Arken.legal Limited Data Protection Policy

Last Reviewed: 20th December 2023

1 DEFINITIONS AND INTERPRETATION

 In this Policy all capitalised terms shall have the same meaning as in Arken’s Standard Terms and Conditions. Additionally, the following words and expressions shall have the following meanings:

“Agreement” means the most recent version of Arken’s Standard Terms and Conditions published by Arken on our Site.

“Data Controller” means You and/or Authorised Users.

“Data Processor” means Us (except in relation to the provision of Third Party Services).

“Data Processor Personnel” means the Data Processor and/or each of its Sub-Processors and the officers, employees, agents, consultants, representatives and other personnel of each of the Data Processor and each Sub-Processor.

“Data Protection Legislation” means the European Directives 95/46 and 2002/58/EC (as amended by Directive 2009/139/EC) and any legislation and/or regulation implementing or made pursuant to them including but not limited to the Data Protection Act 1998, or which amends, replaces, re-enacts or consolidates any of them (including the General Data Protection Regulation, EU 2016/67), and including, where applicable, the guidance and codes of practice issued by the supervisory authorities (including the Information Commissioner).

“Good Industry Practice” means (in relation to any activity and under any circumstances) exercising the same skill, expertise and judgment and using facilities and resources of a similar or superior quality as would be expected from a person who: (a) is skilled and experienced in providing the services in question, seeking in good faith to comply with his or her contractual obligations and seeking to avoid liability arising under any duty of care that might reasonably apply; (b) takes all proper and reasonable care and is diligent in performing his or her obligations; and (c) complies with all applicable law.

“Request” means a subject access request or request to erase or correct Personal Data.

“Security Breach” means any actual loss, unauthorised or unlawful destruction, alteration, or unauthorised disclosure of, or access to the Personal Data (accidental or otherwise) and/or any other irregularity in processing the Personal Data.

“Sensitive Personal Data” has the meaning given to it in the Data Protection Legislation.

“Sub-Processor” means any sub-contractor to which the Data Processor has sub-contracted, or in the future may sub-contract, any of its obligations under Arken’s Standard Terms and Conditions and in performing such obligations the sub-contractor will receive and process Personal Data including Amazon Web Services, Google Analytics, Cloudflare, Mailgun, Auth0, Stripe, Chargebee, Zoho, Redash or as otherwise notified by the Data Processor in writing from time to time.

“Working Days” means Monday to Friday, excluding Public and Bank Holidays, in England & Wales.

  • For the purposes of this Policy Data Subject, Personal Data, Processing, transfer (in the context of Personal Data transfers) and appropriate technical and organisational measures shall be interpreted in accordance with the implementation of Directive 95/46/EC, or other applicable Data Protection Legislation, in the relevant jurisdiction.

    PROCESSING PERSONAL DATA

 

  • In providing the Services, the Data Processor shall process Personal Data on behalf of the Data Controller. The type of Personal Data to be Processed, and the categories of Data Subjects are set out in Annex 2 (Details of Personal Data Processed).
  • Both parties will comply with all applicable requirements of Data Protection Legislation. This Policy is in addition to, and does not relieve, remove or replace, a party’s obligations under Data Protection Legislation.
  • For the avoidance of doubt, where the Data Controller is receiving Third Party Services, it is the third party service provider and not Arken who will be the Data Processor.

 

RESTRICTIONS ON USE OF PERSONAL DATA

 

