(UK GDPR)

This Data Processing Agreement ("Agreement") forms part of the Terms of Service between:

CP Agency Ltd, a company incorporated in England and Wales, trading as Hassan Iqbal, CreativePixels, Creative Hosting, Monthly Design, and other associated trading names ("CP", "we", "us", "our"),

and

The Client ("Client", "you", "your").

This Agreement applies where CP processes personal data on behalf of the Client in connection with the services provided.

1. Definitions

Terms used in this Agreement have the meanings given to them in the UK GDPR and the Data Protection Act 2018, including "personal data", "processing", "controller", and "processor".

For the purposes of this Agreement:

• The Client is the Data Controller
• CP is the Data Processor

2. Scope and Purpose of Processing

CP will process personal data only:

• To provide the services agreed in the applicable Proposal
• In accordance with the Client's documented instructions
• As required to comply with applicable law

Processing activities may include collecting, storing, hosting, accessing, modifying, transmitting, or deleting personal data as necessary to deliver the services.

3. Categories of Data and Data Subjects

The personal data processed may include, depending on the services:

• Names
• Contact details
• User account information
• Website or platform usage data
• Form submissions or customer enquiries
• IP addresses and technical identifiers

Data subjects may include:

• Website visitors
• Customers
• Users
• Employees or representatives of the Client

The exact nature of data processed depends on how the Client uses the services.

4. CP's Obligations as Processor

CP agrees to:

• Process personal data only on documented instructions from the Client
• Ensure that persons authorised to process personal data are subject to confidentiality obligations
• Take appropriate technical and organisational measures to protect personal data
• Not engage another processor without complying with Section 6 below
• Assist the Client in meeting its obligations under UK GDPR where reasonably required
• Delete or return personal data at the end of the services, unless retention is required by law

5. Security Measures

CP implements reasonable technical and organisational measures designed to protect personal data against unauthorised or unlawful processing and against accidental loss, destruction, or damage.

These measures may include, where appropriate:

• Access controls and authentication
• Encryption in transit and at rest (where supported)
• Secure hosting environments
• Regular updates and security patching
• Limiting access to authorised personnel only

No system can be guaranteed to be completely secure, and CP does not warrant that security incidents will never occur.

6. Sub-Processors

The Client authorises CP to engage sub-processors to assist in providing the services.

Sub-processors may include:

• Hosting and cloud infrastructure providers
• Email and communications platforms
• Analytics, monitoring, or support tools
• Group companies or subsidiaries wholly owned and operated by CP

CP will ensure that any sub-processor is subject to data protection obligations that are no less protective than those set out in this Agreement.

A list of categories of sub-processors may be provided on request.

7. International Data Transfers

Where personal data is processed outside the UK or EEA, CP will ensure that appropriate safeguards are in place in accordance with UK GDPR, including the use of approved transfer mechanisms where required.

8. Data Subject Rights

CP will, where reasonably possible:

• Notify the Client if it receives a request from a data subject
• Assist the Client in responding to data subject requests, taking into account the nature of the processing

CP is not responsible for responding directly to data subject requests unless expressly instructed by the Client.

9. Personal Data Breaches

CP will notify the Client without undue delay after becoming aware of a personal data breach affecting personal data processed under this Agreement.

CP will provide reasonable information to assist the Client in meeting its notification obligations under UK GDPR.

10. Audits and Information

Upon reasonable written request, CP will make available information necessary to demonstrate compliance with this Agreement.

Audits or inspections:

• Must be reasonable and proportionate
• Must not unreasonably disrupt CP's business
• May be satisfied through documentation, certifications, or third-party reports where appropriate

11. Client Responsibilities

The Client is responsible for:

• Determining the lawful basis for processing personal data
• Providing lawful instructions to CP
• Ensuring that personal data provided to CP is accurate and lawfully obtained
• Complying with its own obligations as Data Controller under UK GDPR

12. Limitation of Liability

Liability arising from this Agreement is subject to the limitations set out in the Terms of Service.

Nothing in this Agreement limits liability where such limitation is not permitted under applicable law.

13. Term and Termination

This Agreement remains in effect for as long as CP processes personal data on behalf of the Client.

On termination of the services, CP will, at the Client's option and subject to applicable law:

• Delete personal data, or
• Return personal data and delete remaining copies

14. Governing Law

This Agreement is governed by the laws of England and Wales, and the courts of England and Wales have exclusive jurisdiction.

15. Order of Precedence

In the event of any conflict:

• This Data Processing Agreement
• The Terms of Service
• Any applicable Proposal
  

Signatures

CP Agency Ltd

Name: _______________________

Title: _______________________

Date: _______________________

Signature: _______________________

Client

Name: _______________________

Title: _______________________

Date: _______________________

Signature: _______________________

Need to Discuss Data Processing?

Get in touch to discuss your data processing requirements or request a copy of this agreement.

Contact us