Our agreement with you
This Data processing agreement applies to the extent that Legado Technologies Limited processes personal data on behalf of Legado Corporate Partners (the Corporate Partner), which together with:
- Your Contract schedule
- Legado Business terms
- Legado Service user terms
- Legado Privacy policy
form the contract between you (“the ‘end user’”) and us. This agreement supersedes any written or oral representations, statements, understandings or agreements.
Any obligation imposed on the supplier under this agreement in relation to the processing of personal data shall survive any termination or expiration of the main agreement.
With regard to the subject matter of this agreement, in the event of any conflict or inconsistency between any provision of the main agreement and any provision of this agreement, the provision of this agreement shall prevail. In the event of any conflict or inconsistency between the main agreement or this agreement and the standard contractual clauses, as applicable, the UK International Data Transfer Agreement or the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses shall prevail.
Definitions
- The terms “process/processing”, “data subject”, “data processor”, “data controller”, “personal data”, “personal data breach”, and “data protection impact assessment” shall have the same meaning as described in Data protection laws;
- “Agreement” means this Data processing agreement;
- “Authorised sub-processors” means (a) those sub-processors set out in the agreement (Authorised Sub-processors).
- “Commissioner” means the Information Commissioner (see Article 4(A3), UK GDPR and section 114, Data Protection Act 2018);
- “Data Protection Laws” means:
- To the extent the UK GDPR applies, the law of the United Kingdom or of a part of the United Kingdom which relates to the protection of personal data and privacy.
- To the extent the EU GDPR applies, the law of the European Union or any member state of the European Union to which the Supplier or the Corporate Partner is subject, which relates to the protection of personal data and privacy.
- “EU GDPR”: the General Data Protection Regulation ((EU) 2017/679);
- “EEA” means the European Economic Area;
- “Personal data” means the data described (details of processing of personal data) and any other personal data processed by the supplier on behalf of the Corporate Partner pursuant to or in connection with the main agreement;
- “Main agreement” means the Legado Business terms into which this agreement is incorporated;
- “Sub-processor” means any data processor (including any affiliate of Legado) appointed by Legado to process personal data on behalf of the Legado Corporate Partner (the Corporate Partner).
- “Supervisory authority” means (a) an independent public authority which is established by a Member State pursuant to Article 51 GDPR; (b) the Commissioner; and (c) any similar regulatory authority responsible for the enforcement of Data Protection Laws;
- “Supplier” means Legado Technologies Limited, provider of the service;
- “The Corporate Partner” the company, firm, corporation or public authority who has purchased license to make available the platform to their End Users
- “The End User” means the individual whom the Corporate Partner has made the Legado platform available to;
- “The Service” means the service described in the Legado Business terms.
- “UK GDPR” has the meaning given to it in section 3(10) (as supplemented by section 205(4)) of the Data Protection Act 2018.
Processing of personal data
Data controller and data processor
The parties agree that:
- the Corporate Partner is a data controller and that,
- the supplier is a data processor
for the purposes of processing personal data.
Each party shall at all times in relation to processing connected with the main agreement, comply with data protection laws.
Details of the processing of personal data
As required by Article 28(3) GDPR, the information below outlines the details of the personal data processed by Legado on behalf of the Corporate Partner.
The supplier shall only process the types of personal data relating to the categories of data subjects for the purposes of the main agreement and for the specific purposes in each case as set out therein and shall not process, transfer, modify, amend or alter the personal data or disclose or permit the disclosure of the personal data to any third party other than in accordance with the Corporate Partner’s documented instructions and the data protection laws, unless processing is required by applicable law to which the supplier is subject, in which case the supplier shall to the extent permitted by such law inform the Corporate Partner of that legal requirement before processing that personal data.
The supplier will reasonably assist the Corporate Partner with meeting the Corporate Partner’s compliance obligations under the data protection laws, taking into account the nature of the supplier’s processing and the information available to the supplier, including in relation to data subject rights, data protection impact assessments and reporting to and consulting with supervisory authorities under the data protection laws.
| Subject Matter | Employee or customer of the Corporate Partner |
| Duration | The Supplier will continue to process any data in accordance with the Corporate Partner’s instructions until the Corporate Partner deletes data from Legado or the main agreement ends, whichever is first – except where a requirement exists to retain data for legal or regulatory purposes. Any such data are retained in accordance with this provision shall continue to be subject to the security and confidentiality restrictions contained in this Agreement. |
| Nature and purpose | Employee vetting and screening Customer due diligence to meet risk, legal, compliance standards |
| Types of personal data | Name, personal email address, telephone number, an identification card, professional registration details, National Insurance Number. Image of identification documents. |
The supplier shall immediately inform the Corporate Partner, if in its opinion, an instruction pursuant to the Main Agreement or this agreement infringes data protection laws.
