Data Processor Addendum
1. DEFINITIONS
1.1. Terms such as “process/processing”, “data subject”, “data processor”, “data controller”, “personal data”, “data protection impact assessment” shall have the same meaning ascribed to them in Data Protection Laws;
1.2. “Addendum” means this Data Processor Addendum;
1.3. “Authorised Sub-processors” means (a) those Sub-processors (if any) set out in Annex 2 (Authorised Sub-processors); and (b) any additional Sub-processors consented to in writing by the Controller in accordance with section 6.1;
1.4. “Controller” means the Client;
1.5. “Data Protection Laws” means in relation to any Personal Data which is Processed in the performance of the Service Agreement i) the UK GDPR as defined in section 3(10) of the Data Protection Act 2018 (“UK GDPR”); ii) the Data Protection Act 2018, and iii) any other applicable data protection or privacy laws;
1.6. “EEA” means the European Economic Area;
1.7. “Personal Data” means the data described in Annex 1 (Details of Processing of Personal Data) and any other personal data processed by the Processor on behalf of the Controller pursuant to or in connection with the Service Agreement;
1.8. “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed by the Processor or any Sub-processor;
1.9. “Processor” means MITIGO;
1.10. “Service Agreement” means the agreement into which this Addendum is incorporated;
1.11. “Services” means the services described in the Service Agreement;
1.12. “Standard Contractual Clauses” means standard contractual clauses for the transfer of personal data to third countries or an international organisation, issued by the UK Information Commissioner’s Office and approved under section 119A of the Data Protection Act 2018, including the international data transfer addendum to EU standard contractual clauses set out in the annex of the Commission Implementing Decision (EU) 2021/914;
1.13. “Sub-processor” means any data processor (including any affiliate of the Processor) appointed by the Processor to process personal data on behalf of the Controller;
1.14. “Supervisory Authority” means (a) the Information Commissioner’s Office; and (b) any similar regulatory authority responsible for the enforcement of Data Protection Laws.
2.0 PROCESSING OF THE PERSONAL DATA
2.1. The parties acknowledge that, for the purposes of the Data Protection Laws, Client is the Controller and MITIGO is the Processor.
2.2. Each party confirms that in the performance of the Service Agreement it will comply with Data Protection Laws.
2.3. The Processor shall only process the types of Personal Data relating to the categories of data subjects for the purposes of the Service Agreement and as set out in Annex 1 (Details of Processing of Personal Data) to this Addendum and shall not process, transfer, modify, amend or alter the Personal Data or disclose or permit the disclosure of the Personal Data to any third party other than in accordance with the Controller’s documented instructions (whether in the Service Agreement or otherwise) unless processing is required by applicable law to which the Processor is subject, in which case the Processor shall to the extent permitted by such law inform the Controller of that legal requirement before processing that Personal Data.
2.4. The Processor shall immediately inform the Controller if, in its opinion, an instruction pursuant to the Service Agreement or this Addendum infringes the UK GDPR or other Data Protection Laws.
3.0 CONTROLLER WARRANTY
3.1. Controller warrants that it has all necessary rights to provide the Personal Data to Processor for the Processing to be performed in relation to the Services.
3.2. To the extent required by Data Protection Laws, Controller is responsible for ensuring that any necessary data subject consents to this Processing are obtained, and for ensuring that a record of such consents is maintained. Should such a consent be revoked by the data subject, Controller is responsible for communicating the fact of such revocation to the Processor, and Processor remains responsible for implementing any Controller instruction with respect to the further processing of that Personal Data.
4.0 CONFIDENTIALITY
4.1. The Processor shall treat all Personal Data as strictly confidential and shall inform all its employees, agents, contractors and/or Authorised Sub-processors engaged in processing the Personal Data of the confidential nature of such Personal Data.
4.2. The Processor shall take reasonable steps to ensure the reliability of any employee, agent, contractor and/or Authorised Sub-processor who may have access to the Personal Data, ensuring in each case that access is limited to those persons or parties who need to access the relevant Personal Data, as necessary for the purposes set out in section 2.3 above in the context of that person’s or party’s duties to the Processor.
4.3. The Processor shall ensure that all such persons or parties involved in the processing of Personal Data:
4.3.1. are subject to confidentiality undertakings or are under an appropriate statutory obligation of confidentiality; and
4.3.2. have undergone adequate training in the use, care, protection and handling of Personal Data.
