Data Processing Provisions

1. Definitions and Interpretation

1.1 The following definitions and rules of interpretation apply in this Agreement (including in the Recitals).
Appropriate Technical and Organisational Measures: has the meaning given to such term in Data Protection Legislation (including, as appropriate, the measures referred to in Article 32(1) of the GDPR).

Authorised Person:

the persons authorised by Client to give the Supplier instructions in respect of Processing, as amended from time to time in accordance with this Agreement.

Business Day:

a day other than a Saturday, Sunday or public holiday in the United Kingdom when banks are open for business.

Business Purpose:

the provision of the Services (as defined in the Agreement).

Client:

the company that has signed the agreement contract with the Supplier.

Customer:

end users of Client, and each a Customer;

Data:

any data or information, in whatever form, including but not limited to images, still and moving, and sound recordings.

Data Controller:

has the meaning given to such term in Data Protection Legislation.

Data Processor:

has the meaning given to such term in Data Protection Legislation.

Data Protection Legislation:

means the Data Protection Acts 1988 and 2003 and Directive 95/46/EC, any other applicable law or regulation relating to the Processing of Personal
Data and to privacy (including the E-Privacy Directive), as such legislation shall be amended, revised or replaced from time to time, including by operation of the GDPR (and laws implementing or supplementing the GDPR).

Data Protection Officer:

a data protection officer appointed pursuant to Data Protection Legislation.

Data Subject:

an individual who is the subject of Personal Data.

Delete:

to remove or obliterate Personal Data such that it cannot be recovered or reconstructed.

EEA:

European Economic Area.

Client Data:

Client Data (NPD) and Client Data (PD).

Client Data (NPD):

all Data supplied by Client to the Supplier from time to time other than Client Data (PD) during the Term.

Client Data (PD):

the Personal Data supplied by Client to the Supplier or access by the Supplier (in respect of Client’ personnel or its Customers) from time to time during the Term.

Client System:

any information technology system or systems owned or operated by Client from which Client Data is accessed or received by the Supplier in accordance with this Agreement.

GDPR:

General Data Protection Regulation (EU) 2016/679.

Intellectual Property Rights:

patents, utility models, rights to inventions, copyright and neighbouring and related rights, trademarks and service marks, business names and domain names, rights in get-up and trade dress, goodwill and the right to sue for passing off or unfair competition, rights in designs, database rights, rights to use, and protect the confidentiality of, confidential information (including know-how and trade secrets), and all other intellectual property rights, in each case whether registered or unregistered and including all applications and rights to apply for and be granted, renewals or extensions of, and rights to claim priority from, such rights and all similar or equivalent rights or forms of protection which subsist or will subsist now or in the future in any part of the world.
Material Breach: substantial (non-trivial) failure of performance under the Agreement which is significant enough to give the aggrieved Party the right to sue for breach of contract.

Normal Business Hours:

9.00 am to 5.30 pm GMT on a Business Day.

ICO.: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

Personal Data:

has the meaning set out in Data Protection Legislation and relates only to personal data, or any part of such personal data, in respect of which Client is the Data Controller, and in respect of which the Supplier is the Data Processor under this Agreement.

Personal Data Breach:

means any “personal data breach” as defined in the GDPR in respect of the Personal Data caused by the Supplier.

Processed Data:

any Client Data that has been Processed.

Processing:

has the meaning given to such term in Data Protection Legislation, and Processed and Process shall be interpreted accordingly.

Representatives:

a Party’s employees, officers, representatives, advisers or subcontractors involved in the provision or receipt of the Services.

Restricted Transfer:

any transfer of Personal Data to countries outside of the EEA which are not subject to an adequacy decision by the European Commission, where such transfer would be prohibited by Data Protection Legislation.

Security Features:

any security feature, including any encryption, pseudonymisation, key, PIN, password, token or smartcard.

Services:

the Processing of Client Data by the Supplier for the Business Purpose.

