Data Processing Agreement

BETWEEN:

  1. The company or organisation who have contracted with Noonah for the provision of services and named in Noonah’s booking confirmation form or such other contractual documentation between the parties (the Customer); and
  2. Noonah Marketing Limited incorporated and registered in England and Wales with company number 07619471 whose registered office is at Underwood Cottage Bar Road, Baslow, Bakewell, Derbyshire, United Kingdom, DE45 1SF (Noonah).

WHEREAS

  1. The Customer and Noonah entered into a contract / booking confirmation form for the provision of Services from Noonah (the Master Agreement) which may require Noonah to process Personal Data on behalf of the Customer.
  2. This Data Processing Agreement (DPA) sets out the additional terms, requirements and conditions on which Noonah will process Personal Data when providing Services under the Master Agreement. 
  3. In Noonah’s documentation, both “Customer” and “Hirer” may be used interchangeably to mean “Customer”. Both “Provider” and “Noonah” may be used interchangeably to mean “Noonah”.

IT IS AGREED as follows:

1. Definitions and interpretation

The following definitions and rules of interpretation apply to this DPA.

1.1   Definitions:

Authorised Persons. The persons or categories of persons that the Customer authorises in writing to give Noonah processing instructions in respect of the Customer Data.

Business Purposes. The purpose of providing and supporting the Services or any other purpose specifically agreed in writing with the Customer.

Controller and Processor. As defined in the Data Protection Legislation.

Customer Data. Any Personal Data that is provided to Noonah by the Customer, or which Noonah collects on behalf of the Customer and which is processed by Noonah as a result of, or in connection with, the provision of the Services. 

Data Protection Legislation.  All legislation and regulatory requirements in force from time to time which apply to a party relating to the use of Customer Data (including, without limitation, the privacy of electronic communications) and which may include, depending on the circumstances, Cal. Civ. Code §§ 1798.100 et seq., as amended by the California Privacy Rights Act of 2020 (the California Consumer Privacy Act) (“CCPA”), Colo. Rev. Stat. §§ 6-1-1301 et seq. (the Colorado Privacy Act), Connecticut’s Data Privacy Act, Utah Code Ann. §§ 13-61-101 et seq. (the Utah Consumer Privacy Act), VA Code Ann. §§ 59.1-575 et seq. (the Virginia Consumer Data Protection Act) (collectively U.S. Privacy Laws), and the United Kingdom and/or European Union General Data Protection Regulation (Regulation (EU) 2016/679) (collectively the “GDPR”), and applicable subordinate legislation and regulations implementing those laws.

Data Subject. An individual who is the subject of Customer Data which may include the Customer, employees of the Customer and any member of the public who uses the Services.

Personal Data. Has the meaning assigned to the term (or the term ‘personal information’) in the Data Protection Legislation.

Personal Data Breach. A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Customer Data transmitted, stored or otherwise processed. 

Processing, processes and process. Either any activity that involves the use of Personal Data or as the Data Protection Legislation may otherwise define processing, processes or process.

Services. The products and services to be supplied by Noonah to the Customer under the Master Agreement.

1.2 This DPA is incorporated into the Master Agreement and is subject to its terms. Interpretations and defined terms set forth in the Master Agreement apply to the interpretation of this DPA.

1.3 In the case of conflict or ambiguity between any of the provisions of this DPA and the provisions of the Master Agreement, the provisions of this DPA will prevail.

2. Relationship and Customer Data types

2.1. This DPA applies to the extent that Noonah processes Customer Data as a Processor and/or sub-processor on behalf of the Customer in performing the Services. As between the parties, Noonah acts as a Processor and/or sub-processor and Customer acts as a Controller and/or Processor of the Customer Data when this DPA applies.

2.2. Where the Customer is not the Controller, the Customer:
2.2.1 will confirm the identity and contact details of the Controller to Noonah;
2.2.2 remains responsible as such as between Noonah and the Customer; and
2.2.3 warrants and represents that the Controller has provided written consent to the processing of the Customer Data by Noonah for the Business Purpose and in accordance with the Customer’s instructions.

