
Terms and Conditions of Use









1.1  In this Agreement, unless the context otherwise requires, the following terms have the following meanings:

“Agreement” – means this PrivIQ Licence Agreement, the Data Processing Addendum and any other documents expressly referenced in these;

“Authorised Users” – means those employees, agents and independent contractors of the Customer who are authorised by the Customer to access and use the Solution on behalf of and for the sole benefit of the Customer;

“Business Day” – means Monday to Friday excluding any public holidays in the Netherlands;

“Business Hours” – means 9 am – 5.00pm on a Business Day;

“Confidential Information” – means any and all information in any form or medium obtained by or on behalf of either party from or on behalf of the other party in relation to this Agreement which is expressly marked as confidential or which a reasonable person would consider to be confidential, whether disclosed or obtained before, on or after the date of this Agreement, together with any reproductions of such information or any part of it;

“Customer Data” – means any data inputted into the Solution by or on behalf of the Customer and/or otherwise created through use of the Solution by the Customer;

“Data Protection Legislation” – means any applicable law, statute, regulation or sub-ordinate legislation and all policies, codes of conduct, direction, policy rule or order issued by any regulatory body having jurisdiction over a party within the Netherlands that is from time to time in force, relating to data protection, privacy and the processing of personal data, including

  1. the Privacy and Electronic Communications (EC Directive) Regulations 2003;
  2. the GDPR from the date the GDPR applies (as set out in Article 99 Entry into force and application) and/or
  3. any corresponding or equivalent national laws or regulations from the date that they come into force;

“Documents” – means any customised documentation generated by the Solution following the input of Customer Data into the Solution and which is based on a Template including reports and notices;

“Effective Date” – means the date the Customer clicks to accept this Agreement;

“Fees” – means the fees payable by the Customer to PrivIQ for the relevant Subscription Plan subscribed to by the Customer, as set out on the Website and/or otherwise notified by PrivIQ to the Customer and as may be amended by PrivIQ from time to time;

“Force Majeure Event” – means any circumstance not within PrivIQ’s reasonable control including, without limitation:

  1. acts of God, flood, drought, earthquake or other natural disaster;
  2. epidemic or pandemic;
  3. terrorist attack, civil war, civil commotion or riots, war, threat of or preparation for war, armed conflict, imposition of sanctions, embargo, or breaking off of diplomatic relations;
  4. nuclear, chemical or biological contamination or sonic boom;
  5. any law or any action taken by a government or public authority;
  6. collapse of buildings, fire, explosion or accident;
  7. any labour or trade dispute, strikes, industrial action or lockouts; and
  8. interruption or failure of a utility service;

“PrivIQ” – means Compliance Technology Solutions BV trading as PrivIQ (company no. 70798281) whose registered office is at Lepelstraat 14, 1018 XM, Amsterdam, The Netherlands;

“GDPR” – means the European General Data Protection Regulation (EU) 2016/679;

“Intellectual Property Rights” – means any and all intellectual property rights including copyright and related rights, trade marks and service marks, trade names and domain names, rights under licences, rights in get-up, rights to goodwill or to sue for passing off, patents, rights to inventions, rights in designs, rights in computer software, database rights, rights in confidential information (including know-how and trade secrets) and any other intellectual property rights, in each case whether registered or unregistered and including all applications (or rights to apply) for, and renewals or extensions of, such rights and all similar or equivalent rights or forms of protection which subsist or will subsist now or in the future in any part of the world;

“Liability” – means liability in or for breach of contract, tort or otherwise relating to or arising under or in connection with this Agreement;

“Personal Data” – has the meaning set out in the GDPR;

“Service” – means the subscription service provided by PrivIQ to the Customer under this Agreement which includes use of the Solution via the Website and as more particularly described in clause 3;

“Solution” – means the SaaS solution provided by PrivIQ via the Website to assist organisations with GDPR compliance;

“Subscription Plan” – means a subscription plan for the Service as described on the Website and as may be amended from time to time by PrivIQ;

“Subscription Term” – means a subscription term of 12 months commencing on the Effective Date and on each subsequent anniversary;

“Template” – means a template document available within the Solution and which can be customised through the input of Customer Data to create a Document;

“Term” – means the term of the Agreement as set out in clause 2;

“Virus” – means any thing or device (including any solution, code, file or programme) which may: prevent, impair or otherwise adversely affect the operation of any computer solution, hardware or network, any telecommunications service, equipment or network or any other service or device; prevent, impair or otherwise adversely affect access to or the operation of any programme or data, including the reliability of any programme or data (whether by re-arranging, altering or erasing the programme or data in whole or part or otherwise); or adversely affect the user experience, including worms, trojan horses, viruses and other similar things or devices;

“Website” – means the PrivIQ website located at or such other website address as notified by PrivIQ from time to time.

