Data Processing

1 In this agreement, the following definitions apply:

Controller, Processor, Data Subject, Personal Data, Personal Data Breach, processing, and appropriate technical and organisational measures: as defined in the Data Protection Legislation.

Data Protection Legislation: all applicable data protection and privacy legislation in force from time to time in the UK including the UK GDPR; the Data Protection Act 2018 (DPA 2018) (and regulations made thereunder) and the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426) as amended and all other legislation and regulatory requirements in force from time to time which apply to a party relating to the use of personal data (including, without limitation, the privacy of electronic communications); and the guidance and codes of practice issued by the Information Commissioner or other relevant regulatory authority and applicable to a party.

Domestic Law: the law of the United Kingdom or a part of the United Kingdom.

UK GDPR: has the meaning given to it in section 3(10) (as supplemented by section 205(4)) of the Data Protection Act 2018.

2 Both parties will comply with all applicable requirements of the Data Protection Legislation. This clause is in addition to, and does not relieve, remove, or replace, a party’s obligations or rights under the Data Protection Legislation.

3 The parties acknowledge that for the purposes of the Data Protection Legislation, the Customer is the Controller and Mo is the Processor. The scope, nature, and purpose of processing by Mo, the duration of the processing and the types of Personal Data and categories of Data Subject are as follows:

Scope, Nature & Purpose of processing: Processing personal data in relation to the provision of the Services, answering support queries, delivering usage reports, understanding usage to aid in product improvements, and enabling Authorised Users to provide thanks and feedback to other Authorised Users. 

Duration of the processing: The Subscription Term. 

Types of Personal Data: Names, contact details, job titles, IP addresses, passwords, data created in relation to the use of the Services.

Categories of Data Subject: Employees, agents, and contractors of the Customer.

4 Without prejudice to the generality of clause 1, the Customer will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the Personal Data to Mo and/or lawful collection of the Personal Data by Mo on behalf of the Customer for the duration and purposes of this agreement.

5 Mo shall, in relation to any Personal Data processed in connection with the performance by Mo of its obligations under this agreement:

(a) process that Personal Data only on the documented written instructions of the Customer unless Mo is required by Domestic Law to otherwise process that Personal Data. Where Mo is relying on Domestic Law as the basis for processing Personal Data, Mo shall promptly notify the Customer of this before performing the processing required by the Domestic Law unless the Domestic Law prohibits Mo from so notifying the Customer;

(b) ensure that it has in place appropriate technical and organisational measures, reviewed and approved by the Customer, to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymising and encrypting Personal Data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it); 

(c) ensure that all personnel who have access to and/or process Personal Data are obliged to keep the Personal Data confidential; 

(d) not transfer any Personal Data outside of the UK unless the prior written consent of the Customer has been obtained and the following conditions are fulfilled:

(i) the Customer or Mo has provided appropriate safeguards in relation to the transfer;

(ii) the data subject has enforceable rights and effective legal remedies;

(iii) Mo complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred; and

(iv) Mo complies with reasonable instructions notified to it in advance by the Customer with respect to the processing of the Personal Data;

(e) assist the Customer, at the Customer’s cost, in responding to any request from a Data Subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators;

(f) notify the Customer without undue delay on becoming aware of a Personal Data Breach;

(g) at the written direction of the Customer, delete or return Personal Data and copies thereof to the Customer on termination of the agreement unless required by Domestic Law to store the Personal Data; and

(h) maintain complete and accurate records and information to demonstrate its compliance with this clause and allow for audits by the Customer or the Customer’s designated auditor and immediately inform the Customer if, in the opinion of Mo, an instruction infringes the Data Protection Legislation.

6

(a) The Customer consents to Mo appointing the processors set out on Mo’s third party processors webpage (mo.work/legal/third-party-processors) as third-party processors of Personal Data under this agreement. Mo confirms that it has entered or (as the case may be) will enter with the third-party processor into a written agreement incorporating terms which are substantially similar to those set out in this clause and in either case which Mo confirms reflect and will continue to reflect the requirements of the Data Protection Legislation. As between the Customer and Mo, Mo shall remain fully liable for all acts or omissions of any third-party processor appointed by it pursuant to this clause.

(b) Mo may only authorise a new third-party processor to process the Personal Data if:
(i) the Customer provides written consent prior to the appointment of each third-party processor or is provided with an opportunity to object to the appointment of each subcontractor within 30 working days after Mo supplies the Customer with full details in writing regarding such third-party processor;
(ii) Mo enters into a written contract with the subcontractor that contains terms substantially the same as those set out in this Agreement, in particular, in relation to requiring appropriate technical and organisational data security measures, and, upon the Customer’s written request, provides the Customer with copies of the relevant excerpts from such contracts;
(iii) Mo maintains control over all of the Personal Data it entrusts to the subcontractor; and
(iv) the subcontractor’s contract terminates automatically on termination of this Agreement for any reason.

(c) Mo shall provide notice of a new subcontractor by:
(i) posting such subcontractor at the following webpage https://mo.work/legal/third-party-processors; and
(ii) sending an email to the last known email address for the Customer that Mo has on file.

(d) If the Customer does not object within thirty (30) days of receipt of the notice, it is deemed to have accepted the new subcontractor.

This Data Processing Agreement was last updated on 15th February 2024