2.3. In order to fulfil the Business Purposes, Noonah may be required to process the following categories of Customer Data: 
2.3.1. Identity data including first name, last name, username, title, date of birth, gender, videos, images, artwork and photographs; 
2.3.2. Contact data, including email address and telephone numbers;
2.3.3. Profile data including usernames and use of social media sites, interests, preferences, feedback and survey responses;
2.3.4. Marketing data including preferences to receive marketing communications;
2.3.5. Technical data including internet protocol (IP) address, browser types and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices used to connect to the Services;
2.3.6. Usage data including information about how a Data Subject uses the Services; and
2.3.7. Additional information as may be directed by the Customer under the Master Agreement and/or in writing.

2.4 Unless the Customer instructs otherwise, Noonah will not collect any special categories of Personal Data about Data Subjects (this includes details about race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about health and genetic and biometric data), criminal convictions and offences.

3. Noonah’s obligations

3.1. Noonah will:
3.1.1. only process the Customer Data:
a. for the Business Purposes;
b. in accordance with the Master Agreement;
c. in accordance with the Customer’s written instructions from Authorised Persons; and
d. in a manner that provides no less than the level of privacy protection required of it by Data Protection Legislation;
3.1.2. notify the Customer if, in Noonah’s opinion, the Customer’s instruction would not comply with the Data Protection Legislation;
3.1.3. if a law, court, regulator or supervisory authority requires Noonah to process or disclose Customer Data, where possible, inform the Customer of the legal or regulatory requirement and give the Customer an opportunity to object or challenge the requirement, unless the law prohibits such notice; 
3.1.4. take reasonable steps to ensure the reliability, integrity and trustworthiness of all of Noonah’s employees with access to the Customer Data and ensure that all employees:
a. are informed of the confidential nature of the Customer Data and are bound by confidentiality obligations and use restrictions in respect of the Customer Data;
b. have undertaken training on the Data Protection Legislation relating to handling Personal Data and how it applies to their particular duties; and
c. are aware both of Noonah’s duties and their personal duties and obligations under the Data Protection Legislation and this DPA;
3.1.5. only retain Customer Data for as long as reasonably necessary to fulfil the Business Purposes which will, as standard, be a maximum period of 12 months following provision of the Services or such other period as may be agreed between the parties in writing. It is the responsibility of the Customer to communicate its data retention policy to Noonah for Noonah’s review.  Where it is able to comply with such data retention policy, Noonah will provide its acceptance of the same in writing;
3.1.6. reasonably assist the Customer with meeting the Customer’s compliance obligations under the Data Protection Legislation, taking into account the nature of Noonah’s processing of the Customer Data and the information available to Noonah, including in relation to Data Subject rights, data protection impact assessments and reporting to and consulting with supervisory authorities under the Data Protection Legislation. Such assistance will be at the cost of the Customer; and
3.1.7. inform the Customer, unless legally prohibited, of any requirement by Data Protection Laws to process any Customer Data for a reason other than the Business Purposes. 

3.2. Noonah will not:
3.2.1. disclose the Customer Data to any Data Subject or to a third party other than:
a. at the Customer’s request or instruction;
b. to a Sub-processor; or
c. otherwise as provided for in this DPA or as required by law;
3.2.2. combine the Customer Data with Personal Data that Noonah receives from or on behalf of any third party unless directed to do so by the Customer or as otherwise permitted by Data Protection Legislation. For the avoidance of doubt, this shall not prevent Customer Data being stored on the same server as other Personal Data;
3.2.3. provide the Customer with any remuneration in exchange for Customer Data. The parties agree that the Customer has not ‘sold’ (as such term is defined by the CCPA) Customer Data to Noonah.

3.3. If Noonah becomes aware of any changes to Data Protection Legislation that may adversely affect Noonah’s performance of Services, it will notify the Customer of such changes. 

4. Security

4.1. Noonah will implement appropriate technical and organisational measures against unauthorised or unlawful processing, access, disclosure, copying, modification, storage, reproduction, display or distribution of Customer Data, and against accidental or unlawful loss, destruction, alteration, disclosure or damage of Customer Data.

4.2. Noonah will implement such measures to ensure a level of security appropriate to the risk involved, which may include:
4.2.1. the pseudonymisation and encryption of Customer Data;
4.2.2. the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
4.2.3. the ability to restore the availability and access to Customer Data in a timely manner in the event of a physical or technical incident; and 
4.2.4. a process for regularly testing, assessing and evaluating the effectiveness of security measures.

