Data Processing Agreement (DPA)

This Data Processing Agreement (“DPA”) is entered into by and between:

1. The Customer (“Controller”); and

2. Bilberry Technologies Ltd trading as Adclear, a company registered in England and Wales with company number 15536855, whose registered office is at 85 Great Portland Street, London, England, W1W 7LT (“Processor” or “Adclear”).

(each a “Party” and together the “Parties”)

This DPA forms part of the  Agreement or other written or electronic agreement between the Parties for the provision of the Services (the “Agreement”) and reflects the Parties' agreement with regard to the Processing of Personal Data.

1. Definitions

1.1. Capitalised terms not otherwise defined herein shall have the meaning given to them in the Agreement. In this DPA, the following terms shall have the meanings set out below:

  • “Controller”, “Data Subject”, “Personal Data”, “Personal Data Breach”, “Processing”, and “Processor” shall have the same meanings as in the Data Protection Laws.
  • “Data Protection Laws” means any laws and relating to privacy or the use or processing of data relating to natural persons, including EU Regulation 2016/679 (“GDPR”) and the Data Protection Act 2018 (“DPA”) and the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 and any laws or regulations ratifying, implementing, adopting, supplementing or replacing the forgoing; in each case, to the extent in force, and as such are updated, amended or replaced from time to time. 
  • “Services” means the services provided by Adclear to the Controller as described in the Agreement.
  • “Sub-processor” means any third party appointed by or on behalf of the Processor to Process Personal Data on behalf of the Controller in connection with the Agreement.

2. Processing of Personal Data

2.1. Roles of the Parties. The Parties acknowledge that for the purposes of the Data Protection Laws, the Customer is the Controller and Adclear is the Processor. Where the Customer is a Processor on behalf of a third-party Controller (including its Affiliates), the Customer warrants that its instructions and actions with respect to that Personal Data, including its appointment of Adclear as another Processor, have been authorised by the relevant Controller.

2.2. Processor’s Instructions. Adclear shall only Process Personal Data on the Controller’s documented instructions, which shall include the terms of the Agreement and this DPA, and any other instructions given by the Controller and acknowledged by Adclear from time to time.

2.3. Details of Processing. The subject-matter, duration, nature, and purpose of the Processing, as well as the types of Personal Data and categories of Data Subjects, are set out in Annex 1 to this DPA.

3. Processor’s Obligations

Adclear shall:

3.1. Confidentiality. Ensure that any personnel it authorises to Process the Personal Data are subject to a strict duty of confidentiality (whether a contractual or statutory duty) and that they do not Process the Personal Data for any other purpose.

3.2. Security. Implement and maintain appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful Processing and against accidental loss, destruction, damage, alteration, or disclosure. Such measures shall be appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss and the nature of the data to be protected.

3.3. Sub-processing.
a) The Controller provides general written authorisation for Adclear to engage Sub-processors to support the provision of the Services. Adclear shall maintain an up-to-date list of its Sub-processors and shall make it available to the Controller upon request.
b) Adclear shall ensure that it has a written agreement with each Sub-processor which imposes data protection obligations that are at least as protective as those set out in this DPA. Adclear shall remain fully liable to the Controller for the performance of the Sub-processor’s data protection obligations.

3.4. Data Subject Rights. Taking into account the nature of the Processing, provide reasonable assistance to the Controller, by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller's obligation to respond to requests from Data Subjects exercising their rights under the Data Protection Laws.

3.5. Personal Data Breaches. Notify the Controller without undue delay upon becoming aware of a Personal Data Breach affecting the Controller's Personal Data, providing the Controller with sufficient information to allow it to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Data Protection Laws.

3.6. Data Protection Impact Assessment. Provide reasonable assistance to the Controller with any data protection impact assessments and prior consultations with supervisory authorities which the Controller reasonably considers to be required by the Data Protection Laws, in each case solely in relation to Processing of Personal Data by, and taking into account the nature of the Processing and information available to, the Processor.

3.7. Deletion or Return of Data. Upon termination of the Agreement, and at the written direction of the Controller, Adclear shall delete or return all Personal Data to the Controller. Adclear may retain Personal Data to the extent required by applicable law, provided that such Personal Data is protected from any further Processing except to the extent required by such law.

3.8. Audits and Records. Make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller, as stipulated in the Agreement.

4. Controller’s Obligations

The Controller warrants that:
4.1. It has complied, and will continue to comply, with all applicable Data Protection Laws.
4.2. The Personal Data provided to Adclear for Processing has been collected and transferred lawfully.
4.3. Its documented instructions for the Processing of Personal Data will comply with the Data Protection Laws.

5. International Transfers

Adclear shall not transfer any Personal Data to a country outside the United Kingdom or EU unless it has taken such measures as are necessary to ensure the transfer is in compliance with the Data Protection Laws. Such measures may include (without limitation) transferring Personal Data to a country that has been deemed to provide an adequate level of protection for personal data, or by entering into the UK’s International Data Transfer Agreement or the UK Addendum to the EU’s Standard Contractual Clauses.

6. Data Usage and AI Restrictions

In line with the Agreement, and except as explicitly directed by the Controller, Adclear shall not use, nor authorise the use of, any Personal Data (including Employee Data or Submitted Content) for the purpose of creating, training, or improving any generative or other artificial intelligence or machine learning models, applications, or technologies.

7. General

7.1. Precedence. In the event of a conflict between the terms of this DPA and the Agreement, this DPA shall prevail in matters of data protection. 

7.2. Liability. The limitations on liability set out in the Agreement shall apply to all claims arising from or in connection with this DPA.

7.3. Governing Law and Jurisdiction. This DPA and any dispute or claim arising out of it shall be governed by and construed in accordance with the laws of England and Wales. The parties agree to submit to the exclusive jurisdiction of the courts of England and Wales.