Data Protection Addendum
This current consolidated Data Protection Addendum was published on 22/09/2020. For previous versions, see no avail (first version). For details of Updated provisions, see no avail (first version).
1. Definitions
1.1. In this defined terms shall have the same meaning, and the same rules of interpretation shall apply as in the remainder of the Agreement. In addition in this the following definitions have the meanings given below:
| Term | Meaning |
| --- | --- |
| Applicable Law | means applicable laws of the European Union (EU), the European Economic Area (EEA) or any of the EU or EEA’s member states from time to time together with applicable laws in the United Kingdom from time to time; |
| Appropriate Safeguards | means such legally enforceable mechanism(s) for Transfers of Personal Data as may be permitted under Data Protection Laws from time to time; |
| Controller | has the meaning given to that term in Data Protection Laws; |
| Data Protection Laws | means all Applicable Laws relating to the processing, privacy and/or use of Personal Data, as applicable to either party or the Services, including the following laws to the extent applicable in the circumstances: (a) the GDPR; (b) the Data Protection Act 2018; (c) any laws which implement any such laws; and (d) any laws which replace, extend, re-enact, consolidate or amend any of the foregoing (including where applicable, the GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of the European Union (Withdrawal) Act 2018 as modified by applicable domestic law from time to time); |
| Data Protection Losses | means all liabilities, including all: (a) costs (including legal costs), claims, demands, actions, settlements, interest, charges, procedures, expenses, losses and damages (including relating to material or non-material damage); and (b) to the extent permitted by Applicable Law: (i) administrative fines, penalties, sanctions, liabilities or other remedies imposed by a Supervisory Authority; (ii) compensation which is ordered by a Supervisory Authority to be paid to a Data Subject; and (iii) the reasonable costs of compliance with investigations by a Supervisory Authority; |
| Data Subject | has the meaning given to that term in Data Protection Laws; |
| Data Subject Request | means a request made by a Data Subject to exercise any rights of Data Subjects under Data Protection Laws; |
| GDPR | means the General Data Protection Regulation, Regulation (EU) 2016/679; |
| International Recipient | means the organisations, bodies, persons and other recipients to which Transfers of the Protected Data are prohibited under paragraph 7.1 without the Client’s prior written authorisation; |
| List of Sub-Processors | means the latest version of the list of Sub-Processors used by the ReKnowledge, as Updated from time to time, which as at Order Acceptance is available at https://www.reknowledge.tech/sub_processor.html; |
| Onward Transfer | means a Transfer from one International Recipient to another International Recipient; |
| Personal Data | has the meaning given to that term in Data Protection Laws; |
| Personal Data Breach | means any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, any Protected Data; |
| Processing | has the meanings given to that term in Data Protection Laws (and related terms such as process have corresponding meanings); |
| Processing Instructions | has the meaning given to that term in paragraph 3.1.1; |
| Processor | has the meaning given to that term in Data Protection Laws; |
| Protected Data | means Personal Data in the Client Data; |
| Sub-Processor | means another Processor engaged by the ReKnowledge for carrying out processing activities in respect of the Protected Data on behalf of the Client; |
| Supervisory Authority | means any local, national or multinational agency, department, official, parliament, public or statutory person or any government or professional body, regulatory or supervisory authority, board or other body responsible for administering Data Protection Laws; |
| Transfer | bears the same meaning as the word ‘transfer’ in Article 44 of the GDPR (or to the extent wider the definition of ‘transfer’ in equivalent provisions of UK Data Protection Laws). Without prejudice to the foregoing, this term also includes all Onward Transfers. Related expressions such as Transfers, Transferred and Transferring shall be construed accordingly; and |
| UK Data Protection Laws | means Data Protection Laws that form part of the law of England and Wales, Scotland and/or Northern Ireland from time to time. |
2. Processor and Controller
2.1. The parties agree that, for the , the Client shall be the and the ReKnowledge shall be the .
2.2. To the extent the Client is not sole of any it warrants that it has full authority and authorisation of all relevant to instruct the ReKnowledge to the in accordance with the Agreement.
2.3. The ReKnowledge shall in compliance with:
2.3.1. the obligations of s under in respect of the performance of its and their obligations under the Agreement; and
2.3.2. the terms of the Agreement.
