Data Processing Agreement
Pursuant to art. 28 of the General Data Protection Regulation as retained in domestic law in the
United Kingdom of Great Britain and Northern Ireland known as the UK GDPR.
An order processed on this website, known as “the client”
Inspire Loyalty Limited, having its registered office at Scottish Provident Building, 7 Donegall
Square West, Belfast, Northern Ireland, BT1 6JH (the “Processor”).
1. Subject matter, term, personal data processed
(1) Subject matter
o The Processor shall carry out the following processing activities:
1) Facilitate and maintain a loyalty programme for local patrons to register and earn
points for food and beverage spend at the client’s venue
pursuant to a contract between Inspire Loyalty Ltd and the client
2) Provide support to the Controller with staff and member business enquiries
regarding the loyalty programme.
3) Respond to and fulfil Data Subject requests.
4) Send monthly email statements to members of the loyalty programme.
o The term of this DPA corresponds to the terms of the main contract of business
between Inspire Loyalty Ltd and the client.
(3) Categories of personal data
o The categories of personal data processed are:
billing, invoicing and payment data
(4) Categories of Data Subjects
o The personal data collected and processed related to:
2. Technical and Organisational Measures
(1) Prior to the execution of this DPA, the Processor shall demonstrate that all necessary technical
and organisational measures, specifically with regard to the detailed performance of this DPA,
have been adopted and shall, upon request, provide documented evidence thereof to the controller.
Upon acceptance by the Controller, such documented measures become a binding part of
this DPA and are attached to it. Insofar as an inspection/audit by the Controller shows the
necessity for amendments, such amendments shall be implemented by mutual agreement.
(2) The Processor shall guarantee security in accordance with Article 28 Paragraph 3 Point c, and
Article 32 UK GDPR in particular in conjunction with Article 5 Paragraph 1, and Paragraph 2 UK
GDPR. Such measures shall guarantee data security and a protection level appropriate to the risk
concerning confidentiality, integrity, availability, and resilience of the systems. The state of the
art, implementation costs, the nature, scope and purposes of processing as well as the likelihood
of data breaches and the severity of risks to the rights and freedoms of natural persons possibly
resulting thereof within the meaning of Article 32 Paragraph 1 UK GDPR must be taken into
(3) The technical and organisational measures are subject to technical and technological progress
and development. Hence, the Processor may adopt alternative adequate measures adapted to the
changed technological environment. When doing so, the processing security level may not be
reduced. Substantial changes must be documented.
3. Rectification, restriction and erasure of data
(1) On behalf of the Controller, the Processor will rectify, erase or restrict the processing of
personal data that is being processed upon the Data Subject’s request. The Processor shall fulfil
such request in accordance with the UK GDPR, Data Protection Act 2018 and Privacy and
Electronic Communications Regulations (PECR) (as amended from time to time). The Controller
reserves its right to provide instructions to the Processor in respect of any rectification, erasure or
restriction of personal data. The Processor will act in accordance with such instructions.
(2) The Processor shall keep records of all Data Subject’s requests and steps undertaken to fulfil
such requests and make available to the Controller, upon its written request, a copy of such records.
4. Quality assurance and other duties of the Processor
In addition to complying with the provisions of this DPA, the Processor commits to meet all
applicable statutory requirements set forth at Articles 28 to 33 UK GDPR. Therefore the Processor
ensures, in particular, compliance with the following requirements:
• The Processor is not required to appoint a Data Protection Officer. Mr/Ms Steve Risk, Inspire
Loyalty Ltd, 07920 018083, firstname.lastname@example.org is designated as the Contact Person on
behalf of the Processor.
Processing activities under this DPA shall only be performed by such employees or
collaborators and agents that have been instructed by the Processor about the appropriate
dealing with personal data and have been contractually subjected to confidentiality pursuant to
art. 28 par. 3 (b) and art. 32 UK GDPR. The Processor and any person acting under its
authority who has access to personal data, shall not process that data unless upon instructions
by the Controller, including the powers granted under this DPA, unless they are required to do
so by statutory law.
• Technical and Organisational Measures
Implementation of and compliance with all appropriate Technical and Organisational Measures
in the framework of this DPA, in particular as set forth at art. 32 UK GDPR. The Processor shall
periodically monitor the internal processes and the technical and organisational measures to
ensure that processing within its area of responsibility is in accordance with the requirements.
