Teamwork.com Data Processing Agreement
TEAMWORK CREW LIMITED (T/A TEAMWORK.COM)
This agreement regarding the processing of personal data (the “Data Processing Agreement”) regulates TEAMWORK CREW LIMITED, a company incorporated under the laws of Ireland, with registered number 313652, having its registered office at Teamwork Campus 1, Park House, Blackpool Retail Park, Blackpool, Cork, T23 F902 t/a Teamwork.com (the “Company”) activities in the processing of personal data on behalf of the client (the “Client”) and forms part of the general Terms of Service in which the parties have agreed the terms for the Company’s delivery of the services provided to the Client from time to time (the “Services”).
In consideration of the Client engaging the Company to provide the Services and for other good and valuable consideration receipt of which is hereby acknowledged by the Company, the Parties agree as follows:
1.1 Defined Terms: In this Agreement:
“Confidential Information” means all information, documents or reports, in whatever form communicated or recorded, relating to the Client, its business affairs or activities, including but not limited to Data, files, charts, records, lists, payment details and contact information relating to any employee, contractor, player or supporter of the Client; know-how, formulae, processes, specifications and software programs belonging or relating to the Client;
“Data” means the Personal Data processed by the Company on behalf of the Client in connection with the Services;
“Data Protection Acts” means the Data Protection Acts 1988-2003, as amended, revised, modified or replaced from time to time. Data Protection Acts in EU member states which incorporate the relevant terms of the GDPR (Regulation (EU) 2016/679) covers are relevant under the terms of the DPA only in matters pertaining to elements specifically covered by GDPR;
“Data Protection Law” means all legislation and regulations relating to the protection of personal data including (without limitation) the Data Protection Acts (as amended, revised, modified or replaced from time to time), the GDPR and all other statutory instruments, industry guidelines (whether statutory or non-statutory) or codes of practice or guidance issued by the Data Protection Commissioner relating to the processing of personal data or privacy or any amendments and re-enactments thereof;
“GDPR” means the General Data Protection Regulation (Regulation (EU) 2016/679);
“Loss” includes any claim, suit, proceeding, judgement, loss, liability, cost, expense, fee, penalty or fine;
“Personal Data” means personal data as defined in Data Protection Law, as specified in Schedule 1;
“Permitted Third Party Service Provider” means a third party service providers permitted to carry out processing activities;
“Personnel” means those employees of the Company to whom disclosure of Data is necessary for the provision of the Services and who are appropriately trained in and committed to data security and confidentiality; and
“Terms of Service” means the terms of service which govern the Client’s use of the Services.
Construction: In this Agreement, unless the contrary intention is stated, a reference to:
(a) ‘data controller’, ‘data processor’, ‘data subject’, ‘personal data’, ‘‘processing’ and ‘appropriate technical and organisational measures’ shall have the meanings given to them in the Data Protection Law;
(b) the singular shall include the plural and vice versa;
(c) either gender includes the other and the neuter, and vice versa;
(d) a person shall be construed as a reference to any individual, firm or Client, corporation, governmental entity or agency of a state or any association or partnership (whether or not having separate legal personality) or two or more of the foregoing;
(e) a person includes that person’s legal personal representatives, successors and permitted assigns;
(f) time shall be construed by reference to whatever time may from time to time be in force in Ireland;
(g) any agreement document or instrument is to the same as amended, novated, modified, supplemented or replaced from time to time;
(h) ‘this Agreement’ means the Clauses of, and the Schedules to, this Agreement, all of which shall be read as one document;
(i) a clause or other provision is a reference to a clause or provision of this Agreement, and any reference to a sub provision is, unless otherwise stated, a reference to a sub provision of the provision in which the reference appears;
(j) ‘including’ means comprising, but not by way of limitation to any class, list or category;
(k) a law includes any provision of any constitution, statute, statutory instrument, order, by-law, directive, regulation or decision of any governmental entity and any judicial or administrative interpretation of any of the foregoing, in each case, as amended, revised, modified or replaced from time to time; and
(l) ‘writing’ shall include a reference to any electronic mode of representing or reproducing words in visible form.
