Data Processing Agreement

Customer and PrintNode have entered into a services agreement (Master Agreement) that may require PrintNode to process Personal Data on behalf of Customer.

This Personal Data Processing Agreement (DPA) sets out the additional terms, requirements and conditions on which PrintNode will process Personal Data when providing services to Customer under the Master Agreement.

This DPA contains the mandatory clauses required by Article 28(3) of the assimilated EU law version of the General Data Protection Regulation ((EU) 2016/679) (UK GDPR) for contracts between Controllers and Processors.

1 Definitions and interpretation

The following definitions and rules of interpretation apply in this DPA.

1.1
“Business Purposes” means the services to be provided by PrintNode to Customer as described in the Master Agreement and any other purpose specifically identified in §16.2.
1.2
“Commissioner” means the Information Commissioner (see Article 4(A3), UK GDPR and section 114, DPA 2018).
1.3
“Controller, Processor, Data Subject, Personal Data, Personal Data Breach and processing” have the meanings given to them in the Data Protection Legislation.
1.4
“Customer” means Customer of PrintNode and the party to a Master Agreement.
1.5
“Customer Personal Data” means any Personal Data which PrintNode processes in connection with this DPA, in the capacity of a Processor on behalf of Customer as set out in §16.1.2.
1.6
“Data Protection Legislation” means all applicable data protection and privacy legislation in force from time to time in the UK including without limitation: the UK GDPR; the Data Protection Act 2018 (and regulations made thereunder) (DPA 2018); and the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426) as amended.
1.7
“PrintNode” means PrintNode Limited, a company incorporated and registered in England and Wales with company number 10383892, whose registered office is at 2 Manor Farm Court Old Wolverton Road, Old Wolverton, Milton Keynes, Buckinghamshire, England, MK12 5NN.
1.8
“PrintNode Personal Data” means any Personal Data which PrintNode processes in connection with this DPA, in the capacity of a Controller as set out in §16.1.1.
1.9
“Records” has the meaning given to it in §12.1.
1.10
“Subcontractor” has the meaning given to it in §8.1.
1.11
“Term” means this DPA’s term as defined in §10.1.2.
1.12
“UK GDPR” has the meaning given to it in section 3(10) (as supplemented by section 205(4)) of the DPA 2018.
1.13
This DPA is subject to the terms of the Master Agreement and is incorporated into the Master Agreement. Interpretations and defined terms set forth in the Master Agreement apply to the interpretation of this DPA.
1.14
The Annexes form part of this DPA and will have effect as if set out in full in the body of this DPA. Any reference to this DPA includes the Annexes.
1.15
A reference to writing or written includes email.
1.16
In the case of conflict or ambiguity between:
1.16.1
any provision contained in the body of this DPA and any provision contained in the Annexes, the provision in the body of this DPA will prevail; and
1.16.2
any of the provisions of this DPA and the provisions of the Master Agreement, the provisions of this DPA will prevail.

2 Personal Data types and processing purposes

2.1
Customer and PrintNode agree and acknowledge that for the purpose of the Data Protection Legislation:
2.1.1
PrintNode is the Controller of the PrintNode Personal Data;
2.1.2
Customer is the Controller and PrintNode is the Processor of Customer Personal Data;
2.1.3
Customer retains control of Customer Personal Data and remains responsible for its compliance obligations under the applicable Data Protection Legislation, including but not limited to providing any required notices and obtaining any required consents, and for the written processing instructions it gives to PrintNode; and
2.1.4
in relation to Customer Personal Data, §16.2 describes the subject matter, duration, nature and purpose of the processing and Customer Personal Data categories and Data Subject types in respect of which PrintNode may process Customer Personal Data to fulfil the Business Purposes.
2.2
Should the determination in §2.1.1 or §2.1.2 change, each party shall work together in good faith to make any changes which are necessary to §1, §2, §16 and/or §17.
2.3
Customer will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the PrintNode Personal Data and Customer Personal Data to PrintNode and lawful collection of the same by PrintNode for the duration and purposes of this DPA.

