A. The Client has a requirement for the provision of certain Services (as defined below) which the Supplier is qualified to supply.
B. The Supplier has agreed to provide the Services under the terms set out in this Agreement.
C. These terms of Service (Terms) set out the agreement between the Client and the Supplier with respect to the Services provided to the Client by the Supplier.
D. The Terms create an enforceable legal agreement between the Client and the Supplier when the Client confirms their agreement to the Terms pursuant to a notification of such agreement through a positive affirmation of such during the on-boarding process set out in the Client’s website or as otherwise agreed by the parties hereto.
Business Day: a day other than a Saturday, Sunday or public holiday in England when banks in London are open for business.
Charges: save for a period where the Client may utilise the Services during an initial evaluation phase, which Services shall be made available to the Client without the need for payment (as described in the Supplier’s website or as otherwise notified by the Supplier to the Client) the Charges means sums payable by the Client for the supply of the Services, as set out in by the Supplier on the Supplier’s website or as otherwise notified to the Client by the Supplier, which (in each case) shall be deemed to be part of these Terms.
Client: the party which has confirmed its acceptance of these Terms during the sign-up process identified on the Client’s website.
Client Materials: all materials and data supplied by the Client to the Supplier.
Commercially Reasonable Efforts: the same degree of priority and diligence with which the Supplier meets the support needs of its other similar customers.
Deliverables: information, documentation, products and materials generated by the Supplier or its agents, subcontractors and personnel as part of or in relation to the Services in any form, including without limitation, data, reports and specifications (including drafts).
Intellectual Property Rights: all patents, rights to inventions, utility models, copyright and related rights, trademarks, service marks, trade, business and domain names, rights in trade dress or get-up, rights in goodwill or to sue for passing off, unfair competition rights, rights in designs, rights in computer software, source-code, database rights, topography rights, rights in confidential information (including know-how and trade secrets) and any other intellectual property rights, in each case whether registered or unregistered and including all applications for, and renewals or extensions of, such rights, and all similar or equivalent rights or forms of protection in any part of the world.
Parties: the Client and the Supplier.
Personal Data Processing Terms: the terms under which the Client and Supplier shall process personal data as set out at Schedule 1.
Project Manager: the person nominated by the Supplier to ensure that the Services are undertaken in accordance with the terms of this agreement; and generally.
Services: the provision of software services that provide contextual assistance with finding, displaying and making use of information found online through the web browser.
Supplier: CScout Limited a company registered in England and Wales under company number 09879640 who registered office is situated at 78 Gilling Court, Belsize Grove, London England NW3 4XB.
Supplier IPR: all Intellectual Property Rights either subsisting in the Deliverables or otherwise necessary or desirable to enable a Client to receive and use the Services.
(a) A reference to a statute or statutory provision is a reference to it as amended or re-enacted. A reference to a statute or statutory provision includes any subordinate legislation made under that statute or statutory provision, as amended or re-enacted.
(b) Any Schedule and matters relating to Services and Charges shall be deemed to form part of this Agreement.
(c) Any phrase introduced by the terms including, include, in particular or any similar expression shall be construed as illustrative and shall not limit the sense of the words preceding those terms.
(d) A reference to writing or written includes email.
- Commencement and term
2.1 This Agreement will start on the date when either, it has been signed by both parties or the Client has indicated its agreement to it by confirmation on the Supplier’s website or through its on-boarding process, and continue, unless terminated earlier in accordance with its terms, until the Services have been completed and account settled.
