Data Processing Agreement
This Data Processing Agreement (“Agreement”) forms part of and is incorporated into the agreement between the parties governing the provision and use of services (the “Primary Agreement”) and is effective from the effective date of the Primary Agreement (the “Effective Date”).
The Primary Agreement is between SAMPL TECHNOLOGIES LTD, a company incorporated and registered in England and Wales with company number 13069140, whose registered office is at 4th Floor, Park Gate 161-163 Preston Road, Brighton, East Sussex BN1 6AF, United Kingdom (“SAMPL”), which for the purposes of this Agreement is the data processor (the “Data Processor”); and the other party named in the Primary Agreement, to which SAMPL provides services pursuant to the Primary Agreement (“CLIENT”), which for the purposes of this Agreement is the data controller (the “Data Controller”) (together the “Parties”, and “Party” shall be construed accordingly).
This Agreement sets out the terms on which SAMPL shall process personal data on behalf of the CLIENT in accordance with applicable data protection laws, including the UK General Data Protection Regulation (“GDPR”), the Data Protection Act 2018 and any other applicable laws relating to the processing of personal data.
The Parties agree that the Data Processor will process ‘personal data’ (as defined in the GDPR) on behalf of the Data Controller in accordance with the terms and conditions of this Agreement with the purpose being the provision of the SAMPL services provided to CLIENT.
1. PREAMBLE
1.1 The Agreement sets out the rights and obligations of the Data Controller and the Data Processor, when processing personal data on behalf of the Data Controller.
1.2 The Agreement has been designed to ensure the Parties’ compliance with the GDPR and the Data Protection Act 2018.
1.3 The Agreement shall take priority over any similar provisions contained in any other contract for services, including without limitation any licence agreement or master service agreement agreed between the Parties.
1.4 The appendices attached to the Agreement form an integral part of the Agreement (the “Appendices”):
Appendix A (information about the processing) - contains details about the processing of personal data, including the purpose and nature of the processing, type of personal data, categories of data subject and duration of the processing.
Appendix B (sub-processors) - contains a list of sub-processors authorised by the Data Controller.
Appendix C (technical and organisational security measures) - contains the technical and organisational security measures to be implemented by the Data Processor.
1.5 The Agreement along with Appendices shall be retained in writing, including electronically, by both Parties.
1.6 The Agreement shall not exempt the Data Processor from obligations to which the Data Processor is subject pursuant to the GDPR, the Data Protection Act 2018 or other data protection legislation.
2. THE RIGHTS AND OBLIGATIONS OF THE DATA CONTROLLER
2.1 The Data Controller is responsible for ensuring that the processing of personal data complies with applicable data protection laws, including the GDPR, the Data Protection Act 2018 and, where applicable, the EU General Data Protection Regulation, together with any other applicable laws relating to the processing of personal data.
2.2 The Data Controller has the right and obligation to make decisions about the purposes and means of the processing of personal data.
2.3 The Data Controller shall be responsible, among other things, for ensuring that the processing of personal data which the Data Processor is instructed to perform has a legal basis.
3. THE DATA PROCESSOR ACTS ACCORDING TO INSTRUCTIONS
3.1 The Data Processor shall process personal data only on documented instructions from the Data Controller, unless required to do so by applicable law to which the Data Processor is subject. Such instructions are specified in Appendices A and C. Subsequent instructions may also be given by the Data Controller throughout the duration of the processing of personal data, but such instructions shall always be documented and kept in writing, including electronically.
3.2 The Data Processor shall immediately inform the Data Controller if instructions given by the Data Controller, in the opinion of the Data Processor, contravene the GDPR, the Data Protection Act 2018 and, where applicable, the EU General Data Protection Regulation.
4. CONFIDENTIALITY
4.1 The Data Processor shall only grant access to the personal data being processed on behalf of the Data Controller to persons under the Data Processor’s authority who have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality, and only on a need-to-know basis. The list of persons to whom access has been granted shall be kept under periodic review. On the basis of this review, access to personal data shall be withdrawn where it is no longer necessary, and the personal data shall consequently no longer be accessible to those persons.
4.2 The Data Processor shall at the request of the Data Controller demonstrate that the concerned persons under the Data Processor’s authority are subject to the abovementioned confidentiality.
5. SECURITY OF PROCESSING
5.1 Article 32 GDPR stipulates that, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Data Controller and Data Processor shall implement appropriate technical and organisational security measures (Appendix C) to ensure a level of security appropriate to the risk.
