DATA PROCESSING ADDENDUM
INTRODUCTION AND SCOPE
(A) With effect from 25 May 2018 (except provisions relating to law enforcement processing, in which case those provisions relating to such processing shall apply from 6 May 2018) (“the Effective Date”) save where expressly stated in this Data Processing Addendum, the terms of this Data Processing Addendum shall delete and replace all previous data protection, privacy and security provisions contained within the written agreement between the Client and Key Computers pursuant to which Key Computers has agreed to provide certain services to the Client (“the “Agreement”) and any associated schedule, addendum ,special conditions, variations or special terms relating thereto if applicable. (B) Notwithstanding the terms of the Agreement, except where indicated otherwise, from the Effective Date, the terms of this Data Processing Addendum shall apply to the relationship between the parties and these additional terms shall take precedence over the terms in the Agreement. (C) Except as set out in this Data Processing Addendum, the Agreement shall remain unchanged and in full force and effect. (D) Definitions set out in the Agreement shall also apply in this Data Processing Addendum unless the context otherwise expressly requires. (E) All references in this Data Processing Addendum to clauses are to the clauses in this Data Processing Addendum unless otherwise stated. (F) All reference to Key Computers in this Data Processing Addendum shall mean Key Computer Applications Ltd, Cloud Geeni, Service Geeni and any approved sub processors with whom you have an agreement, through Key Computers of Cavan House, Ellesmere Street, Leigh, Greater Manchester, WN7 4LQ 1.
DEFINITIONS AND INTERPRETATIONS
1.1 In this Data Processing Addendum, the following definitions shall apply: “Additional Terms” means any special terms and conditions relating to the use of Supplier Data as updated from time to time and as set out in the appendices to the Agreement which will apply if the Client has selected to use the relevant element of the Service incorporating the Supplier Data. “Client Data” any Personal Data provided to Key Computers by the Client for processing in accordance with the terms of the Agreement. “Data Controller” shall have the meaning as set out in the GDPR. “Data Processor” shall have the meaning as set out in the GDPR. “Data Subject” shall have the meaning as set out in the GDPR, and for the purposes of the Agreement and this Data Processing Addendum, this may include a Data Subjects whose details are provided to Key Computers by the Client as part of the Client Data or whose details are contained within the Supplier Data. “Data Supplier” means Key Computer’s third-party data suppliers that provide Supplier Data for use in Key Computer’s products and services. “GDPR” means General Data Protection Regulation (EU) 2016/679 as in force from time to time as transposed into domestic legislation of each Member State and as amended, replaced or superseded from time to time, including by the GDPR and laws implementing or supplementing GDPR. “LED” means the Law Enforcement Directive (Directive (EU) 2016/680) (as transposed into domestic legislation of each Member State) as may be applicable with regard to the processing of Personal Data by a competent authority (as defined in the LED) for the purposes of prevention, investigation, detection or prosecution of criminal offences or execution of criminal penalties. “Personal Data” shall have the meaning set out in the GDPR including any information relating to a Data Subject; who can be identified directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. “Privacy and Data Protection Requirements” all applicable laws and regulations relating to the processing of personal data and privacy in any relevant jurisdiction, including, if relevant, the GDPR (for so long as and to the extent that the laws of the European Union have legal effect in England and Wales), the Data Protection Act 2018, the LED the Regulation of Investigatory Powers Act 2000, the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000 (SI 2000/2699) and the Privacy and Electronic Communication Regulations 2003, any amendment, consolidation or re-enactment thereof, any legislation of equivalent purpose or effect enacted in England and Wales, and any orders, guidelines and instructions issued under any of the above by relevant national authorities, a judicial authority in England and Wales or a European Union judicial authority with applicability to England and Wales. “Sub-processor” means a natural or legal person, public authority, agency or any other body contracted by the Data Processor to process Personal Data for the purpose of carrying out a specific processing activity on behalf of the Data Controller. “Supplier Data” means any Personal Data provided to Key Computers and/or the Client by the Data Supplier or used within key Computer’s products and services in accordance with the terms of the Agreement. “Supervisory Authority” means an independent public authority which is established by a Member State pursuant to Article 51 of GDPR.
2. GENERAL 2.1 Both Parties warrant that they will comply with their respective obligations under the Privacy and Data Protection Requirements and the terms of this Data Processing Addendum. This clause 2.1 is in addition to, and does not relieve, remove or replace, a party’s obligations under any Privacy and Data Protection Requirements. 2.2 For the purpose of this Data Processing Addendum, the Client is the Data Controller and Key Computers is the Data Processor.