Specific Instructions:

instructions meeting the criteria set out in Clause 2.2.

Standard Contractual Clauses:

the contractual Clauses dealing with the transfer of Personal Data outside the EEA, which have been approved by (i) the European Commission under Data Protection Legislation, or (ii) by the ICO. or an equivalent competent authority under Data Protection Legislation.

Sub-processor:

has the meaning given to such term in Clause 15.1.

Supplier System:

any information technology system or systems owned or operated by the Supplier to which Client Data is delivered or accessed or on which the Services are performed in accordance with this Agreement.

Term:

the duration of the Agreement.

2. Services

2.1 In consideration of the mutual obligations set out herein, during the Term the Supplier shall supply the Services to Client. Client hereby grants a non-exclusive, non-transferrable, non-sub licensable (other than to the Supplier’s affiliates) licence to the Supplier to the use of all copyright and database rights in Client Data for the duration of the Term to enable the Supplier to provide the Services, and to transfer to the Supplier all Client Data for the same purpose, in accordance with the terms of this Agreement.

2.2 The Supplier shall not act on any specific instructions given by Client from time to time during the Term unless they are:

2.2.1 in writing (including by electronic means; and

2.2.2 given by an Authorised Person.

2.3 The Supplier shall Process Client Data (PD) for the Business Purpose only and in compliance with Client' instructions from time to time, which may be:

2.3.1 Specific Instructions; or

2.3.2 the general instructions set out in the Agreement
unless required to do otherwise by law, in which case, where legally permitted, the Supplier shall inform Client of such legal requirement before Processing.

2.4 The types of Personal Data to be Processed pursuant to this Agreement shall include (but shall not be limited to) names, email addresses, analytical information regarding use, information related to browsing habits, IP addresses, device IDs, location data, and phone numbers; and the categories of Data Subject to whom such Personal Data relates shall include Client’ personnel and Customers.

3. Access

3.1 The Supplier shall have access to the Personal Data which is uploaded by Client personnel or Customers to the Supplier’s System or which is automatically gathered/collected by the Supplier on the Supplier’s System or Client’ System for the purposes of providing the Services, as set out in the Agreement.

4. Parties' Obligations

4.1 The Supplier shall:

4.1.1 only make copies of Client Data to the extent reasonably necessary for the Business Purpose (which, for clarity, includes backup, mirroring (and similar availability enhancement techniques), security, disaster recovery and testing of Client Data); and

4.1.2 not extract, reverse-engineer, re-utilise, use, exploit, redistribute, re-disseminate, copy or store Client Data other than for the Business Purpose.

4.2 The Supplier shall notify Client in writing without delay of any situation or envisaged development that shall in any way change the ability of the Supplier to Process Client Data (PD) as set out in this Agreement.

4.3 The Supplier shall, at Client’ cost and taking into account the nature of the Supplier’s Processing of Personal Data, promptly comply with any written request from Client requiring the Supplier to amend, transfer or Delete any of Client Data. In the event of a request to Delete Client Data, the Supplier shall be entitled to keep one archived copy of Client Data for such period as it is legally possible for Client to make a claim against the Supplier in respect of the Agreement and/or the Services, plus one additional year.

4.4 At Client’ request and cost, the Supplier shall provide to Client a copy of all Client Data held by the Supplier in a commonly used format.

4.5 At Client’ request and cost, taking into account the nature of the Supplier’s Processing of the Personal Data and the information available, the Supplier shall provide to Client such information and such assistance as Client may reasonably require, and within the timescales reasonably specified by Client, to allow Client to comply with its obligations under Data Protection Legislation, including but not limited to assisting Client to:

4.5.1 comply with its own security obligations with respect to the Personal Data;

4.5.2 discharge its obligations to respond to requests for exercising Data Subjects’ rights with respect to the Personal Data;

4.5.3 comply with its obligations to inform Data Subjects about serious Personal Data Breaches;

4.5.4 carry out data protection impact assessments and audit data protection impact assessment compliance with respect to the Personal Data; and

4.5.5 the consultation with the ICO. following a data protection impact assessment, where a data protection impact assessment indicates that the Processing of the Personal Data would result in a high risk to Data Subjects.

