| IWSR
If you have any questions about this policy, including any requests to exercise your legal rights, please contact us by:
This policy was last updated on 5th June 2024.
We store your data on our servers and third party servers which are based both in the UK and outside of the UK.
When working with third parties we may need to transfer your personal data outside of the UK and / or EU.
Whenever we transfer your personal information outside of the UK and the EU, we ensure it receives additional protection as required by law. To keep this policy as short and easy to understand as possible, we haven’t set out the specific circumstances when each of these protection measures are used. You can contact us using the contact details above for more detail on this.
We will only retain your personal information for as long as we need it unless we are required to keep it for longer to comply with our legal, accounting or regulatory requirements.
In some circumstances we may carefully anonymise your personal data so that it can no longer be associated with you, and we may use this anonymised information indefinitely without notifying you. We use this anonymised information to improve our products and services.
You have various other rights under applicable data protection laws, including the right to:
You also have the right to lodge a complaint with us or the Information Commissioner’s Office, the supervisory authority for data protection issues in England and Wales. If you are based in the EU you can find your relevant supervisory authority here.
Please keep in mind that privacy law is complicated, and these rights will not always be available to you all of the time.
You can go to IWSR’s subscription centre and select or change your contact preferences at any time. A link to the subscription centre can be found at the bottom of all IWSR marketing emails.
1.1 “Agreed Purpose” means the performance by IWSR of its obligations under the Agreement including the promotion of the IWSR Products by IWSR.
1.2 “Customer Data” means the following types of Personal Data relating to Customer or its personnel may be shared with IWSR in connection with its provision of the products or services: name, gender, address, data or birth, email address and financial information.
1.3 “Data Protection Law” means, where applicable, the General Data Protection Regulation ((EU) 2016/679) (“GDPR”); the GDPR as defined in section 3(10) (as supplemented by section 205(4)) of the DPA 2018 (“UK GDPR”); the Data Protection Act 2018 (“DPA 2018”); and the European Privacy and Electronic Communications Directive (Directive 2002/58/EC) (as updated by Directive 2009/136/EC), each as amended or replaced from time to time and all other national, international, regional, federal or other laws related to data protection and privacy that are applicable to any territory where IWSR processes personal data or is established.
1.4 “Personal data”, “personal data breach”, “controller”, “processor”, “processing”, “data subject” and “supervisory authority” shall have the meanings ascribed to them under Data Protection Law.
1.5 “Standard Contractual Clauses” means the standard contractual clauses for the transfer of Personal Data to third countries pursuant to the GDPR, adopted by the European Commission under Commission Decision (EU) 2021/914 2021.
2.1 All capitalised terms used but not otherwise defined in this DPA shall have the meaning given to them in the Agreement.
2.2 To the extent any provision of this DPA conflict with any term of the Agreement, the relevant provision of this DPA shall prevail.
3.1 For the purposes of this DPA, the Customer and IWSR agree that IWSR acts as a processor and Customer acts as a controller in respect of the Customer Data.
3.2 The particulars of the processing are set out in the Schedule.
Customer shall comply with its obligations under Data Protection Law and shall in particular:
4.1 Ensure that it is entitled to transfer the relevant Customer Data to IWSR so that IWSR may lawfully use, process and transfer the Customer Data in accordance with the Agreement on the Customer’s behalf; and
4.2 The relevant data subjects have been informed of such use, processing, and transfer as required by all applicable Data Protection Laws.
