Terms of Data Processing

1. Overview

References to the term "Data Processing Agreement" mean this Agreement and the following schedules attached hereto:

Schedule 1: Services, Processing, Personal Data and Data Subjects

Schedule 2: Security Measures

We, Rais Opportunities Ltd., a company incorporated and registered in England and Wales under company number 09383407 whose registered office is 10 Cheyne Walk, Northampton, NN1 5PT (“Processor” in this Agreement)

and

You, the Client, (“Controller” in this Agreement),

hereinafter collectively referred to as “Parties” and individually “Party”, have agreed to enter into this Agreement to ensure compliance with the said provisions of the applicable data protection legislation (“Data Protection Legislation”) relating to the processing of Personal Data in relation to all processing of Personal Data by the Processor for the Controller.

2. Definitions

The terms and expressions set out in this Agreement shall have the following meanings:

2.1 Data Protection Legislation: (i) unless and until the GDPR is no longer directly applicable in the UK, the General Data Protection Regulation ((EU) 2016/679) and any national implementing laws, regulations and secondary legislation, as amended or updated from time to time, in the UK and then (ii) any successor legislation to the GDPR or the Data Protection Act 1998;

2.2 “Controller”, “Processor”, “Processing” and “Data Subject” shall have the meanings given to them in the Data Protection Legislation;

2.3 ICO means the Information Commissioner’s Office;

2.4 Personal Data means all such “personal data” as defined in the Data Protection Legislation as is, or is to be, processed by the Processor on behalf of the Controller;

2.5 Services means those services described in Schedule 1 which are provided by the Processor to the Controller and which the Controller uses for the purposes described in Schedule 1.

2.6 “Security Measures” means the security measures set out in Schedule 2.

2.7 Standard Contractual Clauses means the European Commission’s Standard Contractual Clauses for the transfer of Personal Data from the European Union to processors established in third countries.

Clause, Schedule and paragraph headings shall not affect the interpretation of this agreement.

A person includes a natural person, corporate or unincorporated body (whether or not having separate legal personality).

The Schedules form part of this Agreement and shall have effect as if set out in full in the body of this Agreement. Any reference to this Agreement includes the Schedules.

A reference to a company shall include any company, corporation or other corporate bodies, wherever and however incorporated or established.

Unless the context otherwise requires, words in the singular shall include the plural and in the plural shall include the singular.

Unless the context otherwise requires, a reference to one gender shall include a reference to the other genders.

It is agreed as follows:

3. Scope of Processing

3.1 The Controller determines the purposes and means of the processing of Personal Data. The Controller shall comply with its obligations pursuant to Data Protection Legislation, including its responsibility to establish the necessary legal basis for collecting, processing and transferring of Personal Data to the Processor.

The Controller shall inform the Processor of the legal basis on which it intends to collect, process and transfer Personal Data, and shall inform the Processor whenever it decides to change the way it intends to collect, process and transfer data. If the Controller uses legitimate interest as the legal basis for collecting, processing and transferring Personal Data of existing customers, it is the responsibility of the Controller to have taken the necessary steps to ensure that this legal basis has been suitably established and documented.

3.2 The terms of this Agreement supersede any other arrangement, understanding or agreement made between the Parties at any time relating to the protection of Personal Data.

3.3 This Agreement concerns the Processor's processing of Personal Data on behalf of the Controller in connection with the Processor's provision of the Services or otherwise as described in Schedule 1.

3.4 The nature and the purpose of the processing, including operations and activities, are specified in Schedule 1 but the Processor is only to carry out the Services, and only to process Personal Data received from the Controller:

3.4.1 for the purposes of those Services and not for any other purpose;

3.4.2 to the extent and in such manner as is necessary for those purposes; and

3.4.3 strictly in accordance with the express authorization and instructions of designated contacts at the Controller (which may be specific instructions or instructions of a general nature or as otherwise notified by the Controller to the Processor).

