The following definitions and rules of interpretation apply in this Agreement.
| Term | Definition |
| Agreement | means the Data Processing Agreement as set out herein. |
| Applicable Law | means laws, statutes or ordinances, rules, treaties, regulations, permits, licences, approvals, interpretations, and orders of courts or governmental authority that is binding upon or applicable to a Party or this Agreement, as amended unless specified otherwise (including, for clarity, the Data Protection Legislation). |
| Authorised Persons | means the persons or categories of persons that the Client authorises to give the Supplier documented personal data processing instructions as identified in Client Personal Data Processing Particulars and from whom the Supplier agrees solely to accept such instructions. |
| Business Days | means any day except any Saturday, any Sunday, or bank holiday, when Banks in London are open for business. |
| Business Purposes | means for the purpose of the provision of the products and/or their services to be provided by the Supplier to the Client as described in the Master Agreement and any other purpose specifically identified in the Client Personal Data Processing Particulars. |
| Client Personal Data | means any information relating to an identified or identifiable living individual that is processed by the Supplier on behalf of the Client because of, or in connection with, the provision of the products and/or services under the Master Agreement. |
| Commencement Date | means the date the Supplier starts processing Personal Data for the Client. |
| Company Affiliate | means the entity that directly or indirectly Controls, is Controlled by, or is under common Control with the Supplier from time to time. Any reference to The Supplier includes its company affiliates. |
| Control | means the beneficial ownership of more than 50% of the issued share capital of a company or the legal power to direct or cause the direction of the management of the company and Controlled shall be construed accordingly. |
| Controller | means the natural or legal person, public authority, agency or any other entity or person who alone or jointly with others determines the purposes and means of the processing of Personal Data. |
Data Protection Legislation |
means: • all applicable data protection and privacy legislation in force from time to time in the UK including without limitation, the UK GDPR; the Data Protection Act 2018 (and regulations made thereunder) (“DPA 2018”); the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426) as amended; and all other legislation and regulatory requirements in force from time to time which apply to the Client or Supplier relating to the use of personal data (including, without limitation, the privacy of electronic communications) • to the extent the the General Data Protection Regulation ((EU) 2016/679) (“GDPR”) applies, the law of the European Union or any member state of the European Union to which the Client or Supplier is subject, which relates to the protection of Personal Data. • any other applicable local laws to which the Client or Supplier is subject, relating to the processing of Personal Data, privacy of electronic communications, or the protection of an individual’s privacy. |
| Data Subject | means a natural person who can be identified, whether directly or indirectly, including by reference to an identification number or to one or more factors specific to their physical, psychological, mental, economic, cultural, or social identity. |
| Data Subject Request | means a request made by a Data Subject under Data Protection Legislation to exercise their rights thereunder. |
| DPA 2018 | means the data Protection Act 2018 of the United Kingdom. |
| EEA | means the European Economic Area. |
| SCCs | means applicable (1) for EU residents – means Module 2 of the 2021 European Commission’s Standard Contractual Clauses for the transfer of Personal Data from the European Union to processors establishes in third countries (controller-to-processor transfers); and/or when applicable to UK resident Personal Data (a) the UK International Data Transfer Agreement (DTA) or (b) the UK International Data Transfer Addendum to the EU Standard Contractual Clauses for the transfer of Personal Data from the United Kingdom to third parties established in third countries. |
| GDPR | means the General Data Protection Regulation ((EU) 2016/679). |
| Heightened Cybersecurity Requirements | means any laws, regulations, codes, guidance (from regulatory and advisory bodies, whether mandatory or not), international and national standards, industry schemes and sanctions, which are applicable to either the Client or its end users relating to security of network and information systems and security breach and incident reporting requirements, which may include the Network and Information Systems Regulations 2018 (SI 506/2018), all as amended or updated from time to time. |
| ICO | means the Information Commissioners Office, the competent data protection authority within the United Kingdom (UK). |
| Master Agreement | means all agreements and terms entered into between the Parties for the provision of Supplier products and services (whether before or after the Commencement Date of this Agreement) and includes terms which apply specifically to Cintra Source, Cintra SaaS, outsourced payroll or other services as listed on the Services Schedule. |
| Parties | means the Supplier and the Client collectively and Party shall mean either both a Party or individually. |
| Personal Data | means any information relating to an identified or identifiable Data Subject or as otherwise defined as such in Data Protection Legislation. |
| Personal Data Breach | means a breach of security leading to the accidental, unauthorised, or unlawful destruction, loss, alteration, disclosure of, or access to, the Personal Data. |
| Processing, processes, processed, process | means any activity that involves the use of Personal Data. It includes, but is not limited to, any operation or set of operations which is performed on the Personal Data or on sets of the Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. Processing also includes transferring the Personal Data to third parties. |
| Processor | means a natural or legal person, public authority, agency, or, other body which processes personal data on the instruction of and behalf of the Controller. |
| Sub-processor | means the same as in the Data Protection Legislation. |
| Supervisory Authority | means the competent data protection authority which is established in a jurisdiction under its privacy laws with competence in its privacy matters. A list of which can be found here. |
| System Messages | means messages on Cintra Cloud or messages sent through Cintra Secure Portal. |
| UK Data Protection Legislation | means all applicable data protection and privacy legislation in force from time to time in the UK without limitation the UK GDPR; the Data Protection Act 2018 (and regulations made thereunder) (DPA 2018); the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426) as amended; and the guidance and codes of practice issued by the Commissioner, and which are applicable to a Party. |
| UK GDPR | means the GDPR as transposed into United Kingdom national law by operation of section 3 of the European Union (Withdrawal) Act 2018, together with the Data Protection Act 2018, the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 and other data protection or privacy legislation in force from time to time in the United Kingdom. |
• This Agreement is subject to the terms of the Master Agreement and is incorporated into the Master Agreement
• The schedules and annexes form part of this Agreement and will have effect as if set out in full in the body of this Agreement. Any reference to this Agreement includes its annexes and schedules.
• Any words that follow ‘include’, ‘includes’, ‘including’, ‘in particular’ or any similar words and expressions shall be construed as illustrative only and shall not limit the sense of any word, phrase, term, definition, or description preceding those words.
• A reference to legislation includes all subordinate legislation made from time to time under that law and is a reference to that legislation as amended, extended, re-enacted or consolidated from time to time.
• Any obligation on a Party not to do something includes an obligation not to allow that thing to be done.
• A reference to this Agreement or to any other agreement or document referred to in this Agreement is a reference to this Agreement or such other agreement or document as varied or novated (in each use, other than in breach of the provisions of this Agreement) from time to time.
• In the case of conflict or ambiguity between the Clients agreements related to the processing of the Client Personal Data, the documents will have the following order of the precedence:
- Any completed SCC (where applicable);
- the Agreement; and then
- the Master Agreement.