Date Protection Terms (Businesses)
Update Date: 7 February 2024
These Data Protection Terms are Additional Terms that are supplemental to the agreement (“the Agreement”) between you (the “Customer”) and us (the “Business”, namely the business described in the Legal Information that is supplying the Services pursuant to the Agreement). By submitting an Order or requesting us to supply Services you are deemed to accept these Terms, irrespective of whether they are signed by you or us or not.
Agreed Terms
1. Interpretation
1.1 Definitions
Applicable Data Protection Laws: means:
a) To the extent the UK GDPR applies, the law of the United Kingdom or of a part of the United Kingdom which relates to the protection of personal data
b) To the extent the EU GDPR applies, the law of the law of the European Union or any member state of the European Union to which the Business is subject, which relates to the protection of personal data.
Applicable Laws: means:
a) To the extent the UK GDPR applies, the law of the United Kingdom or of a part of the United Kingdom.
b) To the extent EU GDPR applies, the law of the European Union or any member state of the European Union to which the Business is subject.
Business Personal Data: any personal data which the Business processes in connection with the Agreement, in the capacity of a controller.
Customer Personal Data: any personal data which the Business processes in connection with the Agreement, in the capacity of a processor on behalf of the Customer.
EU GDPR: means the General Data Protection Regulation ((EU) 2016/679), as it has effect in EU law.
UK GDPR: has the meaning given to it in section 3(10) (as supplemented by section 205(4)) of the Data Protection Act 2018.
1.2 Further interpretation
(a) The Schedule(s) form part of these Terms and shall have effect as if set out in full in the body of these Terms. Any reference to these Terms includes the Schedules.
(b) The definitions and rules of interpretation in the Terms & Conditions shall apply to these Terms, unless otherwise specified.
2. Data protection
2.1 For the purposes of this clause 2, the terms controller, processor, data subject, personal data, personal data breach and processing shall have the meaning given to them in the UK GDPR.
2.2 Both parties will comply with all applicable requirements of the Applicable Data Protection Laws. This clause 2 is in addition to, and does not relieve, remove or replace, a party's obligations or rights under Applicable Data Protection Laws.
2.3 The parties have determined that for the purposes of Applicable Data Protection Laws
(a) the Business shall process the personal data as set out in paragraph 1.1 of Schedule 1 as processor on behalf of the Customer; and
(b) the Business shall act as controller of the personal data set out in paragraph 1.2 of Schedule 1.
2.4 Should the determination in clause 2.3 change, the parties shall use all reasonable endeavours make any changes that are necessary to this clause 2 and Schedule 1.
2.5 The Customer consents to, (and shall procure all required consents, from its personnel, representatives and agents, in respect of) all actions taken by the Business in connection with the processing of Business Personal Data, provided these are in compliance with the then-current version of the Business's privacy policy (Privacy Policy) available via the Legal Information or supplied to the Customer. In the event of any inconsistency or conflict between the terms of the Privacy Policy and these Terms, the Privacy Policy will take precedence.
2.6 Without prejudice to clause 2.2, the Customer will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the Business Personal Data and Customer Personal Data to the Business and lawful collection of the same by the Business for the duration and purposes of the Agreement.
2.7 In relation to the Customer Personal Data, Schedule 1 sets out the scope, nature and purpose of processing by the Business, the duration of the processing and the types of personal data and categories of data subject.
2.8 Without prejudice to clause 2.2, the Business shall, in relation to Customer Personal data:
(a) process that Customer Personal Data only on the documented instructions of the Customer, which shall be to process the Customer Personal Data for the purposes set out in Schedule 1 (Processing, personal data and data subjects) or agreed between the parties in writing from time to time, unless the Business is required by Applicable Laws to otherwise process that Customer Personal Data (Purpose). Where the Business is relying on Applicable Laws as the basis for processing Customer Personal Data, the Business shall notify the Customer of this before performing the processing required by the Applicable Laws unless those Applicable Laws prohibit the Business from so notifying the Customer on important grounds of public interest. The Business shall inform the Customer if, in the opinion of the Business, the instructions of the Customer infringe Applicable Data Protection Laws;
(b) implement the technical and organisational measures set out in Schedule 1 (Processing, personal data and data subjects) to protect against unauthorised or unlawful processing of Customer Personal Data and against accidental loss or destruction of, or damage to, Customer Personal Data, which the Customer has reviewed and confirms are appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures;
(c) ensure that any personnel engaged and authorised by the Business to process Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory or common law obligation of confidentiality;
(d) assist the Customer insofar as this is possible (taking into account the nature of the processing and the information available to the Business), and at the Customer's cost and written request, in responding to any request from a data subject and in ensuring the Customer's compliance with its obligations under Applicable Data Protection Laws with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators;
(e) notify the Customer without undue delay on becoming aware of a personal data breach involving the Customer Personal Data;
(f) at the written direction of the Customer, delete or return Customer Personal Data and copies thereof to the Customer on termination of the Agreement unless the Business is required by Applicable Law to continue to process that Customer Personal Data. For the purposes of this clause 2.8(f), Customer Personal Data shall be considered deleted where it is put beyond further use by the Business; and
(g) maintain records to demonstrate its compliance with this clause 2.
