DATA PROCESSOR ADDENDUM
1.1 The terms “process/processing”, “data subject”, “data processor”, “data controller”, “personal data”, “personal data breach”, and “data protection impact assessment” shall have the same meaning ascribed to them in Data Protection Laws;
1.2 “Addendum” means this Data Processor Addendum;
1.3 “Authorised Sub-processors” means (a) those Sub-processors (if any) set out in Annex 2 (Authorised Sub-processors); and (b) any additional Sub-processors consented to in writing by the Customer in accordance with section 5.1;
1.4 “Customer” means the Customer or Licensee under the Main Agreement;
1.5 “Data Protection Laws” means in relation to any Personal Data which is Processed in the performance of the Main Agreement i) until 25 May 2018, EU Directive 95/46/EC, as transposed into domestic legislation of each Member State; ii) on and from 25 May 2018 the General Data Protection Regulation (EU) 2016/679 ("GDPR"); iii) EU Directive 2002/58/EC on privacy and electronic communications, as transposed into domestic legislation of each Member State; and iv) any applicable decisions, guidelines, guidance notes and codes of practice issued from time to time by courts, supervisory authorities and other applicable government authorities; in each case together with all laws implementing, replacing, amending or supplementing the same and any other applicable data protection or privacy laws;
1.6 “EEA” means the European Economic Area;
1.7 “Personal Data” means the data described in Annex 1 (Details of Processing of Personal Data) and any other personal data processed by the Supplier on behalf of the Customer pursuant to or in connection with the Main Agreement;
1.8 “Main Agreement” means the license or services agreement into which this Addendum is incorporated;
1.9 “Services” means the services described in the Main Agreement;
1.10 “Standard Contractual Clauses” means the standard contractual clauses for the transfer of personal data to processors established in third countries, as approved by the European Commission in Decision 2010/87/EU, or any set of clauses approved by the European Commission which amends, replaces or supersedes these;
1.11 “Sub-processor” means any data processor (including any affiliate of the Supplier) appointed by the Supplier to process personal data on behalf of the Customer;
1.12 “Supervisory Authority” means (a) an independent public authority which is established by a Member State pursuant to Article 51 GDPR; and (b) any similar regulatory authority responsible for the enforcement of Data Protection Laws;
1.13 “Supplier” means the Supplier or Licensor under the Main Agreement.
2. PROCESSING OF THE PERSONAL DATA
2.1 The parties agree that the Customer is a data controller and that the Supplier is a data processor for the purposes of processing Personal Data.
2.2 Each party shall at all times in relation to processing connected with the Main Agreement comply with Data Protection Laws.
2.3 The Supplier shall only process the types of Personal Data relating to the categories of data subjects for the purposes of the Main Agreement and for the specific purposes in each case as set out in Annex 1 (Details of Processing of Personal Data) to this Addendum and shall not process, transfer, modify,
Data Processor Addendum 4
amend or alter the Personal Data or disclose or permit the disclosure of the Personal Data to any third party other than in accordance with the Customer's documented instructions (whether in the Main or otherwise) unless processing is required by applicable law to which the Supplier is subject, in which case the Supplier shall to the extent permitted by such law inform the Customer of that legal requirement before processing that Personal Data.
2.4 The Supplier shall immediately inform the Customer if, in its opinion, an instruction pursuant to the Main Agreement or this Addendum infringes Data Protection Laws.
2.5 The Customer warrants to and undertakes with the Supplier that all data subjects of the Personal Data have been or will be provided with appropriate notices and information to establish and maintain for the relevant term the necessary legal grounds under Data Protection Laws for transferring the Personal Data to the Supplier to enable the Supplier to process the Personal Data in accordance with this Addendum and the Main Agreement.
3. PROCESSOR PERSONNEL
3.1 The Supplier shall treat all Personal Data as strictly confidential and shall inform all its employees, agents, contractors and/or Authorised Sub-processors engaged in processing the Personal Data of the confidential nature of such Personal Data.
3.2 The Supplier shall take reasonable steps to ensure the reliability of any employee, agent, contractor and/or Authorised Sub-processor who may have access to the Personal Data, ensuring in each case that access is limited to those persons or parties who need to access the relevant Personal Data, as necessary for the purposes set out in section 2.1 above in the context of that person's or party's duties to the Supplier.
