Data Processing Agreement


Evouchers Limited (“Evouchers”) has created its digital and physical voucher solution which it operates either through its website www.evouchers.com (and associated platforms) or manually.

To facilitate the data relationship in respect of Evouchers providing its Services, this Agreement details the agreed terms between Evouchers and any customer (“Customer”) (each a “party” and collectively the “parties”) that wishes to access and use the Services, and how each party will collect, use and process any Personal Data in respect of the Services. This Agreement is therefore formed between Evouchers and the Customer, and is legally binding.

The parties acknowledge that this Agreement will supplement other contractual terms between the parties in respect of the purchase of Evouchers’ Services which may include data protection terms relating to the collection and use of Personal Data.  

THESE TERMS ARE INCORPORATED INTO ALL TERMS AND CONDITIONS UNDER WHICH EVOUCHERS HAS AGREED TO PROVIDE ACCESS AND USE OF ITS EVOUCHERS SOFTWARE AND SERVICES TO THE CUSTOMER.

01. Definitions

  1. In this Agreement the following definitions shall apply:
“Agreement” means this data processing agreement.
“Authorised Persons” shall mean the persons or categories of persons that have authorised access to the Services.
“Confidential Information” means all confidential information (however recorded or preserved) disclosed by either party in connection with this Agreement which is either labelled as such or else which could be reasonably considered confidential because of its nature and the manner of its disclosure.
“Customer” means the person, firm or entity who purchases or uses the Services from Evouchers as set out in any Order.
“Data Controller” shall be interpreted and construed by reference to the term Controller as defined under Data Protection Laws.
“Data Processor” shall be interpreted and construed by reference to the term Processor as defined under Data Protection Laws.
“Data Protection Laws” means all applicable data protection and privacy legislation in force from time to time in the UK including the Data Protection Act 2018 (“DPA”) (as amended or replaced from time-to-time), UK GDPR (as defined in the Data Protection Act 2018) and the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2020 (SI 2020/1586) as amended and all other legislation and regulatory requirements in force from time to time which apply to a party relating to the use of Personal Data (including, without limitation, the privacy of electronic communications); and the guidance and codes of practice issued by the Information Commissioner or other relevant regulatory authority and applicable to a party.
“Data Subject” shall have the meaning as referred to in the Data Protection Laws.
“Effective Date” means the date upon which the Customer accepts these terms.
“Evouchers Software” means the Evouchers website, software application and platform supplied (directly or indirectly) by Evouchers and used by the Customer.
“Evouchers Retailers” means third party retailers or providers of e gift cards or digital vouchers used in the provision of the Services.
“Personal Data” has the meaning given in Data Protection Laws.
“Personal Data Breach” has the meaning given in Data Protection Laws but shall include any breach of Personal Data.
“Personnel” means those employees, consultants or such other person or persons who are assigned by Evouchers from time to time to the provision of the Services.
“processed” or “processing” has the meaning given in Data Protection Laws.
“Order” shall mean any order placed by the Customer to Evouchers for the purchase of the Services at any one time.
“Services” means the services performed by Evouchers:
a.  for the benefit of the Customer and the voucher recipients, utilising the Evouchers Software, which includes transferring selected Personal Data from the Customer to the Evouchers Software to facilitate the creation of the digital vouchers; 
b.  to allow access to, and use of the Evouchers Software;
c.  the creation and issue of digital vouchers together with any subsequent reporting. 
“Standard Contractual Clauses (SCC)” means all Controller to Processor SCCs, any Controller to Controller SCCs or any other SCCs that may apply and are entered into between the parties.
“Sub-Processors” means any third-party, person or company appointed by or on behalf of Evouchers who may process Personal Data to facilitate the provision of the Services in connection with the Agreement.
“UK GDPR” means the General Data Protection Regulation, Regulation (EU) 2016/679, as it forms part of domestic law in the United Kingdom by virtue of section 3 of the European Union (Withdrawal) Act 2018 (including as further amended or modified by the laws of the United Kingdom or of a part of the United Kingdom from time to time).
  2. A reference to writing or written includes emails and writing in any electronic form.
  3. In the case of conflict or ambiguity between:
    1. any provision contained in the body of this Agreement and any provision contained in the Schedule, the provision in the body of this Agreement will prevail;
    2. the terms of any accompanying invoice or other documents as they may apply and any provision contained in this Agreement, the provision contained in this Agreement will prevail; and
    3. any of the provisions of this Agreement and the provisions of the other contractual terms relating to the processing of Personal Data, the provisions of this Agreement will prevail.

