Postforce GDPR Data Processing Agreement


Data Processing Agreement

1. Background

(A)          Postforce (the Data Processor”) provides certain services as set out in Appendix 1A (the “Services”) to your company/legal entity (the Data Controller).

(B)         In the course of the provision of the Services, your company will provide to Postforce Ltd certain Personal Data (as defined below Appendix 1B) relating to your customers, prospective customers, employees and or other Data Subjects exclusively and only for direct mail usage (as defined below Appendix 1C).

(C)          This Agreement sets out the obligations of the Data Processor in respect of such Personal Data.

2. Definitions

In this Agreement, the following terms and expressions shall have the following meanings unless the context otherwise requires:

2.1          Data Protection Legislation: means (i) prior to 25 May 2018, the Data Protection Act

1998; (ii) with effect from 25 May 2018 and unless and until the GDPR is no longer directly applicable in the UK, the General Data Protection Regulation ((EU) 2016/679); (iii) any national implementing laws, regulations and secondary legislation, as amended or updated from time to time, in the UK and (ii) any successor legislation to the GDPR or the Data Protection Act 1998;

2.2          “Data Controller”, “Data Subject”, “Data Processor” and “Personal Data”: have the meanings given to them in the Data Protection Legislation.

3. Data Protection

3.1          Both parties  will  comply  with  all  applicable  requirements  of  the  General Data  Protection Legislation. The obligations set out in this Agreement are in addition to, and do not relieve, remove or replace, a party's obligations under the Data Protection Legislation.

3.2          The parties acknowledge that  for  the  purposes  of  the  Data  Protection  Legislation, the client of Postforce is the Data Controller and the Postforce Ltd is the Data Processor in relation to all Personal Data processed under this Agreement in relation to Data Subjects.

3.3          Appendix 1 sets out the permitted scope, nature and purpose of processing by Postforce Ltd under this Agreement, the duration of the processing and the relevant types of Personal Data and categories of Data Subject.

3.4          Without prejudice to the generality of paragraph 3.1, Postforce Ltd shall, in relation to any Personal Data processed in connection with, the performance by the Supplier of the Services:

3.4.1         process that Personal Data only on the written instructions of the data controller;

3.4.2         ensure that it has in place appropriate technical and organisational measures,   to  protect  against  unauthorised or unlawful  processing  of  Personal  Data  and  against  accidental  loss  or destruction of, or damage to, Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any such measures, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it;

3.4.3         ensure that all personnel who have access to and/or process Personal Data are obliged to keep the Personal Data confidential; and

3.4.4         Not transfer any electronic Personal Data outside of the business;

3.4.5         assist the Data Controller in responding to any request and/or complaint from a Data Subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators;

3.4.6         notify the Data Controller without undue delay on becoming aware of a Personal Data breach;

3.4.7         at the written direction of the Data Controller, delete or return free of charge Personal Data and copies thereof on termination of the Services unless (and only to the extent) required by applicable law to store the Personal Data; and

3.4.8         maintain complete and accurate records and information to demonstrate its compliance with this Agreement and allow for audits of its data processing activities by the data controller of the data controllers auditor.

3.5          The Data Processor shall not appoint any third party processor of Personal Data under this agreement without the prior written consent of  the Data Controller and subject to the Data Processor confirming that it has entered or (as the case may be) will enter with the third-party processor into a written agreement incorporating terms which are substantially similar to those set out in Agreement.

3.6          The Data Controller may, at any time on not less than 20 days’ notice, require that this Agreement be replaced with any applicable controller to processor standard clauses or similar terms forming part of an applicable certification scheme under the Data Protection Legislation (and which shall apply when replaced by attachment to this Agreement).

3.7          In the event of any conflict between the provisions of this Agreement and any other agreement between the Data Controller and the Data Processor, the terms of this Agreement shall prevail.

3.8          This Agreement shall be governed and construed in accordance with the laws of England and Wales.

Postforce Ltd as Data Processor confirm our acceptance of the terms set out above and understand the spirit of GDPR.

Yours faithfully

Postforce Ltd


We confirm our agreement to the above.

Name:               Brian Trick                 Position:               Director

Date:                 14th May 2018          Signature:         

For and on behalf of Postforce Ltd.


Part A: The Services

Direct Mail postal services only

Part B: Types of Personal Data

Names and Titles

Company name (if required)

Home Address  (if required)

Work Address    (if required)



Parts C: Categories of Data Subject

Your prospects/mailing recipients who have a LEGITIMATE INTEREST to receive your Direct Mail mailshots only.