DATA PROCESSING AGREEMENT
This Data Processing Agreement (Agreement) sets out the terms, requirements and conditions on which JACK ROE (C.S.) LIMITED (a company incorporated and registered in England and Wales with company number 03265265) or, as the context requires, TAPOS SOFTWARE LIMITED (a company incorporated and registered in England and Wales with company number 14009359), will process Customer Personal Data (as defined below) under the Software Licence and Support Agreement for the licence, maintenance and support of the “TaPoS” software between you, the customer (Customer), and the Provider (as defined below) (Master Agreement).
This Agreement contains the mandatory clauses required by Article 28(3) of the retained EU law version of the General Data Protection Regulation ((EU) 2016/679) for contracts between controllers and processors and the General Data Protection Regulation ((EU) 2016/679).
This Agreement is supplemental to, and forms an integral part of, the Master Agreement and is effective upon its incorporation into the Master Agreement, as specified in the Master Agreement.
We may update this Agreement from time to time. We will let you know when we do by email.
1.1 The following definitions apply in this Agreement.
- Applicable Laws means:
- to the extent the UK GDPR applies, the law of the United Kingdom or of a part of the United Kingdom; or
- to the extent EU GDPR applies, the law of the European Union or any member state of the European Union to which the Provider is subject.
- controller, processor, data subject, personal data, personal data breach and processing shall have the meaning given to them in the UK GDPR.
- Customer Personal Data any personal data which the Provider processes in connection with the Master Agreement, in the capacity of a processor on behalf of the Customer.
- Data Protection Laws means:
- to the extent the UK GDPR applies, the law of the United Kingdom or of a part of the United Kingdom which relates to the protection of personal data; or
- to the extent the EU GDPR applies, the law of the European Union or any member state of the European Union to which the Provider is subject, which relates to the protection of personal data.
- EU GDPR the General Data Protection Regulation ((EU) 2016/679).
- Provider the licensor of the “TaPoS” software and provider of maintenance and support services in respect of the same as provided for under the Master Agreement, being either Jack Roe (C.S.) Limited (company number 03265265) or Tapos Software Limited (company number 14009359).
- UK GDPR has the meaning given to it in the Data Protection Act 2018.
1.2 This Agreement is subject to the terms of the Master Agreement and is incorporated into the Master Agreement.
In the case of conflict or ambiguity between any of the provisions of this Agreement and the provisions of the Master Agreement, the provisions of this Agreement will prevail.
2.1 The Provider and the Customer will comply with all applicable requirements of Data Protection Laws. This clause 2 is in addition to, and does not relieve, remove or replace, a party’s obligations or rights under Data Protection Laws.
The parties have determined that, for the purposes of Data Protection Laws, the Provider shall process the Customer Personal Data as a processor on behalf of the Customer. Should this determination change, then each party shall work together in good faith to make any changes which are necessary to this clause 2.
2.2 Without prejudice to the generality of clause 2.1, the Customer will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the Customer Personal Data to the Provider and lawful collection of the same by the Provider for the duration and purposes of this Agreement.
The table below sets out the scope, nature and purpose of processing of Customer Personal Data by the Provider, the duration of the processing and the types of personal data and categories of data subject.
Scope, nature and purpose of processing
Processing Customer Personal Data as necessary to provide the services to the Customer in accordance with the Master Agreement
Duration of processing
The term of this Agreement (as described in clause 3.1)
Categories of data subject
Customers and potential customers of the Customer, including individuals who purchase cinema tickets or other items from the Customer, who sign up to the Customer’s site, membership or loyalty programme, or who otherwise provide their data to the Customer.
Types of personal data
Names, addresses, email addresses, phone numbers, [data required for payment processing such as home/billing address and account details, user data, membership and loyalty information, details of sales concluded using the Provider’s software, personal information such as the number of people in the data subject’s household and behavioural information including preferences and purchasing habits and any other personal data which the Customer asks the data subjects to provide as part of the Customer’s configuration of the software.
2.3 Without prejudice to the generality of clause 2.1 the Provider shall, in relation to Customer Personal Data:
(a) process that Customer Personal Data only on the documented instructions of the Customer, which shall be to process the Customer Personal Data for the purposes set out in the table at clause 2.4, unless the Provider is required by Applicable Laws to otherwise process that Customer Personal Data. Where the Provider is relying on Applicable Laws as the basis for processing Customer Processor Data, the Provider shall notify the Customer of this before performing the processing required by the Applicable Laws unless those Applicable Laws prohibit the Provider from so notifying the Customer on important grounds of public interest. The Provider shall inform the Customer if, in the opinion of the Provider, the instructions of the Customer infringe Applicable Data Protection Legislation;
implement appropriate technical and organisational measures to protect against unauthorised or unlawful processing of Customer Personal Data and against accidental loss or destruction of, or damage to, Customer Personal Data, having regard to the state of technological development and the cost of implementing any measures;
(b) ensure that any personnel engaged and authorised by the Provider to process Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory or common law obligation of confidentiality;
assist the Customer insofar as this is possible (taking into account the nature of the processing and the information available to the Provider), and at the Customer’s cost and written request, in responding to any request from a data subject and in ensuring the Customer’s compliance with its obligations under Data Protection Laws with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators;
(c) notify the Customer without undue delay on becoming aware of a personal data breach involving the Customer Personal Data;
at the written direction of the Customer, delete or return Customer Personal Data and copies thereof to the Customer on termination of the Master Agreement unless the Provider is required by Applicable Law to continue to process that Customer Personal Data. For the purposes of this clause 2.5(f) Customer Personal Data shall be considered deleted where it is put beyond further use by the Provider; and
(d) maintain records to demonstrate its compliance with this clause 2 and allow for reasonable audits by the Customer or the Customer’s designated auditor, for this purpose, on reasonable written notice.
2.4 The Customer hereby provides its prior, general authorisation for the Provider to:
(a) appoint processors to process the Customer Personal Data, provided that the Provider:
(i) shall ensure that the terms on which it appoints such processors comply with Data Protection Laws, and are consistent with the obligations imposed on the Provider in this clause 2;
shall remain responsible for the acts and omission of any such processor as if they were the acts and omissions of the Provider; and
(ii) shall inform the Customer of any intended changes concerning the addition or replacement of the processors, thereby giving the Customer the opportunity to object to such changes provided that if the Customer objects to the changes and cannot demonstrate, to the Provider’s reasonable satisfaction, that the objection is due to an actual or likely breach of Applicable Data Protection Law, the Customer shall indemnify the Provider for any losses, damages, costs (including legal fees) and expenses suffered by the Provider in accommodating the objection; and
(b) transfer Customer Personal Data outside of the UK as required in connection with the performance of the Services, provided that the Provider shall ensure that all such transfers are effected in accordance with Data Protection Laws.
3.1 This Agreement will remain in full force and effect so long as the Master Agreement remains in effect or the Provider retains any of the Personal Data related to the Master Agreement in its possession or control.
Any provision of this Agreement that expressly or by implication should come into or continue in force on or after termination of the Master Agreement in order to protect the Personal Data will remain in full force and effect.
4.1 The Provider may vary this Agreement by giving at least 30 days’ prior written notice to the Customer.
Notwithstanding anything to the contrary contained in the Master Agreement, the Provider may give notice of a change to this Agreement by email and such notice shall be deemed at the time of transmission.