1. Definitions and Interpretation
For the purposes of this Data Processing Agreement the following terms shall have the following meanings:
Agreement means the agreement between the Client and the Service Provider under which the Service Provider will be processing Personal Data on behalf of the Client;
Client means the party identified on the relevant Agreement;
Data Protection Legislation means a) to the extent the UK GDPR applies, the law of the United Kingdom or part of the United Kingdom which relates to the protection of personal data including national legislation; or b) to the extent the EU GDPR applies, the law of the European Union and any applicable member state of the European Union which relates to the protection of personal data;
GDPR means EU GDPR Regulation (EU) 2016/679 or UK GDPR Retained Regulation (EU) 2016/679 as applicable;
Personal Data means any personal data processed by Service Provider on behalf of Client pursuant to the Agreement;
Service Provider means Future Anthem Limited with registered company number 11622370 and registered address of 89 Lyndhurst Gardens, London, United Kingdom, N3 1TE;
Sub-processor means any processor appointed by Service Provider to assist with Service Provider's processing of Personal Data; and
Supervisory Authority means the applicable national information authority in respect of data protection.
Third Countries means under EU GDPR any country outside of the European Union or under UK GDPR any country outside of the UK as applicable.
The terms Controller, Data Subject, Personal Data, Personal Data Breach, Process, Processing, Processor, Pseudonymisation shall have the meanings attributed to them in Article 4 of the GDPR.
References to Clauses are to clauses of this Data Processing Agreement, and references to the Schedule are to the schedule of this Data Processing Agreement.
This Data Processing Agreement is in addition to, and does not relieve, remove or replace, a party’s obligations under the Data Protection Legislation.
Any words following the terms including, include, in particular, for example or any other similar expression shall be construed as illustrative and shall not limit the sense of the words, description, definition, phrase or terms preceding those terms.
2. Acknowledgement of Roles
The parties hereby acknowledge that, as between the parties only, Client is the Controller and Service Provider is the Processor in respect of Personal Information processed pursuant to the Agreement.
3. Service Provider's Data Processing Obligations
3.1 To the extent that Service Provider processes personal data on behalf of Client, Service Provider shall:
3.1.1 only process Personal Data as is strictly necessary to fulfil its obligations under the Agreement or in accordance with Client's express written instructions from time to time, and shall not process Personal Data for any other purposes;
3.1.2 not otherwise modify, amend or alter the contents of any Personal Data unless specifically authorised to do so in writing by Client;
3.1.3 only permit its employees to access Personal Data where it is necessary for such employees to do so, and ensure that such employees have received adequate training in respect of personal data and Data Protection Legislation;
3.1.4 not appoint a sub-processor without Client's consent, and if Client does provide such consent Service Provider shall: (i) ensure that the sub-processor is bound by the terms of this Clause 3.1 as it applies to Service Provider hereunder; (ii) be fully responsible for any breach by the sub-processor of any of the obligations under this Clause 3.1; and (iii) conduct adequate due diligence on the sub-processor to ensure that the sub-processor provides sufficient guarantees to keep Personal Data secure;
3.1.5 not transfer Personal Data to Third Countries without: (i) the prior written consent of Client; and (ii) ensuring that any such transfer is permitted under the Agreement and (iii) appropriate safeguards are in place in accordance with Data Protection Legislation;
3.1.6 provide all reasonable assistance to Client to enable Client to comply with its obligations under Data Protection Legislation in respect of Personal Data, including assisting Client in complying with a data subject's right to access, restriction, rectification, objection, erasure and portability;
3.1.7 promptly comply with any request from Client requiring Service Provider to amend, transfer or delete Personal Data;
3.1.8 if it receives any complaint, notice or communication (from either a Supervisory Authority or a data subject) which relates directly or indirectly to the processing of Personal Data or to either party's compliance with Data Protection Legislation: (i) notify Client without undue delay; (ii) not respond to any data subject or Supervisory Authority without Client's written consent; and (iii) provide Client and any Supervisory Authority (if applicable and if consent from Client has been given) with full co-operation and assistance in relation to any such complaint, notice or communication;
3.1.9 not disclose Personal Data to any data subject or to a third party other than at the request of Client;
3.1.10 notify Client without undue delay, and in any event within 24 hours, upon becoming aware of any unauthorised or unlawful processing, loss of, damage to or destruction of any Personal Data, or any personal data breach in respect of the Personal Data or any suspected, threatened or ‘near miss’ personal data breach in respect of Personal Information;
3.1.11 comply with any codes of practice or policies of Client relating to Personal Information, as notified to Service Provider from time to time;
3.1.12 maintain all appropriate records of processing carried out in respect of Personal Data in accordance with GDPR;
3.1.13 upon request by Client, provide written evidence demonstrating its compliance with this Clause 3.1 and the Data Protection Legislation; and
3.1.14 take appropriate technical and organisational measures against the unauthorised or unlawful processing of Personal Data, and against the accidental loss or destruction of, or damage to, Personal Information, such measures to include:
(a) the pseudonymisation and encryption of Personal Data;
(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
(c) ensuring that all individuals, parties, employees or other persons / entities with access to Personal Data are bound by industry standard confidentiality obligations which include keeping such Personal Information confidential;
(d) the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; and
(e) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing; and
3.1.15 without prejudice to Clause 3.1.9, promptly notify Client if it suffers a personal data breach which does not relate to the Agreement or any Personal Data.
4. Audit and Contact
4.1 Upon request the Service Provider shall provide contact details to Client of the person or persons responsible for overseeing compliance with data protection and, specifically, Personal Data. Any changes to such person or persons shall be promptly notified to Client.
4.2 Service Provider shall keep at its normal place of business detailed, accurate and up-to-date records (whether in electronic form or hard copy) relating to the processing of Personal Data by Service Provider and to the measures taken by Service Provider under Clause 3.1.14 (Records).
4.3 Service Provider shall permit Client and its third-party representatives, on reasonable written notice during normal business hours, but without notice in case of any reasonably suspected Personal Data breach, to:
4.3.1 gain access to, and take copies of, the Records and any other information held at Service Provider’s premises or on Service Provider’s computer systems; and
4.3.2 inspect all Records, documents and electronic data and Service Provider’s computer systems, facilities and equipment, for the purpose of auditing Service Provider’s compliance with its obligations under this Data Processing Agreement. Such audit rights may be exercised only once in any calendar year during the term of the Agreement (and for two years thereafter) save where Client has reason to suspect that Service Provider is in breach of any part of Clause 3.1 or Data Protection Legislation, in which case such restriction shall not apply.
5. Term and Termination
This Data Processing Agreement shall take effect on the commencement date of the relevant Agreement and shall remain in effect until the termination or expiry of the Agreement. If the Service Provider processes Personal Data under one or more agreements in addition to the Agreement, this Data Processing Agreement shall terminate upon expiry of the last of such agreements between the parties to expire or terminate.
In the event of any conflict between the terms of this Data Processing Agreement and any provision of the Agreement, this Data Processing Agreement shall take precedence. For the avoidance of doubt, all other terms of the Agreement shall continue to apply.
7.1 A person who is not a party to this Data Processing Agreement may not enforce any of its terms under the Contracts (Rights of Third Parties) Act 1999.
7.2 Any notice given under this Data Processing Agreement, including (without limitation) any notice given pursuant to Clause 3.1.10, shall be sent to Leigh Nissim at 89 Lyndhurst Gardens, Finchley, London N3 1TE.
7.3 This Data Processing Agreement is governed by and will be construed in accordance with the laws of England and Wales and the parties will be subject to the exclusive jurisdiction of the English and Welsh courts.