1.1 Clause, schedule and paragraph headings shall not affect the interpretation of these Terms.

1.2 A person includes an individual, corporate or unincorporated body (whether or not having separate legal personality) and that person’s legal and personal representatives, successors or permitted assigns.

1.3 A reference to a company shall include any company, corporation or other body corporate, wherever and however incorporated or established.

1.4 Words in the singular shall include the plural and vice versa.

1.5 A reference to one gender shall include a reference to the other genders.

1.6 A reference to a statute or statutory provision is a reference to the same as from time to time amended, extended, re-enacted or consolidated and includes any subordinate legislation for the time being in force made under it.

1.7 References to “clauses” and “Schedules” are to the clauses of, and schedules to, this Agreement.

1.8 Any phrase introduced by the terms “including”, “include”, “in particular” or any similar expression, shall be construed as illustrative and shall not limit the sense of the words preceding those terms.

1.9 A reference to “writing” or “written” includes in electronic form and similar means of communication.


2.1 The Agreement shall commence on the Effective Date and shall continue for Subscription Terms unless and until terminated in accordance with the terms of this Agreement.

2.2 Either party may terminate this Agreement upon providing not less than 30 days’ written notice to the other party, such notice not to expire prior to the end of the then current Subscription Term.  In the event the Customer terminates prior to the end of a Subscription Term, the Customer shall be liable to pay the Fees for the remainder of that Subscription Term.


3.1 During the Term and subject to the terms and conditions of this Agreement, PrivIQ shall provide the Service.

3.2 As part of the Service, PrivIQ grants to the Customer a limited, non-exclusive, non-transferable and non-sub-licensable licence to access and use the Solution and the Templates for its own internal business purposes.

3.3 The Customer acknowledges and accepts that the Solution is hosted by PrivIQ’s trusted third party hosting service provider(s) based within the European Union.

3.4 The Agreement only permits access to the Solution by persons who are Authorised Users.  In relation to the Authorised Users, the Customer undertakes that:

3.4.1 the maximum number of Authorised Users that it authorises to access and use the Service shall not exceed the number of users permitted under the Subscription Plan subscribed to by the Customer;

3.4.2 each Authorised User shall keep a secure password for his/her use of the Service and shall keep the password secure and confidential;

3.4.3 it shall maintain a written, up to date list of current Authorised Users and provide such list to PrivIQ upon a written request at any time.  The Customer shall notify PrivIQ immediately of any Authorised User that should no longer have access to the Solution and of any new Authorised User.

3.5 The Customer acknowledges and agrees that it is responsible for all acts and omissions of an Authorised User and for ensuring their compliance with the terms of this Agreement.

3.6 The Customer shall not access, store, distribute or transmit via the Solution any Viruses, or any material during the course of its use of the Service that:

3.6.1 is unlawful, harmful, threatening, defamatory, obscene, infringing, harassing or racially or ethnically offensive;

3.6.2 facilitates illegal activity;

3.6.3 depicts sexually explicit images;

3.6.4 promotes unlawful violence;

3.6.5 is discriminatory based on race, gender, colour, religious belief, sexual orientation, disability; or

3.6.6 is otherwise illegal or causes damage or injury to any person or property; and PrivIQ reserves the right, without liability or prejudice to its other rights to the Customer, to disable the Customer’s access to the Solution in the event of any breach of the provisions of this clause.

