Fresha Partner Terms of Business
DATA PROTECTION ADDENDUM
If you use the Fresha Services, this Data Protection Addendum ("Data Protection Addendum" or "DPA") is incorporated into and forms part of the Fresha Partner Terms of Business and/or other applicable agreement entered into between the Partner and Fresha (the "Agreement").
This Data Protection Addendum sets out the requirements for Fresha's processing of personal data on behalf of the Partner for the purposes of providing the Fresha Services.
These additional terms take effect from the date the Partner enters into the Agreement. In the event of any conflict between the terms of this Data Protection Addendum and the terms of the Agreement, the terms (including definitions) of this Data Protection Addendum shall prevail so far as the subject matter concerns the processing of personal data.
In addition to the defined terms set out in the Fresha Partner Terms of Business, the following words and expressions shall have the following meanings:
"Adequate Country" means a country or territory recognised as providing an adequate level of protection for Personal Data under an adequacy decision made, from time to time, by (as applicable) (i) the Information Commissioner's Office ("ICO") and/or under applicable UK law (including the UK GDPR), or (ii) the European Commission under the GDPR.
"Affiliate" means, with respect to any party, any corporate entity that directly or indirectly Controls, is Controlled by, or is under Common Control with, such party (for so long as such Control exists). An entity "Controls" another entity if it: (a) holds a majority of the voting rights in it; (b) is a member or shareholder of it and has the right to remove a majority of its board of directors or equivalent managing body; (c) is a member or shareholder of it and controls alone or pursuant to an agreement with other shareholders or members, a majority of the voting rights in it; or (d) has the right to exercise a dominant influence over it pursuant to its constitutional documents or pursuant to a contract; and two entities are treated as being in "Common Control" if either controls the other (directly or indirectly) or both are controlled (directly or indirectly) by the same entity.
"Data Protection Laws" means:
- in the European Union, the General Data Protection Regulation 2016/679 (the "GDPR"), and
- in the UK, the UK General Data Protection Regulation 2016/679, as implemented by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 and the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2020 (the "UK GDPR"), the Data Protection Act 2018, and the Privacy and Electronic Communications Directive 2002/58/EC (as the same may be superseded by the Regulation on Privacy and Electronic Communications ("ePrivacy Regulation")).
"Data Subject Request" means a request from or on behalf of a data subject to exercise any rights in relation to their Personal Data under Data Protection Laws.
"EEA" means the European Economic Area and Switzerland.
"End Users" means Partner's designated employees and agents who are authorised by Partner to access and use the Fresha Services, Fresha Marketplace and Fresha Widget.
"EU SCCs" means the Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (the approved version of which is available at http://data.europa.eu/eli/dec_impl/2021/914/oj), including the applicable modules along with the corresponding appendices.
"2010 SCCs" means the model clauses for the transfer of personal data to processors established in third countries approved by the European Commission, the approved version of which is set out in the European Commission's Decision 2010/87/EU of 5 February 2010 and at http://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX%3A32010D0087 and which along with the Appendices to the 2010 SCCs included in appendix 1 to this Data Protection Addendum, form a part of the Agreement
"Personal Data" means, for the purposes of this Data Protection Addendum, all Partner Client personal data which is uploaded into the Fresha Services by Partner (or directly by a Partner Client) and accessed, stored or otherwise processed by Fresha as a processor.
"Security Breach" means any breach of security or other action or inaction leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data by Fresha or its sub-processors, or any other identified or unidentified third party.
"Supervisory Authority" means in the UK, the Information Commissioner's Office ("ICO") (and, where applicable, the Secretary of State or the government), and in the EEA, an independent public authority established pursuant to the GDPR.
"UK" means the United Kingdom.
"controller", "data subject", "personal data" and "processor" have the meanings ascribed to them in the Data Protection Laws.
Roles and compliance with Data Protection Laws
Partner is the controller of Partner Clients' Personal Data, and Fresha is the processor of Partner Clients' Personal Data.
Each party will comply with applicable Data Protection Laws. As between the parties, Partner shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which the Personal Data was acquired, including so that the processing described hereunder may be lawfully undertaken by Partner and Fresha.
Each party shall appoint an individual within its organisation authorised to respond to enquiries regarding the Personal Data, and provide the other party with contact information for this individual. Each party shall deal with such enquiries promptly.
Description of Processing
(i) in order to provide the Fresha Services or
(ii) per Partner's instructions in writing,
which shall include the Agreement, or via the Fresha Services. Nothing in this Agreement shall prevent or restrict Fresha from anonymising and using such data in accordance with the Agreement, and to improve Fresha's products and services. To the extent any such data is considered personal data, Fresha shall process such data in accordance with applicable Data Protection Laws.