- Supply of Services
3.1 In consideration of payment by the Client to the Supplier, the Supplier shall supply the Services.
3.2 In supplying the Services, the Supplier shall:
(a) perform the Services with the highest level of care, skill and diligence in accordance with best practice in the Supplier’s industry, profession or trade;
(b) co-operate with the Client in all matters relating to the Services and comply with all instructions of the Client;
(c) only use personnel who are suitably skilled and experienced to perform the tasks assigned to them, and in sufficient number to ensure that the Supplier’s obligations are fulfilled;
(d) ensure that it obtains, and maintains all consents, licences and permissions (statutory, regulatory, contractual or otherwise) it may require, and which are necessary to enable it to comply with its obligations in this Agreement;
(e) ensure that the Services conform in all respects with the service description set out above;
(f) comply with all applicable laws, statutes, regulations and codes from time to time in force;
(g) observe all health and safety rules and regulations and any other reasonable security requirements that apply from time to time;
(h) hold all Client Materials in safe custody at its own risk, maintain the Client Materials in good condition until returned to the Client; and
(i) not dispose of or use the Client Materials other than in accordance with the Client’s written instructions or authorisation.
- Client’s obligations
4.1 The Client shall:
(a) co-operate with the Supplier in all matters relating to the Services, which shall include the following:
(i) guidance and support in delivery of the delivery of the Services;
(ii) ensure issues are escalated to the Project Manager in a timely manner;
(iii) agree the project scope and ensure that changes to this scope are communicated and agreed with the Supplier;
(iv) work with Project Manager to keep the delivery of the Services on track; and
(v) be the key decision maker with respect to all ongoing decision required during the utilisation of the services by the Supplier; and
(b) provide such access to Client’s Materials as may reasonably be requested by the Supplier and agreed with the Client in advance, for the purposes of the provision of the Services.
4.2 If the Supplier (acting reasonably) considers that the Client is not, or may not, be complying (in a material way) with any of the Client’s obligations, it shall be entitled to rely on this as relieving the Supplier’s performance under this Agreement if the Supplier, promptly after the actual or potential non-compliance has come to its attention, has notified details of non-compliance to the Client in writing and the Client has not rectified the purported breach of the terms of this agreement.
- Personal Data Processing Terms
5.1 Where, pursuant to the provision of the Services, the parties agree that the Client (as Data Controller) and the Supplier (as Data Processor) undertake the processing of personal data (each as defined in the General Data Protection Regulation 2016/679) the parties to this Agreement confirm that they are bound by the Personal Data Processing Terms set out at Schedule 1 which (for the avoidance of doubt) represent legally binding obligations.
- Intellectual property
6.1 Save for the Supplier IPR, the Client retains all Intellectual Property Rights in the Client Materials and grants the Supplier a licence to such Intellectual Property Rights to the extent required to perform its obligations pursuant to this Agreement.
6.2 All Intellectual Property Rights arising in connection with this agreement shall be the property of the Client, and the Client hereby grants the Supplier an irrevocable licence in perpetuity to use Intellectual Property Rights arising in this manner.
- Charges and payment
7.1 In consideration for the provision of the Services, the Client shall pay the Supplier the Charges in accordance with this clause 7.
7.2 Payment is due where the Client and the Supplier, acting reasonably and in accordance with the provisions of this agreement, agree that a milestone has been met or the Services (in whole or on part) have been completed.
7.3 Where a milestone has been met or the Services (in whole or in part) have been completed, the Supplier shall submit an invoice for the Charges to the Client; and payment for the Services shall be required following receipt of an invoice from the Supplier to the Client specifying the Charges for the Services.
7.4 Payment against a properly issued invoice shall be not later than 30 days after the date of the invoice provided it has been received provided the invoice is received in a reasonable time after acceptance of the invoiced amount.
7.5 All amounts payable by the Client shall be in UK Sterling (or any other currency agree by the parties) and exclude amounts in respect of tax (including VAT or its equivalent) which the Client shall be liable to pay to the Supplier at the prevailing rate (as applicable).
7.6 Any invoice shall include all reasonable supporting information requested by the Client.
7.7 If the Client fails to make any payment due to the Supplier under this Agreement by the due date for payment, then, without limiting the Supplier’s remedies under clause 9, the Client shall pay interest on the overdue amount at the rate of 5% per annum above HSBC plc’s base rate from time to time. Such interest shall accrue daily from the due date until actual payment of the overdue amount, whether before or after judgment. The Client shall pay the interest together with the overdue amount.
