Data Processing Addendum
DATA PROCESSING AGREEMENT
This Data Processing Agreement (DPA) is made by and between the parties to any Order Form or Terms incorporating this DPA by reference and this DPA shall be in addition to any obligations set out in any Order Form or Terms.
All capitalised terms in this DPA shall have the meaning as prescribed by the Intelligent VC Terms as located at https://www.intelligentvc.co.uk/ts-cs or as otherwise agreed between the parties, unless otherwise specified below.
means as applicable and binding on the Client, Intelligent VC and/or the Services:
(a) any law, statute, regulation, byelaw or subordinate legislation in force from time to time to which a party is subject and/or in any jurisdiction that the Services are provided to or in respect of, as may be specified in Terms;
(b) the common law and laws of equity as applicable to the parties from time to time;
(c) any binding court order, judgment or decree; or
(d) any applicable direction, policy, rule or order that is binding on a party and that is made or given by any regulatory body having jurisdiction over a party or any of that party’s assets, resources or business;
means such legally enforceable mechanism(s) for transfers of Personal Data as may be permitted under Data Protection Laws from time to time (including, but not limited to, EU Model Contract Clauses or Privacy Shield certification);
has the meaning given to that term (or to the term ‘controller’) in Data Protection Laws;
has the meaning given to that term (or to the term ‘processor’) in Data Protection Laws;
Data Protection Laws
means as applicable and binding on the Client, Intelligent VC and/or the Services:
(a) in the United Kingdom:
(i) the Data Protection Act 1998 and any laws or regulations implementing Directive 95/46/EC (Data Protection Directive); and/or
(ii) the General Data Protection Regulation (EU) 2016/679 (or “GDPR”) and/or any corresponding or equivalent national laws or regulations; and/or
(iii) the Privacy and Electronic Communications (EC Directive) Regulations 2003 and/or any corresponding or equivalent national laws or regulations.
(b) in member states of the European Union: the Data Protection Directive or the GDPR, once applicable, and all relevant member state laws or regulations giving effect to or corresponding with any of them;
(c) specifically in relation to the Client, all data protection and/or privacy laws in which recipient Data Subjects of emails sent via the Services are located;
(d) any Applicable Laws replacing, amending, extending, re-enacting or consolidating any of the above Data Protection Laws from time to time;
Data Protection Losses
means all liabilities, including all:
(a) costs (including legal costs), claims, demands, actions, settlements, interest, charges, procedures, expenses, losses and damages (including relating to material or non-material damage); and
(b) to the extent permitted by Applicable Law:
(i) administrative fines, penalties, sanctions, liabilities or other remedies imposed by a Supervisory Authority;
(ii) compensation which is ordered by a Supervisory Authority to be paid to a Data Subject; and
(iii) the reasonable costs of compliance with investigations by a Supervisory Authority;
has the meaning given to that term in Data Protection Laws;
Data Subject Request
means a request made by a Data Subject to exercise any rights of Data Subjects under Data Protection Laws;
means from when the GDPR applies on 25 May 2018;
means an organisation and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries;
has the meaning given to that term in clause 6;
has the meaning given to that term in Data Protection Laws;
Personal Data Breach
means any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, any Protected Data;
has the meanings given to that term in Data Protection Laws (and related terms such as process have corresponding meanings);
has the meaning given to that term in clause 3.2.1;
means Personal Data received from or on behalf of the Client in connection with the performance of Intelligent VC’s obligations under this Agreement;
means another Data Processor engaged by Intelligent VC for carrying out processing activities in respect of the Protected Data on behalf of the Client; and
means any local, national or multinational agency, department, official, parliament, public or statutory person or any government or professional body, regulatory or supervisory authority, board or other body responsible for administering Data Protection Laws.
references to any Applicable Laws (including to the Data Protection Laws and each of them) and to terms defined in such Applicable Laws shall be replaced with or incorporate (as the case may be) references to any Applicable Laws replacing, amending, extending, re-enacting or consolidating such Applicable Law (including the GDPR and any new Data Protection Laws from time to time) and the equivalent terms defined in such Applicable Laws, once in force and applicable. A reference to a law includes all subordinate legislation made under that law.
1.1 This DPA will take effect from either (as applicable):
1.1.1 The GDPR Date, if Client accepts the terms of this DPA prior to or on 25 May 2018; or
1.1.2 The date on which the Client accepts the terms of this DPA, if after the GDPR Date,
and shall continue until the end of Intelligent VC’s provision of the Services (including any period of suspension, where relevant) (“Term”).
