Data processing agreement

This Data Processing Agreement (“DPA”) is incorporated into, and is subject to the terms and conditions of, the MyEva Contract between Us and You.

All capitalised terms not defined in this DPA shall have the meanings set forth in the MyEva Contract.

This is version 18 of this DPA (09 May 2023).

1 Definitions

“Authorised User” has the same meaning as set out in the MyEva Contract;

“Authorised User Data” means any personal data that You give to Us relating to Authorised Users to process on your behalf as a processor in the course of providing the Service and in order to engage directly with your Authorised Users, as more particularly described in this DPA;

“Data Protection Laws” means all data protection and privacy laws applicable to the processing of personal data under the MyEva Contract, including, where applicable;

“Data Protection Law” means (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) (“GDPR”); (ii) Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector; and (iii) applicable national implementations of (i) and (ii) (or in respect of the United Kingdom, any applicable national legislation that replaces or converts in domestic law the GDPR or any other law relating to data and privacy as a consequence of the United Kingdom leaving the European Union); in each case, as may be amended, superseded or replaced;

“EEA” means, for the purposes of this DPA, the European Union, the European Economic Area and/or their member states, and Switzerland;

“MyEva Contract” means the agreement which governs the provision of the Service to You;

“Security Incident” means any unauthorised or unlawful breach of security that leads to the accidental or unlawful destruction, loss, or alteration of, or unauthorised disclosure of or access to, Authorised User Data on systems managed or otherwise controlled by Us;

“Sensitive Data” means data that falls within the definition of “special categories of data” under the GDPR or any other applicable Data Protection Laws;

“Sub-processor” means any processor engaged by Us to assist in fulfilling its obligations with respect to providing the Service pursuant to the MyEva Contract or this DPA;

The terms “personal data”, “controller”, “processor” and “processing” shall have the meaning given to them in the GDPR, and “process”, “processes” and “processed” shall be interpreted accordingly;

2 Roles and Responsibilities

2.1 Parties’ roles. You are the controller of Authorised User Data, and We shall process Authorised User Data only as a processor acting on your behalf as described in the section 11 of this DPA.

2.2 Purpose limitation.  We shall process Authorised User Data only for the purposes described in this DPA and in accordance with your documented lawful instructions, except where otherwise required by applicable law.  The parties agree that the MyEva Contract sets out your complete and final instructions to Us in relation to the processing of Authorised User Data, and processing outside the scope of these instructions (if any) shall require prior written agreement between the parties.

2.3 Prohibited data. You will not provide (or cause to be provided) any Sensitive Data to Us for processing under the MyEva Contract, and We will have no liability whatsoever for Sensitive Data, whether in connection with a Security Incident or otherwise. For the avoidance of doubt, this DPA will not apply to Sensitive Data.

2.4 Your compliance.  You represent and warrants that (i) You have complied, and will continue to comply, with all applicable Data Protection Laws in respect of its collecting of Authorised User Data and transferring to Us for the purposes of providing the Service and all processing instructions You issue to Us; and (ii) You have provided, and will continue to provide, all notice and has obtained, and will continue to obtain, all consents and rights necessary under Data Protection Laws for Us to process Authorised User Data for the purposes described in the MyEva Contract.  You shall have sole responsibility for the accuracy, quality, and legality of Authorised User Data as provided by You to Us and the means by which You acquired Authorised User Data.

2.5 Notification obligations regarding your instructions.  We shall promptly notify You in writing, unless prohibited from doing so under Data Protection Laws, if we become aware or believes that any data processing instruction from You violates Data Protection Laws.

3 Sub-processing

3.1 Authorised Sub-processors.  You agree that We may engage Sub-processors to process Authorised User Data on your behalf. Information regarding the Sub-processors currently engaged by Us is available on request.  We shall notify You if We adds or removes Sub-processors at least 10 days prior to any such changes.

3.2 Objection to Sub-processors.  You may object in writing to Our appointment of a new Sub-processor within five (5) calendar days of receiving notice in accordance with Section 3.1 above, provided that such objection is based on reasonable grounds relating to data protection.  In such event, the parties shall discuss such concerns in good faith with a view to achieving a commercially reasonable resolution.  If no such resolution can be reached, We will, at Our sole discretion, either not appoint such Sub-processor, or permit You to suspend or terminate the affected Service in accordance with the termination provisions in the MyEva Contract without liability to either party (but without prejudice to any fees incurred by You prior to suspension or termination).

3.3 Sub-processor obligations.  We shall: (i) enter into a written agreement with each Sub-processor containing data protection obligations that provide at least the same level of protection for Authorised User Data as those in this DPA, to the extent applicable to the nature of the services provided by such Sub-processor; and (ii) remain responsible for such Sub-processor’s compliance with the obligations of this DPA and for any acts or omissions of such Sub-processor that cause Us to breach any of Our obligations under this DPA.

