This Data Processing Annex forms part of the Company’s General Terms of Service, and of the Company’s Trade Customers & Resellers Terms of Service (the “Agreements”).
It is agreed as follows:
1.1. This Data Processing Annex is incorporated by reference into the Agreements. It shall be governed by the terms and conditions set out in the Agreements. Capitalized terms that are not defined in this Data Processing Annex shall acquire the meaning given in the relevant agreement, unless the context indicates otherwise.
1.2. In this Data Processing Annex, the following terms shall mean:
Appropriate Safeguards means such legally enforceable mechanism(s) for transfers of Personal Data as may be permitted under Data Protection Laws from time to time;
Complaint means a complaint or request relating to either party’s obligations under Data Protection Laws relevant to this Agreement, including any compensation claim from a Data Subject or any notice, investigation or other action from a Supervisory Authority;
Customer Data means all information provided by the Customer to the Company when using the Service;
Data Controller has the meaning given to that term (or to the term ‘controller’) in Data Protection Laws;
Data Processor has the meaning given to that term (or to the term ‘processor’) in Data Protection Laws;
Data Protection Laws means, up to but excluding 25 May 2018, the Data Protection Act 1998 and thereafter (i) unless and until the GDPR is no longer directly applicable in the UK, the General Data Protection Regulation ((EU) 2016/679) and any national implementing laws, regulations and secondary legislation, as amended or updated from time to time, in the UK and then (ii) any successor legislation to the GDPR or the Data Protection Act 1998;
Data Protection Losses means all liabilities, including all:
costs (including legal costs), claims, demands, actions, settlements, interest, charges, procedures, expenses, losses and damages (including relating to material or non-material damage); and
to the extent permitted by Applicable Law:
administrative fines, penalties, sanctions, liabilities or other remedies imposed by a Supervisory Authority;
compensation which is ordered by a Supervisory Authority to be paid to a Data Subject; and
the reasonable costs of compliance with investigations by a Supervisory Authority;
Data Subject has the meaning given to that term in Data Protection Laws;
Data Subject Request means a request made by a Data Subject to exercise any rights of Data Subjects under Data Protection Laws;
GDPR means the General Data Protection Regulation (EU) 2016/679;
GDPR Date means 25 May 2018;
International Organisation means an organisation and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries;
International Recipient has the meaning given to that term in clause 11;
Personal Data has the meaning given to that term in Data Protection Laws;
Personal Data Breach means any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, any Protected Data, which affects the rights and freedoms of Data Subjects;
processing has the meaning given to that term in Data Protection Laws (and related terms such as process have corresponding meanings);
Processing Instructions means the Customer’s instructions as set out in clause 3 of the Data Processing Annex as updated from time to time;
Protected Data means Personal Data received from or on behalf of the Customer in connection with the performance of the Company’s obligations under this Agreement;
Sub-Processor means another Data Processor engaged by the Company for carrying out processing activities in respect of the Protected Data on behalf of the Customer;
Supervisory Authority means any local, national or multinational agency, department, official, parliament, public or statutory person or any government or professional body, regulatory or supervisory authority, board or other body responsible for administering Data Protection Laws.
2 Data Processor and Data Controller
2.1 The parties agree that, for the Protected Data, the Customer shall be the Data Controller and the Company shall be the Data Processor.
2.2 The Company shall process Protected Data in compliance with:
2.2.1 the obligations of Data Processors under Data Protection Laws in respect of the performance of its obligations under this Agreement; and
2.2.2 the terms of this Agreement.
2.3 The Customer shall comply with:
2.3.1 all Data Protection Laws in connection with the processing of Protected Data, the Services and the exercise and performance of its respective rights and obligations under this Agreement, including maintaining all relevant regulatory registrations and notifications as required under Data Protection Laws; and
2.3.2 the terms of this Agreement.
2.4 The Customer warrants, represents and undertakes, that:
2.4.1 all data sourced by the Customer for use in connection with the Services shall comply in all respects, including in terms of its collection, storage and processing (which shall include the Customer providing all of the required fair processing information to, and obtaining all necessary consents from, Data Subjects), with Data Protection Laws;
2.4.2 all instructions given by it to the Company in respect of Personal Data shall at all times be in accordance with Data Protection Laws; and
2.4.3 it is satisfied that:
(a) the Company’s processing operations are suitable for the purposes for which the Customer proposes to use the Services and engage the Company to process the Protected Data; and
(b) the Company has sufficient expertise, reliability and resources to implement technical and organisational measures that meet the requirements of Data Protection Laws.
