DATA TRANSFER AGREEMENT
Version 13, 20 October 2023
This data transfer agreement (the "DTA") forms part of the Intersoft Services Agreement entered into by the parties (the "Services Agreement") and supplements the data processing clauses in the Services Agreement. This DTA applies in relation to international transfers of personal data that are restricted under EU and/or UK data protection laws.
1. Definitions
1.1 In this DTA, in addition to the words and phrases defined in the Services Agreement:
"Applicable Safeguards" means:
(a) in relation to Restricted Transfers under the EU GDPR, the EU Standard Contractual Clauses; and
(b) in relation to Restricted Transfers under the UK GDPR, the EU Standard Contractual Clauses as modified by the UK Addendum;
"EU GDPR" means the EU General Data Protection Regulation 2016/679, as amended, superseded or replaced from time to time;
"EU Standard Contractual Clauses" means the Standard Contractual Clauses in the annex to Commission Implementing Decision (EU) 2021/914 of 4 June 2021, as referenced in and adapted in accordance with Attachment 1;
"Inter-Party Transfer" means a Restricted Transfer of Relevant Personal Data made by the Customer to Intersoft or by Intersoft to the Customer;
"Relevant Personal Data" means:
(a) the Customer Personal Data;
(b) any other Personal Data that is provided or made available directly or indirectly by the Customer to Intersoft, or by Intersoft to the Customer, under or in connection with the Services Agreement from time to time;
"Restricted Transfer" means an international transfer of Personal Data that is:
(a) restricted under Article 44 of the EU GDPR and is not to a jurisdiction or sector that the Commission has decided ensures an adequate level of protection under Article 45 of the EU GDPR; and/or
(b) restricted under Article 44 of the UK GDPR and is not to a jurisdiction or sector that is the subject of adequacy regulations under Section 17A of the Data Protection Act 2018;
"Subsequent Transfer" means a Restricted Transfer of Relevant Personal Data:
(a) by Intersoft to any third party, or by any third party acting on behalf of Intersoft, where the Relevant Personal Data was provided or made available directly or indirectly by the Customer to Intersoft; or
(b) by the Customer to any third party, or by any third party acting on behalf of Customer, where the Relevant Personal Data was provided or made available directly or indirectly by Intersoft to the Customer;
"UK GDPR" means EU GDPR as incorporated into UK law by the Data Protection Act 2018 and the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019, as amended, superseded or replaced from time to time; and
"UK Addendum" means the UK addendum to the EU Standard Contractual Clauses issued or proposed by the UK Information Commissioner under section 119A(1) of the Data Protection Act 2018, as referenced in Attachment 4.
2. Term
2.1 This DTA shall come into force on the Effective Date and shall continue in force until the termination of the Services Agreement.
3. Transfers
3.1 The parties agree that all Inter-Party Transfers shall be subject to the Applicable Safeguards, which are deemed in each case to be adapted and/or completed using the information set out or referenced:
(a) in relation to Inter-Party Transfers made by the Customer acting as controller to Intersoft acting as controller or processor, in Attachment 1, Attachment 2 and Attachment 4 (as appropriate); and
(b) in relation to Inter-Party Transfers made by Intersoft acting as controller or processor to the Customer acting as controller, in Attachment 1, Attachment 3 and Attachment 4 (as appropriate).
3.2 In relation to Subsequent Transfers of Personal Data provided or made available by the Customer to Intersoft, Intersoft must ensure that the Applicable Safeguards shall apply; and in relation to Subsequent Transfers of Personal Data provided or made available by Intersoft to the Customer, the Customer must ensure that the Applicable Safeguards apply. A party that is obligated to ensure that Applicable Safeguards apply with respect to a Subsequent Transfer must promptly, following receipt of a written request from the other party, provide to the other party reasonable written evidence of those Applicable Safeguards and their execution.
3.3 The Applicable Safeguards applying between the Customer and Intersoft are hereby incorporated into the Services Agreement, but only with respect to each specific Inter-Party Transfer and the Relevant Personal Data that is the subject of each specific Inter-Party Transfer.
