Data Processing Addendum (DPA)

Corporate Governance | Privacy | GDPR | Privacy Policy

Updated: 1st March 2025

This Data Processing Addendum, including its annexes and the Standard Contractual Clauses, (“DPA”) is made by and between Pulsar Group Plc’s contracting entity (“Supplier”), and Customer, pursuant to the Subscription Terms and Conditions or Terms of Use or other written or electronic agreement between the parties (as applicable) (“Agreement”).

This DPA forms part of the Agreement and sets out the terms that apply when Customer Personal Data is processed by Supplier under the Agreement. The purpose of the DPA is to ensure such processing is conducted in accordance with applicable laws and with due respect for the rights and freedoms of individuals whose Personal Data is processed.

The Parties seek to implement a data processing agreement that complies with the requirements of the current legal framework in relation to data processing and with Data Protection Legislation on the protection of natural persons regarding the processing of personal data.

The Parties agree to the following terms:

DEFINITIONS 

Capitalised definitions not otherwise defined herein shall have the meaning given to them in the General Data Protection Regulation (2016/679) of the European Parliament and of the Council, or in the Agreement between the parties, as applicable.

For the purpose of interpreting this Addendum, the following terms shall have the meanings set out below: 

“Affiliate” means a business concern owned or controlled in whole or in part by another concern;

Applicable Law(s)” means all applicable data protection, privacy and electronic marketing legislation, including (as applicable) the GDPR, UK’s Data Protection Act 2018 and Privacy and Electronic Communications (EC Directive) Regulations 2003, as well as any equivalent laws anywhere in the world, to the extent any such laws apply to Personal Data to be processed hereunder by Data Processor;

Data    Protection    Legislation” means any Applicable Law relating to the processing privacy and use of personal data, as applicable to the Supplier, the Customer and/or the Services, including:

  • Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (the “EU GDPR”) ; 
  • the EU GDPR as saved into United Kingdom law by virtue of section 3 of the United Kingdom’s European Union (Withdrawal) Act 2018 and the UK Data Protection Act 2018 (collectively, the “UK GDPR” or “GDPR”);
  • the EU e-Privacy Directive (Directive 2002/58/EC);
  • any judicial or administrative interpretation of any of the above, any guidance, guidelines, codes of practice, approved codes of conduct or approved certification mechanisms issued by any relevant Supervisory Authority.

 “Data Controller” means the entity determining the means and purpose of processing of Personal Data;

“Data Processor” means the entity processing Personal Data on behalf of Data Controller;

“GDPR” means EU General Data Protection Regulation 2016/679 of the European Parliament and of the Council and any subsequent amendments, replacements, or supplements;

“Personal Data” or “PII” means any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, to or with an identified or identifiable natural person, which is processed by The Data Processor;

Processing Services” means any services provided by the Data Processor, including any storage, software or platform services, pursuant to an agreement, purchase order, license or subscription; 

Standard Contractual Clauses” means the standard contractual clauses for the transfer of personal data to processors or sub-processors established in third countries, as adopted by the European Commission from time to time under the GDPR, as applicable;

Restricted Transfer” means (i) where the EU GDPR applies, a transfer of personal data from the EEA to a country outside of the EEA which is not subject to an adequacy determination by the European Commission; and (ii) where the UK GDPR applies, a transfer of personal data from the United Kingdom to any other country which is not subject based on adequacy regulations pursuant to Section 17A of the United Kingdom Data Protection Act 2018, in case whether such transfer is direct or via onward transfer;

SCCs” means (i) where the EU GDPR applies, the contractual clauses annexed to the European Commission’s Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (“EU SCCs”) available here: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj; and (ii) where the UK GDPR applies, standard data protection clauses for processors adopted pursuant to Article 46(2)(c) or (d) of the UK GDPR (“UK SCCs” / “UK Addendum”) available here: https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf;  

“Sub-processor” means any third party engaged directly by The Data Processor to process any Personal Data pursuant to or in connection with The Data Processor Services. The term shall not include employees or contractors of Data Processor.