3 PrintNode’s obligations

3.1
PrintNode will only process Customer Personal Data to the extent, and in such a manner, as is necessary for the Business Purposes in accordance with Customer’s written instructions. PrintNode will not process Customer Personal Data for any other purpose or in a way that does not comply with this DPA or the Data Protection Legislation. PrintNode must promptly notify Customer if, in its opinion, Customer’s instructions do not comply with the Data Protection Legislation.
3.2
PrintNode must comply promptly with any written instructions from Customer requiring PrintNode to amend, transfer, delete or otherwise process Customer Personal Data, or to stop, mitigate or remedy any unauthorised processing.
3.3
PrintNode will maintain the confidentiality of Customer Personal Data and will not disclose Customer Personal Data to third parties unless Customer or this DPA specifically authorises the disclosure, or as required by domestic law, court or regulator (including the Commissioner). If a domestic law, court or regulator (including the Commissioner) requires PrintNode to process or disclose Customer Personal Data to a third party, PrintNode must first inform Customer of such legal or regulatory requirement and give Customer an opportunity to object or challenge the requirement, unless the domestic law prohibits the giving of such notice.

4 PrintNode’s personnel

4.1
PrintNode will ensure that all of its personnel engaged in the processing of Customer Personal Data:
4.1.1
are informed of the confidential nature of Customer Personal Data and are bound by confidentiality obligations and use restrictions in respect of Customer Personal Data;
4.1.2
have undertaken training on the Data Protection Legislation relating to handling Customer Personal Data and how it applies to their particular duties; and
4.1.3
are aware both of PrintNode’s duties and their personal duties and obligations under the Data Protection Legislation and this DPA.

5 Security

5.1
PrintNode must at all times implement appropriate technical and organisational measures against unauthorised or unlawful processing, access, copying, modification, reproduction, display or distribution of Customer Personal Data, and against accidental or unlawful loss, destruction, alteration, disclosure or damage of Customer Personal Data, including, but not limited to, the security measures set out in §17.
5.2
Customer acknowledges and agrees that it has reviewed the security measures in §17 and it confirms that those measures are appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any security measures.

6 Personal Data Breach

6.1
PrintNode will within 48 hours and in any event without undue delay notify Customer if it becomes aware of:
6.1.1
the loss, unintended destruction or damage, corruption, or unusability of part or all of Customer Personal Data. To the extent reasonably practicable, PrintNode will restore such Customer Personal Data at its own expense as soon as possible;
6.1.2
any accidental, unauthorised or unlawful processing of Customer Personal Data; or
6.1.3
any Personal Data Breach.
6.2
Where PrintNode becomes aware of §6.1.1, §6.1.2 and/or §6.1.3 above, it shall, without undue delay, also provide Customer with the following information:
6.2.1
description of the nature of §6.1.1, §6.1.2 and/or §6.1.3, including, to the extent possible, the categories of in-scope Customer Personal Data and approximate number of both Data Subjects and Customer Personal Data records concerned;
6.2.2
the likely consequences; and
6.2.3
a description of the measures taken or proposed to be taken to address §6.1.1, §6.1.2 and/or §6.1.3, including measures to mitigate its possible adverse effects.
6.3
Immediately following any accidental, unauthorised or unlawful Customer Personal Data processing or Personal Data Breach, the parties will co-ordinate with each other to investigate the matter. Further, PrintNode will reasonably co-operate with Customer in its handling of the matter, including:
6.3.1
assisting with any investigation;
6.3.2
facilitating interviews with PrintNode’s employees, former employees and others involved in the matter including its officers and directors;
6.3.3
making available all relevant records, logs, files, data reporting and other materials required to comply with all Data Protection Legislation or as otherwise reasonably required by Customer; and
6.3.4
taking reasonable and prompt steps to mitigate the effects and to minimise any damage resulting from the Personal Data Breach or accidental, unauthorised or unlawful Customer Personal Data processing.
6.4
PrintNode will not inform any third party of any accidental, unauthorised or unlawful processing of all or part of Customer Personal Data and/or a Personal Data Breach without first obtaining Customer’s written consent, except when required to do so by domestic law.
6.5
PrintNode agrees that Customer has the sole right to determine whether to provide notice of the accidental, unauthorised or unlawful processing and/or the Personal Data Breach to any Data Subjects, the Commissioner, other in-scope regulators, law enforcement agencies or others, as required by law or regulation or in Customer’s discretion, including the contents and delivery method of the notice. Customer shall not offer any remedy to affected Data Subjects without the prior written approval of PrintNode, such approval not to be unreasonably withheld or delayed.
6.6
PrintNode will cover all reasonable expenses associated with the performance of the obligations under §6.1 to §6.3 unless the matter arose from Customer’s specific written instructions, negligence, wilful default or breach of this DPA, in which case Customer will cover all reasonable expenses.
6.7
PrintNode will also reimburse Customer for actual reasonable expenses that Customer incurs when responding to an incident of accidental, unauthorised or unlawful processing and/or a Personal Data Breach to the extent that PrintNode caused such, including reasonable costs of notice and any remedy as set out in §6.5.