4. Protection and conflicts
4.1 If Applicable Safeguards under both the EU GDPR and the UK GDPR apply, then those provisions specifying a higher standard of protection for the relevant Personal Data shall apply in place of those specifying a lower standard of protection.
4.2 If there is a conflict between the Applicable Safeguards as applied by this DTA and the provisions of the Services Agreement, then those provisions specifying a higher standard of protection for the relevant Personal Data shall apply in place of those specifying a lower standard of protection.
5. Changes
5.1 Intersoft may by giving at least 30 days' written notice to the Customer change the Applicable Safeguards that apply to any Restricted Transfers to the extent permitted by the EU GDPR and/or the UK GDPR, and in particular:
(a) with respect to the EU GDPR, if the Commission decides that new or alternative standard contractual clauses shall apply;
(b) with respect to the UK GDPR, if the UK Secretary of State makes regulations specifying that new or alternative standard contractual clauses shall apply.
5.2 The parties acknowledge that Applicable Safeguards may cease to be required by this DTA, and accordingly may cease to apply:
(a) with respect to the EU GDPR, because of a Commission decision that a jurisdiction or sector ensures an adequate level of protection under Article 45 of the GDPR;
(b) with respect to the UK GDPR, because of adequacy regulations under Section 17A of the Data Protection Act 2018.
5.3 Without prejudice to Intersoft's rights under Clause 5.1, if any changes or prospective changes to the Data Protection Laws result or will result in one or both parties not complying with the Data Protection Laws in relation to Restricted Transfers carried out under the Services Agreement, then the parties shall use their best endeavours promptly to agree such variations to this DTA as may be necessary to remedy such non-compliance.
ATTACHMENT 1 (ADAPTATIONS TO EU STANDARD CONTRACTUAL CLAUSES)
| Provision | Adaptation |
| --- | --- |
| Clause 7 | Clause 7 shall be included. |
| Clause 9 | The "GENERAL WRITTEN AUTHORISATION" text shall apply, and the "SPECIFIC WRITTEN AUTHORISATION" text shall be deleted. The time period referenced in paragraph 1 of that text shall be 7 days. |
| Clause 11 | The optional text in Clause 11 shall be omitted. |
| Clause 17 | With respect to Modules 1, 2 and 3, the "OPTION 1" text shall apply, and the "OPTION 2" text shall be omitted. The relevant law specified in the Services Agreement as being applicable to the clauses shall govern the clauses. |
| Clause 18 | The courts specified in the Services Agreement shall resolve disputes arising from the clauses. |
A copy of the EU Standard Contractual Clauses, adapted in accordance with this document, can be seen at https://legal.intersoft.co.uk/eu-standard-contractual-clauses.
ATTACHMENT 2 (TRANSFER INFORMATION – CUSTOMER TO INTERSOFT)
ANNEX I
A. LIST OF PARTIES
Data exporter(s):
| 1. | |
| Name: | The Customer, as identified in the Services Agreement |
| Address: | As specified in the Services Agreement |
| Contact person’s name, position and contact details: | As specified in the Services Agreement |
| Activities relevant to the data transferred under these Clauses: | Contracting for, receiving and enabling the administration of the Services to be provided by Intersoft under the Services Agreement |
| Signature and date: | By signing the Services Agreement, the parties have agreed the provisions of the Applicable Safeguards |
| Role (controller/processor): | Controller |
Data importer(s):
| 1. | |
| Name: | Intersoft, as identified in the Services Agreement |
| Address: | As specified in the Services Agreement |
| Contact person’s name, position and contact details: | As specified in the Services Agreement |
| Activities relevant to the data transferred under these Clauses: | Contracting for, providing and administering the Services to be provided to the Customer under the Services Agreement |
| Signature and date: | By signing the Services Order Form, the parties have agreed the provisions of the Applicable Safeguards |
| Role (controller/processor): | Processor (except where specified as controller in B below) |
B. DESCRIPTION OF TRANSFER
| Categories of data subjects whose personal data is transferred | (1) & (2) Shipment addressees (3) Customer personnel* |
| Categories of personal data transferred | (1) Address and shipment data (names, business names, addresses, phone numbers, email address, public IP addresses, shipment information) (2) Tracking data (tracking event codes, tracking number, tracking event date, tracking event time) (3) Business identity and contact information (names, business names, addresses, phone numbers, email address, job title); support ticket information |
| Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures. | (1), (2) & (3) None |