3.5 The Processor, its Hosting Sub-processor, any other Sub-processors, and other persons acting under the authority of the Processor who have access to the Personal Data (pursuant to and in accordance with clause 6) shall process the Personal Data only on behalf of the Controller and in compliance with its documented instructions and in accordance with the Data Processing Agreement, unless otherwise stipulated in applicable statutory laws.

3.6 The Processor shall immediately inform the Controller if, in the Processor's opinion, an instruction from the Controller may infringe the Data Protection Legislation.

3.7 The Processor shall promptly comply with any request from the Controller requiring the Processor to amend, transfer or delete the Personal Data.

3.8 The Processor agrees to comply with any reasonable measures required by the Controller to ensure that its obligations under this Agreement are satisfactorily performed in accordance with the Data Protection Legislation and all applicable legislation from time to time in force and any best practice guidance issued by the ICO.

3.9 Where the Processor processes Personal Data (whether stored in the form of physical or electronic records) on behalf of the Controller it shall:

3.9.1 not process the Personal Data outside the European Union without the prior written consent of the Controller and, where the Controller consents to such a transfer, to comply with the transfer obligations of Chapter V of the Data Protection Legislation;

3.9.2 process the Personal Data only to the extent, and in such manner, as is necessary in order to comply with its obligations to the Controller or as is required by law or any regulatory body including but not limited to the ICO;

3.9.3 implement appropriate technical and organisational measures and take all steps necessary to protect the Personal Data against unauthorised or unlawful processing and against accidental loss, destruction, damage, alteration or disclosure, and promptly supply details of such measures as requested from the Controller;

3.9.4 when transferring any Personal Data be subject to the Standard Contractual Clauses or other legal basis for such transfer or disclosure; and

3.9.5 if so requested by the Controller (and within the timescales required by the Controller) supply details of the technical and organisational systems in place to safeguard the security of the Personal Data held and to prevent unauthorised access.

3.10 On at least 5 days' prior notice, the Processor shall permit persons authorised by the Controller to enter into the premises in which the Processor carries out their work to process Personal Data provided by the Controller, and to inspect the Processor’s facilities, equipment, documents and electronic data relating to the processing of the Personal Data.

3.11 The Processor shall notify the Controller (within two working days) if it receives:

3.11.1 A request from a Data Subject to have access to that person’s Personal Data; or

3.11.2 A complaint or request relating to the Controller’s obligations under the Data Protection Legislation.

3.12 The Processor agrees to provide the Controller with full co-operation and assistance in relation to any complaint or request made, including by:

3.12.1 providing the Controller with full details of the complaint or request;

3.12.2 complying with a data access request within the relevant timescale and in accordance with the Controller’s instructions;

3.12.3 providing the Controller with any Personal Data it holds in relation to a data subject (within the timescales required by the Controller);

3.12.4 providing the Controller with any information requested by the Controller.

3.13 The Processor shall notify the Controller immediately if it becomes aware of any unauthorised or unlawful processing, loss of, damage to or destruction of any of the Personal Data.

4. Security Measures

4.1 The Processor shall implement appropriate technical and organisational measures as stipulated in Data Protection Legislation and/or measures imposed by the ICO to ensure an appropriate level of security and these are outlined in Schedule 2.

4.2 The Processor shall assess the appropriate level of security and take into account the risks related to the processing, including the risk of accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data transmitted, stored or otherwise processed.

4.3 The Processor will not be liable to the Controller for any delay or failure to perform its obligation to securely process the Personal Data where the delay or failure results from any cause beyond the Processor’s reasonable control, including acts of God, labour disputes or other industrial disturbances, electrical or power outages, utilities or other telecommunications failures, earthquake, storms or other elements of nature, blockages, embargoes, riots, acts or orders of government, acts of terrorism, or war.

4.4 All transmissions of Personal Data between the Processor and the Controller or between the Processor and any third party shall be done by means of adequate encryption.

4.5 The Processor shall provide the Controller with general descriptions of the Processor's and its Sub-processors' technical and organisational measures implemented to ensure an appropriate level of security.

4.6 The Processor shall provide reasonable assistance to the Controller, taking into account relevant information available to the Processor, if the Controller is obliged to perform an impact assessment and/or consult ICO in connection with the processing of Personal Data. The Controller shall bear any costs accrued by the Processor related to such assistance.