2. Data Processor and Data Controller
2.1 The parties agree that, for the Protected Data, the Client shall be the Data Controller and Intelligent VC shall be the Data Processor.
2.2 Intelligent VC shall process Protected Data in compliance with:
2.2.1 the obligations of Data Processors under Data Protection Laws in respect of the performance of its obligations under this Agreement; and
2.2.2 the terms of this DPA, the Terms and the Order Form which sets out the Client’s instructions in relation to such processing activities.
2.3 The Client shall comply with:
2.3.1 all Data Protection Laws in connection with the processing of Protected Data, the Services and the exercise and performance of its respective rights and obligations under this Agreement, including maintaining all relevant regulatory registrations and notifications as required under Data Protection Laws; and
2.3.2 the terms of this DPA.
2.4 The Client warrants, represents and undertakes, that:
2.4.1 all data sourced by the Client for use in connection with the Services shall comply in all respects, including in terms of its collection, storage and processing (which shall include the Client providing all of the required fair processing information to, and obtaining all necessary consents from, Data Subjects), with Data Protection Laws;
2.4.2 all instructions given by it to Intelligent VC in respect of Personal Data shall at all times be in accordance with Data Protection Laws; and
2.4.3 it has undertaken due diligence in relation to Intelligent VC’s processing operations, and it is satisfied that:
(a) Intelligent VC’s processing operations are suitable for the purposes for which the Client proposes to use the Services and engage Intelligent VC to process the Protected Data; and
(b) Intelligent VC has sufficient expertise, reliability and resources to implement technical and organisational measures that meet the requirements of Data Protection Laws.
2.5 The Client shall not unreasonably withhold, delay or condition its agreement to any change or amendment requested by Intelligent VC in order to ensure the Services and Intelligent VC (and each Sub-Processor) can comply with Data Protection Laws.
3 Instructions and details of processing
3.1 By entering into this DPA, Client instructs Intelligent VC to process Client Protected Data only in accordance with Applicable Law:
3.1.1 To provide the Services;
3.1.2 As further specified by Client’s use of the Services or the Software;
3.1.3 As documented in the form of the terms and this DPA; and
3.1.4 As further documented in any other written instructions provided by the Client and acknowledged by Intelligent VC as being instructions for the purposes of this DPA.
3.2 Insofar as Intelligent VC processes Protected Data on behalf of the Client, Intelligent VC:
3.2.1 unless required to do otherwise by Applicable Law, shall (and shall take steps to ensure each person acting under its authority shall) process the Protected Data only on and in accordance with the Client’s documented instructions as set out in this clause, as updated from time to time as agreed between the parties (Processing Instructions);
3.2.2 if Applicable Law requires it to process Protected Data other than in accordance with the Processing Instructions, shall notify the Client of any such requirement before processing the Protected Data (unless Applicable Law prohibits such information on important grounds of public interest); and
3.2.3 shall inform the Client if Intelligent VC becomes aware of a Processing Instruction that, in Intelligent VC’s opinion, infringes Data Protection Laws, provided that:
(a) this shall be without prejudice to clauses 2.3 and 2.4; and
(b) to the maximum extent permitted by mandatory law, Intelligent VC shall have no liability howsoever arising (whether in contract, tort (including negligence) or otherwise) for any losses, costs, expenses or liabilities (including any Data Protection Losses) arising from or in connection with any processing in accordance with the Client’s Processing Instructions following the Client’s receipt of that information; and
3.3 The subject matter and details of the processing of Protected Data to be carried out by Intelligent VC under this DPA shall comprise the processing set out in Schedule 1 (Data processing details), as may be updated from time to time as agreed between the parties.
4 Technical and organisational measures
4.1 Intelligent VC shall implement and maintain, at its cost and expense and in relation to the processing of Protected Data by Intelligent VC, technical and organisational measures taking into account the nature of the processing, to assist the Client insofar as is possible in the fulfilment of the Client’s obligations to respond to Data Subject Requests relating to Protected Data.
5 Using Sub-Processors
5.1 Subject to the below, Intelligent VC shall not engage any Sub-Processor for carrying out any processing activities in respect of the Protected Data without the Client’s written authorisation (such authorisation not to be unreasonably withheld, conditioned or delayed).
5.2 Client specifically authorises the engagement of Intelligent VC’s affiliates and associated group companies as Sub-Processors and also authorises the appointment of any of the Sub-Processors.
