Terms and Conditions

Data Processing Addendum

DATA PROCESSING ADDENDUM FOR SPRINTLAW UK

Version Date: 20 September 2024

This Data Processing Addendum for Sprintlaw (“DPA”) is incorporated into and forms part of the Agreement and Engagement Letter between Sprintlaw (UK) Ltd (“Sprintlaw”, “Processor”, “we”, or “us”) and the Customer (“Controller” or “you”). This DPA outlines the terms under which Sprintlaw processes Personal Data on behalf of the Customer in accordance with applicable Data Protection Laws. In the event of any conflict, the following order of precedence applies: (a) UK International Data Transfer Agreement (IDTA) or International Data Transfer Addendum; (b) this DPA; (c) any documents attached to the DPA; and (d) the Agreement.

1. DEFINITIONS

For the purposes of this DPA:

1.1 “Controller”, “Processor”, “Data Subject”, and other relevant terms have the meanings assigned under the applicable Data Protection Laws.

1.2 “Data Protection Laws” refer to all applicable laws related to privacy, data protection, and data security, including the GDPR, UK GDPR, the Data Protection Act 2018, PECR, and other relevant legislation governing the processing of personal data under this Agreement.

1.3 “Personal Data” means any information relating to an identified or identifiable natural person that is processed under this Agreement.

1.4 “Special Categories of Data” are defined under GDPR, including data related to health, which require additional protections and lawful bases for processing.

2. SCOPE AND PURPOSES OF PROCESSING

2.1 Roles of the Parties: The Customer acts as the Controller, and Sprintlaw serves as the Processor for the processing of Personal Data. This DPA applies to Sprintlaw’s processing activities on behalf of the Customer as detailed in the Agreement.

2.2 Scope and Purpose: The processing of Personal Data is strictly limited to providing the services outlined in the Agreement, including the use of our eSignature tool and associated legal services. Sprintlaw processes Personal Data solely based on documented instructions from the Customer.

2.3 Processing Special Categories of Data: When processing Special Categories of Data, including sensitive information, Sprintlaw will:

• Adhere to the Customer’s documented instructions.

• Implement appropriate security measures to ensure the protection of such data.

3. RESPONSIBILITIES OF THE CUSTOMER

3.1 Lawful Basis for Processing: The Customer ensures that it has a lawful basis for processing Personal Data, including obtaining explicit consent from Data Subjects where necessary, especially for Special Categories of Data.

3.2 Data Subject Rights: The Customer is responsible for managing Data Subject rights requests, including access, rectification, erasure, and restriction of processing, in compliance with GDPR and other applicable Data Protection Laws.

3.3 Data Protection Impact Assessments (DPIAs): The Customer will conduct DPIAs where required and inform Sprintlaw of any processing activities that may pose high risks to Data Subjects’ rights and freedoms.

3.4 Instructions for Processing: The Customer will provide clear and documented instructions for Sprintlaw to follow when processing Personal Data, including any specific requirements for Special Categories of Data.

4. RESPONSIBILITIES OF SPRINTLAW

Sprintlaw commits to:

4.1 Confidentiality: Ensure that all personnel authorised to process Personal Data are bound by confidentiality obligations.

4.2 Notification of Issues: Promptly inform the Customer of any concerns or issues related to the processing of Personal Data.

4.3 Assistance with Assessments: Support the Customer in conducting Data Protection Impact Assessments (DPIAs) as required by Data Protection Laws, particularly for high-risk processing activities.

4.4 Processing Special Categories of Data:

• Sprintlaw will process such data strictly according to the Customer’s documented instructions and in compliance with this DPA.

• Implement appropriate security measures to protect Special Categories of Data.

5. DATA SECURITY

Sprintlaw will implement robust technical and organisational measures to safeguard Personal Data, including:

5.1 Security Measures: Employ appropriate security protocols such as encryption and access controls to protect Personal Data from unauthorised access or breaches.

5.2 Regular Assessments: Conduct periodic security assessments and audits to ensure ongoing compliance with GDPR Article 32.

6. DATA BREACH NOTIFICATION

6.1 Breach Reporting: Sprintlaw will notify the Customer promptly in the event of a Data Breach involving Personal Data.

6.2 Breach Mitigation: Sprintlaw will take immediate steps to mitigate any risks associated with the breach and support the Customer in fulfilling its notification obligations under GDPR.

7. SUB-PROCESSORS

7.1 Use of Sub-Processors: The Customer authorises Sprintlaw to engage sub-processors to deliver certain services. Sprintlaw ensures that sub-processors adhere to data protection obligations consistent with this DPA and Data Protection Laws.

7.2 Sub-Processor List: Sprintlaw maintains an updated list of sub-processors available here and will notify the Customer of any significant changes. The Customer retains the right to object to new sub-processors if there are legitimate concerns regarding Data Protection Laws.

7.3 Example Sub-Processor: Sprintlaw may utilise partners such as Annature Pty Ltd for specific services like eSignature. All sub-processors handle Personal Data in compliance with this DPA and relevant Data Protection Laws under a Sub-Processor Agreement.

8. INTERNATIONAL DATA TRANSFERS

Sprintlaw may transfer Personal Data outside the UK only when necessary and in compliance with Data Protection Laws. Such transfers will be conducted using appropriate safeguards, such as the UK International Data Transfer Agreement (IDTA) or other lawful bases under Data Protection Laws.

9. DATA RETENTION AND DELETION

9.1 Retention Period: Sprintlaw will retain Personal Data only for the duration necessary to fulfil the purposes outlined in the Agreement, unless a longer retention period is required by law.

9.2 Deletion or Return of Data: Upon termination or expiration of the Agreement, Sprintlaw will either delete or return all Personal Data, at the Customer’s discretion.

10. AUDIT RIGHTS

Sprintlaw agrees to provide reasonable assistance to the Customer in demonstrating compliance with this DPA and applicable Data Protection Laws. The Customer may request audits annually, with reasonable prior notice, to review Sprintlaw’s processing activities.

11. MISCELLANEOUS

11.1 Amendments: Any amendments to this DPA must be made in writing and signed by both parties.

11.2 Governing Law: This DPA is governed by the laws of the United Kingdom.