SCOPE OF PROCESSING

  • The Data Processor shall process Personal Data as described in ANNEX 1: DETAILS OF PROCESSING OF PERSONAL DATA
  • The Data Processor shall process Personal Data as a Processor or Sub-processor acting on behalf of Data Controller as the Controller or Processor of such Personal Data, as applicable.
  • The Data Controller hereby instructs Data Processor to process Personal Data only for the limited purposes of providing Data Processor Services and solely for the benefit of Data Controller.
  • The Data Processor shall only process the Personal Data in accordance with, (i) the terms of this DPA, (ii) the terms of the Agreement between the Parties, (iii) solely on documented instructions from the Data Controller, unless processing is required by Applicable Laws (in which case, the Data Processor must inform the Data Controller in advance of such requirement, unless prohibited to do so by law), and (iv) in compliance with all Applicable Laws.
  • The Data Processor shall notify the Data Controller without undue delay if the Data Processor determines that it can no longer meet instructions of The Data Controller or its obligations under this DPA.
  • The Data Controller warrants that it shall not request or instruct the data processor to process personal data in any way that would breach applicable data protection laws and regulations, including but not limited to the General Data Protection Regulation (GDPR). The data controller shall ensure that all personal data provided to the data processor has been collected, processed and transferred in accordance with applicable laws and regulations, and that the data processor is authorised to process such personal data for the purposes set out in this Agreement.

SUB-PROCESSING

  • The Data Controller agrees that the Data Processor may engage existing Sub-processors as listed at https://www.pulsargroup.com/trustcentre/sub-processors/ 
  • The Data Processor shall not subcontract any processing of Personal Data to any additional third party without prior written consent of the Data Controller regarding each such subcontracting activity and third party. Notwithstanding the foregoing, the Data Controller authorises the Data Processor to engage Sub-processors, set out in Clause 2.1 above,  without limitation for the limited purposes of processing Personal Data as strictly necessary for the fulfillment of Data Processor’s obligations under the Agreement, provided that the Data Processor:
    • provides the Data Controller with thirty (30) days’ prior written notice of its intention to engage or replace a Sub-processor. Such notice shall be sent to the nominated Data Controller contact, and must include at least: (i) the name of the Sub-processor; (ii) the type of Personal Data processed by such Sub-processor and for which purposes; (iii) description of the data subjects whose Personal Data shall be Processed by such Sub-processor, and (iv) location of the Data Processing performed by such Sub-processor;
    • conducts the level of due diligence necessary to ensure that such Sub-processor can meet the requirements of this DPA and any Applicable Laws; and
    • ensures that the arrangement between the Data Processor and the Sub-processor is governed by a written contract binding on the Sub-processor, which (i) requires the Sub-processor to process Personal Data in accordance with this DPA or standards that are no less onerous than this DPA; and (ii) includes and relies on the Standard Contractual Clauses and UK Addendum, which shall form part of the contract between Data Processor and its Sub-processors and shall be binding on both Data Processor and its Sub-processor, to the extent that any Personal Data may be Processed by such Sub-processor outside of the EEA or UK. 

 

  • The Data Controller may object to the engagement of any Sub-processor on reasonable privacy, data protection or security grounds. In such a case, the Data Processor shall only engage the Sub-processor for the provision of the Processing Services to the Data Controller after completing appropriate risk assessment and ensuring appropriate technical and organisational controls are in place. Should the Data Controller object to the engagement of the Sub-processor, the Data Controller may terminate or suspend its Agreement with the Data Processor, with immediate effect and without penalty.
  • The Data Processor shall remain fully liable to the Data Controller at all times for the performance of any of its Sub-processors obligations and its processing activities relating to Personal Data.

DATA PROCESSOR PERSONNEL

  • To the extent permissible under applicable law, the Data Processor shall conduct an appropriate background investigation of all employees or contractors of the Data Processor and who may have access to Personal Data (hereinafter: “Data Processor Personnel”), prior to allowing them such access. If the background investigation reveals that the Data Processor Personnel are not suited to access Personal Data, then Data Processor shall not provide the Data Processor Personnel with access to Personal Data.
  • The Data Processor shall ensure that all Data Processor Personnel: (i) have such access only as necessary for the purposes of providing the Data Controller with the Processing Services and complying with Applicable Laws; (ii) are contractually bound to confidentiality requirements no less onerous than this DPA; (iii) are provided with appropriate privacy and security training; (iv) are informed of the confidential nature of Personal Data, and required to keep it confidential; and (v) are aware of the Data Processor’s duties and obligations under this DPA.