5.3 Intelligent VC shall ensure:
5.3.1 via a written contract that the Sub-Processor only accesses and processes Protected Data to perform the obligations subcontracted to it and does so in accordance with the measures contained in this DPA that is enforceable by Intelligent VC; and
5.3.2 remain fully liable for all the acts and omissions of each Sub-Processor as if they were its own.
5.4 When any new Sub-Processor is engaged by Intelligent VC during the Term, Intelligent VC shall give Client 30 days’ prior notice of the appointment of any new Sub-processor, including details of the Processing to be undertaken by the Sub-processor, via either email, the Software or the Site.
5.5 Client may object (on reasonable grounds) to any new Sub-Processor appointed per clause 5.4 above within 14 days of Intelligent VC’s notice. If Client notifies Intelligent VC in writing of any objections to the proposed appointment:
5.5.1 Intelligent VC shall work with Client in good faith to make available a commercially reasonable change in the provision of the Services which avoids the use of that proposed Sub-processor; and
5.5.2 where such a change cannot be made within 14 days of Intelligent VC’s receipt of Client’s notice, Client may by written notice to Intelligent VC with immediate effect terminate the Service Agreement to the extent that it relates to the Services which require the use of the proposed Sub-processor. This termination right is Client’s sole and exclusive remedy to Client’s objection of any Sub-Processor appointed by Intelligent VC during the Term.
6 International data transfers
6.1 The Client agrees that Intelligent VC may transfer any Protected Data to countries outside the European Economic Area (EEA) or to any International Organisation(s) (an International Recipient), provided all transfers by Intelligent VC of Protected Data to an International Recipient shall (to the extent required under Data Protection Laws) be effected by way of Appropriate Safeguards and in accordance with Data Protection Laws. The provisions of this Agreement shall constitute the Client’s instructions with respect to transfers in accordance with clause 3.1.
7.1 Intelligent VC shall ensure that all persons authorised by it (or by any Sub-Processor) to process Protected Data are subject to a binding written contractual obligation to keep the Protected Data confidential (except where disclosure is required in accordance with Applicable Law, in which case Intelligent VC shall, where practicable and not prohibited by Applicable Law, notify the Client of any such requirement before such disclosure).
8 Assistance with the Client’s compliance and Data Subject rights
8.1 Intelligent VC shall refer all Data Subject Requests it receives to the Client within three Business Days of receipt of the request, provided that if the number of Data Subject Requests exceeds three per calendar month, the Client shall pay Intelligent VC’s Charges calculated on a time and materials basis for recording and referring the Data Subject Requests in accordance with this clause 8.1.
8.2 Further to the above and notwithstanding anything to the contrary in the Terms, Intelligent VC reserves the right to disclose the identity of the Client to any relevant Data Subject following any such request from a Data Subject.
8.3 Intelligent VC shall provide such reasonable assistance as the Client reasonably requires (taking into account the nature of processing and the information available to Intelligent VC) to the Client in ensuring compliance with the Client’s obligations under Data Protection Laws with respect to:
8.3.1 security of processing;
8.3.2 data protection impact assessments (as such term is defined in Data Protection Laws);
8.3.3 prior consultation with a Supervisory Authority regarding high risk processing; and
8.3.4 notifications to the Supervisory Authority and/or communications to Data Subjects by the Client in response to any Personal Data Breach.
9 Records, information and audit
9.1 Intelligent VC shall maintain, in accordance with Data Protection Laws binding on Intelligent VC, written records of all categories of processing activities carried out on behalf of the Client.
9.2 Intelligent VC shall, in accordance with Data Protection Laws, make available to the Client such information as is reasonably necessary to demonstrate Intelligent VC’s compliance with the obligations of Data Processors under Data Protection Laws, and allow for and contribute to audits, including inspections, by the Client (or another auditor mandated by the Client) for this purpose, subject to the Client:
9.2.1 giving Intelligent VC reasonable prior notice of such information request, audit and/or inspection being required by the Client;
9.2.2 ensuring that all information obtained or generated by the Client or its auditor(s) in connection with such information requests, inspections and audits is kept strictly confidential (save for disclosure to the Supervisory Authority or as otherwise required by Applicable Law);
9.2.3 ensuring that such audit or inspection is undertaken during normal business hours, with minimal disruption to Intelligent VC’s business and the business of other Clients of Intelligent VC; and
9.2.4 paying Intelligent VC’s reasonable costs for assisting with the provision of information and allowing for and contributing to inspections and audits.
