Data Privacy Addendum
This Data Privacy Addendum (this “Addendum”) is hereby established by DCR and Customer for purposes of ensuring that: (a) DCR’s operations under the Agreement comply with GDPR Article 28; and (b) the Parties have established and apply the required safeguards in respect of any applicable transfers of personal data from the UK or European Economic Area to third countries.
This Addendum is established and becomes a binding part of this Agreement with effect from the Effective Date of this Agreement.
1.1 In this Addendum, unless the context requires otherwise, the following terms will have the following meanings.
“Annex 1” to this Addendum provides the details of DCR’s processing of Personal Data as further described in Section 3.3 of this Addendum;
“Annex 2” to this Addendum provides the technical and organisational measures to be implemented by DCR in accordance with Section 4 of this Addendum;
“Applicable Laws” means (a) European Union or Member State laws with respect to any Customer Personal Data in respect of which any Customer Group Member is subject to EU Data Protection Laws; and (b) any other applicable law with respect to any Customer Personal Data in respect of which any Customer Group Member is subject to any other Data Protection Laws;
“Customer Group Member” means Customer or any Associated Company of Customer;
“Customer Personal Data” means any Personal Data Processed by a Contracted Processor on behalf of a Customer Group Member pursuant to or in connection with this Agreement;
“Contracted Processor” means DCR or a DCR Sub-processor;
“Data Protection Laws” means EU Data Protection Laws and, to the extent applicable, the data protection or privacy laws of any other country (including the United Kingdom after Brexit);
“EEA” means the European Economic Area;
“Restricted Transfer” means: (a) a transfer of Customer Personal Data from any Customer Group Member to a Contracted Processor; or (b) an onward transfer of Customer Personal Data from a Contracted Processor to a Contracted Processor, or between two establishments of a Contracted Processor, and in each case, where such transfer would be prohibited by Data Protection Laws (or by the terms of data transfer agreements put in place to address the data transfer restrictions of Data Protection Laws) in the absence of required safeguards;
“Sub-processor” means any person (including any third party and any Associated Company of DCR, but excluding an employee of DCR or any of its sub-contractors) appointed by or on behalf of DCR or any Associated Company of DCR to Process Personal Data on behalf of any Customer Group Member in connection with this Agreement.
1.2 The terms “Commission”, “Controller”, “Data Subject”, “Member State”, “Personal Data”, “Personal Data Breach”, “Processing” and “Supervisory Authority” will have the same meaning as in the GDPR, and their cognate terms will be construed accordingly. For purposes of this Addendum, unless otherwise expressly stated, the term “DCR” means DCR and any Associated Company of DCR.
1.3 The word “include” will be construed to mean include without limitation, and cognate terms will be construed accordingly.
For purposes of this Addendum, each Party will act as agent for and on behalf of its applicable Associated Companies. Each Party will ensure that its respective Associated Companies have duly and effectively authorised it to act as such.
3. PROCESSING OF CUSTOMER PERSONAL DATA
3.1 DCR will not Process Customer Personal Data other than on the relevant Customer Group Member’s documented instructions unless Processing is required by Applicable Laws to which the relevant Contracted Processor is subject, in which case DCR or the relevant Associated Company of DCR will to the extent permitted by Applicable Laws inform the relevant Customer Group Member of that legal requirement before the relevant Processing of that Personal Data.
3.2 Each Customer Group Member hereby:
3.2.1 instructs DCR (and authorises DCR to instruct each Sub-processor) to Process Customer Personal Data as reasonably necessary for the provision of the Services and consistent with this Agreement; and
3.2.2 warrants and represents that it is and will at all relevant times remain duly and effectively authorised to give the instruction set out in Section 3.2.1 on behalf of each relevant Associated Company of Customer.
3.3 Annex 1 to this Addendum sets out certain information regarding the Contracted Processors’ Processing of the Customer Personal Data as required by Article 28(3) of the GDPR (and, possibly, equivalent requirements of other Data Protection Laws). Customer may make reasonable amendments to Annex 1 by written notice to DCR from time to time as Customer reasonably considers necessary to meet those requirements. Nothing in Annex 1 (including as amended pursuant to this Section 3.3) confers any right or imposes any obligation on either Party.