5. Notification of any Breach

5.1 The Processor shall notify the Controller without undue delay after becoming aware of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed ("Personal Data Breach"). The Controller is responsible for notifying the Personal Data Breach to the ICO within 72 hours of becoming aware of any such breach.

5.2 The notification to the Controller shall as a minimum describe (i) the nature of the Personal Data Breach including where possible, the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned; (ii) the likely consequences, in the reasonable opinion of the Processor, of the Personal Data Breach; (iii) the measures taken or proposed to be taken by the Processor to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.

5.3 In the event the Controller is obliged to communicate a Personal Data Breach to the Data Subjects, the Processor shall assist the Controller, including the provision, if available, of necessary contact information to the affected Data Subjects. The Controller shall bear any costs related to such assistance provided by the Processor and to such communication to the Data Subject. The Processor shall nevertheless bear such costs if the Personal Data Breach is caused by circumstances for which the Processor is responsible.

6. Sub-Processing

6.1 The Processor shall store Personal Data within a facility provided by a specific Processor (“Hosting Sub-processor”), whose name and details the Controller may request at any time. The role and location of this Hosting Sub-processor is explained within Schedule 1.

6.2 The Processor shall not engage any other Processor (“Sub-processor”) in the processing of the Personal Data without the written consent of the Controller. The Processor shall inform the Controller of any intended changes concerning the addition or replacement of the Hosting Sub-processor or any other Sub-processors, and the Controller has the right to object to such changes.

6.3 Under the agreement between the Processor and the Hosting Sub-processor, the Hosting Sub-processor shall implement reasonable and appropriate measures designed to help the Processor secure Personal Data against accidental or unlawful loss, access or disclosure. However, it remains the sole responsibility of the Processor to provide sufficient guarantees to the Controller that appropriate technical and organisational measures are implemented to comply with Data Protection Legislation.

6.4 The Processor is responsible for properly configuring and using the service offerings provided by the Hosting Sub-Processor and for taking appropriate action to secure, protect and backup the Controller’s Personal Data in a manner that will provide appropriate security and protection.

6.5 The Processor shall ensure that its data protection obligations set out in this Agreement and the Data Protection Legislation are imposed on any other Sub-processors by way of a written agreement.

7. Warranties and Indemnities

7.1 Each party warrants to the other that it will process the Personal Data in compliance with this Agreement and in accordance with the Data Protection Legislation.

7.2 The Parties shall each be liable for and shall indemnify (and keep indemnified) each other against each and every action, proceeding, liability, cost, claim, loss, expense (including reasonable legal fees and disbursements on a solicitor and client basis) and demand incurred by the other which arise directly or in connection with any data processing activities which are subject to this Agreement.

7.3 Our total liability in contract, tort (including negligence or breach of statutory duty), misrepresentation, restitution or otherwise arising in connection with the performance or contemplated performance of the Data Processing Agreement shall in all circumstances be limited to the cover We are provided with by our Cyber and Data Insurance policy.

8. Confidentiality

8.1 The Processor shall maintain the Personal Data processed by the Processor on behalf of the Controller in confidence, and in particular, unless the Controller has given written consent for the Processor to do so, the Processor shall not disclose any Personal Data supplied to the Processor by, for, or on behalf of, the Controller to any third party. The Processor shall not process or make any use of any Personal Data supplied to it by the Controller otherwise than in connection with the provision of the Services to the Controller.

8.2 The Controller is subject to a duty of confidentiality regarding any documentation and information, received by the Processor, related to the Processor's and its Sub-processors' implemented technical and organisational security measures.

8.3 The obligations in this Clause 7 shall continue for a period of five years after the cessation of the provision of Services by the Processor to the Controller. Nothing in this Agreement shall prevent either party from complying with any legal obligation imposed by the ICO or a court. Both parties shall, however, where possible, discuss together the appropriate response to any request from the ICO or court for disclosure of information.

