Info
This Data Processing Agreement ("DPA") is a legally enforceable contract entered into and made effective as of the date on the Service Agreement ("Effective Date") by and between HGEM Ltd, an English corporation with its principal location at Kings Court, Parsonage Lane, Bath, BA1 1ER ("Service Provider"), and the customer named on the Service Agreement who has entered into a Contract with the Service Provider ("Customer"). Service Provider and Customer are sometimes referred to in this DPA individually as a "Party" and collectively as the "Parties".
This DPA is incorporated by reference into the main agreement between the Parties for the provision by Service Provider to Customer of Service Provider’s software and/or services referred to as the Service Provider’s Commercial Terms & Conditions (such software and/or services being the “Services” and such agreement being the “Main Agreement”). Notwithstanding its mutual execution, this DPA shall apply only to the extent Customer is established within the EEA (as defined below) or Switzerland or is otherwise caught by applicable EEA or Swiss data protection laws by virtue of their extra-territorial effect.
⠀
Definitions
In this DPA:
Applicable Law: means as applicable and binding on the Customer, Service Provider and/or the Services:
(a) any law, statute, regulation, by-law or subordinate legislation in force from time to time to which a Party is subject and/or in any jurisdiction that the Services are provided to or in respect of;
(b) the common law and laws of equity as applicable to the Parties from time to time;
(c) any binding court order, judgment or decree; or
(d) any applicable direction, policy, rule or order that is binding on a Party and that is made or given by any regulatory body having jurisdiction over a Party or any of that Party’s assets, resources or business;
Business Days: a day other than a Saturday, Sunday or public holiday in in the country in which the Services are provided;
Data Controller: has the meaning given to that term (or to the term ‘controller’) in Data Protection Laws;
Data Processor: has the meaning given to that term (or to the term ‘Processor’) in Data Protection Laws;
Data Subject: has the meaning given to that term in Data Protection Laws;
Data Subject Request: means a request made by a Data Subject to exercise any rights of Data Subjects under Data Protection Laws;
Data Protection Laws: means as applicable and binding on the Customer, Service Provider and/or the Services:
(a) in the United Kingdom:
(i) the Data Protection Act 2018; and/or
(ii) the GDPR, and/or any corresponding or equivalent national laws or regulations;
(b) in member states of the European Union: the GDPR and all relevant member state laws or regulations giving effect to, replacing or supplementing the same; and
(c) any Applicable Laws replacing, amending, extending, re-enacting or consolidating any of the above Data Protection Laws from time to time;
Data Protection Losses means all liabilities arising under Data Protection Laws, including all:
(a) costs (including legal costs), claims, demands, actions, settlements, interest, charges, procedures, expenses, losses and damages (including relating to material or non-material damage); and
(b) to the extent permitted by Applicable Law:
(i) administrative fines, penalties, sanctions, liabilities or other remedies imposed by a Supervisory Authority;
(ii) compensation which is ordered by a Supervisory Authority to be paid to a Data Subject; and
(iii) the reasonable costs of compliance with investigations by a Supervisory Authority;
EEA: means the European Economic Area, which constitutes the member states of the European Union and Norway, Iceland and Liechtenstein, as well as, for the purposes of this DPA, the United Kingdom.
GDPR: means the General Data Protection Regulation (EU) 2016/679;
International Recipient: has the meaning given to that term in Section 6.1;
Personal Data: has the meaning given to that term in Data Protection Laws;
Personal Data Breach: means any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, any Protected Data;
Processing: has the meaning given to that term in Data Protection Laws (and related terms such as Process have corresponding meanings);
Processing Instructions: has the meaning given to that term in Section 2.1.1;
Protected Data: means Personal Data received from or on behalf of the Customer in connection with the performance of Service Provider ’s obligations under this DPA or otherwise under the Main Agreement;
Standard Contractual Clauses: means the standard contractual clauses for the transfer of personal data to processors established in third countries, as approved by the European Commission in Decision 2010/87/EU, or any set of clauses approved by the European Commission which amends, replaces or supersedes these;
Sub-Processor: means another Data Processor engaged by Service Provider for carrying out Processing activities in respect of the Protected Data on behalf of the Customer; and
Supervisory Authority: means any local, national or multinational agency, department, official, parliament, public or statutory person or any government or professional body, regulatory or supervisory authority, board or other body responsible for administering Data Protection Laws.
References to any Applicable Laws (including to the Data Protection Laws and each of them) and to terms defined in such Applicable Laws shall be replaced with or incorporate (as the case may be) references to any Applicable Laws replacing, amending, extending, re-enacting or consolidating such Applicable Law (including the GDPR and any new Data Protection Laws from time to time) and the equivalent terms defined in such Applicable Laws, once in force and applicable.