2.5 The Customer shall not unreasonably withhold, delay or condition its agreement to any change requested by the Company in order to ensure the Services and the Company (and each Sub-Processor) can comply with Data Protection Laws.
3 Instructions and details of processing
3.1 Insofar as the Company processes Protected Data on behalf of the Customer, the Company:
3.1.1 unless required to do otherwise by Applicable Law, shall (and shall take steps to ensure each person acting under its authority shall) process the Protected Data only on and in accordance with the Customer’s instructions as set out in this clause 3 and Data Processing Annex (Data processing details), as updated from time to time;
3.1.2 if Applicable Law requires it to process Protected Data other than in accordance with the Processing Instructions, shall use reasonable endeavours to notify the Customer of any such requirement (unless Applicable Law prohibits such information on important grounds of public interest); and
3.1.3 shall promptly inform the Customer if the Company becomes aware of a Processing Instruction that, in the Company’s opinion, infringes Data Protection Laws, provided that:
(a) this shall be without prejudice to clauses 2.3 and 2.4 of this Data Processing Annex;
(b) to the maximum extent permitted by mandatory law, the Company shall have no liability howsoever arising (whether in contract, tort (including negligence) or otherwise) for any losses, costs, expenses or liabilities (including any Data Protection Losses) arising from or in connection with any processing in accordance with the Customer’s Processing Instructions following the Customer’s receipt of that information; and
3.2 The processing of Protected Data to be carried out by the Company under this Agreement shall comprise the processing in relation to the Services (Data processing details), as may be updated from time to time by the Company.
4 Technical and organisational measures
4.1 The Company shall implement and maintain, at its cost and expense, the technical and organisational measures:
4.1.1 in relation to the processing of Protected Data by the Company; and
4.1.2 from the GDPR Date, taking into account the nature of the processing, to assist the Customer insofar as is possible in the fulfilment of the Customer’s obligations to respond to Data Subject Requests relating to Protected Data.
4.2 Any additional technical and organisational measures shall be at the Customer’s cost and expense.
5 Assistance with the Customer’s compliance and Data Subject rights
5.1 The Company shall refer all Data Subject Requests it receives to the Customer within three Business Days of receipt of the request, provided that if the number of Data Subject Requests exceeds 5 per calendar month, the Customer shall pay the Company’s reasonable Charges calculated on a time and materials basis at the Company’s Charges for recording and referring the Data Subject Requests in accordance with this clause 5.1.
5.2 From the GDPR Date, the Company shall provide such reasonable assistance as the Customer reasonably requires (taking into account the nature of processing and the information available to the Company) to the Customer in ensuring compliance with the Customer’s obligations under Data Protection Laws with respect to:
5.2.1 security of processing;
5.2.2 data protection impact assessments (as such term is defined in Data Protection Laws);
5.2.3 prior consultation with a Supervisory Authority regarding high risk processing; and
5.2.4 notifications to the Supervisory Authority and/or communications to Data Subjects by the Customer in response to any Personal Data Breach,
provided the Customer shall pay the Company’s Charges for providing the assistance in this clause 5.2, such Charges to be calculated on a time and materials basis.
6 International data transfers
6.1 The Customer agrees that the Company may transfer Protected Data to countries outside the European Economic Area (EEA) or to any International Organisation(s) (an International Recipient), provided all transfers by the Company of Protected Data to an International Recipient shall (to the extent required under Data Protection Laws) be effected by way of Appropriate Safeguards and in accordance with Data Protection Laws. The provisions of this Agreement shall constitute the Customer’s instructions with respect to transfers in accordance with clause 3.1 of this Data Processing Annex.
6.2 The Customer agrees and gives its informed consent to transfers of Personal Data to countries outside the EEA or to any International Organisation(s) as follows:
6.2.1 comprised in public web pages, emails or otherwise necessary for the performance of the Services under this Agreement;
6.2.2 necessary for the performance of a contract made in the interests of the individual between the controller and another person;
6.2.3 necessary for important reasons of public interest;
6.2.4 necessary for the establishment, exercise or defence of legal claims;
6.2.5 necessary to protect the vital interests of the data subject or other persons, where the data subject is physically or legally incapable of giving consent; or
6.2.6 made from a register which under UK or EU law is intended to provide information to the public (and which is open to consultation by either the public in general or those able to show a legitimate interest in inspecting the register).