3.7 The Customer shall not and shall not attempt to:

3.7.1 except as may be allowed by any applicable law which is incapable of exclusion by agreement between the parties and except to the extent expressly permitted under this Agreement:

(a) copy, modify, duplicate, create derivative works from, frame, mirror, republish, download, display, transmit, or distribute all or any portion of the Solution (as applicable) in any form or media or by any means; or

(b) de-compile, reverse compile, disassemble, reverse engineer or otherwise reduce to human-perceivable form all or any part of the Solution;

3.7.2 access all or any part of the Solution in order to build a product or service which competes with the Solution and/or any of the Templates;

3.7.3 use the Solution to provide services to third parties;

3.7.4 license, sell, rent, lease, transfer, assign, distribute, display, disclose, or otherwise commercially exploit, or otherwise make the Solution and/or any Templates available to any third party except the Authorised Users;

3.7.5 attempt to obtain, or assist third parties in obtaining, access to the Solution, other than as provided under this clause 3;

3.7.6 use or knowingly permit the use of any security testing tools in order to prove, scan or attempt to penetrate the security of the Solution; and/or

3.7.7 use or launch, or knowingly permit the use or launch of, any automated system, including “robots”, “spiders” or “offline readers” that access the Solution in a manner that sends more messages to the Solution in a given period of time than a human can reasonably produce in the same period by using a conventional online web browser.

3.8 The Customer shall use all reasonable endeavours to prevent any unauthorised access to, or use of, the Solution and, in the event of any such unauthorised access or use, shall promptly notify PrivIQ in writing.

3.9 Access to the Solution is licensed and not sold.  The Customer shall not, by virtue of this Agreement or otherwise, acquire any rights whatsoever in the Solution aside from the limited licenses granted under this Agreement.  PrivIQ and its licensors shall retain all right, title and interest in and to the Solution and all Intellectual Property Rights in the Solution as well as any modifications or enhancements made to the Solution.


4.1 PrivIQ undertakes that the Service will be provided with reasonable skill and care.

4.2 PrivIQ:

4.2.1 does not warrant that the Customer’s use of the Service will be uninterrupted or error-free or that the Service, Solution, Templates and/or the information obtained by the Customer through the Service, including Documents, will meet the Customer’s requirements;

4.2.2 provides the Solution, the Templates and/or any Documents for facilitating administration, mapping documentation and other work related to complying with Data Protection Legislation, but GDPR is not a legal advisor and does not warrant that the Solution, the Templates and/or any Documents will meet the customer’s legal or other obligations. The Customer is solely responsible for obtaining its own legal advice as to whether the Solution, the Templates and any Documents comply with the Customer’s obligations under the Data Protection Legislation and other applicable laws;

4.2.3 is not responsible for any delays, delivery failures, or any other loss or damage resulting from the transfer of data over communications networks and facilities, including the internet, and the Customer acknowledges that the Service and the Solution may be subject to limitations, delays and other problems inherent in the use of such communications facilities; and

4.2.4 shall use commercially reasonable endeavours to make the Service available 24 hours a day, seven days a week, except for planned maintenance and unscheduled maintenance.

4.3  will, as part of the Service, provide the Customer with PrivIQ’s standard customer support during Business Hours as further detailed by PrivIQ on the Website and  as may be amended from time to time.

4.4 warrants that it has and will maintain all necessary licences, consents, and permissions necessary for the performance of its obligations under this Agreement.


5.1 The Customer shall provide PrivIQ with:

(a) all necessary co-operation in relation to this Agreement; and

(b) all information as may be reasonably required by PrivIQ; in order for PrivIQ to provide the Service.

5.2 The Customer warrants that:

5.2.1 all user information including information regarding Authorised Users is accurate and that such information will be updated as necessary to maintain its completeness and accuracy;

5.2.2 it will comply with all applicable laws and regulations with respect to its activities under this Agreement;

5.2.3 it will ensure Authorised Users use the Service in accordance with the terms and conditions of this Agreement and the Customer shall be responsible for any Authorised User’s breach of this Agreement;

5.2.4 it will establish adequate operational back-up systems and procedures to ensure recovery and continuity of its systems and operations in the event of a failure of the Solution;

5.2.5 it will ensure that its network and systems comply with the relevant specifications provided by PrivIQ from time to time;

5.2.6 it will use current industry standard anti-malware protection solutions to reduce the risk of passing Viruses into the Solution; and

5.2.7 it will be solely responsible for procuring and maintaining its network connections and telecommunications links.


6.1 The Customer shall own all right, title and interest in and to all of the Customer Data and shall have sole responsibility for the legality, reliability, integrity, accuracy and quality of the Customer Data.

6.2 In the event of any loss or damage to Customer Data, the Customer’s sole and exclusive remedy shall be for PrivIQ to use reasonable commercial endeavours to restore the lost or damaged Customer Data from the latest back-up of such Customer Data maintained by PrivIQ.  PrivIQ shall not be liable or responsible for any loss, destruction, alteration or disclosure of Customer Data caused by any third party.