  • In processing Personal Data on behalf of the Data Controller, the Data Processor shall:
  • process the Personal Data only to the extent, and in such manner, as is necessary for the provision of the Services or the proper performance of its obligations under the Agreement or as is required by law or any regulatory body. The Data Processor may only correct, delete or block the Personal Data processed on behalf of the Data Controller as and when instructed to do so by the Data Controller or, if applicable, a Data Subject;
  • process the Personal Data only in accordance with the written instructions from the Data Controller or as otherwise lawfully and reasonably notified in writing (including via email) by the Data Controller to the Data Processor during the term of the Agreement (and the Data Controller hereby instructs the Data Processor to process that Personal Data as required to perform its obligations under the Agreement). If the Supplier is required to process the Personal Data for any other purpose by European Union or Member State law, the Data Processor will inform the Data Controller of this legal requirement to the extent permitted to do so by European Union or Member State law; and ensure that Personal Data is only processed by Data Processor Personnel who are reasonably required to do so in order to enable the Data Processor to comply with its obligations under the Agreement.
  • The Data Processor shall ensure that any Data Processor Personnel to whom Personal Data is disclosed are obliged to keep the Personal Data confidential.
  • The Data Controller specifically authorises the appointment of any Sub-Processor identified in this Policy, Annex 1 or Annex 2 and generally authorises the Data Processor to appoint further or alternative Sub-Processors. Where the Data Processor appoints or replaces a Sub-Processor it shall:
  • notify the Data Controller not less than 30 days in advance of any intended changes concerning the addition or replacement of such Sub-Processors. If the Data Controller wishes to object to such changes, it must do so within 30 days of receiving such notice, by notifying the Data Processor in writing accompanied by its reasons for such objection. Following any such objection, the Data Processor may engage with the Data Controller to provide alternatives or assurances in relation to such change. If the Data Controller (acting reasonably in relation to its legal or regulatory compliance obligations) continues to object to such changes the Data Controller may, within 30 days of receipt of the original notice, terminate on written notice without penalty the relevant services directly affected by that change. Where the Data Controller does not provide such written notice of such termination, or continues to use such services following the change, it shall be deemed to have accepted such change;
  • remain fully liable for all acts or omissions of any Sub-Processor engaged by it (and such engagements shall be on such Sub-Processors’ terms of business which incorporate data protection obligations which are the same or not less onerous in their effect as those set out in this Policy.
  • The Data Processor shall not acquire any right, title or interest in and to any of the Personal Data disclosed to it by the Data Controller.

 

SECURITY PROVISIONS

 

  • In processing Personal Data on behalf of the Data Controller, the Data Processor shall implement and shall ensure that it has in place at all times appropriate technical and organisational measures to prevent unlawful or unauthorised processing, accidental or unlawful destruction, damage, accidental loss, alteration, unauthorised disclosure of or access to the Personal Data in accordance with the compliance principles contained in Annex 1 and the Data Protection Legislation.
  • As soon as reasonably practicable following a request from the Data Controller, the Data Processor shall provide to the Data Controller all information reasonably necessary to demonstrate and ensure compliance with Clause 4.1 save that the Data Processor shall not be obliged to disclose specific security information which would jeopardise the security of the Software, Service or the Personal Data.
  • The Data Processor shall back up the Personal Data in accordance with its Back-Up Policy.

5 RESTRICTION ON TRANSFER OUTSIDE THE EUROPEAN ECONOMIC AREA (EEA)

  • The Data Processor shall not transfer Personal Data outside the EEA without the express prior written consent of the Data Controller (and the Data Controller hereby instructs and authorises the Data Processor to transfer Personal Data outside the EEA where required for the provision of the Services, including but not limited to where Personal Data is accessed by or on behalf of the Data Controller from outside the EEA, and where the Data Controller has been notified that an authorised Sub-Processor is located or stores or accesses Personal Data outside the EEA).
  • Where the Data Controller gives consent to a transfer outside the EEA, the Data Processor shall take such steps as may reasonably be required by the Data Controller on an ongoing basis to ensure there is adequate protection for such Personal Data in accordance with applicable Data Protection Legislation, which may include the Data Processor (or, where applicable, the Data Processor’s affiliate, Sub-Processor or other relevant third party) entering into the standard contractual clauses set out in the European Commission’s Decision 2010/87/EU of 5 February 2010 for the transfer of Personal Data to processors established in third countries (“Standard Contractual Clauses” with the Data Controller (as determined by the Data Controller) in the form prescribed by the European Commission (as may be amended by agreement of the Parties for compliance with applicable Data Protection Legislation requirements).

