Data Protection Addendum

Last Updated: March 6, 2025

Introduction

The purpose of this Data Protection Addendum is to describe each party’s rights and obligations with respect to the processing of Customer Personal Data (defined below) by 24 Social.

In this Data Protection Addendum (and where used elsewhere in the Agreement):

  • Controller, Data Subject, Personal Data, Personal Data Breach, Process (or Processed), and Processor all have their respective meanings given in the GDPR.
  • Customer Personal Data means all Personal Data relating to any individuals employed or otherwise engaged by the clients or customers of the Customer.
  • End User Personal Data means Personal Data relating to End Users (as defined in the Cloud GTCs).
  • Data Protection Legislation means, as applicable, the Data Protection Act 2018, the UK retained General Data Protection Regulation (2016/679) (“GDPR”) (as defined in section 3(10) (as supplemented by section 205(4)) of the Data Protection Act 2018), and the Privacy and Electronic Communications (EC Directive) Regulations 2000 and any applicable replacement or supplementary legislation governing the use and security of personal data.
  • Data Subject Request (DSR) means a request made by a Data Subject whose Personal Data is Processed by 24 Social under and/or in connection with the Services described in the relevant Order Form, which relates to the exercising of their data protection rights granted under Articles 12-22 of the GDPR.
  • EEA/UK means the European Economic Area and the United Kingdom.
  • Regulator means:
    • The UK Information Commissioner’s Office (the UK ICO); and
    • Any other regulatory, governmental, or independent public authority established pursuant to Article 51 (GDPR) with authority over all or any part of:
      1. The provision or receipt of the Services described in the relevant Order Form;
      2. The Processing of Customer Personal Data; or
      3. The Customer’s and/or 24 Social’s business.
  • Regulator’s Query means any and all inquiries made of 24 Social by a Regulator that relate to the Services described in the relevant Order Form or the Customer Personal Data.
  • Security Incident means any actual, alleged, or potential unauthorized disclosure, loss, destruction, compromise, damage, alteration, or theft of Customer Personal Data or any incident which may give rise to a Personal Data Breach.

The Agreement

The obligations contained in this Data Protection Addendum apply in addition to the other provisions of the Agreement that may concern the use and/or protection of End User Personal Data and Customer Personal Data (for example, the obligations contained in the confidentiality provisions).

GDPR Article 28(3)

The parties agree that, with respect to Customer Personal Data, the:

  • Subject matter, nature, and purpose of Processing of Customer Personal Data by 24 Social is the performance of Services, as outlined in the relevant Order Form.
  • Types of Customer Personal Data and categories of Data Subjects are as described in the Order Form.
  • [Drafting Note: For discussion] Duration of the Processing of Customer Personal Data will be the term of the Agreement.

Classification

The parties agree that, as between the parties and for the purpose of construing the Data Protection Legislation:

  • 24 Social will act as a Controller in relation to End User Personal Data collected by, or provided to, 24 Social under and/or in connection with the Agreement.
  • The Customer will act as a Controller in relation to the Customer Personal Data.
  • 24 Social will, in respect of the Customer Personal Data, be:
    • The Processor; or
    • Where the Customer is itself a Processor to its own customer, a sub-Processor.

As such, it is agreed that each party shall be responsible for complying with its obligations as Controller under the Data Protection Legislation.

The Customer warrants that all End User Personal Data and Customer Personal Data that it provides to 24 Social has been collected and disclosed in accordance with the Data Protection Legislation, including the fact that the Customer has the right to share such data with 24 Social (prior to such transmission taking place) and that all necessary consents have been obtained.

24 Social undertakes that it shall Process End User Personal Data only for the purposes of:

  1. Enabling, and to the extent necessary to enable, End Users to access and use the 24 Social Products.
  2. Providing the Services (the "Agreed Purpose").

The Processing described above may include:

  • Generating and managing login details and access to, and security of, the 24 Social Products.
  • As necessary in connection with “know-your-client”, anti-money laundering, and other compliance checks required to be taken under applicable laws.
  • Complying with its legal and regulatory obligations.
  • Internal administration.

Without prejudice to the above, 24 Social shall, in relation to End User Personal Data which it Processes under or in connection with this Agreement:

  • On request, provide the relevant End Users with the information referred to in Articles 13 and 14 of the GDPR (as applicable) and comply with its applicable obligations as a Controller.
  • Provide assistance as is reasonably required to enable the Customer to comply with Subject Rights Requests made to the Customer by any End Users within the time limits imposed by the Data Protection Legislation.
  • Maintain a record of Subject Rights Requests made to 24 Social by any End Users, the decisions made, and any information that was exchanged.
  • Not retain or Process any End User Personal Data for longer than is necessary to carry out the Agreed Purpose.

Rights of the Customer in connection with Customer Personal Data

If, in the course of the provision of the Services, 24 Social is required to Process any Customer Personal Data, then as between the parties, the Customer has the sole right to determine the purposes for which, and the manner in which, the Customer Personal Data will be Processed by 24 Social and may give written instructions to 24 Social in connection with the same from time to time (which instructions may require 24 Social to immediately cease Processing the Customer Personal Data).

For the avoidance of doubt, the parties each acknowledge and agree that 24 Social does not typically Process Customer Personal Data in the course of providing and making available the 24 Social Products.

Obligations of 24 Social as a Processor / Sub-Processor of Customer Personal Data

With respect to Customer Personal Data, 24 Social shall:

  1. Comply with its obligations under the applicable Data Protection Legislation.
  2. Not Process any Customer Personal Data in a manner that results in the Customer breaching its obligations under the Data Protection Legislation.
  3. Delete or return all Customer Personal Data upon termination or at the Customer’s request unless required by law to retain it.
  4. Process the Customer Personal Data only on behalf of the Customer and in accordance with the Customer’s written instructions.
  5. Not modify, amend, disclose, or permit disclosure of any Customer Personal Data to any third party unless authorized in writing by the Customer.
  6. Ensure personnel handling Customer Personal Data are:
    • Given only necessary access.
    • Aware of confidentiality obligations.
    • Appropriately vetted and trained.
  7. Implement and maintain appropriate technical and organizational measures to protect Customer Personal Data from unauthorized access, loss, or breach.
  8. Notify the Customer in writing of any Security Incident and take all necessary steps to prevent a repeat of the incident.
  9. Assist the Customer with compliance, including security obligations, data breach notifications, and regulatory inquiries.
  10. Not transfer Customer Personal Data outside the EEA/UK without written consent and legal safeguards.