The subject matter, nature and purposes, duration of the processing, and the types of data and categories of data subjects are as follows:
Subject Matter of the Processing
Fresha's provision of Fresha Services, Fresha Marketplace, and Fresha Widget under the Agreement, including its processing of Personal Data under this Agreement, to Partner.
Nature and Purposes of the Processing
The nature and purposes of the processing are the collection, storage, duplication, deletion, analysis, pseudonymisation, anonymisation, provision and disclosure of Personal Data as described in the Agreement, and as pursuant to providing the Fresha Services to Partner and any further instructions by Partner in writing.
Duration of Processing
Fresha will process the Personal Data for the duration of the Agreement, or until the processing is no longer necessary for the purposes described in this Agreement.
Types of Data
Any Personal Data that Partner in its discretion uploads into the Fresha Services will be processed under this Agreement. Partner may not upload, request (e.g. in a Customer booking form) or otherwise process special category data (e.g. health data).
Partner's staff data may include: first name, last name, contact information, job/role title, services provided/qualified for, and access permissions. Customer data may include: first name, last name, contact information, booking data.
Categories of Data Subjects
Data Subjects may include any Customers, Partner staff, or other individuals whose personal data is processed via the Fresha Services, in each case about whom Personal Data is provided to Fresha via the Fresha Services by, or at the direction of, Partner.
Fresha will notify Partner (unless prohibited by applicable law) if it is required under applicable law to process Personal Data other than pursuant to Partner's instructions. Fresha will, as soon as reasonably practicable upon becoming aware, inform the Partner if, in Fresha's opinion, any instructions provided by the Partner infringe the GDPR, UK GDPR or any applicable local data protection laws.
Technical and organisational security measures
Fresha will implement appropriate technical and organizational measures to ensure a level of security appropriate to the risks that are presented by the processing of Personal Data, in particular protection against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data. Fresha will provide a summary of its security measures upon written Partner request.
Fresha will ensure that only authorised personnel have access to Personal Data and that any persons whom it authorizes to access the Personal Data are under obligations of confidentiality.
Security breaches, data subject requests & further assistance
Fresha will notify Partner of any Security Breach without undue delay, and where feasible within 72 hours of becoming aware of the Security Breach.
Data subject requests
Fresha will promptly notify Partner if it receives a Data Subject Request. Fresha may respond to a Data Subject Request solely to confirm that such request relates to Partner, and will not otherwise respond to a Data Subject Request. Partner acknowledges and agrees that the Fresha Services include features which will allow Partner to manage Data Subject Requests directly through the Fresha Services without additional assistance from Fresha. If Partner does not have the ability to address a Data Subject Request, Fresha will, upon Partner's written request, provide reasonable assistance to facilitate Partner's response to the Data Subject Request to the extent such assistance is consistent with applicable law; provided that Partner will, at Fresha's discretion, be responsible for paying for any reasonable costs incurred or fees charged by Fresha for providing such assistance.
Taking into account the nature of processing and the information available to Fresha, Fresha will provide such assistance as Partner reasonably requests in relation to Partner's obligations under Data Protection Laws with respect to:
(a) data protection impact assessments;
(b) required notifications to the Supervisory Authority under Data Protection Laws and/or required communications to data subjects by the Partner in response to a Security Breach; or
(c) Partner's compliance with its obligations under the GDPR or UK GDPR (as applicable) with respect to the security of processing.
Partner grants a general authorisation to Fresha to appoint its Affiliates or third parties as sub-processors to support the performance of the Fresha Services, including data centre operators, cloud-based software providers, and other outsourced support and service providers. Fresha will maintain a list of sub-processors and will notify Partner of new and replacement sub-processors to the list thirty (30) days prior to them starting sub-processing of Personal Data. Fresha will consider any of Partner's reasonable objections to a new sub-processor. If Partner has a reasonable objection to any new or replacement sub-processor and there is no option available for Partner to use the Fresha Services without use of that sub-processor, Partner's sole and exclusive remedy is to terminate the Agreement, only in relation to the Fresha Services to which the proposed new sub-processor's processing of Personal Data relates or would relate, by providing 10 days' advance written notice to Fresha.
Fresha will enter into a written contract with each sub-processor which imposes on such sub-processor terms no less protective of Personal Data than those imposed on Fresha in this Agreement (the "Relevant Terms"). Fresha shall be liable to Partner for any breach by such sub-processor of any of the Relevant Terms to the extent required under Data Protection Laws.
Partner agrees that its use of the Fresha Services may involve the transfer of Personal Data to, and processing of Personal Data in, locations outside of the UK and/or EEA (such as for purposes of providing support to Partner), including processing in any country in which Fresha, its Affiliates and authorized Sub-processors perform the Fresha Services. Fresha will ensure any such transfer or other processing complies with applicable Data Protection Laws.