4.6 Any proposal by the Supplier to in any way use or make available Client Data other than as provided for pursuant to this Agreement shall be subject to prior written approval of Client.

4.7 Client acknowledges that the Supplier is under no duty to investigate the completeness, accuracy or sufficiency of (i) any instructions received from Client, or (ii) any Client Data.

4.8 Client shall:

4.8.1 ensure that it is entitled to transfer the relevant Client Data (PD) to the Supplier so that the Supplier may lawfully use, process and transfer (if applicable) Client Data (PD) in accordance with this Agreement;

4.8.2 ensure that the relevant third parties have been informed of, and have given their consent to, such use, processing, and transfer as required by Data Protection Legislation;

4.8.3 notify the Supplier in writing without delay of any situation or envisaged development that shall in any way influence, change or limit the ability of the Supplier to process Client Data (PD) as set out in this Agreement;

4.8.4 ensure that Client Data (PD) that Client instructs the Supplier to Process pursuant to this Agreement is:
(8.4.a) obtained lawfully, fairly and in a transparent manner in relation to the Data Subject (including in respect of how consent is obtained);
(8.4.b) collected and processed for specified, explicit and legitimate purposes, and not further processed in a manner incompatible with those purposes;
(8.4.c) adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed;
(8.4.d) accurate, and where necessary kept up to date;
(8.4.e) erased or rectified without delay where it is inaccurate, having regard to the purposes for which they are processed;
(8.4.f) kept in a form which permits identification of Data Subjects for no longer than is necessary for the purposes for which the Personal Data are processed (subject to circumstances where Personal Data may be stored for longer periods insofar as it will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, and subject to the implementation of Appropriate Technical and Organisational Measures);
(8.4.g) processed in a manner that ensures appropriate security of the Personal Data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures;

4.8.5 provide such information and such assistance to the Supplier as the Supplier may reasonably require, and within the timescales reasonably specified by the Supplier, to allow the Supplier to comply with its obligations under Data Protection Legislation; and

4.8.6 not alter the technical arrangements relating to the format, presentation and distribution of Client Data to the Supplier without the Supplier’s prior written approval.

4.9 Client shall not pass any Client Data (PD) to the Supplier for processing which has been kept by Client for a period that is longer than necessary.

4.10 Unless required to do so by the ICO. or any other competent supervisory authority, the Supplier shall not make any payment or any offer of payment to any Data Subject in response to any complaint or any claim for compensation arising from or relating to the Processing of Client Data, without the prior written agreement of Client.

4.11 Client acknowledges and agrees that the Supplier is reliant on Client for direction as to the extent to which the Supplier is entitled to use and process Client Data (PD). Consequently, the Supplier will not be liable for any claim brought by a Data Subject arising from any action or omission by the Supplier, to the extent that such action or omission resulted directly from Client’ instructions and/or the transactions contemplated by this Agreement.

5. Supplier's Employees

5.1 The Supplier shall take reasonable steps to ensure the reliability of all its employees who have access to Client Data (PD), and to ensure that such employees have committed themselves to a binding duty of confidentiality in respect of such Client Data (PD).

6. Records

6.1 The Supplier shall keep at its normal place of business records (including in electronic form) relating to all categories of Processing activities carried out on behalf of Client, containing:

6.1.1 the general description of the security measures taken in respect of the Personal Data, including details of any Security Features and the Appropriate Technical and Organisational Measures;

6.1.2 the name and contact details of the Supplier; any sub-supplier; and where applicable the Supplier's representatives; and where applicable any Data Protection Officer appointed by the Supplier;

6.1.3 the categories of Processing by the Supplier on behalf of Client; and

6.1.4 details of any non-EEA Personal Data transfers, and the safeguards in place in respect of such transfers.

