Data Processing Agreement

GENIOX Data Processing Agreement
Version: 2.3
Date: February 22, 2023
1 General
1.1 In effect
This Data Processing Agreement is effective as of February 2023 and sets out the terms and conditions between GENIOX (“Service Provider”) and Customer relating to the processing of personal data as part of the Services provided to Customer pursuant to the contract between the parties for such Services (the “Agreement”).
1.2 Addendum to the Agreement
In consideration of the mutual obligations set out herein, the parties hereby agree that the GENIOX Data Processing Agreement terms and conditions set out below shall be added as an addendum to the Agreement.
1.3 Updates
This Data Processing Agreement may be updated by Service Provider from time to time by providing at least 30 days’ prior written notice to Customer (which may be by e-mail) or by publication of an updated Data Processing Agreement unless Customer states in writing that they will not accept such update within 20 days of such notice or publication being issued by Service Provider.
2 Definitions
2.1 Terms
In this Data Processing Agreement, the following terms shall have the meanings set out below:
a) “Data Protection Legislation” means the Data Protection Act 1998, the EU Data Protection Directive 95/46/EC, the GDPR (when in force), the Privacy and Electronic Communications (EC Directive) Regulations 2003 and all applicable laws and regulations relating to the processing of personal data and privacy, including where applicable, any guidance notes and codes of practice issued by the European Commission and applicable national Regulators including the UK Information Commissioner;
b) “GDPR” means the EC Regulation 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (when in force);
c) “Regulator” means any regulatory body with responsibility for ensuring compliance with Data Protection Legislation.
d) “Security Breach” means accidental or deliberate, unauthorised or unlawful acquisition, destruction, loss, alteration, corruption, access, use or disclosure of personal data processed under this Data Processing Agreement or breach of Service Provider’s security obligations under this Data Processing Agreement (including clause 3.3(c)).
e) “Services” means the services described in Schedule 1.
2.2 References
References in clause to “data controller”, “data processor”, “processing”, “data protection officer” and “personal data” shall have the same meaning as defined in Data Protection Legislation.
3 Data Processing
3.1 Permission
References in clause to “data controller”, “data processor”, “processing”, “data protection officer” and “personal data” shall have the same meaning as defined in Data Protection Legislation.
3.2 Roles
The parties agree that, in respect of any personal data processed in connection with this Data Processing Agreement, Customer shall be the “data controller” and Service Provider or Sub Processor shall be the “data processor”.
3.3 Respective Rights and Obligations
Each party acknowledges and agrees that each party has respective rights and obligations under applicable Data Protection Legislation. Service Provider shall, without prejudice to its other rights or obligations, in respect of its processing of such personal data:

a) process the data only to the extent, and in such a manner, as is necessary for the purposes of this Data Processing Agreement and in accordance with Customer’s lawful written instructions from time to time. If Service Provider is unsure as to the parameters of the instructions issued by Customer and/or believes that Customer’s instructions may conflict with the requirements of Data Protection Legislation or other applicable laws, Service Provider may notify Customer for clarification and provide reasonable details in support of any assertion that Customer’s instructions may not be lawful;
b) ensure the reliability of all its personnel who have access to the data and shall in particular ensure that any person authorised to process data in connection with this Data Processing Agreement is subject to a duty of confidentiality;
c) having regard to the state of technological development and the cost of implementing any measures, take such technical and organisational measures against the unauthorised or unlawful processing of data and against the accidental loss or destruction of, or damage to data, to ensure a level of security appropriate to: a) the harm that might result from such unauthorised or unlawful processing or accidental loss, destruction or damage of the data; and b) the nature of the data to be protected, provided that where such measures may require the use of resource and/or cost additional to that usually provided or incurred, or anticipated, by Service Provider, Customer agrees to pay for the same (in addition to any other charges or fees), provided that Service Provider has notified Customer of the fact that additional charges or cost may be payable;
d) subject to agreement on costs, assist Customer by using appropriate technical and organisational measures in responding to, and complying with, data subject requests;
e) subject to agreement on costs, provide Customer with reasonable co-operation and assistance in relation to Customer’s obligations and rights under Data Protection Legislation, taking into account the nature of the processing and the information available to the processor, including providing Customer and relevant Regulators (as applicable) with all information and assistance reasonably necessary to investigate security breaches and where relevant notify the relevant Regulator and/or affected data subject of the relevant security breach, carry out privacy impact assessments or otherwise to demonstrate compliance by the parties with Data Protection Legislation;
