This Appendix only applies if data processing occurs between the parties, as explained in clause 2 of this Appendix. Capitalised terms used but not defined in this Appendix shall have the same meanings as set out in the Commercial Terms.
The Parties agree as follows.
1. Definitions
In this Data Processing Appendix, the following terms shall have the following meanings:
- "controller", "processor", "data subject", "personal data", "processing" (and "process") and "special category data" shall have the meanings given in Applicable Data Protection Law;
- "Applicable Data Protection Law" shall mean: (i) Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation or GDPR); (ii) Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (as amended or replaced from time to time) and applicable laws implementing that directive in European Union Member States; (iii) the Data Protection Act 2018; and (iv) any other data protection legislation that applies to the Parties from time to time;
- "Authorised Persons" means, with respect to each party, any person authorised by that party to process personal data (including such party's staff, agents and subcontractors);
- "EEA" shall mean the European Economic Area, and "EU" shall mean the European Union;
- "EU Member State" means a member country of the EU;
- "Permitted Purpose" has the meaning specified in Clause 3;
- "Standard Contractual Clauses" shall mean the model clauses for the transfer of personal data to processors, being the clauses approved by the European Commission from time to time, the approved version of which in force at present is that set out in the European Commission's Decision 2010/87/EU, as may be amended or replaced from time to time.
2. Relationship of the parties
If a party (the “Processor”) processes personal data on behalf of the other (the “Controller”) that is the subject of this agreement (the "Data"), each of the Controller and the Processor shall comply with the obligations that apply to it under Applicable Data Protection Law.
3. Purpose limitation
If processing occurs, the Processor shall process the personal data (and shall maintain records of such processing activities) as a processor as necessary to perform its obligations under this agreement and strictly in accordance with the documented instructions of the Controller (the "Permitted Purpose"), except where otherwise required by any EU (or any EU Member State) law applicable to the Processor. In no event shall the Processor:
- process the personal data for its own purposes or those of any third party;
- assume any responsibility for determining the purposes for which and the manner in which the personal data is processed;
- disclose the personal data to any third party (other than its authorised subcontractors) without the prior consent of the Controller, except where and to the extent disclosure is required by any EU (or any EU Member State) law applicable to the Processor; or
- process the personal data in any way that would cause the Controller to breach any of its obligations under Applicable Data Protection Law.
4. Local laws
The Processor has no reason to believe that the laws applicable to it prevent it from fulfilling the instructions received from the Controller and its obligations under this Data Processing Appendix, and it will promptly notify the Controller of any actual or anticipated changes to those laws that will or may have a substantial adverse effect on its ability to comply with this Data Processing Appendix, in which case the Controller will be entitled to suspend the transfer of personal data to the Processor and the processing of personal data by the Processor.
5. Confidentiality of processing
The Processor shall ensure that any Authorised Persons shall be subject to a strict duty of confidentiality (whether a contractual duty or a statutory duty or otherwise) and shall not permit any person who is not under such a duty of confidentiality to process the personal data. The Processor shall ensure that it processes the personal data only as necessary for the Permitted Purpose.
7. Security
The Processor shall implement and maintain appropriate technical and organisational measures to protect the personal data from: (i) accidental or unlawful destruction; (ii) accidental loss, alteration, unauthorised disclosure, or access; and (iii) any other breach of security (each of (i), (ii) and (iii) a "Security Incident"). Such measures shall have regard to the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. Such measures shall include, as appropriate, but are not limited to:
- the pseudonymisation and encryption of personal data;
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and/or
- a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
8. Subcontracting and transfers outside the EEA
The Processor shall not subcontract any processing of the Data to a third-party subcontractor without the prior written consent of the Controller. If the Controller refuses to consent to the Processor's appointment of a third-party subcontractor for any reason, including [but not limited to] grounds relating to the protection of the personal data, then either the Processor will not appoint the subcontractor or the Controller may, in its sole discretion, elect to suspend or terminate this agreement without penalty. The Processor will (and will procure that any subcontractors will) not process or cause the Data to be processed outside the EEA without the Controller's prior written consent, which will be conditional on the Processor taking all such steps (and procuring that its subcontractors take all such steps) as are necessary to ensure an adequate level of protection for the personal data in accordance with the Controller's instructions and Applicable Data Protection Law.