- Limitation of liability
8.1 Nothing in this Agreement shall limit or exclude the Supplier’s liability for:
(a) death or personal injury caused by its negligence, or the negligence of its personnel, agents or subcontractors;
(b) fraud or fraudulent misrepresentation;
(c) any other liability which cannot be limited or excluded by applicable law.
8.2 The Supplier shall not be liable to the Client, whether in contract, tort (including negligence), for breach of statutory duty, or otherwise, arising under or in connection with this agreement for:
(a) loss of profits;
(b) loss of sales or business;
(c) loss of agreements or contracts;
(d) loss of or damage to goodwill; and
(e) loss of use or corruption of software, data or information.
8.3 The Supplier’s total liability to the Client, whether in contract, tort (including negligence), breach of statutory duty, or otherwise, arising under or in connection with this agreement shall be limited to the amount owed by the Client to the Supplier, under this Agreement.
8.4 Subject to clause 8.1 neither party to this Agreement shall have any liability to the other party, whether in contract, tort (including negligence), breach of statutory duty, or otherwise, for any indirect or consequential loss arising under or in connection with this Agreement.
9.1 This Agreement may be terminated upon 1 months’ notice in writing to the other party. Where the Services are terminated by the Client, the Client will pay the cost of time and materials upon receipt of a suitably detailed summary of work undertaken for the period where the Supplier has not, hitherto, received any payment.
9.2 Without affecting any other right or remedy available to it, either party may terminate this Agreement with immediate effect by giving written notice to the other party if:
(a) the other party commits a material breach of any term of this Agreement which breach is irremediable or (if such breach is remediable) fails to remedy that breach within a period of 15 Business Days after being notified to do so;
(b) the other party takes any step or action in connection with its entering administration, provisional liquidation or any composition or arrangement with its creditors (other than in relation to a solvent restructuring), being wound up (whether voluntarily or by order of the court, unless for the purpose of a solvent restructuring), having a receiver appointed to any of its assets or ceasing to carry on business or, if the step or action is taken in another jurisdiction, in connection with any analogous procedure in the relevant jurisdiction; or
(c) the other party suspends, or threatens to suspend, or ceases or threatens to cease to carry on all or a substantial part of its business; or
(d) in reasonable opinion of the relevant party, the other party has undertaken a course of behaviour which may result in material commercial or reputational damage to the Supplier.
9.3 Termination of the Agreement shall not affect any of the parties’ rights and remedies that have accrued as at termination, including the right to claim damages in respect of any breach of this Agreement which existed at or before the date of termination.
9.4 Any provision of the Agreement that expressly or by implication is intended to come into or continue in force on or after termination shall remain in full force and effect.
10.1 Force majeure. Neither party shall be in breach of this Agreement nor liable for delay in performing, or failure to perform, any of its obligations under this Agreement if such delay or failure result from events, circumstances or causes beyond its reasonable control (which shall include local down-time as a result of unforeseen security restrictions.)
10.2 If the period of delay or non-performance continues for 4 weeks, the party not affected may terminate this Agreement by giving 10 Business Days’ written notice to the affected party.
10.3 Subcontracting. The Supplier may not subcontract any or all of its rights or obligations under this Agreement without the prior written consent of the Client. If the Client consents to any subcontracting by the Supplier, the Supplier shall remain responsible for all acts and omissions of its subcontractors as if they were its own.
(a) Each party undertakes that it shall not at any time disclose to any person any confidential information concerning the business, affairs, Clients, clients or suppliers of the other party, except as permitted by clause 10.4(b).
(b) Each party may disclose the other party’s confidential information:
(i) to its employees, officers, representatives, subcontractors or advisers who need to know such information for the purposes of carrying out the party’s obligations under this Agreement. Each party shall ensure that its employees, officers, representatives, subcontractors or advisers to whom it discloses the other party’s confidential information comply with this clause 10.4; and
(ii) as may be required by law, a court of competent jurisdiction or any governmental or regulatory authority.
