Legal
Data Processing Agreement
DATA PROCESSING AGREEMENT
Last Updated: February 2023
The provision of the Services by Jebra Limited ( Jebra ) may involve processing personal data on your behalf. Under EU Regulation 2016/679 General Data Protection Regulation (the GDPR) (Article 28, paragraph 3), an agreement in writing should be entered into between a customer and any organisation which processes personal data on its behalf governing the processing of that data. In ensuring compliance with the GDPR provisions, this Data Processing Agreement ( DPA ) shall apply to the processing and holding of your personal data by Jebra. This DPA forms part of the Terms of Service pursuant to which Jebra will provide you the Services.
1. DEFINITIONS
Data Processor shall have the meanings given to it in Article 4 of the GDPR;
Data Subject shall have the meaning given to it in Article 4 of the GDPR;
ICO means the UK's supervisory authority, the Information Commissioner's Office;
Personal Data means all such "personal data", as defined in Article 4 of the GDPR for as long as it is directly applicable in the United Kingdom and any successor legislation in the United Kingdom to the GDPR, as is, or is to be, Processed by Jebra on behalf of you, as described in the Terms;
Processing, ProcessProcessed and Processor shall have the meaning given to them in Article 4 of the GDPR;
Services means those services provided by Jebra to you and which you uses for the purposes described in the Terms;
Sub-Processor means a sub-processor appointed by Jebra to Process the Personal Data; and
Sub-Processing Agreement means an agreement between Jebra and a Sub-Processor governing the Personal Data processing carried out by the Sub-Processor, as described in Clause 9.
2. PROCESSING OF PERSONAL DATA
Jebra shall only process the Personal Data received from you (a) solely for the purposes of its performance of the Service and not for any other purpose; (b) to the extent and in such a manner as is necessary for those purposes; and (c) strictly in accordance with your express authorisation.
3. DATA PROTECTION COMPLIANCE
All instructions given by you to Jebra shall be made in writing and shall at all times be in compliance with the GDPR and other applicable laws. Jebra shall act only on such written instructions from you unless Jebra is required by law to do otherwise (as per Article 29 of the GDPR). Both Parties shall comply at all times with the GDPR and other applicable laws and shall not perform their obligations under the DPA or any other agreement or arrangement between themselves in such way as to cause either Party to breach any of its applicable obligations under the GDPR.
You hereby warrant, represent, and undertake that the Personal Data shall comply with the GDPR in all respects including, but not limited to, its collection, holding, and Processing.
Jebra shall ensure that its obligations under the DPA are satisfactorily performed in accordance with any and all applicable legislation from time to time in force in the United Kingdom (including, but not limited to, the GDPR) and any best practice guidance issued by the ICO. Jebra shall provide all reasonable assistance (at your cost) to you in complying with its obligations under the GDPR with respect to the security of processing, the notification of personal data breaches, the conduct of data protection impact assessments, and in dealings with the ICO.
When processing the Personal Data on behalf of you, Jebra shall:
- only transfer the Personal Data to and/or process the Personal Data in a country outside the European Economic Area (all EU member states, plus Iceland, Liechtenstein, and Norway) ( EEA ) on instructions from you and only transfer and/or process the Personal Data in such a country where said country complies with the obligations for data Processors under the provisions applicable to transfers of Personal Data to third countries set out in Chapter 5 of the GDPR by providing an adequate level of protection to any Personal Data that is transferred;
- only transfer the Personal Data to any third party strictly subject to the terms of a suitable agreement, as set out in Clause 9;
- process the Personal Data only to the extent, and in such manner, as is necessary in order to comply with its obligations to you or as may be required by law (in which case, Jebra shall inform you of the legal requirement in question before processing the Personal Data for that purpose unless prohibited from doing so by law);
- implement appropriate technical and organisational measures, and take all steps necessary to protect the Personal Data against unauthorised or unlawful processing, accidental loss, destruction, damage, alteration, or disclosure;
- if so requested by you (and within the reasonable timescales required by you) supply further details of the technical and organisational systems in place to safeguard the security of the Personal Data held and to prevent unauthorised access;
- keep records of all Processing activities carried out on the Personal Data in accordance with the requirements of Article 30(2) of the GDPR;
- make available to you any and all such information as is reasonably required and necessary to demonstrate Jebra's compliance with the GDPR;
- on reasonable notice provide you with any information reasonably required in order to assess and verify compliance with the provisions of the DPA and both Parties' compliance with the requirements of the GDPR; and
- inform you immediately if it is asked to do anything that infringes the GDPR or any other applicable data protection legislation.
4. RIGHTS OF DATA SUBJECT - ACCESS, COMPLAINTS, AND BREACHES
To the extent you, in your use or receipt of the Services, do not have the ability to correct, amend, restrict, block or delete Personal Data, Jebra will comply with requests by you to facilitate such actions. Jebra shall promptly notify you if it receives a request from a Data Subject for access to, correction, amendment, deletion of or objection to the Processing of that person's Personal Data. Jebra shall not respond to any such Data Subject request without your prior written consent except to confirm that the request relates to you. Jebra shall provide you with commercially reasonable cooperation and assistance in relation to handling of a Data Subject's request to the extent you do not have access to such Personal Data through its use or receipt of the Services, including by:
- providing you with full details of the complaint or request;
- providing the necessary information and assistance in order to comply with a Data Subject access request;
- providing you with any Personal Data it holds in relation to a Data Subject (within the timescales required by you); and
- providing you with any other information requested by you.