SECURITY

  • The Data Processor represents and warrants that it has implemented and will maintain appropriate technical, physical, and organisational measures to protect the Personal Data against accidental or unlawful or accidental loss, alteration, destruction, unauthorised disclosure, or access and, in particular, where the processing involves the transmission of data over a network, against all anticipated unlawful forms of processing. 
  • Having regard to the state of the art and cost of their implementation, the Data Processor agrees and warrants that such measures shall ensure a level of security appropriate to the risks presented by the processing (including the risks of a Personal Data breach), and the nature of Personal Data to be protected, and without limitation shall ensure that such measures include:
    • the pseudonymisation and/or encryption of Personal Data, in transit and at rest; 
    • the ability to ensure the on-going confidentiality, integrity, availability, and resilience of processing systems and services; 
    • the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; and 
    • a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
  • The Data Processor shall maintain security response incident plans for responding to and resolving events that compromise the confidentiality, integrity or availability of information and services. If Data Processor becomes aware that a Personal Data Breach has occurred, a notification email will be sent to affected clients within 24 hours.
  • The Data Processor shall keep records of its processing activities performed on behalf of Data Controller, which shall include at least: 
    • the details of the Data Processor as Personal Data Processor, any representatives, Sub-processors, data protection officers and Data Processor Personnel having access to Personal Data;
    • the categories of processing activities performed; 
    • information regarding cross-border data transfers (as further specified in Section 10 of this DPA), if any; and description of the technical and organisational security measures implemented in respect of the processed Personal Data.
  • Without derogating from Data Controller’s Audit Rights under Section 9 (AUDIT RIGHTS) of this DPA, the Data Controller reserves the right to inspect the records maintained by the Data Processor under this Section 4 (SECURITY) at any time.

DATA SUBJECT RIGHTS

  • The Data Processor shall reasonably assist the Data Controller in responding to requests to exercise Data Subject rights or Consumer rights (including any complaints regarding the processing of Personal Data) under Applicable Laws, including, without limitation, Data Protection Legislation (Data Subject Request(s)”).
  • The Data Processor shall:
    • promptly notify the Data Controller if it receives a Data Subject Request resulting from its own processing activities in respect of Personal Data; 
    • provide full cooperation and assistance in relation to any Data Subject Request; 
    • ensure that it does not respond to Data Subject Requests except on the documented instructions of the Data Controller or as strictly required by applicable laws to which the Data Processor is subject; and
    • Maintain electronic records of Data Subject Requests (under The Applicable Laws).

LEGAL DISCLOSURE AND PERSONAL DATA BREACH

  • The Data Processor shall notify the Data Controller within twenty-four (24) hours after becoming aware of:
    • any request for disclosure of Personal Data by a Supervisory Authority and/or any other law enforcement authority or court unless prohibited under criminal law specifically requiring the Data Processor to preserve the confidentiality of a law enforcement investigation;
    • any security incident that affects the confidentiality, integrity or availability of information;
    • any Personal Data breach reasonably suspected or known to be affecting Personal Data. 
  • The Data Processor shall provide the Data Controller with sufficient information to allow the Data Controller to meet any obligations to report or inform the Data Subjects or data protection authorities of the Personal Data breach under the Applicable Laws. Other than as required by law, the Data Processor shall not make any public statements or other disclosures about a Personal Data breach affecting Personal Data without the Data Controller’s prior written consent, which may be provided, at Data Controller’s discretion, on a case-by-case basis.
  • The Data Processor shall provide the Data Controller with the following details, where possible:
    • The nature of the Personal Data Breach, including the categories of Data Subjects concerned and the categories of Personal Data and data records concerned;
    • The measures proposed or taken by Data Processor in cooperation with Data Controller to address the Personal Data Breach; and
    • The measures the Data Controller could take to mitigate the possible adverse effects of the Personal Data Breach.
  • The Data Processor shall take any actions necessary to investigate any suspected or actual Personal Data breach and mitigate any related damages.
  • The Data Processor shall fully cooperate with the Data Controller and take such steps as are directed by the Data Controller to assist in the investigation, mitigation, and remediation of any such Personal Data breach.

DELETION OR RETURN OF PERSONAL DATA

  • Upon expiration or termination of the Agreement between the parties, the Data Processor shall, at the choice of the Data Controller, promptly delete or return all copies of Personal Data in its and/or any of its Sub-processors’ possession or control, except as required to be retained in accordance with Applicable Laws. In such a case, the Data Processor warrants that it will guarantee the confidentiality of the Personal Data and will not actively process Personal Data anymore and will guarantee the return and/or destruction of the Personal Data as requested by the Data Controller when the legal obligation to not return or destroy the information is no longer in effect. 
  • Upon prior written request by the Data Controller, an authorised member of the Data Processor shall provide written confirmation to the Data Controller that the Data Processor has fully complied with this section.