6.3 PrivIQ shall, in providing the Service, comply with its Privacy Policy relating to the privacy and security of the Customer Data available at  (or such other website address as may be notified to the Customer from time to time) as such document may be amended from time to time by PrivIQ in its sole discretion.

6.4 In the event that PrivIQ processes any Personal Data on behalf of the Customer during performance of the Service, PrivIQ shall do so in accordance with the terms of the Data Processing Addendum.


7.1 The Customer shall pay the Fees to PrivIQ in accordance with this clause 7 and without any deduction, discount, counterclaim, set-off or withholding.

7.2 The Customer shall provide to PrivIQ valid, up-to-date and complete contact and billing details.

7.3 The Fees shall be paid monthly by direct debit. Credit card payments are possible on request. We do not accept payment by cheque.

7.4 In the event that the Customer wishes to upgrade to a different Subscription Plan it shall notify PrivIQ and pay any necessary further Fees (where applicable). The Customer shall only be permitted to downgrade its Subscription Plan at the end of a Subscription Term for the subsequent Subscription Term. In the event of any downgrade, PrivIQ shall not be obliged to refund any Fees already paid by the Customer.

7.5 If PrivIQ has not received payment of any sums due under this Agreement by the due date, and without prejudice to any other rights and remedies of PrivIQ:

7.5.1 PrivIQ may, without liability to the Customer, suspend the Service and disable the Customer’s and all Authorised User’s access to all or part of the Solution and PrivIQ shall be under no obligation to provide any or all of the Service to the Customer while the invoice(s) concerned remain unpaid; and

7.5.2 interest shall accrue on a daily basis on such due amounts at an annual rate equal to 3% over the then current base lending rate of PrivIQ’s bankers in the Netherlands from time to time, commencing on the due date and continuing until fully paid, whether before or after judgment.

7.6.1 shall be payable in pounds sterling or Euros as stipulated by PrivIQ;

7.6.2 are non-cancellable and non-refundable;

7.6.3 are exclusive of value added tax, which shall be added to PrivIQ’s invoice(s) at the appropriate rate.

7.7 PrivIQ shall be entitled to review and increase the Fees annually at the end of a Subscription Term in line with any increase in the Consumer Price Index (CPI) in the preceding 12 months.

7.8 PrivIQ shall otherwise be permitted to increase the Fees upon not less than 90 days’ prior written notice to the Customer to be given prior to the start of the next Subscription Term.


8.1 The Customer acknowledges and agrees that PrivIQ and/or its licensors own all Intellectual Property Rights in the Solution and the Templates.

8.2 In relation to the Templates, the Customer is permitted to use the Templates to create customised documents for its own internal business purposes only and shall not distribute the Templates to a third party.

8.3 PrivIQ warrants that it has all the rights in relation to the Solution and the Templates that are necessary to grant all the rights it purports to grant under, and in accordance with, the terms of this Agreement.


9.1 Each party may be given access to Confidential Information from the other party in order to perform its obligations under this Agreement.  A party’s Confidential Information shall not be deemed to include information that:

9.1.1 is or becomes publicly known other than through any act or omission of the receiving party;

9.1.2 was in the other party’s lawful possession before the disclosure;

9.1.3 is lawfully disclosed to the receiving party by a third party without restriction on disclosure; or

9.1.4 is independently developed by the receiving party, which independent development can be shown by written evidence.

9.2 Subject to clause 9.4, each party shall hold the other’s Confidential Information in confidence and not make the other’s Confidential Information available to any third party, or use the other’s Confidential Information for any purpose other than the implementation of this Agreement.

9.3 Each party shall take all reasonable steps to ensure that the other’s Confidential Information to which it has access is not disclosed or distributed by its employees or agents in violation of the terms of this Agreement.

9.4 A party may disclose Confidential Information to the extent such Confidential Information is required to be disclosed by law, by any governmental or other regulatory authority or by a court or other authority of competent jurisdiction, provided that, to the extent it is legally permitted to do so, it gives the other party as much notice of such disclosure as possible and, where notice of disclosure is not prohibited and is given in accordance with this clause 9.4, it takes into account the reasonable requests of the other party in relation to the content of such disclosure.