2.4. The Client shall ensure that it, its and each shall at all times comply with:
2.4.1. all in connection with the of , the use of the (and each part) and the exercise and performance of its respective rights and obligations under the Agreement, including maintaining all relevant regulatory registrations and notifications as required under ; and
2.4.2. the terms of the Agreement.
2.5. The Client warrants, represents and undertakes, that at all times:
2.5.1. all (if in accordance with the Agreement) shall comply in all respects, including in terms of its collection, storage and , with ;
2.5.2. fair processing and all other appropriate notices have been provided to the of the (and all necessary consents from such obtained and at all times maintained) to the extent required by in connection with all activities in respect of the which may be undertaken by the ReKnowledge and its in accordance with the Agreement;
2.5.3. the is accurate and up to date;
2.5.4. it shall establish and maintain adequate security measures to safeguard the in its possession or control (including from unauthorised or unlawful destruction, corruption, or disclosure) and maintain complete and accurate backups of all provided to the ReKnowledge (or anyone acting on its behalf) so as to be able to immediately recover and reconstitute such in the event of loss, damage or corruption of such by the ReKnowledge or any other person;
2.5.5. all instructions given by it to the ReKnowledge in respect of shall at all times be in accordance with ; and
2.5.6. it has undertaken due diligence in relation to the ReKnowledge’s operations and commitments and it is satisfied (and at all times it continues to use the remains satisfied) that:
(a) the ReKnowledge’s processing operations are suitable for the purposes for which the Client proposes to use the Services and engage the ReKnowledge to process the Protected Data;
(b) the technical and organisational measures set out in the Information Security Addendum and the Agreement (each as Updated from time to time) shall (if the ReKnowledge complies with its obligations under such Addendum) ensure a level of security appropriate to the risk in regards to the Protected Data; and
(c) the ReKnowledge has sufficient expertise, reliability and resources to implement technical and organisational measures that meet the requirements of Data Protection Laws.
3. Instructions and details of processing
3.1. Insofar as the ReKnowledge on behalf of the Client, the ReKnowledge:
3.1.1. unless required to do otherwise by , shall (and shall take steps to ensure each person acting under its authority shall) the only on and in accordance with the Client’s documented instructions as set out in this paragraph 3.1 and paragraphs 3.3 and 3.4 (including when making a of to any ), as from time to time (); and
3.1.2. if requires it to other than in accordance with the , shall notify the Client of any such requirement before the (unless prohibits such information on important grounds of public interest).
3.2. The Client shall be responsible for ensuring all ’ and ’s read and understand the (as from time to time).
3.3. The Client acknowledges and agrees that the execution of any computer command to process (including deletion of) any made in the use of any of the by an will be a (other than to the extent such command is not fulfilled due to technical, operational or other reasons, including as set out in the ). The Client shall ensure that do not execute any such command unless authorised by the Client (and by all other relevant (s)) and acknowledges and accepts that if any is deleted pursuant to any such command the ReKnowledge is under no obligation to seek to restore it.
3.4. Subject to applicable or the the of the by the ReKnowledge under the Agreement shall be for the subject-matter, duration, nature and purposes and involve the types of and categories of set out in the schedule.
4. Technical and organisational measures
4.1. Taking into account the nature of the , the ReKnowledge shall implement and maintain technical and organisational measures:
4.1.1. in relation to the of by the ReKnowledge, as set out the ; and
4.1.2. subject to paragraph 6.1, to assist the Client insofar as is possible (taking into account the nature of the ) in the fulfilment of the Client’s obligations to respond to s relating to , in each case at the Client’s cost on a time and materials basis in accordance with the .
5. Using staff and other Processors
5.1. The ReKnowledge shall not engage any for carrying out any activities in respect of the (except in accordance with the Agreement) without the Client’s written authorisation of that specific (such authorisation not to be unreasonably withheld, conditioned or delayed).
5.2. The Client authorises the appointment of each of the identified on the as from time to time.
5.3. The ReKnowledge shall:
5.3.1. prior to the relevant carrying out any activities in respect of the , appoint each under a written contract containing materially the same obligations as under paragraphs 2 to 12 (inclusive) (including those obligations relating to sufficient guarantees to implement appropriate technical and organisational measures); and
5.3.2. remain fully liable for all the acts and omissions of each as if they were its own.
5.4. The ReKnowledge shall ensure that all natural persons authorised by it (or by any ) to are subject to a binding written contractual obligation to keep the confidential (except where disclosure is required in accordance with , in which case the ReKnowledge shall, where practicable and not prohibited by , notify the Client of any such requirement before such disclosure).