A reference to a law includes all subordinate legislation made under that law.
⠀
1 Data Processor and Data Controller
1.1 The Parties agree that, for the Protected Data, the Customer shall be the Data Controller and Service Provider shall be the Data Processor.
1.2 Service Provider shall Process Protected Data in compliance with:
1.2.1 the obligations of Data Processors under Data Protection Laws in respect of the performance of its obligations under this DPA; and
1.2.2 the terms of this DPA.
1.3 The Customer shall comply with:
1.3.1 all Data Protection Laws in connection with the Processing of Protected Data, the Services and the exercise and performance of its respective rights and obligations under this DPA, including maintaining all relevant regulatory registrations and notifications as required under Data Protection Laws; and
1.3.2 the terms of this DPA.
1.4 The Customer warrants, represents and undertakes, that:
1.4.1 all data sourced by the Customer for use in connection with the Services, prior to such data being provided to or accessed by Service Provider for the performance of the Services under this DPA, shall comply in all respects, including in terms of its collection, storage and Processing, with Data Protection Laws (which shall include the Customer providing all of the required fair Processing information to Data Subjects and maintaining for the term of this DPA the necessary legal grounds for transferring the Protected Data to Service Provider and allowing Service Provider to perform the Processing contemplated by this DPA);
1.4.2 all instructions given by it to Service Provider in respect of Personal Data shall at all times be in accordance with Data Protection Laws;
1.4.3 it has undertaken due diligence in relation to Service Provider's Processing operations, and it is satisfied that:
(a) Service Provider's Processing operations are suitable for the purposes for which the Customer proposes to use the Services and engage Service Provider to Process the Protected Data; and
(b) Service Provider has sufficient expertise, reliability and resources to implement technical and organisational measures that meet the requirements of Data Protection Laws;
1.4.4 it shall notify the Service Provider in the event of any change to the nature of the Protected Data, including its type and the categories of the relevant Data Subjects.
1.5 The Customer shall not withhold, delay or condition its agreement to any change requested by Service Provider in order to ensure the Services and Service Provider (and each Sub-Processor) can comply with Data Protection Laws.
2 Instructions and details of Processing
2.1 Insofar as Service Provider Processes Protected Data on behalf of the Customer, Service Provider:
2.1.1 unless required to do otherwise by Applicable Law, shall (and shall take steps to ensure each person acting under its authority shall) Process the Protected Data as agreed under the Main Agreement and in accordance with Service Provider’s standard procedures, this DPA, and Schedule 1 hereto (together, the “Processing Instructions”);
2.1.2 if Applicable Law requires it to Process Protected Data other than in accordance with the Processing Instructions, shall inform the Customer of any such requirement before Processing the Protected Data (unless Applicable Law prohibits such information on important grounds of public interest); and
2.1.3 shall inform the Customer if Service Provider becomes aware of a Processing Instruction that, in Service Provider ’s opinion, infringes Data Protection Laws, provided that:
(a) this shall be without prejudice to Sections 1.3 and 1.4; and
(b) to the maximum extent permitted by mandatory law, Service Provider shall have no liability howsoever arising (whether in contract, tort (including negligence) or otherwise) for any losses, costs, expenses or liabilities (including any Data Protection Losses) arising from or in connection with any Processing in accordance with the Customer's additional Processing Instructions following the Customer's receipt of that information.
3 Technical and organisational measures
3.1 Service Provider shall implement and maintain, at its cost and expense, the technical and organisational measures set out in Schedule 2, provided that Service Provider reserves the right to make changes to such technical and organisational measures, taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of the Data Subjects.
3.2 Any additional technical and organisational measures are subject to agreement by Service Provider and shall be at the Customer’s cost and expense.
3.3 The Customer shall ensure that, if feasible, any Protected Data in respect of which Service Provider is requested to provide support and maintenance services under this agreement are anonymised prior to Service Provider being granted access to them.
