Data Processor Agreement


This data processing agreement forms part of the contract between the undersigned parties and is made effective from 25/05/2018:
(i) The Company (“Controller”)
And
(ii) Decora Blinds Limited, a company incorporated in Northern Ireland under Company Number NI061652 whose trading address is 1 Ferguson Drive, Lisburn, BT28 2FL (“Processor”)
1. Term of Agreement
1.1 This agreement supplements the Principal Contract and makes legally binding provisions for compliance with the Data Protection Laws as set forth in this agreement. As required by the relevant Data Protection Laws, all processing of personal data by a data processor on behalf of a data controller shall be governed by a contract. The terms, obligations and rights set forth in this agreement relate directly to the processing activities and conditions laid out in Schedule 1.
1.2 The terms used in this agreement have the meanings set out in the ‘Definitions’ section of this document, with any capitalised terms not otherwise defined having the meaning given to them in the Principal Contract.
2. Definitions
2.1 In this Agreement, unless the context specifically requires otherwise, the following words shall have the meanings set out below:
2.2 “data controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the data controller or the specific criteria for its nomination may be provided for by Union or Member State law.
2.3 “consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
2.4 “Data Protection Laws” means all applicable Data Protection Laws, including the General Data Protection Regulation (GDPR) (EU 2016/679), implementing legislation and, to the extent applicable, the data protection or privacy laws of any other country.
2.5 “EEA” means the European Economic Area.
2.6 “Effective Date” means the date on which this agreement comes into force.
2.7 “Personal data” means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
2.8 “GDPR” means the General Data Protection Regulation (EU) 2016/679.
2.9 “Principal Contract” means the main contract between the parties named in this agreement.
2.10 “processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
2.11 “data processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of a data controller.
2.12 “third-party” means a natural or legal person, public authority, agency or body other than the data subject, data controller, data processor and persons who, under the direct authority of the data controller or data processor, are authorised to process personal data.
2.13 “sub-processor” means any person or entity appointed by or on behalf of the Processor to process personal data on behalf of the Controller.
2.14 “supervisory authority” means an independent public authority which is established by a Member State pursuant to Article 51 of the GDPR.
3. Obligations and Rights of the Processor
3.1 The Processor shall comply with the relevant Data Protection Laws and must:
a) Only act on the written instructions of the Controller.
b) Ensure that people processing the data are subject to a duty of confidence.
c) Ensure that any natural person acting under its authority who has access to personal data does not process that data except on instructions from the Controller.
d) Use its best endeavours to safeguard and protect all personal data from unauthorised or unlawful processing, including (but not limited to) accidental loss, destruction or damage, and ensure the security of processing by implementing, and being able to demonstrate, the appropriate technical and organisational measures specified in Schedule 1 of this agreement.
e) Ensure that all processing meets the requirements of the GDPR and related Data Protection Laws and is in accordance with the Data Protection principles as set out under GDPR.
f) Ensure that where a sub-processor is used, it:
i) Only engages a sub-processor with the prior written consent of the Controller.
ii) Informs the Controller of any intended changes concerning the addition or replacement of sub-processors.
iii) Implements a written contract with the sub-processor containing the same data protection obligations as set out in this agreement, in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of the Data Protection Laws.
iv) Remains fully liable to the Controller for the performance of the sub-processor’s obligations where the sub-processor fails to comply with the Data Protection Laws or the relevant data processing agreement.
g) Assist the Controller in providing subject access and allowing data subjects to exercise their rights under the Data Protection Laws.
h) Assist the Controller in meeting its data protection obligations in relation to:
i) The security of processing.
ii) Data protection impact assessments.
iii) The investigation and notification of personal data breaches.
i) Delete or return all personal data to the Controller, as the Controller requests, at the end of the contract.
j) Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in the relevant Data Protection Laws and allow for, and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.
k) Inform the Controller immediately if it has carried out, or is instructed to carry out, any processing that in its opinion infringes the GDPR or other data protection law of the EU or a Member State.
l) Co-operate with supervisory authorities in accordance with GDPR Article 31.
m) Notify the Controller of any personal data breaches in accordance with GDPR Article 33.
3.2 Nothing within this agreement relieves the Processor of its own direct responsibilities, obligations and liabilities under the General Data Protection Regulation (GDPR) or other Data Protection Laws.
3.3 The Processor is responsible for ensuring that each of its employees, agents, subcontractors and vendors is made aware of the obligations regarding the security and protection of the personal data and of the terms set out in this agreement.
3.4 The Processor shall maintain induction and training programs that adequately reflect the Data Protection Law requirements and regulations, and ensure that all employees are afforded the time, resources and budget to undertake such training on a regular basis.
3.5 Any transfer of personal data to a third party outside the EEA shall be carried out only on documented instructions from the Controller, unless the Processor is required to make the transfer by Union or Member State law. Where such a legal requirement exists, the Processor shall inform the Controller of that legal requirement before processing.
3.6 The Processor shall maintain records of processing activities in writing, including in electronic form, and shall make the records available to the supervisory authority on request.
3.7 When assessing the appropriate level of security and the resulting technical and organisational measures, the Processor shall consider the risks presented by any processing activities, in particular the risks of accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
4. Obligations and Rights of the Controller
4.1 The Controller is responsible for verifying the validity and suitability of the Processor before entering into a business relationship.
4.2 The Controller shall comply with all applicable parts of the Data Protection Laws.
4.3 The Controller will ensure that it has all necessary and appropriate consents and notices in place to enable lawful transfer of the personal data to the Processor for the duration and purposes of this agreement, and for the processing of that personal data as envisaged by this agreement.
4.4 The Controller will ensure that the personal data transferred under this agreement is accurate and is solely responsible for the accuracy of the personal data transferred to the Processor.
4.5 The Controller shall refrain from providing instructions which are not in accordance with applicable laws and, in the event that such instructions are given, the Processor is entitled to resist carrying out such instructions.
4.6 Where the Controller has authorised the use of any sub-processor by the Processor, the details of the sub-processor will be added to Schedule 2 of this agreement by the Processor.
5. Penalties & Termination
5.1 By signing this agreement, the parties confirm that they understand the legal and enforcement actions that they may be subject to should they fail to uphold the agreement terms or breach the Data Protection Laws.
5.2 This agreement may be terminated by either the Controller or the Processor only with the written consent of both parties.
6. General Information
6.1 The provisions of this agreement are in addition to the Principal Contract. In the event of a conflict or ambiguity between this document and the Principal Contract, the provisions of this agreement shall prevail.
6.2 No third party shall have any rights to enforce any of the terms of this agreement, whether under the Contracts (Rights of Third Parties) Act 1999 or otherwise.
6.3 Any variation of this agreement shall only be effective if it is in writing and signed on behalf of both parties.
6.4 Each of the clauses of this agreement operates separately. If any court or relevant authority decides that any of them is unlawful or unenforceable, the remaining clauses will remain in full force and effect.