7 Breach notification
7.1 In respect of any Personal Data Breach involving Protected Data, the Company shall, without undue delay, and where feasible, not later than 72 hours after having become aware of it:
7.1.1 notify the Customer of the Personal Data Breach; and
7.1.2 provide the Customer with details of the Personal Data Breach.
8 Deletion or return of Protected Data and copies
8.1 The Company shall, at the Customer’s written request, either delete or return all the Protected Data to the Customer in such form as the Customer reasonably requests within a reasonable time after the earlier of:
8.1.1 the end of the provision of the relevant Services related to processing; or
8.1.2 once processing by the Company of any Protected Data is no longer required for the purpose of the Company’s performance of its relevant obligations under this Agreement,
and delete existing copies, unless storage of any data is necessary to exercise the right of freedom of expression and information, to comply with a legal obligation, for the performance of a task carried out in the public interest or in the exercise of official authority, for archiving purposes in the public interest, scientific research, historical research or statistical purposes where erasure is likely to render impossible or seriously impair the achievement of that processing, or for the establishment, exercise or defence of legal claims, or is otherwise required by Applicable Law.
8.2 If the Company reasonably considers the Customer’s request under clause 8 to be manifestly unfounded or excessive, the Company may:
8.2.1 request that the Customer pay a reasonable fee in advance, based on the administrative costs of complying with the request; or
8.2.2 refuse to deal with the request.
In the case of 8.2.1 above, the Company will not be required to comply with the Customer’s request unless and until the Company has received the fee.
9 Liability, indemnities and compensation claims
9.1 The Customer shall indemnify and keep indemnified the Company in respect of all Data Protection Losses suffered or incurred by, awarded against or agreed to be paid by, the Company and any Sub-Processor arising from or in connection with any:
9.1.1 non-compliance by the Customer with the Data Protection Laws;
9.1.2 processing carried out by the Company or any Sub-Processor pursuant to any Processing Instruction that infringes any Data Protection Law; or
9.1.3 breach by the Customer of any of its obligations under clauses 1 to 10 of this Data Processing Annex (inclusive),
except to the extent the Company is liable under clause 9.2 of this Data Processing Annex.
9.2 The Company shall be liable for Data Protection Losses (howsoever arising, whether in contract, tort (including negligence) or otherwise) under or in connection with this Agreement:
9.2.1 only to the extent caused by the processing of Protected Data under this Agreement and directly resulting from the Company’s breach of clauses 1 to 10 of this Data Processing Annex; and
9.2.2 in no circumstances to the extent that any Data Protection Losses (or the circumstances giving rise to them) are contributed to or caused by any breach of this Agreement by the Customer (including in accordance with clause 3.1.3(b) of this Data Processing Annex).
9.3 If the Customer receives a compensation claim from a person relating to processing of Protected Data, it shall promptly provide the Company with notice and full details of such claim. The Customer shall:
9.3.1 make no admission of liability nor agree to any settlement or compromise of the relevant claim without the prior written consent of the other party (which shall not be unreasonably withheld or delayed); and
9.3.2 consult fully with the Company in relation to any such action.
9.4 The parties agree that the Customer shall not be entitled to claim back from the Company any part of any compensation paid by the Customer in respect of such damage to the extent that the Customer is liable to indemnify the Company in accordance with clause 9.1 of the Data Processing Annex.
9.5 This clause 9 of the Data Processing Annex is intended to apply to the allocation of liability for Data Protection Losses as between the parties, including with respect to compensation to Data Subjects, notwithstanding any provisions under Data Protection Laws to the contrary, except:
9.5.1 to the extent not permitted by Applicable Law (including Data Protection Laws); and
9.5.2 that it does not affect the liability of either party to any Data Subject.
10 Survival of data protection provisions
10.1 Clauses 1 to 10 (inclusive) of this Data Processing Annex shall survive termination (for any reason) or expiry of this Agreement and continue:
10.1.1 indefinitely in the case of clauses 9 to 10 (inclusive); and
10.1.2 until 12 months following the earlier of the termination or expiry of this Agreement in the case of clauses 1 to 8 (inclusive),
provided always that any termination or expiry of clauses 1 to 8 (inclusive) shall be without prejudice to any accrued rights or remedies of either party under any such clauses at the time of such termination or expiry.