Updated September 2020
Data Controller and CCPA Terms (“Data Processing Terms”)
This page is referred to in the Data Processing section of our engagement letter or statement of work with you (“Engagement Letter”). A reference to we, us or our on this page means Frazier & Deeter, LLC (FD), and a reference to you or your on this page means the company or individual who is contracting with us.
Section 1 will apply when we are both acting as a Data Controller under the Data Protection Legislation and Section 2 will apply when we are acting as a Service Provider and you are acting as a Business in accordance with the California Consumer Privacy Act (CCPA). If you have any questions with regard to the circumstances in which we will be acting in these different capacities, please do not hesitate to get in touch with us at firstname.lastname@example.org.
In the event that Data Protection Legislation, the CCPA or appropriate guidance changes, we reserve the right to amend the requirements on this page to ensure our terms continue to comply with applicable laws.
Definitions and Interpretation
The following definitions and rules of interpretation apply in these Data Processing Terms:
- “Business”, “Personal Information” and “Service Provider” shall have the meanings given to them under the CCPA.
- “CCPA” shall mean the California Consumer Privacy Act 2018.
- “Controller to Controller Model Clauses” means the EU-controller to Non-EU/EEA controller standard contractual clauses annexed to European Commission Decision C(2004) 5721.
- “Data Protection Legislation” means: (i) the UK’s Data Protection Act 2018; and (ii) the EU’s General Data Protection Regulation (Regulation 2016/679) together with any applicable transposing, implementing or supplementary legislation.
- Any capitalised terms used but not defined on this page shall have the meanings given in the Data Protection Legislation.
SECTION 1: Where FD and Company are acting as Data Controllers
- Each party shall ensure that it Processes shared Personal Data fairly and lawfully, and that the Personal Data shared by it is not irrelevant or excessive for the purposes for which it is shared.
- Where relevant each party shall, in respect of shared Personal Data, ensure that their privacy notices are clear and provide sufficient information to the Data Subjects for them to understand what of their Personal Data the disclosing party is sharing with the receiving party, the circumstances in which it will be shared, the purposes and either the identity of the receiving party or a clear description of the type of organisation that will receive the Personal Data.
- Where required by the Data Protection Legislation, the receiving party undertakes to inform the Data Subjects of the purposes for which it will Process their Personal Data and provide all of the information that it must provide, in accordance with its own applicable laws, to ensure that the Data Subjects understand how their Personal Data will be Processed by the receiving party.
- The parties agree to provide reasonable assistance to each other as is necessary to enable them to facilitate Data Subjects exercising their rights under the Data Protection Legislation.
- The parties shall have in place appropriate technical and organisational security measures in order to: prevent unauthorised or unlawful Processing of shared Personal Data; prevent the accidental loss or destruction of, or damage to, the shared Personal Data; and ensure a level of security appropriate to the harm that might result from such unauthorised or unlawful Processing or accidental loss, destruction or damage, and the nature of the shared Personal Data to be protected.
- The parties shall notify each other as soon as reasonably practicable after becoming aware of a Personal Data Breach and provide reasonable assistance as is necessary to each other to facilitate the handling of any Personal Data Breach in an expeditious and compliant manner.
- In the event of a dispute, claim, correspondence or query brought by or received from a Data Subject or Supervisory Authority concerning the Processing of shared Personal Data against either or both parties, the parties will inform each other about any such disputes or claims, and will cooperate with a view to settling them amicably in a timely fashion.
- The parties agree to respond to any generally available non-binding mediation procedure initiated by a Data Subject or Supervisory Authority. The parties also agree to consider participating in any other arbitration, mediation or other dispute resolution proceedings developed for data protection disputes.
- If the receiving party Processes the shared Personal Data for the purposes of direct marketing, the receiving party shall ensure that the appropriate consent (if required) has been obtained from the relevant Data Subjects to allow the shared Personal Data to be used for the purposes of direct marketing in compliance with the Data Protection Legislation and effective procedures are in place to allow the Data Subject to “opt-out” (if applicable).