The Corporate Partner warrants to and undertakes to the Supplier that: (i) it is entitled to disclose the Personal Data to the Supplier; all data subjects of the personal data; (ii) it has and will maintain for the term of the Agreement a valid lawful basis to process and share the Personal Data with the Supplier; (iii) it will ensure that the Personal Data is accurate and is kept up to date; (iv) all data subjects of the Personal Data have been or will be provided with appropriate privacy notices and information in accordance with Data protection laws; (v) where the legal basis relied on is consent or explicit consent, all consents have been obtained in accordance with Data protection laws to establish and maintain for the relevant term the necessary legal grounds, under Data protection laws for transferring the Personal Data to the Supplier to enable the Supplier to process the personal data in accordance with this Agreement and the Main Agreement.
Liability
The Corporate Partner acknowledges that the Supplier is reliant on the Corporate Partner for direction as to the extent to which it is entitled to use and process the personal data. Consequently, the supplier will not be liable for any claim arising from any action or omission by the supplier to the extent that such action or omission resulted from the Corporate Partner’ s express instructions. The liability provisions in the Main Agreement shall apply to this agreement. Nothing in this Agreement shall exclude or limit any party’s liability which cannot legally be limited or excluded by applicable laws.
Processor personnel
The supplier shall treat all personal data as strictly confidential and shall inform all its employees, agents, contractors and/or authorised sub-processors engaged in processing the personal data of the confidential nature of such Personal Data.
The supplier shall take reasonable steps to ensure the reliability, integrity, and trustworthiness of any employee, agent, contractor and/or authorised sub-processor who may have access to the personal data, ensuring in each case that access is limited to those persons or parties who need to access the relevant personal data, as necessary for the purposes set out above in the context of that person’s or party’s duties to the supplier.
The supplier shall ensure that all such persons or parties involved in the processing of personal data are subject to:
- confidentiality undertakings or are under an appropriate statutory obligation of confidentiality;
- have undertaken training on the data protection laws relating to handling personal data and how it applies to their particular duties;
- are aware both of the Corporate Partner’s duties and their personal duties and
- obligations under the data protection laws and this agreement; and
- user authentication processes when accessing the personal data.
Security
The supplier shall implement appropriate technical and organisational measures to ensure a level of security of the personal data appropriate to the risks that are presented by the processing, in particular from an accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.
More information about Legado commitment to security can be found here.
Sub-processing
Authorised sub-processors
| Entity name | Sub-processing activities |
| Microsoft Azure | Cloud computing platforms for all application infrastructure including; web servers, databases, and DNS. |
| Pipedrive UK Ltd | Marketing automation and customer relation management. |
| Zendesk, Inc | Online ticketing and customer support services. |
Appointing sub-processors
The supplier shall not engage any sub-processor to process personal data other than with the prior specific or general written authorisation of the Corporate Partner. As at the date of the main agreement or (if later) implementation of this agreement, the Corporate Partner hereby authorises the supplier to engage those sub-processors set out in the table above (authorised sub-processors) or those specifically outlined in the Contract schedule.
Changes to sub-processors
In the case of general written authorisation, the supplier shall inform the Corporate Partner of any intended changes concerning the addition or replacement of other processors with 10 working days’ notice, thereby giving the Corporate Partner the opportunity to object to such changes.
With respect to each Sub-processor, the Supplier shall:
- Sub-processor due diligence
Carry out adequate due diligence on each sub-processor to ensure that it is capable of providing the level of protection for the personal data as is required by this agreement including without limitation sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of data protection laws and this agreement;
- Agreement with sub-processors
Include terms in the contract between the supplier and each sub-processor which contains terms substantially the same as those set out in this agreement, in particular, in relation to requiring appropriate technical and organisational data security measures agreement and shall supervise compliance thereof;
- Transfer of personal data outside of the UK and EEA
Insofar as that contract involves the transfer of personal data outside of the UK and EEA, transfer to a territory which is subject to adequacy regulations under the Data protection laws to a territory provides adequate protection for the privacy rights of individuals; or incorporate valid cross-border transfer mechanism under Data protection laws; or such other mechanism as directed by the Corporate Partner into the contract between the supplier and each sub-processor to ensure the adequate protection of the transferred personal data, provided it is compliant with the Data protection laws, or such other arrangement as the Corporate Partner may approve as providing an adequate protection in respect of the processing of personal data in such third country(ies); and
- Sub-processor failure
Remain fully liable to the Corporate Partner for any failure by each sub-processor to fulfil its obligations in relation to the processing of any personal data.