4 Using staff and other Processors
4.1 Customer agrees that Service Provider may engage Sub-Processors. Service Provider will impose on such Sub-Processors data protection terms that protect the Protected Data to the same standard provided for by this DPA. Upon Customer’s request, Service Provider will provide to Customer a list of the then-current Sub-Processors. The list of Sub-Processors as per the date of this Agreement is outlined
4.2 Service Provider may, by giving no less than 30 days’ prior notice to Customer, add or make changes to the Sub-Processors. Customer may object to the appointment of an additional Sub-Processor within 14 calendar days of such notice on reasonable grounds relating to the protection of the Protected Data, in which case Service Provider shall have the right to cure the objection through one of the following options (to be selected at Service Provider’s sole discretion):
4.2.1 Service Provider will cancel its plans to use the Sub-Processor with regard to Protected Data or will offer an alternative to provide the Services without such Sub-Processor; or
4.2.2 Service Provider will take the corrective steps requested by Customer in its objection (which remove Customer’s objection) and proceed to use the Sub-Processor with regard to Protected Data; or
4.2.3 Service Provider may cease to provide or Customer may agree not to use (temporarily or permanently) the particular aspect of the Services that would involve the use of such Sub-Processor with respect to Protected Data, subject to a mutual agreement of the Parties to adjust the remuneration for the Services.
If none of the above options are reasonably available and the objection has not been resolved to the mutual satisfaction of the Parties within 30 days after Service Provider’s receipt of Customer’s objection, either Party may terminate the Main Agreement for its convenience pursuant to the terms of the Main Agreement, or, if the Main Agreement contains no such terms, on no less than 60 days’ advance written notice.
4.3 Service Provider may replace a Sub-Processor without advance notice to Customer if the reason for the change is beyond Service Provider’s reasonable control, in which event Service Provider shall notify Customer of the replacement as soon as reasonably practicable and Customer shall retain the right to object to the replacement Sub-Processor pursuant to Section 4.2 above.
4.4 To the extent the appointment of any Sub-processor may result in the transfer of Protected Data outside the EEA to a country not recognised by the European Commission as having an adequate level of protection for Personal Data, Customer hereby authorizes Service Provider to enter into Standard Contractual Clauses with such Sub-processor as agent on its behalf to ensure the adequate protection of the transferred Personal Data, or such other arrangement as the Customer may approve as providing an adequate protection in respect of the processing of Protected Data in such third country.
4.5 Service Provider shall ensure that all Service Provider personnel authorised to Process Protected Data are subject to a binding written contractual obligation with Service Provider to keep the Protected Data confidential (except where disclosure is required in accordance with Applicable Law, in which case Service Provider shall, where practicable and not prohibited by Applicable Law, notify the Customer of any such requirement before such disclosure) or are under an appropriate statutory obligation of confidentiality.
5 Assistance with the Customer’s compliance and Data Subject rights
5.1 Service Provider shall provide commercially reasonable assistance, including by appropriate technical and organisational measures as reasonably practicable, to enable Customer to respond to any Data Subject Request, including rights of access, correction, restriction, objection, erasure, or data portability, as applicable. Service Provider shall refer all Data Subject Requests it receives to the Customer within 3 Business Days of receipt of the request, provided that for unreasonably complex or numerous requests (as determined by Service Provider in its sole and reasonable discretion) the Customer shall pay Service Provider’s fees at Service Provider’s rates from time to time in force for recording, referring, or otherwise dealing with the Data Subject Requests in accordance with this Section 5.1.1 For the avoidance of doubt, Customer is responsible for responding to Data Subject Requests.
5.2 Service Provider shall provide such reasonable assistance as the Customer reasonably requires (taking into account the nature of Processing and the information available to Service Provider) to the Customer in ensuring compliance with the Customer’s obligations under Data Protection Laws with respect to:
5.2.1 security of Processing;
5.2.2 data protection impact assessments (as such term is defined in Data Protection Laws);
5.2.3 prior consultation with a Supervisory Authority regarding high risk Processing; and
5.2.4 notifications to the Supervisory Authority and/or communications to Data Subjects by the Customer in response to any Personal Data Breach,
provided the Customer shall pay Service Provider’s generally applicable fees for providing the assistance in this Section 5.2, including time and materials rates or fees for additional technical measures such as software.
6 International data transfers
6.1 Subject to the terms of the Main Agreement, the Customer agrees that Service Provider may transfer Protected Data to countries outside the EEA or to any international organisation(s) (an “International Recipient”), provided all transfers by Service Provider of Protected Data to an International Recipient shall be effected in accordance with Data Protection Laws. In the event any such transfer results in Protected Data being transferred to a country which is not recognized by the European Commission as having an adequate level of protection for Personal Data, the Standard Contractual Clauses set out in Schedule 4 to this DPA shall apply.
6.2 The provisions of this DPA shall constitute the Customer’s instructions with respect to transfers in accordance with Section 2.1. Service Provider will provide a list of any such International Recipients upon request.
7 Records, information and audit
7.1 Service Provider shall maintain, in accordance with Data Protection Laws binding on Service Provider, written records of all categories of Processing activities carried out on behalf of the Customer.
