Data Processing and Security Terms

 
1. These Terms
1.1. We are Ethical Angel Limited, registered in England and Wales with company number 10760806 and registered address at Suite 216, 1 Filament Walk, Wandsworth, London, SW18 4GQ. Any reference to “we”, “us” and “Ethical Angel” is a reference to Ethical Angel Limited.
1.2. To contact us, please e-mail team@ethicalangel.com.
1.3. If we have to contact you, we will do so by telephone or by writing to you at the email address or postal address you provided to us during your registration with us.
1.4. These Data Processing and Security Terms (“Terms”) set out the rights and obligations of Ethical Angel and private sector entities (“Members”) in processing personal data of Members’ employees, agents, independent contractors and other third-party individuals (“Users”) when using the online platform at www.ethicalangel.com (“Platform”) to provide public benefit services to projects, global causes, and charities (“Beneficiaries”) and their users.
1.5. We may amend these Terms at any time by publishing the amendments on our website. Where this is the case, we will notify the Member of the amendments by e-mail at least 14 days before they enter into force. If the Member continues to use the Platform after this date, they will be deemed to have accepted the respective amendments.
1.6. These Terms form a part of the contract between the parties and shall apply for the term of the contract.
 
2. Personal data types and processing purposes
2.1. The Member and Ethical Angel acknowledge that for the purpose of applicable data protection legislation, the Member is the controller and Ethical Angel is the processor. Applicable data protection legislation includes the Data Protection Act 2018, Regulation (EU) 2016/679 (the “GDPR”) as it forms part of domestic law in the United Kingdom by virtue of Section 3 of the European Union (Withdrawal) Act 2018 and any guidance or codes of practice issued by the Information Commissioner from time to time (all as amended, updated or re-enacted from time to time).
2.2. The Member retains control of its Users’ personal data and remains responsible for its compliance obligations under the data protection legislation, including providing any required notices and obtaining any required consents, and for the processing instructions it gives to Ethical Angel.
2.3. In entering into a contract with Ethical Angel, the Member instructs Ethical Angel, subject to these Terms:
2.3.1. to process the following types of Users’ personal data: first name, surname, year of birth, email address;
2.3.2. to process Users’ personal data for the term of the contract (thereafter, Ethical Angel shall delete the personal data, but may anonymise copies of the data and use it indefinitely for research or statistical purposes); and
2.3.3. to process personal data for the purpose of allowing Users’ use of the Platform and their provision of services to Beneficiaries, namely for Users’ profile creation, logging in, creating credentials for reporting, and targeted matching.
 
3. Ethical Angel’s obligations
3.1. Ethical Angel will only process the personal data to the extent, and in such a manner, as is required for the purposes set out in Clause 2.3.3 in accordance with the Member's written instructions. Ethical Angel will not process the data for any other purpose or in a way that does not comply with these Terms or the data protection legislation.
3.2. Ethical Angel shall comply with any Member request or instruction requiring Ethical Angel to amend, transfer, delete or to stop or mitigate any unauthorised processing.
3.3. Ethical Angel will maintain the confidentiality of all personal data and will not disclose it to third parties unless the Member or these Terms specifically authorise the disclosure, or as required by law. If a law, court, regulator or supervisory authority requires Ethical Angel to process or disclose personal data, Ethical Angel shall first inform the Member of the legal or regulatory requirement and give the Member an opportunity to object or challenge the requirement, unless the law prohibits such notice.
3.4. Ethical Angel will reasonably assist the Member with meeting the Member's compliance obligations under the data protection legislation, taking into account the nature of the Member's processing and the information available to Ethical Angel, including in relation to data subject rights, data protection impact assessments and reporting to and consulting with supervisory authorities under the data protection legislation.
3.5. Ethical Angel will ensure that its employees are informed of the confidential nature of the personal data and are bound by confidentiality obligations and restrictions in respect of the personal data.
3.6. Ethical Angel shall maintain adequate information and records to enable the Member to verify Ethical Angel's compliance with its obligations under the contract and the applicable data protection legislation.
 
4. Member’s obligations

4.1. The Member warrants and represents that Ethical Angel's use of the personal data for the purposes set out and as instructed by the Member will comply with the data protection legislation.

5. Security

5.1. Ethical Angel has implemented policies and adopted appropriate technical and organisational measures against unauthorised or unlawful processing, access, disclosure, copying, modification, storage, reproduction, display or distribution of personal data, and against accidental or unlawful loss, destruction, alteration, disclosure or damage of personal data.  
5.2. Ethical Angel shall regularly assess and evaluate the effectiveness of its security measures and is in the process of obtaining ISO 27001 certification.

6. Personal data breach

6.1. Ethical Angel will promptly and without undue delay notify the Member if any personal data is lost or destroyed or becomes damaged, corrupted, or unusable. The Member may restore such personal data to the Platform at its own expense.
6.2. Ethical Angel will at its cost within 24 hours and without undue delay notify the Member if it becomes aware of any accidental, unauthorised or unlawful processing of the personal data, or any personal data breach.
6.3. Where Ethical Angel becomes aware of an event specified in Clause 6.2 above, it shall, without undue delay, also provide the Member with the following information:
6.3.1. a description of the nature of the event, including the categories and approximate number of both data subjects and personal data records concerned;
6.3.2. the likely consequences; and
6.3.3. a description of the measures taken or proposed to be taken to address the event, including measures to mitigate its possible adverse effects.
6.4. Promptly following any unauthorised or unlawful personal data processing or personal data breach, the parties will co-ordinate with each other to investigate the matter. Ethical Angel will at its cost reasonably co-operate with the Member in the Member's handling of the matter, including its notification to a supervisory authority.
6.5. Ethical Angel shall not inform any third party of any personal data breach without first obtaining the Member's prior written consent, except when required to do so by law.

7. Transfers of personal data and sub-processors

7.1. The Platform uses Microsoft Azure as a third-party infrastructure provider and Ethical Angel has selected the United Kingdom for its data location. Ethical Angel may transfer personal data outside the geographic region in which the data was collected, provided Ethical Angel does so in a manner which:
7.1.1. provides appropriate safeguards in relation to the transfer;
7.1.2. ensures the data subject has enforceable rights and effective legal remedies; and 
7.1.3. provides an adequate level of protection to any personal data that is transferred.
7.2. Ethical Angel shall not authorise any other third party or subcontractor to process the personal data without obtaining the Customer's prior written consent.

8. Complaints, data subject requests and third-party rights

8.1. Ethical Angel shall notify the Member immediately if it receives any complaint, notice or communication that relates directly or indirectly to the processing of the personal data or to the Member's compliance with the data protection legislation.
8.2. Ethical Angel shall without delay (but in any event within 24 hours) notify the Member if it receives a request from a User for access to their personal data or to exercise any of their related rights under the data protection legislation.
8.3. The parties shall provide to each other full co-operation and assistance in responding to any complaint, notice, communication or User request.

Last updated: 8th of February 2021