02. General Provisions

  1. The Effective Date of this Agreement shall be the date that the Customer accepts the terms of this Agreement and the Customer acknowledges that this Agreement shall be effective and replace any previously applicable data processing, handling and security terms, which relates to the use of the Evouchers Software or the Services.
  2. This Agreement applies to the extent that Evouchers processes Personal Data which is subject to the Data Protection Laws and in connection with the provision of the Services or otherwise as described in Schedule 1. 
  3. By granting access to (some or all of) the Personal Data to Evouchers and the Evouchers Software, the Customer agrees to the terms of this Agreement.
  4. The Customer and Evouchers acknowledge that, for the purposes of Data Protection Laws, Evouchers shall act as a Data Processor and the Customer shall be a Data Controller in respect of the Personal Data directly or indirectly provided by the Customer and accordingly made accessible to Evouchers and processed by the Evouchers Software. Each party shall comply with their respective obligations under the Data Protection Laws. Evouchers shall promptly comply with any request from the Customer requiring Evouchers to amend, transfer or delete the Personal Data.
  5. The parties acknowledge that Evouchers shall be a Data Controller in respect of certain other Personal Data collected by Evouchers, such as where any Authorised Person, account holder, parent, guardian or voucher recipient provides Personal Data to create an account with Evouchers, to access and use the Evouchers Software and to facilitate the Services. This Agreement does not apply to any information Evouchers collects as a Data Controller. Further information relating to Evouchers’ collection and handling of Personal Data is outlined in its privacy notice, which is made available to the Customer and any Authorised User of Evouchers, and is further available on the Evouchers’ website or by request.
  6. Evouchers shall comply with all applicable Data Protection Laws in respect of its obligations for the processing of the Personal Data.
  7. Where Evouchers is processing any Personal Data for the Customer, it shall not process any Personal Data other than on the instructions of the Customer (unless such processing shall be required by any applicable law to which Evouchers is subject).
  8. The Customer hereby instructs and authorises Evouchers to process Personal Data for the purpose of:
    1. transferring certain Personal Data through, or for the benefit of the Evouchers Software;
    2. fulfilling any contractual obligations between the parties;
    3. using and disclosing the Personal Data relating to and/or obtained in connection with the operation, support and use of the Services for its legitimate business purposes;
    4. Evouchers providing the Customer with access to the Evouchers Software and Services; and
    5. as otherwise reasonably necessary for the provision of the Services by Evouchers to the Customer. 
  9. The Customer and Evouchers confirm that Schedule 1 determines the subject matter, duration, nature and purpose of processing.
  10. The Customer and Evouchers shall be liable to each other and shall indemnify (and keep indemnified) each other against each and every action, proceeding, liability, cost, claim, loss, expense (including reasonable legal fees and disbursements on a solicitor and client basis) and demand incurred by the other which arise directly or in connection with a breach of the Data Protection Laws, a breach of this Agreement and any data processing activities which are subject to this Agreement. 

03. Term and Termination

  1. This Agreement shall commence on the Effective Date, and shall continue until the Services have been completed by Evouchers or for as long as any contract between the parties remains effective and for as long as Evouchers continues to process Personal Data on behalf of the Customer.   
  2. Any provision of this Agreement that expressly or by implication should come into or continue in force on or after termination of the licence terms or this Agreement, in order to protect the Personal Data, will remain in full force and effect.

04. Transfer of Personal Data

  1. The Customer hereby consents to the Evouchers Software accessing Personal Data shared by the Customer, for the purpose of extracting and transferring such Personal Data to Evouchers in connection with the Services.
  2. Evouchers shall ensure that the Customer has access to the Evouchers Software whereby the Customer has visibility over the categories of Personal Data they are sharing with Evouchers.
  3. In particular, the Customer acknowledges and agrees that it will be solely responsible for (i) the accuracy, quality, and legality of the Personal Data and the means by which it has been acquired; (ii) complying with all necessary transparency and lawfulness requirements under the Data Protection Laws for the collection and use of the Personal Data; (iii) ensuring the Customer has the right to transfer or provide Evouchers access to the Personal Data for processing under this Agreement; (iv) ensuring that the Customer’s instructions to Evouchers comply with applicable laws including the Data Protection Laws.
  4. The Customer shall inform the Service Provider without undue delay if it is not able to comply with its responsibilities under clause 4.3.
  5. The Customer shall indemnify Evouchers against all costs, claims, damages, expenses, losses and liabilities incurred by Evouchers arising out of or in connection with any breach of this clause 4.