6. Assistance with compliance and Data Subject rights
6.1. The ReKnowledge shall refer all s it receives to the Client without undue delay. The Client shall pay the ReKnowledge for all work, time, costs and expenses incurred in connection with such activity, calculated at the ReKnowledge’s rates set out in the .
6.2. The ReKnowledge shall provide such assistance as the Client reasonably requires (taking into account the nature of and the information available to the ReKnowledge) to the Client in ensuring compliance with the Client’s obligations under with respect to:
6.2.1. security of ;
6.2.2. data protection impact assessments (as such term is defined in );
6.2.3. prior consultation with a regarding high risk ; and
6.2.4. notifications to the and/or communications to s by the Client in response to any ,
provided the Client shall pay the ReKnowledge for all work, time, costs and expenses incurred in connection with providing the assistance in this paragraph 6.2, calculated at the ReKnowledge’s rates set out in the ReKnowledge’s Standard Pricing Terms.
7. International data Transfers
7.1. Subject to paragraphs 7.2 and 7.4, the ReKnowledge shall not any :
7.1.1. from any country to any other country; and/or
7.1.2. to an organisation and/or its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries,
without the Client’s prior written authorisation except where the ReKnowledge is required to Transfer the Protected Data by Applicable Law (and shall inform the Client of that legal requirement before the Transfer, unless those laws prevent it doing so).
7.2. The Client hereby authorises the ReKnowledge to any for 3.4 to any (s), provided all by the ReKnowledge of to an (and any ) shall be (to the extent required under ) effected by way of and in accordance with and the Agreement. The provisions of the Agreement (including this ) shall constitute the Client’s instructions with respect to in accordance with paragraph 3.1.1.
7.3. The employed by the ReKnowledge in connection with the Agreement shall be as follows: binding corporate rules (in respect of transfers to Affiliates) and the use of the Standard Contractual Clauses provided by the European Commission.
7.4. The Client acknowledges that due to the nature of technological services, the may be to other geographical locations in connection with use of the further to access and/or computerised instructions initiated by . The Client acknowledges that the ReKnowledge does not control such and the Client shall ensure that (and all others acting on its behalf) only initiate the of to other geographical locations if are in place and that such is in compliance with all .
8. Information and audit
8.1. The ReKnowledge shall maintain, in accordance with binding on the ReKnowledge, written records of all categories of activities carried out on behalf of the Client.
8.2. The Client may, by written notice to ReKnowledge, request information regarding ReKnowledge’s compliance with the obligations placed on it under this Data Protection Addendum. On receipt of such request, ReKnowledge shall provide the Client (or auditors mandated by the Client) with information to demonstrate ReKnowledge’s compliance with this Data Protection Addendum to the extent such request is reasonable and the information is in ReKnowledge’s possession or control.
8.3. In the event that the Client, acting reasonably, deems the information provided in accordance with paragraph 8.2 insufficient to satisfy its obligations under , the ReKnowledge shall, on request by the Client make available to the Client such information as is reasonably necessary to demonstrate the ReKnowledge’s compliance with its obligations under this and Article 28 of the (and under any equivalent to that Article 28), and allow for and contribute to audits, including inspections, by the Client (or another auditor mandated by the Client) for this purpose provided:
8.3.1. such audit, inspection or information request is reasonable, limited to information in the ReKnowledge’s possession or control and is subject to the Client giving the ReKnowledge reasonable (and in any event at least 60 days’) prior notice of such audit, inspection or information request;
8.3.2. the parties (each acting reasonably and consent not to be unreasonably withheld or delayed) shall agree the timing, scope and duration of the audit, inspection or information release together with any specific policies or other steps with which the Client or third party auditor shall comply (including to protect the security and confidentiality of other Clients, to ensure the ReKnowledge is not placed in breach of any other arrangement with any other Client and so as to comply with the remainder of this paragraph 8.3);
8.3.3. the Client shall ensure that any such audit or inspection is undertaken during normal business hours, with minimal disruption to the businesses of the ReKnowledge;
8.3.4. the duration of any audit or inspection shall be limited to one business day;
8.3.5. all costs of such audit or inspection or responding to such information request shall be borne by the Client, and the ReKnowledge’s costs, expenses, work and time incurred in connection with such audit or inspection shall be reimbursed by the Client on a time and materials basis in accordance with the ;
8.3.6. the Client’s rights under this paragraph 8.3 may only be exercised once in any consecutive month period, unless otherwise required by a ;
8.3.7. the Client shall promptly (and in any event within Bu) report any non-compliance identified by the audit, inspection or release of information to the ReKnowledge;
8.3.8. the Client agrees that all information obtained or generated by the Client or its auditor(s) in connection with such information requests, inspections and audits shall be as defined in the Agreement, and shall be treated in accordance with applicable terms;
8.3.9. the Client shall ensure that each person acting on its behalf in connection with such audit or inspection (including the personnel of any third party auditor) shall not by any act or omission cause or contribute to any damage, destruction, loss or corruption of or to any systems, equipment or data in the control or possession of the ReKnowledge while conducting any such audit or inspection; and
8.3.10. this paragraph 8.3 is subject to paragraph 8.4.