7. Audits

7.1 Subject to the extent required by Data Protection Legislation, Client shall have the right to examine and review the use by the Supplier of Client Data provided to the Supplier by Client only for the purpose of ascertaining that such Client Data has been used and Processed in accordance with the terms of this Agreement.

7.2 An audit under this Clause 8 shall be carried out no more than once in any twelve (12) month period and shall be conducted during Normal Business Hours during the course of one Business Day and shall only relate to the Personal Data. The Supplier shall grant to Client (or representatives of Client) on reasonable advance notice a right of access to the Supplier’s premises during Normal Business Hours for the purpose of such examination and review, and the Supplier shall give such necessary assistance to the conduct of such examinations/audits. Client shall bear the reasonable expenses incurred by the Supplier in respect of any such audit and any such audit shall not interfere with the normal and efficient operation of the Supplier’s business. The Supplier may require, as a condition of granting such access, that Client (and representatives of Client) enter into reasonable confidentiality undertakings with the Supplier.

7.3 The scope of any examination and review by Client of the use by the Supplier of the Personal Data shall be agreed in writing prior to the commencement of any such examination and review.

7.4 In the event that the audit process determines that the Supplier is materially non-compliant with the provisions of this Agreement, Client may, by notice in writing, deny further access to Client Data.

7.5 To the extent permitted under Data Protection Legislation, the Supplier may demonstrate its and, if applicable it’s Sub-processors’, compliance with its obligations under this Agreement through its compliance with a certification scheme or code of conduct approved under Data Protection Legislation.

8. Confidentiality

8.1 The Supplier acknowledges that Client’ Confidential Information includes any Client Data.

9. Data Subject requests

9.1 Taking into account the nature of the Supplier’s Processing of the Personal Data and at Client’ cost, the Supplier shall assist Client by employing Appropriate Technical and Organisational Measures, insofar as this is possible, in respect of the fulfilment of Client’ obligations to respond to requests from a Data Subject exercising his/her rights under Data Protection Legislation.

9.2 The Supplier shall, at Client’ cost, notify Client as soon as reasonably practicable if it receives:

9.2.1 a request from a Data Subject for access to that person’s Personal Data;

9.2.2 any communication from a Data Subject seeking to exercise rights conferred on the Data Subject by Data Protection Legislation in respect of the Personal Data; or

9.2.3 any complaint or any claim for compensation arising from or relating to the Processing of the Personal Data.

9.3 The Supplier shall not disclose the Personal Data to any Data Subject or to a third party other than at the request of Client, as provided for in this Agreement, or as required by law in which case the Supplier shall to the extent permitted by law inform Client of that legal requirement before the Supplier discloses the Personal Data to any Data Subject or third party.

9.4 The Supplier shall not respond to any request from a Data Subject except on the documented instructions of Client or Authorised Person or as required by law, in which case the Supplier shall to the extent permitted by law inform Client of that legal requirement before the Supplier responds to the request.

10. Data Protection Officer

10.1 The Supplier shall appoint a Data Protection Officer, if required to do so pursuant to Data Protection Legislation, and provide Client with the contact details of such Data Protection Officer.

10.2 Client shall appoint a Data Protection Officer, if required to do so pursuant to Data Protection Legislation, and provide the Supplier with the contact details of such Data Protection Officer.

11. Security

11.1 The Supplier shall, in accordance with its requirements under Data Protection Legislation, implement Appropriate Technical and Organisational Measures to safeguard Client Data (PD) from unauthorised or unlawful Processing or accidental loss, alteration, disclosure, destruction or damage, and that, having regard to the state of technological development and the cost of implementing any measures (and the nature, scope, context and purposes of Processing, as well as the risk to Data Subjects), such measures shall be proportionate and reasonable to ensure a level of security appropriate to the harm that might result from unauthorised or unlawful Processing or accidental loss, alteration, disclosure, destruction or damage and to the nature of the Personal Data to be protected.