9.5 Neither party shall be responsible for any loss, destruction, alteration or disclosure of Confidential Information caused by any third party.

9.6 PrivIQ acknowledges that the Customer Data is the Confidential Information of the Customer.

9.7 The above provisions of this clause 9 shall survive termination of this Agreement, however arising.


10.1 PrivIQ shall defend the Customer, its officers, directors and employees against any claim that the Solution infringes any Intellectual Property Rights (“Claim”) and shall indemnify the Customer for any amounts finally awarded against the Customer in judgment or settlement of such Claims, provided that:

10.1.1 PrivIQ is given prompt written notice of any such Claim;

10.1.2 the Customer provides reasonable co-operation to PrivIQ in the defence and settlement of such Claim; and

10.1.3 PrivIQ is given sole authority to defend or settle the Claim.

10.2 In the defence or settlement of any claim, PrivIQ may at its sole discretion, procure the right for the Customer to continue using the Solution, replace or modify the Solution so that it becomes non-infringing or, if such remedies are not reasonably available, terminate this Agreement without any additional liability or obligation to pay damages or other additional costs to the Customer.

10.3 In no event shall PrivIQ, its employees, agents and sub-contractors be liable to the Customer including under clause 10.1, to the extent that the Claim is based on:

10.3.1 a modification of the Solution by anyone other than PrivIQ;

10.3.2 the Customer’s use of the Solution in breach of this Agreement; and/or

10.3.3 the Customer’s use of the Solution after notice of the alleged or actual infringement from PrivIQ or any appropriate authority.

10.4 This clause 10 sets out the Customer’s sole and exclusive rights and remedies, and PrivIQ’s (including PrivIQ’s employees’, agents’ and sub-contractors’) entire obligations and liability for any Claim.


11.1 Nothing in this Agreement excludes or limits the Liability of PrivIQ:

11.1.1 for fraud or fraudulent misrepresentation;

11.1.2 for death or personal injury caused by PrivIQ’s negligence;

11.1.3 which it cannot exclude or limit as a matter of applicable law.

11.2 Except as expressly and specifically provided in this Agreement:

11.2.1 all warranties, representations, conditions and all other terms of any kind whatsoever implied by statute or common law including any warranties of satisfactory quality or fitness for purpose are, to the fullest extent permitted by applicable law, excluded from this Agreement; and

11.2.2 the Service is provided to the Customer on an “As Is” basis.

11.3 Subject to clause 11.1:

11.3.1 PrivIQ shall have no Liability for any loss of profits, loss of business, depletion of goodwill and/or similar losses; loss or corruption of data or information; pure economic loss; and/or any special, indirect or consequential loss, costs, damages, charges or expenses; in all cases however arising under this Agreement and whether direct or indirect, foreseeable or otherwise; and

11.3.2 the total aggregate Liability of PrivIQ arising out of or in connection with this Agreement (unless otherwise excluded or limited) shall be limited to 125% of the total Fees paid by the Customer to PrivIQ during the 12 months immediately preceding the date of the event giving rise to the Liability.

11.4 The exclusions and limitations of Liability under clause 11.3 have effect in relation to both any Liability expressly provided for under this Agreement and to any Liability arising by reason of the invalidity or unenforceability of any term of this Agreement.


12.1 Without affecting any other right or remedy available to it, either party may terminate this Agreement with immediate effect by giving written notice to the other party if:

12.1.1 the other party is in material breach of any of its obligations under this Agreement, and, where such material breach is capable of remedy, the other party fails to remedy such breach within a period of 30 days of being notified of such breach by the party; and/or

12.1.2 the other party is subject to any insolvency proceedings such as suspension of payment or insolvency.

12.2 Termination of this Agreement shall be without prejudice to any accrued rights or remedies of either party.

12.3 Termination of this Agreement shall not affect the coming into force, or continuance in force, of any provision which is expressly or by implication intended to come into or continue in force on or after such termination.

12.4 On termination of this Agreement for any reason:

12.4.1 the licence granted under this Agreement shall immediately terminate and PrivIQ shall be entitled to disable Customer’s use of the Solution;

12.4.2 PrivIQ may, upon expiry of 3 months from the date of termination, destroy or otherwise dispose of any of the Customer Data in its possession; and

12.4.3 any rights, remedies, obligations or liabilities of the parties that have accrued up to the date of termination, including the right to claim damages in respect of any breach of the Agreement which existed at or before the date of termination shall not be affected or prejudiced.