3.3 The Supplier shall ensure that all such persons or parties involved in the processing of Personal Data are subject to confidentiality undertakings or are under an appropriate statutory obligation of confidentiality.
4.1 The Supplier shall implement appropriate technical and organisational measures to ensure a level of security of the Personal Data appropriate to the risks that are presented by the processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data transmitted, stored or otherwise processed.
5.1 The Customer authorises the Supplier to engage sub-processors to process Personal Data provided that, the Supplier shall inform the Customer of any intended changes concerning the addition or replacement of other processors, thereby giving the Customer the opportunity to object to such changes. If the Customer objects in writing to the proposed sub-processor within 14 days of the notification, the Customer shall have the right to terminate the Main Agreement.
5.2 With respect to each Sub-processor, the Supplier shall:
5.2.1 carry out adequate due diligence on each Sub-processor to ensure that it is capable of providing the level of protection for the Personal Data as is required by this Addendum including without limitation sufficient guarantees to implement appropriate technical and organisational measures in such a manner that Processing will meet the requirements of Data Protection Laws and this Addendum;
5.2.2 include terms in the contract between the Supplier and each Sub-processor which are the same as those set out in this Addendum, and shall supervise compliance thereof;
5.2.3 in so far as that contract involves the transfer of Personal Data outside of the EEA, incorporate the Standard Contractual Clauses or such other mechanism as appropriate into
Data Processor Addendum 5
the contract between the Supplier and each Sub-processor to ensure the adequate protection of the transferred Personal Data, and shall inform the Customer in the notification referred to in clause 5.1 of the basis on which adequate protection in respect of the processing of Personal Data in such third country(ies) is ensured; and
5.2.4 remain fully liable to the Customer for any failure by each Sub-processor to fulfil its obligations in relation to the Processing of any Personal Data.
5.3 As at the date of the Main Agreement or (if later) implementation of this Addendum, the Customer hereby authorises the Supplier to engage those Sub-processors set out in Annex 2 (Authorised Sub-processors).
6. DATA SUBJECT RIGHTS
6.1 The Supplier shall without undue delay, and in any case within three (3) working days, notify the Customer if it receives a request from a data subject under any Data Protection Laws in respect of Personal Data, including requests by a data subject to exercise rights in chapter III of GDPR, and shall provide full details of that request.
6.2 The Supplier shall co-operate as reasonably requested by the Customer to enable the Customer to comply with any exercise of rights by a data subject under any Data Protection Laws in respect of Personal Data and to comply with any assessment, enquiry, notice or investigation under any Data Protection Laws in respect of Personal Data or the Main Agreement, which shall include:
6.2.1 the provision of all information reasonably requested by the Customer within any reasonable timescale specified by the Customer in each case, including full details and copies of the complaint, communication or request and any Personal Data it holds in relation to a data subject;
6.2.2 where applicable, providing such assistance as is reasonably requested by the Customer to enable the Customer to comply with the relevant request within the timescales prescribed by Data Protection Laws; and
6.2.3 implementing any additional technical and organisational measures as may be reasonably required by the Customer to allow the Customer to respond effectively to relevant complaints, communications or requests.
7. INCIDENT MANAGEMENT
7.1 In the case of a personal data breach, the Supplier shall without undue delay notify the personal data breach to the Customer providing the Customer with sufficient information which allows the Customer to meet any obligations to report a personal data breach under Data Protection Laws. Such notification may be made in stages but shall as a minimum:
7.1.1 describe the nature of the personal data breach, the categories and numbers of data subjects concerned, and the categories and numbers of Personal Data records concerned;
7.1.2 communicate the name and contact details of the Supplier's data protection officer or other relevant contact from whom more information may be obtained;
7.1.3 describe the likely consequences of the personal data breach; and
7.1.4 describe the measures taken or proposed to be taken to address the data breach, including, where appropriate, measures to mitigate its possible adverse effects.
7.2 The Supplier shall fully co-operate with the Customer and take such reasonable steps as are directed by the Customer to assist in the investigation, mitigation and remediation of each personal data breach, in order to enable the Customer to (i) perform a thorough investigation into the personal data breach,
Data Processor Addendum 6
(ii) formulate a correct response and to take suitable further steps in respect of the personal data breach in order to meet any requirement under Data Protection Laws.