 

ASSISTANCE WITH COMPLIANCE

 

  • The Data Processor shall comply (and undertakes to ensure that the Data Processor Personnel do likewise) at all times with the requirements of the Data Protection Legislation and shall perform its obligations under the Agreement in such a way as to assist the Data Controller in complying with its obligations under the Data Protection Legislation taking into account the nature of the Processing and the information available to the Data Processor.
  • The Data Processor will at the cost of the Data Controller permit and arrange all reasonable access and assistance required for audits (including but not limited to inspection) by the Data Controller (and/or its auditors, representatives and/or any supervisory or government body, including the Information Commissioner (excluding where any representative is a competitor of the Data Processor)) in relation to compliance with this Policy subject to reasonable and appropriate confidentiality undertakings being given by the Data Controller’s auditors or representatives to inspect and audit the Data Processor’s Processing activities.
  • The Data Processor will assist the Data Controller, at the Data Controller’s cost, if it receives a Request from a Data Subject in relation to his or her Personal Data (insofar as this is possible).
  • The Data Processor will assist the Data Controller in respect of any complaint received by it from a Data Subject about the processing of his or her Personal Data and providing (at the same time) the Data Controller with details and a copy of the complaint.
  • The Data Processor shall where lawfully permitted, promptly notify the Data Controller of any communication from a regulatory authority in respect of a matter which concerns the Data Controller.
  • The Data Processor will promptly and properly deal with and respond to any and all reasonable requests and enquiries made by the Data Controller relating to its processing of the Personal Data.
  • The Data Processor will maintain records of processing activities carried out on behalf of the Data Controller containing the information prescribed in applicable Data Protection Legislation (including but not limited to the type of Personal Data processed and the purposes for which they are processed). The Data Processor shall make these records available to the Data Controller and supervisory authorities if and when required by such parties.
  • The Data Processor shall notify the Data Controller as soon as reasonably practicable upon it becoming aware that it is or is likely to become unable to comply with either its obligations under the Agreement or Data Protection Legislation, and/or the Data Controller’s requirements or instructions (whether specific or general) regarding the processing of the Personal Data.
  • If the Data Processor suspects or becomes aware of a Security Breach, it shall:
  • without undue delay on becoming aware of a Security Breach notify the Data Controller;
  • provide the Data Controller (as soon as is possible, and in no circumstance more than 24 hours after receiving a limited request) with such information that the Data Controller may reasonably request and that is available for collection relating to the Security Breach:
  • unless otherwise agreed with the Data Controller in writing, take action to stop the Security Breach, investigate the Security Breach and to identify, prevent and mitigate the effects of the Security Breach and to carry out any recovery or other action reasonably necessary to remedy the Security Breach; and
  • not release or publish any filing, communication, notice, press release, or report concerning the Security Breach without the Data Controller’s prior written approval (except where it is required to do so by applicable law).

 

Annex 1

 1 Access control to premises and facilities

The Data Processor will ensure or require of its Sub-Processors that controls are maintained to prevent unauthorised physical access its Sub-Processors premises, datacentres or facilities holding personal data but has no obligation to provide security or back-ups of data other than as stated in the Agreement.

2 Access control to systems

Appropriate technical and organisational measures for user identification and authentication will be maintained in accordance with Good Industry Practice to prevent unauthorised access to IT systems.

3 Access control to data

Appropriate measures will be maintained in accordance with Good Industry Practice to prevent authorised users from accessing data beyond their authorised access rights and prevent the unauthorised modification or disclosure of data. Authorised users shall be subject to a strict duty of confidentiality (whether a contractual duty or a statutory duty).

4 Disclosure control

Appropriate measures will be maintained, including encryption, to prevent the unauthorised access, alteration or removal of data during transfer, and to ensure that all transfers are secure and are logged.

5 Data Processing

Data is processed automatically by the Service.

 

Annex 2

 DETAILS OF PERSONAL DATA PROCESSED

Categories of Personal Data

Personal data which identifies the data subject and their personal characteristics including names, addresses, contact details, age, sex, date of birth, marital status, details of dependants as may be included by the Data Controller in the use of the Service. The examples given are not exhaustive.

Special categories of data

Sensitive Personal Data including physical or mental health or condition, racial or ethnic origin, political opinions, religious or other beliefs of a similar nature, trade union membership, sexual life. The examples given are not exhaustive.

Categories of data subjects

Individuals relating to whom Personal Data is held or used. The data subjects are the clients of the Data Controller.

Description of Processing Activities

Processing of any Personal Data is incidental to the Services provided by the Data Processor. No access to changes to, or other processing of any Personal Data is carried out as part of the Service other than as may be required on the specific written instructions of the Data Controller.