(c) Neither party shall use the other party’s confidential information for any purpose other than to perform its obligations under this Agreement.
10.5 Entire Agreement. This Agreement constitutes the entire Agreement between the parties and supersedes and extinguishes all previous Agreements, promises, assurances, warranties, representations and understandings between them, whether written or oral, relating to its subject matter.
10.6 Variation. No variation of this Agreement shall be effective unless it is in writing and signed by the parties (or their authorised representatives).
10.7 Waiver. A waiver of any right or remedy is only effective if given in writing and shall not be deemed a waiver of any subsequent breach or default. A delay or failure to exercise, or the single or partial exercise of, any right or remedy shall not:
(a) waive that or any other right or remedy; or
(b) prevent or restrict the further exercise of that or any other right or remedy.
10.8 Severance. If any provision or part-provision of this Agreement is or becomes invalid, illegal or unenforceable, it shall be deemed modified to the minimum extent necessary to make it valid, legal and enforceable. If such modification is not possible, the relevant provision or part-provision shall be deemed deleted. Any modification to or deletion of a provision or part-provision under this clause shall not affect the validity and enforceability of the rest of this Agreement.
(a) Any notice or other communication given to a party under or in connection with this Agreement shall be in writing, addressed to that party at its registered office or such other address as that party may have specified to the other party in writing in accordance with this clause, and shall be delivered personally, or sent by pre-paid first-class post or other next working day delivery service, commercial courier, or email.
(b) A notice or other communication shall be deemed to have been received: if delivered personally, when left at the address referred to in clause 10.9(a); if sent by pre-paid first class post or other next working day delivery service, at 9.00 am on the second Business Day after posting; if delivered by commercial courier, on the date and at the time that the courier’s delivery receipt is signed; or, if sent by receipted email, one Business Day after transmission.
(c) The provisions of this clause shall not apply to the service of any proceedings or other documents in any legal action.
10.10 Third party rights. No one other than a party to this Agreement shall have any right to enforce any of its terms.
- Governing law and jurisdiction
11.1 This Agreement and any dispute or claim arising out of or about it or its subject matter or formation (including non-contractual disputes or claims) shall be governed by and construed in accordance with the laws of England and the parties hereby irrevocably submit to the exclusive jurisdiction of the English Courts.
This Agreement has been entered on the date stated at the beginning of this Agreement.
PERSONAL DATA PROCESSING TERMS
A. The Client (acting as a Data Controller) has a requirement for the processing of Personal Data (as defined below).
B. The Supplier has agreed to provide the requested processing of such Personal Data under the terms set out in these Personal Data Processing Terms.
1.1 In this Agreement, the following terms shall have the meanings set out below and cognate terms shall be construed accordingly:
Effective Date has the meaning given to it in section 2.
Applicable Laws means (a) European Union or Member State laws with respect to the Personal Data; and (b) any other applicable law with respect to the Personal Data.
Contract for Services: the agreement entered into by the Data Controller and Data Processor under which the Data Processor (as Supplier) shall provide the Services specified therein.
Data Processor Affiliate means an entity that owns or controls, is owned or controlled by or is or under common control or ownership with the Data Processor, where control is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract or otherwise.
Data Protection Laws shall mean Directive 95/46/EC and Directive 2002/58/EC, in each case as transposed into domestic legislation of each Member State of the European Economic Area and in each case as amended, replaced or superseded from time to time, including without limitation by the EU General Data Protection Regulation 2016/679 of the European Parliament and of the Council (“GDPR”) and/or other applicable data protection or national/federal or state/provincial/emirate privacy legislation in force, including where applicable, statues, decisions, guidelines, guidance notes and codes of practice issued from time to time by courts, any Supervisory Authority and other applicable authorities.
Data Controller, Data Processor, Data Subject, Process/Processing and Special Categories of Personal Data shall have the same meaning as described in the Data Protection Laws;
Delete means the removal or obliteration of Personal Data such that it cannot be recovered or reconstructed.
