The Customer and Supportal Technologies Limited (trading as Cordless) ("Cordless", "we", "our" or "us") entered into a pricing plan incorporating our terms and conditions (together, the "Agreement"). This DPA is between Cordless and the Customer (each a "Party" and collectively the "Parties"), pursuant to the Agreement.
In the event that we process any User Data and/or Customer End User Data of individuals located in the UK or the EEA, or of any Customer who is established in the UK or the EEA, this Data Processing Agreement (the "DPA") shall be supplemental to the Agreement and apply to the processing of such User Data and/or Customer End User Data. In the event of a conflict between any of the provisions of this DPA and the provisions of the Agreement, the provisions of this DPA shall prevail.
The Parties agree that this DPA will replace any existing data protection agreement or similar agreement the Parties may have previously entered into in connection with the Services.
1. DEFINITIONS
1.1. Unless otherwise set out below, each capitalised term in this DPA shall have the meaning set out in the Agreement, and the following capitalised terms used in this DPA shall be defined as follows:
“Personal Data”, “Data Subject”, “Processing”, “Controller”, “Data Controller”, “Processor”, “Data Processor” and “Supervisory Authority” shall have the respective meaning given to them in the UK GDPR or EU GDPR law (as applicable).
"Controller" has the meaning given in the UK GDPR.
"Customer End User" means an end user of the Customer.
"Customer End User Data" means the "personal data" relating to each Customer End User.
"Data Protection Laws" means the UK Data Protection Legislation and any other European Union legislation (including the EU GDPR) relating to personal data and all other legislation and regulatory requirements in force from time to time which apply to a Party relating to the use of personal data (including, without limitation, the privacy of electronic communications).
"EEA" means the Member States of the European Union together with Iceland, Norway, and Liechtenstein.
"EU GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
"Ex EEA Transfer" means the export of personal data to a country or territory outside the EEA other than a country or territory ensuring an adequate level of protection of personal data as determined by the European Commission.
"Ex UK Transfer" means the export of personal data to a country or territory outside the UK when such transfer is not governed by an adequacy decision made by the Secretary of State in the UK in accordance with the relevant provisions of the UK GDPR and the Data Protection Act 2018.
"Security Incident" means any accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, any User Data and/or Customer End User Data.
"Services" means any and all of the services provided under this Agreement and/or made available to Customer by Cordless from time to time pursuant to a Purchase or Order Form.
"Software" has the same meaning given in the Agreement.
"Sub-processor" means any legal entity, including a subcontractor, engaged by Cordless to Process all or part of the Personal Data for Cordless on behalf of the Customer.
"UK Data Protection Legislation" means all applicable data protection and privacy legislation in force from time to time in the UK including the UK GDPR; the Data Protection Act 2018; the Privacy and Electronic Communications Directive 2002/58/EC (as updated by Directive 2009/136/EC) and the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426) as amended.
"UK GDPR" has the meaning given to it in section 3(10) (as supplemented by section 205(4)) of the Data Protection Act 2018.
"User" means an employee, consultant, contractor or any person using or accessing the Services or Site via Customer’s Account.
"User Data" means the "personal data" relating to each User.
2. DATA PROCESSING
2.1. Customer as Controller. The Customer and Cordless acknowledge that for the purpose of Data Protection Laws, the Customer is the controller and Cordless is the processor.
2.2. Customer Compliance. The Customer retains control of the personal data and remains responsible for its compliance obligations under applicable Data Protection Laws, including providing any required notices and obtaining any required consents, and for the processing instructions it gives to Cordless.
2.3. Nature and Purpose of Processing. Annex A describes the subject matter, duration, nature and purpose of processing in respect of which Cordless may process personal data in order to provide the Services and fulfil its obligations under the Agreement.
2.4. Instructions for Data Processing
(a) We will only process User Data and/or Customer End User Data in accordance with the Customer’s written instructions, unless processing is required by UK, European Union or Member State law to which we may be subject, in which case we shall, to the extent permitted by UK, European Union or Member State law, inform the Customer of that legal requirement before processing such data. The Agreement and this DPA shall be the Customer’s complete and final instructions to us in relation to the processing of such data.
(b) We will comply with the Customer's written instructions requiring us to amend, transfer, delete or otherwise process User Data/Customer End User Data, or to stop, mitigate or remedy any unauthorised processing, unless legally prohibited from doing so.
(c) We will notify the Customer if, in our opinion, the Customer’s instructions would not comply with Data Protection Laws.
(d) The Customer hereby represents that this DPA complies, to its reasonable knowledge, with all Applicable Data Protection Laws and contains all provisions required by such laws. Considering the nature of the Services, the Customer acknowledges that the Processing of Personal Data under this DPA may be subject to various Applicable Data Protection Laws, even those which are not explicitly mentioned in this DPA, depending on the territorial extent of Customer’s usage of the Services. The Customer is responsible for informing Cordless without undue delay about any discrepancy between this DPA and the requirements of the Applicable Data Protection Laws.
2.5. Additional processing. Processing outside the scope of this DPA or the Agreement will require prior written agreement between the Customer and us with regards to any additional instructions for processing.
2.6. Required consents. Where required by applicable Data Protection Laws, Customer will ensure that it has obtained or will obtain all necessary consents for the processing of User Data and/or Customer End User Data by us in accordance with the Agreement. Customer is responsible for the accuracy, quality, and legality of the User Data and/or Customer End User Data, and the means by which Controller acquired such personal data.
3. TRANSFER OF PERSONAL DATA
3.1. Authorised Sub-processors. Subject to this section 3, Cordless is hereby given general authorisation to engage Sub-processors without obtaining any further written, specific authorisation from Customer.
