A. The terms of this DPA form part of the Agreement between the parties to the Order Form. On signing the Order Form all parties accept the terms and conditions set out in this DPA.
B. This DPA sets out the terms on which the Customer (as either a data controller in its own right or a data processor for a Customer Sub-client) appoints Yapily Ltd (or Yapily Connect) as data processor (or a sub-processor) and how Yapily Ltd (or Yapily Connect) will process personal data when providing services under the Agreement. This DPA contains the mandatory clauses required by Article 28(3) of the retained EU law version of the General Data Protection Regulation (EU) 2016/679 between controllers and processors and the General Data Protection Regulation (EU) 2016/279.
C. This DPA does not address where Yapily Ltd (or Yapily Connect) acts as data controller in respect of personal data that the party collects for its own legal or contractual requirements falling outside of the scope of the Agreement; for more information refer to the Privacy Notice.
Capitalised terms used in this DPA but not defined here will have the meanings assigned to them in the Agreement. The following terms have the following meanings:
- “Addendum” means the International Data Transfer Addendum to the SCCs for international data transfers or such alternative as may be approved by the UK Information Commissioner’s Office or European Commission from time to time;
- “Agreement” means the Order Form, the Yapily Service Terms and any other terms identified as applying in the Order Form;
- “Controller” means the Customer;
- “Data Protection Legislation” means: (i) to the extent that the UK General Data Protection Regulation (as defined in section 3(10) as supplemented by section 205(4) of the DPA 2018) (“UK GDPR”) applies, the law of the United Kingdom which relates to the protection of personal data; and (ii) to the extent that the EU General Data Protection Regulation EU 2016/679 (“EU GDPR”) applies, the law of the European Union or any member state of the European Union to which Controller or Processor is subject, which relates to the protection of personal data;
- “EEA” means the European Economic Area;
- “IDTA” means the International Data Transfer Agreement or such alternative transfer agreements as may be approved by the UK Information Commissioner’s Office from time to time;
- “Personal Data” means the personal data set out in the Privacy Notice and any other personal data processed by Processor on behalf of Controller pursuant to or in connection with the Agreement;
- “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed by Processor or any Sub-processor;
- “Privacy Notice” means the Yapily Privacy Notice available at https://www.yapily.com/legal/privacy-policy;
- “Processor” means Yapily or Yapily Connect as applicable and to the extent indicated on the Order Form: (i) where only Yapily provides services to the Customer under the Agreement, Yapily acts as the data processor; and (ii) where Yapily Connect also provides services to the Customer under the Agreement, Yapily Connect acts as the data processor and Yapily acts as Yapily Connect’s Sub-processor;
- “Standard Contractual Clauses” or “SCCs” means those clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679, as approved by the European Commission in Implementing Decision (EU) 2021/914 of 4 June 2021, or any set of clauses approved by the European Commission which amends, replaces or supersedes them;
- “Sub-processor” means any data processor (including any affiliate of Processor) appointed by Processor to process Personal Data on behalf of Controller set out in Schedule 1;
- Terms such as “process/processing”, “data subject”, “data processor”, “data controller”, “personal data” and “data protection impact assessment” shall have the same meaning ascribed to them in the Data Protection Legislation.
In the case of conflict or ambiguity between: (i) any provision contained in the body of this DPA and the Privacy Notice, the provision in the body of this DPA will prevail; (ii) any of the provisions of this DPA and the Agreement, the provisions of this DPA will prevail; and (iii) any of the provisions of this DPA and any executed Standard Contractual Clauses, IDTA or Addendum, the provisions of the executed Standard Contractual Clauses, IDTA or Addendum will prevail.
This DPA will remain in full force and effect for so long as: (a) the Agreement is in place; or (b) Processor otherwise retains any Personal Data related to the Agreement in its possession or control.
Processor shall implement appropriate technical and organisational measures to ensure a level of security of the Personal Data appropriate to the risks that are presented by the processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data transmitted, stored or otherwise processed, and shall take all measures required pursuant to Article 32 of the GDPR.
4. PROCESSING OF THE PERSONAL DATA
4.1 The subject matter, duration, nature and purpose of processing, the Personal Data types and data subject categories in respect of which Processor may process in accordance with this DPA are set out in the Privacy Notice.
4.2 Unless otherwise required by the Data Protection Legislation, Processor shall only process the Personal Data in accordance with Controller’s instructions unless the processing is otherwise required by applicable law to which Processor is subject, in which case Processor shall to the extent permitted by such law inform Controller of that legal requirement before processing that Personal Data.
