This Agreement is made on 30/03/2020
Parties to this Agreement:
MidasTouch Jewels by Patsy (MTJ) whose office is at 19 Overlea Avenue, Deganwy, Conwy, Wales, LL319TA (the “Processor”);
Background and Scope
The Processor has been appointed by a Data Controller to process personal data on behalf of the Data Controller.
The Processor wishes to engage the Sub-Processor to perform certain processing Services on its behalf on personal data as detailed in clause 3 of this Agreement.
In compliance with the provisions of Article 28 and 29 of the General Data Protection Regulation ((EU) 2016/679) (GDPR), the Processor and the Sub-Processor wish to enter into this processing Agreement.
The parties hereby mutually agree the following:
1. Definitions and Interpretation
1.1 In this Agreement the following words and phrases have the following meanings, unless inconsistent with the context or as otherwise specified:
“Annex” means the annex to this Agreement and which forms part of this Agreement;
“Data Protection Regulation or General Data Protection Regulation (GDPR)” hereafter referred to as the Regulation, means REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data;
“Processor, data processor, data subject, personal data, special categories of personal data, personal data breach, supervisory authority, third parties, processing and appropriate technical and organisational measures”: as set out in the Data Protection Legislation in force at the time;
“Confidential Information” means all information disclosed by a party to the other party pursuant to this Agreement which is either designated as proprietary and/or confidential, or by its nature or the nature of the circumstances surrounding disclosure, should reasonably be understood to be confidential, including (but not limited to), information on products, customer lists, price lists and financial information;
“Data Protection Legislation”: means the Data Protection Act 2018, which incorporates the General Data Protection Regulation ((EU) 2016/679) (GDPR);
“Services” mean the Services as described in clause 3 of this Agreement;
“Sub-contract” and “sub-contracting” means the process by which either party arranges for a Third Party to carry out its obligations under this Agreement;
“Sub-Processor” means the party to whom specific processing obligations are sub-contracted as described in clause 3;
“Data Controller” means the Data Controller(s) that the Processor has an Agreement with relating to processing of personal data;
“Processing/Processing Operations” means a processing operation or set of processing operations with respect to personal data or sets of personal data, carried out by means of automated processes or otherwise, such as collection, recording, organisation, storage, updating or modification, retrieval, consultation, use, dissemination by means of transmission, distribution or making available in any other form, aligning or combining, blocking, erasure or destruction;
“Third Party” means a natural or legal person, public authority, agency or body other than the data subject, Controller, processor and persons who, under the direct authority of the Controller or processor, are authorised to process personal data.
2.1 In consideration of the Processor engaging the Services of the Sub-Processor to process personal data on its behalf, the Sub-Processor must comply with the security, confidentiality and other obligations imposed on it under this Agreement and any applicable Data Protection Legislation or any other relevant laws.
2.2 In return for the provision of the Services by the Sub-Processor, the Processor shall pay the Sub-Processor the amounts as agreed in the Annex.
3. Description of the Services
3.1 The Processor hereby confirms the following instructions to the Sub-Processor with regard to the Services it is to render:
A brief description of the Services and processing activities
Promotion of handmade jewellery from the MidasTouch Jewels website (Wix), Etsy, Folksy, Facebook, Pinterest and iZettle.
The subject matter of the processing
Advertising and promotion of products and website, purchasing and placing of orders, processing payments
The type/categories of personal data being handled
Name, email, address, payment details, ring and wrist sizes
The purpose of the processing
The manufacture of handmade jewellery
3.2 The Processor must ensure that it has all necessary appropriate consents and notices in place, to enable lawful transfer of the personal data which belongs to the Data Controller to the Sub-Processor, for the duration and purposes of this Agreement.
4. Obligations of the Sub-Processor
The Sub-Processor agrees to:
4.1 Process the personal data only on the written instructions from the Processor, including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by Union or Member State law to which the Sub-Processor is subject. In such a case, the Sub-Processor must:
(a) Inform the Processor of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest;
(b) Guarantee an adequate level of protection for such processing; and
(c) Provide evidence of the level of protection described in (b) above to the Processor.
4.2 Perform any processing operations for only as long as and to the extent that is necessary for the performance of this Agreement. The Sub-Processor must, without delay, inform the Processor if, in its opinion, an instruction constitutes a violation of the GDPR or any other Data Protection Legislation.