7 Cross-border transfers of Personal Data

7.1
PrintNode (and any Subcontractor) may transfer or otherwise process the Customer Personal Data outside the UK without obtaining Customer’s prior written consent, but only in accordance with Customer’s instructions.
7.2
PrintNode may only process, or permit the processing of, the Customer Personal Data outside the UK under the following conditions:
7.2.1
PrintNode is processing or permitting the processing of the Customer Personal Data in a territory which is subject to adequacy regulations under the Data Protection Legislation that the territory provides adequate protection for the privacy rights of individuals; or
7.2.2
PrintNode participates in a valid cross-border transfer mechanism under the Data Protection Legislation, so that PrintNode (and, where appropriate, Customer) can ensure that appropriate safeguards are in place to ensure an adequate level of protection with respect to the privacy rights of individuals as required by Article 46 of the UK GDPR.

8 Subcontractors

8.1
PrintNode may only authorise a third party (Subcontractor) to process the Customer Personal Data if:
8.1.1
the Subcontractor is listed in §16.3 or Customer is provided with an opportunity to object to the appointment of each Subcontractor within 14 working days after PrintNode supplies Customer with full details in writing regarding such Subcontractor;
8.1.2
PrintNode enters into a written contract with the Subcontractor that contains terms substantially the same as those set out in this DPA, in particular, in relation to requiring appropriate technical and organisational data security measures, and, upon Customer’s written request, provides Customer with copies of the relevant excerpts from such contracts; and
8.1.3
PrintNode maintains control over all of the Customer Personal Data it entrusts to the Subcontractor.
8.2
Where Customer objects to the appointment of any new Subcontractor pursuant to §8.1.1, PrintNode may terminate the Master Agreement with immediate effect by giving written notice to Customer.

9 Complaints, Data Subject requests and third-party rights

9.1
PrintNode must take such technical and organisational measures as may be appropriate, and promptly provide such information to Customer as Customer may reasonably require, to enable Customer to comply with:
9.1.1
the rights of Data Subjects under the Data Protection Legislation, including subject access rights, the rights to rectify, port and erase Customer Personal Data, object to the processing and automated processing of Customer Personal Data, and restrict the processing of Customer Personal Data; and
9.1.2
information or assessment notices served on Customer by the Commissioner under the Data Protection Legislation.
9.2
PrintNode must notify Customer immediately in writing if it receives any complaint, notice or communication that relates directly or indirectly to the processing of the Customer Personal Data or to either party’s compliance with the Data Protection Legislation.
9.3
PrintNode must notify Customer immediately if it receives a request from a Data Subject for access to their Customer Personal Data or to exercise any of their other rights under the Data Protection Legislation.
9.4
PrintNode will give Customer, at Customer’s cost, its full co-operation and assistance in responding to any complaint, notice, communication or Data Subject request.
9.5
PrintNode must not disclose the Customer Personal Data to any Data Subject or to a third party other than in accordance with Customer’s written instructions, or as required by domestic law.

