ADDENDUM – PROCESSING PERSONAL DATA
1. APPLICABILITY
1.1 The terms in this Addendum apply only where one Party (the "Controller") provides Personal Data for processing by the other Party (the "Processor") during the course of Arkessa providing its services.
Definitions
1.2 In this Addendum:
(a) “Data Protection Laws” means all laws applicable to any personal data processed under or in connection with this agreement including the Data Protection Act 2018, GDPR and the Privacy and Electronic Communications Directive 2002/58/EC, any laws which implement any such laws, and any laws that replace, extend, re-enact, consolidate or amend any of the foregoing;
(b) “Data Subject”, “Personal Data” and “Processing” shall have the meanings given to them in the Data Protection Laws from time to time, and “international organisation” and “Personal Data Breach” shall have the respective meanings given to them in the GDPR;
(c) “GDPR” means the General Data Protection Regulation (EU) 2016/679;
(d) “Protected Data” means Personal Data received from or on behalf of the Controller in connection with the performance of the Processor's obligations under this Agreement; and
(e) “Sub-Processor” means any third party engaged by the Processor to carry out any processing activities on behalf of the Controller in respect of the Protected Data.
Compliance with Data Protection Laws
1.3 The Controller shall at all times comply with all Data Protection Laws in connection with the processing of Protected Data. The Controller shall ensure all instructions given by it to the Processor in respect of Protected Data shall at all times be in accordance with Data Protection Laws. The Processor shall process Protected Data in compliance with the obligations placed on it under Data Protection Laws and the terms of this Agreement.
Instructions
1.4 The Processor shall only process the Protected Data in accordance with the Controller's written instructions except where otherwise required by applicable law (and shall inform the Controller of that legal requirement before processing, unless applicable law prevents it doing so on important grounds of public interest). If the Processor believes that any instruction received by it from the Controller is likely to infringe the Data Protection Laws it shall promptly inform the Controller.
Processor's Personnel
1.5 The Processor shall ensure that persons authorised to process the Protected Data are under an obligation of confidentiality in respect of the Protected Data.
Security
1.6 The Processor shall implement and maintain appropriate technical and organisational measures to protect the Protected Data against accidental, unauthorised or unlawful destruction, loss, alteration, disclosure or access.
Sub-processing
1.7 The Processor shall not permit any processing of Protected Data by a Sub-Processor without prior notification to the Controller, and the Processor must appoint any Sub-Processor under a written contract containing materially the same obligations as under this Addendum.
Assistance
1.8 The Processor shall (at the Controller's cost):
(a) assist the Controller in ensuring compliance with the Controller's obligations pursuant to Articles 32 to 36 of the GDPR taking into account the nature of the processing and the information available to the Processor; and
(b) taking into account the nature of the processing, assist the Controller (by appropriate technical and organisational measures), insofar as this is possible, for the fulfilment of the Controller's obligations to respond to requests for exercising the Data Subjects' rights under Chapter III of the GDPR in respect of any Protected Data.
Audits and processing
1.9 The Processor shall make available to the Controller all information as is necessary to demonstrate the Processor's compliance with the obligations placed on it under this Addendum and allow for and contribute to audits, including inspections, conducted by the Controller (or another auditor mandated by the Controller) for this purpose.
International transfers
1.10 The Processor shall not process and/or transfer, or otherwise directly or indirectly disclose, any Protected Data in or to countries outside the EEA or to any international organisation where permitted by the Data Protection Laws.
Breach
1.11 The Processor shall notify the Controller without undue delay and in writing on becoming aware of any Personal Data Breach in respect of any Protected Data.
Deletion/return
1.12 At the end of the provision of the services relating to the processing of Protected Data, at the Controller's cost and the Controller's option, the Processor shall either return all of the Protected Data to the Controller or securely dispose of the Protected Data (and thereafter promptly delete all existing copies of it) except to the extent that any applicable law requires the Processor to store such Protected Data.