Group shall mean, in relation to a company, that company, any subsidiary or any holding company from time to time of that company, and any subsidiary from time to time of a holding company of that company. Each company in a Group is a member of the Group. A reference to a holding company or a subsidiary means a holding company or a subsidiary (as the case may be) as defined in section 1159 of the Companies Act 2006.
Personal Data means the personal data (as defined in the Data Protection Laws) set out in Annex 1 to this Agreement and any other personal data, as defined in the Data Protection Laws, Processed by the Data Processor on behalf of the Data Controller pursuant to or in connection with the Contract for Services.
Personal Data Breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, the Personal Data transmitted, stored or otherwise Processed.
Relevant Date means the date falling on the earlier of (i) the cessation of Processing of the Personal Data by the Data Processor; or (ii) termination of the Contract for Services.
Restricted Transfer means:
(i) a transfer of the Personal Data from any Data Controller to a Data Processor or Subprocessor; or
(ii) an onward transfer of the Personal Data from a Data Processor or Subprocessor to (or between two establishments of) a Data Processor or Subprocessor,
in each case, where such transfer would be prohibited by Data Protection Laws (or by the terms of data transfer agreements put in place to address the data transfer restrictions of Data Protection Laws);
Subprocessor means any Data Processor (including any third party) appointed by the Data Processor to Process Personal Data on behalf of the Data Controller.
Supervisory Authority means (a) an independent public authority which is established by a Member State pursuant to Article 51 GDPR; and (b) any similar regulatory authority responsible for the enforcement of Data Protection Laws.
1.2 The terms used in this Agreement shall have the meanings set forth in this Agreement. Capitalized terms not otherwise defined herein shall have the meaning given to them in the Contract for Services. Except as modified below, the terms of the Contract for Services shall remain in full force and effect.
1.3 The parties hereby agree that the terms and conditions set out below shall be added as an Agreement to the Contract for Services.
- Formation of this Agreement
2.1 This Agreement comes into effect on the Effective Date, which shall be the earlier of:
(a) the date on which this Agreement is signed by the Data Processor;
(b) the date which is thirty (30) calendar days after the date on which this Agreement is sent by the Data Controller to the Data Processor,
except where the Data Processor objects to the terms of this Agreement in accordance with section 2.2 below.
2.2 If, following receipt of this Agreement, the Data Processor objects to its terms it shall notify the Data Controller in writing of its objection within thirty (30) calendar days after the date on which the Agreement is sent by the Data Controller to the Data Processor. The Parties shall then work together promptly and in good faith to resolve the Data Processor’s objections and to agree upon a mutually satisfactory form of this Agreement, whereupon the Agreement Effective Date shall be the date on which the agreed form of the Agreement is signed by the parties.
- Data Processing Terms
3.1 In the course of providing the Services to the Data Controller pursuant to the Contract for Services, the Data Processor may Process Personal Data on behalf of the Data Controller as per the terms of this Agreement. The Data Processor agrees to comply with the following provisions with respect to the Personal Data submitted by or for the Data Controller to the Data Processor or otherwise collected and Processed by or for the Data Controller by the Data Processor.
3.2 Processing of Personal Data
3.3 The Data Controller hereby appoints the Data Processor in relation to the Processing of Personal Data and the parties agree to act in accordance with their respective obligations under this Agreement.
3.4 The parties shall at all times comply with applicable Data Protection Laws.
3.5 The Data Processor shall not Process the Personal Data other than on the Data Controller’s documented instructions (whether in the Contract for Services or otherwise) unless Processing is required by Applicable Laws to which the Data Processor is subject, in which case the Data Processor shall to the extent permitted by Applicable Laws inform the Data Controller of that legal requirement before the relevant Processing of that Personal Data.