PROVISION OF INFORMATION AND ASSISTANCE

  • The Data Processor shall cooperate and reasonably assist the Data Controller with any data protection impact assessments, prior consultations regarding relevant competent data protection authorities and with any other assistance related to compliance with the obligations of the Data Controller pursuant to Data Protection Legislation and other Applicable Laws. The scope of such assistance shall be limited to the processing of the Personal Data by The Data Processor.

AUDIT RIGHTS

  • The Data Processor shall make available to the Data Controller, upon written request, all information necessary to demonstrate compliance with this DPA and with any Applicable Laws, including industry-standard third-party audit certifications.
  • The Data Controller may conduct audits or inspections at the Data Processor’s premises no more than once per year during the Term of the Agreement, provided that at least fourteen (14) business days’ prior notice is given.
  • The Data Controller will cover all associated costs, including reasonable expenses of the Data Processor. These audits are to allow the Data Controller to access information necessary to assess the Data Processor’s handling of personal data and ensure both parties comply with their legal obligations under Article 28(3).
  • Any third-party auditor shall be subject to confidentiality obligations. The Data Processor may object to the selection of an auditor if it reasonably believes that the auditor does not guarantee confidentiality, security or otherwise puts at risk the Data Processor’s business.

CROSS-BORDER DATA TRANSFER

  • Personal Data may be transferred from the European Union (“EU”) and/or the United Kingdom (“UK”) to countries that offer adequate levels of data protection under or pursuant to the adequacy decisions published by the relevant data of EU (“Adequacy Decision”) as applicable, without any further safeguard being necessary.
  • If the Processing of Personal Data by the Data Processor includes transfers from EU and/or UK to other countries which have not been subject to a relevant Adequacy Decision, and such transfers are not performed through an alternative recognised compliance mechanism as may be adopted by the Data Processor for the lawful transfer of personal data as defined in the GDPR, then the SCCs shall apply, and/or the International Data Transfer Addendum (“IDTA”) in respect to transfers from the UK.
  • In relation to Personal Data that is protected by the EU GDPR, the EU SCCs will apply completed as follows:
    • Module One or Module Two will apply, as applicable, as described in ANNEX 1: DESCRIPTION OF PROCESSING/TRANSFER
    • in Clause 7, the optional docking clause will apply;
    • in Clause 9, Option 2 will apply, and the time period for prior notice of subprocessor changes shall be 30 days;
    • in Clause 11, the optional language will not apply;
    • in Clause 17, Option 1 will apply, and the EU SCCs will be governed by the laws of Ireland;
    • in Clause 18(b), disputes shall be resolved before the courts of Ireland;
    • Annex I of the EU SCCs shall be deemed completed with the information set out in Annex 1 to this DPA;
    • Annex 2 of the EU SCCs shall be deemed completed with the information set out in Annex 2 to this DPA.
  • In relation to Restricted Transfers of Personal Data protected by UK GDPR, the UK IDTA will apply completed as follows:
    • the IDTA will apply the EU SCCs (completed as set out in Clause 11.4) to Restricted Transfers of Customer Personal Data from the UK;
    • Tables 1 – 3 of the UK IDTA shall be deemed completed with the relevant information set out in this DPA and the EU SCCs (completed as set out in Clause 11.4);
    • Table 1 of the UK IDTA shall be deemed signed by Customer and Supplier upon the entry into force of the Agreement, and the start date specified in Table 1 of the UK IDTA shall be deemed completed with the date of entry into force of this Agreement;
    • In Table 4, the options “Importer” and “Exporter” shall be deemed selected.
  • The Data Processor shall ensure that each Sub-processor engaged in the processing of such Personal Data shall comply with the Data Processor’s obligations of the SCCs and/or the IDTA where applicable, and the Data Controller shall comply with the Data Controller’s obligations, in each case under the applicable SCCs. If requested by the Data Controller, The Data Processor will ensure and procure that its Sub-processor(s) enter into SCCs, and/or the IDTA where applicable, with the Data Controller directly;

INDEMNIFICATION

  • Subject to Clause 11.2, the Data Processor shall indemnify, to the extent provided by the Data Processor’s Personal Identifiable Information (hereinafter: “PII”), defend, and hold harmless the Data Controller and its respective officers, directors, and employees from and against claims and proceedings and all liability, loss, costs, fines, and expenses (including reasonable legal fees) arising in connection with (i) Data Processor’s unlawful or unauthorised Processing, destruction of, or damage to any Personal Data; and/or (ii) the Data Processors (including the Data Processor’s Personnel and Data Processor’s Sub-processors) failure to comply with its obligations under this DPA or any further instructions as to such Processing given in writing by the Data Controller in accordance to this DPA.
  • The Supplier’s liability under this DPA shall be limited in accordance with the Limitation of Liability as detailed in the Agreement.