3. CONTROLLER OBLIGATIONS IN RELATION TO PROCESSING OF CLIENT DATA 3.1 The Client warrants and represents that all instructions provided to Key Computers in relation to the processing of Client Data are lawful and shall as a minimum include: (a) The nature and purpose of the processing of the Client Data; (b) The types of Personal Data to be processed; and (c) The categories of Data Subjects to whom the Personal Data relates. 3.2 The Client shall only provide instructions to Key Computers that are in accordance with the terms of the Agreement and this Data Processing Addendum. Such instructions shall be limited to the subject matter of the relevant Services under the Agreement and the Client acknowledges that Key Computers is under no duty to investigate the completeness, accuracy or sufficiency of the Client’s instructions or the Client Data. 3.3 The Client will ensure that it has all necessary appropriate consents and notices in place to enable the lawful transfer of Client Data to Key Computers for the duration and purposes of the Agreement and this Data Processing Addendum. 3.4 The Client acknowledges that as Data Controller it is solely responsible for determining the lawful processing condition upon which it shall rely in providing instructions to Key Computers to process Client Data for the purposes of carrying out the Services as set out in the Agreement. 3.5 The Parties acknowledge and accept that processing of Personal Data belonging to an EEA Data Subject and/or the processing of Personal Data in the context of the activities of an establishment of a Data Controller or Data Processor within the EEA shall be lawful only if and to the extent that either an exemption, Article 2 GDPR or at least one of the following conditions (as specified on this Data Processing Addendum or Order Form as may be applicable) applies: (a) the Data Subject has given consent to the processing of his or her Personal Data for one or more specific purposes; (b) processing is necessary for the performance of a contract to which the Data Subject is party or in order to take steps at the request of the Data Subject prior to entering into a contract; (c) processing is necessary for compliance with a legal obligation to which the Data Controller is subject; (d) processing is necessary in order to protect the vital interests of the Data Subject or of another natural person; (e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Data Controller; or (f) processing is necessary for the purposes of the legitimate interests pursued by the Data Controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the Data Subject which require protection of Personal Data, in particular where the Data Subject is a child.
4. DATA PROCESSOR OBLIGATIONS IN RELATION TO THE PROCESSING OF CLIENT DATA 4.1 To the extent that the performance of Key Computer’s obligations, and any supporting and/or ancillary activities, involves processing Client Data, Key Computers acting as Data Processors hall: (a) only carry out processing of Client Data (i) only to the extent necessary for Key Computers to provide the services it has contractually agreed to provide to the Client under the Agreement and this Data Processing Addendum and (ii) in accordance with the Client’s documented instructions, including where relevant for transfers of Client Data outside the European Economic Area (“EEA”) or to an international organisation (unless Key Computers is otherwise required to process Client Data by European Union, Member State and/or English law to which Key Computers is subject, in which case Key Computers shall inform the Client of that legal requirement before processing unless prohibited by that law on important grounds of public interest), and shall immediately inform the Client if, in Key Computer’s opinion, any instruction given by the Client to Key Computers infringes the Privacy and Data Protection Requirements; (b) notify the Client without undue delay of any requests received from a Data Subject exercising their rights under Privacy and Data Protection Requirements and, taking into account the nature of the processing, assist the Client by taking appropriate technical and organisational measures, insofar as this is possible, with fulfilling its obligations in respect of Data Subject rights under Privacy and Data Protection Requirements, including assisting the Client in responding to any subject access requests or requests from Data Subjects for access to, rectification, erasure or portability of Personal Data, or for restriction of processing or objections to processing of Personal Data; (c) take all appropriate technical and organisational security measures required in accordance with Privacy and Data Protection Requirements (including Article 32 GDPR), and at the request of the Client provide a written description of, and rationale for, the technical and organisational measures implemented, or to be implemented, to protect the Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data transmitted stored or otherwise processed; and detect and report Personal Data breaches without undue delay; (d) taking into account the nature of the processing and the information available to Key Computers, use all reasonable measures to assist the Client in ensuring compliance with the Client’s obligations to; i. keep Personal Data secure (Article 32 GDPR); ii. notify Personal Data breaches to the Supervisory Authority (Article 33 GDPR); iii. advise Data Subjects when there has been a Personal Data breach (Article 34 GDPR); iv. carry out data protection impact assessments (Article 35 GDPR); and v. consult with the Supervisory Authority where a data protection impact assessment indicates that there is an unmitigated high risk to the processing (Article 36 GDPR). (e) without undue delay, inform the Client of becoming aware of a breach of security leading to the accidental or unlawful destruction, loss, alteration, damage, corruption, unauthorised disclosure of, or access to, the Client Data transmitted, stored or otherwise processed. Key Computers accepts and acknowledges that the Client shall direct in its sole discretion, any and all steps and measures taken to remedy a breach by Key Computers under Privacy and Data Protection Requirements, including but not limited to any communications with a Supervisory Authority. Key Computers agree not to act in any way upon such disclosure without the prior written consent of the Client; (f) make available to the Client all information reasonably necessary to demonstrate compliance with the obligations laid down in this Data Processing Addendum and allow for and contribute to audits, including inspections, conducted by the Client or another auditor mandated by the Client as set out in clause 6; (g) maintain complete and accurate records and information to demonstrate its compliance with this clause 4.1 and allow for audits by the Client in accordance with clause 6 of this Data Processing Addendum; and (h) in addition to the confidentiality obligations contained within the Agreement, ensure that persons authorised to process the Client Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. 4.2 On expiry or termination of the Agreement, Key Computers shall immediately cease to use Client Data (and any copies of it) and shall arrange for its safe return or destruction as shall be required by the Client (unless European Union, Member States and/or English Law requires storage of any Personal Data contained within the Client Data or an exemption under GDPR applies).