10 Breach notification
10.1 In respect of any Personal Data Breach involving Protected Data, Intelligent VC shall, without undue delay (but in any event within 24 hours) from when Intelligent VC becomes aware of the same:
10.1.1 notify the Client of the Personal Data Breach; and
10.1.2 provide the Client, where possible, with details of the Personal Data Breach.
11 Deletion or return of Protected Data and copies
11.1 Intelligent VC shall, at the Client’s written request, or provide facilities for the Client to either delete or return all the Protected Data to the Client in such form as the Client reasonably requests within a reasonable time after the earlier of:
11.1.1 the end of the provision of the relevant Services related to processing; or
11.1.2 once processing by Intelligent VC of any Protected Data is no longer required for the purpose of Intelligent VC’s performance of its relevant obligations under this Agreement,
and delete existing copies (unless storage of any data is required by Applicable Law and, if so, Intelligent VC shall inform the Client of any such requirement).
12 Liability, indemnities and compensation claims
12.1 The Client shall indemnify and keep indemnified Intelligent VC in respect of all Data Protection Losses suffered or incurred by, awarded against or agreed to be paid by, Intelligent VC and any Sub-Processor arising from or in connection with any:
12.1.1 non-compliance by the Client with the Data Protection Laws;
12.1.2 processing carried out by Intelligent VC or any Sub-Processor pursuant to any Processing Instruction that infringes any Data Protection Law; or
12.1.3 breach by the Client of any of its obligations under clauses 1 to 13 (inclusive), except to the extent Intelligent VC is liable under clause
12.2 Intelligent VC shall be liable for Data Protection Losses (howsoever arising, whether in contract, tort (including negligence) or otherwise) under or in connection with this DPA:
12.2.1 only to the extent caused by the processing of Protected Data under this DPA and directly resulting from Intelligent VC’s breach of clauses 1 to 13 (inclusive); and
12.2.2 in no circumstances to the extent that any Data Protection Losses (or the circumstances giving rise to them) are contributed to or caused by any breach of this DPA by the Client (including in accordance with clause 3.2.3(b)).
12.3 Subject to clauses 12.1 and 12.2 above and where expressly stated the total combined liability of either party (and its affiliates) to the other (and its affiliates) in connection with the Terms and this DPA will be limited to that as specified in the Terms. Nothing in this clause 12.3 will otherwise affect the remaining provisions of the Terms relating to liability or any specific exclusions for any limitations of liability.
12.4 If a party receives a compensation claim from a person relating to processing of Protected Data, it shall promptly provide the other party with notice and full details of such claim. The party with conduct of the action shall:
12.4.1 make no admission of liability nor agree to any settlement or compromise of the relevant claim without the prior written consent of the other party (which shall not be unreasonably withheld or delayed); and
12.4.2 consult fully with the other party in relation to any such action. The parties agree that the Client shall not be entitled to claim back from Intelligent VC any part of any compensation paid by the Client in respect of such damage to the extent that the Client is liable to indemnify Intelligent VC in accordance with clause 12.1.
12.5 This clause 12 is intended to apply to the allocation of liability for Data Protection Losses as between the parties, including with respect to compensation to Data Subjects, notwithstanding any provisions under Data Protection Laws to the contrary, except:
12.5.1 to the extent not permitted by Applicable Law (including Data Protection Laws); and
12.5.2 that it does not affect the liability of either party to any Data Subject.
13 Survival of data protection provisions
13.1 Clauses 2 to 13 (inclusive) shall survive termination (for any reason) or expiry of this Agreement and continue:
13.1.1 indefinitely in the case of clauses 10 to 13 (inclusive); and
13.1.2 until 12 months following the earlier of the termination or expiry of this Agreement in the case of clauses 2 to 9 (inclusive),
provided always that any termination or expiry of clauses 2 to 9 (inclusive) shall be without prejudice to any accrued rights or remedies of either party under any such clauses at the time of such termination or expiry.
SCHEDULE 1 DATA PROCESSING DETAILS
Subject-matter of processing:
Intelligent VC’s provision of the Services to the Client.
Duration of the processing:
The term of any relevant Order Form until deletion of all Protected Data by Intelligent VC in accordance with the DPA.
Nature and purpose of the processing:
Intelligent VC will process Client Protected Data for the purposes of providing the Services to the Client in accordance with the DPA and the Terms.
Type of Personal Data:
Data relating to individuals provided to Intelligent VC via the provision of the Services by or at the direction of the Client or end-users of the Client.
Categories of Data Subjects:
Data subjects include the individuals about whom data is provided to Intelligent VC via the Services by or at the direction of Client or end-users of the Client.