13.1 If PrivIQ is subject to a Force Majeure Event, it shall not be in breach of this Agreement and shall be excused from performance under this Agreement while and to the extent it is unable to perform due to any Force Majeure Event.

13.2 If the circumstance of a Force Majeure Event continues for a period of 30 days or longer, either party shall have the right to terminate this Agreement upon written notice to the other.


14.1 A waiver of any right or remedy under this Agreement is only effective if given in writing and shall not be deemed a waiver of any subsequent breach or default. No failure or delay by a party to exercise any right or remedy provided under this Agreement or by law shall constitute a waiver of that or any other right or remedy, nor shall it preclude or restrict the further exercise of that or any other right or remedy. No single or partial exercise of such right or remedy shall preclude or restrict the further exercise of that or any other right or remedy.


15.1 If any provision (or part of a provision) of this Agreement is found by any court or administrative body of competent jurisdiction to be invalid, unenforceable or illegal, the other provisions shall remain in force.

15.2 If any invalid, unenforceable or illegal provision would be valid, enforceable or legal if some part of it were deleted, the provision shall apply with whatever modification is necessary to give effect to the commercial intention of the parties.


16.1 This Agreement and any documents referred to in it, constitute the whole agreement between the parties and supersede any previous arrangement, understanding or agreement between them relating to the subject matter of this Agreement.

16.2 Each of the parties acknowledges and agrees that in entering into this Agreement it does not rely on any undertaking, promise, assurance, statement, representation, warranty or understanding (whether in writing or not) of any person (whether party to this Agreement or not) relating to the subject matter of this Agreement, other than as expressly set out in this Agreement.

16.3 Neither party excludes or limits its liability for fraud or fraudulent misrepresentation.


17.1 The Customer may not assign, sub-licence, novate or transfer any right, benefit or interest and/or any of its obligations under this Agreement, without PrivIQ’s prior written consent.

17.2 PrivIQ shall be entitled to assign, sub-licence, novate or transfer any right, benefit or interest and/or any of its obligations under this Agreement.


18.1 Nothing in this Agreement is intended to or shall operate to create a partnership between the parties, or authorise either party to act as agent for the other, and neither party shall have the authority to act in the name or on behalf of or otherwise to bind the other in any way (including, but not limited to, the making of any representation or warranty, the assumption of any obligation or liability and the exercise of any right or power).


19.1 This Agreement does not confer any rights on any person or party (other than the parties to this Agreement and, where applicable, their successors and permitted assigns).


20.1 Any notice required to be given under this Agreement shall be in writing and shall be delivered by hand or sent by recorded delivery post or email to the other party at such address as may have been notified by that party for such purposes.

20.2 A notice delivered by hand shall be deemed to have been received when delivered (or if delivery is not in Business Hours, at 9 am on the first Business Day following delivery). A correctly addressed notice sent by recorded delivery post shall be deemed to have been received at the time at which it would have been delivered in the normal course of post.  A notice sent by email to the email address set out above shall be deemed to have been received on the day it is sent if that is a Business Day or otherwise on the next Business Day.


21.1 No changes may be made to this Agreement without the agreement in writing of each of the parties.

21.2 Notwithstanding the foregoing, PrivIQ has the right to amend the terms of this Agreement unilaterally. If it does so, it will inform the Customer accordingly. If PrivIQ amends the terms, the Customer has the right to terminate this Agreement during a term ending 30 days after the Customer was informed of the amendment.


22.1 This Agreement and any disputes or claims arising out of or in connection with it or its subject matter or formation (including non-contractual disputes or claims) are governed by, and construed in accordance with, the laws of the Netherlands.

22.2 The parties submit to the exclusive jurisdiction of the courts in Amsterdam, the Netherlands, except that PrivIQ:

22.2.1 has the right to sue in any jurisdiction in which the Customer is operating or has assets; and

22.2.2 has the right to sue for breach of its Intellectual Property Rights in any country where it believes that infringement or a breach of this Agreement relating to its Intellectual Property Rights might be taking place.


This Data Processing Addendum (“Addendum”) forms part of the Licence Agreement entered into between PrivIQ (the trading name of Compliance Technology Solutions BV) (“PrivIQ”) and the customer to whom PrivIQ provides the services (“Customer”) (the “Agreement”), either previously or concurrently with this Addendum.

