DATA PROCESSING AGREEMENT

PARTIES

  1. This Data Processing Agreement (“DPA”) forms part of eras Ltd’s Terms of Service, or other agreement governing the use of eras Ltd’s services (“Agreement”) entered into by and between you, the Customer (as defined in the Agreement) (collectively, “you”, “your”, “Controller”, “Customer”), and eras Ltd (“eras”, “us”, “we”, “our”) to reflect the parties’ agreement with regard to the Processing of Personal Data by eras Ltd solely on behalf of the Customer. Both parties shall be referred to as the “Parties” and each, a “Party”.
  2. This Agreement is between eras Ltd (hereinafter called ‘eras Ltd’ or ‘We / Us / Our’), registered in [United Kingdom] with company number 01832022, whose registered office is at [Providence Court, 105 Denmark Street, Diss, Norfolk, IP22 4WN] and the Customer (hereinafter called ‘the Controller’ or ‘You / Your / Yours’):

BACKGROUND

  1. The Processor (eras Ltd) is in the business of providing psychometric products and consultancy services ("Services").
  2. You and eras Ltd entered into an agreement (“Terms and Conditions”) that governs the provision of Services that may require Us to process Personal Data on Your behalf.
  3. This Personal Data Processing Agreement ("Agreement") sets out the terms, requirements and conditions on which we will process Personal Data when providing the Services to You. This Agreement contains the mandatory clauses required by Article 28(3) of the General Data Protection Regulation 2016/679 (UK GDPR) for contracts between controllers and processors.
  4. The meanings of various terms such as Personal Data, Controller, Processor, Data Breach, International Data Transfer Agreements etc. are the same as described under UK data protection laws (UK GDPR and DPA 2018).

AGREED TERMS

  1. DEFINITIONS AND INTERPRETATION

    The following definitions and rules of interpretation apply in this Agreement.

    1. Definitions:

      "Data Subject" means an individual who is the subject of Personal Data.

      "Personal Data" means any information relating to an identified or identifiable natural person that is processed by Supplier as a result of, or in connection with, the provision of the Services; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

      "Processing, processes and process" means either any activity that involves the use of Personal Data or as the Data Protection Legislation may otherwise define processing, processes or process. It includes any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. Processing also includes transferring Personal Data to third parties.

      "Data Protection Legislation" means the UK Data Protection Legislation and any other European Union legislation relating to personal data and all other legislation and regulatory requirements in force from time to time which apply to a party relating to the use of personal data (including, without limitation, the privacy of electronic communications); and the guidance and codes of practice issued by the relevant data protection or supervisory authority and applicable to a party.

      "UK Data Protection Legislation" means all applicable data protection and privacy legislation in force from time to time in the UK including the General Data Protection Regulation ((EU) 2016/679); the Data Protection Act 2018; the Privacy and Electronic Communications Directive 2002/58/EC (as updated by Directive 2009/136/EC) and the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426) as amended.

      "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.

      The terms controller, processor, data subject, personal data, personal data breach and processing shall have the meaning given to them in the UK GDPR.

    2. The Appendices form part of this Agreement and will have effect as if set out in full in the body of this Agreement. Any reference to this Agreement includes the Appendices.
    3. A reference to writing or written includes faxes and email.
    4. In the case of conflict or ambiguity between:
      1. any provision contained in the body of this Agreement and any provision contained in the Appendices, the provision in the body of this Agreement will prevail; and
      2. the terms of any accompanying invoice or other documents/ Appendices to this Agreement and any provision contained in the Appendices, the provision contained in the Appendices will prevail; and
  2. HOW THE USER ACCEPTS THIS AGREEMENT, AND WHEN THIS AGREEMENT STARTS

    1. The User accepts the terms and conditions of this agreement when the client signs into The Psychometric Portal for the first time, or, in the case of Bureau clients, when they supply the details of the assessment participants.
    2. The client may terminate the agreement in writing (e-mail), at which point we will remove all of their data. Assessment participants must contact the client (as the data controller) and request that their data be removed.
    3. If the User is not willing to accept these terms and conditions and therefore decides not to enter into this agreement, it should contact the Provider and is not permitted to use the eras Ltd Service.
  3. GENERAL TERMS

    1. The parties acknowledge and agree that for the purpose of the Data Protection Legislation, Customer is the controller and eras Ltd is the processor.
    2. The terms “Controller” and “Processor” below hereby signify Customer and eras Ltd, respectively.
    3. Customer retains control of the Personal Data and remains responsible for its compliance obligations under the applicable Data Protection Legislation, including providing any required notices and obtaining any required consents, and for the processing instructions it gives to Us.
    4. Appendix A describes the subject matter, duration, nature and purpose of processing and the Personal Data categories and Data Subject types in respect of which eras Ltd may process in order to provide the Services.
  4. PROCESSOR'S OBLIGATIONS