9. Term and Termination

9.1 The Processing Agreement is valid for as long as the Processor processes Personal Data on behalf of the Controller.

9.2 In the event of the Processor's breach of the Processing Agreement, the Controller may elect to (i) instruct the Processor to stop further processing of Personal Data with immediate effect; (ii) terminate the Processing Agreement with immediate effect; and/or (iii) claim its losses, costs, damages and/or expenses incurred, pursuant to the indemnity set out under clause 7.3, subject always to the provisions of the agreement(s) pursuant to which the Services are provided.

9.3 The Processor shall, upon the termination of this Agreement and at the choice of the Controller, delete or return all the Personal Data to the Controller, unless otherwise stipulated in the Data Protection Legislation. The Processor shall document in writing to the Controller that deletion has taken place.

10. General

10.1 This Agreement may only be amended by the Parties subject to mutual consent and in accordance with the Data Protection Legislation.

10.2 The Processor shall not sub-contract to any third party any of its rights or obligations under this Agreement save for where permitted by the Parties under this Agreement.

10.3 The Processor accepts the obligations in this Agreement in consideration of the payment of £1 from the Controller, which the Processor hereby acknowledges.

10.4 Except as expressly provided in this agreement, the rights and remedies provided under this agreement are in addition to, and not exclusive of, any rights or remedies provided by law.

10.5 This Agreement shall be governed by the laws of England and Wales and subject to the exclusive jurisdiction of the courts of England and Wales.

Schedule 1 – Services, Processing, Personal Data, and Data Subjects

1. SERVICES

The “Services” referred to in Sub-Clause 1.5 means the provision of a Customer Data Management platform that automatically manages and processes the Controller’s customer data, enabling the Controller to provide a more relevant shopping experience for its customers.

The Controller uses the Services for the following purpose[s]: to administer the Controller’s business through the provision of performance reporting, and to enable a more relevant shopping experience for the Controller’s customers through insights and metadata that can be used when communicating with customers.

2. PROCESSING

Processing of data will take place in a secure location using a Hosting Sub-Processor who provides a scalable data storage facility within the EU, which the Processor accesses remotely via a secure connection.

The definition of processing data includes: obtaining, recording or holding data or carrying out any operation or set of operations on data, including but not limited to: alteration, adaptation, retrieval and consultation, dissemination, deletion.

In short, the Hosting Sub-Processor will hold data and the Processor will obtain, record and carry out operations on the data, including alteration, adaptation, retrieval and consultation, dissemination and deletion.

Therefore, Personal Data will be subject to the following basic processing activities:

  • Data are retrieved by the Processor from sources that the Controller provides access to such as their e-commerce database, their Google Analytics database and their email marketing database.

  • Data are processed to create a single de-duplicated view of the customer, their purchase and contract history

  • Data are automatically analysed to create metadata that helps the Controller to measure business performance through a customer lens and understand how they can improve their service to their customers

  • Certain metadata are then provided back to the systems the Controller uses to communicate with its customers, so that the Controller can communicate with customers in a more relevant manner

  • All data are stored in the facility provided by the Hosting Sub-Processor

3. PERSONAL DATA

The Personal Data processed concern the following type and categories, including any special categories of data:

  • Transactional data – what a customer has purchased and when

  • Contact data – Name, email address, postal addresses, phone numbers for a customer

  • Browsing data – the source of website visits, if they’ve been captured

  • Email campaigns data – Opens and clicks from email campaigns

4. DATA SUBJECTS

The Personal Data processed concern the following categories of Data Subjects:

  • The Controller’s customers

  • The Controller’s Users of the rais Services (this can include both employees and sub-contractors of the Controller)

Schedule 2 – Security Measures

The following are the Security Measures referred to in Sub-Clause 1.6:

1. The Processor will ensure that in respect of all Personal Data it receives from or processes on behalf of the Controller it maintains security measures to a standard appropriate to:

1.1 the harm that might result from unlawful or unauthorised processing or accidental loss, damage or destruction of the Personal Data; and

1.2 the nature of the Personal Data.