The Data Controller shall evaluate the risks to the rights and freedoms of natural persons inherent in the processing and implement measures to mitigate those risks. Depending on their relevance, the measures may include the following:
a. pseudonymisation and encryption of personal data;
b. the ability to ensure ongoing confidentiality, integrity, availability and resilience of processing systems and services;
c. the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
d. a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational security measures for ensuring the security of the processing.
5.2 According to Article 32 GDPR, the Data Processor shall also – independently from the Data Controller – evaluate the risks to the rights and freedoms of natural persons inherent in the processing and implement measures to mitigate those risks. To this effect, the Data Controller shall provide the Data Processor with all information necessary to identify and evaluate such risks.
5.3 Furthermore, the Data Processor shall assist the Data Controller in ensuring compliance with the Data Controller’s obligations pursuant to Article 32 GDPR, by inter alia providing the Data Controller with information concerning the technical and organisational security measures already implemented by the Data Processor pursuant to Article 32 GDPR, along with all other information necessary for the Data Controller to comply with the Data Controller’s obligations under Article 32 GDPR.
6. USE OF SUB-PROCESSORS
6.1 The Data Processor shall meet the requirements specified in Article 28(2) and (4) GDPR in order to engage another processor (a “sub-processor”).
6.2 The Data Processor shall submit any request for specific authorisation at least one month prior to the engagement of the sub-processor concerned. The list of sub-processors which may be engaged by the Data Processor can be found in Appendix B.
6.3 Where the Data Processor engages a sub-processor for carrying out specific processing activities on behalf of the Data Controller, the same data protection obligations as set out in the Agreement shall be imposed on that sub-processor by way of a contract or other legal act under applicable law, in particular providing sufficient guarantees to implement appropriate technical and organisational security measures in such a manner that the processing will meet the requirements of the Agreement and the GDPR.
7. TRANSFER OF DATA TO THIRD COUNTRIES OR INTERNATIONAL ORGANISATIONS
7.1 Any transfer of personal data to third countries or international organisations by the Data Processor shall take place in compliance with Chapter V GDPR. Where such a transfer requires it, the Parties shall enter into the United Kingdom International Data Transfer Addendum (“IDTA”).
7.2 The Data Processor may be required, in fulfilment of its obligations to the Data Controller, to:
a. transfer personal data to a Data Controller or a Data Processor in a third country or in an international organisation;
b. transfer the processing of personal data to a sub-processor in a third country; and
c. process the personal data in a third country.
8. ASSISTANCE TO THE DATA CONTROLLER
8.1 Taking into account the nature of the processing, the Data Processor shall assist the Data Controller by appropriate technical and organisational security measures, in the fulfilment of the Data Controller’s obligations to respond to requests for exercising the data subject’s rights laid down in Chapter III GDPR. This entails that the Data Processor shall, insofar as this is possible, assist the Data Controller in the Data Controller’s compliance with:
a. the right to be informed when collecting personal data from the data subject;
b. the right to be informed when personal data have not been obtained from the data subject;
c. the right of access by the data subject;
d. the right to rectification;
e. the right to erasure (right to be forgotten);
f. the right to restriction of processing;
g. notification obligation regarding rectification or erasure of personal data or restriction of processing;
h. the right to data portability;
i. the right to object; and
j. the right not to be subject to a decision based solely on automated processing, including profiling.
8.2 In addition to the Data Processor’s obligation to assist the Data Controller pursuant to Clause 8.1, the Data Processor shall furthermore, taking into account the nature of the processing and the information available to the Data Processor, assist the Data Controller in ensuring compliance with:
a. the Data Controller’s obligation to notify the personal data breach to the competent supervisory authority without undue delay and, where feasible, not later than 72 hours after having become aware of it, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons;
b. the Data Controller’s obligation to communicate the personal data breach to the data subject without undue delay, when the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons;
c. the Data Controller’s obligation to carry out a data protection impact assessment of the impact of the envisaged processing operations on the protection of personal data. If requested by CLIENT, SAMPL shall, at the cost of CLIENT, provide CLIENT with all reasonable assistance in order for CLIENT to conduct a data protection impact assessment;
d. the Data Controller’s obligation to consult the competent supervisory authority, prior to processing where a data protection impact assessment indicates that the processing would result in a high risk in the absence of measures taken by the Data Controller to mitigate the risk.