The Processor shall grant verifiability of the technical and organisational measures to the Controller as part of
the Controller’s supervisory powers referred to in sec. 6 of this contract.
• Cooperation with Supervisory Authorities
The Controller and the Processor shall cooperate, on request, with the supervisory authority.
The Controller shall be informed immediately of any inspections and measures executed by the
supervisory authority, insofar as they relate to the activities under this DPA. This also applies
insofar as the Processor is under investigation or is party to an investigation by a competent
authority in connection with infringements to any provision regarding the processing of
personal data in connection with the processing of this DPA. Insofar as the Controller is
subject to an inspection by the supervisory authority, an administrative fine, a
preliminary injunction or criminal procedure, a liability claim by a Data Subject or by a third
party or any other claim in connection with the processing of data by the Processor as of this
DPA, the Processor shall make every effort to support the Controller.
(1) The Processor may outsource part of the processing activities pursuant to this DPA to Sub-
processors that, as far as legally required, shall be subject to the contractual obligations resulting
from art. 28 par. 4 UK GDPR.
The Processor currently commissions the following Sub-processors on the condition of a
contractual agreement in accordance with Article 28 paragraphs 2-4 UK GDPR:
(3) The transfer of personal data to any Sub-processor shall only take place after all above-
mentioned conditions for the appointment of Sub-processors have been met.
(4) The Processor shall bear full responsibility and liability for the activities of its Sub-
processors. Any change in the list of Sub-processors shall be notified to the Controller without
undue delay, giving the Controller the option to object. In case of objection, the Processor retains
the right to terminate the Contract with the Controller without notice.
(5) In particular, in case a Sub-processor should provide its services outside the United Kingdom, the Processor shall ensure compliance with EU Data Protection Regulations by appropriate
measures, as described at sec. 2 of this DPA.
6. Supervisory powers of the Controller
(1) Upon consultation with the Processor, the Controller has the right to carry out inspections or
to have them carried out by an auditor to be designated on a case-by-case basis. The auditor
shall have the right to assess the Processor’s compliance with this DPA in his business operations
by means of random checks, which are ordinarily to be announced in advance.
(2) The Processor shall allow the Controller to verify compliance with its obligations as provided by
Article 28 UK GDPR. The Processor undertakes to give the Controller the necessary information on
request and, in particular, to demonstrate the implementation of the technical and organisational
(3) Evidence of such measures, which may not only concern the activities under this DPA, may
also be provided by
• compliance with approved Codes of Conduct pursuant to Article 40 UK GDPR;
• certification according to an approved certification procedure in accordance with Article 42
• current auditors’ certificates, reports or excerpts from reports provided by independent
bodies (e.g. auditor, data protection officer, IT security department, data protection
• a suitable certification by IT security or data protection auditing.
(4) The Processor may charge a reasonable fee to the Controller for enabling inspections.
7. Assistance to the Controller
(1) The Processor shall assist the Controller in complying with the obligations concerning the
security of personal data, keeping evidence of informed consent, reporting of data breaches, data
protection impact assessments and prior consultations set forth at Articles 32 to 36 of the UK
• ensuring adequate protection standards through technical and organisational measures,
taking into account the type, circumstances and purposes of processing, the likelihood of
data breaches and the severity of the risk to natural persons possibly resulting thereof
• ensuring immediate detection of infringements
• reporting data breaches without undue delay to the Controller
• assisting the Controller in answering to data subjects’ requests or the exercise of their
• collect on behalf of and provide to the Controller (in a format acceptable to the Controller)
all informed consent confirmations of the Data Subjects required pursuant to Article 6
Paragraph 1(A) UK GDPR
(2) The Processor may claim a reasonable fee for support services which are not included in the
description of the services and which are not attributable to failures on the part of the Processor.
8. Directive powers of the Controller
(1) The Processor shall not process any personal data under this DPA except on instructions from
the Controller, unless required to do so by applicable national law.
