Last updated: Jan 02, 2024
The following terms for data processing form part of the Agreement between the Supplier and the Customer. During the course of providing the Services, the Supplier may process Personal Data that is subject to Data Protection Legislation. The Customer appoints the Supplier to Process such Personal Data in accordance with this Data Processing Addendum.
Capitalized terms used in this Data Processing Addendum and not otherwise defined in the Terms of Service set out online (the “Terms of Service") shall have the meaning given to them in the Data Protection Legislation and the following additional definition shall apply:
“Data Protection Legislation” means all applicable privacy and data protection laws, including the EU General Data Protection Regulation (Regulation 2016/679 "GDPR"), the GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 "UK GDPR"), the Data Protection Act 2018, and any applicable national implementing laws, regulations and secondary legislation in England and Wales relating to the processing of personal data and the privacy of electronic communications, as amended, replaced or updated from time to time, including the Privacy and Electronic Communications Directive 2002/58/EC and the Privacy and Electronic Communications EC Directive) Regulations 2003 SI 2003/2426 .
"Standard Contractual Clauses" means, together, the standard contractual clauses for the transfer of Personal Data to third countries pursuant to the GDPR, adopted by the European Commission under Commission Decision (EU) 2021/914 2021 ("EU SCCs") and the UK International Transfer Addendum to the EU SCCs ("UK Addendum").
If there is a conflict between the Terms of Service and this Data Processing Addendum, the terms of this Data Processing Addendum shall prevail.
The Parties acknowledge and agree that for the purposes of the Data Protection Legislation, the Customer is the Data Controller and the Supplier is the Data Processor of the Personal Data and a description of the Personal Data and the Processing activities undertaken by the Supplier is set out in clause 6.
The Supplier’s processing obligations
3.1. To the extent that the Supplier processes any Personal Data on behalf of Customer in connection with the Services, the Supplier shall:
3.1.1. only Process such Personal Data in accordance with the purposes set out in this Data Processing Addendum and notify Customer immediately if in its opinion the Customer’s instructions infringes applicable law;
3.1.2. maintain a record of its Processing activities under this Data Processing Addendum in accordance with and to the extent required by Article 30(2) GDPR, and the Supplier shall at any time upon request, deliver up to Customer details of such Processing activities;
3.1.3. ensure that access to any such Personal Data is restricted to those of its personnel who need to have access in order to perform the Services and who are subject to confidentiality obligations in respect of the Personal Data;
3.1.4. notify Customer without undue delay if it suffers a Personal Data Breach, if it receives any Data Subject Request relating to the Personal Data, and shall: (a) not respond to the Data Subject Request without Customer’s prior written consent and in accordance with Customer’s instructions; and (b) shall provide such assistance as Customer may reasonably require in respect of such Personal Data in order for Customer to comply and respond to the Data Subject Request in accordance with the Data Protection legislation;
3.1.5. provide reasonable assistance to Customer in inputting into and carrying out data protection impact assessments and, to the extent required under the Data Protection Legislation, prior notification under Article 36 of GDPR; and
3.1.6. ensure that it has implemented appropriate organizational and technical measures in order to comply with its obligations under this clause 3, including the measures referred to in clause 6.5.
3.2. To the extent legally permitted, Customer shall be responsible for any costs arising from the Supplier’s provision of assistance beyond the existing functionality of the Services.
3.3. The Supplier is permitted to engage a Subprocessor to Process any of the Personal Data on Customer’s behalf in connection with the Services. The Customer pre-approves the Supplier’s use of third party processors for the purposes of fulfilling its obligations, including this List of Subprocessor. The Supplier shall:
3.3.1. inform Customer prior to the appointment or removal of any such Subprocessor, thereby giving Customer an opportunity to object to the appointment or removal. If Customer objects on reasonable grounds, the Supplier shall either: i) alter its plans to use the Subprocessor with respect to Personal Data, or (ii) take corrective steps to remove Customer’s objections. If none of the above options are reasonably available or the issue is not resolved within 30 days of the objection, either party may terminate the Agreement; and
3.3.2. ensure that such Subprocessor is subject to a written agreement which imposes on it binding contractual obligations which are equivalent to the terms imposed on the Supplier under this Data Processing Addendum; and
3.3.3. ensure that the Subprocessor’s Processing of such Personal Data terminates upon termination of the Supplier’s right to Process the data, provided that the Supplier shall be liable for the acts and omissions of such Subprocessors in relation to the Processing of such Personal Data.