10 Term and termination

10.1
This DPA will remain in full force and effect so long as:
10.1.1
the Master Agreement remains in effect; or
10.1.2
PrintNode retains any of the Customer Personal Data related to the Master Agreement in its possession or control (“Term”).
10.2
Any provision of this DPA that expressly or by implication should come into or continue in force on or after termination of the Master Agreement in order to protect the Customer Personal Data will remain in full force and effect.
10.3
If PrintNode fails to comply with the terms of this DPA, Customer may, without prejudice to any other right or remedy available to it, terminate the Master Agreement immediately on written notice to PrintNode without further liability or obligation.

11 Data return and destruction

11.1
At Customer’s request, PrintNode will give Customer, or a third party nominated in writing by Customer, a copy of or access to all or part of the Customer Personal Data in its possession or control in the format and on the media reasonably specified by Customer.
11.2
On termination of the Master Agreement for any reason or expiry of its term, PrintNode will securely delete or destroy or, if directed in writing by Customer within 10 working days of such date, return and not retain, all or any of the Customer Personal Data related to this DPA in its possession or control.
11.3
If any law, regulation, or government or regulatory body requires PrintNode to retain any documents or materials or Customer Personal Data that PrintNode would otherwise be required to return or destroy, it will notify Customer in writing of that retention requirement, giving details of the documents, materials or Customer Personal Data that it must retain, the legal basis for retention, and establishing a specific timeline for deletion or destruction once the retention requirement ends.
11.4
PrintNode will certify in writing to Customer that it has destroyed the Customer Personal Data within five days after it completes the deletion or destruction.

12 Records

12.1
PrintNode will maintain records regarding PrintNode’s (and any Subcontractor’s) processing of the Customer Personal Data (“Records”).
12.2
PrintNode will ensure that the Records are sufficient to enable Customer to verify PrintNode’s compliance with its obligations under this DPA and PrintNode will provide Customer with copies of the Records upon request.
12.3
Customer and PrintNode must review the information listed in the Annexes to this DPA whenever requested by Customer to confirm its current accuracy and update it when required to reflect current practices.

13 Audit

13.1
PrintNode will permit Customer and/or its third-party representatives to conduct reasonable audits of PrintNode’s compliance with its obligations under this DPA, on reasonable written notice at a frequency of not more than once per year.
13.2
The frequency restrictions set out in §13.1 shall not apply where Customer is directly required by the Commissioner or other in-scope regulator to audit PrintNode’s compliance with its obligations under this DPA.

14 Warranties

14.1
PrintNode warrants and represents that:
14.1.1
its personnel engaged in the processing of Customer Personal Data and any other person or persons processing the Customer Personal Data on its behalf are reliable and trustworthy and have received the required training on the Data Protection Legislation;
14.1.2
it and anyone operating on its behalf will process the Customer Personal Data in compliance with the Data Protection Legislation and other laws, enactments, regulations, orders, standards and other similar instruments; and
14.1.3
it has no reason to believe that the Data Protection Legislation prevents it from providing any of the Master Agreement’s contracted services.
14.2
Customer warrants and represents that PrintNode’s expected use of the Customer Personal Data for the Business Purposes and as specifically instructed by Customer will comply with the Data Protection Legislation.

15 Limitation of liability

15.1
Nothing in this DPA will exclude, limit or restrict PrintNode’s liability for:
15.1.1
death or personal injury caused by its negligence;
15.1.2
fraud or fraudulent misrepresentation; or
15.1.3
any other liability which may not be limited or excluded by law.
15.2
Subject to §15.1, PrintNode shall not be liable to Customer for any of the following loss or damage, in each case arising out of or in connection with this DPA (including without limitation as a result of breach of contract, negligence or any other tort, under statute or otherwise), and regardless of whether PrintNode knew or had reason to know of the possibility of the loss, injury or damage in question:
15.2.1
any loss (whether direct or indirect) of revenue or profits;
15.2.2
any loss (whether direct or indirect) of anticipated savings;
15.2.3
any loss (whether direct or indirect) of goodwill or injury to reputation;
15.2.4
any loss (whether direct or indirect) of business opportunity;
15.2.5
any data losses (whether direct or indirect);
15.2.6
any loss (whether direct or indirect) of or corruption to data, software or information; or
15.2.7
indirect or consequential loss or damage.
15.3
Subject to §15.1 and §15.2 the aggregate liability of PrintNode (including, but not limited to, its respective partners, officers, employees, contractors, directors, subcontractors and agents) under or in connection with this DPA whether in contract, tort (including, but not limited to, negligence) or otherwise shall be limited to £25,000 (twenty-five thousand pounds sterling).