4 Security

4.1 Security Measures.  We shall implement and maintain technical and organisational security measures prescribed by EU Data Protection Laws to protect Authorised User Data from Security Incidents and to preserve the confidentiality, integrity and availability of Authorised User Data and in any event in accordance with ISO 27001 (“Security Measures”)

4.2 Confidentiality of processing.  We shall ensure that any person who is authorised by Us to process Authorised User Data (including its staff, agents and subcontractors) shall be under an appropriate obligation of confidentiality (whether a contractual or statutory duty).

4.3 Updates to Security Measures.  You acknowledge that the Security Measures are subject to technical progress and development and that We may update or modify the Security Measures from time to time, provided that such updates and modifications do not result in the degradation of the overall security of the Service provided to You.

4.4 Security Incident response.  Upon becoming aware of a Security Incident, We shall: (i) notify You without undue delay, and where feasible, in any event no later than 48 hours from becoming aware of the Security Incident; (ii) provide timely information relating to the Security Incident as it becomes known or as is reasonably requested by You; and (iii) promptly take reasonable steps to contain and investigate any Security Incident.  Our notification of or response to a Security Incident under this Section 4.4 shall not be construed as an acknowledgement by Us of any fault or liability with respect to the Security Incident.

4.5 Your responsibilities.  Notwithstanding the above, You agree that except as provided by this DPA, You are responsible for your secure use of the Service, including securing your account authentication credentials, protecting the security of Authorised User Data when in transit to and from the Service, and taking any appropriate steps to securely encrypt or backup any Authorised User Data uploaded to the Service.

5 Security Reports and Audits

5.1 Audit rights.  We shall make available to You all information reasonably necessary to demonstrate compliance with the Data Protection Laws and allow for and contribute to audits, including inspections by You in order to assess compliance with this DPA.  You acknowledge and agree that You shall exercise your audit rights under this DPA (including this Section 5.1) by instructing Us to comply with the audit measures described in Sections 5.2 and 5.3 below.

5.2 Security reports.  You acknowledge that We are regularly audited against United Kingdom Accreditation Service (UKAS) standards by independent third-party auditors and internal auditors respectively.  Upon written request, We shall supply (on a confidential basis) a summary copy of Our most current audit report(s) (“Report”) to You, so that You can verify the Our compliance with the audit standards against which it has been assessed and this DPA.

5.3 Security due diligence.  In addition to the Report, We shall respond to all reasonable requests for information made by You to confirm the Our compliance with this DPA, including responses to information security, due diligence and audit questionnaires, by making additional information available regarding its information security program upon your written request, provided that You do not exercise this right more than once per calendar year.

6 Cross-border Transfers

6.1 Authorised Transfers.  We currently engage some US-based processors to provide services such as data analytics and marketing communications.  We shall only engage with processors based in other countries outside the UK or the EEA where we consider that there are adequate safeguards provided for your data, with individual rights standards that meet the Data Protection Laws and the use of these processors is necessary in the fulfilment of our obligations to you.   Information regarding the processors currently engaged by Us who operate outside of the UK or the EEA is available on request.

6.2. Cross-border Security. If Authorised User Data processed under this DPA is transferred from the UK or a country within the EEA to a country outside the UK or the EEA which do not ensure an adequate level of data protection within the meaning of Data Protection Laws, We shall ensure that the Authorised User Data is adequately protected. To achieve this, We shall, unless agreed otherwise, rely on the European Commission approved Standard Contractual Clauses or the UK International Data Transfer Agreement (in all contracts concluded on or after 22 September 2022) for the transfer of personal data from the UK or the EEA to countries which do not ensure an adequate level of data protection within the meaning of Data Protection Laws of the foregoing territories for the transfer of Authorised User Data or such other legally enforceable mechanisms for transfer as may be prescribed under Data Protection Laws from time to time.

7 Return or Deletion of Data

7.1 Deletion on termination.  Upon termination or expiration of the MyEva Contract, We shall (at your election) delete, return or permanently de-identify all Authorised User Data (including copies) in our possession or control, except that this requirement shall not apply to the extent We are required by applicable law to retain some or all of the Authorised User Data, or to Authorised User Data we have archived on back-up systems, which Authorised User Data We shall securely isolate, protect from any further processing and eventually delete in accordance with Our deletion policies, except to the extent required by applicable law.

