This Data Processing Agreement (the “Agreement”) is between a supplier (the “Supplier”) which is providing services to Brave Bison and the respective company within the Brave Bison group (“Brave Bison”).
This Agreement applies to Personal Data that the Supplier Processes on behalf of Brave Bison and Brave Bison Customers as part of the Purposes.
This Agreement is issued on behalf of Brave Bison so when we mention “Brave Bison” in this Agreement, we are referring to the relevant trader in the Brave Bison group. For information purposes, Brave Bison trades through Brave Bison Limited, Greenlight Digital Limited, Greenlight Commerce Limited, Social Chain Limited and Best Response Media Limited. Brave Bison, and its relevant traders, are incorporated and registered in England and Wales.
These provisions set out the additional terms, requirements and conditions on which the Supplier will Process Personal Data when providing services to Brave Bison and its customers provided pursuant to any agreement or statement of work between the parties (the “Supplier Agreement”). By continuing to receive the services, the Supplier agrees to the terms of this Agreement and such terms shall form part of the Supplier Agreement. This Agreement contains the mandatory clauses required by Article 28(3) of the retained UK law version of the General Data Protection Regulation ((EU) 2016/679) (UK GDPR) for contracts between controllers and processors.
1. Definitions and interpretation
The following definitions and rules of interpretation apply in this Agreement.
1.1 Definitions
Affiliate | means with respect to a party, any other person controlling, controlled by, or under common control with, such party, for only so long as such control exists. For these purposes, “control” shall refer to: (i) the possession, directly or indirectly, of the power to direct the management or policies of a person, whether through the ownership of voting securities, by contract or otherwise, or (ii) the ownership, directly or indirectly, of more than 50 percent (50%) of the voting securities or other ownership interest of a person. |
Brave Bison Customer | means a customer (or its Affiliate) of any company within the Brave Bison Group, on whose behalf Brave Bison is processing Personal Data. |
Brave Bison Group | means any company which is an Affiliate of Brave Bison |
Commissioner | the Information Commissioner (see Article 4(A3), UK GDPR and section 114, DPA 2018). |
Controller, Processor, Data Subject, Personal Data and Personal Data Breach | have the meanings given to them in the Data Protection Legislation. |
Data Protection Legislation | all applicable data protection and privacy legislation in force from time to time in the UK including without limitation the UK GDPR. the Data Protection Act 2018 (and regulations made thereunder) (DPA 2018). the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426) as amended. [and all other legislation and regulatory requirements in force from time to time which apply to a party relating to the use of Personal Data (including, without limitation, the privacy of electronic communications). and the guidance and codes of practice issued by the Commissioner or other relevant regulatory authority and which are applicable to a party. |
Data Subject | the identified or identifiable living individual to whom the Personal Data relates. |
Processing, Processes, Processed, Process | any activity that involves the use of the Personal Data. It includes, but is not limited to, any operation or set of operations which is performed on the Personal Data or on sets of the Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. Processing also includes transferring the Personal Data to third parties. |
Purposes | the Services to be provided by the Supplier to Brave Bison, any member of the Brave Bison Group and Brave Bison Customers as described in this Agreement and the accompanying Supplier Agreement. |
Standard Contractual Clauses (SCCs) | the ICO's International Data Transfer Agreement for the transfer of personal data from the UK and the ICO's International Data Transfer Agreement to EU Commission Standard Contractual Clauses and the European Commission's Standard Contractual Clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 as set out in the Annex to Commission Implementing Decision (EU) 2021/914 and the European Commission's Standard Contractual Clauses for the transfer of Personal Data from the European Union to processors established in third countries (controller-to-processor transfers), as set out in the Annex to Commission Decision 2010/87/EU as adapted for the UK, a completed copy of which comprises Annex B[or such alternative clauses as may be approved by the European Commission or by the UK from time to time. |
Term | this Agreement’s term as defined in Clause 7. |
UK GDPR | has the meaning given to it in section 3(10) (as supplemented by section 205(4)) of the DPA 2018. |
1.2 Interpretations and defined terms set forth in the Supplier Agreement apply to the interpretation of this Agreement.
1.3 In the case of conflict or ambiguity between other agreements and this Agreement relating to Data Protection Legislation, this Agreement prevails. Any terms not defined in this Agreement have the meanings given to them in Data Protection Legislation.
2. Personal Data types and Processing Purposes
2.1 Brave Bison and the Supplier agree and acknowledge that for the purpose of the Data Protection Legislation:
2.1.1 Brave Bison is a Controller and may be a Processor for Brave Bison Customers and the Supplier is the Sub-processor.
2.1.2 the Controller retains control of the Personal Data and remains responsible for its compliance obligations under the applicable Data Protection Legislation, including but not limited to providing any required notices and obtaining any required consents, and for the written processing instructions it gives to the Supplier.
2.1.3 the subject matter of the Processing under this Agreement is the purpose that involves the Processing of Personal Data on behalf of Brave Bison and Brave Bison Customers.
2.1.4 the duration of the Processing under this Agreement is for the duration of the Supplier Agreement.