    1. eras will only process the Personal Data to the extent, and in such a manner, as is necessary to provide the Services and in accordance with Customer’s written instructions. eras Ltd will not process the Personal Data for any other purpose or in a way that does not comply with this Agreement or the Data Protection Legislation. eras Ltd must promptly notify Customer if, in its opinion, Customer’s instruction would not comply with the Data Protection Legislation.
    2. eras Ltd must promptly comply with any request or instruction from Customer requiring Us to amend, transfer, delete or otherwise process the Personal Data, or to stop, mitigate or remedy any unauthorised processing.
    3. eras Ltd will maintain the confidentiality of all Personal Data and will not disclose Personal Data to third parties unless Customer or this Agreement specifically authorises the disclosure, or as required by law. If a law, court, regulator or supervisory authority requires Us to process or disclose Personal Data, eras Ltd must first inform Customer of the legal or regulatory requirement and give Customer an opportunity to object or challenge the requirement, unless the law prohibits such notice.
    4. eras Ltd will reasonably assist Customer with meeting Customer’s compliance obligations under the Data Protection Legislation, taking into account the nature of Our processing and the information available to eras Ltd, including in relation to Data Subject rights, data protection impact assessments and reporting to and consulting with supervisory authorities under the Data Protection Legislation.
    5. eras Ltd must promptly notify Customer of any changes to Data Protection Legislation that may adversely affect eras’ performance of the Services.
    6. eras Ltd must, at no additional cost, take such technical and organisational measures as may be appropriate, and promptly provide such information to You as You may reasonably require, to enable You to comply with:
      1. the rights of Data Subjects under the Data Protection Legislation, including subject access rights, the rights to rectify and erase personal data, object to the processing and automated processing of personal data, and restrict the processing of personal data; and
      2. information or assessment notices served on You by any supervisory authority under the Data Protection Legislation.
    7. eras must notify Customer immediately if eras receives any complaint, notice or communication that relates directly or indirectly to the processing of the Personal Data or to either party's compliance with the Data Protection Legislation.
  5. SECURITY

    1. eras must at all times implement appropriate technical and organisational measures against unauthorised or unlawful processing, access, disclosure, copying, modification, storage, reproduction, display or distribution of Personal Data, and against accidental or unlawful loss, destruction, alteration, disclosure or damage of Personal Data.
  6. SUB-PROCESSOR

    1. eras may only authorise a third party (sub-processor) to process the Personal Data if:
      1. eras Ltd enters into a written contract with the sub-processor that contains terms substantially the same as those set out in this Agreement, in particular, in relation to requiring appropriate technical and organisational data security measures, and, upon Customer’s written request, provides You with copies of such contracts;
      2. eras Ltd maintains control over all Personal Data it entrusts to the subcontractor; and
      3. the sub-processor’s contract terminates automatically on termination of this Agreement for any reason.
    2. Where the subcontractor fails to fulfil its obligations under such written agreement, eras remains fully liable to Customer for the sub-processor’s performance of its agreement obligations.
    3. eras (or any sub-processor) must not transfer or otherwise process Personal Data outside the European Economic Area (EEA) without ensuring that the contract with the sub-processor complies with the terms agreed in the master agreement, the Agreement and the appropriate safeguards outlined in Appendix B.
  7. PERSONAL DATA BREACH

    1. eras will, promptly and without undue delay, notify Customer if any Personal Data is lost or destroyed or becomes damaged, corrupted, or unusable.
    2. eras Ltd will not inform ICO or any third party of any Personal Data Breach without first obtaining Customer’s prior written consent, except when required to do so by law.
  8. NOTICE

    1. Any notice or other communication given to a party under or in connection with this Agreement must be in writing and delivered to:
    2. For Us: [Data Officer, eras Ltd, Providence Court, 105 Denmark Street, Diss, Norfolk IP22 4WN, data@eras.co.uk]
    3. Clause 8.1 does not apply to the service of any proceedings or other documents in any legal action or, where applicable, any arbitration or other method of dispute resolution.

APPENDICES

APPENDIX A: PERSONAL DATA PROCESSING PURPOSES AND DETAILS

Subject matter of processing: To process Personal Data as is necessary to provide the Services and as further instructed by Customer in its use of the Services.

Duration of Processing: For the Term of this Agreement unless otherwise requested by Customer.

Nature of Processing: Services

Personal Data Categories

  • Name
  • Address
  • Email address
  • Telephone number
  • Gender
  • Job title
  • Organisation

Data Subject Types

  • Clients (portal admins)
  • Assessment participants

APPENDIX B

Cross-border Data Transfers: eras' appropriate safeguards for processing Personal Data outside of the EEA in order to comply with cross-border transfer restrictions:

  • International Data Transfer Agreement
  • Standard Contractual Clauses with UK Agreement