05. Ownership of the Personal Data and Confidential Information

  1. The Customer retains control of the Personal Data it supplies to Evouchers and remains responsible for its compliance obligations under the Data Protection Laws, including but not limited to, providing any required notices and obtaining any required consents, and for the written processing instructions it gives to Evouchers.
  2. Evouchers shall have no responsibility to maintain the security of any Personal Data to the extent it is held or processed outside of Evouchers’ direct control.
  3. Evouchers shall keep all Confidential Information and Personal Data confidential and shall not:-
    1. use any Confidential Information or Personal Data except for the purpose of performing the Services it provides to the Customer; or
    2. disclose any Confidential Information in whole or in part to any third party, except as expressly permitted by this Agreement, or as required for the purpose of any Services provided by Evouchers to the Customer, or to the extent required by law.

06. Security of the Data

  1. Evouchers must at all times implement appropriate technical and organisational measures against unauthorised or unlawful processing, access, disclosure, copying, modification, storage, reproduction, display or distribution of Personal Data, and against accidental or unlawful loss, destruction, alteration, disclosure or damage of the Personal Data.
  2. Both parties shall endeavour to achieve and maintain independent, industry recognised certifications as evidence of their compliance with information security and data protection best practice.
  3. Evouchers implements such measures to ensure a level of security appropriate to the risk involved, including as appropriate:
    1. the pseudonymisation and/or encryption of Personal Data;
    2. the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and the Services;
    3. the ability to restore the availability and access to the Personal Data in a timely manner in the event of a physical or technical incident; and
    4. a procedure for regularly testing, assessing and evaluating the effectiveness of security measures.
  4. In assessing the appropriate level of security, Evouchers shall take into account the particular risks that are presented by processing of the Personal Data, in particular from a Personal Data Breach and to preserve the security and confidentiality of the Personal Data, in accordance with Data Protection Laws.
  5. Evouchers shall promptly provide the Customer with all reasonable assistance and information as the Customer may reasonably require, including without limitation as regards any measures required by the Customer to meet the Data Protection Laws in relation to the security of any Personal Data processing, record keeping requirements, the notification of Personal Data compromise or breaches and any data protection impact assessments.

07. Sub-Processors and International Transfers

  1. The Customer acknowledges and agrees that Evouchers may use Sub-Processors in the course of its business and to fulfil the Services. Evouchers may continue to use such Sub-Processors already engaged by Evouchers and a list of its current Sub-Processors may be found at https://www.evouchers.com/subprocessors/. Evouchers will continue to update this list when required to do so.
  2. The Customer hereby provides a general authorisation to Evouchers to appoint future Sub-Processors for the processing of Personal Data by Evouchers, so long as Evouchers carries out due diligence on all potential Sub-Processors, complies with the requirements under the Data Protection Laws and complies with clause 7.3. 
  3. Where Evouchers appoints a Sub-Processor pursuant to this clause 7, it shall ensure that the arrangement between it and the Sub-Processor is governed by a written contract including terms which offer at least the same level of protection for the Personal Data as those set out in this Agreement, which meets the requirements of Data Protection Laws.
  4. Any obligation imposed on Evouchers in this Agreement includes an obligation on Evouchers to procure compliance by its agents, representatives, officers and Personnel and Sub-Processors (where applicable) unless the context otherwise requires and Evouchers shall ensure that persons who have access to any Personal Data in the provision of the Services, are aware of and comply with provisions that are no less onerous than those contained in this Agreement.
  5. The Customer authorises Evouchers to transfer or otherwise process the Personal Data outside the UK or the European Economic Area, without obtaining the Customer’s specific prior written consent, provided that:
    1. the Personal Data is transferred to or processed in a territory which is subject to adequacy regulations under the Data Protection Laws that the territory provides adequate protection for the privacy rights of individuals (including in particular the UK GDPR Articles 44-47 and sections 17A to 17C of the DPA or in relation to law enforcement, sections 73, 74A, 74B and 75 of the DPA), or one of the derogations in Article 49 of the UK GDPR applies; or
    2. Evouchers participates in a valid cross-border transfer mechanism under Data Protection Laws, so that Evouchers (and, where appropriate, the Customer) can ensure that appropriate safeguards are in place to ensure an adequate level of protection with respect to the privacy rights of individuals as required by the UK GDPR; or
    3. the transfer otherwise complies with Data Protection Laws.
  6. If any Personal Data transfer between Evouchers and the Customer requires execution of SCCs in order to comply with the Data Protection Laws, the parties shall agree to enter into a further agreement to reflect the further SCCs.

08. Insurance

  1. Evouchers maintains a policy of insurance in respect of public and product liability in respect of the services provided by Evouchers and the processing of the Personal Data, and shall produce a copy of such policy to the Customer if requested to do so.