7.3 The parties agree to coordinate and cooperate in good faith on developing the content of any related public statements or any required notices for the affected persons.
8. DATA PROTECTION IMPACT ASSESSMENT AND PRIOR CONSULTATION
8.1 The Supplier shall, at the Customer’s request, provide reasonable assistance to the Customer with any data protection impact assessments and any consultations with any Supervisory Authority of the Customer as may be required in relation to the processing of Personal Data by the Supplier on behalf of the Customer.
9. DELETION OR RETURN OF CONTROLLER PERSONAL DATA
9.1 Unite Communications Limited retains records of collections after termination of the Agreement in order to deal with post termination Indemnity Claim(s) in accordance with the Main Agreement. To the extent that Personal Data is not required for this purpose, upon request made by the Customer within thirty (30) days of the earlier of: (i) cessation of processing of Personal Data by the Supplier; or (ii) termination of the Main Agreement, the Supplier shall return all Personal Data to the Customer. After such thirty (30) day period, the Supplier shall securely dispose of Personal Data and delete all copies of it (except to the extent that any applicable law requires the Supplier to retain a copy of such Personal Data) and Customer acknowledges that the Supplier will have no obligation to maintain or provide such Personal Data.
10. AUDIT RIGHTS
10.1 The Supplier shall make available to the Customer on request all information necessary to demonstrate compliance with this Addendum and Data Protection Laws and allow for and contribute to audits, including inspections by the Customer or another auditor mandated by the Customer of any premises where the processing of Personal Data takes place.
10.2 The Supplier shall permit the Customer or another auditor mandated by the Customer during normal working hours and on reasonable prior notice to inspect, audit and copy any relevant records, processes and systems in order that the Customer may satisfy itself that the provisions of Data Protection Laws and this Addendum are being complied with.
10.3 The Supplier shall provide full co-operation to the Customer in respect of any such audit and shall at the request of the Customer, provide the Customer with evidence of compliance with its obligations under this Addendum and Data Protection Laws.
11. INTERNATIONAL TRANSFERS OF CONTROLLER PERSONAL DATA
11.1 The Supplier shall not (permanently or temporarily) process the Personal Data nor permit any Authorised Sub-processor to (permanently or temporarily) process the Personal Data in a country outside of the EEA without an adequate level of protection, other than in respect of those recipients in such countries listed in Annex 3 (Authorised Transfers of Personal Data) or in accordance with clause 5.2.3, unless authorised in writing by the Customer in advance.
13. The disclaimers and limitations of liability set out under the Main Agreement shall apply also to this Addendum.
14.1 The Customer shall pay any reasonable costs and expenses incurred by the Supplier in meeting the Customer’s requests made under this Addendum.
Data Processor Addendum 7
15.1 Any obligation imposed on the Supplier under this Addendum in relation to the processing of Personal Data shall survive any termination or expiration of the Main Agreement.
15.2 With regard to the subject matter of this Addendum, in the event of any conflict or inconsistency between any provision of the Main Agreement and any provision of this Addendum, the provision of this Addendum shall prevail. In the event of any conflict or inconsistency between the Main Agreement or this Addendum and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.
Data Processor Addendum 8
ANNEX 1: DETAILS OF PROCESSING OF PERSONAL DATA
This Annex 1 includes certain details of the processing of Personal Data as required by Article 28(3) GDPR.
Subject matter and duration of the processing of Personal Data
The Supplier will process personal data relating to the Customer’s payors in the course of providing direct debit processing services during the term of the Main Agreement and will also retain transaction records beyond termination for the purposes of dealing with indemnity claims made after termination as set out in the Main Agreement.
The nature and purpose of the processing of Personal Data
Direct debit processing services including the submission of payment files to the Bacs system including the return of data to the Customer directly or by way of interface with the Customer’s other systems.
The types of Personal Data to be processed
Payment information consisting of account number, sort code, and the name of the Customers
The categories of data subject to whom the Personal Data relates
ANNEX 2: AUTHORISED SUB-PROCESSORS
Nexus Technology Services
ANNEX 3: AUTHORISED TRANSFERS OF CONTROLLER PERSONAL DATA
None outside the EEA, save where the Customer is based outside the EEA (in respect of the return of data) and/or requests an interface to return data directly to its other systems hosted outside the EEA