Data Processing Terms

Application: these Data Processing Terms apply to and are binding on the Parties where Paperform Party Limited (“Paperform”) acts as a data processor on your behalf and you act as data controller for the purposes of the General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”).


In this Annex, the following expressions bear the following meanings unless the context otherwise requires:

“Controller” means you as the party providing instructions to Paperform to Process Personal Data.

“Data Protection Incident” means a breach of security, leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed.

“Data Protection Legislation” means the GDPR and all other applicable law, regulations and codes of conduct in any relevant jurisdiction relating to the processing of Personal Data and privacy including the guidance and codes of practice issued by a relevant data protection regulator, including the Data Protection Commissioner and the European Data Protection Board or the Article 29 Working Party.

“Data Subject”, “Personal Data”, “Processing” (and “Process” shall be construed accordingly) each have the same meaning as in the Data Protection Legislation.

“Parties” means the Processor and the Controller.

“Personnel” means the employees and/or contractors of the Processor.

“Platform” means the online form building website operated by Paperform at:

“Processor” means Paperform where it processes Personal Data based on the instructions of the Controller.

“Services” has the meaning set out in the General Terms & Conditions Of Use.


The Parties agree as follows:

  1. Processor will process the Personal Data only on documented or written instructions of the Controller including as set out in the General Terms & Conditions Of Use;
  2. Controller acknowledges that Personal Data is provided by it to Processor and collected by Processor outside the European Economic Area (“EEA”) on the basis set out in the Paperform Privacy Policy;
  3. Processor shall ensure that persons authorised to Process the Personal Data have committed themselves to confidentiality;
  4. Processor will take appropriate technical and organisational measures to: (i) protect the security of the Personal Data as required by Article 32 of the GDPR; and (ii) provide reasonable assistance to the Controller in response to any Data Subject requests under the GDPR but the Parties acknowledge and agree that the Controller bears primary responsibility for complying with all such requests and shall reimburse the Processor for any additional services performed and costs incurred in this regard.
  5. Processor agrees to only engage sub-Processors on its behalf that are necessary for the performance of the Services and where a written and binding agreement is entered containing terms no less onerous than these Data Processing Terms;
  6. Processor shall reasonably assist Controller in complying with the Controller’s obligations under Articles 33, 34 and 35 of the GDPR and again Controller shall reimburse the Processor for any additional services performed and costs incurred in this regard;
  7. On reasonable written notice, Processor will make available to the Controller information necessary to demonstrate compliance with the Article 28 obligations and allow for and contribute to audits, including inspections by the Controller or an auditor appointed by the Controller. In such cases the Controller shall treat all such information obtained in any audit, inspection or otherwise provided by Processor as strictly confidential and Controller shall reimburse the Processor for any additional services performed and/or costs incurred in this regard; and
  8. The Parties acknowledge that the Controller will have the ability to erase all Personal Data from the Paperform platform by accessing its account and that it shall have full responsibility for doing so once the purpose of the relevant Processing of Personal Data has been completed.
  9. Controller agrees that, prior to providing any Personal Data to the Processor through the Platform, it shall provide all appropriate notices and obtain any required consents from the relevant Data Subjects. Controller agrees to indemnify and hold harmless from all liability, damages, compensation and any other form of loss or expense incurred by Processor for Controller’s breach or non-compliance with this clause 2.9.