09. Deletion or return of Personal Data

  1. Evouchers shall within a reasonable period of either a written request from the Customer or upon instruction from an Authorised Person, or the termination of this Agreement, delete and procure the deletion of all copies of the Personal Data held by Evouchers.
  2. Subject to clause 9.3, the Customer may in its absolute discretion by written notice to Evouchers at any time require Evouchers to:
    1. return a complete copy of all Personal Data by secure file transfer in such format as is reasonably notified by the Customer to Evouchers; and
    2. delete and use all reasonable endeavours to procure the deletion of all other copies of Personal Data processed by Evouchers or any of its Sub-Processors.
  3. Evouchers shall use all its reasonable endeavours to comply with any such written request within 30 days of receiving such request.
  4. Evouchers and its Sub-Processors may retain Personal Data to the extent required by any applicable law, provided that Evouchers and its Sub-Processors shall ensure the confidentiality of all such Personal Data retained, and shall ensure that such Personal Data is only processed as necessary for the purpose(s) specified by the applicable laws requiring its storage and for no other purpose.
  5. Evouchers shall, within 30 days of a formal request from the Customer, provide written certification to the Customer that it has fully complied with this clause 9.

10. Audit and Information Rights

  1. Subject to clauses 10.2, 10.3 and 10.4, Evouchers shall:
    1. make available to the Customer on request all information reasonably necessary to demonstrate Evouchers’s compliance with this Agreement; and
    2. allow for and contribute to audits, including inspections, by the Customer or any auditor nominated by the Customer in relation to the processing of the Personal Data by Evouchers and its Sub-Processors.
  2. The information and audit rights of the Customer under clause 10.1 shall apply only to the extent required by Data Protection Laws.
  3. The Customer shall give Evouchers reasonable notice of any audit or inspection that it wishes to conduct under clause 10.1, and shall (and shall ensure that any nominated auditor shall) avoid causing (or, if it cannot avoid, minimise) any damage, injury or disruption to Evouchers or its Sub-Processors’ premises, equipment, personnel and business.
  4. Without prejudice to clause 10.3, Evouchers or its Sub-Processors are not required to give access to their premises for the purposes of an audit or inspection:
    1. to any individual unless he or she produces reasonable evidence of identity and authority; or
    2. outside normal business hours at those premises; or
    3. for the purposes of more than one audit or inspection in any calendar year.

11. Data Subject Rights and Associated Matters

  1. Taking into account the nature of the processing conducted by Evouchers, Evouchers shall (and shall use all reasonable endeavours to procure that its Sub-Processors shall) assist the Customer by implementing appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Customer’s obligations, to respond to requests to exercise data subject rights under the Data Protection Laws.
  2. Evouchers shall:
    1. promptly notify the Customer if it or any Sub-Processor receives a request from a Data Subject under any Data Protection Law in respect of Personal Data; 
    2. notify the Customer promptly in writing if it receives any complaint or notice that relates directly or indirectly to the processing of the Personal Data and/or to either party’s compliance with the Data Protection Laws; and
    3. not, and shall use all reasonable endeavours to ensure that the Sub-Processor does not, respond to any request from a Data Subject, except on the written instructions of the Customer or as required by any applicable laws to which Evouchers or the Sub-Processor is subject.
  3. Evouchers shall notify the Customer without undue delay and in any event within 24 hours, upon Evouchers becoming aware of:
    1. the loss, unintended destruction or damage, corruption, or unusability of part or all of the Personal Data. Evouchers will restore any Personal Data at its own expense as soon as possible;
    2. any accidental, unauthorised or unlawful processing of the Personal Data; or
    3. any Personal Data Breach in respect of any Personal Data processed by Evouchers, providing the Customer with sufficient information to allow the Customer to meet any obligations to report, or inform the individuals to which the Personal Data related, of such Personal Data Breach under Data Protection Laws. It shall be the responsibility of the Customer to report the Personal Data Breach to the Information Commissioner’s Office or any other appropriate regulatory authority, where appropriate.
  4. Evouchers shall co-operate with the Customer and take such reasonable commercial steps as directed by the Customer to include: assisting in the investigation, facilitating any interviews, remediation and making any records available in relation to any such Personal Data Breach referred to in clause 11.3.
  5. Evouchers shall provide reasonable assistance to the Customer (at the Customer’s expense) with:
    1. responding to any request from a Data Subject; and
    2. any data protection impact assessments, and prior consultations with competent data privacy authorities, which the Customer reasonably considers to be required under any Data Protection Laws, in each case solely in relation to processing of Personal Data comprised in the Personal Data, by and taking into account the nature of the processing and information available to Evouchers.

