In so far as required, both parties agree that they will comply with the applicable data protection and privacy legislation (the “Applicable Law”), including The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679).
“Personal Data” includes “any information relating to an identified or identifiable natural person” as defined in GDPR, article 4 (1) (1) (the “Personal Data”).
The parties acknowledge that for the purposes of the Applicable Law, the Client is the data controller and the Company is the data processor. The Client will have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which it was obtained.
1. Processing of Personal Data
The Company undertakes to process Personal Data on behalf of the Client in accordance with the conditions in this Schedule. The processing will be with the purpose of delivering the Services as described in the Agreement, and for all such purposes as may be mutually agreed to subsequently.
The Company shall not sub-contract such processing without the prior written consent of the Client.
The Company may only act and process the Personal Data in accordance with documented instruction from the Client and under the (ultimate) responsibility of the Client, unless required by law or any regulatory body to act without such instruction.
The Client’s instructions for the processing of Personal Data shall comply with Applicable Law. The Company will inform the Client of any instruction that in the Company’s opinion is in violation or infringement of Applicable Law and will not execute the instructions until they have been confirmed or modified by the Client. In this context, the Client indemnifies the Company of all claims and actions of third parties related to such violation or infringement.
The Client represents and warrants that it has the necessary consent(s) and/or a legal basis for collecting, processing and transfer of the relevant Personal Data. Furthermore, the Client represents and warrants that the contents are not unlawful and do not infringe any rights of a third party. In this context, the Client indemnifies the Company of all claims and actions of third parties related to the collecting, processing and transfer of personal data without the necessary consent(s) and/or a legal basis under this Agreement.
The Company shall comply with any request from the Client requiring the Company to amend, transfer or delete the Personal Data.
The Company shall maintain complete and accurate records and information to demonstrate its compliance relating to this Agreement including a register of processing activities in accordance with the GDPR.
The Company will ensure that all personnel who have access to and/or process Personal Data are obliged to keep the Personal Data confidential.
Unless the Client has given written instructions for the Company to do so, the Company shall not disclose any Personal Data supplied to the Company by, for, or on behalf of, the Client to any third party or engage any third party processor of Personal Data.
2. Security
The Company will endeavour to take adequate technical and organizational measures against loss or any form of unlawful processing (such as unauthorized disclosure, deterioration, alteration or disclosure of Personal Data) in connection with the performance of processing Personal Data under this Data Processing Agreement.
The Company does not guarantee that the security measures are effective under all circumstances. The Company will endeavour to ensure that the security measures are of a reasonable level, having regard to the state of the art, the nature of the personal data and the costs related to the security measures.
The Company shall provide documentation for the Company’s security measures if requested by the Client in writing. The Client is subject to a duty of confidentiality regarding any documentation and information, received by the Company, related to the Company’s implemented technical and organizational security measures.
3. Transfer of Data
The Company will not transfer any Personal Data outside of the European Economic Area (EEA) unless the prior written consent of the Client has been obtained and the following conditions are fulfilled:
(a) the Client or the Company has provided appropriate safeguards in relation to the transfer;
(b) the data subject has enforceable rights and effective legal remedies;
(c) the Company provides an adequate level of protection to any Personal Data that is transferred; and
(d) the Company complies with reasonable instructions notified to it in advance by the Client with respect to the processing of the Personal Data.
In some cases, Personal Data will be saved on storage solutions that have servers outside the EEA, (for example Dropbox or Google). Only those storage solutions that provide secure services with adequate relevant safeguards will be employed.
4. Audit
The Company will allow for audits by the Client, with the following provisions:
(a) the audit may only be undertaken when there are specific grounds for suspecting the misuse of personal data, and no earlier than two weeks after the Client has provided written notice to the Company;
(b) any such audit will follow the Company’s reasonable security and confidentiality requirements, and will not interfere unreasonably with the Company’s business activities;
(c) the findings in respect of the performed audit will be discussed and evaluated by the Parties and, where applicable, implemented accordingly as the case may be by one of the Parties or jointly by both Parties; and
(d) the costs of the audit will be borne by the Client.
5. Duty to Report; Assistance
The Company will notify the Client without undue delay on becoming aware of any unauthorized or unlawful processing, loss of, damage to or destruction of any of the Personal Data processed on behalf of the Client.
If required by law and/or regulation, the Company shall cooperate in notifying the relevant authorities and/or data subjects. The Client remains the responsible party for any statutory obligations in respect thereof.
If the Company receives a request from a data subject for the exercise of the data subject’s rights under the Applicable Law and such request is related to the Personal Data of the Client, the Company must immediately forward the request to the Client and the request will then be dealt with by the Client. The Company will refrain from responding to the person directly.
The Company shall, at the Client’s cost, provide reasonable assistance to the Client, taking into account relevant information available to the Company in responding to any request from a data subject and in ensuring compliance with its obligations under the Applicable Law with respect to security, breach notifications, impact assessments, consultations and any required approvals with supervisory authorities or regulators. The Company shall bear such costs if the breach is caused by circumstances for which the Company is responsible.
The Company shall be given reasonable time to assist the Client with such requests.
6. Remuneration
The Client shall remunerate the Company based on time spent to perform the obligations in this Schedule based on the Company’s hourly rates.
The Company is also entitled to remuneration for any time and material used to adapt and change the processing activities in order to comply with any changes to the Client’s instruction, including implementation costs and additional costs required to deliver the Services due to the change in the instruction.
7. Termination & Non-Performance
Following expiration or termination of the Agreement, at the written direction of the Client, the Company shall return, or destroy, Personal Data to the Client unless required by Applicable law to store some or all of the Personal Data.
The Company is exempted from liability for non-performance with the Agreement if the performance of the obligations under the Agreement would be in conflict with any changed instruction or if contractual delivery in accordance with the changed instruction is impossible. This could for instance be the case; (i) if the changes to the instruction cannot technically, practically or legally be implemented; (ii) where the Client explicitly requires that the changes to the instruction shall be applicable before the changes can be implemented; or (iii) in the period of time until a mutual agreement is reached and, if necessary, amendments to the Agreement and commercial terms are made.