Data Protection

1.1 For the purpose of this Schedule, the following terms shall have the following meanings:

a. Counterparty: means the entity entering into this Agreement with the Company.

b. Data Controller: shall have the meaning of ‘data controller’ set out in Article 4(7) of the GDPR or the equivalent clause of such legislation which may implement the same in the UK.

c. Data Processor: shall have the meaning of ‘data processor’ set out in Article 4(8) of the GDPR or the equivalent clause of such legislation which may implement the same in the UK.

d. Data Protection Legislation: means, for such time as they are in force in England and Wales, the DPA, the GDPR and all related legislation which may supplement, amend, implement or replace them and which relates to the protection of individuals’ rights in their personal data and the protection of their privacy.

e. Data Subject: means an individual who is the subject of Personal Data.

f. DPA: means the Data Protection Act 2018.

g. EEA: means the European Economic Area and also includes the United Kingdom whether or not it is a member of the European Economic Area.

h. GDPR: means Regulation (EU) 2016/679 and/or such legislation as may give effect to its terms in England and Wales.

i. Personal Data: has the meaning set out in Article 4(1) of the GDPR, and for the purposes of this Agreement means Personal Data provided by one party to this Agreement to the other.

j. Processing and Process: have the meaning set out in section 1(1) of the DPA.

k. Sensitive Personal Data: has the meaning set out in Article 9(1) of the GDPR.

 

2. Controller’s obligations

2.1 The Company and the Counterparty agree that, for the purposes of Data Protection Legislation, the Company shall be the Data Controller and the Counterparty shall be the Data Subject in respect of any Personal Data which identifies the Counterparty and is transferred from the Counterparty to the Company in accordance with this Agreement.

2.2 The Data Controller shall Process the Counterparty’s Personal Data for any and all purposes reasonably required in furtherance of this Agreement and its objectives.

 

3. Processor’s obligations

3.1 The Company and the Counterparty further agree that the Company shall be the Data Controller and the Counterparty shall be a Data Processor in respect of any Personal Data which identifies Data Subjects other than the parties to this Agreement which may be transferred from the Company to the Counterparty in accordance with this Agreement.

 

3.2 The Data Processor shall Process the Personal Data only to the extent necessary to perform its obligations pursuant to this Agreement and/or in accordance with the Data Controller’s instructions from time to time, and shall not Process the Personal Data for any purpose other than enabling it to fulfil its obligations pursuant to this Agreement or to perform any other activity which may be authorised by the Data Controller from time to time.

 

4. Extent of Processing in scope

4.1 The parties note that they foresee a very limited scope for the transfer of Personal Data between the parties to this Agreement, but to the extent that any such transfer of Personal Data may occur the parties anticipate that such data may include:

(a) data relating to the Counterparty which is required in order for the Company to perform its obligation under the Agreement including Personal Data such as name, address and contact details; and

(b) data relevant to services provided pursuant to the main agreement as may be more particularly set out in the Deal Terms.

4.2 The parties shall Process the Personal Data identified in 4.1 to the extent necessary to:

(a) perform their obligations pursuant to the terms of the main Agreement;

(b) and/or in accordance with the Data Controller’s reasonable, lawful instructions from time to time;

(c) and shall not Process the Personal Data for any purpose other than enabling them to fulfil their obligations pursuant to this Agreement or to perform any other activity which may be authorised by the Data Controller from time to time.

 

4.3 The parties will delete or destroy any Personal Data when it is no longer necessary for the purpose(s) for which it was shared.

 

5. Data Protection Warranties

5.1 Each party warrants to the other that it will Process the Personal Data in compliance with all applicable Data Protection Legislation.

 

5.2 Where a party to this Agreement becomes a Data Processor pursuant to it, it warrants that:

 (a) having regard to the reasonably available state of the art of technological development, the nature of the Processing in question, the cost of implementation, and the material risk to the rights of affected Data Subjects, the Data Processor will take appropriate technical and organisational measures to secure relevant Personal Data against the unauthorised or unlawful Processing and against the accidental loss or destruction;

 (b) it will not transfer any Personal Data outside of the European Economic Area without the prior authorisation of the Data Controller or as is strictly necessary for the performance of its obligations hereunder;

 (c) it will promptly report to the Data Controller any actual or suspected data breach concerning Personal Data that relates to this Agreement which comes to its attention and shall in relation to such breaches:

 (i) do all such things as reasonably necessary to assist the Data Controller in mitigating the effects of the data breach;

 (ii) implement any measures necessary to restore the security of any compromised Personal Data;

 (iii) work with the Data Controller to make any required notifications to the Information Commissioner’s Office and affected Data Subjects in accordance with the Data Protection Legislation (including the timeframes set out therein); and

 (iv) not do anything which may damage the reputation of the Data Controller or that party’s relationship with the relevant Data Subjects, save as required by law; and

 (d) it will, on request, take reasonable steps to demonstrate to the Data Controller, to the extent that is reasonable given the nature of the Processing in question, that it complies with Data Protection Legislation.

 

6. Indemnity

6.1 Each party agrees to indemnify and keep indemnified and defend at its own expense the other party against all costs, claims, damages or expenses incurred by the other party or for which the other party may become liable due to any failure by the first party or its employees or agents to comply with any of its obligations pursuant to sections 0 or 5 of this Schedule. In order to avail itself of this indemnity the claiming party must: promptly notify the indemnifier of any relevant claim of which the indemnified party becomes aware; not make any admission of liability or offer to settle in respect of any relevant claim without the prior written permission of the indemnifier; grant the indemnifier full control of all relevant proceedings on request; and provide the indemnifier with such assistance in dealing with such claims as it may reasonably request.

 

7. Appointment of sub-contractors

7.1 The Data Processor may not authorise any third party to Process Personal Data provided by the Data Controller without the prior written consent of the Data Controller and without first obliging them to treat that Personal Data to the same standard as it is obliged to do so.