Spearline Data Processing Agreement

1. INTERPRETATION

  • “Data” means the Personal Data processed by Spearline on behalf of the Client in connection with the Services;
  • “MSA” means the master services agreement in place between the Parties;
  • “Personal Data” means personal data as defined in Data Protection Law, as specified in Annex 1;
  • “Permitted Third Party Service Provider” means a third party service provider listed in Annex 2 for the permitted processing activities listed therein and/or otherwise approved by the Client in writing from time to time; and
  • “Personnel” means those employees of Spearline to whom disclosure of Data is necessary for the provision of the Services and who are appropriately trained in and committed to data security and confidentiality.

 

2. STATUS OF THE PARTIES

2.1 The parties acknowledge that, in relation to the Data, and for the purposes of Data Protection Law, Spearline is a data processor and the Client is the data controller.

3. DATA PROCESSOR’S OBLIGATIONS

3.1 Spearline undertakes and agrees with the Client that: 

(a) it shall only process: 

  • Data strictly in accordance with the documented instructions of the Client; 
  • Data in accordance with the nature and purpose of the processing set out in Annex 1; 
  • the minimum volume of Data which is strictly necessary for the performance of the Services; 

(b) any Processing of Data by Spearline shall be carried out in full compliance with Data Protection Law; 

(c) it shall inform the Client as soon as practicable if, in its opinion, it receives an instruction from the Client which infringes Data Protection Law; 

(d) it shall disclose Data only to those members of its Personnel to whom such disclosure is necessary for the exercise of its rights, and performance of its obligations, under this Schedule and the MSA.

4. SUB-PROCESSORS

Spearline shall be permitted to sub-contract processing of Data to a Permitted Third Party Service Provider provided that Spearline shall remain responsible for the performance of the Permitted Third Party Service Provider’s data protection obligations. 

5. INTERNATIONAL TRANSFERS

Spearline uses the services of Permitted Third Party Service Providers, some of whom may be based outside of the European Economic Area (the “EEA”). To the extent the services of the Permitted Third Party Service Providers require a transfer or processing of Data outside of the EEA, such transfer shall be in compliance with Data Protection Law. 

6. AUDIT

6.1 Spearline will conduct at least annual audits of its personal data processing practices and its information technology and information security controls, including, but not limited to, obtaining a network-level vulnerability assessment performed by a recognised third party audit firm based on recognised industry best practices.

6.2 On the Client’s written request, Spearline will make any relevant audit reports or extracts thereof available to the Client for review. The Client shall treat such audit reports as Spearline’s confidential information under this Agreement.

7. SECURITY

Spearline shall implement appropriate security measures to prevent accidental or unauthorised loss, destruction, damage, alteration, disclosure or unlawful or unauthorised access to any Data in the custody of Spearline, and Spearline shall ensure that its Personnel are aware of and comply with those measures.

8. DATA BREACH

8.1 Spearline shall, promptly after becoming aware of it, notify the Client of any unauthorised access to, or unauthorised use, alteration, disclosure, accidental loss or destruction of, any Data in the custody of Spearline (each a “data breach”).

8.2 In the event of any data breach, Spearline shall: 

  • take prompt action to investigate the cause of the data breach; 
  • promptly assist the Client in complying with its obligations under Articles 32 to 36 of the GDPR.

9. DATA SUBJECT REQUESTS AND COMPLAINTS

9.1 Spearline shall promptly notify the Client of any request from a data subject to exercise any of his or her rights under Data Protection Law or any complaint from any data subject. 

9.2 Spearline shall not accede to any such request or deal with any complaint except on the written instructions of the Client.

9.3 Spearline shall, on request by the Client and at the Client’s expense, and taking into account the nature of the processing, assist the Client by appropriate technical and organisational measures, for the fulfilment of the Client’s obligation to respond to requests for exercising the data subject’s rights under Data Protection Law. 

10. DESTRUCTION OF DATA

Upon termination of this Agreement, Spearline shall, upon the request of the Client, destroy all Data and shall certify such destruction in writing to the Client on request from time to time.

Data destruction will be carried out in accordance with GDPR legislation, taking into account the statutory retention periods.

11. WARRANTIES AND REPRESENTATIONS

The Client represents and warrants to Spearline, on a continuing basis for the duration of this Agreement, that:

  • all consents, if required, for the processing of all the Data by Spearline in the manner contemplated by this Agreement have been validly obtained and are in full force and effect; 
  • the Client has complied with all of its obligations (however arising) in respect of all the Data; and 
  • the processing by Spearline of the Data in the manner contemplated by this Agreement will not infringe the rights of any person under Data Protection Law in any jurisdiction other than Ireland.  

Annex 1

PERSONAL DATA

| Item | Description | Details |
|------|-------------|---------|
| 1. | Types of personal data to be processed | Name & e-mail address to provide access to the platform; IP Address, Browser & OS to assist with any troubleshooting issues |
| 2. | Categories of data subjects | employee, contractor, any other individual |
| 3. | Nature of the processing | Any operation or set of operations which may be performed on personal data or sets of personal data, whether or not by automated means, to include collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. |
| 4. | Purpose of the processing | Provision of the Services under the MSA |

Annex 2

PERMITTED THIRD PARTY SERVICE PROVIDERS

  1. Amazon Web Services
  2. Google Cloud