IWSR shall comply with its obligations under Data Protection Law and shall in particular:
5.1 Only process the Customer Data for: (i) the Agreed Purpose; (ii) as instructed by the Customer; and (iii) as necessary to comply with IWSR’s requirements under any applicable law;
5.2 If IWSR is aware that the Customer’s processing instructions infringe applicable laws, IWSR shall notify the Customer immediately (unless prevented from doing so by applicable laws) and not carry out the relevant processing;
5.3 Maintain all appropriate technical and organisational measures to ensure security of the Customer Data including protection against unauthorised or unlawful processing (including, without limitation, unauthorised or unlawful disclosure of, access to and/or alteration of the Customer Data) taking into account the state of the art, the costs of implementation, the nature, scope, context and purposes of processing and the likelihood and severity of risk in relation to the rights and freedoms of the data subjects;
5.4 Ensure that all persons authorised by IWSR to process the Customer Data are subject to either contractual or statutory obligations of confidentiality;
5.5 Provide reasonable assistance to Customer to demonstrate its compliance with the Data Protection Law, including but not limited to: (i) ensuring compliance with its security, breach notification, impact assessment and prior consultation obligations; and (ii) responding to (a) any request from a data subject to exercise its rights under Data Protection Law (without responding to that request unless authorised to do so by the Customer); and (b) any other correspondence or enquiry received in connection with the processing of the Customer Data;
5.6 Notify the Customer without undue delay as soon as it becomes aware of any personal data breach in connection with the Customer Data;
5.7 Maintain appropriate records and information in compliance with Data Protection Law and on request by the Customer, make available such records information necessary to demonstrate IWSR’s compliance with this DPA and otherwise permit, and contribute to, audits carried out by the Customer (or its authorised representative); and
5.8 On termination or expiry of the Agreement, destroy or return (as the Customer directs) all Customer Data in its power, possession or control and delete all existing copies of such data except to the extent IWSR is required to retain a copy the personal data by law.
If an adequate protection measure for the international transfer of personal data is required under the Data Protection Law and has not otherwise been arranged by the parties, the Standard Contractual Clauses shall be incorporated into this DPA in the schedule as if they had been set out in full.
7.1 The Customer authorised IWSR to engage the sub-processors listed at Schedule 1, subject to: (i) IWSR entering into a written agreement with such sub-processors containing obligations which comply with Data Protection Law; and (ii) IWSR remaining liable for any breach of this DPA that is caused by its sub-processors.
7.2 IWSR shall inform the Customer of any changes concerning the addition or replacement of other sub-processors thereby giving the Customer the opportunity to reasonably object to such changes.
Subject to the limitation of liability provisions in the Agreement, to the extent that Customer has an entitlement under Data Protection Law to claim from IWSR compensation paid by the Customer to a data subject as a result of a breach of Data Protection Law to which IWSR contributed, IWSR shall be liable only for such amount as it directly relates to its responsibility for any damage caused to the relevant data subject.
The Customer and IWSR shall agree in good faith any reasonable changes required to this DPA to comply with any changes to Data Protection Law.
1.1 To the extent clause 6.1 applies and the transfer is made from a UK or EU based Customer to an IWSR entity based outside of the UK or EU, this Schedule 1 and the following terms shall apply: Module 4 of the EU SCCs, and no other optional clauses unless explicitly specified, are incorporated into this Schedule 1 as if they had been set out in full in the case where the exporter is a Processor, the importer is a Controller and the transfer requires such additional protection.
2.1 For the purposes of clause 13 of the EU SCCs, the competent Supervisory Authority shall be:
2.2 For the purposes of clause 8.1(d) of the EU SCCs, at the end of the provision of the processing services the exporter shall delete all Personal Data and shall certify to the importer that it has done so, if requested to provide such certification by the importer in writing.
2.3 For the purposes of clauses 17 and 18 of the EU SCCs, the laws and courts of Ireland shall apply.
The Parties
3.1 Exporter (Processor): IWSR
3.2 Importer (Controller): Customer
Description Of Data Processing
3.3 Categories of data subjects: End licence users.
3.4 Categories of personal data transferred: Customer Data.
3.5 Sensitive data transferred: None.
3.6 Frequency of the transfer: Continuous.
3.7 Nature of the processing: Storage and use.
3.8 Purpose of the processing: For the Agreed Purpose.
3.9 Duration of the processing: For the duration of the Agreement.
3.10 Sub-Processor Transfers: As set out at clause 7. The approved sub-processors are:
3.11 Competent Supervisory Authority: As set out at paragraph 2.1.
3.12 Technical and Organisational Measures:
Our website uses cookies to distinguish you from other users of our website. This helps us to provide you with a good experience when you browse our website and also helps us make improvements.
You can block cookies by activating the setting on your browser that allows you to refuse the setting of all or some cookies. However, if you use your browser settings to block all cookies (including essential cookies) you may not be able to access all or parts of our website.