Legal and Compliance
Spearline Data Processing Agreement

1. INTERPRETATION

  • “Data” means the Personal Data processed by Spearline on behalf of the Client in connection with the Services; 
  • “MSA” means the Master Services Agreement in place between the Parties.
  • “Personal Data” means personal data as defined in Data Protection Law, as specified in Annex 1; 
  • “Permitted Third Party Service Provider” means a third party service provider listed in Annex 2 for the permitted processing activities listed therein and/or otherwise approved by the Client in writing from time to time; and
  • “Personnel” means those employees of Spearline to whom disclosure of Data is necessary for the provision of the Services and who are appropriately trained in and committed to data security and confidentiality.

 

2. STATUS OF THE PARTIES

2.1 The parties acknowledge that, in relation to the Data, and for the purposes of Data Protection Law, Spearline is a Data Controller and Processor.

2.2 Sub-Processor

Spearline shall be permitted to sub-contract processing of Data to a Permitted Third Party Service Provider provided that Spearline shall remain responsible for the performance of the Permitted Third Party Service Provider’s data protection obligations. 

Spearline will give 7 days prior written notice before engaging with a new Sub-Processor, including details of the Processing to be undertaken by the Sub-Processor.

Please find a list of permitted third party service providers below:

  1. Amazon Web Services
  2. Google Cloud
  3. HubSpot

3. DATA PROCESSOR’S OBLIGATIONS

3.1 Spearline undertakes and agrees with the Client that: 

(a) it shall only process: 

  • Data strictly in accordance with the documented instructions of the Client under consideration of the GDPR legislation. The Data Protection Law will always have higher priority.
  • Data in accordance with the nature and purpose of the processing set out in Annex 1; 
  • the minimum volume of Data which is strictly necessary for the performance of the Services;
     

(b) any Processing of Data by Spearline shall be carried out in full compliance with Data Protection Law; 

(c) it shall inform the Client as soon as practicable if, in its opinion, it receives an instruction from the Client which infringes Data Protection Law; 

(d) it shall disclose Data only to those members of its Personnel to whom such disclosure is necessary for the exercise of its rights, and performance of its obligations, under this Schedule and the MSA.

4. INTERNATIONAL TRANSFERS

Spearline uses the services of Permitted Third Party Service Providers, some of whom may be based outside of the European Economic Area (the “EEA”). To the extent the services of the Permitted Third Party Service Providers require a transfer or processing of Data outside of the EEA, such transfer shall be in compliance with Data Protection Law. 

Wherever your personal information is transferred, stored or processed by Spearline, we will take reasonable steps to safeguard the privacy of your personal information.

 

These steps may include implementing standard contractual clauses where recognized by law, obtaining your consent or other lawful means of transferring personal information.

6. AUDIT

6.1 Spearline will conduct at least annual audits of its personal data processing practices and its information technology and information security controls, including, but not limited to, obtaining a network-level vulnerability assessment performed by a recognised third party audit firm based on recognised industry best practices.

6.2 On the Client’s written request, Spearline will make any relevant audit reports or extracts thereof available to the Client for review. The Client shall treat such audit reports as Spearline’s confidential information under this Agreement.

7. SECURITY

Spearline shall implement appropriate security measures to prevent accidental or unauthorized loss, destruction, damage, alteration, disclosure or unlawful or unauthorized access to any Data in the custody of Spearline, and Spearline shall ensure that its Personnel are aware of and comply with those measures.

8. DATA BREACH

8.1 Spearline shall promptly after becoming aware of it notify the Client of any unauthorized access to, or unauthorized use, alteration, disclosure, accidental loss or destruction of, any Data in the custody of Spearline (each a “data breach”).

8.2 In the event of any data breach, Spearline shall: 

  • take prompt action to investigate the cause of the data breach; 
  • promptly assist the Client in complying with its obligations under Articles 32 to 36 of the GDPR.
  • take steps to immediately remediate any data breach, including any costs of remediation and/or fines incurred where the Data Breach is deemed to be caused by Spearline’s negligence.

9. DATA SUBJECT ACCESS REQUESTS AND COMPLAINTS

9.1 Data Subject Access Requests
Spearline shall review and respond to any request from a Client to exercise any of his or her rights under Data Protection Law from any data subject within 30 days after the request has been received.

Who is my point of contact?

While a Data Protection Officer is not mandatory, Spearline is committed to protecting your data and has appointed the following representative as your point of contact:

Email: dps@spearline.com
OR
Data Protection Specialist,
Spearline HQ,
Skibbereen,
County Cork,
P81 H102

9.2 In the case of a complaint

If you are dissatisfied with how your data request is dealt with by Spearline, please contact our Data Protection Specialist so we can rectify it.