5.0 SECURITY
5.1. The Processor shall implement appropriate technical and organisational measures to ensure a level of security of the Personal Data appropriate to the risks that are presented by the processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data transmitted, stored or otherwise processed, and shall take all measures required pursuant to Article 32 UK GDPR.
5.2. The parties acknowledge that security requirements are constantly changing, and that effective security requires frequent evaluation and regular improvements of outdated security measures. The Processor will therefore evaluate the technical and organisational measures it has implemented on an on-going basis and will tighten, supplement and improve these measures in order to maintain compliance with Data Protection Laws.
6.0 SUB-PROCESSING
6.1. So far as permitted by law and subject to section 6.3, the Controller grants to the Processor general authorisation to engage any Sub-processor to process Personal Data.
6.2. As at the date of the Service Agreement the Controller hereby authorises the Processor to engage the Sub-processors set out in Annex 2 (Authorised Sub-processors).
6.3. The Processor shall inform the Controller of any intended changes concerning the addition or replacement of any Sub-processors, thereby giving the Controller the opportunity to object to such changes.
6.4. With respect to each Sub-processor, the Processor shall:
6.4.1. carry out adequate due diligence on each Sub-processor to ensure that it is capable of providing the level of protection for the Personal Data as is required by this Addendum including without limitation sufficient guarantees to implement appropriate technical and organisational measures in such a manner that Processing will meet the requirements of Data Protection Laws and this Addendum;
6.4.2. include terms in the contract between the Processor and each Sub-processor which are equivalent to those set out in this Addendum, and shall supervise compliance thereof;
6.4.3. insofar as that contract involves the transfer of Personal Data outside of the EEA, incorporate the Standard Contractual Clauses or such other mechanism as directed by the Controller into the contract between the Processor and each Sub-processor to ensure the adequate protection of the transferred Personal Data, or such other arrangement as the Controller may approve as providing an adequate protection in respect of the processing of Personal Data in such third country(ies); and
6.4.4. remain fully liable to the Controller for any failure by each Sub-processor to fulfil its obligations in relation to the Processing of any Personal Data.
7.0 DATA SUBJECT RIGHTS
7.1. The Processor shall without undue delay notify the Controller if it receives a request from a data subject under any Data Protection Laws in respect of Personal Data, including requests by a data subject to exercise rights in Chapter III of the UK GDPR, and shall provide full details of that request.
7.2. The Processor shall cooperate as reasonably requested by the Controller to enable the Controller to comply with any exercise of rights by a data subject under any Data Protection Laws in respect of Personal Data and to comply with any assessment, enquiry, notice or investigation under any Data Protection Laws in respect of Personal Data or the Service Agreement, which shall include:
7.2.1. the provision of all information reasonably requested by the Controller within any reasonable timescale specified by the Controller in each case, including full details and copies of the complaint, communication or request and any Personal Data it holds in relation to a data subject;
7.2.2. where applicable, providing such assistance as is reasonably requested by the Controller to enable the Controller to comply with the relevant request within the timescales prescribed by Data Protection Laws; and
7.2.3. implementing any additional technical and organisational measures as may be reasonably required by the Controller to allow the Controller to respond effectively to relevant complaints, communications or requests.
8.0 INCIDENT MANAGEMENT
8.1. In the case of a Personal Data Breach, the Processor shall, without undue delay, notify the Personal Data Breach to the Controller providing the Controller with sufficient information which allows the Controller to meet any obligations to report a Personal Data Breach under Data Protection Laws. Such notification shall as a minimum:
8.1.1. describe the nature of the Personal Data Breach, the categories and numbers of data subjects concerned, and the categories and numbers of Personal Data records concerned;
8.1.2. communicate the name and contact details of the Processor’s data protection officer or other relevant contact from whom more information may be obtained;
8.1.3. describe the likely consequences of the Personal Data Breach; and
8.1.4. describe the measures taken or proposed to be taken to address the data breach, including, where appropriate, measures to mitigate its possible adverse effects.
8.2. The Processor shall fully co-operate with the Controller and take such reasonable steps as are directed by the Controller to assist in the investigation, mitigation and remediation of each Personal Data Breach, in order to enable the Controller to meet any requirement under Data Protection Laws.