12. Liability

  1. Evouchers shall have no liability to the Customer, whether arising in contract, tort (including negligence), breach of statutory duty or otherwise, for or in connection with:
    1. loss, interception or corruption of any data; other than to the extent such loss is caused by the negligence or fault of Evouchers;
    2. loss, interception or corruption of any data resulting from any negligence or default by any provider of telecommunications services to Evouchers, the Customer or any Evouchers Retailer;
    3. any loss arising from the default or negligence of any Evouchers Retailer;
    4. damage to reputation or goodwill; 
    5. any indirect or consequential loss.
  2. In all other circumstances, Evouchers’s maximum liability to the Customer, whether arising in contract, tort (including negligence), breach of statutory duty or otherwise, in connection with the Services or related to this Agreement shall be limited to the aggregate amount paid or payable for the Services during the 12 month period preceding the event giving rise to the claim. 
  3. Nothing in this clause shall limit the liability of Evouchers for any death or personal injury caused by its negligence, fraud or fraudulent misrepresentation, or any other matter for which liability cannot be limited or excluded as a matter of law. 

13. Records

  1. Evouchers agrees that it shall keep detailed, accurate and complete records regarding any processing activities it carries out pursuant to this Agreement, including but not limited to, the access, control and security of the Personal Data.
  2. Evouchers will ensure that any such records referred to in clause 13.1 are sufficient to enable the Customer to verify Evouchers’s compliance with its obligations under this Agreement.

14. Evouchers employees

  1. Evouchers will ensure that all of its employees:
    1. are informed of the confidential nature of the Personal Data and are bound by written confidentiality obligations and use restrictions in respect of the Personal Data;
    2. have undertaken training on the Data Protection Legislation and how it relates to their handling of the Personal Data and how it applies to their particular duties; and
    3. are aware of both Evouchers’ duties and their personal duties and obligations under the Data Protection Legislation and this Agreement.
  2. Evouchers will take reasonable steps to ensure the reliability, integrity and trustworthiness of and conduct background checks consistent with applicable domestic law on all of Evouchers’ employees with access to the Personal Data.

16. Miscellaneous Provisions

  1. Save for any statement, licence, representations or assurances as to the method or location of storage, this Agreement and the Schedules to it constitute the entire agreement and understanding between the parties with respect to all matters which are referred to and shall supersede any previous agreements between the parties in relation to the matters referred to in this Agreement.
  2. No one other than a party to this Agreement, its successors and permitted assignees shall have any right to enforce any of its terms.
  3. Evouchers may vary the terms of this Agreement from time to time by giving notice to the Customer in advance of the variation.
  4. This Agreement and any dispute or claim arising out of or in connection with it or its subject matter or formation (including non-contractual dispute or claims) shall be governed by and construed in accordance with the laws of England and Wales and subject to the exclusive jurisdiction of the courts of England and Wales.
  5. Evouchers may transfer, assign or novate its rights and obligations under this Agreement to any member of its group companies to whom Evouchers transfers all or substantially all of its business.
  6. Evouchers may allow employees working for other companies within its group companies to access personal data for the purposes of providing support, system development and technical support.
  7. This Agreement is binding upon and solely for the benefit of the parties hereto, and any permitted assigns and nothing herein, express or implied, is intended to or confers upon any other person any legal or equitable right, benefit or remedy of any nature whatsoever, under or by reason of this Agreement.

Schedule 1

Subject matter of processing:

The transfer is necessary to enable the provision of services by Evouchers in any Order placed by the Customer to Evouchers including the following:

  • receiving and processing certain categories of Personal Data in line with the Customer’s instructions via the Evouchers Software;
  • Evouchers providing the Customer with access to the Evouchers Software if required by the Customer; 
  • providing reports to the Customer; and
  • as otherwise reasonably necessary for the provision of the Services by Evouchers to the Customer.

Evouchers provides a service for creating and providing digital vouchers in a private and secure manner. 

Duration of Processing:

For as long as it is necessary to provide the Services and until all Personal Data is deleted. 

Nature of Processing:

The collection, storage, organisation and re-categorisation of the Personal Data in connection with, and for the purpose of, providing the Services to the Customer. 

Personal Data Categories and Types:

The Personal Data being processed concerns the following categories of Data Subjects:  

  • Eligible Voucher recipients
  • Relatives, guardians of the Voucher recipient if a minor or vulnerable person
  • Authorised Persons with access to the Evouchers Software

Data Types:

  • Identifying information – names and former names, and dates of birth, reference numbers
  • Contact information – postal and email addresses (current and former), telephone number
  • Usernames, passwords, IP addresses and cookies


  EV-DPA/11-2024/V3.0