This Company Data Protection Policy template is ready to be tailored to your company’s needs and should be considered a starting point for setting up your employment policies.
Policy brief & purpose
Our Company Data Protection Policy refers to our commitment to treat information of employees, customers, stakeholders and other interested parties with the utmost care and confidentiality.
With this policy, we ensure that we gather, store and handle data fairly, transparently and with respect towards individual rights.
This policy refers to all parties (employees, job candidates, customers, suppliers etc.) who provide any amount of information to us.
Who is covered under the Data Protection Policy?
Employees of our company and its subsidiaries must follow this policy. Contractors, consultants, partners and any other external entity are also covered. Generally, our policy refers to anyone we collaborate with, or who acts on our behalf, and who may need occasional access to data.
Policy elements: Data processing agreement
This Data Processing Agreement (“DPA”) is entered into by the GDC entity (“GDC”) and the individual or company (the “Partner”) identified in the Partner Enrollment Form and governs the processing of personal data pursuant to the provision of services by GDC. From the Effective Date stipulated on the Partner Enrollment Form, this DPA shall apply to any and all agreements between the parties and their Affiliates from time to time.
This DPA is incorporated into the Engage Terms (as amended from time to time) and constitutes a legally binding agreement between the parties. Collectively, the DPA, the Partner Enrolment Form and the Engage Terms are referred to as the “Agreement”. In the event of any conflict or inconsistency between any of the terms of the Agreement the following order of preference shall prevail: (i) the Partner Enrollment Form; (ii) the DPA; and (iii) the Engage Terms.
1. Definitions and Interpretation. The following definitions apply to this DPA:
1.1 “Affiliate(s)” means in respect of either party at any time, any person or legal entity controlled by or controlling or under the common control of that party. Any reference to the parties shall include reference to their Affiliates;
1.2 “Controller” means the legal person that determines the purposes and means of the processing of Personal Data.
1.3 “Data Subject” means the individual to whom the Personal Data relates;
1.4 “Data Protection Laws” means any applicable laws, government-issued rules, regulations, directives and requirements (as amended from time to time) related to the privacy of Personal Data which apply to GDC or Partner;
1.5 “EEA” means the European Economic Area;
1.6 “End User” means individual human end users who interact with the GDC widget on the Partner sites;
1.7 “End User Personal Data” means Personal Data about an End User which GDC collects from End Users directly via the GDC widget, including GDC’s own UUID, IP address (which GDC translates into geo-location and deletes the last octet) and some other user agent data (for example, information about which device and browser the End User is using to access the widget);
1.8 “Partner Personal Data” means the Personal Data (such as the Partner’s employee’s name and email address) which the Partner provides to GDC in order to use the GDC services and which GDC requires in order to service the Partner’s account.
1.9 “Partner Sites” means the web properties, applications or platforms identified in the Partner Enrolment Form;
1.10 “Personal Data” means any information about an identified and/or identifiable natural person or household which GDC processes pursuant to the Agreement and which may include the End User Personal Data and/or the Customer Personal Data (as applicable);
1.11 “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, End User Personal Data or Partner Personal Data transmitted, stored or otherwise processed by GDC;
1.12 “Sub-processor” means sub-contractors and/or replacement sub-contractors (as the case may be) which process personal data on behalf of GDC from time to time.
2. Nature and Scope of Processing. The parties agree to process Personal Data pursuant to the purposes set forth in this DPA and per applicable laws. GDC shall process Personal Data for the following purposes:
2.1 End User Personal Data to provide online recommendations to End Users who interact with the GDC’s Partner Sites; and
2.2 Partner Personal Data to provide the services to the Partner pursuant to the Agreement.
3. Role of Parties. The parties acknowledge and agree that they are each independent controllers and businesses in respect of End User Personal Data and Partner Personal Data. Each Party shall be individually and separately responsible for complying with the obligations that apply to it as an independent Controller under Data Protection Laws.
4. Lawful Basis.
4.1 End User Personal Data. Partner acknowledges that GDC relies on Partner’s lawful basis for processing End User Personal Data, as GDC does not have a direct relationship with an End User. Accordingly, Partner warrants that: (i) to the extent required under applicable Data Protection Laws, it will establish a lawful basis for processing End User Personal Data; (ii) if Partner relies on legitimate interest, it has completed a legitimate interest assessment which has considered GDC’s provision of the services; and (iii) if the Partner relies on consent, the Partner shall disclose GDC to an End User via a consent management platform per the IAB methodology and must pass GDC a clear consent or no-consent signal (i.e. the Partner must not send GDC a null or invalid signal if a consent management platform is implemented).
4.2 Partner Personal Data. Partner acknowledges that GDC’s lawful basis for processing Partner Personal Data is contractual, as the Partner Personal Data is required in order for GDC to perform its obligations under the Agreement.