Where there is any conflict between the terms of the Agreement and the terms of this Addendum, the terms of this Addendum shall prevail. Except where the context requires otherwise, references in this Addendum to the Agreement are to the Agreement as amended by and including this Addendum.



The following clauses will only apply to the extent that Data Protection Legislation applies to Protected Data (both as defined below).


2.1. Appropriate Safeguards: means such legally enforceable mechanism(s) for transfers of Personal Data outside the European Economic Area as may be permitted under Data Protection Legislation from time to time.

Controller: has the meaning given to that term in Data Protection Legislation.

2.2 Data Protection Legislation: means any applicable Dutch or EU law, statute, regulation or sub-ordinate legislation and all policies, codes of conduct, direction, policy rule or order issued by any regulatory body having jurisdiction over a party that is from time to time in force, relating to data protection, privacy and the processing of personal data, including:

(a) the GDPR from the date the GDPR applies (as set out in Article 99 Entry into force and application) and/or

(b) any corresponding or equivalent national laws or regulations from the date that they come into force.

2.3. Data Subject: has the meaning given to it in Data Protection Legislation.

2.4 EU: The European Union.

2.5 GDPR: means the General Data Protection Regulation (EU) 2016/679;

2.6. Member State: A member state of the EU.

2.7. Personal Data: has the meaning given to that term in Data Protection Legislation.

2.8. Personal Data Breach: A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, any Protected Data on systems managed by or otherwise controlled by PrivIQ, excluding unsuccessful attempts or activities that do not compromise the security of the Protected Data.

2.9. Processing or processing: has the meaning given to that term in Data Protection Legislation and related terms such as ‘process’ have corresponding meanings.

2.10. Processor: has the meaning given to that term in Data Protection Legislation.

2.11. Protected Data: means Personal Data processed by PrivIQ on behalf of the Customer as a Processor in connection with the provision of the Services.

2.12. Services: means the services provided by PrivIQ to the Customer pursuant to the Agreement.

2.13. Sub-Processor: another processor engaged by PrivIQ for carrying out processing activities in respect of the Protected Data as part of the Services.

2.14. Supervisory Authority: An independent public authority which is established by a Member State pursuant to Article 51 of the GDPR.

The definitions in this clause should, as far as possible, be interpreted in accordance with the GDPR.


3.1. The Annexes form part of this Addendum and shall have effect as if set out in full in the body of this Addendum. Any reference to this Addendum includes the Annexes.

3.2. The Customer has engaged PrivIQ to perform and deliver the Services which may require PrivIQ to process Personal Data on behalf of the Customer as a Processor.

3.3. Annex A (“Details of Processing”)  contains details about the processing of Protected Data by PrivIQ.


4.1. PrivIQ agrees that it shall only carry out processing of Protected Data on the documented instructions of the Customer as set out in this Addendum and Annex A (“Details of the Processing”), as updated from time to time upon written agreement between the parties (including with regard to the transfer of Personal Data to a third country or an international organisation).

4.2. PrivIQ may process the Protected Data outside of the instructions of the Customer if PrivIQ is required to do so by EU or Member State law to which PrivIQ is subject; in such a case, PrivIQ shall to the extent permitted by law inform the Customer of that legal requirement before processing.


5.1. PrivIQ shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.

5.2. PrivIQ shall in assessing the appropriate level of security take into account in particular the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data transmitted, stored or otherwise processed.


6.1. PrivIQ shall ensure that persons authorised by them to process the Protected Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.


7.1. PrivIQ shall provide such information and assistance to the Customer as the Customer may reasonably require to allow it to comply with requirements of the GDPR, including, information and assistance relating to the security of processing, notification of Personal Data Breaches to the Supervisory Authority, communication of a Personal Data Breach to the Data Subject (where required), data protection impact assessments and/or prior consultation with a Supervisory Authority regarding high risk processing.


8.1. PrivIQ shall promptly assist  the Customer by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Customer’s obligation to respond to requests for exercising the Data Subject’s rights laid down in Chapter III of the GDPR.


9.1. PrivIQ shall notify the Customer of any Personal Data Breach, promptly upon becoming aware of such Personal Data Breach.