2.1.5 the nature and purpose of the Processing under this Agreement is to deliver the services to Brave Bison and Brave Bison Customers as agreed in the Supplier Agreement. and
2.1.6 the Personal Data Processed for the Purposes of this Agreement varies according to the services provided and may include, but are not limited to:
Identity Data such as first name and last name.
Contact Data such as billing address, delivery address, email address and telephone numbers.
Financial Data such as bank account and payment card details.
Technical Data such as internet protocol (IP) address, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, cookie data, cookie preferences, mobile device IDs and other technology.
2.2 The Supplier acknowledges that Brave Bison may itself be processing Personal Data on behalf of a Brave Bison Customer, who may be the controller or processor of such data. The Supplier agrees to provide reasonable co-operation to Brave Bison to enable Brave Bison to meet its obligations to such Brave Bison Customers.
3. Supplier’s obligations
3.1 The Supplier will only Process the Personal Data to the extent, and in such a manner, as is necessary for the Purposes in accordance with Brave Bison’s or Brave Bison’s Customer’s written instructions. The Supplier will not Process the Personal Data for any other purpose or in a way that does not comply with this Agreement or the Data Protection Legislation. The Supplier must promptly notify Brave Bison if, in its opinion, Brave Bison’s or Brave Bison’s Customer’s instructions do not comply with the Data Protection Legislation.
3.2 The Supplier will:
3.2.1 ensure that its employees are informed of the confidential nature of the Personal Data, have undertaken training on the Data Protection Legislation relating to handling Personal Data and are aware of the Supplier’s duties and their personal duties and obligations under the Data Protection Legislation and this Agreement.
3.2.2 ensure that its employees process such Personal Data by committing themselves to appropriate obligations of confidentiality and will not disclose the Personal Data to third parties unless Brave Bison or this Agreement specifically authorises the disclosure, or as required by domestic law, court or regulator (including the Commissioner) after notifying Brave Bison of this disclosure.
3.2.3 implement appropriate technical and organisational measures against unauthorised or unlawful Processing, access, copying, modification, reproduction, display or distribution of the Personal Data, against accidental or unlawful loss, destruction, alteration, disclosure or damage of the Personal Data to ensure a level of security appropriate to the risks associated with Processing Personal Data.
3.2.4 taking into account the nature of the Processing and the information available to the Supplier, subject to payment of the Supplier’s reasonable and demonstrable costs and expenses, provide reasonable and appropriate assistance to Brave Bison, to the extent possible, in relation to:
the fulfilment by Brave Bison and the Controller’s respective obligations to respond to requests relating to the exercise of individuals’ rights under Data Protection Legislation where the Supplier Processes such individuals’ Personal Data pursuant to this Agreement. and
Brave Bison’s and the Controller’s compliance with its obligations under Data Protection Legislation relating to the security of Personal Data, notification of Personal Data breaches to the Commissioner and/or communication of Personal Data breaches to individuals (to whom such Personal Data relates), data protection impact assessments and prior consultation with supervisory authorities, in each case in relation to any Personal Data the Processor Processes pursuant to this Agreement.
3.2.5 notify Brave Bison without undue delay of the loss, unintended destruction, damage or corruption of part or all of the Personal Data and restore such Personal Data at its own expense as soon as possible after any accidental, unauthorised or unlawful Processing of the Personal Data or after becoming aware of a Personal Data breach.
3.2.6 keep detailed, accurate and up-to-date written records regarding any Processing of the Personal Data, including but not limited to, the access, control and security of the Personal Data, approved subcontractors, the Purposes, categories of Processing, any transfers of Personal Data to a third country and related safeguards, and a general description of the technical and organisational security measures.
3.2.7 at the written request of Brave Bison or the Controller, amend, transfer delete or otherwise Process the Personal Data, or stop, mitigate, remedy any unauthorised Processing or return such Personal Data to Brave Bison after the end of the provision of the Purposes.
3.2.8 not Process or transfer any Personal Data outside the UK without obtaining Brave Bison’s prior written consent and where such consent is granted, the Supplier may only Process, or permit the Processing of the Personal Data in a territory which is subject to adequacy regulations under the Data Protection Legislation that the territory provides adequate protection for the privacy rights of individuals or the necessary SCCs have been executed to legitimise the transfer. and
3.2.9 make available to Brave Bison all information necessary to demonstrate compliance with the obligations in this Agreement.
4. Brave Bison’s instructions and obligations
To the extent the Supplier Processes any Personal Data on behalf of Brave Bison or Brave Bison Customers, the Supplier will Process such Personal Data only on Brave Bison’s or Brave Bison’s Customer’s documented instructions, unless required to do so by Data Protection Legislation. Where Data Protection Legislation requires otherwise, the Supplier will inform Brave Bison of the legal requirement before Processing, unless that law prohibits such information on important grounds of public interest.
4.1 The parties agree that this Agreement and the Supplier Agreement constitutes Brave Bison’s documented instructions for the Processing of Personal Data. Additional instructions outside the instructions will be subject to the prior written agreement between the parties.
4.2 On termination of the Supplier Agreement for any reason or expiry of its term, the Supplier will securely delete or destroy or, if directed in writing by Brave Bison, return and not retain, all or any of the Personal Data related to this Agreement in its possession or control.
