shall notify the Controller in writing of the Applicable Laws which require the Personal Data to be retained;
3.4.4.9 Audits:
The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations set out in this clause 3, and shall allow for and contribute to audits, including inspections, conducted by or on behalf of the Controller or by the Information Commissioner’s Office (ICO) pursuant to Article 58(1) of the GDPR.
3.4.5 The Processor shall not transfer any Personal Data outside of the European Economic Area and/or the UK unless the prior written consent of the Controller has been obtained and the following conditions are fulfilled:
- the Controller or the Processor has provided appropriate safeguards in relation to the transfer;
- the Data Subject has enforceable rights and effective legal remedies;
- the Processor complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred; and
- the Processor complies with reasonable instructions notified to it in advance by the Controller with respect to the processing of the Personal Data.
4. General terms
4.1 Breach Identification and Notification
The Processor shall notify the Controller without undue delay (and in any event within 72 hours) of becoming aware of a breach if:
4.1.1 the Processor or any Sub-Contractor engaged by, or on behalf of, the Processor suffers a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data; or
4.1.2 the Processor or any Sub-Contractor engaged by, or on behalf of, the Processor receives any data security breach notification, complaint, notice or communication which relates directly or indirectly to the processing of the Personal Data or to either Party’s compliance with the Data Protection Legislation.
In each case, the Processor shall provide full cooperation, information, and assistance to the Controller concerning any such data security breach, compliance notice, or communication.
4.2 Access
Upon request, the Processor shall allow the Controller, the ICO and their representatives access to the Processor’s premises, records and personnel to assess the Processor’s compliance with its obligations under the DPT.
4.3 Confidentiality
Each Party must keep the DPT and information it receives about the other Party and its business in connection with the DPT (“Confidential Information”) confidential and must not use or disclose that Confidential Information without the prior written consent of the other Party except to the extent that:
- disclosure is required by law;
- the relevant information is already in the public domain.
5. Governing law and jurisdiction
The DPT, and any dispute or claim arising out of or in connection with it or its subject matter or formation (including non-contractual disputes or claims), is governed by and shall be construed and interpreted in accordance with the laws of England and Wales, and the Parties irrevocably submit to the exclusive jurisdiction of the Courts of England and Wales.
Termination:
5.1 Either Party, at its sole discretion, may terminate the DPT in writing (with email sufficing) at any time and for any or no reason with a 30-day notice period.
5.2 On termination of the DPT for whatever reason, the Processor shall cease to process the Personal Data and Confidential Information and shall, at the Controller’s option, securely delete or arrange for the prompt and safe return to the Controller of all Personal Data and Confidential Information processed under the terms of the DPT, together with all copies of the Personal Data in its possession or control or that of its agents or contractors, within such time and by such secure means as the Controller shall specify in writing at the time of termination of the DPT.
5.3 Termination of the DPT shall not affect any rights or obligations of either Party which have accrued prior to the date of termination and all provisions which are expressed to, or do by implication, survive the termination of the DPT shall remain in full force and effect.
6. Notices
All notices required under the DPT shall be deemed sufficient if in writing and delivered personally (against a dated receipt), by registered mail, or by email.
Any such notice will be deemed to have been delivered:
- when delivered if delivered personally or by registered mail; or
- on the next Business Day when sent by email.
The Parties undertake to give notice of any changes in their contact information, by observing the procedures set forth herein.
APPENDIX 1: Data Processing Activities
Description of data
This Appendix 1 includes the processing activities carried out by the Processor as required by Article 28(3) GDPR.
These are as follows:
- None
Categories of data subjects
The Controller has defined the following Data Subject categories from whom the Personal Data as defined above will be collected:
- Customers
Lawful basis of data processing
The Controller has determined the following lawful basis to process Personal Data under the Data Protection Act 2018 and the GDPR:
- Consent of the Data Subjects
Processing activities
The Processor will carry out the following activities and utilize the Sub-Contractor(s) stated:
- Digital Ocean: Data hosting provider, Frankfurt