Data Processing Agreement

GDPR Compliance Notice
Last Updated: 05/01/18

1. The Controller (Website Visitor) and the Processor ( entered into a service provider agreement that requires the Processor to process Personal Data on behalf of the Controller.
2. This Agreement is to ensure there is proper arrangements in place relating to personal data passed from the Controller to the Processor.
3. This Agreement is compliant with the requirements of Article 28 of the General Data Protection Regulation.
4. The parties wish to record their commitments under this Agreement.
5. This Data Processing Agreement modifies the agreement between the Parties based on the Processor’s Standard Terms for clients available at

Definitions and Interpretation
In this Agreement:
1. “Data Protection Laws” means the Data Protection Act 1998, together with successor legislation incorporating GDPR;
2. “GDPR” means the General Data Protection Regulation;
3. “Services” means the provision of Affiliate Marketing services
4. Relevant personal data means personal data that the Processor processes on behalf of the Controller in connection with performing services for or obligations owed to Controller, pursuant to the Agreement;
5. Controller, data subject, personal data, personal data breach, processor, processing and sensitive data shall each bear the meanings given to them in the GDPR

Data Processing
The Processor agrees to process the Data for the Controller only in accordance with Data Protection Laws and in particular on the following conditions:
1. The Processor shall only process the Data
(1) On instructions from the Controller
(2) Only process the Data for completing the Service
2. Data provided to the Processor for provision of the Service is pseudonymous, non-sensitive, largely technical and not related to behavior, predictions or evaluations of consumer interest or personalities.
3. Ensure that all employees and other representatives accessing the Data are (i) aware of the terms of this Agreement (ii) have received comprehensive training on Data Protection Laws and related good practice, and (iii) are bound by a commitment of confidentiality (Article 28, para 3(b) GDPR);
4. The Processor have agreed to implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, complying with Article 32 of GDPR
5. Taking into account the nature of the processing, assist the Controller by appropriate technical measures, in so far as this is possible, for the fulfilment of the Controllers obligation to respond to requests from individuals exercising their rights laid down in Chapter III of GDPR
6. Assist Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of GDPR – security, notification of data breaches, communication of data breaches to individuals, data protection impact assessments and when necessary consultation with the ICO etc, taking into account the nature of processing and the information available to the Processor (Article 28, para 3(f) GDPR);
7. Immediately contact the Controller if there is any personal data breach or incident where the Data may have been compromised.

Sub Processors
The Processor shall not involve any third party in the processing of the Data without the consent of the Controller. Such consent may be withheld without reason. If consent is given a further processing agreement will be required (Article 28, para 3(d) GDPR);

Category of Data Subjects
For the provision of the Service to the Controller, the Processor collects data related to Users (which could be Visitors, Members or Subscribers) of the Controller.

Data Minimization
The Processor will only process and retain data related to Users who engaged with the Service provided by the Processor

Personal Data Categories
The Controller decides which Data to provide to the Processor. Personal Data Categories the Controller may provide are
1. Tracking (Device Identifier, IP Address)
2. Contact (User Identifier, Email Address)

Processor shall undertake:
1. The appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to data transmitted, stored or otherwise processed. Pseudonymization and encryption of relevant personal data where possible;
2. Immediately notify Controller of any personal data breach affecting or capable of affecting relevant personal data, and provide the Controller with all co-operation and assistance reasonably requested by the Controller to enable the Controller to notify the personal data breach to the relevant supervisory authority and relevant data subjects (as determined by the Controller)

Following full termination of the provision of the Service to the Controller, the Data Processor will delete all Personal Data in its possession as provided on request, except to the extent the Data Processor is required by Applicable law to retain some or all of the Data (in which case the Data Processor will archive the data and implement reasonable measures to prevent the Data from any further processing). The terms of this Data Processing Agreement will continue to apply to such Data.