If Jebra becomes aware of any form of Personal Data breach, Jebra will immediately (i) notify you of the breach; (ii) investigate the breach and provide you information about the breach; (iii) take reasonable steps to mitigate the effects and to minimise any damage resulting from the breach; and (iv) co-operate with you and take such reasonable commercial steps as are directed by you to assist in the investigation, mitigation and remediation of each such breach.
5. DATA PROTECTION OFFICER
If you have appointed a Data Protection Officer in accordance with Article 37 of the GDPR, you shall provide the contact details of said officer to Jebra.
6. LIABILITY AND INDEMNITY
You shall be liable for, and shall indemnify (and keep indemnified) Jebra in respect of any and all action, proceeding, liability, cost, claim, loss, expense (including reasonable legal fees and payments on a solicitor and client basis), or demand suffered or incurred by, awarded against, or agreed to be paid by, Jebra and any Sub-Processor arising directly or in connection with:
- any non-compliance by you with the GDPR or other applicable legislation;
- any Personal Data processing carried out by Jebra or Sub-Processor in accordance with instructions given by you that infringe the GDPR or other applicable legislation; or
- any breach by you of its obligations under the DPA, except to the extent that Jebra or Sub-Processor is liable.
Subject to the Terms, Jebra shall be liable for any and all action, proceeding, liability, cost, claim, loss, expense (including reasonable legal fees and payments on a solicitor and client basis), or demand suffered or incurred by, awarded against you arising directly or in connection with Jebra's Personal Data Processing activities that are subject to the DPA only to the extent that the same results from Jebra's breach of the DPA and not to the extent that the same is or are contributed to by any breach of the DPA by you.
You shall not be entitled to claim back from Jebra or Sub-Processor any sums paid in compensation by you in respect of any damage to the extent that you are liable to indemnify Jebra or Sub-Processor under Clause 9.
Nothing in the DPA (and in particular, this paragraph) shall relieve either Party of, or otherwise affect, the liability of either Party to any data subject, or for any other breach of that Party's direct obligations under the GDPR.
7. INTELLECTUAL PROPERTY RIGHTS
All copyright, database rights, and other intellectual property rights subsisting in the Personal Data (including but not limited to any updates, amendments, or adaptations to the Personal Data made by either you or Jebra) shall belong to you or to any other applicable third party from whom you have obtained the Personal Data under licence (including, but not limited to, data subjects, where applicable). Jebra is licensed to use such Personal Data under such rights only for the term of the Terms of Service, for the purposes of the Service, and in accordance with the DPA.
8. CONFIDENTIALITY
Jebra shall maintain the Personal Data in confidence, and in particular, unless you have given written consent for Jebra to do so, Jebra shall not disclose any Personal Data supplied to Jebra by, for, or on behalf of, you to any third party. Jebra shall not process or make any use of any Personal Data supplied to it by you otherwise than in connection with the provision of the Service to you.
Jebra shall ensure that all personnel who are to access and/or process any of the Personal Data are contractually obliged to keep the Personal Data confidential.
The obligations set out in in this Clause 8 shall continue for a period of five (5) years after the cessation of the provision of Service by Jebra to you.
Nothing in the DPA shall prevent either Party from complying with any requirement to disclose Personal Data where such disclosure is required by law. In such cases, the Party required to disclose shall notify the other Party of the disclosure requirements prior to disclosure, unless such notification is prohibited by law.
9. APPOINTMENT OF SUB-PROCESSORS
By accepting the terms of this Data Processing Agreement, you give your prior general written authorisation for Jebra to appoint Sub-Processors of its choosing. In the event that Jebra appoints a Sub-Processor, Jebra shall:
- enter into a Sub-Processing Agreement with the Sub-Processor which shall impose upon the Sub-Processor the same obligations as are imposed upon Jebra by the DPA and which shall permit both Jebra and you to enforce those obligations; and
- ensure that the Sub-Processor complies fully with its obligations under the Sub-Processing Agreement and the GDPR.
In the event that a Sub-Processor fails to meet its obligations under any Sub-Processing Agreement, Jebra shall remain fully liable to you for failing to meet its obligations under the DPA.
10. DETAILS OF DATA PROCESSING
Subject-matter of the processing
Your usage of our data analytics and marketing systems.
Duration of the processing
For the duration of the Terms of Service pursuant to which Jebra provides you with the Services.
Nature and purpose of the processing
- Setting up your account with us;
- Administering your account;
- Sending you communications, including marketing;
- Understanding your use of our Services;
- Facilitating social media sharing in some cases if you choose to do so;
- Other legal requirements, such as those relating to audit, fraud and security.
Types of personal data
Contact details, social media ID, transaction data, system usage data, correspondence with you.
Categories of Data Subject
Any of your employees who create an account with us/correspond with us.
11. DELETION AND/OR DISPOSAL OF PERSONAL DATA
Jebra shall, at the written request of you, delete (or otherwise dispose of) the Personal Data or return it to you in the format(s) reasonably requested by you within a reasonable time after the earlier of the following:
- the end of the provision of the Service under the Terms of Service; or
- the processing of that Personal Data by Jebra is no longer required for the performance of Jebra's obligations under the Terms of Service.
Following the deletion, disposal, or return of the Personal Data under this clause, Jebra shall delete (or otherwise dispose of) all further copies of the Personal Data that it holds, unless retention of such copies is required by law, in which case Jebra shall inform you of such requirement(s) in writing.
12. CONSIDERATION
Jebra accepts the obligations in the DPA in consideration of the payment of the subscription fee from you under the Terms of Service.
13. LAW AND JURISDICTION
The DPA (including any non-contractual matters and obligations) shall be governed by, and construed in accordance with, the laws of England and Wales.
Any dispute, controversy, proceedings or claim between the Parties relating to the DPA shall fall within the dispute resolution procedure pursuant to Terms of Service.