3.4. The Customer acknowledges that the Supplier and its Subprocessors may Process Personal Data outside of the EEA or UK in non-adequate countries. The Supplier will abide by the requirements of the Data Protection Legislation regarding the transfer and Processing of Personal Data from the EEA or UK. The Supplier will ensure that transfers of Personal Data to a third country or an international organization that does not ensure an adequate level of protection are subject to appropriate safeguards as described in Article 46 of the GDPR or UK GDPR.
3.5. Upon termination or expiry of the Agreement, the Supplier shall cease all Processing of any Personal Data Processed on Customer’s behalf under the Agreement and shall, at Customer’s option, return or destroy and delete all such Personal Data.
3.6. In order to demonstrate the Supplier’s compliance with the Data Protection Legislation, the Supplier shall:
3.6.1. provide the Customer with such information as the Customer reasonably requests from time to time to enable the Customer to satisfy itself that the Supplier is complying with its obligations under this Data Processing Addendum and the Data Protection Legislation; and
3.6.2. allow the Customer, at the Customer’s sole cost and expense access (on reasonable notice and no more than once a year) to its premises where Personal Data is Processed under this Data Processing Addendum to allow Customer to audit its compliance with this Data Processing Addendum and Data Protection Legislation and shall provide reasonable co-operation as requested by the Customer in the performance of such audit. The Parties shall agree in advance on the reasonable start date, duration and security and confidentiality controls applicable to such audit.
Obligations of Customer
4.1. Customer shall:
4.1.1. have at all times during the term of the Agreement appropriate technical and organizational measures to ensure a level of security appropriate to the risk to protect any Personal Data;
4.1.2. provide clear and comprehensible written instructions to the Supplier for the processing of Personal Data to be carried out under this Data Processing Addendum; and
4.1.3. ensure that it has all the necessary licenses, permissions, consents and notices in place to enable lawful transfer of Personal Data to the Supplier for the duration and purposes of the Agreement.
Cross-Border Transfers of Personal Data
5.1. If an adequate protection measure for the international transfer of Personal Data is required under Data Protection Legislation (and has not otherwise been arranged by the parties) the Standard Contractual Clauses shall be incorporated into this Data Processing Addendum in the Schedules as if they had been set out in full.
5.2. The parties shall ensure that whenever Personal Data is transferred outside the EEA and the UK ("GDPR Territories") they:
5.2.1. are Processing Personal Data in a territory which is subject to a current finding by the UK's Information Commissioner's Office (for transfers under the UK GDPR) or European Commission (for transfers under the GDPR) that the territory provides adequate protection for the privacy rights of individuals;
5.2.2. participate in a valid cross-border transfer mechanism under the Data Protection Legislation, so that the parties can ensure that appropriate safeguards are in place to ensure an adequate level of protection with respect to the privacy rights of individuals as required by Article 46 of the GDPR; or
5.2.3. otherwise ensure that the transfer complies with the Data Protection Legislation.
5.3. In the case of any Processing of Personal Data outside of the GDPR Territories as at the date of this Data Processing Addendum, the relevant transfer mechanism has been identified in the Schedules. The Supplier will promptly inform the Customer of any change to such mechanisms.
5.4. The Customer authorizes the Supplier to enter into the Standard Contractual Clauses with the subprocessor on the Customer's behalf, if required to ensure the relevant Processing of Personal Data complies with Data Protection Legislation. The Supplier will make the executed Standard Contractual Clauses available to the Customer on written request.
Processing Particulars
6.1. Data Subjects. The categories of Data Subjects whose Personal Data may be Processed in connection with this Data Processing Addendum are The Customer may submit Personal Data to the Supplier through its use of the Services, the extent of which and the data subjects whose Personal Data is processed in relation to such use of the Services is determined and controlled by the Customer in its sole discretion and may include data subjects who are customers of the Customer.