4.3 Processing must occur under the responsibility of the Data Controller. Neither the Processor, the Sub-Processor nor any natural person acting under the authority of the Processor or Sub-Processor has any control over the purpose and means of the processing, and none of them may take decisions on matters such as the use of personal data, the retention period of the personal data processed by the Sub-Processor, or the disclosure of personal data to Third Parties. If the Sub-Processor has an independent obligation on the basis of statutory regulations or rules of professional conduct that apply to the Sub-Processor, the Sub-Processor must inform the Processor thereof prior to the conclusion of this Agreement. If the Sub-Processor's independent obligations change during the term of this Agreement, due to amended statutory regulations or rules of professional conduct, this may be a reason for the Processor to terminate this Agreement. The Processor shall inform the Data Controller about any such obligation.
4.4 Comply with any applicable Data Protection Legislation and regulations. For the avoidance of doubt, nothing within this Agreement relieves the Sub-Processor of its own direct responsibilities and liabilities under the GDPR or any other relevant Data Protection Laws or regulations.
4.5 Refrain from engaging Third Parties to perform certain work if this results in these Third Parties processing personal data, unless the Processor has given its prior written consent. In that case, the Sub-Processor must be obliged to impose (in writing) all obligations under this Agreement on those Third Parties.
4.6 Forward any questions or requests from data subjects relating to their personal data to the Processor without delay and in any event within  working days. Where possible, the Sub-Processor must assist the Processor in meeting its obligations in handling requests by data subjects within the scope of exercising their rights.
4.7 Not disclose or otherwise reveal any personal data that is the subject of this Agreement to a data subject or Third Party, unless otherwise stated in this Agreement or required by law or a court or official authority’s decision. In the event that the Sub-Processor must disclose such personal data due to law or a court or official authority’s decision, the Sub-Processor shall notify the Processor of the disclosure immediately, unless this is prohibited by applicable law or a court or official authority’s decision.
4.8 Considering the nature of the Processing and the data available to the Sub-Processor, the Sub-Processor must provide assistance to the Processor in meeting its statutory obligations with respect to the processing operations that are part of this Agreement, particularly in respect of security and personal data breaches.
4.9 The Sub-Processor shall maintain and make available to the Processor on request, a record of all categories of processing activities carried out on behalf of the Processor containing:
The name and contact details of the Sub-Processor and its Data Protection Officer or Data Representative;
The categories of processing activities performed;
Transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation;
A general description of the technical and organisational security measures it has implemented.
5. Security measures
5.1 The Sub-Processor must implement the security measures set out in the Annex to this Agreement. In addition, the Sub-Processor guarantees to have implemented adequate and appropriate safeguards with respect to the technical and organisational security measures relating to the processing operations to be performed, as required by the Data Protection Legislation.
5.2 The security measures the Sub-Processor has implemented as per this clause 5 must have a level of security appropriate to the nature of the personal data and the scope, context, purposes, costs of the security measures and the risks of the processing.
5.3 The Sub-Processor must, in assessing the appropriate level of security, take account of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.
5.4 The Sub-Processor must be able to evidence to the Processor its compliance with the policy rules or guidance of the supervisory authority, or must be able to demonstrate that the technical and organisational measures that it has implemented provide at least an equivalent level of protection. If these policy rules or guidance are amended, the Sub-Processor must ensure and demonstrate that the level of protection it provides complies with these policy rules or guidance within  months of publication.
5.5 The Sub-Processor must apply the codes of conduct and certifications approved by the supervisory authority unless the Sub-Processor is able to demonstrate that the measures it has implemented guarantee at least a comparable level of protection or that the relevant codes of conduct and certifications do not apply to the processing operations under this Agreement.
5.6 The Sub-Processor must periodically, but at least once a year, evaluate whether the level of protection remains adequate in view of the state of the art, the nature of the personal data processed and the scope, context, purposes, and risks of the Processing. The Sub-Processor must report on this in writing to the Processor.
5.7 The Processor has the right to inspect the manner in which the Sub-Processor complies with the security measures at any time. Any costs of an inspection must be borne by the Processor. The Sub-Processor must provide all information necessary to demonstrate compliance with the obligations laid down in this Agreement in a timely manner.
6. Data Breaches
The Sub-Processor, taking into account the nature of processing and the information available to the Sub-Processor, shall:
6.1 Assist the Processor in meeting its obligations to keep personal data secure;
6.2 Notify the Processor without undue delay upon the Sub-Processor becoming aware of a Personal Data Breach affecting the personal data which is the subject of this Agreement.