9. NOTIFICATION OF PERSONAL DATA BREACH
9.1 In case of any personal data breach, the Data Processor shall, without undue delay after having become aware of it, notify the Data Controller of the personal data breach.
9.2 The Data Processor’s notification to the Data Controller shall, if possible, take place within 24 hours after the Data Processor has become aware of the personal data breach to enable the Data Controller to comply with the Data Controller’s obligation to notify the personal data breach to the competent supervisory authority, cf. Article 33 GDPR.
9.3 In accordance with Clause 9.2, the Data Processor shall assist the Data Controller in notifying the personal data breach to the competent supervisory authority, meaning that the Data Processor is required to assist in obtaining the information listed below which, pursuant to Article 33(3) GDPR, shall be stated in the Data Controller’s notification to the competent supervisory authority:
a. the nature of the personal data breach including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
b. the likely consequences of the personal data breach;
c. the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
10. ERASURE AND RETURN OF DATA
10.1 On termination of the provision of personal data processing services, the Data Processor shall be under obligation to return all the personal data to the Data Controller and delete existing copies unless applicable law requires storage of the personal data.
10.2 The Data Controller is able to export its data without assistance from the Data Processor using the Sampl platform. Data will automatically be deleted by the Data Processor 90 days after completion of each Campaign.
11. DATA PRIVACY COMMUNICATIONS
11.1 CLIENT warrants that it will provide SAMPL with a monitored email address for all data privacy communications. Any instructions sent by SAMPL to this address regarding data subject access requests or right to erasure (right to be forgotten) requests shall be deemed received within 24 hours.
11.2 Right to erasure (right to be forgotten): upon receipt of a valid right to erasure request from a data subject or the CLIENT, SAMPL is pre-authorised by the CLIENT to perform the following actions without further consultation:
a. Internal systems: upon receipt of a valid request, SAMPL will immediately cease all processing of the data subject’s personal data and UGC (defined below). Permanent erasure from all production systems will be completed within 30 days, in accordance with SAMPL’s data retention and purging protocols.
b. User Generated Content (“UGC”): for the avoidance of doubt, any written reviews, images or videos submitted by the data subject are considered personal data and will be deleted in their entirety as part of this process.
c. Third party propagation: where SAMPL has been instructed to transmit reviews or UGC to third-party platforms (e.g. BazaarVoice) via API, SAMPL will attempt to trigger the corresponding ‘delete’ or ‘forget’ endpoint if such an automated API is provided by the third party.
Notwithstanding the above, where a data subject has participated in a SamplPay campaign and received funds, SAMPL shall retain transaction-related personal data as required by applicable tax and financial laws for a period of up to 7 years. During this period, such data shall be put ‘beyond use’ for marketing purposes.
12. LIABILITY
12.1 Subject to clause 12.2, the maximum aggregate liability of either Party under or in connection with this Agreement, whether in contract, tort (including negligence) or otherwise (including under an indemnity), shall in no circumstances exceed £1,000,000. The limitations of liability set out in this clause 12 do not apply to liability arising from: (i) death or personal injury; (ii) fraud or fraudulent misrepresentation; or (iii) any matter for which liability cannot be limited or excluded under applicable law.
12.2 Neither Party shall be liable under this Agreement for any: (i) loss of profits, sales, business or revenue; (ii) business interruption or service failure; (iii) loss of anticipated savings; (iv) loss or corruption of data or information; (v) loss of business opportunity, goodwill or reputation; or (vi) any other special, indirect or consequential loss or damage arising and whether caused by tort (including negligence), breach of contract or otherwise, whether or not such loss or damage is foreseeable, foreseen or known.
13. AUDIT AND INSPECTION
13.1 The Data Processor shall make available to the Data Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 GDPR and the Agreement, and shall allow for and contribute to audits, including inspections, conducted by the Data Controller or another auditor mandated by the Data Controller.
14. AGREEMENT ON OTHER TERMS
14.1 The Parties may agree to other clauses concerning the provision of the personal data processing service specifying e.g. liability, as long as they do not contradict directly or indirectly the Agreement or prejudice the fundamental rights or freedoms of the data subject and the protection afforded by the GDPR.
15. COMMENCEMENT AND TERMINATION
15.1 Either Party shall be entitled to require that the Agreement be renegotiated if changes to applicable law, or the Agreement becoming inexpedient, give rise to such renegotiation.