7.2 Service Provider shall, in accordance with Data Protection Laws, make available to the Customer such information as is reasonably necessary to demonstrate Service Provider’s compliance with the obligations of Data Processors under Data Protection Laws.
7.3 Audits by Customer of Service Provider’s activities under this DPA will be as set out in the Main Agreement. If the Main Agreement does not include audit rights, Service Provider and Customer will discuss and agree in advance on the reasonable start date, scope and duration of and security and confidentiality controls applicable to any audit, and Service Provider reserves the right to charge a fee (based on Service Provider’s reasonable costs) for any such audit. Service Provider will provide further details of any applicable fee and the basis of its calculation to Customer in advance of any such audit. Any such audit shall be conducted in such a manner that the Service Provider’s undertakings toward third parties (including, but not limited to, the Service Provider’s customers, partners, and vendors) are in no way jeopardized. All Customer’s representatives or external auditors participating in any such audit shall execute customary confidentiality undertakings towards the Service Provider.
8 Breach notification
8.1 In respect of any Personal Data Breach involving Protected Data, Service Provider shall, without undue delay after becoming aware of the Personal Data Breach:
8.1.1 notify the Customer of the Personal Data Breach; and
8.1.2 provide the Customer with details of the Personal Data Breach.
9 Term
9.1 This DPA shall commence on the Effective Date and shall terminate on the earlier of: (1) the termination of the Main Agreement; or (2) the mutual written agreement of the Parties.
10 Deletion or return of Protected Data and copies
10.1 Service Provider shall, at the Customer’s written request, either delete or return all the Protected Data to the Customer in such form as the Customer reasonably requests within a reasonable time after the earlier of:
10.1.1 the end of the provision of the relevant Services related to Processing; or
10.1.2 once Processing by Service Provider of any Protected Data is no longer required for the purpose of Service Provider’s performance of its relevant obligations under this DPA, and delete existing copies,
unless storage of any data is required by Applicable Law, in which case Service Provider shall inform the Customer of any such requirement.
11 Liability
11.1 The disclaimers and limitations of liability set out under the Main Agreement shall apply also to this DPA.
12 Survival of data protection provisions
12.1 Sections 1 to 13 (inclusive) shall survive termination (for any reason) or expiry of this DPA and continue:
12.1.1 indefinitely in the case of Sections 10 to 13 (inclusive); and
12.1.2 until 12 months following the earlier of the termination or expiry of this DPA in the case Sections 1 to 8 (inclusive), provided always that any termination or expiry of Sections 1 to 8 (inclusive) shall be without prejudice to any accrued rights or remedies of either party under any such Sections at the time of such termination or expiry.
13 Miscellaneous
13.1 In case of any conflict between this DPA and the Main Agreement, the provisions of this DPA shall control as regards the Processing of Protected Data unless expressly stated otherwise herein.
13.2 In the event the Standard Contractual Clauses apply pursuant to Section 6.1, in case of any conflict between the main body and Schedules 1 and 2 of this DPA and the Standard Contractual Clauses, the provisions of the Standard Contractual Clauses shall control.
13.3 Any claims brought under or pursuant to this DPA or otherwise related hereto shall be subject to the terms and conditions of the Main Agreement, including, but not limited to, the exclusions to and limitations of liability set forth therein which shall apply to the liabilities and indemnities under and in connection with this DPA.
⠀
SCHEDULE 1
PROCESSING INSTRUCTIONS
The Customer hereby instructs the Service Provider to carry out Processing of the Customer’s Personal Data for the performance of Services, as per the Main Agreement.
If the Service Provider entrusts the Processing of the Customer’s Protected Data to Sub-Processors, the Service Provider is responsible for entering into written agreements with them. The Service Provider is responsible for ensuring that the Customer’s instructions are sent to any Sub-Processors.
1.1 Purpose of the Processing
Processing of the Protected Data shall take place in accordance with the purpose in the Main Agreement.
1.2 General description of the Processing
Nature & purpose of processing: The Data Processor hosts a website on behalf of the Data Controller for the purpose of inviting customers who have visited the Data Controller’s locations to provide feedback on their experience using a survey form.
Duration of processing: For the duration of the contract.
Types of personal data: Depending on what is requested by the Data Controller for inclusion on the survey form, the types of personal data may include some or all of the following: name, email address, telephone number, postcode, birthday.
1.3 Types of personal data
The Protected Data includes Personal Data of the categories highlighted in bold (not italics) below.
