Subscribe to get good news

Be the first to hear about upcoming classes, workshops and events

Data Protection Agreement

1. Data Protection

1.1. For the purpose of this Schedule, in addition to the definitions set out in the main body of the Agreement, the following terms shall have the following meanings:

Controller, Data Subject, Processor, Process, Personal Data 

Shall each have the meaning given to them in Data Protection Legislation. 

Data Protection Legislation

means, for such time as they are in force in England and Wales, the DPA 2018, the GDPR and all related legislation which may supplement, amend, implement or replace them and which relates to the protection of individual’s rights in their personal data and the protection of their privacy.

DPA 2018

Data Protection Act 2018.


means Regulation (EU) 2016/679 from time to time in force in the UK and/or such legislation as may give effect to its terms in England and Wales.

2. Controller’s obligations

2.1. Mamma and you agree that for the purposes of Data Protection legislation that Mamma shall be the Controller and you shall be the Data Subject in respect of any Personal Data which identifies you and is transferred from you to Mamma in accordance with this Agreement.

2.2. We shall process Personal Data in accordance with our Privacy Policy.

2.3. You confirm that you are duly and lawfully authorised to transfer or otherwise transmit any Personal Data we receive from you, including Personal Data of third parties, and that we can Process such Personal Data as an independent Controller.

2.4.You hereby authorise us to hold and process Personal Data relating to you, or other third parties where you transfer that Personal Data to us, and to transfer such Personal Data to third parties in connection with the provision of the Mamma Services. 

3. Processor’s obligations

3.1. Mamma and you further agree that Mamma shall be the Controller and you shall be a Processor in respect of any Personal Data which identifies Data Subjects other than the parties to this Agreement which may be Processed in connection with the provision of the Professional Services to Users under this Agreement

4. Details of Processing

4.1. Subject matter. The subject matter of Processing under this Data Protection Agreement is Personal Data relating to Users.

4.2. Duration. The duration of Processing shall be for the term of the Agreement. 

4.3. Purpose and Nature of Processing. The purpose of Processing shall be to perform Mamma’s obligations under the Agreement or in accordance with the documented instructions of Mamma. The User Data shall be Processed in any nature as is strictly necessary to perform its obligations under the Main Agreement.

4.4. Types of User Data. User’s contact details.

4.5. Categories of Data Subjects. Users.

5. Data Protection Warranties

5.1. Each party warrants to the other that it will Process the Personal Data in compliance with all applicable Data Protection Legislation.

5.2. Where a party to this Agreement becomes a Processor pursuant to it, it warrants that:

5.2.1. Process the Personal Data in accordance with Mamma’s documented instructions;

5.2.2. ensure that persons with access to the Personal Data are subject to a duty of confidentiality or are under an appropriate statutory obligation of confidentiality;

5.2.3. having regard to the reasonably available state of the art of technological development, the nature of the Processing in question, the cost of implementation, and the material risk to the rights of affected Data Subjects, the Processor will take appropriate technical and organisational measures to secure relevant Personal Data against the unauthorised or unlawful Processing and against the accidental loss or destruction;

5.2.4. it will not transfer any Personal Data outside of the European Economic Area without the prior authorisation of the Controller or as is strictly necessary for the performance of its obligations hereunder;

5.2.5. it will assist Mamma in ensuring compliance with Mamma’s obligations pursuant to Article 32 through to Article 36 (inclusive) of the GDPR.

5.2.6. it will promptly report to the Controller any actual or suspected data breach concerning Personal Data that relates to this Agreement which comes to its attention and shall in relation to such breaches: do all such things as reasonably necessary to assist the Controller in mitigating the effects of the data breach; implement any measures necessary to restore the security of any compromised Personal Data; work with the Controller to make any required notifications to the Information Commissioner’s Office and affected Data Subjects in accordance with the Data Protection Legislation (including the timeframes set out therein); and not do anything which may damage the reputation of the Controller or that party’s relationship with the relevant Data Subjects, save as required by law.

5.2.7. it shall provide all requested assistance in ensuring the Controller’s compliance with its obligations under Chapter III of the GDPR;

5.2.8. it shall at the choice of the Controller, delete or return all personal data to the Controller on request by the Controller;

5.2.9. it will, on request, take reasonable steps to demonstrate to the Controller, to the extent that is reasonable given the nature of the Processing in question, that it complies with Data Protection Legislation and allow for audits, including inspections, conducted by the Controller (or its appointed representatives); and

5.2.10. immediately inform the Controller if, in its opinion, any instruction given by the Controller infringes Data Protection Legislation

6. Indemnity

6.1. The Processor agrees to indemnify and keep indemnified and defend at its own expense the Controller against all costs, claims, damages or expenses incurred by the Controller or for which the Controller may become liable due to any failure by the Processor or its employees or agents to comply with any of its obligations pursuant to this Schedule.

7. Appointment of sub-contractors

7.1. The Processor may not authorise any third party to Process Personal Data provided by the Controller without the prior written consent of the Controller and without first obliging them to treat that Personal Data to the same standard as it is obliged to do so in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of Data Protection Legislation.

7.2. Where that third party Processor fails to fulfil its data protection obligations, the initial Processor shall remain fully liable to the Controller for the performance of that other Processor’s obligations.