Certain Rules of Construction dis-applied:
(a) This Agreement shall be construed without regard to the rule of construction known as “ejusdem generis”.
(b) If any ambiguity or question of intent or interpretation arises, this Agreement shall be construed as if drafted jointly by the parties and no presumption or burden of proof shall arise favouring or disfavouring any party by virtue of the authorship of any of the provisions of this Agreement.
Exercise of powers of control: Where any obligation in this Agreement is expressed to be undertaken or assumed by any party, that obligation is to be construed as requiring the party concerned to exercise all rights and powers of control over the affairs of any other person which it is able to exercise (whether directly or indirectly) in order to secure performance of that obligation by each such person as if that person were bound by that obligation.
Headings: Headings and captions are to be ignored in the construction of this Agreement.
2) Status of the Parties
The parties acknowledge that, in relation to the Data, and for the purposes of Data Protection Law, the Company is a data processor and the Client is the data controller.
3) Data Processor Obligations
The Company undertakes and agrees with the Client that:
(a) it shall only process:
(i) Data strictly in accordance with the documented instructions of the Client;
(ii) Data in accordance with the nature and purpose of the processing set out in Schedule 1;
(iii) the minimum volume of Data which is strictly necessary for the performance of the Services;
(b) any Processing of Data by the Company shall be carried out in full compliance with Data Protection Law;
(c) it shall inform the Client as soon as practicable if, in its opinion, it receives an instruction from the Client which infringes Data Protection Law;
(d) it shall disclose Data only to those members of its Personnel to whom such disclosure is necessary for the exercise of its rights, and performance of its obligations, under this Agreement and the Terms of Service, and shall procure that such persons are made aware of, and agree in writing to observe the obligations of confidentiality in Clause 5 and security in Clause 7;
(e) it shall not export or process any Data outside the European Economic Area without the Client's prior written consent. If the Client so requires as a condition of such consent, the Company shall, provide evidence of compliance with the requirements of chapter V of the GDPR; and
(f) it shall not perform the Services in such a way as to knowingly cause the Client to breach any of its obligations under Data Protection Law;
Authorisation: The Company shall be permitted to sub-contract processing of Data to a Permitted Third Party Service Provider provided that the Company shall remain responsible for all acts and omissions of Permitted Third Party Service Provider and the acts and omissions of those employed or engaged by the sub-contractors as if they were its own. An obligation on the Company to do, or to refrain from doing, any act or thing shall include an obligation on the Company to procure that its Personnel and the personnel of each Permitted Third Party Service Provider also do, or refrain from doing, such act or thing. The Company shall inform, in advance, in writing of any such change with regards to sub-contract processing.
Keep Confidential: The Company shall keep confidential the Confidential Information and shall not, without the prior written consent of the Client, use, disclose, copy or modify the Confidential Information other than as necessary for the exercise of its rights, and performance of its obligations, under this Agreement.
Notify Misuse: The Company shall give notice to the Client of any unauthorised use, disclosure, theft or other loss of the Confidential Information immediately upon becoming aware of it.
Mandatory Disclosure: If the Company is required by law or by any order of any court or governmental or regulatory authority to disclose the Confidential Information, it shall promptly notify the Client of receipt of notice of that requirement and, at the request and cost of the Client, shall assist it in opposing any such disclosure.
Conduct of Audit: At least yearly, the Company will conduct audits of its personal data processing practices and the information technology and information security controls for all facilities and systems used in complying with its obligations under this Agreement, including, but not limited to, obtaining a network-level vulnerability assessment performed by a recognised third-party audit firm based on recognised industry best practices.
Audit Reports: On the Client's written request, the Company will make all of the relevant audit reports available to the Client for review. The Client shall treat such audit reports as the Company's confidential information under this Agreement.
In full compliance with Article 28 3.(h) the processor will make available to the controller all information necessary to demonstrate compliance with the obligations laid down in this Article and allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller.
