This Data Processing Agreement (the “Agreement”) is between a customer (the “Customer”) which is receiving services from Brave Bison (the “Provider”) and the respective company within the Brave Bison group. This Agreement applies to Personal Data that Brave Bison Processes on the Customer’s behalf as part of the Purposes.
This Agreement is issued on behalf of Brave Bison so when we mention “Provider” in this Agreement, we are referring to the relevant trader in the Brave Bison group responsible for Processing your Personal Data. For information purposes, Brave Bison trades through Brave Bison Limited, Greenlight Digital Limited, Greenlight Commerce Limited and Best Response Media Limited. Brave Bison, and its relevant traders, are incorporated and registered in England and Wales.
These provisions sets out the additional terms, requirements and conditions on which the Provider will Process Personal Data when providing services provided pursuant to any agreement or statement of work between the parties (the “Customer Agreement”). By continuing to receive the services, the Customer agrees to the terms of this Agreement and such terms shall form part of the Customer Agreement. This Agreement contains the mandatory clauses required by Article 28(3) of the retained UK law version of the General Data Protection Regulation ((EU) 2016/679) (UK GDPR) for contracts between controllers and processors.
1. Definitions and interpretation
The following definitions and rules of interpretation apply in this Agreement.
the Services to be provided by the Provider to the Customer as described in this Agreement and the accompanying Customer Agreement.
the Information Commissioner (see Article 4(A3), UK GDPR and section 114, DPA 2018).
Controller, Processor, Data Subject, Personal Data and Personal Data Breach
have the meanings given to them in the Data Protection Legislation.
has the meaning given to it in section 6, DPA 2018.
Data Protection Legislation
all applicable data protection and privacy legislation in force from time to time in the UK including without limitation the UK GDPR. the Data Protection Act 2018 (and regulations made thereunder) (DPA 2018). the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426) as amended. [and all other legislation and regulatory requirements in force from time to time which apply to a party relating to the use of Personal Data (including, without limitation, the privacy of electronic communications). and the guidance and codes of practice issued by the Commissioner or other relevant regulatory authority and which are applicable to a party.
the identified or identifiable living individual to whom the Personal Data relates.
Processing, Processes, Processed, Process
any activity that involves the use of the Personal Data. It includes, but is not limited to, any operation or set of operations which is performed on the Personal Data or on sets of the Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. Processing also includes transferring the Personal Data to third parties.
Standard Contractual Clauses (SCCs)
the ICO's International Data Transfer Agreement for the transfer of personal data from the UK and the ICO's International Data Transfer Agreement to EU Commission Standard Contractual Clauses and the European Commission's Standard Contractual Clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 as set out in the Annex to Commission Implementing Decision (EU) 2021/914 and the European Commission's Standard Contractual Clauses for the transfer of Personal Data from the European Union to processors established in third countries (controller-to-processor transfers), as set out in the Annex to Commission Decision 2010/87/EU as adapted for the UK, a completed copy of which comprises Annex B[or such alternative clauses as may be approved by the European Commission or by the UK from time to time.
this Agreement’s term as defined in Clause 7.
has the meaning given to it in section 3(10) (as supplemented by section 205(4)) of the DPA 2018.
1.2 Interpretations and defined terms set forth in the Customer Agreement apply to the interpretation of this Agreement.
1.3 In the case of conflict or ambiguity between other agreements and this Agreement relating to Data Protection Legislation, this Agreement prevails. Any terms not defined in this Agreement have the meanings given to them in Data Protection Legislation.
2. Personal Data types and Processing Purposes
2.1 The Customer and the Provider agree and acknowledge that for the purpose of the Data Protection Legislation:
2.1.1 the Customer is the Controller and the Provider is the Processor.
2.1.2 the Customer retains control of the Personal Data and remains responsible for its compliance obligations under the applicable Data Protection Legislation, including but not limited to providing any required notices and obtaining any required consents, and for the written processing instructions it gives to the Provider.
2.1.3 the subject matter of the Processing under this Agreement is the purpose that involves the Processing of Personal Data on the Customer’s behalf.
2.1.4 the duration of the Processing under this Agreement is for the duration of the Customer Agreement.
2.1.5 the nature and purpose of the Processing under this Agreement is to deliver the services to the Customer as agreed in the Customer Agreement.
2.1.6 the Personal Data Processed for the Purposes of this Agreement varies according to the services provided and may include, but are not limited to:
Identity Data such as first name and last name.
Contact Data such as billing address, delivery address, email address and telephone numbers.
Financial Data such as bank account and payment card details.
Technical Data such as internet protocol (IP) address, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, cookie data, cookie preferences, mobile device IDs and other technology on the devices you use to access our services. and
Third Party Data such as data from the relevant Sub-Processor.
