Data Processing Addendum

1.  INTRODUCTION

1.1.  If you are a Project Owner, we may make functionality within your account on Crowdfunder.co.uk available to you that allows you to send emails or other messages to Backers.

1.2.  Data Protection Laws apply to the Processing of the Personal Data in those messages, which include the requirement that specific provisions are included in the terms of our agreement.

1.3.  To the extent that we are, for the purposes of Data Protection Laws, a Processor of the Personal Data we process when you use this functionality, the terms of this Data Processing Addendum will apply.

1.4.  This Data Processing Addendum, as amended by us from time to time, forms part of our Terms of Use and, as a result, our agreement with you.  The latest version of this Data Processing Addendum is located at www.crowdfunder.co.uk/dpa.

2.  DEFINITIONS

2.1. The expressions defined in our Terms of Use will have the same meanings when used in this DPA. We also use a few additional definitions to make this DPA easier to read:

Controller, Processor, Data Subject, Personal Data, Personal Data Breach, Process and Processing have the respective meanings given to them (and equivalent expressions) in Data Protection Laws, and Project Owner Personal Data means the Personal Data set out in the Description of Processing where such data is Processed by us as a Processor on your behalf;
Data Protection Laws: any applicable data protection legislation in force from time to time relating to the Services (including the UK GDPR (as defined in the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019) and the Privacy and Electronic Communications Regulations 2003 (as amended)), or any successor legislation;
Documented Instructions: instructions you provide to us from time to time by using the Services;
DPA: this Data Processing Addendum;
Liabilities: all losses, reasonable costs, charges, expenses, legal and other professional costs awarded against, suffered, incurred or paid by us or you, as applicable (and Liability will be construed accordingly); and
Services: the functionality we make available to you within your account on Crowdfunder.co.uk that allows you to send emails or other messages to Backers.

2.2. You acknowledge and agree that:

2.2.1.  you are a Controller and that we are a Processor for the purposes of Processing Project Owner Personal Data; and

2.2.2.  we are a Controller in relation to any Processing described in our Privacy Policy and Cookie Policy.

2.3. In respect of any Project Owner Personal Data Processed by us, we will:

2.3.1.  only Process Project Owner Personal Data in accordance with your Documented Instructions from time to time unless we are required by Data Protection Laws applicable to us to Process that data otherwise than in accordance with those instructions (in which case we will notify you unless the law prohibits us from doing so on public interest grounds);

2.3.2.  ensure that those of our staff who have access to and/or Process Project Owner Personal Data are committed to keeping Project Owner Personal Data confidential;

2.3.3.  implement appropriate technical and organisational measures to protect against accidental, unlawful or unauthorised destruction, loss, alteration or disclosure of, or access to, Project Owner Personal Data in accordance with our obligations under Data Protection Laws;

2.3.4.  with your general authorisation (which you provide by accepting the Terms) engage other Processors to Process the Project Owner Personal Data (Sub-Processor) provided we have entered into an agreement with them containing obligations materially equivalent to those applicable to us in this DPA and provided we notify you of any intended changes concerning the addition or replacement of Sub-Processor(s) and provide you with the opportunity to object to such changes.  Any objections must be notified to us in writing within 14 days of the date of our notice to you, which you agree may be sent to you by email.  If we do not receive an objection from you within such period, you will be deemed to have given your authorisation for us to use such Sub-Processor. If you object within such period or after we notify you in writing that a Sub-Processor we propose does not accept some or all of the obligations set out above in this DPA (or after we notify you in writing that an existing Sub-Processor is no longer bound by some or all of those obligations), then we or you may terminate your account on Crowdfunder.co.uk or withdraw access to the Services without liability on giving seven (7) days’ written notice to the other party;

2.3.5.  not transfer any Project Owner Personal Data outside of the United Kingdom and European Economic Area (EEA) if such transfer would directly cause you to breach your obligations relating to personal data transfers under Article 44 of the UK GDPR.  In relation to all other transfers, you consent to us and any of our Sub-Processors transferring Project Owner Personal Data outside the UK or EEA;

2.3.6.  provide such assistance (at your cost and to such extent permitted by Data Protection Laws) as you may reasonably require in responding to any request from a Data Subject and in ensuring compliance with your obligations under Data Protection Laws with respect to security, breach notifications, impact assessments and consultations with any data protection regulators. In no event will we be obliged to respond directly to any such request or correspondence unless specifically required to do so by law; and

2.3.7.  for the sole purpose of demonstrating our compliance with this DPA, provide such information as you reasonably require, or where, in our reasonable opinion, the provision of information alone is not reasonably sufficient for that purpose, allow for and contribute to an audit (including inspection) of the relevant parts of our business by up to two (2) of your representatives (in each case, at your cost, including any auditors’ or administrative fees).  You will give not less than one (1) month’s written notice prior to the date you wish to conduct the audit and will conduct any such audit no more than once per calendar year at such time and date that is convenient for us (except where required otherwise by a data protection regulator with competent jurisdiction).  You will promptly notify us in writing of any non-compliance discovered by such audit. You will not disclose to any third party (other than, where applicable, the external auditor performing the audit) any information or reports obtained or produced in connection with any such audit and will use such information and reports solely for the purposes of meeting your regulatory audit requirements and/or confirming our compliance with the requirements of this DPA. You will ensure that you take reasonable steps and any steps we request to minimise any interruption to our business when exercising your rights under this paragraph 2.3.7.  If a third party conducts the audit, we may object to the auditor if the auditor is, in our reasonable opinion, not suitably qualified or independent, our competitor or a competitor of our shareholders, or otherwise manifestly unsuitable. If we object, we may require you to appoint another auditor or to conduct the audit yourself.