5. Data Subject Rights. As independent controllers, the parties acknowledge and agree that each party shall promptly inform the other if it receives a request from a Data Subject exercising its rights under the Data Protection Laws. To the extent applicable, each party shall direct the Data Subject to the other party in order to enable such party to respond directly to such Data Subject’s request. Taking into account the nature of the processing, each party shall (if requested in writing and at the requesting party’s sole cost and expense) provide reasonable assistance to the other party, to fulfil the Data Subject’s request and/or in relation to any mandatory obligations applicable to the other party as an independent controller under Data Protection Laws.
6. Transparency Obligations. The parties acknowledge their respective transparency obligations where Personal Data being processed is obtained directly from the Data Subject or where such Personal Data is obtained from a third party. To that effect, the parties shall display appropriate privacy notices to Data Subjects (as required by applicable laws), and Partner shall provide GDC, at GDC’s request, with signed attestations describing how Partner gave notice to the Data Subject in accordance with applicable Data Protection Laws, including an example of such notice. The contact email for GDC for matters relating to Data Subject rights is firstname.lastname@example.org
7. Personnel. GDC agrees that any GDC personnel engaged in the processing of Personal Data shall be informed of the confidential nature of the Personal Data, receive appropriate training and have executed confidentiality agreements. In addition, GDC shall restrict personnel’s access to Personal Data to only those who require access to such data in order to provide the services pursuant to the Agreement.
8. Sub-processors. GDC shall ensure that (i) each of its Sub-processors enters into a written agreement subjecting such Sub-processor to equivalent obligations with respect to Personal Data as imposed under this DPA and Data Protection Laws; and (ii) the foregoing written agreement shall contain terms which require the Sub-processor to put in place appropriate technical and organisational measures. Partner acknowledges that GDC may engage third parties (including its Affiliates) in connection with the provision of the services pursuant to the Agreement.
9. Sharing of Personal Data. In respect of the Personal Data, the Partner agrees that it shall not share personal data with GDC which contains any special categories of Personal Data (as defined in the Data Protection Laws). In respect of Partner Personal Data, GDC shall receive it only in furtherance of the parties’ business relationship.
10. Data Security. GDC shall maintain appropriate technical and organisational measures for the protection of the security, confidentiality and integrity of the Personal Data. The security measures GDC uses to protect Personal Data are outlined in our Security Statement. If GDC becomes aware of a Personal Data Breach in respect of the Personal Data, it shall notify the Partner in writing as soon as reasonably practicable (and no later than 48 hours after discovery), and GDC shall take such steps as it deems necessary and reasonable in order to remediate the cause of the Personal Data Breach.
11. Data Retention. GDC shall delete Partner Personal Data when requested by the Partner. In respect of End User Personal Data, the retention period for each of the cookies GDC uses (whether its own or set on its behalf by third parties) is stated in the cookies table. GDC shall not retain an individual data point for more than 13 months.
12. Compliance. At the Partner’s sole cost and expense, GDC shall, upon prior written request, make available to the Partner such information as is reasonably necessary to demonstrate GDC’s compliance with the obligations under this DPA. In addition, each party shall notify the other party in writing (i) if, in its opinion, an instruction from the other party infringes Data Protection Laws; and (ii) if it receives a complaint, notice or allegation from any data protection authority or similar body alleging non-compliance with Data Protection Laws in relation to this DPA or services rendered under the Agreement.
13. International Transfers. GDC may transfer or otherwise process Personal Data outside of the EEA (including via a Sub-processor) provided that such transfer is made in compliance with Data Protection Laws, including, if applicable, EU Standard Contractual Clauses, certification under the EU-US Privacy Shield or a European Commission positive adequacy decision under Article 45 of the GDPR. GDC is EU-US Privacy Shield certified and has in place the EU Standard Contractual Clauses for inter-company transfers.
14. CCPA. For the purposes of the California Consumer Privacy Act 2018 (the “CCPA”), as amended, GDC is a “business” and not a “service provider” per the definitions ascribed in the CCPA. To the extent that GDC receives and interprets consent signals from a Partner’s consent management mechanisms (including, but not limited to, the IAB CCPA Compliance Framework), GDC is doing so in order to abide by the End User’s choice and shall not be deemed to be a service provider on the Partner’s behalf.
15. Term and Termination. This DPA shall commence on the Effective Date and shall continue as long as the Technology is implemented on the Partner Site(s).
16.1 Neither Party shall be in breach of this DPA nor liable for delay in performing, or failure to perform, any of its obligations under the Agreement if such delay or failure results from events, circumstances or causes beyond its reasonable control.
16.2 Failure or delay in exercising any right or remedy under this DPA shall not constitute a waiver of such (or any other) right or remedy.
16.3 The Partner shall not assign or otherwise transfer its rights or its obligations under this Agreement, in whole or in part, without the prior written consent of GDC.
16.4 Except as expressly stated otherwise, nothing in this DPA shall create or confer any rights or other benefits in favor of any person other than a party to this DPA.
16.5 The invalidity, illegality, or unenforceability of any term of this DPA shall not affect the remainder of the DPA.
16.6 This DPA shall be governed by the laws specified in the Engage Terms.