8.4. The Client acknowledges and accepts that relevant contractual terms agreed with (s) may mean that the ReKnowledge or Client may not be able to undertake or facilitate an information request or audit or inspection of any or all s pursuant to paragraph 8.3 and:
8.4.1. the Client’s rights under paragraph 8.3 shall not apply to the extent inconsistent with relevant contractual terms agreed with (s);
8.4.2. to the extent any information request, audit or inspection of any are permitted in accordance with this paragraph 8.4, equivalent restrictions and obligations on the Client to those in paragraphs 8.3.1 to 8.3.10 (inclusive) shall apply together with any additional or more extensive restrictions and obligations applicable in the circumstances; and
8.4.3. paragraphs 5.3.1 and 8.3 shall be construed accordingly.
8.5. Notwithstanding paragraph 8.4 ReKnowledge shall ensure that it has appropriate mechanisms in place to ensure its Sub-Processors meet their obligations under Data Protection Laws. The Client accepts that the provisions of paragraph 8.4 shall satisfy the ReKnowledge’s obligations in that regard.
9. Breach notification
9.1. In respect of any involving , the ReKnowledge shall, without undue delay (and in any event within 72 hours):
9.1.1. notify the Client of the ; and
9.1.2. provide the Client with details of the .
10. Deletion of Protected Data and copies
Following the end of the provision of the Services (or any part) relating to the processing of Protected Data the ReKnowledge shall dispose of Protected Data in accordance with its obligations under the Agreement. The ReKnowledge shall have no liability (howsoever arising, including in negligence) for any deletion or destruction of any such Protected Data undertaken in accordance with the Agreement.
11. Compensation and claims
11.1. The ReKnowledge shall be liable for (howsoever arising, whether in contract, tort (including negligence) or otherwise) under or in connection with the Agreement:
11.1.1. only to the extent caused by the of under the Agreement and directly resulting from the ReKnowledge’s breach of the Agreement; and
11.1.2. in no circumstances to the extent that any (or the circumstances giving rise to them) are contributed to or caused by any breach of the Agreement by the Client (including in accordance with paragraph ).
11.2. If a party receives a compensation claim from a person relating to of in connection with the Agreement or the , it shall promptly provide the other party with notice and full details of such claim. The party with conduct of the action shall:
11.2.1. make no admission of liability nor agree to any settlement or compromise of the relevant claim without the prior written consent of the other party (which shall not be unreasonably withheld or delayed); and
11.2.2. consult fully with the other party in relation to any such action but the terms of any settlement or compromise of the claim will be exclusively the decision of the party that is responsible under the Agreement for paying the compensation.
11.3. The parties agree that the Client shall not be entitled to claim back from the ReKnowledge any part of any compensation paid by the Client in respect of such damage to the extent that the Client is liable to indemnify or otherwise compensate the ReKnowledge in accordance with the Agreement.
11.4. This paragraph 11 is intended to apply to the allocation of liability for as between the parties, including with respect to compensation to s, notwithstanding any provisions under to the contrary, except:
11.4.1. to the extent not permitted by (including ); and
11.4.2. that it does not affect the liability of either party to any .
12. Survival
This Data Protection Addendum (as Updated from time to time) shall survive termination (for any reason) or expiry of the Agreement and continue until no Protected Data remains in the possession or control of the ReKnowledge or any Sub-Processor, except that paragraphs 10 to 12 (inclusive) shall continue indefinitely.
13. Data protection contact
The ReKnowledge’s person responsible for data protection is Julien Grossmann who may be contacted at [email protected].