You may wish to make a complaint to the Office of the Data Protection Commissioner via any of the following means:

Telephone: +353 (0) 761 104 800 or LoCall 1890 252 231

Email: info@dataprotection.ie

Postal Address: Data Protection Commission, Canal House, Station Road, Portarlington, R32 AP23, County Laois

9.3 Spearline shall, on request by the Client and at the Client’s expense, and taking into account the nature of the processing, assist the Client by appropriate technical and organizational measures, for the fulfillment of the Client’s obligation to respond to requests for exercising the data subject’s rights under Data Protection Law. 

10. DESTRUCTION OF DATA

Upon termination of the Data Processing Agreement, Spearline shall, upon the request of the Client, destroy all Data and shall certify such destruction in writing to the Client on request from time to time.

Data Destruction will be carried out as per GDPR legislation under consideration of the statutory retention periods.

11. WARRANTIES AND REPRESENTATIONS

The Client represents and warrants to Spearline, on a continuing basis for the duration of this Agreement that: 

  • all consents, if required, for the processing of all the Data by Spearline in the manner contemplated by this Agreement have been validly obtained and are in full force and effect; 
  • the Client has complied with all of its obligations (however arising) in respect of all the Data; and 
  • the processing by Spearline of the Data in the manner contemplated by this Agreement will not infringe the rights of any person under Data Protection Law in any jurisdiction other than Ireland.  

Last update of the agreement 09/02/2023



ANNEX 1: DATA CATEGORIES

1. Customer / Clients

2. Suppliers

3. Other
(Applicants, website users, prospective customers)

a) the categories of “personal data”:

– Your name

– Your job title

– Your company name

– Your company address(es)

– Your company email address(es)

– Your contact phone number(s)
– Username

– Passwords (encrypted)
– Password reminders

– Employment details which you have provided
– Online Identifiers (IP, Cookies)
– Device information

– Records of Service offering subscriptions
– Payments history


b) “special categories of personal data”:

– Is not collected 


c) categories of data relating to criminal offenses

– Is not collected 


d) “processed” by Spearline (as such terms are defined in GDPR):

As listed under (a), (b) and (c)

a) the categories of “personal data”:

– Your name

– Your job title

– Your company name

– Your company address(es)

– Your company email address(es)

– Your contact phone number(s)
– Username

– Passwords (encrypted)
– Password reminders
– Online Identifiers (IP, Cookies)

– Device information
– Payments history


b) “special categories of personal data”:

– Is not collected 


c) categories of data relating to criminal offenses

– Is not collected 


d) “processed” by Spearline (as such terms are defined in GDPR):

As listed under (a), (b) and (c)

a) the categories of “personal data”:
– Name

– email address

– phone number

– Your Job title
– Location

– Online Identifiers (IP, Cookies) 

– Device information

For processing Job applications:

– Name

– Your Date of birth

– Your current job title

– Your address(es)

– Your email address(es)

– Your contact phone number(s)

– Employment details which you have provided
– Username

– Passwords (encrypted)
– Password reminders

– Location

– Online Identifiers (IP, Cookies) 

– Device information


b) “special categories of personal data”:

– May be collected during Job applications 


c) categories of data relating to criminal offenses

– Is not collected 


d) “processed” by Spearline (as such terms are defined in GDPR):

As listed under (a), (b) and (c)









ANNEX 2: DATA PURPOSE

Consent

You may agree or explicitly consent to the collection and use of your data as set out in Spearline’s privacy statement in the contract documents.

You may agree or explicitly consent to the collection and use of your data as set out in Spearline’s privacy statement, when you tick the “Yes, I’m in” or the “I opt-in” options on the Spearline website.

Contract

We may use your personal data to fulfill contractual obligations or in circumstances where you have asked us to do something before the contract, such as providing a quote or demo.

Any operation or set of operations which may be performed on personal data or sets of personal data, whether or not by automated means, to include collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Legal Obligation

We may use your data in circumstances where it is necessary because we have to comply with a legal obligation, under Irish or EU law.

Legitimate Interests

We may use your data for our legitimate interests. This can include business purposes, like:

(i) where the processing enables us to enhance, modify, personalize or otherwise improve our services/communications for the benefit of our customers
(ii) to identify and prevent fraud
(iii) to enhance the security of our network and information systems
(iv) to better understand how people interact with our websites
(v) to determine the effectiveness of promotional campaigns and advertising.

Vital Interests

We may use your data in circumstances where, for example, it could save a person’s life and the processing is necessary.