| The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis). | (1) When uploaded by Customer to Intersoft systems, typically on a regular basis (2) When data is pushed from a Customer web instance to a Customer endpoint (3) When Intersoft is onboarding the Customer |
| Nature of the processing | (1) & (2) Processing by Intersoft in the course of the provision of the Services (3) Processing by Intersoft in managing its relationship with Customer |
| Purpose(s) of the data transfer and further processing | (1) & (2) Provision of the Services (3) Enabling the provision of the Services, the provision of support to the Customer, communications between the parties, invoicing and billing, accounting, general administration, the negotiation and execution of contracts and orders, sending notifications to the Customer, marketing |
| The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period | (1) & (2) In accordance with Clause 19 of the Services Agreement (3) In accordance with the Intersoft privacy policy |
| For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing | (1) & (2) In accordance with Clause 19 of the Services Agreement (3) In accordance with the Intersoft privacy policy |
*Intersoft acts as controller with respect to the category (3) transfers.
C. COMPETENT SUPERVISORY AUTHORITY
| Identify the competent supervisory authority/ies in accordance with Clause 13 | As specified in the Services Agreement |
ANNEX II
TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
| Measure | Description |
| --- | --- |
| As specified in Attachment 5 | As specified in Attachment 5 |
ANNEX III
LIST OF SUB-PROCESSORS
Not applicable, as the Customer has granted to Intersoft general authorisations in relation to the appointment of sub-processors.
ATTACHMENT 3 (TRANSFER INFORMATION – INTERSOFT TO CUSTOMER)
ANNEX I
A. LIST OF PARTIES
Data exporter(s):
| 1. | |
| Name: | Intersoft, as identified in the Services Agreement |
| Address: | As specified in the Services Agreement |
| Contact person’s name, position and contact details: | As specified in the Services Agreement |
| Activities relevant to the data transferred under these Clauses: | Contracting for, providing and administering the Services to be provided to the Customer under the Services Agreement |
| Signature and date: | By signing the Services Order Form, the parties have agreed the provisions of the Applicable Safeguards |
| Role (controller/processor): | Processor (except where specified as controller in B below) |
Data importer(s):
| 1. | |
| Name: | The Customer, as identified in the Services Agreement |
| Address: | As specified in the Services Agreement |
| Contact person’s name, position and contact details: | As specified in the Services Agreement |
| Activities relevant to the data transferred under these Clauses: | Contracting for, receiving and enabling the administration of the Services to be provided by Intersoft under the Services Agreement |
| Signature and date: | By signing the Services Order Form, the parties have agreed the provisions of the Applicable Safeguards |
| Role (controller/processor): | Controller |
B. DESCRIPTION OF TRANSFER
| Categories of data subjects whose personal data is transferred | (1) & (2) Shipment addressees |
| Categories of personal data transferred | (1) Address and shipment data (names, business names, addresses, phone numbers, email address, public IP addresses, shipment information) (2) Tracking data (tracking event codes, tracking number, tracking event date, tracking event time) |
| Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures. | (1) & (2) None |
| The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis). | (1) & (2) When transferred to the Customer at the instigation of the Customer using Intersoft systems, typically on a regular basis |
| Nature of the processing | (1) & (2) Processing via Intersoft's systems at the instigation of the Customer in the course of the provision of the Services |
| Purpose(s) of the data transfer and further processing | (1) & (2) Receipt of the Services |
| The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period | (1) & (2) In accordance with the Customer's (or other relevant controller's) privacy policy |
| For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing | (1) & (2) In accordance with the Customer's (or other relevant controller's) privacy policy |
C. COMPETENT SUPERVISORY AUTHORITY
| Identify the competent supervisory authority/ies in accordance with Clause 13 | As specified in the Services Agreement |
ANNEX II
TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
| Measure | Description |
| --- | --- |
| As specified in the security policy document(s) referenced in the Services Agreement or otherwise agreed by the parties. | As specified in the security policy document(s) referenced in the Services Agreement or otherwise agreed by the parties. |
ANNEX III
LIST OF SUB-PROCESSORS
Not applicable, as the Customer acts as controller with respect to all relevant transfers.