5. USE OF SUPPLIER DATA 5.1 Where the Client uses or receives Supplier Data as part of the Services, the Client acknowledges that: (a) the Supplier Data may be subject to Additional Terms; (b) where relevant for the provision of Services under the Agreement, the Client shall comply with the Additional Terms; and (c) where the Additional Terms specify that Personal Data belonging to EEA Data Subjects cannot be processed by a particular Data Supplier, the Client warrants that it will not use that element of the Service for the processing of Personal Data belonging to an EEA Data Subject. 5.2 Key Computers shall promptly notify the Client in the event of a change to the Additional Terms. 6. AUDIT RIGHTS 6.1 Upon the Client’s reasonable request, Key Computers agrees to provide the Client with any documentation or records (which may be redacted to remove confidential commercial information not relevant to the requirements of this Data Processing Addendum) which will enable it to verify and monitor Key Computer’s compliance with its data protection and security obligations under the terms of this Data Processing Addendum, within 14 days of receipt of such request, and to notify the Client of the person within Key Computer’s organisation who will act as the point of contact for provision of the information required by the Client. 6.2 Where, in the reasonable opinion of the Client, such documentation is not sufficient in order to meet the obligations of Article 28 of the GDPR (or where applicable Article 22 of the LED), the Client will be entitled, upon reasonable prior written notice to Key Computers and upon reasonable grounds, to conduct an on-site audit of Key Computer’s premises used in connection with the Service, solely to confirm compliance with Key Computer’s data protection and security obligations under this Data Processing Addendum. 6.3 Any audit carried out by the Client will be conducted in a manner that does not disrupt, delay or interfere with Key Computer’s performance of its business. The Client shall ensure that the individuals carrying out the audit are under the same confidentiality obligations as set out in the Agreement.
6.4 Any audit right granted to Key Computers under the Agreement shall remain in full force and effect. In the event that there is no audit right in favour of Key Computers or the audit right contained in the Agreement in favour of Key Computers is not sufficient to enable it to verify and monitor the Client’s compliance with its data protection and security obligations under the terms of this Data Processing Addendum, then, Key Computers shall be entitled to carry out an audit of the Client on reciprocal terms as those set out in clauses 6.1, 6.2 and 6.3.
7. USE OF SUB-PROCESSORS 7.1 The Client provides their consent for Key Computers to use Sub- processors in the delivery of the Service. Where Key Computers use third party Data Suppliers or any other third party and where they are acting as a Sub[1]processor in relation to the Client Data Key Computers shall: (a) enter into a legally binding written agreement that places the equivalent data protection obligations as those set out in this Data Processing Addendum to the extent applicable to the nature of the services provided by such Sub-processor, in particular, unless otherwise stated in the Additional Terms in accordance with clause 5.1(c), providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of theGDPR; (b) shall remain liable for any act or omission of a Sub[1]processor that does not comply with the data protection obligations as set out in this Data Processing Addendum; and (c) where required by law, Key Computers shall inform the Client of any intended changes concerning the addition or replacement of a Sub-processor with access to Client Data and give the Client the opportunity to object to such changes.