3.6 The Data Controller:
(a) instructs the Data Processor (and authorises the Data Processor to instruct each Subprocessor) to:
(b) Process the Personal Data; and
(c) subject to sections 11 (Subprocessors) and 12 (Restricted Transfers of Personal Data) transfer the Personal Data to any country or territory,
(d) as reasonably necessary to the provision of the Services and consistent with the Contract for Services.
3.7 Annex 1 to this Agreement sets out the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subject as required by Article 28(3) of the GDPR or equivalent provisions of any Data Protection Law. The Data Controller may make reasonable amendments to Annex 1 by written notice to the Data Processor from time to time as the Data Controller reasonably considers necessary to meet those requirements. As between the parties, nothing in Annex 1 (including as amended pursuant to this section 4.5) confers any right or imposes any obligation on either party.
- Data Processor Personnel
4.1 The Data Processor shall take reasonable steps to ensure the reliability of any employee, agent or contractor who may have access to the Personal Data, ensuring in each case that access is strictly limited to those individuals who need to access the relevant Personal Data, as strictly necessary for the purposes of that individual’s duties to the Data Processor, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.
5.1 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Data Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate including inter alia as appropriate: (a) the pseudonymisation and encryption of the Personal Data; (b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; (c) the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; and (d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the Processing.
5.2 In assessing the appropriate level of security, the Data Processor shall take account in particular of the risks that are presented by Processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored or otherwise Processed.
- Personal Data Breach
6.1 The Data Processor shall notify the Data Controller without undue delay and in any case within twenty-four (24) hours, upon becoming aware of or reasonably suspecting a Personal Data Breach, with sufficient information which allows the Data Controller to meet any obligations to report a Personal Data Breach under the Data Protection Laws. Such notification shall as a minimum:
6.2 describe the nature of the Personal Data Breach, the categories and numbers of Data Subjects concerned, and the categories and numbers of Personal Data records concerned;
6.3 communicate the name and contact details of the Data Processor’s data protection officer or other relevant contact from whom more information may be obtained;
6.4 describe the likely consequences of the Personal Data Breach; and
6.5 describe the measures taken or proposed to be taken to address the Personal Data Breach.
6.6 The Data Processor shall co-operate with the Data Controller and take such reasonable commercial steps as are directed by the Data Controller to assist in the investigation, mitigation and remediation of each Personal Data Breach.
6.7 In the event of a Personal Data Breach, the Data Processor shall not inform any third party without first obtaining the Data Controller’s prior written consent, unless notification is required by EU or Member State law to which the Data Processor is subject, in which case the Data Processor shall to the extent permitted by such law inform the Data Controller of that legal requirement, provide a copy of the proposed notification and consider any comments made by the Data Controller before notifying the Personal Data Breach.
- Data Subject Rights
7.1 Taking into account the nature of the Processing, Data Processor shall assist the Data Controller by implementing appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Data Controller’s obligation to respond to requests for exercising Data Subject rights laid down in the GDPR or equivalent provision of any Data Protection Laws.
7.2 The Data Processor shall promptly notify the Data Controller (and in any case within 3 business days) if it receives a request from a Data Subject under any Data Protection Laws in respect of the Personal Data.
- Data Protection Impact Assessment and Prior Consultation
8.1 The Data Processor shall provide reasonable assistance to the Data Controller with any data protection impact assessments which are required under Article 35 GDPR and with any prior consultations to any supervisory authority of the Data Controller which are required under Article 36 GDPR, in each case solely in relation to Processing of Personal Data by the Data Processor on behalf of the Data Controller under the Contract for Services and this Agreement, and taking into account the nature of the Processing and information available to the Data Processor.
- Restricted Transfers
9.1 In the event that that the Data Processor (whether it is required to by the Data Controller or otherwise) undertakes the transfer of Personal Data to a jurisdiction outside the EEA which has not been assigned ‘adequate’ status by the European Commission, the parties agree that any such transfer shall conform to the provisions of Chapter V GDPR in particular (but not limited to) the provisions of Article 46 (Transfers Subject to Appropriate Safeguards). The provisions of this clause apply to any Subprocessor appointed by the Data Processor pursuant to the terms of this Agreement.