To the extent Fresha's processing relates to a transfer which is subject to the UK GDPR (except if in an applicable Adequate Country), the parties agree that the 2010 SCCs will apply and are incorporated into this Agreement, and Fresha is the 'data importer' and will comply with the obligations of the 'data importer' in the 2010 SCCs accordingly and Partner is the 'data exporter' and will comply with the obligations of the 'data exporter' accordingly. The following terms shall apply to the 2010 SCCs:
(a) Annexes 1 and 2 in appendix 1 of this Data Protection Addendum contain the information required by Annexes 1 and 2 of the 2010 SCCs;
(b) Partner may exercise its right of audit under clause 5(f) of the 2010 SCCs as set out in, and subject to the requirements of, clause 8 of this Data Processing Addendum;
(c) Fresha may appoint sub-processors under clause 11 of the 2010 SCCs as set out in, and subject to the requirements of, clause 6 of this Data Processing Addendum.
To the extent Fresha's processing relates to a transfer which is subject to the EU GDPR (except if in an applicable Adequate Country), the parties agree to implement the EU SCCs (including, where applicable, Module 2 (C2P) of the EU SCCs, along with the corresponding appendices). Such implemented EU SCCs, once agreed between the parties, will apply and will be deemed to be incorporated into this DPA.
Fresha may (i) replace either the EU SCCs or the 2010 SCCs with any alternative or replacement transfer mechanism in compliance with applicable Data Protection Laws, including any standard contractual clauses approved by an applicable Supervisory Authority, and (ii) make reasonably necessary changes to this clause 7 by notifying Partner of the new transfer mechanism or content of the new standard contractual clauses (provided their content is in compliance with the relevant decision or approval), as applicable.
To the extent that Fresha transfers any Personal Data to a sub-processor (including any Fresha Affiliates) that processes Personal Data outside the UK or EEA (except if in an Adequate Country), the parties agree that Fresha shall ensure that such transfer complies with Data Protection Laws. For these purposes, Partner mandates Fresha to sign the applicable standard contractual clauses on Partner's behalf with any relevant sub-processor.
Audit and Records
Partner may exercise its right of audit under Data Protection Laws through Fresha providing Partner with, subject to any relevant confidentiality terms, such information in Fresha's possession or control as may be necessary to demonstrate compliance with its obligations under this Data Protection Addendum (including an audit report by a registered and independent external auditor demonstrating that Fresha's technical and organizational measures are sufficient and in accordance with an accepted industry audit standard). Fresha may provide additional information in its possession or control to a Supervisory Authority that requests additional information in relation to the data processing activities carried out by Fresha under this Data Protection Addendum.
Partner agrees to thoroughly review and provide due consideration to such third-party certifications, audits or reports as Fresha may provide (in order to demonstrate its compliance with its obligations under this Data Protection Addendum) before making any request for additional information or inspection hereunder.
To the extent that Partner is unable to confirm Fresha's compliance with this Data Protection Addendum under this clause 8, in the event of any Security Breach, or upon the instruction of a Supervisory Authority, Fresha shall permit Partner (or their respective appointed third party auditors) to carry out an audit of Fresha's premises and operations to the extent reasonably required to confirm Fresha's compliance with this Data Protection Addendum. Partner must give Fresha reasonable prior notice of such intention to audit, conduct its audit during normal business hours, and ensure auditors have agreed to appropriate confidentiality obligations, and any such audit shall be at Partner's cost.
Deletion or return of data
Partner will have up to thirty (30) days following termination or expiry of the Agreement or completion of the Fresha Services to download its Partner Client Data via the Fresha Services export functionality, after which period Fresha may delete such Partner Client Data.
Notwithstanding the foregoing, Fresha may retain Personal Data beyond termination or expiry solely if, and for so long as, such Personal Data must be retained in order to comply with applicable law.
Limitation of liability
Fresha's maximum aggregate liability to Partner under or in connection with this Data Protection Addendum shall not under any circumstances exceed the maximum aggregate liability of Fresha to the Partner as set out in the Agreement. Nothing in this Data Protection Addendum will limit Fresha's liability in respect of personal injury or death in negligence or for any other liability or loss which may not be limited by agreement under applicable law.
Appendix 1 to the Model Clauses
This appendix forms part of the clauses and must be completed by the parties.
Data exporter: The data exporter is the Partner.
Data importer: The data importer is Fresha.
Description of data processing: Clause 3 of this DPA describes the categories of data subjects, categories of data, special categories of data and processing operations.
Appendix 2 to the Standard Contractual Clauses
This appendix forms part of the clauses and must be completed by the parties.
Description of the technical and organisational security measures implemented by the data importer in accordance with clauses 4(d) and 5(c) (or document/legislation attached): Fresha will provide a summary of its relevant technical and organisational security measures upon written Partner request.