15.2 The Agreement cannot be terminated unless another agreement governing the provision of personal data processing services has been agreed between the Parties or as otherwise provided for in the Agreement.
15.3 If the provision of personal data processing services under this Agreement is terminated, the personal data shall, at the Data Controller’s choice, either be deleted or returned to the Data Controller.
15.4 Any provision of this Agreement which is expressed to survive, or which by its nature or necessary implication is intended to survive termination or expiry (including, without limitation, provisions relating to confidentiality, data protection, audit, liability and governing law), shall remain in full force and effect.
16. NOTICES AND OTHER COMMUNICATIONS
16.1 Notices and other communications shall be sent to:
Sampl Technologies Limited for the attention of Privacy Department at:
Address: 4th Floor, Park Gate 161-163 Preston Road, Brighton
East Sussex, BN1 6AF, United Kingdom
or
Email: privacy@sampltech.com;
17. THIRD PARTY RIGHTS
17.1 No one other than a Party to this Agreement, their successors and permitted assignees shall have any right to enforce any of its provisions.
18. GOVERNING LAW
18.1 This Agreement and any dispute or claim arising out of, or in connection with it, its subject matter or formation (including non-contractual disputes or claims) shall be governed by, and construed in accordance with, the laws of England and Wales.
APPENDIX A
INFORMATION ABOUT THE PROCESSING
A.1. The purpose of the Data Processor’s processing of personal data on behalf of the Data Controller is:
To run targeted product sampling campaign(s) to generate first party data, capture product reviews and feedback and acquire new customers / consumers.
A.2. The Data Processor’s processing of personal data on behalf of the Data Controller shall mainly pertain to (the nature of the processing):
Capturing consumer requests for samples via digital advertising, processing orders and delivering personalised messages throughout the sampling process. Processing of CLIENT’s personnel details through business to business contact and in relation to the performance of a contract.
A.3. The processing includes the following types of personal data about data subjects:
Personal data (non-sensitive) including: name, address, email, phone number, date of birth and location.
A.4. Processing includes the following categories of data subject:
Consumers, CLIENT’s personnel.
A.5. The Data Processor’s processing of personal data on behalf of the Data Controller may be performed when the Agreement commences. Processing has the following duration:
Data shall be processed for the duration of each individual campaign. Data shall be anonymised 90 days following the completion of each campaign (as applicable).
APPENDIX B
SUB-PROCESSORS
B.1. Approved sub-processors
On commencement of the Agreement, the Data Controller authorises the engagement of the sub-processors listed at: https://www.sampltech.com/sub-processors .
APPENDIX C
TECHNICAL AND ORGANISATIONAL SECURITY MEASURES
SAMPL shall implement appropriate technical and organisational security measures appropriate to the risk, including as appropriate those matters mentioned in Articles 32(1)(a) to 32(1)(d) (inclusive) of the GDPR.
SAMPL acknowledges that the nature of the Services requires an appropriately high level of security to be maintained at all times. To ensure the ongoing Confidentiality, Integrity, and Availability (CIA) of Personal Data, SAMPL shall maintain a comprehensive Information Security Management System (ISMS).
SAMPL shall maintain ISO 27001:2022 certification (or a successor standard) for the required duration of the data processing. This certification serves as a primary baseline for SAMPL’s security posture, ensuring that all people, process and technology-based controls are audited by an independent third party against international best practice for information security.
Alongside the governance provided by the ISO framework, SAMPL implements the following security measures:
- Data Encryption: All Personal Data is encrypted using industry-standard protocols (e.g. TLS 1.2+) while in transit over public networks and remains encrypted at rest using AES-256 (or equivalent) within SAMPL’s production environments.
- System Availability & Uptime: SAMPL utilises high-availability architecture and load-balancing across multiple availability zones to ensure continuous service delivery and Sampl platform resilience.
- Business Continuity & Disaster Recovery (DR): SAMPL maintains a robust DR plan, including regular automated backups and validated recovery procedures designed to restore access to Personal Data in a timely manner in the event of a physical or technical incident.
- Access Control: Access to production environments is strictly limited to authorised personnel based on the "Principle of Least Privilege" and is protected by Multi-Factor Authentication (MFA).
- Vulnerability Management: Regular automated scanning is conducted to identify and remediate potential security risks within the Sampl platform infrastructure.