Fospha's Data Protection Agreement


THIS AGREEMENT is made between:

  • Fospha Limited, (with company number 08902419) which expression includes its subsidiaries, affiliates and holding company, whose registered office is at: Scale Space, 58 Wood Lane, London, United Kingdom, W12 7RZ (hereinafter referred to as “Party A”); and
  • You, the company defined in the accompanying Standard Terms and Conditions which accompanies this Data Protection Agreement(hereinafter referred to as “Party B”).

WHEREAS Party A and Party B (hereinafter referred to as the “Parties” and the "Receiving Party" or the "Disclosing Party" as the context so requires) for their mutual benefit wish to exchange certain information of a confidential nature in respect of discussions and work between them relating to improving Party B's marketing effectiveness (the “Purpose”) and wish to protect such information in the manner set out in this Agreement.



  • Definitions:
    • In this Agreement:
      • Controller, Data Subject, Processing, and Processor shall have the same meanings as are assigned to those terms in the GDPR (whereby Process and Processed shall be construed accordingly;
      • Corporate Data refers to any information that is owned, generated, or used by the Disclosing Party. This can include a wide range of data types, such as financial information, customer information, employee information, confidential business plans and strategies, research and development data, and other types of proprietary information;
      • Corporate Data Breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, corporate data;
      • Data Protection Impact Assessment means an assessment of the impact of the envisaged Processing operations on the protection of Corporate Data;
      • Data Protection Laws means (i) any law, statute, declaration, decree, directive, legislative enactment, order, ordinance, regulation, rule or other binding restriction (as amended, consolidated or re-enacted from time to time) which relates to the protection of individuals with regards to the processing of personal data to which a party is subject, including the Act and the GDPR (on and from 25 May 2018), as well as the Privacy and Electronic Communications (EC Directive) Regulations 2003; and (ii) any code of practice or guidance published by any relevant Regulator from time to time;
      • Data Processing Particulars means, in relation to any Processing: (i) the subject matter and duration of the Processing; (ii) the nature and purpose of the Processing; (iii) the type of Corporate Data being Processed; and (iv) the categories and types of Data;
      • GDPR means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and repealing Directive 95/46/EC (General Data Protection Regulation) OJ L 119/1, 4.5.2016;
      • Staff: those persons employed or engaged by a Party or any of its subcontractors from time to time;
    • Term:
    • This Agreement shall be deemed to have commenced on signature date of the accompanying agreement between the parties and shall continue until it is terminated in accordance with the provisions of this Agreement.
      • This Agreement shall continue in force from the date hereof until the earliest of;
      • the date that this Agreement is terminated by mutual consent or by either party giving the other not less than one month’s written notice; and
      • the date upon which the Parties agree that this Agreement has been superseded by any further written agreement(s) entered into between them.
    • Data Protection
      • Each Party shall Process the Corporate Data only in connection with the Purpose. Each Party acknowledges that the factual arrangement between them dictates the role of each Party in respect of this Agreement, as to whether they are a Data Processor or Data Controller. Nothing within this Agreement relieves each Party of its own direct responsibilities and liabilities under the Data Protection Laws.
      • Each of the parties acknowledges and agrees that the Appendix (Data Processing Particulars) is an accurate description of the Data Processing Particulars.
      • Each party shall make due notification of any breaches of the Data Protection Laws to any relevant regulator. To the extent that each Party acts as a Data Processor, that Party (the Processing Party) undertakes to the other Party (the Controlling Party) that it will take all necessary steps to ensure that it operates at all times in accordance with the requirements of the Data Protection Laws and that the Processing Party will, at its own expense, assist the Controlling Party in discharging its obligations under the Data Protection Laws. The Processing Party shall not, whether by act or omission, cause the Controlling Party to breach any of its obligations under the Data Protection Laws.
      • The Corporate Data shall be the confidential information of Party B. Party A shall not disclose the Corporate Data to any third party (other than subcontractors appointed in accordance with clause 7) without the prior written consent of Party B.
      • The Processing Party (as defined in clause 3) shall (and shall procure that the subcontractor shall):
        • only Process the Corporate Data in accordance with this Agreement and any instructions of the Controlling Party (as defined in clause 3);
        • take, implement and maintain appropriate technical and organisational security measures which are sufficient to comply with at least the obligations imposed on the Controlling Party. In the event that the Processing Party becomes aware of any conflict or inconsistency between this clause, the Processing Party shall immediately notify the Controlling Party of such conflict or inconsistency.
        • permit the Controlling Party to audit the Processing Party's compliance with the requirements of this Agreement;
        • take all reasonable steps to ensure the reliability and integrity of any of the Staff who have access to the Corporate Data by ensuring that each member of Staff:
          • shall have undergone reasonable levels of training on Data Protection and in the care and handling of Corporate Data: and
          • shall have entered into appropriate contractually binding confidentiality undertakings and comply with the obligations set out in this clause 3,
          • and the Processing Party shall ensure that only such Staff required by it to assist it in meeting its obligations under this Agreement shall have access to such Corporate Data, and no other Staff shall have access to such Corporate Data;
        • inform the Controlling Party promptly and in any event within twenty-four (24) hours in the event that the Processing Party (or its Subcontractor) fails to comply with this clause 3, and within forty-eight (48) hours in the event that the Processing Party receives a Data Subject Request or Regulator Correspondence, and shall:
          • not disclose any Corporate Data in response to any Data Subject Requests or Regulator Correspondence without first consulting with, and obtaining the consent of, the Controlling Party: and
          • provide the Controlling Party with all reasonable co-operation and assistance required by the Controlling Party in relation to any such Data Subject Request or Regulator Correspondence.
        • comply with the obligations imposed upon a Processor under the Data Protection Laws; and
        • assist the Controlling Party to comply with the obligations imposed on the Controlling Party by the Data Protection Laws, including:
          • obligations relating to notifications required by the Data Protection Laws to the ICO and/ or any relevant Data Subjects: and
          • undertaking any Data Protection Impact Assessments
        • Upon, and in any case within twenty-four (24) hours of becoming aware of any actual or suspected, threatened or ‘near miss’ incident of accidental or unlawful destruction or accidental loss, alteration, unauthorised or accidental disclosure of, or access to, the Corporate Data or other Corporate Data Breach in relation to the Corporate Data or any obligations or duties owed by the Processing Party to the Controlling Party relating to the confidentiality, integrity or availability of Confidential Information, The Processing Party shall notify the Controlling Party of the incident or breach (and follow-up in writing), and shall thereupon: (i) conduct, or support the Controlling Party in conducting, computer forensic investigations and analysis that the Controlling Party requires in respect of such incident or breach; (ii) implement any actions or remedial measures to restore the security of the compromised Corporate Data and/or Confidential Information and which the Controlling Party considers necessary as a result of the breach; and (iii) support the Controlling Party to make any required notifications to any relevant regulator and affected Data Subjects.
        • The Processing Party shall not appoint any subcontractor to process any Corporate Data on behalf of the Controlling Party unless and until the Processing Party has:
          • provided the Controlling Party with full details of the proposed subcontractor (including the results of the due diligence undertaken in accordance with clause 7.2 below before its appointment;
          • undertaken thorough due diligence on the proposed subcontractor, including a risk assessment of the information governance-related practices and processes of the proposed subcontractor, which shall be used by the Processing Party to inform any decision on appointing the proposed subcontractor; and,
          • obtained the Controlling Party’s prior specific written consent to the appointment of the proposed subcontractor.