6.2.1 Such notification shall as a minimum:
Describe the nature of the personal data breach, the categories and numbers of Data Subjects concerned, and the categories and numbers of personal data records concerned;
Communicate the name and contact details of Sub-Processor’s data protection officer or other relevant contact from whom more information may be obtained;
Describe the likely consequences of the personal data breach; and
Describe the measures taken or proposed to be taken to address the personal data breach.
6.2.2 Co-operate with the Processor and take such reasonable commercial steps as are directed by the Processor to assist in the investigation, mitigation and remediation of each such Personal Data Breach.
6.3 The Processor is responsible for immediately notifying the Data Controller about any Personal Data Breach as described in this clause 6.
7.1 The Sub-Processor ensures that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
7.2 In particular, the Sub-Processor agrees that, save with the prior written authorisation of the Processor, it must not disclose any personal data supplied to the Sub-Processor by, for, or on behalf of, the Processor to any Third Party.
7.3 The Sub-Processor must not make any use of any personal data supplied to it by the Processor otherwise than in connection with the provision of Services to the Processor and as agreed in this Agreement.
7.4 The obligations in clauses 7.1, 7.2 and 7.3 above must continue for a period of [five] years after the cessation of the provision of Services by the Sub-Processor to the Processor.
7.5 Nothing in this Agreement must prevent either party from complying with any legal obligation imposed by a regulator or court. Both parties must however, where possible, discuss together the appropriate response to any request from a regulator or court for disclosure of information.
8.1 The Processor is not liable for any damage suffered by the Sub-Processor as a result of a failure to comply with the GDPR or other laws or regulations.
8.2 The Sub-Processor indemnifies the Processor against claims by the Data Controller or Third Parties on the grounds of damage resulting from failure to comply in a correct, complete or timely manner by the Sub-Processor with the provisions of this Agreement. This indemnification applies not only to the damage that the Data Controller or Third Parties may have suffered (both material and immaterial), but also to the costs the Processor must incur in connection therewith, for example in any legal proceedings, and to the costs of any fines imposed on the Processor as a result of acts by the Sub-Processor.
8.3 The Sub-Processor is liable for all damage suffered by the Processor as a result of the failure by the Sub-Processor to comply, or to comply correctly or fully, with the obligations set out in this Agreement or failure to comply, or to comply correctly or fully, with the agreed instructions relating to the performance of this Agreement or any obligations under the Data Protection Legislation.
9. Price and payment
9.1 The Processor agrees to pay the Sub-Processor for the Services the amounts described in the Annex.
9.2 Any amount mentioned in this Agreement is VAT exclusive.
9.3 Invoices must be paid within a period of  days following receipt thereof.
10. Audits and Inspections
The Sub-Processor agrees to:
10.1 Make available to the Processor all information necessary to demonstrate compliance with the obligations laid down in this Agreement and Article 28(3)(h) of the GDPR;
10.2 Allow for and contribute to audits, including inspections, conducted by the Processor or another auditor mandated by the Processor.
10.3 Inform the Processor if, in its opinion, an instruction pursuant to this section infringes the GDPR or other Union or Member State Data Protection Legislation.
11. Transfer to third countries
11.1 The Sub-Processor may not, without the prior written consent of the Processor, transfer personal data outside the European Economic Area (EEA). If the Processor approves of such transfer, the Standard Contractual Clauses will apply to personal data that is transferred outside the EEA, to any country that is not recognised by the European Commission as providing an adequate level of protection for personal data. Notwithstanding the foregoing, the Standard Contractual Clauses (or obligations the same as those under the Standard Contractual Clauses) will not apply if the Sub-Processor has adopted Binding Corporate Rules for Processors or an alternative recognised compliance standard for the lawful transfer of personal data (as defined in the GDPR) outside the EEA.
11.2 The Processor shall, with reasonable cause, be entitled to withdraw its consent to third country transfers provided under clause 11.1. In such case, the Sub-Processor shall immediately cease the transfer and shall, upon the Processor's request, provide written confirmation of this.
12. Term and Termination
12.1 This Agreement shall continue in full force and effect from 30/03/2020.
12.2 Either Party has the right to terminate the Agreement, partially or entirely, forthwith by sending a written notice of termination to the other party specifying the reasons for the termination, if any of the following events occur:
12.2.1 The other party materially breaches any of its obligations under this agreement;
12.2.2 The other party breaches any of its obligations under this Agreement and, notwithstanding a written request from the non-breaching party to remedy such a breach, fails to comply with such a request within a period of  days following such notice;
12.2.3 An event of force majeure prevails for a period exceeding  months; or
12.2.4 The other party becomes insolvent or enters liquidation, a petition in bankruptcy is filed for it or a receiver is appointed.