11.2 The Supplier shall ensure that Client Data provided by Client can only be accessed by persons and systems that are authorised by the Supplier and necessary to meet the Business Purpose, and that all equipment used by the Supplier for the Processing of Client Data shall be maintained by the Supplier in a physically secure environment.

11.3 Client shall make a backup copy of Client Data as often as is reasonably necessary and record the copy on media from which Client Data can be reloaded in the event of any corruption or loss of Client Data.

12. Breach Reporting

12.1 The Supplier shall promptly inform Client if any Client Data is lost or destroyed or becomes damaged, corrupted, or unusable, or if there is any accidental, unauthorised or unlawful disclosure of or access to Client Data. In such case, the Supplier will use its reasonable endeavours to restore such Client Data at Client’ expense (save where the incident was caused by the Supplier’s negligent act or omission, in which case it will be at the Supplier’s expense), and will comply with all of its obligations under Data Protection Legislation in this regard.

12.2 The Supplier must inform Client of any Personal Data Breaches, or any complaint, notice or communication in relation to a Personal Data Breach, without undue delay. Taking into account the nature of the Supplier’s Processing of the Personal Data and the information available to the Supplier and at Client’ cost the Supplier will provide sufficient information and assist Client in ensuring compliance with its obligations in relation to notification of Personal Data Breaches (including the obligation to notify Personal Data Breaches to the ICO. within seventy two (72) hours), and communication of Personal Data Breaches to Data Subjects where the breach is likely to result in a high risk to the rights of such Data Subjects. Taking into account the nature of the Supplier’s Processing of the Personal Data and the information available to the Supplier and at Client cost, the Supplier shall cooperate with Client and take such reasonable commercial steps as are directed by Client to assist in the investigation, mitigation and remediation of each such Personal Data Breach.

13. Intellectual Property Rights

13.1 The Supplier acknowledges that all Intellectual Property Rights in Client Data are and will remain the property of Client and the Data Subjects, as the case may be; and that the Supplier shall have no rights in or to Client Data other than the right to use it for the purposes set out in this Agreement.

14. Restricted Transfers

14.1 A Restricted Transfer may not be made by the Supplier without the prior written consent of Client (such consent not to be unreasonably withheld, delayed or conditioned), and if such Client consent has been obtained, such Restricted Transfer may only be made where there are Appropriate Technical and Organisational Measures in place with regard to the rights of Data Subjects (including but not limited to the Standard Contractual Clauses, Privacy Shield, binding corporate rules, or any other model clauses approved by the ICO.).

14.2 Subject to Clause 14.3, in the event of any Restricted Transfer by the Supplier to a contracted Sub-processor, to any affiliate of Client or otherwise (“Data Importer") for which Client consent has been obtained, the Parties shall procure that (i) Client (where the Restricted Transfer is being made at the request of Client) or the Supplier acting as agent for and on behalf of Client (where the Restricted Transfer is being made at the request of the Supplier), and (ii) the Data Importer, shall enter into the Standard Contractual Clauses in respect of such Restricted Transfer.

14.3 Clauses 14.1 or 14.2 shall not apply to a Restricted Transfer if other compliance steps (which may include, but shall not be limited to, obtaining consents from Data Subjects) have been taken to allow the relevant Restricted Transfer to take place without breach of applicable Data Protection Legislation.

15. Sub-Processors

15.1 Client agrees and acknowledges that the Supplier may have the Personal Data Processed by any of its affiliates and by any agents and contractors (a “Sub-processor”). The Supplier shall inform Client of any intended changes concerning the addition or replacement of other Sub-processors, thereby giving Client the opportunity to object to such changes.

15.2 The Supplier must enter into a data processing contract with the Sub-processor which places obligations on the Sub-processor to implement Appropriate Technical and Organisational Measures in such a manner that the Processing will meet the requirements of Data Protection Legislation).