(a) Personal Data:
(b) Sensitive Personal Data:
(c) Data on purely private matters of individuals:
1.4 Categories of data subjects
Data regarding the following categories of data subjects (for example, citizens, pupils, recipients of cash benefits, etc.) are Processed:
Customers of the Data Controller following an experience at one of their venues
⠀
SCHEDULE 2
TECHNICAL AND ORGANISATIONAL MEASURES
Below, the Service Provider will positively indicate in bold (not italics), or otherwise state, the applicable technical and organisational security measures within each section that have been applied to the Processing of Protected Data associated with this agreement.
⠀
1. Confidentiality (Article 32 (1)(a) and (b) GDPR)
Aim: To prevent unauthorized access or disclosure of protected data to individuals, entities or Processes.
(a) Physical Access Control - No unauthorised access to Data Processing Facilities, e.g.:
Relevant when accessing the HGEM office
(b) Electronic Access Control - No unauthorised use of the Data Processing and Data Storage Systems, e.g.:
When accessing digital data from any location or any device
(c) Internal Access Control (permissions for user rights of access to and amendment of data) - No unauthorised Reading, Copying, Changes or Deletions of Data within the system, e.g.:
(d) Isolation Control - The isolated Processing of data e.g.:
(e) Pseudonymisation - The Processing of personal data in such a method/way, that the data cannot be associated with a specific Data Subject without the assistance of additional Information, provided that this additional information is stored separately, and is subject to appropriate technical and organisational measures.
When accessing data stored in databases or images stored in an Azure storage account
⠀
2. Integrity (Article 32 (1)(b) GDPR)
Aim: To provide assurance of consistency, accuracy and trustworthiness of protected data.
(a) Data Transfer Control - No unauthorised Reading, Copying, Changes or Deletions of Data with electronic transfer or transport, e.g.:
(b) Data Entry Control - Verification, whether and by whom personal data is entered into a Data Processing System, is changed or deleted, e.g.:
(c) Data Integrity Control - Awareness or control of changes to data.: e.g.:
⠀
3. Availability and Resilience (Article 32 (1)(b) GDPR)
Aim: To ensure that information is accessible to authorized individuals, entities, or Processes when needed.
(a) Availability Control, e.g.:
(c) Architectural Control; To reduce the possibility of loss of service through architectural/structural design e.g.:
⠀
4. Effectiveness - Procedures for regular testing, assessment and evaluation (Article 32 (1)(d) GDPR)
(a) Data Protection Management, e.g.:
(b) Data Privacy Impact Assessments, e.g.:
(c) Incident Response Management; e.g.:
(d) Data Protection by Design and Default (Article 25 Paragraph 2 GDPR); e.g.:
(e) Order or Contract Control - No third party data Processing as per Article 28 GDPR without corresponding instructions from the Client, e.g.:
⠀
SCHEDULE 3
LIST OF SUB-PROCESSORS
Below is a list of the approved Service Provider’s third-party Sub-Processors as of the date of this DPA. This list may be updated from time to time.
SUPPLIER |
LOCATION |
NATURE OF PROCESSING |
TRANSFER BASIS |
SERVICE DESCRIPTION |
Microsoft |
UK |
Hosting provider Data processor Authentication provider Email service provider |
DPA as published by Microsoft |
Microsoft hosts all HGEM services and supporting systems. Microsoft is the hosting provider for all of HGEM’s services, including database storage, backup storage and uploaded files. All data is stored in the UK South data center. |
Zoho |
Europe |
CRM Help Desk Email campaigns |
DPA as published by Zoho |
Zoho is used for the provision of customer support, via HGEM’s Help Centre, or via emailed support requests. It is also used for CRM and email campaigns. Only basic personal data is captured (first name, last name, job title and email address). Details of support tickets and history are also stored. Zoho data centers for Europe are in Dublin and Amsterdam. |
Destar |
UK |
Call recording |
DPA as published by Destar |
Recording calls made by mystery guests as part of an assessment. Each recording is checked for any personal details which are then edited out. |
Docevent.io |
USA |
SFTP provider |
DPA with standard approved EU model clauses |
Docevent is used for secure transfer of files between technical partners |
Airship |
UK |
CRM provider |
DPA as published by Airship |
For HGEM clients that use Airship as their CRM and for whom HGEM collects customer feedback via a survey site, HGEM will at the request of the client share basic details for adding to a marketing database, but personal data will only be collected for this purpose after the customer has explicitly consented to it. |
Atreemo |
UK |
CRM provider |
DPA as published by Atreemo |
For HGEM clients that use Atreemo as their CRM and for whom HGEM collects customer feedback via a survey site, HGEM will at the request of the client share basic details for adding to a marketing database, but personal data will only be collected for this purpose after the customer has explicitly consented to it. |
Bloomreach |
UK |
CRM provider |
DPA as published by Bloomreach |
For HGEM clients that use Bloomreach as their CRM and for whom HGEM collects customer feedback via a survey site, HGEM will at the request of the client share basic details for adding to a marketing database, but personal data will only be collected for this purpose after the customer has explicitly consented to it. |
