This Data Processing Agreement ("DPA") is made between:
Moonpig for Work Customer ("Customer") and
Moonpig.com Limited,
This DPA is incorporated into the Moonpig for Work Terms and Conditions and outlines how Moonpig.com Limited handles personal data in compliance with applicable data protection laws, including the General Data Protection Regulation (GDPR) (EU) 2016/679.
1.1 Controller: Moonpig.com Limited may act as a Data Controller when determining the purposes and means of processing personal data in certain business operations (e.g. managing customer data, marketing activities, etc.).
1.2 Processor: Moonpig.com Limited may also act as a Data Processor when processing personal data on behalf of the Customer in providing its services (e.g. storing customer recipient data to process Moonpig for Work orders).
2.1 As Data Processor: Moonpig.com Limited agrees to process personal data only on behalf of the Controller for the purposes described in the Moonpig for Work Terms and Conditions, to process customer orders.
2.2 As Data Controller: Moonpig.com Limited (acting as Controller) may collect and process personal data for its own business purposes as specified in the Moonpig for Work Privacy Notice.
3.1 The categories of Personal Data and Data Subjects that Moonpig.com Limited may process on behalf of the Customer include:
Categories of Personal Data: name, address
Categories of Data Subjects: customers, recipients
3.2 When acting as a Controller, Moonpig.com Limited will collect and process personal data as specified in the Moonpig for Work Privacy Notice.
4. Processor Obligations
When acting as a Data Processor, Moonpig.com Limited agrees to the following obligations:
4.1 Processing on Instructions: Moonpig.com Limited will process personal data only on the documented instructions of the Controller and in compliance with applicable law.
4.2 Security Measures: Moonpig.com Limited shall at all times implement appropriate technical and organisational measures against accidental, unauthorised or unlawful processing, access, copying, modification, reproduction, display or distribution of the Personal Data, and against accidental or unlawful loss, destruction, alteration, disclosure or damage of Personal Data.
4.3 Moonpig.com Limited must implement such measures to ensure a level of security appropriate to the risk involved, including as appropriate:
the pseudonymisation and encryption of personal data;
the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and
a process for regularly testing, assessing and evaluating the effectiveness of the security measures.
4.3 Confidentiality: Moonpig.com Limited will ensure that all personnel authorised to process personal data are bound by confidentiality obligations.
4.4 Sub-processing: Moonpig.com Limited shall not engage any sub-processor without the Customer's prior written consent and will ensure that any sub-processors are bound by the same data protection obligations.
4.5 Data Breach Notification: In the event of a personal data breach, Moonpig.com Limited shall notify the Customer without undue delay, providing details of the breach, affected data subjects, and measures taken to mitigate the impact.
When acting as a Data Controller, Moonpig.com Limited agrees to the following obligations:
5.1 Compliance with Laws: Moonpig.com Limited shall ensure that personal data is processed in compliance with all applicable data protection laws, including ensuring that Data Subjects are informed about the processing activities and their rights.
5.2 Lawful Basis for Processing: Moonpig.com Limited is responsible for determining and documenting the lawful basis for processing personal data.
5.3 Data Subject Requests: Moonpig.com Limited shall respond to requests from Data Subjects to exercise their rights under applicable data protection laws (e.g., rights to access, rectify, erase, or restrict processing).
6.1 Assistance to the Customer: When acting as a Data Processor, Moonpig.com Limited shall assist the Customer in responding to requests from Data Subjects exercising their rights under applicable data protection laws, including:
Right of access
Right to rectification
Right to erasure
Right to data portability
7.1 Moonpig.com Limited ensures that adequate protections are in place for all transfers of personal data to countries outside the European Economic Area (EEA). Moonpig.com Limited ensures that any international transfers of personal data comply with applicable data protection laws.
8.1 Moonpig.com Limited shall delete recipient data processed on behalf of the Customer 60 days from order dispatch.
8.2 As a Controller, Moonpig.com Limited shall retain personal data only for as long as necessary for the purposes for which it was collected or as required by applicable law.
9.1 Moonpig.com Limited will conduct periodic internal reviews to ensure compliance with data protection obligations.