MISCELLANEOUS

  • This DPA, including the attached SCC, may be executed in counterparts, each of which shall be deemed an original, but all of which together shall be deemed to be one and the same agreement. Delivery of an executed counterpart of a signature page to this DPA by fax or by email of a scanned copy, or execution and delivery through an electronic signature service, shall be effective as delivery of an original executed counterpart of this DPA.
  • Severance: Should any provision of this DPA be determined invalid or unenforceable, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall either be (i) amended as necessary to ensure its validity and enforceability, while preserving the Parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.
  • Notice: All notices required under this DPA shall be sent to the Data Controller and Data Processor by email.
  • Order of Precedence: In the event of any conflict between the terms of this DPA and other documents binding on Parties, the terms of these documents will be interpreted according to the following order of precedence: (i) the Standard Contractual Clauses, solely to the extent applicable in accordance with Section 10 above; (ii) this DPA; (iii) any terms of the Agreement, license or subscription, pursuant to which Data Processor Services are provided.
  • Modifications by the Data Processor: the Data Processor may by at least forty-five (45) calendar days’ prior written notice to the Data Controller, request in writing any variations to this DPA if they are required as a result of any change in, or decision of a competent authority under, any Data Protection laws, to allow processing of Personal Data to be made (or continue to be made) without breach of that Data Protection law. Pursuant to such notice, the Parties shall promptly discuss the proposed variations and negotiate in good faith with a view to agreeing and implementing those or alternative variations designed to address the lawful requirements identified in the Data Processor’s notice as soon as is reasonably practicable. 
  • Modifications by the Data Controller: the Data Controller may by at least thirty (30) calendar days’ prior written notice to the Data Processor, vary the terms of this DPA and/or any SCCs applicable pursuant to Section 10 of this DPA, as necessary to allow the Processing of Personal Data to be made (or continue to be made) without breach of applicable Data Protection Laws, or to otherwise protect the interests of the Data Controller, in each case as reasonably determined by Data Controller at its discretion. If the Data Processor objects to said variations within the notice period, the Parties shall promptly discuss the proposed variations and negotiate in good faith with a view to agreeing and implementing those or alternative variations designed to address the requirements identified in notice from the Data Controller as soon as is reasonably practicable. In the event that the Parties are unable to reach such an agreement within thirty (30) days of such notice, then the Data Controller may, by written notice to the other Party, with immediate effect and without penalty, terminate the Agreement to the extent that it relates to the Data Processor’s Services which are affected by the proposed variations (or lack thereof). 
  • Governing Law and Jurisdiction: this DPA, and any dispute, controversy, proceedings or claim of whatever nature arising out of or in any way relating to this DPA or its formation (including any non-contractual disputes or claims), shall be governed by and construed in accordance with the laws specified in the Agreement. The courts specified in the Agreement shall have exclusive jurisdiction.
  • This DPA is entered into and becomes binding between the Parties with effect from the date of signature of the Agreement.

ANNEX 1: DETAILS OF PROCESSING

A. LIST OF PARTIES

UK and EU Customers

Data Flow Controller Controller Processor DPA SCCs
Supplier provides PII to Customer Supplier Customer Not required
Customer uploads PII to Supplier Customer  Supplier Yes Not required
Customer sends account PII to Supplier Supplier Customer Not required

 

NA and APAC Customers

Data Flow Controller Controller Processor DPA SCCs Exporter Importer
Supplier provides PII to Customer Supplier Customer  Yes Module 1 (C-C) Supplier Customer
Customer uploads PII to Supplier Customer  Supplier Yes Module 2 (C-P) Customer Supplier
Customer sends account PII to Supplier Supplier Customer Yes Module 1 (C-C) Customer Supplier

 

Name of Data exporter/importer: Customer or Supplier, depending on the data flow (see above table)
Address: As set forth in the Agreement
Contact person’s name, position, and contact details: As set forth in the Agreement
Activities relevant to the data transferred under these Clauses: See Annex 1(B) below
Signature and date: This Annex I shall automatically be deemed executed when the Agreement is executed by Customer
Role (controller/processor): Customer or Supplier, depending on the data flow (see above table)

 

B. DESCRIPTION OF PROCESSING/ TRANSFER

 

Categories of Data Subjects whose personal data is transferred Module One

CRM:

  • Customer’s employees

Product: 

  • Influencers and public users of social media
  • Individuals referenced in the Customer Data
Modules Two

Product Uploads

  • Other categories as determined by any information provided by the Customer in fulfilling their Controller Purposes.
Categories of Personal Data transferred Module One

CRM:

  • Account Data which constitutes Personal Data, such as name, email and contact information as well as Customer billing address.