2.4. You will:

2.4.1.  comply with Data Protection Laws at all times and shall not do anything that would cause us to breach those laws.  In particular, you will ensure that all Documented Instructions you provide to us comply with Data Protection Laws;

2.4.2.  be and remain solely responsible for the content of the Description of Processing and for determining the lawful basis and conditions for the Processing of all Project Owner Personal Data in connection with our Terms;

2.4.3.  not seek our assistance in respect of any activities or tasks that can be performed by you, including using the Services;

2.4.4.  not send any messages to any Backers or any other person using the Services without first obtaining any necessary consents (and shall not send any such messages to any person that has withdrawn their consent or otherwise objected to receiving such messages); and

2.4.5.  immediately notify us in writing if the Description of Processing is inaccurate or incomplete at any time together with full details.

2.5. To the extent permitted by law, we accept no liability for any:

2.5.1.  inaccurate data (including Personal Data) provided to you as part of the Services to the extent that such inaccuracy arises from incorrect data provided by you, any Data Subjects or any sources that are not Sub-Processors; or

2.5.2.  representations, guarantees or conditions that the Services or the Project Owner Personal Data is fit for a particular purpose or will meet your requirements.

2.6. We will not be liable for any Liabilities in connection with this DPA or the Services to the extent that we are not in any way responsible for the event giving rise to the Liabilities or you are responsible for the Liabilities, in each case, in accordance with Article 82 of the UK GDPR.

2.7. We will have no obligation to comply (nor any Liability for non-compliance) with your use of the Services or any of your instructions which in our opinion will or are likely to:

2.7.1.  vary the provisions of our Terms or the scope of the Services;

2.7.2.  be inconsistent with the Description of Processing; or

2.7.3.  breach any Data Protection Laws.

2.8. We will immediately notify you if, in our opinion, any Documented Instructions you provide to us breach Data Protection Laws (however you acknowledge and agree that we are not obliged to monitor your use of the Services in any way). We will notify you without undue delay if any Project Owner Personal Data is compromised as a result of a Personal Data Breach.  You will not rely on any of the notices we provide to you under this paragraph 2.8, which you acknowledge and agree does not constitute legal advice. You will seek independent legal advice if you wish to determine whether any instruction received by us and which we believe breaches Data Protection Laws, is in fact a breach or likely to be a breach of those laws. You agree that any notice provided to you relating to a Personal Data Breach is provided without any admission of liability.

2.9. Except to the extent applicable laws require us to store it, we will promptly delete Project Owner Personal Data Processed by us solely as a Processor if you write to us instructing us to delete it. Otherwise, we will delete that data on the earlier of the date:

2.9.1.  twelve (12) months from the end of the Fundraising Period for your Project or when your Project otherwise ends (but only for the data relating to that Project) unless you instruct us in writing to retain that data for a longer, reasonable period; or

2.9.2.  sixty (60) days from the date we close your account for any reason.

2.10. You may choose to request in writing at any time during the periods set out in paragraph 2.9 that we return the relevant Project Owner Personal Data to you and we will comply with that request unless we have already deleted the requested data.

2.11. We and you acknowledge and agree that the contents of any messages that you send using the Services will comply with our Terms but will otherwise be solely determined by you.

DESCRIPTION OF PROCESSING

Processing of Project Owner Personal Data

Subject matter: Processing in connection with communications you send to Backers relating to your Project

Nature: Collection, communication, transmission, storage, retrieval, alteration, deletion and destruction.

Duration: As described in paragraph 2.9 of this DPA.

Purposes of the Processing

The Processing is necessary for the following purposes:

To provide the Services, namely the sending of electronic messages to Backers about your Projects.

Data Subjects

The Project Owner Personal Data relates to the following categories of Data Subjects:

Backers.

Categories of Personal Data

The Project Owner Personal Data Processed falls within the following categories:

Contact details relating to Backers and the contents of your messages to them.

Special categories of Personal Data and/or criminal offence/conviction data

The Project Owner Personal Data Processed falls within the following special categories of Personal Data/criminal offence/conviction data:

None. You acknowledge and agree that the Services are not designed and not intended to Process any special category personal data or personal data relating to criminal offences/convictions.

Rights and obligations of the controller

Your rights and obligations as a Controller in relation to the Project Owner Personal Data are as set out in this DPA and Data Protection Laws.