Sendgrid |
USA |
Mass Mail delivery service |
DPA with standard approved EU model clauses |
Sendgrid is used to send transactional emails to all our service users |
Toggle |
UK |
Electronic gift card provider |
DPA as published by Toggle |
For HGEM clients that use Toggle as their gift card provider and for whom HGEM collects customer feedback via a survey site, HGEM will at the request of the client share email address for the purpose of Toggle sending a gift card, but only after the customer has explicitly consented to it. |
Fourth |
UK |
Hospitality systems provider |
DPA as published by Fourth |
For HGEM clients that use the Fourth Engage app for their employees, and for whom HGEM collects employee feedback via a survey site, HGEM will at the request of the client add feedback tasks to the Fourth Engage app for employees that have certain criteria, such as length of service and department. Doing so requires a database query to identify such employees, but the data is not stored by HGEM. |
Zendesk |
UK |
Help desk platform |
DPA as published by Zendesk |
For HGEM clients that use Zendesk as a help desk platform, and for whom HGEM collects employee feedback via a survey site, HGEM will at the request of the client create support tickets on Zendesk in the name and email address of a customer who has provided feedback on a survey site and who has explicitly consented to a response from HGEM’s client. The customer’s details will not be requested until consent is given. |
Freshdesk |
UK |
Help desk platform |
DPA as published by Freshdesk |
For HGEM clients that use Zendesk as a help desk platform, and for whom HGEM collects employee feedback via a survey site, HGEM will at the request of the client create support tickets on Zendesk in the name and email address of a customer who has provided feedback on a survey site and who has explicitly consented to a response from HGEM’s client. The customer’s details will not be requested until consent is given. |
⠀
SCHEDULE 4
STANDARD CONTRACTUAL CLAUSES
For the purposes of Article 26(2) of Directive 95/46/EC for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection,
Customer (the “data exporter”)
And
HGEM Ltd (the “data importer”),
HAVE AGREED on the following Contractual Clauses (the Clauses) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the data exporter to the data importer of the personal data specified in Appendix 1.
Clause 1
Definitions
For the purposes of the Clauses:
(a) personal data, special categories of data, process/processing, controller, processor, data subject and supervisory authority shall have the same meaning as in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data;
(b) the data exporter means the controller who transfers the personal data;
(c) the data importer means the processor who agrees to receive from the data exporter personal data intended for processing on its behalf after the transfer in accordance with its instructions and the terms of the Clauses and who is not subject to a third country’s system ensuring adequate protection within the meaning of Article 25(1) of Directive 95/46/EC;
(d) the sub-processor means any processor engaged by the data importer or by any other sub-processor of the data importer who agrees to receive from the data importer or from any other sub-processor of the data importer personal data exclusively intended for processing activities to be carried out on behalf of the data exporter after the transfer in accordance with its instructions, the terms of the Clauses and the terms of the written subcontract;
(e) the applicable data protection law means the legislation protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of personal data applicable to a data controller in the Member State in which the data exporter is established;
(f) technical and organisational security measures means those measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.
Clause 2
Details of the transfer
The details of the transfer and in particular the special categories of personal data where applicable are specified in Appendix 1 which forms an integral part of the Clauses.
Clause 3
Third-party beneficiary clause
1. The data subject can enforce against the data exporter this Clause 3, Clause 4(b) to Clause 4(i), Clause 5(a) to Clause 5(e) and Clause 5(g) to Clause 5(j), Clause 6.1 and Clause 6.2, Clause 7, Clause 8.2 and Clause 9 to Clause 12 as third-party beneficiary.
2. The data subject can enforce against the data importer this Clause, Clause 5(a) to Clause 5(e) and Clause 5(g), Clause 6, Clause 7, Clause 8.2 and Clause 9 to Clause 12, in cases where the data exporter has factually disappeared or has ceased to exist in law unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity.
3. The data subject can enforce against the sub-processor this Clause, Clause 5(a) to Clause 5(e) and Clause 5(g), Clause 6, Clause 7, Clause 8.2, and Clause 9 to Clause 12, in cases where both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity. Such third-party liability of the sub-processor shall be limited to its own processing operations under the Clauses.
4. The parties do not object to a data subject being represented by an association or other body if the data subject so expressly wishes and if permitted by national law.
