Data Processing Agreement
This agreement covers the processing of data relating to the business of Hypnotic World Ltd (the “Controller”) by the assigned contractor (the “Processor”).
- The “Controller” - The data controller, Hypnotic World Ltd.
- The “Processor” - The party assigned to process Data on behalf of the Controller (e.g. a course tutor).
- “Data” - Data provided to the Processor by either the Controller or by persons related to the business of the Controller (e.g. prospective customers).
- “Contact Details” - Name, email address(es), postal/billing addresses, social media accounts and telephone number(s).
- “Order Details” - Order IDs, products/services ordered, order date, fulfillment status, customer contact details and other relevant order information.
Types of Data and Personal Data
The types of data which may be processed by the Processor include customers’ personal data such as:
Course student and workshop attendee data:
- Name and Contact Details
- Course test answers
- Correspondence between Hypnotic World, tutors and students
- Course module/workshop order progress
Prospective student data:
- Name and Contact Details
- Training interest type
- Correspondence regarding training and enrolment
- Attendees’ Contact Details
Tutors and Workshop Hosts:
- Correspondence between the Processor and a customer or prospective customer. This may take the form of email, telephone or in-person communication.
Where required for the Controller’s purposes, the Processor may also use other forms of personal data.
The Processor may only use data for the purposes of, and as instructed by, the Controller. Such purposes may include:
- Management of the Controller’s courses
- Assessment of student test answers
- Support provided to the Controller’s customers
- Arranging and hosting of training workshops
Other data processing purposes not listed above that are not agreed in advance by the Processor are prohibited.
The data may only be retained and processed by the Processor for the duration that it is needed for the purposes of the Controller’s business. Data may not be stored or processed beyond the duration of time that the Processor is providing the agreed services to the Controller.
Rights of the Controller
The Processor agrees to respect the rights of the Controller with regards to the Processing of Data. The Controller may update this agreement as needed at any time, and may terminate the agreement.
Responsibilities of the Processor
The Controller endeavours to protect all sensitive customer data and the Processor is expected to take their responsibilities seriously in maintaining the security of data. The Processor agrees:
- To fulfil their responsibilities with regard to the Data Protection Act (DPA) and General Data Protection Regulation (GDPR) and all other relevant legislation. Data may be stored and processed only in a manner which is permitted by law.
- To conduct Data Impact Assessments with respect to the processing of data.
- To ensure that a duty of confidence is maintained by all persons taking part in the processing of the Data.
- To take all reasonable measures to protect the Data.
- To report any suspected or actual data breaches with regards to the Data.
- Not to use, share, sell or distribute the Data for purposes not permitted by this agreement.
- To respond in a co-operative, timely manner to requests made by the Controller with respect to the Data.
- To assist the Controller in enabling persons wanting to exercise their rights with regards to data processing.
- To remove any portions of the Data where processing is no longer required by law or is no longer permitted or necessary.
- Not to provide any part of the Data to sub-contractors or third parties, unless authorized in writing by the Controller or required by law.
The Controller agrees to take precautions with regards to the protection of data from threats such as hacking or theft, including but not limited to:
- Maintaining password protection and encryption with regard to electronic data.
- Refraining from accessing electronic forms of Data from insecure networks (e.g. shared wired or wireless networks).
- Shredding or securely destroying redundant Data stored in physical format (e.g. on paper).
- Refraining from sharing information with third parties not authorized to process the relevant data by the Controller.
- Avoiding the use of personal email accounts in correspondence. Please request a business email account from the Controller for such purposes.
The Processor agrees to cooperate fully with audits and inspections regarding the processing of the Data, and to provide any information necessary to assist in the Controller’s compliance with its obligations described in Article 28.
Both the Controller and Processor reserve the right to terminate this agreement at any time provided that notice is provided to the other party in a timely manner. If this agreement is terminated by either party, the Processor must return all data to the Controller and is required to cease the storage and processing of such data.