Details of data processed are in the client's Front Sheet or Purchase Order

Data Processing Agreement

Details of data processed are in the client's Front Sheet or Purchase Order


(A) HGEM has agreed to carry out processing of Personal Data on behalf of the Client on the terms set out in this agreement.

(B) This is a an addendum to the commercial business terms established by the parties (the Existing Terms).

(C) This supplemental agreement does not override the Existing Terms, which continue to apply. However, where there is a conflict between the Existing Terms and this supplemental agreement in relation to the processing of personal data, the parties agree that this supplemental agreement shall prevail.



1.1 The definitions and rules of interpretation in this clause apply in this agreement.

Applicable Laws: the laws of any member of the European Union or the laws of the European Union applicable to HGEM in force from time to time.

Data Protection Legislation: all applicable privacy and data protection laws including the General Data Protection Regulation (EU) 2016/679) and any applicable national implementing laws, regulations and secondary legislation in England and Wales relating to the processing of Personal Data, as amended, replaced or updated from time to time, including the Data Protection Act 2018 and any successor legislation.

Data Controller: as defined in the Data Protection Legislation.

Data Processor: as defined in the Data Protection Legislation.

Data Protection Losses: all liabilities and other amounts, including all costs (including legal costs), claims, demands, actions, settlements, interest, charges, procedures, expenses, losses and damages (including relating to material or non-material damage), loss or damage to reputation, brand or goodwill and, to the extent permitted by Applicable Law:

(i) administrative fines, penalties, sanctions, liabilities or other remedies imposed by a supervisory authority;

(ii) compensation paid to a Data Subject (including compensation to protect goodwill and ex gratia payments); and

(iii) costs of compliance with investigations by a supervisory authority.

Data Subject: as defined in the Data Protection Legislation.

Front Sheet: the front sheet incorporating these Conditions and containing specific details in respect of the supply of Services. This may be in the form of a Purchase Order.

GDPR: the General Data Protection Regulation 2018.

Personal Data: as defined in the Data Protection Legislation.

Personal Data Breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.

Protected Data: means Personal Data received from or on behalf of the Client, or otherwise obtained in connection with the performance of the HGEM’s obligations under the Existing Terms.

1.2 Clause, Front Sheet and paragraph headings shall not affect the interpretation of this agreement.

1.3 The Front Sheet forms part of this agreement and shall have effect as if set out in full in the body of this agreement. Any reference to this agreement includes the Front Sheet.

1.4 References to clauses and the Front Sheet are to the clauses and the Front Sheet of this agreement and references to paragraphs are to paragraphs of the Front Sheet.

1.5 A person includes a natural person, corporate or unincorporated body (whether or not having separate legal personality).

1.6 A reference to a company shall include any company, corporation or other body corporate, wherever and however incorporated or established.

1.7 Unless the context otherwise requires, words in the singular shall include the plural and in the plural shall include the singular.

1.8 A reference to a statute or statutory provision is a reference to it as amended, extended or re-enacted from time to.

1.9 A reference to a statute or statutory provision shall include all subordinate legislation made from time to time under that statute or statutory provision.

1.10 A reference to writing or written includes e-mail.

1.11 Any obligation on a party not to do something includes an obligation not to allow that thing to be done.


2.1 Both parties will comply with all applicable requirements of the Data Protection Legislation. This agreement is in addition to, and does not relieve, remove or replace, a party's obligations under the Data Protection Legislation.

2.2 The parties acknowledge that for the purposes of the Data Protection Legislation, the Client is the Data Controller and HGEM is the Data Processor of or in relation to the Protected Data.


3.1 The Front Sheet sets out the scope, nature and purpose of processing by HGEM, the duration of the processing and the types of personal data and categories of Data Subject.

3.2 Without prejudice to the generality of clause ‎2.1, the Client will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the Protected Data to HGEM for the duration and purposes of this agreement.

3.3 Without prejudice to the generality of clause 2.1, HGEM shall (and shall ensure that each person acting under its authority shall), in relation to any Protected Data processed in connection with the performance by HGEM of its obligations under the Existing Terms:

3.3.1 process that Protected Data only on and in accordance with the written instructions of the Client, as set out in the Front Sheet and as updated from time to time by the written agreement of the parties, unless HGEM is required by Applicable Laws to process the Protected Data;

3.3.2 where HGEM is relying on Applicable Laws as the basis for processing Protected Data, HGEM will notify the Client of this before performing the processing required by the Applicable Laws unless those Applicable Laws prohibit HGEM from doing so; and

3.3.3 without prejudice to its obligations under clause 2.1, inform the Client in writing if, in HGEM’s opinion, any processing is reasonably likely to infringe the Data Protection Legislation or any other Applicable Laws and explain the reasons for its opinion.


4.1 HGEM shall implement and maintain appropriate technical and organisational measures in relation to the processing of Protected Data:

4.1.1 such that the processing will meet the requirements of Data Protection Legislation and ensure the rights of Data Subjects are protected; and

4.1.2 so as to ensure a level of security in respect of Protected Data processed by it that is appropriate to the risks that are presented by the such processing.


5.1 HGEM shall:

5.1.1 not permit any processing of Protected Data by any agent, subcontractor or other third party (except its or its sub-processors’ own employees in the course of their employment that are subject to an enforceable obligation of confidence with regards to the Protected Data) without the prior written authorisation of the Client;

5.1.2 prior to the relevant sub-processor carrying out any processing activities in respect of the Protected Data, appoint a sub-processor under a written contract containing materially the same obligations as under this agreement; and

5.1.3 ensure that all persons authorised by HGEM to process Protected Data are obliged to keep the Protected Data confidential.

5.2 The Client requests that HGEM shares [INSERT THE TYPE OF DATA*] with [INSERT DETAILS OF THE THIRD PARTY/PARTIES*] via the HGEM Results API for further processing on behalf of the Client.

* As detailed on the Service Agreement Front Sheet


6.1 HGEM shall (at HGEM’s cost, subject to such costs being limited to reasonable costs):

6.1.1 assist the Client (by appropriate technical and organisational measures), insofar as reasonably practicable, for the fulfilment of the Client’s obligations to respond to requests from a Data Subject;

6.1.2 assist the Client in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators; and

6.1.3 notify the Client without undue delay and in writing on becoming aware of any personal data breach in respect of any Protected Data.


7.1 HGEM shall not, without the prior written consent of the Client, process and/or transfer any Protected Data in or to countries outside of the European Economic Area.


8.1 HGEM shall:

8.1.1 maintain complete and accurate records to demonstrate its compliance with this agreement; and

8.1.2 allow for audits by the Client or the Client’s designated auditor.


9.1 At the written direction of the Client, HGEM shall delete or return the Protected Data and copies thereof to the Client on termination of the agreement unless required by Applicable Law to store the Protected Data.


10.1 The Client shall indemnify and keep indemnified HGEM in respect of all Data Protection Losses suffered or incurred by, awarded against or agreed to be paid by, HGEM arising from or in connection with any breach by the Client of any of its obligations under this agreement.

10.2 This clause 10 is intended to apply to the allocation of liability for Data Protection Losses as between the parties, including with respect to compensation to Data Subjects, notwithstanding any provisions under the Data Protection Legislation to the contrary, except to the extent that:

10.2.1 it is not permitted by Applicable Law (including Data Protection Legislation); and

10.2.2 it does not affect the liability of either party to any Data Subject.


This agreement and any dispute or claim arising out of or in connection with it or its subject matter or formation (including non-contractual disputes or claims) shall be governed by and construed in accordance with the law of England and Wales.

This agreement has been entered into on the date stated on the Front Sheet or Purchase Order.