9. Cooperation and data subjects' rights
The Processor shall provide all reasonable and timely assistance to the Controller to enable the Controller to respond to: (i) any request from a data subject to exercise any of its rights under Applicable Data Protection Law (including its rights of access, correction, objection, erasure and data portability, as applicable); and (ii) any other correspondence, enquiry or complaint received from a data subject, regulator or other third party in connection with the processing of the personal data. In the event that any such request, correspondence, enquiry or complaint is made directly to the Processor, the Processor shall promptly inform the Controller providing full details of the same.
10. Data Protection Impact Assessment
If the Processor believes or becomes aware that its processing of the personal data is likely to result in a risk to the data protection rights and freedoms of data subjects, it shall promptly inform the Controller and provide the Controller with all such reasonable and timely assistance as the Controller may require in order to conduct a data protection impact assessment and, if necessary, consult with its relevant data protection authority.
11. Security incidents
Upon becoming aware of a Security Incident, the Processor shall inform the Controller immediately and shall provide all such timely information and cooperation as the Controller may reasonably require, including in order for the Controller to fulfil its data breach reporting obligations under (and in accordance with the timescales required by) Applicable Data Protection Law. The Processor shall further take all such measures and actions as are necessary to remedy or mitigate the effects of the Security Incident and shall keep the Controller up to date on all developments in connection with the Security Incident.
12. Deletion or return of Data
Upon termination or expiry of the Commercial Terms, the Processor shall (at the Controller’s election) promptly destroy or return to the Controller all personal data (including all copies of the personal data) in its possession or control (including any personal data subcontracted to a third party for processing). This requirement shall not apply to the extent that the Processor is required by any EU (or any EU Member State) law to retain some or all of the personal data, in which event the Processor shall isolate and protect the personal data from any further processing except to the extent required by such law.
13. Audit
The Processor shall permit the Controller (or its appointed third-party auditors bound by a duty of confidentiality) to audit the Processor's compliance with this Data Processing Appendix and shall make available to the Controller all information, systems and staff necessary for the Controller (or its third-party auditors) to conduct such audit. The Processor acknowledges that the Controller (or its third-party auditors) may enter its premises for the purposes of conducting this audit, provided that the Controller gives it reasonable prior notice of its intention to audit, conducts its audit during normal business hours, and takes all reasonable measures to prevent unnecessary disruption to the Processor's operations. The Controller will also exercise its audit rights (i) if and when required by instruction of a competent data protection authority; or (ii) if the Processor believes a further audit is necessary due to a Security Incident suffered by the Processor.
14. Data Processing Indemnity
(a) The Processor agrees to indemnify and keep indemnified the Controller from and against all loss, cost, harm, expense (including reasonable legal fees), liabilities or damage ("Damage") suffered or incurred by the Controller as a result of the Processor's breach of this Data Processing Appendix.
(b) The Processor shall take out insurance sufficient to cover any payment that may be required under Clause 14(a) and produce the policy and receipt for premium paid to the Controller on request.
15. General
This Appendix shall continue in full force and effect until the termination or expiration of the Commercial Terms.
- This Appendix shall be governed by and construed in all respects in accordance with the governing law and jurisdiction provisions set out in the Commercial Terms.
- Except for the changes made by this Data Processing Appendix, the Commercial Terms remain unchanged and in full force and effect. If there is any conflict between any provision in this Appendix and any provision in the Commercial Terms, this Appendix controls and takes precedence.
- With effect from the Commencement Date, this Appendix is a part of and incorporated into the Commercial Terms so references to "Commercial Terms" shall include this Appendix.
- Clause and other headings in this Appendix are for convenience of reference only and shall not constitute a part of or otherwise affect the meaning or interpretation of this Appendix.
Data Processing information
- Subject Matter and duration of processing:
- Nature and purpose of processing:
- Type of personal data:
- Categories of data subjects:
- Obligations and rights of Controller:
Effective date: 21 April 2020