Clause 4
Obligations of the data exporter
The data exporter agrees and warrants:
(a) that the processing, including the transfer itself, of the personal data has been and will continue to be carried out in accordance with the relevant provisions of the applicable data protection law (and, where applicable, has been notified to the relevant authorities of the Member State where the data exporter is established) and does not violate the relevant provisions of that State;
(b) that it has instructed and throughout the duration of the personal data-processing services will instruct the data importer to process the personal data transferred only on the data exporter’s behalf and in accordance with the applicable data protection law and the Clauses;
(c) that the data importer will provide sufficient guarantees in respect of the technical and organisational security measures specified in Appendix 2 to this contract;
(d) that after assessment of the requirements of the applicable data protection law, the security measures are appropriate to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation;
(e) that it will ensure compliance with the security measures;
(f) that, if the transfer involves special categories of data, the data subject has been informed or will be informed before, or as soon as possible after, the transfer that its data could be transmitted to a third country not providing adequate protection within the meaning of Directive 95/46/EC;
(g) to forward any notification received from the data importer or any sub-processor pursuant to Clause 5(b) and Clause 8.3 to the data protection supervisory authority if the data exporter decides to continue the transfer or to lift the suspension;
(h) to make available to the data subjects upon request a copy of the Clauses, with the exception of Appendix 2 and a summary description of the security measures, as well as a copy of any contract for sub-processing services which has to be made in accordance with the Clauses, unless the Clauses or the contract contain commercial information, in which case it may remove such commercial information;
(i) that, in the event of sub-processing, the processing activity is carried out in accordance with Clause 11 by a sub-processor providing at least the same level of protection for the personal data and the rights of data subjects as the data importer under the Clauses; and
(j) that it will ensure compliance with Clause 4(a) to Clause 4(i).
Clause 5
Obligations of the data importer
The data importer agrees and warrants:
(a) to process the personal data only on behalf of the data exporter and in compliance with its instructions and the Clauses; if it cannot provide such compliance for whatever reasons, it agrees to inform promptly the data exporter of its inability to comply, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
(b) that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Clauses, it will promptly notify the change to the data exporter as soon as it is aware, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
(c) that it has implemented the technical and organisational security measures specified in Appendix 2 before processing the personal data transferred;
(d) that it will promptly notify the data exporter about:
(i) any legally binding request for disclosure of the personal data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation;
(ii) any accidental or unauthorised access; and
(iii) any request received directly from the data subjects without responding to that request, unless it has been otherwise authorised to do so;
(e) to deal promptly and properly with all inquiries from the data exporter relating to its processing of the personal data subject to the transfer and to abide by the advice of the supervisory authority with regard to the processing of the data transferred;
(f) at the request of the data exporter to submit its data processing facilities for audit of the processing activities covered by the Clauses which shall be carried out by the data exporter or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality, selected by the data exporter, where applicable, in agreement with the supervisory authority;
(g) to make available to the data subject upon request a copy of the Clauses, or any existing contract for sub-processing, unless the Clauses or contract contain commercial information, in which case it may remove such commercial information, with the exception of Appendix 2 which shall be replaced by a summary description of the security measures in those cases where the data subject is unable to obtain a copy from the data exporter;
(h) that, in the event of sub-processing, it has previously informed the data exporter and obtained its prior written consent;
(i) that the processing services by the sub-processor will be carried out in accordance with Clause 11; and
(j) to send promptly a copy of any sub-processor agreement it concludes under the Clauses to the data exporter.
Clause 6
Liability
1. The parties agree that any data subject, who has suffered damage as a result of any breach of the obligations referred to in Clause 3 or in Clause 11 by any party or sub-processor is entitled to receive compensation from the data exporter for the damage suffered.
2. If a data subject is not able to bring a claim for compensation in accordance with paragraph 1 against the data exporter, arising out of a breach by the data importer or its sub-processor of any of their obligations referred to in Clause 3 or in Clause 11 because the data exporter has factually disappeared or ceased to exist in law or has become insolvent, the data importer agrees that the data subject may issue a claim against the data importer as if it were the data exporter, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, in which case the data subject can enforce its rights against such entity. The data importer may not rely on a breach by a sub-processor of its obligations in order to avoid its own liabilities.
3. If a data subject is not able to bring a claim against the data exporter or the data importer referred to in paragraphs 1 and 2, arising out of a breach by the sub-processor of any of their obligations referred to in Clause 3 or in Clause 11 because both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, the sub-processor agrees that the data subject may issue a claim against the data sub-processor with regard to its own processing operations under the Clauses as if it were the data exporter or the data importer, unless any successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law, in which case the data subject can enforce its rights against such entity. The liability of the sub-processor shall be limited to its own processing operations under the Clauses.