If a subcontractor is appointed by the Processing Party in accordance with this clause 3.7, the Processing Party shall ensure that such subcontractor is bound by the terms of a contract that imposes on the subcontractor substantially similar data protection obligations as those set out in this clause 7. Where the subcontractor fails to fulfil its data protection obligations or information security obligations, the Processing Party shall remain fully liable to the Controlling Party for the performance of the subcontractor’s obligations.

  • The Processing Party hereby indemnifies, and shall keep indemnified, the Controlling Party and keep the Controlling Party held harmless from and against:
    • except to the extent covered by clauses 8.2 or 3.8.3 any losses suffered or incurred by, awarded against or agreed to be paid by the Controlling Party to the extent arising from the Processing Party's failure to comply with this clause 7;
    • any fines levied by any relevant regulator on the Controlling Party, or the costs of an investigative, corrective or compensatory action required by any relevant regulator, or of defending a claim made by any relevant regulator, where those fines, costs or claims have arisen as a result of a breach of this clause 3; and
    • any losses suffered or incurred by, awarded against or agreed to be paid by the Controlling Party pursuant to a claim, action or challenge made by a third party against the Controlling Party as a result of the Processing Party's failure to comply with this clause.
  • Upon the cessation of the services or the termination of this Agreement, for whatever reason, the Processing Party will, at the choice of the Controlling Party, delete or return all existing copies of the Controlling Party’s Corporate Data or any Corporate Data which the Controlling Party is the Controller of which the Processing Party received pursuant to this Agreement to the Controlling Party, unless the Data Protection Laws or other relevant laws require storage of the Corporate Data. To the extent where the Processing Party continues to process Corporate Data for the Controlling Party, this clause will survive the termination, for whatever reason, of the Agreement.

Appendix: Data Processing Particulars

The subject matter and duration of the Processing


What Corporate Data is being processed?

 We will process aggregated web traffic and marketing data

 Why is it being Processed?

For Analytics purposes – measuring and calculating the key performance indicators (such as "Return On Advertising Spend", "Customer Acquisition Cost" and "Cost Per Purchase") in order to more efficiently advertise. 

How is it being Processed?

The Fospha service is hosted and operates within a secured cloud service. Client corporate data will be processed and stored within the service, providing reports and analysis of the marketing data.14

For how long is it being Processed? 

There is currently 3 years of data being processed. This will grow over time and depend on the storage available as part of the contract and service provided.

The categories and types of Personal Data being Processed


None of the following types of data is being processed:

·       data concerning racial or ethnic origin,

·       political opinions,

·       religious or philosophical beliefs,

·       trade union membership,

·       genetic data,

·       biometric data for the purpose of uniquely identifying a natural person,

·       data concerning health  

·       data concerning a natural person’s sex life or sexual orientation