3. Provider’s obligations
3.1 The Provider will only Process the Personal Data to the extent, and in such a manner, as is necessary for the Purposes in accordance with the Customer’s written instructions. The Provider will not Process the Personal Data for any other purpose or in a way that does not comply with this Agreement or the Data Protection Legislation. The Provider must promptly notify the Customer if, in its opinion, the Customer’s instructions do not comply with the Data Protection Legislation.
3.2 The Provider will:
3.2.1 ensure that its employees are informed of the confidential nature of the Personal Data, have undertaken training on the Data Protection Legislation relating to handling Personal Data and are aware of the Provider’s duties and their personal duties and obligations under the Data Protection Legislation and this Agreement.
3.2.2 ensure that its employees process such Personal Data by committing themselves to appropriate obligations of confidentiality and will not disclose the Personal Data to third parties unless the Customer or this Agreement specifically authorises the disclosure, or as required by domestic law, court or regulator (including the Commissioner) after notifying the Customer of this disclosure.
3.2.3 implement appropriate technical and organisational measures against unauthorised or unlawful Processing, access, copying, modification, reproduction, display or distribution of the Personal Data, against accidental or unlawful loss, destruction, alteration, disclosure or damage of the Personal Data to ensure a level of security appropriate to the risks associated with Processing Personal Data.
3.2.4 taking into account the nature of the Processing and the information available to the Provider, subject to payment of the Provider’s reasonable and demonstrable costs and expenses, provide reasonable and appropriate assistance to the Customer, to the extent possible, in relation to:
the fulfilment by the Customer of the Customer’s obligations to respond to requests relating to the exercise of individuals’ rights under Data Protection Legislation where the Provider Processes such individuals’ Personal Data pursuant to this Agreement.
the Customer’s compliance with its obligations under Data Protection Legislation relating to the security of Personal Data, notification of Personal Data breaches to the Commissioner and/or communication of Personal Data breaches to individuals (to whom such Personal Data relates), data protection impact assessments and prior consultation with supervisory authorities, in each case in relation to any Personal Data the Processor Processes pursuant to this Agreement.
3.2.5 notify the Customer without undue delay the loss, unintended destruction, damage or corruption of part or all of the Personal Data and restore such Personal Data at its own expense as soon as possible, any accidental, unauthorised or unlawful Processing of the Personal Data or after becoming aware of a Personal Data breach.
3.2.6 keep detailed, accurate and up-to-date written records regarding any Processing of the Personal Data, including but not limited to, the access, control and security of the Personal Data, approved subcontractors, the Business Purposes, categories of Processing, any transfers of Personal Data to a third country and related safeguards, and a general description of the technical and organisational security measures.
3.2.7 at the written request of the Customer, amend, transfer delete or otherwise Process the Personal Data, or to stop, mitigate, remedy any unauthorised Processing or return such Personal Data to the Customer after the end of the provision of the Purposes.
3.2.8 not Process or transfer any Personal Data outside the UK without obtaining the Customer’s prior written consent and where such consent is granted, the Provider may only Process, or permit the Processing of the Personal Data in a territory which is subject to adequacy regulations under the Data Protection Legislation that the territory provides adequate protection for the privacy rights of individuals or the necessary SCCs have been executed to legitimise the transfer.
3.2.9 make available to the Customer all information necessary to demonstrate compliance with the obligations in this Agreement.
4. The Customer’s instructions and obligations
4.1 To the extent the Provider Processes any Personal Data on the Customer’s behalf, the Provider will Process such Personal Data only on the Customer’s documented instructions, unless required to do so by Data Protection Legislation. Where Data Protection Legislation requires otherwise, the Provider will inform the Customer of the legal requirement before Processing, unless that law prohibits such information on important grounds of public interest.
4.2 The parties agree that this Agreement and the Customer Agreement constitutes the Customer’s documented instructions for the Processing of Personal Data. Additional instructions outside the instructions will be subject to the prior written agreement between the parties, including in relation to any additional fees that the Customer is required to pay to the Provider for carrying out such instructions.
4.3 The Customer will ensure that:
4.3.1 its instructions regarding the Processing of any Personal Data and the provision or otherwise making available to the Provider of any Personal Data, in each case will comply with all applicable laws (including Data Protection Legislation).
4.3.2 the Provider’s Processing of any Personal Data in accordance with the Customer’s instructions will not cause the Provider to be in breach of any applicable laws (including Data Protection Legislation).
4.4 The Customer acknowledges and agrees that the Customer shall be responsible for providing all necessary information and notices to Data Subjects in respect of the Processing of any Personal Data pursuant to this Agreement in each case in accordance with Data Protection Legislation.
4.5 On termination of the Customer Agreement for any reason or expiry of its term, the Provider will securely delete or destroy or, if directed in writing by the Customer, return and not retain, all or any of the Personal Data related to this Agreement in its possession or control.