6.2. Categories of Personal Data. The Customer may submit Personal Data to the Supplier through its use of the Services, the extent of which is determined and controlled by the Customer in its sole discretion, and which may include, but is not limited to the following categories of Personal Data: first name, last name, email address, address, country, and profession.
6.3. Processing Operations. Personal Data shall be processed by the Supplier in accordance with this Data Processing Addendum for the purpose of providing the Services in accordance with the Agreement.
6.4. Duration. The Supplier will Process the Personal Data on the Customer's behalf for the duration of the Agreement.
6.5. A description of the technical and organizational measures applying to this Data Processing Addendum are set out in the Supplier's Security Policy.
SCHEDULE 1
EU SCCs
Incorporation of the EU SCCs
1.1. To the extent clause 5.1 applies and the transfer is made pursuant to the GDPR, this Schedule 1 and Module 2 of the EU SCCs, and no other optional clauses unless explicitly specified, are incorporated into this Schedule 1 as if they had been set out in full in the case where the exporter is a Controller, the importer is a Processor and the transfer requires such additional protection.
Clarifications to the EU SCCs
2.1. Deletion of data. For the purposes of clause 8.5 of the EU SCCs (Duration of processing and erasure or return of data), the parties agree as follows: At the end of the provision of the processing services the importer shall delete all Personal Data and shall certify to the exporter that it has done so, if requested to provide such certification by the exporter in writing.
2.2. Auditing. The parties acknowledge that the importer complies with its obligations under clause 8.9 of the EU SCCs (Documentation and compliance) by exercising its contractual audit rights it has agreed with its subprocessors.
2.3. Subprocessors. For the purposes of clause 9 of the EU SCCs (Use of subprocessors), option 2 general applies and the parties agree that the process for appointing subprocessors set out in clause 3.3 applies.
2.4. Competent Supervisory Authority. For the purposes of clause 13 of the EU SCCs, the competent Supervisory Authority shall be:
i. if the exporter is established in an EU Member State: The Irish Data Protection Commissioner;
ii. where the exporter is not established in an EU Member State and has appointed a representative pursuant to Article 27(1) GDPR, it shall notify the importer of this and the EU Member State in which the exporter's representative is appointed shall be the competent Supervisory Authority; and
iii. where the exporter is not established in an EU Member State, but falls within the territorial scope of Article 3(2) GDPR but has not appointed a representative pursuant to Article 27(1) GDPR: the exporter shall notify the importer of its chosen competent supervisory authority, which must be the Supervisory Authority of an EU Member State in which the Data Subjects whose personal data is transferred under the EU SCCs in relation to the offering of goods or services to them, or whose behaviour is monitored, are located.
2.5. International Transfer Assessments. For the purposes of clause 14(c) of the EU SCCs (local laws and practices affecting compliance with the Clauses) the exporter has been provided with a transfer impact assessment by the importer which the exporter accepts as sufficient to fulfill the importer's obligations pursuant to clause 14(c) and 14(a). The exporter acknowledges that it has been provided with the security measures applied to the Personal Data and approves such measures as being in compliance with the EU SCCs.
2.6. Best Efforts Obligations. For the purposes of clauses 14(c), 15.1(b) and 15.2 of the EU SCCs (Local laws and practices affecting compliance with the clauses) the parties agree that "best efforts" and the obligations of the importer under clause 15.2 shall mean exercising the degree of skill and care, diligence, prudence and foresight which would reasonably and ordinarily be expected from a leading practice engaged in a similar type of undertaking under the same or similar circumstances and shall not include actions that would result in civil or criminal penalty such as contempt of court under the laws of the relevant jurisdiction.
2.7. Governing Law & Jurisdiction. For the purposes of clauses 17 and 18 of the EU SCCs, the parties agree that the governing law and choice of jurisdiction shall be where the exporter is established. If those laws do not allow for third party rights, the law of Ireland shall apply and the courts of Ireland will have exclusive jurisdiction.
Processing Particulars for the EU SCCs
The Parties
3.1. Exporter (Controller): Customer