ATTACHMENT 4 (UK ADDENDUM)
A copy of the UK Addendum can be seen at https://contract.intersoft.co.uk/uk-international-data-transfer-addendum.
ATTACHMENT 5 (INTERSOFT SECURITY MEASURES)
Intersoft has implemented and will maintain appropriate technical and organisational measures, internal controls and information security routines intended to protect Customer Data.
Intersoft maintains and enforces various policies, standards and processes designed to secure Personal Data and other data to which Intersoft employees are provided access. The following is a description of some of the core technical and organisational security measures implemented by Intersoft.
Physical Security. Intersoft will maintain commercially reasonable security systems at all Intersoft sites at which an information system that uses or houses Personal Data is located. Intersoft reasonably restricts access to such Personal Data appropriately.
Organisational Security. Intersoft will implement security policies and procedures to classify sensitive information assets, clarify security responsibilities and promote awareness for employees.
Intersoft implements a security awareness program to train personnel about their security obligations. This program includes training about data classification obligations; physical security controls; security practices and security incident reporting.
Intersoft will conduct periodic risk assessments and review and, as appropriate, revise its information security practices at least annually or whenever there is a material change in Intersoft’s business practices that may reasonably affect the security, confidentiality or integrity of Personal Data, provided that Intersoft will not modify its information security practices in a manner that will weaken or compromise the confidentiality, availability or integrity of Personal Data.
Intersoft carries out due-diligence checks on its data processing partners & service providers to ensure ongoing compliance and minimisation of data related incidents.
Incident Management. Intersoft maintains an information security incident management program that provides timely response and notification as appropriate to security incidents to protect personal data.
Monitoring. Intersoft monitors its systems by logging security-related events, alerting on suspicious activity, and conducting further analysis.
Network Security. Intersoft maintains network security using commercially available equipment and industry standard techniques, including firewalls, DDoS protection, multi-factor authentication, intrusion detection and/or prevention systems, access control lists and routing protocols.
Access Control. Intersoft will maintain appropriate access controls, including, but not limited to, restricting access to Personal Data to the minimum number of Intersoft personnel who require such access to perform their duties.
Intersoft will require personnel to comply with its Information Security Program prior to providing personnel with access to Personal Data.
Only authorized staff can grant, modify or revoke access to an information system that uses or houses Personal Data.
User administration procedures define user roles and their privileges, and how access is granted, changed and terminated, and address appropriate segregation of duties.
All employees of Intersoft are assigned unique User-IDs.
Access rights are implemented adhering to the “least privilege” approach.
Data Security. Intersoft will encrypt, using industry-standard encryption, all sensitive data that Intersoft: (i) transmits or sends wirelessly or across public networks; (ii) stores on laptops or storage media; and (iii) stores on portable devices, where technically feasible. Intersoft will safeguard the security and confidentiality of all encryption keys associated with encrypted Sensitive Information / Personal Data.
Data masking will be implemented where feasible to minimize exposure of sensitive data.
Virus and Malware Controls. Intersoft installs and maintains anti-virus and malware protection software on the system to protect Personal Data from anticipated threats or hazards and protect against unauthorized access to or use of Personal Data.
Availability. Intersoft has the functionality of restoring from backups for business-critical processes and restoring the availability of and access to personal data in a timely manner in the event of a physical or technical incident.
Third party hosting providers are utilised to provide stable & secure infrastructure to improve the availability of Intersoft's products and services.