HelloKindred Data Processing Agreement

  1. DEFINITIONS

    1. In this Data Processing Agreement defined terms shall have the same meaning, and the same rules of interpretation shall apply, as in the agreement between HelloKindred and the Customer. In addition, in this Data Protection Agreement the following definitions have the meanings given below.

      Applicable Data Protection Laws means:
      1. To the extent the UK GDPR applies, the law of the United Kingdom or of a part of the United Kingdom which relates to the protection of personal data.
      2. To the extent the EU GDPR applies, the law of the European Union or any member state of the European Union to which HelloKindred is subject, which relates to the protection of personal data.
      Applicable Laws means:
      1. To the extent the UK GDPR applies, the law of the United Kingdom or of a part of the United Kingdom.
      2. To the extent the EU GDPR applies, the law of the European Union or any member state of the European Union to which HelloKindred is subject.
      Customer Personal Data
      any personal data of which the Customer is the controller or which the Customer is processing on behalf of another Controller (excluding HelloKindred).
      EU GDPR
      the General Data Protection Regulation ((EU) 2016/679).
      Purpose
      the services to be provided by the Provider to the Customer as described in a Statement of Work and any other purpose specifically identified in Annex B.
      UK GDPR
      has the meaning given to it in the Data Protection Act 2018.
    2. The terms controller, processor, data subject, personal data, personal data breach and processing shall have the meaning given to them in the UK GDPR.

  2. DATA PROTECTION

    1. Both parties will comply with all applicable requirements of Applicable Data Protection Laws. This clause 2 is in addition to, and does not relieve, remove or replace, a party’s obligations or rights under Applicable Data Protection Laws.

    2. The parties have determined that, for the purposes of Applicable Data Protection Laws:

      1. HelloKindred shall act as controller in respect of the Customer Personal Data and processing activities set out in Part 1 of Annex A; and
      2. HelloKindred shall process the Customer Personal Data set out in Part 2 of Annex A, as a processor on behalf of the Customer in respect of the processing activities set out in Part 2 of Annex A.
    3. Should the determination in clause 2.2 change, then each party shall work together in good faith to make any changes which are necessary to this clause 2 or the related Annexes.

    4. By entering into this Agreement, the Customer consents to (and shall procure all required consents, from its personnel, representatives and agents, in respect of) all actions taken by HelloKindred in connection with the processing of Customer Personal Data by HelloKindred as controller, provided these are in compliance with the then-current version of HelloKindred’s privacy policy available at https://helloHelloKindred.com/privacy-policy/ (Privacy Policy). In the event of any inconsistency or conflict between the terms of the Privacy Policy and this Agreement, the Privacy Policy will take precedence.

    5. Without prejudice to the generality of clause 2.2, the Customer will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of Customer Personal Data to HelloKindred and lawful collection of the same by HelloKindred for the duration and purposes of this Agreement.

    6. In relation to the Customer Personal Data processed by HelloKindred as processor on behalf of Customer, Annex B sets out the scope, nature and purpose of processing by HelloKindred, the duration of the processing and the types of personal data and categories of data subject.

    7. Without prejudice to the generality of clause 2.2 HelloKindred shall, in relation to Customer Personal Data which it processes as processor on behalf of Customer:

      1. process that Customer Personal Data only on the documented instructions of the Customer, unless HelloKindred is required by Applicable Laws to otherwise process that Customer Personal Data. Where HelloKindred is relying on Applicable Laws as the basis for processing Customer Processor Data, HelloKindred shall notify the Customer of this before performing the processing required by the Applicable Laws unless those Applicable Laws prohibit the Provider from so notifying the Customer on important grounds of public interest. HelloKindred shall inform the Customer if, in the opinion of HelloKindred, the instructions of the Customer infringe Applicable Data Protection Legislation;
      2. implement the technical and organisational measures to protect against unauthorised or unlawful processing of Customer Personal Data and against accidental loss or destruction of, or damage to, Customer Personal Data, which the Customer has reviewed and confirms are appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures;
      3. ensure that any personnel engaged and authorised by HelloKindred to process Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory or common law obligation of confidentiality;
      4. assist the Customer insofar as this is possible (taking into account the nature of the processing and the information available to HelloKindred), and at the Customer’s cost and written request, in responding to any request from a data subject and in ensuring the Customer’s compliance with its obligations under Applicable Data Protection Laws with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators;
      5. notify the Customer without undue delay on becoming aware of a personal data breach involving the Customer Personal Data;
      6. at the written direction of the Customer, delete or return Customer Personal Data and copies thereof to the Customer on termination of the agreement unless HelloKindred is required by Applicable Law to continue to process that Customer Personal Data. For the purposes of this clause 2.7.6 Customer Personal Data shall be considered deleted where it is put beyond further use by HelloKindred; and
      7. maintain records to demonstrate its compliance with this clause 2 and allow for reasonable audits by the Customer or the Customer’s designated auditor, for this purpose, on reasonable written notice, no more than once per year.
    8. The Customer hereby provides its prior, general authorisation for HelloKindred to:

      1. appoint processors listed in a Statement of Work to process the Customer Personal Data, provided that HelloKindred:
        1. shall ensure that the terms on which it appoints such processors comply with Applicable Data Protection Laws, and are consistent with the obligations imposed on HelloKindred in this clause 2;
        2. shall remain responsible for the failure of any such processor to meet its data protection obligations; and
        3. shall inform the Customer of any intended changes concerning the addition or replacement of the processors, thereby giving the Customer the opportunity to object to such changes provided that if the Customer objects to the changes and cannot demonstrate, to HelloKindred’s reasonable satisfaction, that the objection is due to an actual or likely breach of Applicable Data Protection Law, the Customer shall indemnify HelloKindred for any losses, damages, costs (including legal fees) and expenses suffered by HelloKindred in accommodating the objection.
      2. transfer Customer Personal Data outside of the UK as required for the Purpose, provided that HelloKindred shall ensure that all such transfers are effected in accordance with Applicable Data Protection Laws. For these purposes, the Customer authorises HelloKindred to enter into standard data protection clauses adopted by the EU Commission from time to time (where the EU GDPR applies to the transfer) or adopted by the UK Information Commissioner from time to time (where the UK GDPR applies to the transfer).

Annex A – Role of the Parties

Part 1 – Where HelloKindred acts as a controller of Customer Personal Data

when processing personal data of Customer personnel for account management, billing, business administration and other customer relationship management purposes

Part 2 – Where HelloKindred acts as a processor of Customer Personal Data

any processing that occurs in the performance of the Services, including developing applications that process or analyse Customer Personal Data.

Annex B – Particulars of the processing

Subject Matter of Processing
Delivery of Services as defined in a Statement of Work
Duration of Processing
The term of the applicable Agreement.
Nature and Purpose of Processing
any processing that occurs in the performance of the Services, including developing applications that process or analyse Customer Personal Data
Type of Personal Data
[Name, Telephone Number, Work Location/Address, Work Email Address, Browser History]
Categories of Data Subject
Customer employees.
Prospective or actual customers of the Customer.