15.3 With respect to each Sub-processor, the Supplier shall, before the Sub-processor first Processes Client Data (PD), ensure that the Sub-processor is capable of providing the level of protection for Client Data (PD) required by this Agreement.

15.4 The Supplier will remain fully liable to Client in respect of any failure by the Sub-processor to fulfil its data protection obligations in this regard.

16. Warranties

16.1 The Supplier warrants and undertakes to Client that:

16.1.1 the Supplier will Process Client Data in compliance with the Data Protection Legislation;

16.1.2 the Supplier will maintain Appropriate Technical and Organisational Measures against the unauthorised or unlawful Processing of Client Data (PD) and against the accidental loss or destruction of, or damage to, Client Data (PD); and

16.1.3 the Supplier will discharge its obligations under this Agreement with all due skill, care and diligence.

16.2 Client hereby warrants and undertakes that:

16.2.1 it has complied with and shall comply with its obligations under Data Protection Legislation;

16.2.2 it has the right to transfer Client Data (PD) to the Supplier in accordance with the terms of this Agreement;

16.2.3 as far as it is aware, the Processing of Client Data (PD) under this Agreement will not infringe the Intellectual Property Rights of any third party;

16.2.4 Client Data contains nothing that is defamatory or indecent;

16.2.5 Client’ instructions that are set out in this Agreement accurately reflect the instructions of the Data Controller to the extent that Client is a Data Processor of the Data Controller;

16.2.6 it shall and shall cause, appropriate notices to be provided to, and valid consents to be obtained from, Data Subjects, in each case that are necessary for the Supplier to Process (and have Processed by Sub-processors) Personal Data under or in connection with this Agreement, including Processing outside the EEA on the basis of any of the legal conditions for such transfer and Processing set out in Clause 15 above;

16.2.7 it shall not, by act or omission, cause the Supplier to violate any Data Protection Legislation, notices provided to, or consents obtained from, Data Subjects as a result of the Supplier or its Sub-processors Processing the Personal Data; and

16.2.8 notwithstanding anything contained in this Agreement, it shall pay in immediately available funds the Supplier’s costs incurred or likely to be incurred, at the Supplier’s option in advance under Clauses 5; 8; and 9 of the main agreement terms and conditions of use.

17. Indemnity

17.1 Client (the “Indemnifying Party”) agrees to indemnify and keep indemnified and defend at its own expense the Supplier (the “Indemnified Party”) against all costs, claims, damages or expenses incurred by the Indemnified Party or for which the Indemnified Party may become liable due to any failure by the Indemnifying Party or its employees or agents to comply with any of its obligations under this Agreement and/or under Data Protection Legislation.

17.2 If any third party makes a claim against the Indemnified Party, or notifies an intention to make a claim against the Indemnified Party, the Indemnified Party shall: (i) give written notice of the claim against the Indemnified Party to the Indemnifying Party as soon as reasonably practicable; (ii) not make any admission of liability in relation to the claim against Indemnified Party without the prior written consent of the Indemnifying Party; (iii) at the Indemnifying Party’s request and expense, allow the Indemnifying Party to conduct the defence of the claim against the Indemnified Party including settlement; and (iv) at the Indemnifying Party’s expense, cooperate and assist to a reasonable extent with the Indemnifying Party's defence of the claim against the Indemnified Party.

18. Termination

18.1 On any termination or expiry of this Agreement:

18.1.1 all licences granted by Client to the Supplier pursuant to this Schedule shall cease and have no further effect;

18.1.2 the Supplier shall as soon as reasonably practicable ensure that all Client Data (PD) is Deleted from the Supplier System, unless legally required to store Client Data for a period of time.

18.2 The Supplier shall provide written confirmation of compliance with this Clause in the form of a letter signed by an authorised representative no later than fourteen (14) days after termination or expiry of this Agreement.