8 Data Subject Rights and Cooperation

8.1 Data subject requests. The Service provides You with a number of controls that You may use to retrieve, correct, delete or restrict Authorised User Data, which You may use to assist it in connection with your obligations under the Data Protection Laws, including your obligations relating to responding to requests from data subjects or applicable data protection authorities.  We shall provide reasonable cooperation to assist You to respond to any requests from individuals or applicable data protection authorities relating to the processing of Authorised User Data under the MyEva Contract.  In the event that any such request is made to Us directly, We shall not respond to such communication directly except as appropriate (for example, to direct the data subject to contact You) or legally required, without your prior authorisation.  If We are required to respond to such a request, We shall promptly notify You and provide You with a copy of the request unless We are legally prohibited from doing so.  For the avoidance of doubt, nothing in the MyEva Contract (including this DPA) shall restrict or prevent Us from responding to any data subject or data protection authority requests in relation to personal data for which We are a controller.

8.2 If a law enforcement agency sends Us a demand for Authorised User Data, We shall attempt to redirect the law enforcement agency to request that data directly from You.  As part of this effort, We may provide your basic contact information to the law enforcement agency.  If compelled to disclose Authorised User Data to a law enforcement agency, then We shall give You reasonable notice of the demand to allow You to seek an appropriate remedy, unless We are legally prohibited from doing so.

8.3 Data Protection Impact Assessment (DPIA). To the extent required under applicable Data Protection Laws, We shall provide all reasonably requested information regarding the Service to enable You to carry out data protection impact assessments or prior consultations with data protection authorities as required by law.

9 Limitation of Liability

9.1 Each party’s liability taken together in the aggregate arising out of or related to this DPA shall be subject to the exclusions and limitations of liability set forth in the MyEva Contract.

9.2 Any claims against Us under or in connection with this DPA shall be brought solely against the entity that is a party to the MyEva Contract.

9.3 In no event shall any party limit its liability with respect to any individual’s data protection rights under this DPA or otherwise.

10 Relationship with the MyEva Contract

10.1 This DPA shall remain in effect for as long as We carry out Authorised User Data processing operations on your behalf or until termination of the MyEva Contract (and all Authorised User Data has been returned or deleted in accordance with Section 7.1 above).

10.2 The parties agree that this DPA shall replace any existing Data Processing Agreement or similar document that the parties may have previously entered into in connection with the Service.

10.3 In the event of any conflict or inconsistency between this DPA and the MyEva Contract, the provisions of the following documents (in order of precedence) shall prevail: this DPA; and then the MyEva Contract.

10.4 Except for any changes made by this DPA, the MyEva Contract remains unchanged and in full force and effect.

10.5 Notwithstanding anything to the contrary in the MyEva Contract (including this DPA), We shall have a right to collect, use and disclose data relating to the use, support and/or operation of the Service (“Service Data”) for its legitimate business purposes, such as billing, account management, technical support, and product development.  To the extent any such Service Data is considered personal data under Data Protection Laws, We shall be responsible for and shall process such data in accordance with Data Protection Laws. For the avoidance of doubt, this DPA shall not apply to Service Data.

10.6 No one other than a party to this DPA, its successors and permitted assignees shall have any right to enforce any of its terms.

10.7 This DPA shall be governed by and construed in accordance with governing law and jurisdiction provisions in the MyEva Contract, unless required otherwise by applicable Data Protection Laws.

11 Details of Data Processing

11.1 We will process data in accordance with the following details:

(a) Subject matter: The subject matter of the data processing under this DPA is the Authorised User Data.

(b) Duration: The duration of the data processing under this DPA is until the expiration or termination of the MyEva Contract in accordance with its terms.

(c) Purpose: We shall only process Authorised User Data for the following purposes: (i) processing to perform the Service in accordance with the MyEva Contract; (ii) processing initiated You in your use of the Service; and (ii) processing to comply with any other reasonable instructions provided by You (e.g., via email or support tickets) that are consistent with the terms of the MyEva Contract (individually and collectively, the “Purpose”).

(d) Nature of the processing: We provide an Employee Benefits Platform and other related services to Authorised Users, as more particularly described in the MyEva Contract..

(e) Categories of data subjects: Authorised Users being employees, agency personnel or independent contractors.

(f) Types of Authorised User Data: You may upload, submit or otherwise provide certain personal data to the Service, the extent of which is typically determined and controlled by You in your sole discretion, and may include the following types of personal data:

  • Employee full name
  • Employee DOB
  • Employee NI number
  • Employee home address
  • Employee start date
  • Employee hours per week
  • Employee email address
  • Confirmation on salary exchange
  • Confirmation on salary exchange optional
  • Monthly data upload processed for leavers/joiners
  • Scheme data – matching rules

(g) Sensitive Data: We do not want to, nor do We intentionally, collect from You or process any Sensitive Data in connection with the provision of the Service.

(h) Processing Operations: Authorised User Data will be processed in accordance with the MyEva Contract (including this DPA) and may be subject to the following processing activities:

  • Storage and other processing necessary to provide, maintain and improve the Service provided to You pursuant to the MyEva Contract; and/or
  • Disclosures in accordance with the MyEva Contract and/or as compelled by applicable law.