Product:

  • Personal data from online sources may include: name, social media handles, photographs, general location and other information which an individual makes public via posts on social media channels.
  • Additions for Vuelio:  email address, phone numbers, social media profiles and URLs, overview of work/professional history (where available), any other personal data included within the Customer’s Additions, including information relating to certain Influencers (in order to develop CRM with Influencers) such as records of prior conversations
Modules Two 

Product Uploads

  • Other categories as determined by any information provided by the Customer in fulfilling their Controller Purposes.
Sensitive data transferred (if applicable) and applied restrictions or safeguards Supplier does not knowingly collect any sensitive data or any special categories of data (as defined under Applicable Data Protection Legislation).
Frequency of the transfer Continuous.
Nature and purpose(s) of the data transfer and Processing Module One

CRM:

  • Provision of services: personal data contained in Account Data will be processed to manage the account, including to access Customer’s account and billing information, for identity verification, to maintain or improve the performance of the Services, to provide support, to investigate and prevent system abuse, or to fulfill legal obligations.

Product:

  • Supplier will process personal data as necessary to provide the Services under the Agreement. Supplier does not sell Customer’s Personal Data and does not share such Personal Data with third parties for compensation or for those third parties’ own business interests. Additional details about Supplier’s products & services can be found at https://www.pulsargroup.com/
Modules Two

Product Uploads

  • Personal data provided by the Customer can be added or uploaded to the Supplier products to assist fulfilment of their Controller Purposes.
Retention period (or, if not possible to determine, the criteria used to determine the period) Module One

CRM: 

  • Supplier will process Account Data as long as required (a) to provide the Services to Customer; (b) for Supplier’s lawful and legitimate business needs; or (c) in accordance with applicable law or regulation. Account Data will be stored in accordance with the Privacy Policy

Product:

  • Upon termination or expiry of this Agreement, Supplier will (at Customer’s election) delete or return to Customer all Customer Personal Data in its possession or control as soon as reasonably practicable and within a maximum period of 30 days of termination or expiry of the Agreement, save that this requirement will not apply to the extent that Supplier is required by applicable law to retain some or all of the Customer Personal Data, or to Customer Personal Data it has archived on back-up systems, which Customer Personal Data Supplier will securely isolate and protect from any further processing, except to the extent required by applicable law.
Module Two

As above.
For transfers to (sub-) processors, also specify subject matter, nature, and duration of the processing Module One

Supplier will restrict the onward sub-processor’s access to Customer Personal Data only to what is strictly necessary to provide the Services, and Supplier will prohibit the sub-processor from processing the Personal Data for any other purpose.

Supplier imposes contractual data protection obligations, including appropriate technical and organisational measures to protect personal data, on any sub-processor it appoints that require such sub-processor to protect Customer Personal Data to the standard required by Applicable Data Protection Legislation.

Supplier will remain liable and accountable for any breach of this DPA that is caused by an act or omission of its sub-processors.
Module Two

As above.
Identify the competent supervisory authority/ies in accordance with Clause 13 Module One

Where the EU GDPR applies, the competent supervisory authority shall be (i) the supervisory authority applicable to the data exporter in its EEA country of establishment or, (ii) where the data exporter is not established in the EEA, the supervisory authority applicable in the EEA country where the data exporter’s EU representative has been appointed pursuant to Article 27(1) GDPR, or (iii) where the data exporter is not obliged to appoint a representative, the supervisory authority applicable to the EEA country where the data subjects relevant to the transfer are located. Where the UK GDPR applies, the UK Information Commissioner’s Office.
Module Two

As above.

 

ANNEX 2: TECHNICAL AND ORGANISATIONAL SECURITY MEASURES

The Data Processor agrees to implement the following technical and organisational security measures to ensure the confidentiality, integrity, and availability of Personal Data: https://www.pulsargroup.com/trust-centre/security-measures/