1.1. This Data Processing Agreement (“DPA“) is entered into pursuant to a Subscription Order placed by the Customer for the provision of Subscription Services by the Company, and forms part of the Contract agreed between the parties. It sets out the terms and conditions that apply specifically to the processing of personal data by the Company in the course of providing the Subscription Services to the Customer.
1.2. In this DPA, the following words and expressions have the meanings set out below:
1.2.1. “Applicable Laws” means:
a) to the extent the UK GDPR applies, the law of the United Kingdom or of a part of the United Kingdom; and
b) to the extent EU GDPR applies, the law of the European Union or any member state of the European Union to which the Company is subject.
1.2.2. “Applicable Data Protection Laws” means:
a) to the extent the UK GDPR applies, the law of the United Kingdom or of a part of the United Kingdom which relates to the protection of personal data; and
b) to the extent the EU GDPR applies, the law of the European Union or any member state of the European Union to which the Company is subject, which relates to the protection of personal data.
1.2.3. “Business Day” means a day other than a Saturday, Sunday or public holiday in England when banks in London are open for business.
1.2.4. “Contract” means the contract for the provision of Subscription Services consisting of the Subscription Order and the Company’s Subscription Services Terms and Conditions, along with any other documents referred to therein.
1.2.5. “Customer” means the individual or business entity named as such in the Subscription Order.
1.2.6. “Customer Personal Data” means any personal data which the Company processes in connection with the Contract, in the capacity of a processor on behalf of the Customer.
1.2.7. “EU GDPR” means the General Data Protection Regulation ((EU) 2016/679).
1.2.8. “Permitted Purposes” means the purposes for which the Customer Personal Data may be processed, as set out in paragraph 2.5.1 of this DPA.
1.2.9. “Subscription Order” means an order for Aico HomeLINK subscription services in the form prescribed by the Company, completed and signed by the Customer.
1.2.10. “Subscription Services” means the Company’s subscription services listed on the Subscription Order, which are to be provided by the Company to the Customer via https://www.aico.co.uk or any other website notified by the Company to the Customer from time to time, as more particularly described in the Documentation.
1.2.11. “UK GDPR” has the meaning given to it in the Data Protection Act 2018.
1.3. For the purposes of this DPA, the terms controller, processor, data subject, personal data, personal data breach and processing shall have the meaning given to them in the UK GDPR.
2.1. Both parties will comply with all applicable requirements of Applicable Data Protection Laws. This paragraph 2 is in addition to, and does not relieve, remove or replace, a party’s obligations or rights under Applicable Data Protection Laws.
2.2. The parties have determined that, for the purposes of Applicable Data Protection Laws, the Company shall process the personal data set out in Annex 1 to this DPA, solely as a processor on behalf of the Customer.
2.3. The Customer will ensure that it has all necessary appropriate consents and notices in place to enable (i) lawful transfer of the Customer Personal Data to the Company and (ii) lawful collection of the same by the Company, for the duration and purposes of the Subscription Services.
2.4. In relation to the Customer Personal Data, Annex 1 sets out the scope, nature and purpose of processing by the Company, the duration of the processing and the types of personal data and categories of data subject.
2.5. Without prejudice to the generality of paragraph 2.1, the Company shall, in relation to Customer Personal Data:
2.5.1. process that Customer Personal Data only on the documented instructions of the Customer, which shall be to process the Customer Personal Data to the extent reasonably necessary for the provision of the Subscription Services, unless the Company is required by Applicable Laws to otherwise process that Customer Personal Data. Where the Company is relying on Applicable Laws as the basis for processing Customer Personal Data, the Company shall notify the Customer of this before performing the processing required by the Applicable Laws unless those Applicable Laws prohibit the Company from so notifying the Customer on important grounds of public interest. The Company shall inform the Customer if, in the opinion of the Company, the instructions of the Customer infringe Applicable Data Protection Laws;
2.5.2. implement the technical and organisational measures set out in the Documentation to protect against unauthorised or unlawful processing of Customer Personal Data and against accidental loss or destruction of, or damage to, Customer Personal Data, which the Customer has reviewed and confirms are appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures;
2.5.3. ensure that any personnel engaged and authorised by the Company to process Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory or common law obligation of confidentiality;
2.5.4. assist the Customer insofar as this is possible (taking into account the nature of the processing and the information available to the Company), and at the Customer’s cost and written request, in responding to any request from a data subject and in ensuring the Customer’s compliance with its obligations under Applicable Data Protection Laws with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators;
2.5.5. notify the Customer within one Business Day on becoming aware of a personal data breach involving the Customer Personal Data;
2.5.6. at the written direction of the Customer, delete or return Customer Personal Data and copies thereof to the Customer on termination of the Contract (unless the Company is required by Applicable Laws to continue to process that Customer Personal Data). For the purposes of this sub-paragraph 2.5.6, Customer Personal Data shall be considered deleted where it is put beyond further use by the Company; and
2.5.7. maintain records to demonstrate its compliance with this paragraph 2.5.
