Data Protection Addendum

Data Protection

The following words shall have the following meanings:

  1. Data Protection Legislation: (i) the Data Protection Act 1998 and then (ii) unless and until the General Data Protection Regulation ((EU) 2016/679) (GDPR) is no longer directly applicable in the UK, the GDPR and any national implementing laws, regulations and secondary legislation, as amended or updated from time to time, in the UK and then (iii) any successor legislation to the GDPR or the Data Protection Act 1998.
  2. Both parties will comply with all applicable requirements of the Data Protection Legislation. This clause is in addition to, and does not relieve, remove or replace, a party's obligations under the Data Protection Legislation.
  3. The parties acknowledge that for the purposes of the Data Protection Legislation, the Client is the Data Controller and the Company is the Data Processor (where Data Controller and Data Processor have the meanings as defined in the Data Protection Legislation). This clause sets out the scope, nature and purpose of processing by the Company, the duration of the processing and the types of personal data (as defined in the Data Protection Legislation, Personal Data) and categories of Data Subject.
  4. The Client warrants that it has obtained and will obtain all legally required consents and permissions from the relevant parties, including employees, directors and data subjects, for the use, processing and transfer of Data as described in this clause and will in all respects abide by the terms of the Data Protection Legislation for the duration and purposes of this agreement.
  5. The Client shall indemnify the Company in respect of liability under the Data Protection Legislation when acting in accordance with the instructions of the Client, this Agreement or as is required by any applicable law.
  6. The Client acknowledges that the Company will, by virtue of the provision of the Service and other services provided hereunder, come into possession of information and data regarding the Client, its employees and directors (“Data”).
  7. This Data may include but shall not be limited to data transmitted, IP addresses, personal information of the Client, its employees, directors and Clients, such as email addresses, addresses and telephone numbers and other information obtained by or provided to the Company.
  8. The Client acknowledges and agrees that the Company may use, process, store and/or transfer the Data: in connection with the provision of the Services provided hereunder; to incorporate the Data into databases controlled by the Company for the purpose of administration, provisioning, reconciliation, analysis and reporting and meeting any legal or regulatory obligation imposed from time to time on the Company; to communicate to the Client regarding the products and services of the Company by voice, letter, fax or email. The Client may withdraw consent to such communications (or use of the Data save as is necessary for the provision of the Service and the fulfilment of the parties' obligations under this Agreement) by delivering a notice to the Company in accordance with the provisions of this Agreement.
  9. The Company shall notify the Client as soon as practicable (but within 24 hours) upon becoming aware of loss or damage to the Client’s data, a Personal Data breach or other security breach. In the event of such loss or damage, the Company will use reasonable commercial endeavours to restore the lost or damaged Client data from the latest backup. If, in the opinion of the Company, a third party is required to carry out work, then the Company shall advise the Client and shall have no other obligations. This is the sole and exclusive remedy for the Client.
  10. The Company shall, in relation to any Personal Data processed in connection with the performance by the Company of its obligations under this agreement:
    1. process that Personal Data only on the written instructions of the Client unless the Company is required by the laws of any member of the European Union or by the laws of the European Union applicable to the Company to process Personal Data (Applicable Laws). Where the Company is relying on laws of a member of the European Union or European Union law as the basis for processing Personal Data, the Company shall promptly notify the Client of this before performing the processing required by the Applicable Laws unless those Applicable Laws prohibit the Company from so notifying the Client;
    2. ensure that it has in place appropriate technical and organisational measures, reviewed and approved by the Client, to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymising and encrypting Personal Data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it);
    3. ensure that all personnel who have access to and/or process Personal Data are obliged to keep the Personal Data confidential; and
    4. not transfer any Personal Data outside of the European Economic Area unless the prior written consent of the Client has been obtained and the following conditions are fulfilled:
      1. the Client or the Company has provided appropriate safeguards in relation to the transfer;
      2. the data subject has enforceable rights and effective legal remedies;
      3. the Company complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred; and
      4. the Company complies with reasonable instructions notified to it in advance by the Client with respect to the processing of the Personal Data;
    5. assist the Client, at the Client's cost, in responding to any request from a Data Subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators;
    6. at the written direction of the Client, delete or return Personal Data and copies thereof to the Client on termination of the agreement unless required by Applicable Law to store the Personal Data; and
    7. maintain complete and accurate records and information to demonstrate its compliance with this clause 23 and allow for audits by the Client or the Client's designated auditor.
  11. Where there is any conflict between the terms of this clause and any other clause in another agreement between the parties, the terms of this clause in this agreement take precedence.
  12. This agreement and any dispute or claim (including non-contractual disputes or claims) arising out of or in connection with it or its subject matter or formation shall be governed by and interpreted in accordance with the law of England and Wales.
  13. The parties irrevocably agree that the courts of England and Wales have exclusive jurisdiction to settle any dispute or claim (including non-contractual disputes or claims) that arises out of, or in connection with, this variation agreement or its subject matter or formation.