← Back to site Print / Save as PDF
Data Processing

Data Processing Agreement

Last updated: 6 July 2026

Schedule to the Service Agreement between [Client name] (Controller) and Oliver Lythe Sales (Processor)

This is our standard template, shown for transparency. The version we sign with you, completed with your details, is what governs your engagement.

1 Introduction and Scope

This Data Processing Agreement (the "DPA") is entered into as of the date of signature between:

Each a "party" and together the "parties".

This DPA forms an integral schedule to, and is governed by, the Service Agreement between the parties for done-for-you LinkedIn outbound and B2B appointment-setting services (the "Service Agreement", and the services provided under it, the "Services"). It sets out the terms on which the Processor processes personal data on behalf of the Controller in connection with the Services.

Where this DPA and the Service Agreement conflict on the subject of the processing of personal data, this DPA prevails. In all other respects the Service Agreement continues in full force. Capitalised terms not defined here have the meaning given in the Service Agreement.

2 Definitions

In this DPA:

3 Roles of the Parties

The parties acknowledge and agree that, for the purposes of Data Protection Law and in relation to the processing of Controller Personal Data under the Services:

The Controller warrants that it has all necessary rights, permissions and lawful bases to provide the Controller Personal Data to the Processor and to instruct the processing described in this DPA, including operation of the Controller's own LinkedIn account by the Processor with the Controller's authorisation.

4 Subject-Matter, Duration, Nature and Purpose of Processing

Further detail is set out in the Schedule to this DPA.

5 Types of Personal Data and Categories of Data Subjects

Types of personal data:

Categories of data subjects:

No special-category personal data (as defined in Article 9 GDPR) and no data relating to criminal convictions or offences is processed under the Services. The Controller shall not instruct or provide such data for processing.

Payment and billing data processed via Wise for the purpose of invoicing the Controller is processed by the Processor as an independent controller in its own right and falls outside the scope of this DPA.

6 Processor Obligations

The Processor shall:

7 Sub-processors

The Controller grants the Processor general authorisation to engage Sub-processors to process Controller Personal Data for the purpose of delivering the Services. The Sub-processors currently engaged are listed in Part C of the Schedule:

The Processor shall:

LinkedIn (Microsoft) operates the underlying platform under its own terms and, in respect of that platform, acts as an independent controller and the Controller's own platform provider rather than as a Sub-processor engaged by the Processor.

No client confidential data is used to train any third-party AI model, and all AI-drafted output is reviewed by the Processor before use.

8 International Transfers

The Processor is based in Georgia, and the Sub-processors may process Controller Personal Data outside the Controller's own region, including outside the European Economic Area or the United Kingdom. Georgia does not currently benefit from an EU or UK adequacy decision, so an appropriate transfer safeguard applies as set out below.

Where Controller Personal Data is transferred to a country not benefiting from an adequacy decision applicable to the Controller, the Processor shall ensure that the transfer is subject to appropriate safeguards within the meaning of Data Protection Law, such as the Standard Contractual Clauses (and, for UK data, the UK International Data Transfer Agreement or Addendum), or another lawful transfer mechanism.

Where the Controller is established in the European Economic Area or the United Kingdom, the transfer of Controller Personal Data to the Processor and its Sub-processors is made subject to the SCCs as operationalised in Part D of the Schedule. In summary: the EU SCCs apply on a controller-to-processor basis (Module Two), and the UK International Data Transfer Addendum applies to UK data; the Controller is the data exporter and Oliver Lythe Sales is the data importer; the optional docking clause (Clause 7) applies; Schedule Part A completes Annex I to the SCCs (parties, description of the transfer and competent supervisory authority), Schedule Part B completes Annex II (technical and organisational measures), and Schedule Part C completes Annex III (sub-processors).

Where the SCCs apply between the parties, they are incorporated into this DPA by reference and completed by the details in the Schedule, and in the event of conflict the SCCs prevail on the subject of the transfer. The Processor shall, on request, provide the Controller with reasonable information about the safeguards relied upon.