DCR will maintain the technical and organisational security measures described in Annex 2 to this Addendum. Customer, as controller, is responsible to data subjects and applicable supervisory authorities for identifying whether changes to these security measures are required for the Processing of Customer Personal Data. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, DCR will, in relation to the Customer Personal Data, work with Customer to implement any changes to these security measures and address other appropriate technical and organisational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR.
5.1 Each Customer Group Member authorises DCR to appoint (and permit each Sub-processor appointed in accordance with this Section 5 to appoint) Sub-processors in accordance with this Section 5 and any restrictions in this Agreement.
5.2 DCR may continue to use any Sub-processors already engaged by DCR as at the date of this Agreement, subject to DCR in each case as soon as practicable meeting the obligations set out in Section 5.4.
5.3 DCR will give Customer prior written notice of the appointment of any new Sub-processor, including full details of the Processing to be undertaken by the Sub-processor. If, within 10 days of receipt of that notice, Customer notifies DCR in writing of any objections (on reasonable grounds) to the proposed appointment, DCR will not appoint (or disclose any Customer Personal Data to) that proposed Sub-processor until reasonable steps have been taken to address the objections raised by any Customer Group Member and Customer has been provided with a reasonable written explanation of the steps taken.
5.4 With respect to each Sub-processor, DCR shall:
5.4.1 before the Sub-processor first Processes Customer Personal Data (or, where relevant, in accordance with Section 5.2), carry out adequate due diligence to ensure that the Sub-processor is capable of providing the level of protection for Customer Personal Data required by this Agreement;
5.4.2 ensure that the arrangement between DCR and the relevant Sub-processor is governed by a written contract including terms which offer at least the same level of protection for Customer Personal Data as those set out in this Addendum and meet the requirements of Article 28(3) of the GDPR;
5.4.3 if that arrangement involves a Restricted Transfer, work to ensure that its agreement with the Sub-processor incorporates the EU standard contractual clauses and/or other required Personal Data protection safeguards;
5.4.4 provide to Customer for review such copies of the Contracted Processors’ agreements with Sub-processors (which may be redacted to remove confidential commercial information not relevant to the requirements of this Addendum) as Customer may request from time to time.
5.5 DCR will ensure that each Sub-processor performs the obligations under Sections 3.1, 4, 6.1, 7.2 and 8 to the extent they apply to Processing of Customer Personal Data carried out by that Sub-processor, as if it were party to this Addendum in place of DCR.
6. DATA SUBJECT RIGHTS
6.1 Taking into account the nature of the Processing, DCR will assist each Customer Group Member by implementing appropriate technical and organisational measures, in accordance with Article 32 of the GDPR, for the fulfilment of the Customer Group Members’ obligations, as reasonably understood by Customer, to respond to requests to exercise Data Subject rights under the Data Protection Laws. To the extent Customer requests DCR to add or change DCR’s technical and organisational measures to meet requirements that are needed only for the Processing of Customer Personal Data, the Parties will work together to enable DCR to be reimbursed for any applicable cost implications that may result.
6.2 DCR shall:
6.2.1 promptly notify Customer if any Contracted Processor receives a request from a Data Subject under any Data Protection Law in respect of Customer Personal Data; and
6.2.2 ensure that the Contracted Processor does not respond to that request except on the documented instructions of Customer or the relevant Associated Company of Customer or as required by Applicable Laws to which the Contracted Processor is subject, in which case DCR will to the extent permitted by Applicable Laws inform Customer of that legal requirement before the Contracted Processor responds to the request.
7. PERSONAL DATA BREACH
7.1 DCR will notify Customer without undue delay if DCR or any Sub-processor becomes aware of a Personal Data Breach affecting Customer Personal Data, providing Customer with sufficient information to allow each Customer Group Member to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Data Protection Laws.
7.2 DCR will co-operate with Customer and each Customer Group Member and take such reasonable commercial steps as are directed by Customer to assist in the investigation, mitigation and remediation of each such Personal Data Breach.