Clause 7
Mediation and jurisdiction
1. The data importer agrees that if the data subject invokes against it third-party beneficiary rights and/or claims compensation for damages under the Clauses, the data importer will accept the decision of the data subject:
(a) to refer the dispute to mediation, by an independent person or, where applicable, by the supervisory authority;
(b) to refer the dispute to the courts in the Member State in which the data exporter is established.
2. The parties agree that the choice made by the data subject will not prejudice its substantive or procedural rights to seek remedies in accordance with other provisions of national or international law.
Clause 8
Cooperation with supervisory authorities
1. The data exporter agrees to deposit a copy of this contract with the supervisory authority if it so requests or if such deposit is required under the applicable data protection law.
2. The parties agree that the supervisory authority has the right to conduct an audit of the data importer, and of any sub-processor, which has the same scope and is subject to the same conditions as would apply to an audit of the data exporter under the applicable data protection law.
3. The data importer shall promptly inform the data exporter about the existence of legislation applicable to it or any sub-processor preventing the conduct of an audit of the data importer, or any sub-processor, pursuant to paragraph 2. In such a case the data exporter shall be entitled to take the measures foreseen in Clause 5(b).
Clause 9
Governing law
The Clauses shall be governed by the law of the Member State in which the data exporter is established.
Clause 10
Variation of the contract
The parties undertake not to vary or modify the Clauses. This does not preclude the parties from adding clauses on business related issues where required as long as they do not contradict the Clauses.
Clause 11
Sub-processing
1. The data importer shall not subcontract any of its processing operations performed on behalf of the data exporter under the Clauses without the prior written consent of the data exporter. Where the data importer subcontracts its obligations under the Clauses, with the consent of the data exporter, it shall do so only by way of a written agreement with the sub-processor which imposes the same obligations on the sub-processor as are imposed on the data importer under the Clauses. Where the sub-processor fails to fulfil its data protection obligations under such written agreement the data importer shall remain fully liable to the data exporter for the performance of the sub-processor’s obligations under such agreement.
2. The prior written contract between the data importer and the sub-processor shall also provide for a third-party beneficiary clause as laid down in Clause 3 for cases where the data subject is not able to bring the claim for compensation referred to in paragraph 1 of Clause 6 against the data exporter or the data importer because they have factually disappeared or have ceased to exist in law or have become insolvent and no successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law. Such third-party liability of the sub-processor shall be limited to its own processing operations under the Clauses.
3. The provisions relating to data protection aspects for sub-processing of the contract referred to in paragraph 1 shall be governed by the law of the Member State in which the data exporter is established.
4. The data exporter shall keep a list of sub-processing agreements concluded under the Clauses and notified by the data importer pursuant to Clause 5(j), which shall be updated at least once a year. The list shall be available to the data exporter’s data protection supervisory authority.
Clause 12
Obligation after the termination of personal data processing services
1. The parties agree that on the termination of the provision of data-processing services, the data importer and the sub-processor shall, at the choice of the data exporter, return all the personal data transferred and the copies thereof to the data exporter or shall destroy all the personal data and certify to the data exporter that it has done so, unless legislation imposed upon the data importer prevents it from returning or destroying all or part of the personal data transferred. In that case, the data importer warrants that it will guarantee the confidentiality of the personal data transferred and will not actively process the personal data transferred anymore.
2. The data importer and the sub-processor warrant that upon request of the data exporter and/or of the supervisory authority, it will submit its data-processing facilities for an audit of the measures referred to in paragraph 1.
⠀
APPENDIX 1 – DETAILS OF PROCESSING
This Appendix forms part of the Clauses and is deemed signed by the parties.
The Member States may complete or specify, according to their national procedures, any additional necessary information to be contained in this Appendix 1.
Data exporter: Customer (as defined in this Agreement)
Data importer: Service Provider (as defined in this Agreement).
Data subjects: As per the details set out in Schedule 1 of this Agreement.
Categories of data: As per the details set out in Schedule 1 of this Agreement.
Special categories of data (if appropriate): As per the details set out in Schedule 1 of this Agreement.
Processing operations: As per the details set out in Schedule 1 of this Agreement.
⠀
APPENDIX 2 – Technical and Organisational Security Measures
This Appendix 2 forms part of the Clauses and is deemed signed by the parties.
Description of the technical and organisational security measures implemented by the data importer in accordance with Clause 4(d) and Clause 5(c) (or documents/legislation attached):
As per the measures set out in Schedule 2 of this Agreement.