8.3. The parties agree to coordinate and cooperate in good faith on developing the content of any related public statements or any required notices for the affected persons. The Processor shall not inform any third party without first obtaining the Controller’s prior written consent, unless notification is required by law to which the Processor is subject, in which case the Processor shall to the extent permitted by such law inform the Controller of that legal requirement.
9.0 DATA PROTECTION IMPACT ASSESSMENT AND PRIOR CONSULTATION
9.1. The Processor shall, at the Controller’s request, provide reasonable assistance to the Controller with any data protection impact assessments which are required under Article 35 UK GDPR and with any prior consultations to any Supervisory Authority of the Controller or any of its affiliates which are required under Article 36 UK GDPR, in each case in relation to processing of Personal Data by the Processor on behalf of the Controller and taking into account the nature of the processing and information available to the Processor.
10. DELETION OR RETURN OF CONTROLLER PERSONAL DATA
The Processor shall following the termination of the Service Agreement, at the choice of the Controller, delete or return all Personal Data to the Controller and delete any existing copies unless the Processor is under a legal obligation to store any of the Personal Data.
11. AUDIT RIGHTS
11.1. The Processor shall make available to the Controller on request all information necessary to demonstrate compliance with Data Protection Laws and allow for and contribute to audits, including inspections by the Controller or another auditor mandated by the Controller.
11.2. Any such audits or inspections shall take place during normal working hours and on reasonable prior notice.
12. INTERNATIONAL TRANSFERS
12.1. The Processor shall not (permanently or temporarily) process the Personal Data nor permit any Authorised Sub-processor to (permanently or temporarily) process the Personal Data in a country outside of the UK without an adequate level of protection, other than in respect of those recipients in such countries listed in Annex 3 (Authorised Transfers of Personal Data), unless authorised in writing by the Controller in advance.
12.2. When requested by the Controller, the Processor shall promptly enter into (or procure that any relevant Sub-processor of the Processor enters into) an agreement with the Controller on Standard Contractual Clauses and/or such variation as Data Protection Laws might require, in respect of any processing of Personal Data in a country outside of the UK without an adequate level of protection.
13.0 LIABILITY
13.1. The disclaimers and limitations of liability set out under the Service Agreement shall apply also to this Addendum.
14.0 COSTS
14.1. The Controller shall pay any reasonable costs and expenses incurred by the Processor in meeting the Controller’s requests made under sections 7.2, 9 or 11.
15.0 MISCELLANEOUS
15.1. Any obligation imposed on the Processor under this Addendum in relation to the processing of Personal Data shall survive any termination or expiration of the Service Agreement.
15.2. With regard to the subject matter of this Addendum, in the event of any conflict or inconsistency between any provision of the Service Agreement and any provision of this Addendum, the provision of this Addendum shall prevail. In the event of any conflict or inconsistency between the Service Agreement or this Addendum and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.
ANNEX 1: DETAILS OF PROCESSING OF PERSONAL DATA
This Annex 1 includes certain details of the processing of Personal Data as required by Article 28(3) UK GDPR.
Subject matter and duration of the processing of Personal Data
The processor shall process Personal Data for the duration of the Service Agreement.
The nature and purpose of the processing of Personal Data
The processing of Personal Data shall be undertaken as necessary to perform the Services.
The types of Personal Data to be processed
Contact details (e.g. full name, job title, email address, phone numbers, postal address). Grades and test results, performance and evaluation reports. Job and task responsibilities. Contract data. Personal Data contained in management information and reports.
The categories of data subject to whom the Personal Data relates
Employees, directors, shareholders, agents, suppliers, contractors and associates of the Controller.
ANNEX 2: AUTHORISED SUB-PROCESSORS
PANCENTRIC LIMITED – UK;
EPIGNOSIS – US and UK; and
XQ Digital Resilience Limited – UK
ANNEX 3: AUTHORISED TRANSFERS OF CONTROLLER PERSONAL DATA
Pancentric Limited of 197 Long Lane, London, SE1 4DP. Data Storage.
Epignosis LLC, a US company of 315 Montgomery Street, San Francisco, CA 94194, USA. Data Storage.
Epignosis UK Limited, Crown House, 72 Hammersmith Road, London, UK. Data Storage.
XQ Digital Resilience Limited of the Courtyard, Tewksbury Business Park, Tewksbury, England, GL20 8GD. Data Storage.