(2) In case the Controller should require any change in the processing of personal data set forth
by the documented instructions mentioned at sec. 2, the Processor shall immediately inform the
Controller if it considers such changes likely to result in infringements to data protection
provisions. The Processor may refrain from carrying out any activity that may result in any such
9. Deletion and return of personal data
(1) The Processor shall not create copies or duplicates of the data without the Controller’s
knowledge and consent, except for backup copies as far as they are necessary to ensure orderly
data processing, as well as data required to meet regulatory data retention requirements.
(2) After conclusion of the provision of services, the Processor shall, at the Controller’s choice,
delete in a data-protection compliant manner or return to the Controller all the personal data
collected and processed under this DPA, unless any applicable legal provision requires further
storage of the personal data. In any case the Processor may retain all information necessary to
demonstrate orderly and compliant processing activities beyond termination of the Contract, in
accordance with the statutory retention periods.
(3) Documentation which is used to demonstrate orderly data processing in accordance with the
DPA shall be stored beyond the contract term by the Processor in accordance with the respective
retention periods. It may hand such documentation over to the Controller at the end of the
contract duration to relieve the Processor of this contractual obligation.
Terms of Business
Data protection. The Supplier will comply with all data protection and privacy laws
applicable to the services under this contract, including but not limited to the UK GDPR
(General Data Protection Regulation), Privacy and Electronic Communications (EC
Directive) Regulations 2003 and Data Protection Act 2018.
Minimum contract terms. The Client agrees to use the Supplier’s services for a
minimum contract term of subject to satisfactory
conclusion of any initial free trial. Automatic renewal will occur for a further 12-
month period unless terminated by a party with 30 days’ written
notice prior to renewal.
Set up fees. A fee is payable by the Client to the Supplier within 30 days of invoicing on completion of set up. Regardless of continuation of services
beyond any free trial period the set up fee is non-refundable. The set up fee
includes: 250 branded loyalty cards & sleeves, registration of the Client programme domain name; design, content and supply of the Client loyalty programme website including gift code category system for point redemption, personalised registration form,
programme terms & conditions (including a privacy statement), cookies banner, staff training manual/brief, promotional pages and links to the Client nominated website/s
where required, email communications set up to confirm member registration, order processing confirmation and order fulfilment confirmation containing unique gift code/s for member redemption; representation of the Client on Vantage hotel collection website
and app (if opted in), any current or future integration of the Client loyalty programme registration, point balance, transaction history and digital card integrated with a branded mobile application provider; Payment provider and/or PMS vendor where required. Any integration set up fee and ongoing integration charge by third party partners and all other aspects of their products and services are contracted and charged independent of Inspire Loyalty. The Client agrees to pay for design and production of all marketing point of sale
material as and when required, outwith initial 250 loyalty cards & sleeves provided.
Monthly fees. A monthly fee is payable by the Client to the Supplier by bank standing order mandate or bank transfer on 1st calendar day of each month, pending successful completion of any free trial, which includes: member support and administration, monthly
reporting of transactional information including points issued, points redeemed, member points balance remaining and all registered member data.
If required by the Client as part of the services under this contract (to be communicated by the Client to the Supplier from time to time), the Supplier agrees to provide monthly
reports to the Client on the first business week of each calendar month and on request with advance notification; to provide the Client members with member services enquiry handling and staff support as required; on-going content and system updates as
required; distribution of monthly member e-statements on the first business week of each calendar month and campaign analysis report; management of registered data in
compliance with applicable data protection laws; loyalty marketing consultation and consumer marketing of the Vantage website to drive programme awareness (if opted in).
Payment Terms. The Supplier will represent and fulfil all services agreed upon in this contract. Failure to pay on time after any trial period will render all services provided null and void and invoke cancellation terms. Any
marketing material requested (i.e. loyalty cards, card sleeves, promotional material) outwith initial set up allocation will be invoiced as ordered, payable within 30 days of invoice date.
Cancellation terms. Within the 12-month contract period (including any initial free trial period) or during any renewal period, should the Client prove dissatisfaction with the services provided by the Supplier, without mutually satisfactory resolution, the Client
must notify its intent of cancellation in writing, to take effect 30 days after receipt of written cancellation of the agreement. Set up fees on deferred payment terms remain due and any historical payments made will not be refunded.
Inspire Loyalty Ltd | 7 Donegall Square West | Belfast | Northern Ireland | BT1 6JH
VAT registration number 993 8592 47