Data subject rights
The Supplier shall without undue delay, and in any case within two (2) working days, notify the Corporate Partner if it receives a request from a data subject under any data protection laws in respect of personal data, including requests by a data subject to exercise rights in chapter 3 of GDPR, and shall provide full details of that request.
The supplier shall cooperate as reasonably requested by the Corporate Partner to enable the Corporate Partner to comply with any exercise of rights by a data subject under any data protection laws in respect of personal data and to comply with any assessment, enquiry, notice or investigation under any data protection laws in respect of personal data or the main agreement, which shall include:
- the provision of all information reasonably requested by the Corporate Partner within any reasonable timescale specified by the Corporate Partner in each case, including full details and copies of the complaint, communication or request and any personal data it holds in relation to a data subject;
- where applicable, providing such assistance as is reasonably requested by the Corporate Partner to enable the Corporate Partner to comply with the relevant request within the timescales prescribed by data protection laws; and
- implementing any additional technical and organisational measures as may be reasonably required by the Corporate Partner to allow the Corporate Partner to respond effectively to relevant complaints, communications or requests.
Personal data breach management
In the case of a personal data breach, the supplier shall without undue delay notify the personal data breach to the Corporate Partner providing sufficient information which allows the Corporate Partner to meet any obligations to report a personal data breach under data protection laws. Such notification shall as a minimum:
- describe the nature of the personal data breach, the categories and numbers of data subjects concerned, and the categories and numbers of personal data records concerned;
- communicate the name and contact details of the supplier’s data protection officer or other relevant contact from whom more information may be obtained; and
- describe the measures taken or proposed to be taken to address the data breach, including, where appropriate, measures to mitigate its possible adverse effects.
Supplier co-operation
The supplier shall fully cooperate with the Corporate Partner and take such reasonable steps as are directed by the Corporate Partner to assist in the investigation, mitigation and remediation of each personal data breach, in order to enable the Corporate Partner to (i) perform a thorough investigation into the personal data breach, (ii) formulate a correct response and to take suitable further steps in respect of the personal data breach in order to meet any requirement under data protection laws.
Public Statement
The parties agree to coordinate and cooperate in good faith on developing the content of any related public statements or any required notices for the affected persons. The supplier shall not inform any third party without first obtaining the Corporate Partner’s prior written consent, unless notification is required by law to which the supplier is subject, in which case the supplier shall to the extent permitted by such law inform the Corporate Partner of that legal requirement, provide a copy of the proposed notification and consider any comments made by the Corporate Partner before notifying the personal data breach.
Data protection impact assessments and consultation
The supplier shall, at the Corporate Partner’s request, provide reasonable assistance with any data protection impact assessments and any consultations with any supervisory authority of the Corporate Partner’s as may be required.
Deletion or return of controller personal data
The supplier shall promptly and in any event within 90 (ninety) calendar days of the earlier of: (i) cessation of processing of personal data by the supplier; or (ii) termination of the main agreement, at the choice of the Corporate Partner securely dispose of personal data (and thereafter promptly delete all existing copies of it) except to the extent that any applicable law requires the supplier to store such personal data or where a requirement exists to retain data for legal or regulatory purposes. Any such data are retained in accordance with the provision shall continue to be subject to the security and confidentially restrictions contained in the Agreement.
Audit rights
The supplier shall make available to the Corporate Partner on request all information necessary to demonstrate compliance with this agreement and data protection laws and allow for and contribute to audits, including inspections by the Corporate Partner or another auditor mandated by the Corporate Partner of any premises where the processing of personal data takes place.
The supplier shall permit the Corporate Partner or another auditor mandated by the Corporate Partner during normal working hours and on reasonable prior notice to inspect, audit and copy any relevant records, processes and systems in order that the Corporate Partner may satisfy itself that the provisions of data protection laws and this agreement are being complied with.
The supplier shall provide full cooperation to the Corporate Partner in respect of any such audit and shall at the request of the Corporate Partner, provide evidence of compliance with its obligations under this agreement and data protection laws.
International transfers of controller personal data
The supplier shall not (permanently or temporarily) process the personal data nor permit any authorised sub-processor to (permanently or temporarily) process the personal data in a country outside of the UK and EEA without an adequate level of protection, other than in respect of those recipients in such countries listed in the Contract Schedule (Authorised Transfers of Personal Data), unless authorised in writing by the Corporate Partner in advance.