- Audit rights
10.1 In addition to any audit rights granted pursuant to the Contract for Services, the Data Processor shall make available to the Data Controller on request all information necessary to demonstrate compliance with this Agreement and allow for and contribute to audits, including inspections, by the Data Controller or an auditor mandated by the Data Controller. The Data Processor shall immediately inform the Data Controller if, in its opinion, an instruction pursuant to this section 10 (Audit Rights) infringes the GDPR or other EU or Member State data protection provisions.
11.1 The Data Controller authorises the Data Processor to appoint (and permit each Subprocessor appointed in accordance with this section 11 to appoint) Subprocessors in accordance with this section 11 and any restrictions in the Contract for Services.
11.2 The Data Processor may continue to use those Subprocessors already engaged by the Data Processor as at the date of this Agreement, subject to the Data Processor in each case as soon as practicable meeting the obligations set out in section 11.4.
11.3 The Data Processor shall give the Data Controller prior written notice of the appointment of any new Subprocessor, including full details of the Processing to be undertaken by the Subprocessor. If, within 30 (thirty) calendar days of receipt of that notice, the Data Controller notifies the Data Processor in writing of any objections (on reasonable grounds) to the proposed appointment:
(a) the Data Processor shall work with the Data Controller in good faith to make available a commercially reasonable change in the provision of the Services which avoids the use of that proposed Subprocessor; and
(b) where such a change cannot be made within 30 (thirty) calendar days from the Data Processor’s receipt of the Data Controller’s notice (or such longer period as the parties may agree in writing), notwithstanding anything in the Contract for Services, the Data Controller may by written notice to the Data Processor with immediate effect terminate the Contract for Services to the extent that it relates to the Services which require the use of the proposed Subprocessor.
11.4 With respect to each Subprocessor, the Data Processor shall:
(a) carry out adequate due diligence on each Subprocessor to ensure that it is capable of providing the level of protection for the Personal Data as is required by this Agreement including without limitation sufficient guarantees to implement appropriate technical and organisational measures in such a manner that Processing will meet the requirements of GDPR or equivalent provisions of any Data Protection Law and this Agreement;
(b) include terms in the contract between the Data Processor and each Subprocessor which offer at least the same level of protection for the Personal Data as those set out in this Agreement Upon request, the Data Processor shall provide a copy of its agreements with Subprocessors to the Data Controller (which may be redacted to remove confidential commercial information not relevant to the requirements of this Agreement); and
(c) remain fully liable to the Data Controller for any failure by each Subprocessor to fulfil its obligations in relation to the Processing of the Personal Data.
- Deletion or return of Personal Data
12.1 Subject to sections 12.2 and 12.3 the Data Processor shall promptly and in any event within 28 (twenty-eight) calendar days of the Relevant Date, Delete and procure the Deletion of all copies of Personal Data Processed by the Data Processor or any Subprocessor.
12.2 Subject to section 12.3, the Data Controller may in its absolute discretion notify the Data Processor in writing within 15 (fifteen) days of the Relevant Date to require the Data Processor to: (a) return a complete copy of all Personal Data to the Data Controller by secure file transfer in such format as notified by the Data Controller to the Data Processor; and (b) Delete and procure the Deletion of all other copies of Personal Data Processed by the Data Processor or any Subprocessor. The Data Processor shall comply with any such written request within 28 (twenty-eight) days of the Relevant Date.
12.3 The Data Processor may retain Personal Data to the extent required by Applicable Laws and only to the extent and for such period as required by Applicable Laws and always provided that the Data Processor shall ensure the confidentiality of all such Personal Data and shall ensure that such Personal Data is only Processed as necessary for the purpose(s) specified in the Applicable Laws requiring its storage and for no other purpose.
12.4 The Data Processor shall provide written certification to the Data Controller that it has fully complied with this section 13 within 28 (twenty-eight) days of the Relevant Date.