- Where an adequate protection measure for the international transfer of Personal Data is required under the Data Protection Legislation, the Controller to Controller Model Clauses will apply and the template elements will be as set out below:
Controller to Controller Model Contract Clauses: main body particulars
| Data Exporter | Those of our client as set out in the Engagement Letter. |
| Data Importer | Frazier & Deeter, LLC as set out in the Engagement Letter. |
| Governing law (clause ii(h)(iii)) | For the purposes of clause II(h)(iii) of the Model Contract Clauses, the data importer shall Process the Personal Data in accordance with option (h)(i) (in accordance with the data protection laws of the country in which the data exporter is established). |
Annex B of the Controller to Controller Model Contract Clauses:
| Data Subjects | Our client and their contacts (where we are engaged by an individual), and the officers, representatives, agents and employees of our client (where we are instructed by a legal entity). |
| Purpose of the transfer(s) | To perform the services described in the Engagement Letter. |
| Categories of data | Name, address, financial records, proof of identity and any other data required to perform the services described in the Engagement Letter. |
| Recipients | Other professional service providers as required to perform the services or as required by law, such as financial regulatory authorities and money laundering service providers. |
| Special categories of data | None anticipated. |
| Data protection registration information of the data exporter | Exporter to provide on request by Frazier & Deeter, LLC. |
| Contact points for data protection enquiries | As set out in the Engagement Letter. |
The illustrative commercial clauses set out in the Model Contract Clauses are deemed deleted.
SECTION 2: CCPA Requirements
- Each party acknowledges that we are the Service Provider and you are the Business and we will Process the Personal Information which we handle for you only for the purposes described in, and for the duration of, our Engagement Letter.
- If we are aware that what you are asking us to do with Personal Information infringes applicable laws, we will notify you immediately (unless applicable laws prevent us from doing that) and we will not carry out what you are asking us to do.
- We will not use, retain, sell, rent, release, disclose, disseminate, make available, transfer, or otherwise communicate orally, in writing or by electronic or other means the Personal Information you provide to us to another business or a third party for monetary or other valuable consideration, lease, license, transfer, or other disclosure save as where necessary in order to carry out our obligations under the Engagement Letter including to our sub-processors.
- We will not retain, use, disclose, collect, sell, use, or otherwise process Personal Information for any purpose other than for the specific purposes set out in the Engagement Letter. For clarity, we may not retain, use, or disclose the Personal Information for any other commercial purposes outside of those set out in the Engagement Letter.
- We will implement appropriate security measures (both technical and organisational) so that the Personal Information you give to us is kept sufficiently secure. We will make sure that anyone we allow to Process Personal Information for you is subject to written confidentiality commitments – for the avoidance of doubt this will include our employees. We will also ensure that any of our employees who handle the Personal Information on our behalf are aware of these Data Processing Terms and have undergone reasonable appropriate training.
- At your cost, we will provide you with reasonable assistance to demonstrate compliance with the CCPA, including but not limited to: (i) ensuring compliance with security, breach notification, impact assessments and prior consultation obligations; (ii) responding to: (a) any consumer request to exercise their rights under the CCPA; and (b) any other correspondence, enquiry or complaint received in connection with our Processing of your Personal Information; and (iii) permitting reasonable audits, no more than one per calendar year.
- If we become aware of a Personal Information breach in relation to the Personal Information which you provide to us, we will inform you within forty-eight (48) hours of becoming aware of a and help you to fulfil any data breach reporting obligations you may have under the CCPA.
- You approve our using sub-processors for providing the services to you, and we accept that we will be responsible to you for any breach of this page caused by our sub-processors (subject to the terms and conditions of our engagement letter). We use sub-processors to support our service offerings, billing, and marketing and relationship management activities. If we add sub-processors in addition to this list, we will update this notice. It is your responsibility to check this page from time to time if you want to monitor any changes on the type of sub-processors we use. We will enter into a contract with any sub-processors under which the sub-processor agrees to comply with obligations equivalent to those set out in these Data Processing Terms.
- Promptly following termination or expiry of our Engagement Letter with you, we will cease to use the Personal Information and delete all copies and extracts of the Personal Information in accordance with professional standards, unless required to retain a copy in accordance with any applicable laws.
If you have any questions, please contact us at email@example.com.