9.2. In the case of a Personal Data Breach PrivIQ will assist the Customer in meeting its obligations under Articles 33 and 34 of the GDPR to inform the competent Supervisory Authority and Data Subjects. As the Controller, the Customer is solely responsible for complying with its notification obligations for Personal Data Breaches under Data Protection Legislation.


10.1. The Customer acknowledges and agrees that PrivIQ engages Sub-Processors to provide certain services. The Customer provides general consent to the engagement of such Sub-Processors. The current Sub-Processors are set out in Annex B.

10.2.  PrivIQ will notify the Customer of the appointment of any new Sub-Processor or changes to any existing Sub-Processor.  The Customer may object to the appointment of or any change in the Sub-Processor where it has reasonable grounds for doing so and in such circumstances PrivIQ shall be entitled to address the objection through one of the following options at its sole discretion:

(i)  cease to use the relevant Sub-Processor;

(ii) take steps suggested by the Customer to address the objection;

(iii) terminate or allow the Customer to terminate the Services.

10.3. PrivIQ may only subcontract the processing of Protected Data under this Addendum to a Sub-Processor if PrivIQ has imposed legally binding contractual terms substantially the same as those contained in this Addendum on the Sub-Processor. The Customer acknowledges and agrees that it has no right to audit and inspect a Sub-Processor’s facilities and premises and that PrivIQ shall not be obliged to include such rights in its agreements with Sub-Processors.


11.1. Upon reasonable request of the Customer, PrivIQ agrees to make available to the Customer all information necessary to demonstrate compliance with the obligations laid down in this Addendum and the Data Protection Legislation and allow for and contribute to audits, including inspections, conducted by the Customer or another auditor mandated by the Customer subject to clause 11.2.

11.2. The Customer shall give PrivIQ reasonable prior notice of any information request, audit or inspection and ensure that such audit or inspection is undertaken during normal business hours for PrivIQ and with minimal disruption to PrivIQ.  The Customer shall ensure that all information obtained or generated by the Customer pursuant to clause 11.1 is kept strictly confidential (save for disclosure to a Supervisory Authority or as otherwise required by applicable law).  The Customer shall pay PrivIQ’s reasonable costs for assisting with the provision of information and allowing for and contributing to inspections and audits.

11.3 PrivIQ may object to any third party auditor appointed by the Customer to conduct any audit or inspection under clause 11.1 if the auditor is not, in PrivIQ’s reasonable opinion, suitably qualified or independent. Nothing in clause 11.1 gives the Customer any right to access any data of any other customer of PrivIQ or any information that could cause PrivIQ to breach its obligations under Data Protection Legislation and/or its confidentiality or privacy obligations to any third party.


12.1. PrivIQ shall at the express choice of the Customer and upon the end of the provision of Services relating to processing, either return to the Customer or delete or destroy all copies of the Protected Data in PrivIQ’s possession or control and if the Customer requests, certify to the Customer that it has done so, unless EU or Member State law requires the storage of the Protected Data.


13.1 PrivIQ shall not transfer Protected Data outside of the European Economic Area unless there are Appropriate Safeguards  in place and any transfer shall be in accordance with Data Protection Legislation.


14.1  PrivIQ may amend this Addendum at any time where required to comply with any applicable laws or where such amendments do not result in a material reduction in the protection of the Protected Data and do not breach Data Protection Legislation.


15.1. PrivIQ’s liability under this Addendum shall be subject to the exclusions and limitations set out in the Agreement.


16.1. This Addendum will enter into force upon signing by both parties of the Agreement.

16.2. This Addendum will remain in effect until the Agreement is terminated.

Annex A – Details of the Processing

Detailed description of the Processing (including the subject-matter, nature and purpose) – The processing of Personal Data to the extent necessary in the provision of the Services

Duration of the Processing –  The term of the Agreement and until deletion of all Protected Data by PrivIQ

Types of Personal Data processed – Personal Data relating to individuals that is provided to PrivIQ via the Services by or at the direction of the Customer including without limitation, names, addresses, contact details, online identifiers and login details.

Categories of Data Subjects – Individuals about whom Personal Data is provided to PrivIQ via the Services by or at the direction of the Customer.

Annex B – Sub Processors

Name – Description of services

Amazon AWS – Hosting

GoCardless – Payment processing

Subprocessor 3 – Support and Helpdesk

Subprocessor 4 – Marketing automation

Subprocessor 5 – Administration and support services

Xero – Accounting software