2.9 The Customer provides its prior, general authorisation for the Business to:
(a) appoint processors to process the Customer Personal Data, provided that the Business:
(i) shall ensure that the terms on which it appoints such processors comply with Applicable Data Protection Laws, and are consistent with the obligations imposed on the Business in this clause 2;
(ii) shall remain responsible for the acts and omission of any such processor as if they were the acts and omissions of the Business; and
(iii) shall inform the Customer of any intended changes concerning the addition or replacement of the processors, thereby giving the Customer the opportunity to object to such changes provided that if the Customer objects to the changes and cannot demonstrate, to the Business's reasonable satisfaction, that the objection is due to an actual or likely breach of Applicable Data Protection Law, the Customer shall indemnify the Business for any losses, damages, costs (including legal fees) and expenses suffered by the Business in accommodating the objection.
(b) transfer Customer Personal Data outside of the UK as required for the Purpose, provided that the Business shall ensure that all such transfers are effected in accordance with Applicable Data Protection Laws. For these purposes, the Customer shall promptly comply with any reasonable request of the Business, including any request to enter into standard data protection clauses adopted by the EU Commission from time to time (where the EU GDPR applies to the transfer) or adopted by the Commissioner from time to time (where the UK GDPR applies to the transfer).
2.10 Either party may, at any time on not less than 30 days' notice, revise this clause 2 (Data protection) by replacing it (in whole or part) with any applicable controller to processor standard clauses or similar terms forming part of an applicable certification scheme (which shall apply when: replaced by attachment to these Terms; or provided by one party to the other in writing).
2.11 The Business's liability for losses arising from breaches of this clause 2 is as set out in clause 3.3.
3. Limitation of liability
3.1 Neither party may benefit from the limitations and exclusions set out in this clause 3 in respect of any liability arising from its deliberate default.
3.2 Nothing in these Terms limits any liability which cannot legally be limited, including but not limited to liability for:
(a) death or personal injury caused by negligence;
(b) fraud or fraudulent misrepresentation; and
(c) breach of the terms implied by section 2 of the Supply of Goods and Services Act 1982 (title and quiet possession).
3.3 Subject to clause 3.1 (no limitations in respect of deliberate default) and clause 3.2 (liabilities which cannot legally be limited), the Business's total liability to the Customer for loss arising from the Business's failure to comply with its data processing obligations under clause 2 (Data protection) shall not exceed the cap on liability applicable to data protection set out in the Business’ Terms of Service.
Schedule 1 - Processing, Personal Data and Data Subjects
1. Parties' roles
1.1 Where the Business acts as a processor
Providing the services pursuant to the Agreement.
1.2 Where the Business acts as a controller
Administering and managing the Services and the Agreement in accordance with the Business’ Privacy Policy.
2. Particulars of processing
2.1 Scope
The processing of the data subjects’ personal data in order to provide the services pursuant to the Agreement.
2.2 Nature
Storing and using the personal data to fulfil the Agreement.
2.3 Purpose of processing
Performance of the Agreement.
2.4 Duration of the processing
The duration of the processing shall correspond to the duration of the Agreement between the parties, and a reasonable time following termination of the Agreement to allow for any applicable post-termination handover procedures to be completed.
2.5 Types of personal data
Any personal data transferred by the Customer to the Business under the Agreement, as agreed between the parties from time to time, including, but not limited to: names, contact information, job titles, IP addresses.
2.6 Categories of data subject
Officers, employees, consultants, subcontractors, suppliers, clients and prospective clients.
3. Technical and organisational measures
3.1 Technical and organisational measures as agreed between the parties from time to time, including inter alia as appropriate:
(i) the pseudonymisation and encryption of Customer Personal Data;
(ii) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
(iii) the ability to restore the availability and access to Customer Personal Data in a timely manner in the event of a physical or technical incident; and
(iv) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing; and
(v) any other measures agreed between the parties from time to time.
-END-