5. Sub-processors

5.1. The Customer agrees that the Provider may use Sub-Processor(s) as required to process the Personal Data in line with the Business Purposes. Should the Customer require more details of the Sub-Processor(s) then, upon request, the Provider will send the list of Sub-Processors relevant to the Services.

5.2. Noonah enters into contractual arrangements with its Sub-processors on industry standard terms requiring their compliance with the Data Protection Legislation and, where possible, binding them to at least a comparable level of data protection and information security to that of this DPA. Subject to the limitations of liability contained in the Master Agreement, Noonah will be liable for the acts and omissions of its Sub-processors to the same extent it would be liable under the terms of this DPA if Noonah had performed such acts or omissions itself.

6. Cross-border transfers of Customer Data

6.1. Noonah (or any Sub-processor) may transfer or otherwise process Customer Data outside the UK and European Economic Area (EEA) provided that: 
6.1.1. Noonah or its Sub-processor is processing the Customer Data in a territory which is subject to adequacy regulations under the Data Protection Legislation that the territory provides adequate protection for the privacy rights of individuals; or
6.1.2. Noonah or its Sub-processor participates in a valid cross-border transfer mechanism under the Data Protection Legislation, and ensures that appropriate safeguards are in place to ensure an adequate level of protection with respect to the privacy rights of individuals as may be required by the GDPR.

7. Complaints, data subject requests and third party rights

7.1. Noonah will take such technical and organisational measures as may be appropriate, and promptly provide such information to the Customer as the Customer may reasonably require, at the cost of the Customer, to enable the Customer to comply with:
7.1.1. the rights of Data Subjects under the Data Protection Legislation, including subject access rights, the rights to rectify and erase Personal Data, object to the processing and automated processing of Personal Data, and restrict the processing of Personal Data; and
7.1.2. information or assessment notices served on the Customer by any supervisory authority under the Data Protection Legislation.

7.2. Noonah will notify the Customer within 5 working days if it receives:
7.2.1. a request from a Data Subject for access to their Customer Data or to exercise any of their related rights under the Data Protection Legislation.
7.2.2. any complaint, notice or communication that relates to the processing of the Customer Data or to either party’s compliance with the Data Protection Legislation in respect of the Customer Data.

7.3. Noonah will give the Customer its full cooperation and assistance, at the cost of the Customer, in responding to any complaint, notice, communication or Data Subject request.

8. Records and Audit

8.1. Noonah will keep written records regarding the processing of Customer Data it carries out (“Records”) and has in place internal policies regarding privacy and security. Upon reasonable request and no more than once per year, Noonah will provide the Customer with the Records and Noonah’s privacy and security policies and other such information necessary to demonstrate compliance with the obligations set forth in this DPA. Such information provided will be Noonah’s Confidential Information.

8.2. Where required by law, and to the extent not satisfied by the provision of the information pursuant to clause 11.2, Noonah will permit the Customer to audit Noonah’s compliance with this DPA (Audit). Noonah will give the Customer such assistance as is reasonably necessary to conduct the Audit, which may include: 
8.2.1. remote electronic access to, and copies of the Records and any other information held at Noonah’s premises or on systems storing Customer Data;
8.2.2. inspection of all Records and, where reasonably practicable and under the direct control of Noonah, the infrastructure, electronic data or systems, facilities, equipment or application software used to store, process or transport Customer Data.

8.3. Such Audits will be carried out:
8.3.1. not more than once in any 12 month period;
8.3.2. on at least 30 days’ written notice;
8.3.3. in such manner to minimise any disruption to Noonah’s business; and
8.3.4. at the Customer’s sole cost and expense, and Noonah may charge a reasonable fee for any such assistance.

9. Customer obligations

9.1. The Customer retains control of the Customer Data and remains responsible for its own compliance obligations under the Data Protection Legislation, including providing any required notices and obtaining any required consents to and from Data Subjects, and for the processing instructions it gives to Noonah.

