Data Processing Agreement
Last updated: January 2025
Important Notice
This Data Processing Agreement ("DPA") forms part of our Terms & Conditions and governs the processing of personal data by PaperDrop Limited as a data processor on behalf of our customers who act as data controllers.
For more information about your privacy rights, see our Privacy Policy.
1. Definitions
- Data Controller
- The Customer who determines the purposes and means of processing personal data
- Data Processor
- PaperDrop Limited, who processes personal data on behalf of the Data Controller
- Personal Data
- Any information relating to an identified or identifiable natural person
- Processing
- Any operation performed on personal data, including collection, storage, use, and deletion
- GDPR
- General Data Protection Regulation (EU) 2016/679 and UK GDPR
2. Scope and Application
This DPA applies to the processing of personal data by PaperDrop Limited in the provision of our job management services, where:
- The Customer acts as the Data Controller
- PaperDrop Limited acts as the Data Processor
- The processing is carried out in accordance with the Customer's documented instructions
3. Data Processing Details
3.1 Categories of Personal Data
We may process the following categories of personal data:
- Employee identification data
- Contact information
- Employment details
- Training and certification records
- Performance data
- Health and safety information
- Time and attendance records
- Job-related communications
- Financial information (expenses, payments)
- Location data (job sites)
3.2 Categories of Data Subjects
- Employees and contractors of the Customer
- Job site personnel
- Customer contacts and representatives
- Third-party service providers
3.3 Purposes of Processing
- Providing job management services
- Employee scheduling and task assignment
- Time tracking and attendance monitoring
- Communication and collaboration tools
- Reporting and analytics
- Compliance with legal obligations
4. Data Security Measures
Technical and Organisational Measures
We implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:
Technical Measures
- Encryption of personal data in transit and at rest
- Regular security updates and patches
- Access controls and authentication mechanisms
- Network security and firewall protection
- Regular security monitoring and incident detection
Organisational Measures
- Staff training on data protection
- Confidentiality agreements for all personnel
- Data breach response procedures
- Regular security audits and assessments
- Vendor management and due diligence
5. Data Subject Rights
We will assist the Data Controller in fulfilling their obligations to respond to data subject requests, including:
- Right of access to personal data
- Right to rectification of inaccurate data
- Right to erasure ("right to be forgotten")
- Right to restrict processing
- Right to data portability
- Right to object to processing
6. Data Retention and Deletion
Retention Period
We will retain personal data only for as long as necessary to provide the services or as instructed by the Data Controller, but no longer than:
- 2 years after termination of the service agreement
- As required by applicable law
- As instructed by the Data Controller
Secure Deletion
Upon termination of the agreement or upon request, we will securely delete or return all personal data to the Data Controller, unless retention is required by law.
7. Contact Information
Data Protection Officer
PaperDrop LimitedData Protection Officer
Allia Future Business Centre,
London Rd,
Peterborough PE2 8AN,
United Kingdom
Email: dpo@paperdrop.com
Phone: 01733 612860