9 The Controller's Instructions and Obligations

10 Data-Subject Rights Assistance

Taking into account the nature of the processing, the Processor shall provide reasonable assistance to the Controller, by appropriate technical and organisational measures and insofar as possible, to enable the Controller to respond to requests from data subjects exercising their rights under Data Protection Law, including rights of access, rectification, erasure, restriction, portability and objection.

If the Processor receives a request directly from a data subject in respect of Controller Personal Data, it shall not respond to the request itself (except to confirm receipt or as legally required) and shall, without undue delay, forward the request to the Controller so the Controller can handle it. The Processor may charge the Controller its reasonable costs for assistance that goes beyond what is required by Data Protection Law or that is disproportionate in volume.

11 Personal Data Breach Notification

The Processor shall notify the Controller without undue delay after becoming aware of a personal data breach affecting Controller Personal Data.

The notification shall, to the extent then known and insofar as reasonably available to the Processor, describe: the nature of the breach including, where possible, the categories and approximate number of data subjects and records concerned; the likely consequences; and the measures taken or proposed to address the breach and mitigate its effects. Where the information cannot be provided at once, it may be provided in phases without further undue delay.

The Processor shall cooperate with the Controller and take reasonable steps as directed by the Controller to assist in the investigation, mitigation and remediation of the breach. Notification of a breach is not, and shall not be construed as, an acknowledgement by the Processor of fault or liability.

12 Audit and Information Rights

The Processor shall make available to the Controller all information reasonably necessary to demonstrate compliance with its obligations under this DPA and Article 28 GDPR, and shall allow for and contribute to audits, including inspections, conducted by the Controller or an independent auditor mandated by the Controller.

Such audits are subject to reasonable conditions: they shall be conducted on reasonable prior written notice (not less than 30 days save where a supervisory authority or a live breach requires sooner), no more than once in any 12-month period save for cause or where required by a supervisory authority, during normal business hours, in a manner that does not unreasonably disrupt the Processor's operations, and subject to confidentiality. The Controller shall bear its own and the Processor's reasonable costs of any audit that goes beyond the provision of information. The Processor may satisfy audit requests, where appropriate, by providing existing documentation and responses to a reasonable information request rather than an on-site inspection.

13 Return or Deletion of Data on Termination

On termination or expiry of the Services, and at the Controller's choice, the Processor shall return the Controller Personal Data to the Controller and/or delete it, together with existing copies, unless retention is required by law to which the Processor is subject.

The Controller may specify its choice in writing within 30 days of termination. Absent instruction within that period, the Processor may delete the Controller Personal Data in the ordinary course. The Processor shall confirm deletion in writing on request. The Processor may retain Controller Personal Data to the limited extent, and for the limited period, required by applicable law, in which case the terms of this DPA continue to apply to that retained data. Data held within Sub-processor platforms will be deleted in accordance with the deletion functionality and standard retention practices of those platforms.

14 Liability, Term and General

Dated: the date of signature

15 Schedule to the DPA

Part A. Details of Processing

Part B. Technical and Organisational Security Measures

Part C. Approved Sub-processors (SCC Annex III)

The current list may be updated in accordance with Section 7 (Sub-processors). For the avoidance of doubt, LinkedIn (Microsoft) is not a Sub-processor engaged by the Processor but the platform provider under the Controller's own account relationship, and Wise (payment processing of the Controller's billing-contact data) falls outside the scope of this DPA per Section 5.

Part D. Operationalisation of the Standard Contractual Clauses

This Part applies where the Controller is established in the European Economic Area or the United Kingdom, or where Data Protection Law otherwise requires a transfer mechanism for Controller Personal Data.

Oliver Lythe. Individual Entrepreneur, Small Business Status, Tbilisi, Georgia. Invoiced directly, paid into Wise in your currency. Questions: [email protected].
↑ Back to top