This DPA has been entered into on the date the Master Agreement is executed.

16 Annex A — Personal Data processing purposes and details

16.1
Role of the parties:
16.1.1
Where PrintNode acts as a Controller:
16.1.1.1
when processing PrintNode Personal Data contained within correspondence between Customer or Customer’s staff, PrintNode’s staff and/or documents relating to the establishment, management, audit, operation, and communication (on which PrintNode may wish to rely to establish its rights and liabilities under the Master Agreement) in respect of the Master Agreement for the provision of the contracted services; and
16.1.1.2
when processing PrintNode Personal Data of Customer or Customer’s staff for marketing purposes.
16.1.2
Where PrintNode acts as a Processor:

Save as set out in §16.1.1, when processing the Customer Personal Data of Data Subjects whose Personal Data is collected through the services provisioned under the Master Agreement.

16.2
Particulars of processing:
16.2.1
Subject matter of processing: the performance of PrintNode’s duties under the Master Agreement.
16.2.2
Duration of processing: for the term of the Master Agreement and for such time afterwards as required for the parties to exercise their rights and obligations under §11.
16.2.3
Nature of processing: the processing of Customer Personal Data to enable PrintNode to comply with its duties under the Master Agreement.
16.2.4
Business Purposes: to enable PrintNode to perform its duties under the Master Agreement.
16.2.5
Personal Data categories: identity data, contact details and such other Personal Data categories as relevant.
16.2.6
Data Subject types: Customer’s staff, clients or customers of Customer and/or such clients’ or customers’ staff and such other Data Subjects whose Personal Data is processed by PrintNode in connection with the performance of its duties under the Master Agreement.
16.3
Approved Subcontractors: PrintNode does not use any Subcontractors to process Customer Personal Data.

17 Annex B — Security measures

17.1
Encryption at rest: Customer Personal Data is always encrypted when stored on an SSD, HDD or other non-volatile storage medium.
17.2
Encryption in transit: Customer Personal Data is always encrypted when transmitted over a public network. This includes transmission of data in API calls, transmission of printing data to the PrintNode Client and transmission of data between PrintNode systems for backup and replication purposes.
17.3
Secure datacentres: PrintNode’s servers are colocated in secure data centres. Physical access to PrintNode’s servers is permitted only for PrintNode authorised personnel or for data centre staff who carry out maintenance, configuration or repair services on PrintNode’s instructions.
17.4
Network security (firewalls, VPN): PrintNode’s networks are firewalled and configured for minimal attack surface. Administrative access is only allowed through a corporate VPN.
17.5
Minimal retention: PrintNode discards Customer Personal Data as soon as it is no longer required to perform the services as described in the Master Agreement.
17.6
Secure disposal of assets: Physical assets which have stored Customer Personal Data are securely erased and/or physically destroyed when they cease to be used by PrintNode.
17.7
Security policy (passwords, removable media etc.): PrintNode’s internal security policy enforces best security practices, including usage of strong passwords, restrictions on mobile device usage, the principle of least privilege for logical access to systems and services and usage of multi-factor authentication.
17.8
Need-to-access basis: PrintNode employees have access to Customer Personal Data only to the extent necessary to perform their duties.
17.9
No testing on live data: PrintNode does not use real data for testing purposes.
17.10
Secure server config: PrintNode’s servers, network devices and other infrastructure are deployed with a secure default configuration which disables unused services, network ports and other potential attack vectors.
17.11
Code testing and review: PrintNode’s software development methodology mandates both automated and manual code review as well as automated testing.