
WHATSWHAT PRIME

Data Processing Agreement (DPA)

Pursuant to Article 28 GDPR

This Data Processing Agreement ("DPA") forms part of the Licensing Agreement between:

WhatsWhat Global Ltd, incorporated in Ireland ("Controller"),
and
[Licensed Partner Legal Name] ("Processor").

Effective Date: 2026-03-08

This DPA applies where the Processor processes personal data on behalf of the Controller in connection with the Visibility Assessment™, Visibility Ladder™, Visibility Index™, or related Prime ecosystem services.

1. Roles of the Parties

For the purposes of GDPR:

  • WhatsWhat Global Ltd acts as Data Controller.
  • The Licensed Partner acts as Data Processor.

The Processor shall process personal data only on documented instructions from the Controller.

2. Subject Matter of Processing

The Processor may process personal data strictly for:

  • Administering Visibility Assessments
  • Generating evaluation reports
  • Managing client onboarding
  • Operating authorised Prime services
  • Communicating with clients in relation to licensed services

No other processing is permitted.

3. Categories of Data Subjects

Data subjects may include:

  • Business owners
  • Company directors
  • Employees
  • Account users
  • Marketplace participants
  • Professional representatives

4. Categories of Personal Data

Processing may include:

  • Name
  • Email address
  • Phone number
  • Business details
  • Job title
  • Assessment inputs
  • Profile information
  • Technical usage data

The Processor shall not process special category data (Article 9 GDPR) unless expressly authorised in writing.

5. Duration of Processing

Processing shall continue:

  • For the duration of the Licensing Agreement
  • Until termination of the license
  • Or until written instruction from the Controller

Upon termination, personal data must be deleted or returned in accordance with Clause 11.

6. Processor Obligations

The Processor shall:

  • Process data only on documented instructions
  • Ensure personnel are subject to confidentiality obligations
  • Implement appropriate technical and organisational security measures
  • Not engage another processor without prior written authorisation
  • Assist the Controller in responding to data subject requests
  • Assist in compliance with Articles 32–36 GDPR (security, breach notification, DPIAs)
  • Maintain records of processing activities
  • Make information available for audits

7. Security Measures

The Processor must implement:

  • Access controls
  • Secure password policies
  • Encrypted transmission (HTTPS)
  • Secure storage
  • Role-based data access
  • Device security controls

Security must reflect risk level.

8. Sub-Processors

The Processor shall not appoint sub-processors without:

  • Prior written approval from the Controller
  • Binding contractual safeguards
  • Equivalent GDPR compliance

The Processor remains fully liable for sub-processor actions.

9. International Transfers

The Processor shall not transfer personal data outside the EEA unless:

  • Appropriate safeguards exist
  • Standard Contractual Clauses are implemented
  • Written approval is obtained

10. Data Subject Rights

If the Processor receives a data subject request (e.g., access, deletion), it shall:

  • Notify the Controller immediately
  • Not respond directly unless authorised
  • Provide assistance where required

11. Data Deletion or Return

Upon termination of the Licensing Agreement, the Processor shall:

  • Delete or return all personal data
  • Confirm deletion in writing
  • Retain only data required by law

12. Data Breach Notification

The Processor must:

  • Notify the Controller within 48 hours of discovering a personal data breach
  • Provide details of the breach
  • Cooperate in remediation

The Processor shall not notify supervisory authorities without coordination.

13. Audit Rights

The Controller may:

  • Request documentation
  • Conduct remote compliance audits
  • Require evidence of security measures

Audit frequency must be reasonable.

14. Liability

Each party shall be liable in accordance with GDPR and the Licensing Agreement.

The Processor indemnifies the Controller for losses caused by:

  • Non-compliance with GDPR
  • Breach of this DPA
  • Unauthorised processing

15. Governing Law

This DPA is governed by the laws of Ireland. Disputes are subject to Irish courts.

16. Order of Precedence

In case of conflict between this DPA and the Licensing Agreement, this DPA prevails with respect to data protection matters.