2. In particular, the Processor shall:

2.1 have in place and comply with a security policy which:

2.1.1 defines security needs based on a risk assessment;

2.1.2 allocates responsibility for implementing the policy to a specific individual or members of a team;

2.1.3 is provided to the Controller on or before the commencement of this Agreement;

2.1.4 is disseminated to all relevant staff; and

2.1.5 provides a mechanism for feedback and review.

2.2 ensure that appropriate security safeguards and virus protection are in place to protect the hardware and software which is used in processing the Personal Data in accordance with best industry practice;

2.3 prevent unauthorised access to the Personal Data;

2.4 ensure its storage of Personal Data conforms with best industry practice such that the media on which Personal Data is recorded (including paper records and records stored electronically) are stored in secure locations and access by personnel to Personal Data is strictly monitored and controlled;

2.5 have secure methods in place for the transfer of Personal Data whether in physical form (for instance, by using couriers rather than post) or electronic form (for instance, by using encryption);

2.6 put password protection on computer systems on which Personal Data is stored and ensure that only authorised personnel are given details of the password;

2.7 take reasonable steps to ensure the reliability of employees or other individuals who have access to the Personal Data;

2.8 ensure that any employees or other individuals required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this Agreement;

2.9 ensure that none of the employees or other individuals who have access to the Personal Data publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Controller;

2.10 have in place methods for detecting and dealing with breaches of security (including loss, damage or destruction of Personal Data) including:

2.10.1 the ability to identify which individuals have worked with specific Personal Data;

2.10.2 having a proper procedure in place for investigating and remedying breaches of the data protection principles contained in the Act; and

2.10.3 notifying the Controller as soon as any such security breach occurs.

2.11 have a secure procedure for backing up and storing back-ups separately from originals;

2.12 have a secure method of disposal of unwanted Personal Data including for back-ups, disks, printouts and redundant equipment.

Schedule 3 – GDPR support from RAIS

The following section illustrates how We will help You with consumer ‘rights requests’.

For the purposes of the information below, any reference to “Processor”, “We”, “Us” or “Ourselves” means Rais Opportunities Ltd. and any reference to “Controller” or “You” means you, the Client.

RIGHT OF ACCESS REQUESTS

A data subject may make a subject access request (“SAR”) at any time to find out more about the personal data which the Controller holds about them. We will make it easier for the Controller to fulfil such requests by providing You with access to the data subject’s “customer profile” page which includes details of the data held about them. You are not obliged to actually provide the specific details of the data held unless the data subject makes a right of data portability request (see below). In such cases we will provide You with an export feature that will allow You to export data from our platform and share it with a data subject in an appropriate format e.g. Microsoft Excel spreadsheet or Adobe PDF file. 

RIGHT TO RECTIFICATION OR DATA QUALITY REQUESTS

A data subject may inform the Controller that personal data held by the Controller is inaccurate or incomplete, requesting that it be rectified. In such cases We will provide the Controller the means to update personal data about the data subject within our platform. 

IMPORTANT: any update made on Our platform to an email address, first name or last name, will update the Controller’s email marketing platform accordingly, but not their e-commerce system.

Example 1. If a data subject who has made a previous purchase states that the email address at which they are receiving emails is incorrect, the Controller can use our platform to input a new email address against this data subject and unsubscribe the previous email address for them. This will subsequently update the email marketing platform in order to ensure that email campaigns are sent to the correct email address. It will not update the email address used to make the purchase on the e-commerce platform.

Example 2. A data subject who has made a previous purchase states that their postal address has changed because they are no longer paying for their postal redirection service. The Controller finds this customer on their e-commerce platform and updates their billing address (it’s important that the update is made to the billing address, as this is the address RAIS uses when it comes to providing address details for Direct Mail). RAIS consequently receives a notification from the e-commerce platform and updates this customer with their new address details. If the Controller chooses to only update the data subject’s address in RAIS, then RAIS will not update the e-commerce platform. Please note that RAIS is always updated from source data systems such as your e-commerce platform, so if a customer repurchases and provides a new or amended billing address, RAIS will be updated again.

If you are unsure about the process to go through when fulfilling right to rectification requests, then please contact support@rais.io for help!

