Data Processing Addendum

Effective Date: 1st March 2025
Last Updated: 1st March 2025

1. Introduction

This Data Processing Addendum ("DPA") forms part of the [Service Agreement] ("Agreement") between Key and Box, a trading name of WatchLabs Ltd. ("Processor"), and users of our service ("Controller") (collectively, the "Parties"). This DPA reflects the Parties' agreement regarding the processing of Personal Data by the Processor on behalf of the Controller in connection with the services provided under the Agreement. The term of this DPA shall follow the term of the Agreement.

2. Definitions

The following terms have the meanings set out below:

  • "Affiliate" means any entity that directly or indirectly controls, is controlled by, or is under common control with a Party.

  • "Data Protection Law" means all applicable data protection and privacy laws, including the UK GDPR, EU GDPR, the UK Data Protection Act 2018, and the California Consumer Privacy Act (CCPA), as applicable to the processing of Personal Data.

  • "Personal Data" means any information relating to an identified or identifiable natural person ("Data Subject").

  • "Processing" means any operation or set of operations performed on Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, alignment, restriction, erasure, or destruction.

  • "Sub-processor" means any third party engaged by the Processor to assist in processing Personal Data on behalf of the Controller.

3. Scope and Applicability

This DPA applies to the processing of Personal Data by the Processor on behalf of the Controller in the course of providing services under the Agreement. The Parties agree to comply with the terms and conditions in this DPA concerning such Personal Data.

4. Roles and Responsibilities

  • The Controller is responsible for ensuring that it has a lawful basis for processing Personal Data and for obtaining Data Subject consent where required under applicable law.

  • The Processor shall immediately inform the Controller if, in its opinion, an instruction infringes applicable Data Protection Law.

5. Processor Obligations

The Processor agrees to:

  • Process Data: Process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country or an international organisation, unless required to do so by law.

  • Confidentiality: Ensure that persons authorised to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

  • Security Measures: Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including encryption, pseudonymisation, access controls, and regular security audits.

  • Personal Data Breach: Notify the Controller without undue delay, but no later than 24 hours after becoming aware of a breach.

  • Sub-processors: Not engage another processor without prior specific or general written authorisation of the Controller. In the case of general written authorisation, the Processor shall inform the Controller of any intended changes concerning the addition or replacement of other processors, giving the Controller the opportunity to object to such changes.

  • Data Subject Rights: Assist the Controller by appropriate technical and organisational measures, insofar as possible, to fulfil the Controller’s obligation to respond to requests for exercising Data Subject rights.

  • Data Protection Impact Assessment: Assist the Controller in ensuring compliance with obligations under Articles 32 to 36 of the GDPR, taking into account the nature of processing and the information available to the Processor.

  • Deletion or Return of Data: At the choice of the Controller, delete or return all Personal Data to the Controller after the termination of services, and delete existing copies unless Union or Member State law requires storage of the data.

  • Audit: Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this Article and allow for, and contribute to, audits and inspections conducted by the Controller or another auditor mandated by the Controller.

6. Controller Obligations

The Controller agrees to:

  • Lawful Processing: Ensure that the processing of Personal Data, including its transfer to the Processor, has been and will continue to be carried out in accordance with the relevant provisions of applicable Data Protection Law.

  • Instructions: Provide documented instructions to the Processor that comply with applicable Data Protection Law.

  • Data Subject Rights: Be responsible for handling Data Subject requests and communications under applicable Data Protection Law.

7. Sub-Processors

The Processor shall not engage any Sub-processor without the prior specific or general written authorisation of the Controller. In the case of general written authorisation, the Processor shall inform the Controller of any intended changes concerning the addition or replacement of Sub-processors, thereby giving the Controller the opportunity to object to such changes.

8. International Data Transfers

The Processor shall not transfer Personal Data to a third country or international organisation without prior documented instructions from the Controller, unless such transfer is required by Union or Member State law to which the Processor is subject. In such a case, the Processor shall inform the Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.

9. Data Subject Rights

Taking into account the nature of the processing, the Processor shall assist the Controller by appropriate technical and organisational measures, insofar as possible, for the fulfilment of the Controller’s obligation to respond to requests for exercising Data Subject rights as set out in Chapter III of the GDPR.