4.6 The Customer acknowledges and agrees that on termination of the Customer Agreement for any reason or expiry of its term, the Provider will not be able to destroy any or all of the Personal Data related to this Agreement in its back-up systems.
5.1 Notwithstanding any other provisions of the Agreement, the Provider will not, without the Customer’s prior written consent, engage any third-party sub-processors (the “Sub-Processors”) to Process any Personal Data under this Agreement other than those set out in the Agreement listed in the link 'Sub-Processors'.
5.2 From time to time, the Provider may engage with different Sub-Processors to fulfill the terms of the Customer Agreement. The Provider will inform the Customer of any intended changes concerning the replacement of any permitted Sub-Processor and give the Customer the opportunity to object to such changes.
5.3 Any additions or changes to the Provider’s engagement with its Sub-Processors will be reflected in the list and the list will be updated accordingly.
5.4 Other than the approved Sub-Processors (each of which provide services and Process Personal Data subject to the terms of the relevant Sub-Processor’s data processing agreement (“Data Processing Terms”) which such Data Processing Terms shall apply in place of the terms of this Agreement as between the Provider and the Customer to the extent of any conflict between the Data Processing Terms and this Agreement), any Sub-Processor the Provider engages will be subject to materially equivalent terms regarding data protection as are imposed on the Provider pursuant to this Agreement.
5.5 Where any Sub-Processor fails to fulfil its obligations under Data Protection Legislation, the Provider will remain liable for the performance of the Sub-Processor’s obligations, subject to the exclusions and limitations of liability under this Agreement or the relevant Data Processing Terms.
6. Complaints, data subject requests and third-party rights
6.1 The Provider must, at no additional cost to the Customer, take such technical and organisational measures as may be appropriate, and promptly provide such information to the Customer as the Customer may reasonably require, to enable the Customer to comply with:
6.1.1 the rights of Data Subjects under the Data Protection Legislation, including subject access rights, the rights to rectify, port and erase Personal Data, object to the Processing and automated processing of Personal Data, and restrict the Processing of Personal Data. and
6.1.2 information or assessment notices served on the Customer by the Commissioner under the Data Protection Legislation.
6.2 The Provider must notify the Customer promptly in writing if it receives any complaint, notice or communication that relates directly or indirectly to the Processing of the Personal Data or to either party's compliance with the Data Protection Legislation.
6.3 The Provider must notify the Customer within 5 days if it receives a request from a Data Subject for access to their Personal Data or to exercise any of their other rights under the Data Protection Legislation.
6.4 The Provider will give the Customer, at no additional cost to the Customer, its reasonable co-operation and assistance in responding to any complaint, notice, communication or Data Subject request.
6.5 The Provider must not disclose the Personal Data to any Data Subject or to a third party other than in accordance with the Customer's written instructions, or as required by domestic law.
7.1 This Agreement will remain in full force and effect so long as:
7.1.1 the Customer Agreement remains in effect. or
7.1.2 the Provider retains any of the Personal Data related to the Customer Agreement in its possession or control (Term).
7.2 Any provision of this Agreement that expressly or by implication should come into or continue in force on or after termination of the Customer Agreement in order to protect the Personal Data will remain in full force and effect.
7.3 If a change in any Data Protection Legislation prevents either party from fulfilling all or part of its Customer Agreement obligations, the parties may agree to suspend the Processing of the Personal Data until that Processing complies with the new requirements. If the parties are unable to bring the Personal Data Processing into compliance with the Data Protection Legislation 6 weeks, either party may terminate the Customer Agreement on not less than 30 working days on written notice to the other party.
8. Audit and inspections
8.1 Subject to clause 8.2 of this Agreement, the Provider will allow for and contribute to audits (including inspections) conducted by the Customer or another auditor mandated by the Customer.
8.2 Any audit conducted pursuant to clause 8.1 of this Agreement is subject to the following conditions:
8.2.1 the Customer will provide reasonable advance notice of any audit.
8.2.2 any audit may only be conducted during the Provider’s normal business hours.
8.2.3 any audit must be conducted so as to cause minimal disruption to the Provider’s normal business operations.
8.2.4 any auditor will enter into direct confidentiality obligations with the Provider which are reasonably acceptable to the Provider.
8.2.5 any audit will be limited only to the Provider’s data Processing activities as part of its Services as a data processor to Customer, and to such information as is reasonably necessary for Customer to assess the Provider’s compliance with the terms of this Agreement.
8.2.6 as part of any audit, Customer (or its auditor) will not have access to the Provider’s Confidential Information.
8.2.7 Customer will reimburse the Provider’s reasonable costs and expenses associated with any audit.
The Customer warrants and represents that the Provider’s expected use of the Personal Data for the Purposes and as specifically instructed by the Customer will comply with the Data Protection Legislation.
Any notice or other communication given to a party under or in connection with this Agreement should refer to the Customer Agreement and its terms.