3.2. Cordless hereby represents that it will Process Personal Data under this DPA exclusively in the country of Cordless’s residence and in the countries designated in the list of Cordless’s Sub-processors maintained under Annex B.
3.3. The locations described in Section 3.2. may include countries located outside the EEA and the UK. Where the Processing of Personal Data is subject to the European Data Protection Law, the Parties shall not transfer Personal Data to any Location Subject to Appropriate Safeguards, unless the Parties have taken measures necessary to ensure that the transfer complies with the applicable European Data Protection Law.
3.4. Liability of Sub-processors. We will at all times remain responsible for compliance with our obligations under the DPA and will be liable to the Customer for the acts and omissions of any sub-processors approved by the Customer as if they were our acts and omissions (subject to the terms of the Agreement).
3.5. Transfers of Personal Data.
The Customer agrees to the transfer of personal data outside of the UK/EEA as set out in Annex B (as updated from time-to-time).
4. DATA SECURITY, AUDITS AND SECURITY NOTIFICATIONS
4.1. Cordless Security Obligations. Taking into account the costs of implementation and the nature, scope, context and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, we will implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including the measures set out at Annex C.
4.2. Compliance. Upon request by the Customer, we will make available all information reasonably necessary to demonstrate compliance with this DPA.
4.3. Security Incident Notification. If we or any Sub-processor become aware of a Security Incident we will (a) notify the Customer of the Security Incident within 72 hours, (b) investigate the Security Incident and provide such reasonable assistance to the Customer (and any law enforcement or regulatory official) as required to investigate the Security Incident, and (c) take steps to remedy any non-compliance with this DPA.
4.4. Cordless Employees and Personnel. We will treat the User Data and Customer End User Data as confidential information of the Customer, and shall ensure that any employees or other personnel have agreed to protect the confidentiality and security of User Data and Customer End User Data.
4.5. Assistance. We will provide reasonable assistance in meeting the Customer’s compliance obligations under Data Protection Laws, taking into account the nature of our processing and the information available to us, including in relation to data subject rights, data protection impact assessments and reporting to and consulting with relevant data protection authorities.
5. ACCESS REQUESTS AND DATA SUBJECT RIGHTS
5.1. Data Subject Requests. Save as required or where prohibited under applicable law, we will notify the Customer of any request received by us or any Sub-processor from a data subject in respect of personal data included in the User Data or Customer End User Data, and will not respond to the data subject. The Customer shall be solely responsible for responding substantively to any such data subject request or communications involving personal data.
5.2. Changes. We will provide the Customer with the ability to correct, delete, block, access or copy the User Data or Customer End User Data in accordance with the functionality of the Services.
5.3. Disclosure. We will maintain the confidentiality of User Data and Customer End User Data and will not disclose such data to third parties unless the Customer or the Agreement specifically authorises such disclosure, or as required by domestic law, court or regulator. If a domestic law, court or regulator requires us to process or disclose personal data to a third party, we must first inform the Customer of such legal or regulatory requirement and give the Customer an opportunity to object or challenge the requirement, unless we are legally prohibited from giving such notice.
6. DATA RETURN AND DESTRUCTION
6.1. Return. We will at the Customer’s request return any Customer Data/User Data in our standard format.
6.2. Deletion/Destruction. On termination of the Agreement for any reason or expiry of its term we will immediately cease processing User Data and Customer End User Data and will within 30 days of being instructed in writing by the Customer either securely delete or destroy or return (and not retain, except as required for record keeping purposes or required by law), all of the personal data related to this Agreement in our possession.
7. DATA PROTECTION IMPACT ASSESSMENT AND PRIOR CONSULTATION
7.1. To the extent required under applicable Data Protection Laws, we will provide reasonable assistance to the Customer with any data protection impact assessments and with any prior consultations to any supervisory authority of the Customer, in each case solely in relation to Processing of User Data or Customer End User Data and taking into account the nature of the processing and information available to us.
8. LIABILITY
8.1. In no event shall Cordless's cumulative liability exceed either the total amounts paid or payable by the Customer during the twelve (12) months preceding the claim that gives rise to such damages, or one hundred pounds (£100) if pertaining to a free trial. This applies regardless of whether such damages arise under contract, warranty, tort (including negligence or strict liability), or any other theory of liability, even if Cordless has received oral or written notice of the possibility of such damages.
8.2. Cordless will not be liable for any claim brought by a data subject arising from any action by Cordless to the extent that such action resulted directly from the Customer’s instructions. In such case, the Customer shall indemnify, keep indemnified and defend at its own expense Cordless against all associated costs, claims, damages or expenses incurred by Cordless.
8.3. Each Party shall on their own be liable for any administrative fines that a supervising authority may impose due to their processing.
9. TERMINATION
9.1. This DPA will remain in full force and effect so long as the Agreement remains in effect and will terminate immediately upon termination of the Agreement.
10. MISCELLANEOUS
10.1. This DPA and all non-contractual or other obligations arising out of or in connection with it are subject to the governing law of England and Wales.
10.2. This DPA constitutes the entire agreement between the Parties with regards to its subject matter, and supersedes and extinguishes all previous DPAs, agreements and understandings between the Parties, whether written or oral, relating to its subject matter.
ANNEX A
PERSONAL DATA PROCESSING PURPOSES AND DETAILS
Data Controller: Customer
Data Processor: Cordless
Business purpose: For the provision of Services, pursuant to the Agreement.
Data subjects: Customer End User.
Duration of processing: For the duration of the Agreement, unless otherwise agreed in writing.
Nature of processing: Storage, transmission and use in order to provide the Services.
Customer End User data we process:
- Call recordings
- Call transcripts
- Phone number
- Helpdesk customer information (Customer names)
- Phone numbers
Sensitive personal data: None.
Subject matter of processing: The processing is needed in order to enable the provision of Services pursuant to the Agreement.