8. TRANSFERS OF PERSONAL DATA TO THIRD COUNTRIES OR INTERNATIONAL ORGANISATIONS 8.1 KEY COMPUTERS shall not cause or permit any Client Data to be transferred outside of the EEA unless such transfer is necessary for the purposes of Key Computer carrying out its obligations under the Agreement in which case, the provisions of this clause 8 shall apply. 8.2 Transfer subject to adequate safeguards: Subject to clauses 8.3 and 8.4, if Personal Data is to be processed outside of the EEA, Key Computers agrees to provide and maintain appropriate safeguards as set out in Article 46 GDPR or where applicable, LED Article 37 to lawfully transfer the Personal Data to a third country. 8.3 Transfers based on adequacy decisions: Clause 8.2 shall not apply if the processing of the Personal Data is carried out in a country that the European Commission has considered as offering an adequate level of protection. 8.4 Derogations for specific situations: The Client has consented to such transfer and acknowledges and accepts that certain Data Suppliers engaged by Key Computers in the provision of the products and services are located in a country that the European Commission has not formally declared to have an adequate level of protection (Clause 8.3/ Article 45(3) GDPR) and are not able to demonstrate appropriate safeguards (Clause 8.2/ Article 46 GDPR). In such circumstances this will be stated in the Additional Terms and where GDPR applies to the Client by virtue of Article 3 GDPR, the Client as Data Controller acknowledges that prior to submitting Client Data to Key Computers for processing it shall determine, and is solely liable for ensuring, that one of following exceptions set out in Article 49 GDPR applies: (a) the Data Subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the Data Subject due to the absence of an adequacy decision and appropriate safeguards; (b) the transfer is necessary for the performance of a contract between the Data Subject and the Client or the implementation of pre-contractual measures taken at the Data Subject’s request; (c) the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the Data Subject between the Client and another natural or legal person; (d) the transfer is necessary for important reasons of public interest; (e) the transfer is necessary for the establishment, exercise or defence of legal claims; (f) the transfer is necessary in order to protect the vital interests of the Data Subject or of other persons, where the Data Subject is physically or legally incapable of giving consent; or (g) the transfer is made from a register which according to European Union or Member State law is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate a legitimate interest, but only to the extent that the conditions laid down by European Union or Member State law for consultation are fulfilled in the particular case. The terms of this clause 8.4 shall not apply where the Client is subject to LED. In such circumstance clause 8.5 of this Data Processing Addendum shall apply. 8.5 Derogations for specific situations where the LED is applicable to the Client: The Client has consented to such transfer and acknowledges and accepts that certain Data Suppliers engaged by Key Computers in the provision and services are located in a country that the European Commission has not formally declared to have an adequate level of protection (Clause 8.3/ Article 36 LED) and are not able to demonstrate appropriate safeguards (Clause 8.2/Article 37 LED). In such circumstances this will be stated in the Additional Terms and the Client as Data Controller acknowledges that prior to submitting Client Data to Key Computers for processing it shall determine, and is solely liable for ensuring that, one of the following exceptions set out in Article 38 LED applies: (a) the transfer is necessary to protect the vital interest of the Data Subject or another person; (b) to safeguard legitimate interest of the Data Subject, where the law of the Member State transferring the Personal Data so provides; (c) for the prevention of an immediate and serious threat to public security of a Member State or a third country; (d) in individual cases for the purposes set out in Article 1 (1) LED; or (e) in an individual case for the purpose set out in Article 1 (1) LED.
9. SECURITY 9.1 For the avoidance of doubt, both Parties acknowledge that any provisions in relation to User IDs and passwords used in connection with the Service under the Agreement shall remain unchanged and in full force and effect. 10. LIABILITY 10.1 Nothing in this Data Processing Addendum shall limit or exclude Key Computers’ liability for: (a) death or personal injury caused by its negligence, or the negligence of its employees, agents or subcontractors; (b) fraud or fraudulent misrepresentation; or (c) any other liability which cannot be limited or excluded by law. 10.2 Subject to clause 10.1, neither party shall be liable to the other party, whether in contract, tort (including negligence), for breach of statutory duty, or otherwise, arising under or in connection with this Data Processing Addendum for: (a) loss of profits; (b) loss of sales or business; (c) loss of agreements or contracts; (d) loss of anticipated savings; (e) loss of use or corruption of software, data or information which is not Client Data; (f) loss of or damage to goodwill or reputation; or (g) any indirect or consequential loss. 10.3 Any aggregate cap of Key Computer’s liability under the Agreement shall also apply in respect of this Addendum. 11. MISCELLANEOUS 11.1 This Data Processing Addendum and any dispute or claim arising out of or in connection with it or its subject matter or formation (including non-contractual disputes or claims) shall be governed and construed in accordance with the laws of England and subject to any dispute resolution procedure as set out in the Agreement, both Parties submit to the exclusive jurisdiction of the English Courts, save that Key Computers may elect to bring proceedings against the Client in the courts of any jurisdiction where the Client or any of the Client’s property or assets may be found or located. 11.2 A person who is not a Party to this Data Processing Addendum has no rights under the Contracts (Rights of Third Parties) Act 1999 or otherwise) to enforce the provisions of this Data Processing Addendum. 11.3 Where applicable, the Parties agree that if, upon review following GDPR and LED coming into force, the provisions of this data Processing Addendum do not comply with GDPR or LED then both Parties agree to cooperate in good faith to re-negotiate the terms of this Data Processing Addendum to ensure compliance with GDPR or LED.