12.3 Upon the termination or expiry of this agreement, any rights and obligations of the parties, accrued prior to the termination or expiry thereof shall continue to exist.
12.4 Within 30 days following termination of this Agreement the Sub-Processor shall, at the direction of the Processor, either:
(a) Return all personal data passed to the Sub-Processor by the Processor or on its behalf for processing; or
(b) On receipt of instructions from the Processor, destroy all such data unless the Sub-Processor is prohibited from doing so by any applicable law.
12.5 The Sub-Processor may retain personal data to the extent required by Data Protection Legislation and only to the extent and for such period as required by Data Protection Legislation, and always provided that the Sub-Processor must ensure the confidentiality of all such personal data and must ensure that such data is only processed as necessary for the purpose(s) specified in the Data Protection Legislation requiring its storage and for no other purpose. If this applies, the Sub-Processor must inform the Processor of this obligation prior to the conclusion of the Agreement.
12.6 The costs of collecting and transferring personal data upon termination of this Agreement must be borne by the Sub-Processor. The same must apply to the costs of the destruction of the personal data. The Processor must be entitled to have a Third Party expert determine whether the data is indeed no longer present in the Sub-Processor's systems. The costs for this Third Party expert must be borne by the Sub-Processor if the expert finds that the Sub-Processor has failed to destroy the personal data correctly, completely or in time.
12.7 The Sub-Processor must provide written certification to the Processor that it has fully complied with this section within  days of the termination date.
13. Transferability of the Agreement
13.1 Unless the parties have jointly agreed otherwise in writing, neither party shall be permitted to transfer this Agreement and the rights and obligations under this Agreement to another party.
14. Entire agreement
14.1 This Agreement contains the entire Agreement and understanding between the parties with respect to the subject matter hereof and supersedes and replaces all prior agreements or understandings, whether written or oral, with respect to the same subject matter that are still in force between the parties.
14.2 Any amendments to this Agreement, as well as any additions or deletions, must be agreed in writing by both the parties.
14.3 Whenever possible, the provisions of this Agreement must be interpreted in such a manner as to be valid and enforceable under the governing law stated as per clause 17.
14.4 A change in the personal data processed, the reliability requirements or the privacy regulations, including the GDPR, or any requirements of the Processor’s client, the Data Controller, may give cause to supplement or amend this Agreement. If this leads to significant adjustments in this Agreement, or if the Sub-Processor is unable to provide adequate protection, this may be a reason for the Processor to terminate this Agreement.
15.1 Should any provision of this Agreement be invalid or unenforceable, then the remainder of this Agreement must remain valid and in force. The invalid or unenforceable provision must be either:
(i) amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible or, if this is not possible,
(ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.
16. Notifications under the Agreement
16.1 All notices under this Agreement from one party to the other shall be in writing and delivered by email, messenger or registered mail to the parties' above-mentioned address or to the addresses last registered with Companies House.
16.2 Notices shall be deemed to have been received by the recipient:
If delivered by courier: at the time of delivery;
If sent by registered mail: on the 3rd working day after submission for postal conveyance to the party's postal address specified in the introduction or to the addresses last registered with Companies House; or
If sent by email: following confirmation of receipt by the other party.
17. Governing Law
17.1 This Agreement must be governed by and construed exclusively in accordance with the national law of the Member State in which the Processor is established.
AS WITNESS this Agreement has been signed on behalf of each of the parties by its duly authorised representative on the date first above written.
'SIGNED' (by means of publishing on this site) on behalf of PROCESSOR Patsy Tyldesley
Annex
1. Description of the pricing model
Pricing is calculated by cost of manufacture, including materials and the time taken to make each item; cost of overheads such as fees charged by host sites (Etsy, Folksy); cost of promotional advertising on Etsy, Folksy, Pinterest, Facebook and Instagram; cost of processing monies from iZettle and PayPal and banking charges; cost of wages and profit; and cost of packaging and postage.
2. Technical and Organisational Security Measures
2.1 In compliance with its obligations under clause 4 with regard to the processing of personal data on behalf of the Processor, the Sub-Processor, as a minimum requirement, must implement appropriate technical and organisational measures to comply with the requirements of the GDPR. This includes the requirements stated in Article 32 of the GDPR being:
2.1.1 The pseudonymisation and encryption of personal data;
2.1.2 The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
2.1.3 The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
2.1.4 A process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.