Data Processing Agreement

Last updated: March 2024

BACKGROUND

The Customer and MEDDICC entered into Terms of Service (TOS) that may require MEDDICC to process Personal Data on behalf of the Customer.
This Personal Data Processing Agreement (DPA) sets out the additional terms, requirements and conditions on which MEDDICC will process Personal Data when providing Services under the TOS (‘the Services’). This DPA contains the mandatory clauses required by Article 28(3) of UK GDPR (the retained EU law version of the General Data Protection Regulation ((EU) 2016/679)).

AGREED TERMS

This DPA is incorporated into the TOS. In the event of conflict between the two, the provisions of the DPA shall prevail.

Defined terms in this DPA, unless indicated otherwise, shall have the same meaning as in Data Protection Legislation.

Data Protection Legislation shall mean “all applicable data protection and privacy legislation in force from time to time including without limitation the UK GDPR; the Data Protection Act 2018 (and regulations made thereunder) (DPA 2018); and the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426) as amended; and all other legislation and regulatory requirements in force from time to time which apply to a party relating to the use of Personal Data”.

MEDDICC and the Customer acknowledge that for the purposes of the Data Protection Legislation, in so far as the processing of Personal Data through MEDDICC’s performance of the Services is concerned (the ‘Customer Data’) the Customer is the Controller and MEDDICC is the Processor.  Further details regarding Customer Data are outlined in Schedule 1.  

MEDDICC and the Customer will comply with the requirements of Data Protection Legislation.

The Customer retains control of the Customer Data and remains responsible for its compliance obligations under Data Protection Legislation, including but not limited to, providing any required notices and obtaining any required consents, and for the written processing instructions it gives to MEDDICC. The Customer shall ensure that all individuals who provide written instructions are authorised to do so.  

MEDDICC shall, in relation to the Customer Data:

(a)    process the Customer Data only on written instructions of the Customer. The scope, nature, purpose and duration of the processing and the Customer Data categories and Data Subject types are described in Schedule 1;
(b)    keep the Customer Data confidential;
(c)    comply with the Customer's reasonable instructions with respect to processing the Customer Data;
(d)    not transfer the Customer Data outside of the UK unless, in accordance with the Data Protection Legislation, MEDDICC ensures that:
(i) the transfer is to a country approved as providing an adequate level of protection for the Personal Data; or 
(ii) there are appropriate safeguards in place for the transfer of the Personal Data; or
(iii) binding corporate rules are in place; or 
(iv) one of the derogations for specific situations applies to the transfer.  
(e)    assist the Customer at the Customer's cost in responding to any data subject access requests and to ensure compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, privacy impact assessments and consultations with supervisory authorities or regulators;
(f)    notify the Customer without undue delay on becoming aware of a Personal Data Breach or communication which relates to the Client's or MEDDICC's compliance with the Data Protection Legislation;
(g)    at the written request of the Customer, delete or return the Customer Data (and any copies of the same) to the Customer on termination of the TOS unless required by the Data Protection Legislation to store the Customer Data; 
(h)    maintain complete and accurate records and information to demonstrate compliance with this Clause 7 and allow for audits by the Customer or the Client's designated auditor; and 
(i)     inform Customer if, in its opinion, an instruction infringes Data Protection Legislation.

MEDDICC shall ensure that it has in place appropriate technical or organisational measures to protect against unauthorised or unlawful processing of the Customer Data and against accidental loss or destruction of, or damage to, the Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures.

The Customer acknowledges and consents generally to the appointment by MEDDICC of third parties as sub-processors of the Customer Data being processed under this DPA.  Here is a current list of the sub-processors that MEDDICC has appointed.

MEDDICC confirms that it shall impose on all sub-processors the same data protection obligations as set out in this DPA and shall remain liable for the actions of its sub-processors.

MEDDICC shall give the Customer notice of the appointment of any new sub-processors and provide the Customer with full details of the processing to be undertaken by the sub-processor, thereby giving the Customer the opportunity to object to such appointment. If MEDDICC so notifies the Customer of any changes to sub-processors and the Customer objects to such changes, the Customer will be entitled to terminate this DPA (without liability for either party, and such termination will be deemed to be a no-fault termination) provided always that the Customer has reasonable grounds for objecting to such changes by reason of the changes causing or being likely to cause the Customer to be in breach of the Data Protection Legislation.

The Customer agrees to indemnify, keep indemnified and defend at its own expense MEDDICC against all costs, claims, damages or expenses incurred by MEDDICC or for which MEDDICC may become liable due to any failure by the Customer or its employees, subcontractors or agents to comply with any of its obligations under this DPA and/or the Data Protection Legislation, in particular any failure by the Customer to comply with the provisions of Clause 6.

Any limitation of liability set forth in the TOS will not apply to this DPA's indemnity or reimbursement obligations. The total aggregate liability of whatever nature, whether in TOS, tort or otherwise, of MEDDICC for any losses whatsoever and howsoever caused arising from or in any way connected with the DPA shall be limited to the total value of the fees actually received by MEDDICC in the 12 months preceding this claim under the TOS between the Parties to which this DPA relates. Notwithstanding the foregoing, nothing in this DPA limits either party’s liability which cannot be legally limited, including (but not limited to) liability for death or personal injury caused by negligence, fraud or fraudulent misrepresentation.

SCHEDULE 1

INSTRUCTIONS REGARDING PROCESSING, CUSTOMER DATA AND DATA SUBJECTS

SCOPE, NATURE AND PURPOSE OF THE PROCESSING

MEDDICC shall be processing the Customer Data, received from the Customer, for the purpose of providing Services to the Customer under the TOS.

DURATION OF THE PROCESSING
The duration of the TOS.

TYPES OF PERSONAL DATA
First name, last name, work email address, employer, account information, job title, geographic region.

CATEGORIES OF DATA SUBJECT
Representatives, Employees, Customers, Staff of Customers