9.2. The Customer will:
9.2.1. comply with the Data Protection Legislation;
9.2.2. not do anything that could cause Noonah to be in breach of Data Protection Legislation; 
9.2.3. reasonably cooperate with Noonah in all matters covered by this DPA;
9.2.4. not provide Customer Data to Noonah except through agreed mechanisms, and without prejudice to the foregoing, the Customer represents and warrants that it shall only transfer Customer Data to Noonah using secure, reasonable and appropriate mechanisms;
9.2.5. not take any action that would render the provision of Customer Data to Noonah a ‘sale’ under U.S. Privacy Laws or a ‘share’ under the CCPA (or equivalent concepts under U.S. Privacy Laws); and
9.2.6. not take any action that would render Noonah not a ‘service provider’ under the CCPA or ‘processor’ under U.S. Privacy Laws.

10. Personal Data Breach

10.1. Noonah will promptly, and without undue delay, notify the Customer if it becomes aware of:
10.1.1. any Customer Data being lost or destroyed or becoming damaged, corrupted, or unusable;
10.1.2. any Personal Data Breach by Noonah or its Sub-processors.

10.2. If Noonah becomes aware of the above it will, without undue delay, also provide the Customer with the following information:
10.2.1. description of the nature of the incident, including the categories and approximate number of both Data Subjects and Customer Data records concerned;
10.2.2. the likely consequences, so far as Noonah is aware; and
10.2.3. description of the measures taken, or proposed to be taken, to address the breach, including measures to mitigate its possible adverse effects.

10.3. Following any Personal Data Breach, the parties will coordinate with each other to investigate the matter. Noonah will reasonably cooperate with the Customer in the Customer’s handling of the matter, including:
10.3.1. assisting with any investigation conducted by the Customer;
10.3.2. providing the Customer with physical access to any facilities and operations affected if reasonably required and within Noonah’s control;
10.3.3. facilitating interviews with Noonah’s employees, and (where possible) former employees and others involved in the matter;
10.3.4. making available relevant records, logs, files, data reporting and other materials reasonably required to comply with all Data Protection Legislation or as otherwise reasonably required by the Customer; and
10.3.5. taking reasonable and prompt steps to mitigate the effects and to minimise any damage resulting from the Personal Data Breach.

Noonah reserves the right to charge the Customer an administration fee for its involvement in such investigation where Noonah is not found to be at fault.

10.4. Except when required to do so by law and save for any Sub-processors involved, Noonah will not inform any third party of any Personal Data Breach without first obtaining the Customer’s prior written consent.

10.5. If a Personal Data Breach occurs or is occurring, or Noonah becomes aware of a breach of any of its obligations under this DPA or the Data Protection Legislation, Noonah will:

10.5.1. promptly conduct its own investigation to determine the cause; and
10.5.2. remedy any deficiencies identified by the investigation as soon as reasonably practicable.

11. Term

11.1. This DPA will remain in full force and effect so long as:
11.1.1. the Master Agreement remains in effect; or
11.1.2. Noonah retains any Customer Data in its possession or control.

11.2. Any provisions of this DPA and/or the Master Agreement that expressly or by implication should come into or continue in force on or after termination of the Master Agreement in order to protect Customer Data will remain in full force and effect.

11.3. If a change in any Data Protection Legislation prevents either party from fulfilling all or part of its obligations under the Master Agreement, the parties will suspend the processing of Customer Data until that processing complies with the new requirements. If the parties are unable to bring the Customer Data processing into compliance with the Data Protection Legislation within a reasonable time period, either party may terminate that element of the services provided under the Master Agreement on written notice to the other party.

12. Data return and destruction

12.1. At the Customer’s request, Noonah will give the Customer a copy of or access to all or part of the Customer Data in its possession or control in the format and on the media reasonably specified by the Customer.

12.2. On termination of the Master Agreement for any reason or expiry of its term or once the data retention period has come to an end (where such data retention policy was accepted by Noonah in writing), Noonah will securely delete or destroy or, if directed in writing by the Customer, return and not retain, all or any Customer Data in its possession or control.

12.3. If any law, regulation, or government or regulatory body requires Noonah to retain any documents or materials that Noonah would otherwise be required to return or destroy, it will, where permitted by law, notify the Customer in writing of that retention requirement, giving details of the documents or materials that it must retain, the legal basis for retention, and establishing a specific timeline for destruction once the retention requirement ends.

12.4. If requested by the Customer, Noonah will certify in writing that it has destroyed the Customer Data.