5. Sub-Processors
5.1 Notwithstanding any other provisions of the Agreement, the Supplier will not, without Brave Bison’s prior written consent, engage any third party sub-processors (the “Sub-Processors”) to Process any Personal Data under this Agreement.
5.2 Where Supplier has engaged with a Sub-Processor to fulfil the terms of the Supplier Agreement, the Supplier will inform Brave Bison of any intended changes concerning the replacement of any permitted Sub-Processor and give Brave Bison the opportunity to object to such changes.
5.3 Any Sub-Processor the Supplier engages will be subject to materially equivalent terms regarding data protection as are imposed on the Supplier pursuant to this Agreement.
5.4 Where any Sub-Processor fails to fulfil its obligations under Data Protection Legislation, the Supplier will remain liable for the performance of the Sub-Processor’s obligations.
6. Complaints, data subject requests and third-party rights
6.1 The Supplier must, at no additional cost to Brave Bison or Brave Bison Customers, take such technical and organisational measures as may be appropriate, and promptly provide such information to Brave Bison or Brave Bison Customers as Brave Bison or Brave Bison Customers may reasonably require, to enable Brave Bison or the Brave Bison Customers to comply with:
6.1.1 the rights of Data Subjects under the Data Protection Legislation, including subject access rights, the rights to rectify, port and erase Personal Data, object to the Processing and automated processing of Personal Data, and restrict the Processing of Personal Data. and
6.1.2 information or assessment notices served on Brave Bison or a Brave Bison Customer by the Commissioner under the Data Protection Legislation.
6.2 The Supplier must notify Brave Bison promptly in writing if it receives any complaint, notice or communication that relates directly or indirectly to the Processing of the Personal Data or to either party's compliance with the Data Protection Legislation.
6.3 The Supplier must notify Brave Bison within 5 days if it receives a request from a Data Subject for access to their Personal Data or to exercise any of their other rights under the Data Protection Legislation.
6.4 The Supplier will give Brave Bison and Brave Bison Customers, at no additional cost to Brave Bison or Brave Bison Customers, its reasonable co-operation and assistance in responding to any complaint, notice, communication or Data Subject request.
6.5 The Supplier must not disclose the Personal Data to any Data Subject or to a third party other than in accordance with Brave Bison's or Brave Bison Customers’ written instructions, or as required by domestic law.
7. Term
7.1 This Agreement will remain in full force and effect so long as:
7.1.1 the Supplier Agreement remains in effect. or
7.1.2 the Supplier retains any of the Personal Data related to the Supplier Agreement in its possession or control.
7.2 Any provision of this Agreement that expressly or by implication should come into or continue in force on or after termination of the Supplier Agreement in order to protect the Personal Data will remain in full force and effect.
7.3 If a change in any Data Protection Legislation prevents either party from fulfilling all or part of its Supplier Agreement obligations, the parties may agree to suspend the Processing of the Personal Data until that Processing complies with the new requirements. If the parties are unable to bring the Personal Data Processing into compliance with the Data Protection Legislation 6 weeks, either party may terminate the Supplier Agreement on not less than 30 working days on written notice to the other party.
8. Audit and inspections
8.1 Subject to clause 8.2 of this Agreement, the Supplier will allow for and contribute to audits (including inspections) conducted by Brave Bison or Brave Bison Customers or another auditor mandated by Brave Bison or Brave Bison Customers.
8.2 Any auditconducted pursuant to clause 8.1 of this Agreement is subject to the following conditions:
8.2.1 Brave Bison or the Brave Bison Customer will provide reasonable advance notice of any audit.
8.2.2 any audit may only be conducted during the Supplier’s normal business hours.
8.2.3 any audit must be conducted so as to cause minimal disruption to the Supplier’s normal business operations.
8.2.4 any auditor will enter into direct confidentiality obligations with the Supplier which are reasonably acceptable to the Supplier.
8.2.5 any audit will be limited only to the Supplier’s data Processing activities as part of its Services as a data processor to Brave Bison or Brave Bison Customers, and to such information as is reasonably necessary for Brave Bison or the Brave Bison Customer to assess the Supplier’s compliance with the terms of this Agreement.
8.2.6 as part of any audit, Brave Bison, Brave Bison Customer (or its auditor) will not have access to the Supplier’s Confidential Information. and
8.2.7 Brave Bison or the Brave Bison Customer will reimburse the Supplier’s reasonable costs and expenses associated with any audit.
9. Indemnity
9.1 The Supplier agrees to indemnify, keep indemnified and defend at its own expense Brave Bison against all costs, claims, damages or expenses incurred by Brave Bison or for which Brave Bison may become liable due to any failure by the Supplier or its employees, subcontractors or agents to comply with any of its obligations under this Agreement and/or the Data Protection Legislation.
9.2 Any limitation of liability set forth in the Supplier Agreement will not apply to this Agreement's indemnity or reimbursement obligations.
10. Notice
Any notice or other communication given to a party under or in connection with this Agreement should refer to the Customer Agreement and its terms.