RIGHT TO ERASURE REQUEST

A data subject may request that the Controller erases the personal data it holds about them if it is no longer necessary for the Company to hold that personal data with respect to the purpose for which it was originally collected or processed or if they wish to withdraw their consent to the Controller holding and processing their personal data. In such cases We will provide You with the means to erase the personal data held about this data subject on our platform effectively anonymising them. This will consequently unsubscribe any email addresses we hold on the data subject within your email marketing platform. 

IMPORTANT: RAIS syncs with a single email list. If you use multiple email lists through programmes like Mailchimp, you dramatically increase the risk of not fulfilling right to erasure requests. This is because unsubscribe actions within Mailchimp are associated with individual lists. If a data subject exists on multiple lists, then You must ensure that they are unsubscribed from all lists they are a member of. RAIS will only unsubscribe them from the list we sync with (usually your main marketing list).

WHY UNSUBSCRIBE AND NOT DELETE: deleting an email address actually carries a greater risk of re-subscribing that email address at a later date, especially when switching email marketing platforms. We therefore strongly recommend that you maintain a suppression list of unsubscribed email addresses, which you take with you if you switch email marketing platforms. That way, any email address which was earlier deleted is less likely to be added to the new platform as subscribed.

If you are unsure about the process to go through when fulfilling right to erasure requests, then please contact support@rais.io for help! 

RIGHT TO RESTRICT PROCESSING REQUESTS

A data subject may request that the Controller ceases processing the personal data it holds about them. In such cases We will enable the Controller to retain only the amount of personal data pertaining to that data subject that is necessary to ensure that no further processing of their personal data takes place.

Simply put, this means that we provide You with the ability to unsubscribe the data subject from all marketing activities. This will continue to allow Us to process any future transactions that the data subject may make, in order for you to carry out business performance analysis.

RIGHT OF DATA PORTABILITY REQUESTS

A data subject may request that the Controller provides them with a copy of the personal data held on them in order to transfer it to another Data Controller. In such cases our export feature, mentioned above in the Right of Access section, will enable this to happen, as You will be able to export data from RAIS and provide it to the data subject. 

RIGHT TO OBJECT REQUESTS

A data subject has the right to object to the Controller processing their personal data based on a) legitimate interests (including profiling), b) direct marketing (including profiling), and c) processing for scientific and/or historical research and statistics purposes. 

In the case of legitimate interest, unless You can prove otherwise, You will have to stop processing by using Our delete feature that will anonymise the data subject and their data.

In the case of direct marketing, You will have to stop processing by using Our delete feature that will anonymise the data subject and their data. 

In the case of processing for scientific and/or historical research and statistics purposes, the data subject must, ‘demonstrate grounds relating to his or her particular situation’. This is a harder one to manage. Depending on the grounds the data subject provides, You can either choose to use the delete feature to anonymise them or the unsubscribe feature to maintain processing for analysis purposes but stop processing for marketing purposes. 

RIGHTS RELATING TO AUTOMATED DECISION-MAKING

This is an important one. The GDPR states that:

In the event that the Controller uses personal data for the purposes of automated decision-making and those decisions have a legal (or similarly significant) effect on data subjects, data subjects have the right to challenge such decisions under the Regulation, requesting human intervention, expressing their own point of view, and obtaining an explanation of the decision from the Company.

Firstly, the automated decision-making we provide you with includes our automated analysis of data subjects and subsequent assignment of data subjects to segments (e.g. lifecycle segments, email marketing segments etc.), which creates metadata tags about the data subject.

But importantly, you decide how to use this metadata. It is not automatically used in an autonomous manner. We therefore do not believe that any processes You deploy which use these automatically generated metadata have a legal (or similarly significant effect) on data subjects. 

A legal effect might include whether or not to grant a data subject a loan, mortgage, etc., based on the data subject inputting data into an online form and an algorithm automatically processing that data and deciding whether to grant the loan or not. You can see in such cases how such automated processing can have a legal or similar effect on a data subject, and how there is no human interaction involved at all.