f) subject to agreement on costs, without undue delay notify Customer, and provide such co-operation, assistance and information as Customer may reasonably require if Service Provider:
g) receives any complaint, notice or communication which relates directly or indirectly to the processing of the personal data under this Data Processing Agreement or to either party’s compliance with Data Protection Legislation; and/or becomes aware of any Security Breach;
h) keep at its normal place of business a written record of any processing of the data carried out in the course of the Services (“Records”);
i) permit no more than once per year Customer or a Regulator, on reasonable notice during normal business hours, but without notice in case of any reasonably suspected breach of this clause by Service Provider, access to inspect, and take copies of, the Records for the purpose of auditing Service Provider's compliance with its obligations under this clause. Service Provider shall at Customer’s cost give all reasonably necessary assistance to the conduct of such audit;
j) may engage a sub processor to process data (or otherwise sub-contract or outsource the processing of any data to a third party) (a “Sub processor”), provided that it:
k) notifies Customer of any new or replacement Sub processors. If Customer objects to the appointment of a new or replacement Sub processor, it shall notify Service Provider within five business days. Customer shall be deemed to have accepted the Sub processor if Service Provider does not receive an objection within five Business Days. If the objection cannot be resolved by the parties within five Business Days of receipt by the Companies of the written objection, Service Provider shall not be in breach of this Data Processing Agreement or the obligations of any other agreement to Customer to the extent it cannot provide its services or otherwise comply with its obligations as a result; enters into a written contract with the Sub processor that:
1. provides protections or guarantees that Sub processor considers necessary to implement appropriate technical and organisational measures in compliance with the Data Protection Legislation; and
2. terminates automatically on termination or expiry of this Data Processing Agreement for any reason; and (iii) remains liable for all acts or omissions of the Sub processors as if they were acts or omissions of Service Provider (except to the extent caused or exacerbated by Customer). As at the date of this Data Processing Agreement, Service Provider uses the subprocessors set out in Schedule 1 for the activities set out in Schedule 1 in connection with the provision of the Services;
l) at Customer’s cost return or destroy (as directed in writing by Customer) all personal data it has in its possession and delete existing copies unless applicable law requires storage of the personal data.
m) Customer acknowledges and agrees that personal data may be transferred to those locations set out in Schedule 1 as well as any applicable order, quotation agreement or statement of work in accordance with any lawful transfer mechanisms. The parties agree that if the transfer mechanism used ceases to exist or is no longer considered to be a lawful method of transferring personal data outside of the European Economic Area (“EEA”), the parties shall have a good faith discussion and agree an alternative lawful transfer mechanism and Service Provider may cease or procure that the relevant third party ceases the processing of personal data until the parties have agreed an alternative transfer mechanism to enable the personal data to be transferred outside of the EEA in a compliant manner. Service Provider shall not be in breach of this Data Processing Agreement to the extent that the parties do promptly reach any such agreement.
3.4 Compliance
Customer agrees to comply with its obligations under applicable Data Protection Legislation in respect of the processing of personal data under or in connection with this Data Processing Agreement and shall in particular ensure that, as a condition of this Data Processing Agreement, Service Provider is lawfully permitted to process personal data on its behalf. Customer shall indemnify Service Provider on demand against all claims, liabilities, costs, expenses, damages and losses (including all interest, penalties and legal costs and all other professional costs and expenses) suffered or incurred by Service Provider arising out of Customer’s breach of this clause 3.4 (“Claims”). Each party acknowledges that Claims include any claim or action brought by a data subject arising from the Service Provider’s breach of its obligations in this clause.
4 Schedule 1
(A) Services: Managed Mobile data services purchased by Customer under the Agreement.
(B) Location of data processing, in each case where such processing is for customer subscriber data, including connection record, IP addresses and network configuration, country of residence, product usage profiles, for GENIOX products and third party products supported by GENIOX, for the purpose of providing the Services pursuant to the Agreement:
Mobile data connectivity, Location: Worldwide, Remarks: 3rd party Mobile Network Operators
Customer Portal (hosting), Location: Google Cloud, Remarks: Redundant hosting
(C) Permitted sub-processors and location of processing, in each case where such processing is for customer subscriber data, including call record, IP addresses and network configuration, country of residence, product usage profiles only in the performance of the Services and as described in the Agreement:
Mobile data connectivity, Location: Worldwide, Details: CDR records incl. MSISDN and IMSI, Remarks: 3rd party Mobile Network Operators
Customer Portal (hosting), Location: Google Cloud, Details: CDR records, customer contact information, Remarks: Redundant hosting
Data Processing Agreement Customers v2.3
February 23, 2023