2.6. The Customer hereby provides its prior, general authorisation for the Company:
2.6.1. to appoint HomeLINK Technologies LTD (registered in England with company number 09930635, whose registered office is at First Floor, 350 Bristol Business Park, Bristol, United Kingdom BS16 1EJ), Ei Unlimited Company trading as Ei Electronics (registered in the Republic of Ireland with company number 114252, whose registered office is at Shannon Industrial Estate, County Clare, Ireland V14 H020) and other processors to process the Customer Personal Data, provided that the Company:
a) shall ensure that the terms on which it appoints such processors comply with Applicable Data Protection Laws, and are consistent with the obligations imposed on the Company under this DPA;
b) shall remain responsible for the acts and omissions of any such processor as if they were the acts and omissions of the Company; and
c) shall inform the Customer of any intended changes concerning the addition or replacement of the processors, thereby giving the Customer the opportunity to object to such changes, provided that if the Customer objects to the changes and cannot demonstrate, to the Company’s reasonable satisfaction, that the objection is due to an actual or likely breach of Applicable Data Protection Laws, the Customer shall indemnify the Company for any losses, damages, costs (including legal fees) and expenses suffered by the Company in accommodating the objection;
2.6.2. to transfer Customer Personal Data outside of the UK as required for the Permitted Purposes, provided that:
a) the Company shall ensure that all such transfers are effected in accordance with Applicable Data Protection Laws; and
b) the countries to which Customer Personal Data is transferred and the locations in which Customer Personal Data is held are located either (i) in the European Economic Area or (ii) in another country that is covered by UK adequacy regulations. For these purposes, the Customer shall promptly comply with any reasonable request of the Company, including any request to enter into standard data protection clauses adopted by the EU Commission from time to time (where the EU GDPR applies to the transfer) or adopted by the Commissioner from time to time (where the UK GDPR applies to the transfer).
2.7. Either party may, at any time on not less than 30 days’ notice, revise this DPA by replacing it with any applicable controller to processor standard clauses or similar terms forming part of an applicable certification scheme (which shall apply when replaced by attachment to this DPA).
This Annex describes the categories of data subject whose personal data will be processed by the Company on behalf of the Customer; the types of personal data to be processed; the nature, scope and purpose of the processing; and the duration of the processing.
| Category of data subject | Types of personal data | Nature, scope and purpose | Duration* |
|---|---|---|---|
| Admin Account holder | Name; Email address; Company name; Company telephone number; Work address | The data is required in order to set up the Admin account through which the Customer will operate the Subscription Services | For the duration of the Subscription Services and for not more than 1 year thereafter |
| Authorised Users | Name; Email address; Telephone number (landline or mobile); Company name; Job title; Work address | The data is required in order to set up Authorised Users with access to the Subscription Services and to enable them to use the Subscription Services | For the duration of the Subscription Services and for not more than 1 year thereafter |
| Notification contact points | Name; Email address; Telephone number (landline or mobile) | The data is required in order to set up the contacts who are to receive notifications about the premises and systems being monitored via the Subscription Services | For the duration of the Subscription Services and for not more than 1 year thereafter |
| End users/occupiers | Name; Address and UPRN (Unique Property Reference Number); Email address; Residency start date; Residency end date | The data is required in order to allow the occupants of the premises in which the Subscription Services have been installed to access the End User Application that allows occupants to view data relating to the premises, and to allow the Customer to apply additional safeguarding where necessary | For the duration of the Subscription Services and for not more than 1 year thereafter |
* Where the same data subject falls into more than one category – for example, if an Admin Account holder is also an Authorised User – then the applicable duration will be the longest duration stated in the relevant rows of the above table. Data that does not fall within the definition of “Customer Personal Data” (as stated in this DPA) and personal data that has been anonymised may be retained and processed for longer periods than stated in the above table.