- Liability and Indemnity
13.1 Notwithstanding anything to the contrary in the Principle Agreement, The Data Processor’s liability for any breach of this Agreement shall be unlimited.
13.2 The Data Processor shall indemnify and hold harmless the Data Controller against all losses, fines and sanctions arising from any claim by a third party or Supervisory Authority arising from any breach of this Agreement.
- General Terms
14.1 Subject to section 14.2, the parties agree that this Agreement shall terminate automatically upon: (i) termination of the Contract for Services; or (ii) expiry or termination of all service contracts, statements of work, work orders or similar contract documents entered into by the Data Processor with the Data Controller pursuant to the Contract for Services, whichever is later.
14.2 Any obligation imposed on the Data Processor under this Agreement in relation to the Processing of Personal Data shall survive any termination or expiration of this Agreement.
- Governing law of this Agreement
15.1 To the extent that EU Data Protection Laws apply to the Processing of the Personal Data this Agreement shall be governed by:
(a) the governing law of the Contract for Services for so long as that governing law is the law of a Member State of the European Union; or
(b) where section 15.3(a) does not apply, the laws of England.
15.2 To the extent that EU Data Protection Laws do not apply to the Processing of the Personal Data, this Agreement shall be governed by the governing law of the Contract for Services.
15.3 Notwithstanding the general choice of law under sections 15.1 and 15.2, any questions of contract formation pertaining to this Agreement shall be governed by English law.
- Choice of jurisdiction
16.1 Notwithstanding the choice of law under section 15, the parties to this Agreement submit to the choice of jurisdiction stipulated in the Contract for Services with respect to any disputes or claims howsoever arising under this Agreement.
17.1 Any breach of this Agreement shall constitute a material breach of the Contract for Services.
17.2 With regard to the subject matter of this Agreement, in the event of inconsistencies between the provisions of this Agreement and any other agreements between the parties, including but not limited to the Contract for Services, the provisions of this Agreement shall prevail with regard to the parties’ data protection obligations for Personal Data of a Data Subject from either a Member State of the European Union or from the UK (following the UK’s exit from the European Union).
17.3 Compliance by the Data Processor with the provisions of this Agreement will be at no additional cost to the Data Controller.
17.4 A person who is not a party to this Agreement shall have no right to enforce any term of this Agreement.
17.5 The rights of the parties to rescind or vary this Agreement are not subject to the consent of any other person.
17.6 The Data Controller may notify the Data Processor in writing from time to time of any variations to this Agreement which are required as a result of a change in Data Protection Laws including without limitation to the generality of the foregoing, any variations which are required as a result of any changes to UK Data Protection Laws following any exit of the UK from the European Union. Any such variations shall take effect on the date falling 30 (thirty) calendar days after the date such written notice is sent by the Data Controller to the Data Processor shall procure that where necessary the terms in each contract between the Data Processor and each Subprocessor are amended to incorporate such variations within the same time period.
17.7 Should any provision of this Agreement be invalid or unenforceable, then the remainder of this Agreement shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.
This Annex 1 includes certain details of the Processing of the Personal Data as required by Article 28(3) GDPR.
A. Subject matter and duration of the Processing of the Personal Data: the subject matter and duration of the Processing of the Personal Data are set out in the Contract for Services and this Agreement.
B. The nature and purpose of the Processing of the Personal Data: this is described in the Terms of Service.
C. The types of the Personal Data to be Processed: this includes the personal data of third parties which have been located online or through any other open source where the data subject has knowingly allowed or placed their personal data, which shall include networking platforms, business introduction media, marketing materials, public announcements and any similar media where the data subject has agreed or knowingly released their personal data into an environment where it can commonly be accessed.
D. The categories of Data Subject to whom the Personal Data relates: the Supplier will act as the processor of personal data relating to third parties described at paragraph C above and regulated under the Terms. The supplier will act as a controller of personal data with respect to the names and other personal data of Client personnel.