Implement Appropriate Security Measures: The Company shall implement appropriate security measures to prevent accidental or unauthorised, loss, destruction, damage, alteration, disclosure or unlawful or unauthorised access to any Data in the custody of the Company, and the Company shall ensure that its Personnel are aware of and comply with those measures. These measures are fully detailed on our Company website. Teamwork Security
8) Data Breach
Notify Breach: The Company shall promptly after becoming aware of it notify the Client of any unauthorised access to, or unauthorised use, alteration, disclosure, accidental loss or destruction of, any Data in the custody of the Company (each a “data breach”).
Obligations in Case of Breach: In the event of any data breach, the Company shall:
(a) take prompt action to investigate the cause of the data breach;
(b) promptly, assist the Client in complying with its obligations under Articles 32 to 36 of the GDPR.
9) Data Subject Requests and Complaints
Notification: The Company shall promptly notify the Client of any request from a data subject to exercise any of his or her rights under Data Protection Law or any complaint from any data subject.
No Accession: The Company shall not accede to any such request or deal with any complaint except on the written instructions of the Client.
Assistance: The Company shall, on request by the Client and at the Client’s expense, and taking into account the nature of the processing, assist the Client by appropriate technical and organisational measures, for the fulfilment of the Client’s obligation to respond to requests for exercising the data subject’s rights under Data Protection Law.
Destruction of Data
Upon termination of this Agreement, the Company shall, upon the request of the Client, immediately destroy all Data and shall certify such destruction in writing to the Client on request. The Client can request to have the data returned to them in a usable format prior to termination. The Client can request to have the data exported in a readable format prior to the destruction of data. The Client can at any stage during the course of the contract request in writing to have data deleted and destroyed. The Company will comply with this request adhering to all relevant legislation.
Term and Termination
Term: This Agreement shall come into force on the date of signature of this agreement in conjunction with our Terms of Service and shall continue in full force and effect until the termination or expiry of the subscription for the Services whereupon the Company’s authority to process Data in accordance with this Agreement shall terminate automatically, unless otherwise agreed between the parties in writing.
Warranties and Representations
The Client represents and warrants to the Company, on a continuing basis for the duration of the Agreement that:
(a) all consents, if required, for the processing of all the Data by the Company in the manner contemplated by this Agreement have been validly obtained and are in full force and effect;
(b) the Client has complied with all of its obligations (however arising) in respect of all the Data; and
(c) the processing by the Company of the Data in the manner contemplated by this Agreement will not infringe the rights of any person under Data Protection Law in any jurisdiction other than Ireland.
Severability: If the whole or any part of a provision of this Agreement is or becomes illegal, invalid or unenforceable, that will not affect the legality, validity or enforceability of the remainder of the provision in question or any other provision of this Agreement.
Binding on Successors: This Agreement and all of its provisions shall be binding upon and inure to the benefit of the parties and their respective heirs, executors, administrators, successors and permitted assigns.
Counterparts: This Agreement may be executed in two or more counterparts, each of which shall be deemed to be an original, but all of which together shall constitute one and the same instrument.
Governing law: This agreement and any non-contractual obligations arising out of or in connection with it shall be governed by and construed in accordance with the laws of the Republic of Ireland.
Jurisdiction: The courts of the Republic of Ireland shall have exclusive jurisdiction to hear, determine and settle any dispute arising out of or in connection with this Agreement or any related non-contractual obligations and the parties submit to the exclusive jurisdiction of the Irish courts. The parties waive any objection to the Irish courts on grounds that they are an inconvenient or inappropriate forum to settle any such dispute.
Schedule 1 PERSONAL DATA
(a) Types of personal data to be processed;
(i) e.g. name, address, telephone number, e-mail address,
(ii) e.g. bank details, card details
(iii) e.g. company name, company address, company e-mail address, company telephone number
(iv) e.g. other relevant information required for the provision of our services
(b) Categories of data subjects
(i) e.g. site visitor
(ii) e.g. employee
(iii) e.g. contractor
(c) Nature of the processing will include; collection, recording, storage, adaptation or alteration, retrieval, use, analysis, combination, erasure, and destruction of data).
(d) Purpose of the processing is to provide a Software as a Service to you the Client in an efficient and effective manner allowing us to clearly identify the client or its representatives and to allow effective communication to the client and its representatives.