This Data Processing Agreement (DPA) sets out the terms and conditions for the processing of personal data by Lahez on behalf of our customers, in compliance with GDPR Article 28.
This Data Processing Agreement ("DPA") forms part of the Terms of Service between WHIKS Ltd ("Lahez", "we", "us"), a company registered in England and Wales, and our customers ("Controller", "you") for the processing of personal data in accordance with the General Data Protection Regulation (GDPR) and, where applicable, the UK GDPR.
This DPA template is provided for informational purposes. A signed DPA may be required for certain enterprise customers or when processing sensitive personal data.
The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
WHIKS Ltd (the company operating the Lahez platform), a legal person which processes personal data on behalf of the controller.
Any information relating to an identified or identifiable natural person.
Any operation or set of operations performed on personal data, whether or not by automated means.
The Processor shall process personal data only on documented instructions from the Controller, including with regard to transfers of personal data to a third country or an international organisation.
The Processor shall process personal data only on documented instructions from the Controller and shall ensure that persons authorised to process personal data have committed themselves to confidentiality.
The Processor shall ensure that persons authorised to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
The Processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including encryption, access controls, and regular security assessments.
The Processor may engage sub-processors with the Controller's general written authorisation. The Processor shall inform the Controller of any intended changes concerning the addition or replacement of sub-processors.
The Controller shall ensure that the processing of personal data is lawful and that the Processor has appropriate instructions for processing.
The Controller shall provide lawful, specific instructions for the processing of personal data.
The Controller shall ensure that the processing is lawful and has a valid legal basis under GDPR.
The Controller shall cooperate with the Processor in ensuring compliance with applicable data protection laws.
The Processor shall assist the Controller in fulfilling data subject rights requests and obligations under GDPR.
The Processor shall assist the Controller in responding to requests for exercising data subject rights.
The Processor shall notify the Controller without undue delay if it receives a request from a data subject.
The Processor shall assist the Controller in responding to data subject requests within the required timeframes under GDPR.
The Processor shall notify the Controller without undue delay after becoming aware of a personal data breach.
The Processor shall notify the Controller without undue delay after becoming aware of a breach, consistent with applicable law (including typical supervisory authority notification timelines under the GDPR where they apply).
The Processor shall cooperate with the Controller in investigating and remediating any data breach.
The Processor shall document any personal data breaches and maintain records of the facts, effects, and remedial action taken.
The Controller has the right to audit the Processor's compliance with this DPA and applicable data protection laws.
The Controller may request access to the Processor's facilities and records relevant to the processing of personal data.
The Processor shall cooperate with audits conducted by the Controller or its appointed auditors.
The Controller shall bear the costs of any audits, unless the audit reveals material non-compliance by the Processor.
Upon termination of the services, the Processor shall return or delete all personal data and certify deletion.
The Processor shall return all personal data to the Controller or delete it, at the Controller's choice.
The Processor shall certify deletion of personal data unless EU or Member State law requires storage.
The Processor shall provide written certification of compliance with this section within 30 days of termination.
For questions about this Data Processing Agreement or to request a signed DPA:
Email: privacy@whiks.com
Address:
WHIKS Ltd
128 City Road
London, EC1V 2NX
United Kingdom
Registered in England and Wales · Company number 17189817
Tel: +44 7988580234