5.1 Subject to the following, Processor shall not engage any Sub-processor to process Personal Data other than with the prior specific or general written authorisation of Controller. At the Effective Date, Controller authorises Processor to engage the following Sub-processors:
- Where Yapily Connect acts as Processor then Yapily Ltd is appointed as Sub-processor;
- Those entities stated in the page entitled “Sub-Processor Information” and found at Schedule 1 as updated from time to time in accordance with 5.3; and
- Such other ancillary Sub-processors for the facilitation of Processor’s products and services as stated in the Privacy Notice.
5.2 With respect to each Sub-processor, Processor shall:
- include terms in the contract between Processor and Sub-processor which are substantially similar to those set out in this DPA; and
- remain fully liable to Controller for any failure by each Sub-processor to fulfil its obligations in relation to the processing of any Personal Data.
5.3 Processor shall notify Controller of any addition or replacement of its appointed Sub-processors and Controller may object to any new appointment within 5 working days. If no objection is received, the appointment shall be deemed approved. If Controller raises an objection within the 5 working-day period, the parties shall enter into good faith discussions to find a mutually acceptable resolution. If no resolution is achieved within 15 working days of the original notification, Processor reserves the right to terminate the Agreement immediately.
6. INTERNATIONAL TRANSFERS
Processor shall not transfer Personal Data outside the UK and/or EEA unless it has ensured appropriate safeguards are in place which may include entering into Standard Contractual Clauses, the IDTA or Addendum and where applicable incorporate such terms into the contract between Processor and Sub-processor to ensure the adequate protection of the transferred Personal Data, or such other arrangement as Processor may reasonably determine as providing adequate protection in respect of the processing of Personal Data in such third country(ies).
7. DATA SUBJECT RIGHTS
Processor shall, without undue delay, notify Controller if it receives a request from a data subject under any Data Protection Legislation in respect of their Personal Data and shall provide reasonable assistance to enable Controller to fulfil any of its obligations to its data subjects.
8. INCIDENT MANAGEMENT
In the case of a Personal Data Breach, Processor shall, without undue delay, notify Controller of the same, providing Controller with sufficient information to meet any of its obligations to report a Personal Data Breach under the Data Protection Legislation.
9. DATA PROTECTION IMPACT ASSESSMENT AND PRIOR CONSULTATION
Processor shall, at Controller’s reasonable written request and taking into account the nature of the processing and information available to Processor, provide reasonable assistance with meeting Controller’s compliance obligations under the Data Protection Legislation, including responding to: (i) a data protection impact assessment required under Data Protection Legislation; and (ii) a consultation with the UK Information Commissioner’s Office or the State Data Protection Inspectorate of the Republic of Lithuania.
10. DELETION OR RETURN OF CONTROLLER PERSONAL DATA
Processor shall, as soon as reasonably practicable after receipt of a written request from Controller to do so following termination of the Agreement, either: (i) return a complete copy of all Personal Data processed by Processor to Controller; or (ii) delete all copies of Personal Data processed by Processor unless Processor is required to retain the same by Applicable Law or internal policy. Where Processor retains any Personal Data the terms of this DPA shall continue to apply in accordance with clause 3 and Processor shall not use the Personal Data for any purpose other than within the scope of this DPA.
11. AUDIT RIGHTS
Processor shall make available to Controller on reasonable written request all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections conducted by Controller or a third party auditor mandated and professionally appointed by Controller provided such audit only includes premises where Processor processes Personal Data in which case this shall only take place during business hours, on reasonable prior notice. Any such audits shall be limited to once per calendar year and shall be carried out with professionalism and with as little disruption to Processor’s business as possible.
This table provides information about third party Sub-processors used by the Yapily Group in providing its products and services:
| Entity Name | Services | Corporate Location |
|---|---|---|
| *Amazon Web Services EMEA SARL (“Amazon”) https://aws.amazon.com/privacy/ | Data storage in Frankfurt, EU | Washington, USA |
| Google Cloud Platform, Google LLC (“Google”) https://policies.google.com/privacy?hl=en-US | Data storage in London, UK (primary) and Belgium (secondary) | California, USA |
| Salesforce UK Limited | Internal management solution, hosted in London, UK | London, UK |
| Zendesk | Customer support, hosted in Ireland/Germany | California, USA |
*Not currently in use but intention to engage Amazon as a Sub-processor in the next 24 months
Last Updated: September 2023