Data protection
SCHEDULE ONE - DATA PROTECTION ADDENDUM
1. Definitions
1.1 In this Schedule:
means applicable law of the United Kingdom (or of a part of the United Kingdom);
has the meaning given in applicable Data Protection Laws from time to time;
means all applicable law relating to the processing, privacy and/or use of Personal Data, as applicable to either Party or the Services, including:
the GDPR;
the Data Protection Act 2018;
any laws which implement any such laws;
any laws that replace, extend, re-enact, consolidate or amend any of the foregoing; and
all guidance, guidelines and codes of practice issued by any relevant Data Protection Supervisory Authority relating to such Data Protection Laws (in each case whether or not legally binding);
means any regulator, authority or body responsible for administering Data Protection Laws;
has the meaning given in applicable Data Protection Laws from time to time;
means the General Data Protection Regulation, Regulation (EU) 2016/679, as it forms part of domestic law in the United Kingdom by virtue of section 3 of the European Union (Withdrawal) Act 2018 (including as further amended or modified by the laws of the United Kingdom or of a part of the United Kingdom from time to time);
has the meaning given in applicable Data Protection Laws from time to time;
has the meaning given in applicable Data Protection Laws from time to time;
has the meaning given in applicable Data Protection Laws from time to time;
has the meaning given in applicable Data Protection Laws from time to time (and related expressions, including process, processed, and processes shall be construed accordingly);
has the meaning given in applicable Data Protection Laws from time to time;
means Personal Data received by a Party from or on behalf of the other Party, or otherwise obtained in connection with the performance of the obligations under this Agreement; and
means any agent, sub-contractor or other third party engaged by the Company (or by any other Sub-Processor) for carrying out any processing activities in respect of the Protected Data.
1.2 Unless otherwise expressly stated in this Agreement the Company’s obligations and the Client’s rights and remedies under this Schedule are cumulative with, and additional to, any other provisions of this Agreement.
2. Compliance with Data Protection Laws
The Parties agree that the Client is a Controller and that the Company is a Processor for the purposes of processing Protected Data pursuant to this Agreement. Each Party shall, and shall ensure its Sub-Processors and each of the Company Personnel shall, at all times comply with all Data Protection Laws in connection with the processing of Protected Data and the provision of the Services. Nothing in this Agreement relieves either Party of any responsibilities or liabilities under Data Protection Laws.
3. Instructions
Each Party shall only process (and shall ensure its Personnel only process) the Protected Data in accordance with the purpose of this Agreement and the other Party’s written instructions from time to time, except where otherwise required by applicable law (and in such a case shall inform the other Party of that legal requirement before processing, unless applicable law prevents it from doing so on important grounds of public interest). Each Party shall immediately inform the other Party if any instruction relating to the Protected Data infringes or may infringe any Data Protection Law.
4. Security
The Parties shall at all times implement and maintain appropriate technical and organisational measures to protect Protected Data against accidental, unauthorised or unlawful destruction, loss, alteration, disclosure or access.
5. Sub-processing and Personnel
Neither Party shall permit any processing of Protected Data by any agent, sub-contractor or other third party (except its own employees and sub-contractors) without the prior specific written authorisation of that Sub-Processor by the other Party, and only then subject to such conditions as the other Party may require.
The Company shall ensure that access to Protected Data is limited to the authorised persons who need access to it to supply the Services.
6. Assistance
6.1 Each Party shall promptly provide such information and assistance (including by taking all appropriate technical and organisational measures) as the other Party may require in relation to the fulfilment of the other Party’s obligations to respond to requests for exercising the Data Subjects’ rights under Chapter III of the GDPR (and any similar obligations under applicable Data Protection Laws).
6.2 Each Party shall provide such information, co-operation and other assistance to the other Party as the other Party reasonably requires (taking into account the nature of processing and the information available to each Party) to ensure compliance with the other Party’s obligations under Data Protection Laws, including with respect to:
security of processing;
data protection impact assessments (as that term is defined in Data Protection Laws);
prior consultation with a Data Protection Supervisory Authority regarding high-risk processing; and
any remedial action and/or notifications to be taken in response to any Personal Data Breach and/or any complaint or request relating to either Party’s obligations under Data Protection Laws relevant to this Agreement, including (subject in each case to the Client’s prior written authorisation) regarding any notification of the Personal Data Breach to Data Protection Supervisory Authorities and/or communication to any affected Data Subjects.
7. Data Subject Requests
7.1 The Company shall (at the Client’s cost) record and refer to the Client all requests and communications received from Data Subjects or any Data Protection Supervisory Authority which relate (or which may relate) to any Protected Data promptly (and in any event within seven days of receipt), and shall not respond to any such request or communication without the Client’s express written approval and strictly in accordance with the Client’s instructions, unless and to the extent required by law.
8. International Transfers
8.1 Neither Party shall process and/or transfer, or otherwise directly or indirectly disclose, any Protected Data in or to any country or territory outside the United Kingdom or to any International Organisation without the prior written authorisation of the other Party (which may be refused or granted subject to such conditions as the other Party deems necessary).
9. Audit
9.1 The Company shall (and shall ensure all Sub-Processors shall) promptly make available to the Client (at the Client’s cost) such information as is reasonably required to demonstrate the Company’s and the Client’s compliance with their respective obligations under this Schedule and the Data Protection Laws, and allow for, permit and contribute to audits, including inspections, by the Client (or another auditor mandated by the Client) for this purpose at the Client’s request from time to time. The Company shall provide (or procure) access to all relevant premises, systems, personnel and records during normal business hours for the purposes of each such audit or inspection upon reasonable prior notice (not being more than seven Business Days) and provide and procure all further reasonable co-operation, access and assistance in relation to any such audit or inspection.
10. Breach
10.1 Each Party shall promptly (and in any event within 48 hours) notify the other Party if it (or any of its Sub-Processors or the Company Personnel) suspects or becomes aware of any suspected, actual or threatened occurrence of any Personal Data Breach in respect of any Protected Data.
10.2 That Party shall promptly (and in any event within 48 hours) provide all information as the other Party requires to report the circumstances referred to in paragraph 10.1 (above) to a Data Protection Supervisory Authority and to notify affected Data Subjects under Data Protection Laws.
11. Deletion/Return
11.1 Each Party shall (and shall ensure that each of its Sub-Processors and Company Personnel shall) without delay (and in any event within seven days), at the other Party’s written request, either securely delete or securely return all the Protected Data to the other Party in such form as the other Party reasonably requests after the earlier of:
the end of the provision of the relevant Services related to processing of such Protected Data; or
once processing by the Party of any Protected Data is no longer required for the purpose of the Party’s performance of its relevant obligations under this Agreement,
and shall securely delete existing copies (except to the extent that storage of any such data is required by applicable law and, if so, the Party shall inform the other Party of any such requirement (together with confirmation of the relevant law(s))).
12. Survival
12.1 This Schedule shall survive termination or expiry of this Agreement for any reason.
13. Rights of Data Subjects
13.1 Nothing in this Agreement affects the rights of Data Subjects under Data Protection Laws (including those in Articles 79 and 82 of the GDPR or in any similar Data Protection Laws) against the Client, the Company or any Sub-Processor.