8. DELETION OR RETURN OF CUSTOMER PERSONAL DATA
Following the date of cessation of any Services under which DCR Processes Customer Personal Data, DCR will delete relevant copies of the same, subject to and in accordance with data retention laws and requirements.
9. GENERAL TERMS
Governing law and jurisdiction
9.1 The Parties to this Addendum hereby submit to the choice of jurisdiction stipulated in this Agreement with respect to any disputes or claims howsoever arising under this Addendum, including disputes regarding its existence, validity or termination or the consequences of its nullity. This Addendum and all non-contractual or other obligations arising out of or in connection with it are governed by the laws of the country or territory stipulated for this purpose in this Agreement.
Order of precedence
9.2 Nothing in this Addendum reduces DCR’s obligations under this Agreement in relation to the protection of Personal Data or permits DCR or any Associated Company of DCR to Process (or permit the Processing of) Personal Data in a manner which is prohibited by this Agreement.
9.3 Subject to Section 9.2, with regard to the subject matter of this Addendum, in the event of inconsistencies between the provisions of this Addendum and any other agreements between the Parties, including this Agreement and including (except where explicitly agreed otherwise in writing, signed on behalf of the Parties) agreements entered into or purported to be entered into after the date of this Addendum, the provisions of this Addendum will prevail.
Changes in Data Protection Laws, etc.
9.4 Customer and DCR may propose any variations to this Addendum which either Party reasonably considers to be necessary to address the requirements of any Data Protection Law. Upon the issuance of any such proposal the Parties will work together to agree on the required variations.
9.5 If the Parties agree to vary this Addendum pursuant to Section 9.4, the Parties will promptly discuss the proposed variations and negotiate in good faith with a view to agreeing and implementing those or alternative variations designed to address the requirements identified in either Party’s proposal as soon as is reasonably practicable.
9.6 Neither Customer nor DCR will require the consent or approval of any Associated Company of Customer or Associated Company of DCR to amend this Addendum pursuant to Section 9.5 or otherwise.
9.7 Should any provision of this Addendum be invalid or unenforceable, then the remainder of this Addendum will remain valid and in force. The invalid or unenforceable provision will be either (i) amended as necessary to ensure its validity and enforceability, while preserving the Parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.
Annex 1 to Data Privacy Addendum
Details of Processing of Customer Personal Data
This Annex 1 includes certain details of the Processing of Customer Personal Data as required by Article 28(3) GDPR.
Subject matter and duration of the Processing of Customer Personal Data
The subject matter of the Processing of the Customer Personal Data is set out in Annex 2 to the Service Order. DCR will endeavour to ensure that the duration of processing is limited to the extent necessary to enable the performance of the Services and DCR’s performance of all relevant contractual and operational obligations.
The nature and purpose of the Processing of Customer Personal Data
The nature and purpose of Customer personal data processing, if any, will be as required to support each Service Order executed in the Agreement, as further specified in Annex 2 to the Service Order.
The types of Customer Personal Data to be Processed
The types of Customer personal data to be processed, if any, will be limited to those required to support each Service Order executed in the Agreement, as further specified in Annex 2 to the Service Order.
The categories of Data Subjects to whom the Customer Personal Data relates
The categories of data subjects to whom the Customer Personal Data relates, if any, will be limited to those required to support each Service Order executed in the Agreement, as further specified in Annex 2 to the Service Order.
The obligations and rights of Customer and Associated Companies of Customer
The obligations and rights of Customer and any Associated Company of Customer are set out in the Agreement and this Addendum.
Annex 2 to Data Privacy Addendum
Technical and Organisational Security Measures
Description of the technical and organisational security measures implemented by DCR in accordance with Section 4 of this Addendum:
- Strong user passwords
- Multi-factor authentication
- Regular software and operating system updates
- Antivirus and anti-malware protection
- Firewalled implementation of servers and remote devices
- Encryption of personal data in transit
- Encryption of remote devices
- Secured configuration of servers and remote devices
- Data backups
- Only essential staff have access to server environments and infrastructure configuration
- Unique personal usernames and passwords
- Use of personal email accounts is banned for work purposes
- Staff training on data processing obligations, identification of breaches and risks