Supplier Data Processing Agreement

1 -  Term and effect

1.1) This Agreement shall be deemed to have commenced on the Effective Date and shall continue in force unless and until such time as the Services Agreement expires or is terminated in accordance with its terms.

1.2) This Agreement shall take priority over any Services Agreement that the Supplier has entered into with GCI for the provision of the Services to the extent of any conflict or inconsistency between any provision of this Agreement and the Services Agreement.

1.3) The definitions and rules of interpretation set out in the Definitions and Interpretation section of this Agreement apply in this Agreement.

2 -  Relationship of the Parties

2.1) GCI appoints the Supplier as a processor (or Sub-Processor) to process the Personal Data described in the Data Processing Appendix or which the Supplier is otherwise appointed to process in accordance with the documented instructions of GCI. The Personal Data may include CRM Data, User Data, Communications Data and Content Data, as applicable. The Supplier acknowledges that GCI may be acting as a controller or as a processor on behalf of GCI Customers with respect to the processing of Personal Data that is undertaken pursuant to this Agreement.

2.2) Any change related to the details of the processing (as stated in the Data Processing Appendix) shall be subject to agreement by GCI. GCI shall not unreasonably withhold or delay its agreement to any such changes as the Supplier requests.

3 -  Purpose limitation and processing

The Supplier shall process the Personal Data only as necessary to provide the Services or to perform its obligations under this Agreement and under the Services Agreement (the “Permitted Purpose”), except where otherwise required by any Applicable Law. The Supplier shall not process, apply or use the Personal Data for any purpose other than as permitted under this clause 3. In no event shall the Supplier process the Personal Data for its own purposes or those of any third party or include Personal Data in any product or service offered to third parties.

4 -  Documented instructions 

The Supplier shall process the Personal Data only on documented instructions from GCI, which may include the instructions set out in this Agreement and the Services Agreement, and shall immediately inform GCI if, in its opinion, an instruction infringes Data Protection Law.

5 -  Confidentiality of processing 

5.1) The Supplier shall ensure that any person that it authorises to process the Personal Data (including the Supplier’s staff, agents, Sub-Processors and subcontractors) shall be under an obligation (whether under contract or statute) to keep the Personal Data confidential and ensure that the Supplier’s staff and the staff of its Sub-Processors and subcontractors have undergone appropriate training in the care, protection and handling of Personal Data.

5.2) The Supplier will remain liable for any disclosure of Personal Data by each such person as if it had made such disclosure.

6 -  Security 

6.1) The Supplier shall implement appropriate technical and organisational measures to protect the Personal Data from Data Security Incidents, to safeguard the security of any electronic communications networks or services provided to GCI or utilised to transfer or transmit Personal Data (including measures designed to ensure the secrecy of communications and prevent unlawful surveillance or interception of communications and gaining unauthorised access to any computer or system and thus guaranteeing the security of the communications) and generally to enable GCI to fulfil its obligations under Data Protection Law in connection with Personal Data processed by the Supplier.

6.2) Without prejudice to the generality of clause 6.1, the Supplier shall implement appropriate technical and organisational measures to ensure compliance with GCI’s reasonable instructions given in connection with Personal Data processed by the Supplier, which may include the following:

a) processes and measures to ensure that requests by individual data subjects to GCI, or any exercise of privacy rights, in respect of their Personal Data from time to time can be implemented;

b) provision of appropriate interfaces or support for other processes of GCI in ensuring information is provided to data subjects as required by Data Protection Law;

c) updating, amending or correcting the Personal Data of any individual upon request of GCI from time to time;

d) cancelling or blocking access to any Personal Data upon receipt of instructions from GCI;

e) if applicable, the flagging of Personal Data files or accounts to enable GCI to apply particular rules to individual data subjects’ Personal Data, such as the suppression of marketing activity.

6.3) Such measures shall have regard to the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons and shall include, as appropriate:

a) the pseudonymisation and encryption of Personal Data;

b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

c) the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; and

d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

6.4) At GCI’s request and as a minimum, the Supplier shall comply with all relevant aspects of the Security Policy and the security measures specified in GCI Minimum Security Requirements Appendix.

6.5) Without prejudice to the generality of the foregoing, the Supplier shall keep Personal Data logically separate from data processed on behalf of any other third party. For the avoidance of doubt, Personal Data, while being kept logically separate, is not required to be kept physically separate or maintained in stand-alone systems.

6.6) The Supplier shall comply with Data Protection Law, and shall not perform its obligations under this Agreement or the Services Agreement in relation to the Personal Data in such a way as to cause GCI and/or GCI Customers to breach any of their obligations under Data Protection Law. The Supplier shall promptly inform GCI if, in its opinion, the Supplier is subject to legal requirements that would make it unlawful or otherwise impossible for the Supplier to comply with Data Protection Law in relation thereto.

7 -  Sub-processing 

7.1) The Supplier shall not subcontract any processing of Personal Data to a third party Sub-Processor including any member of the Supplier’s Group without the prior written consent of GCI. A list of approved Sub-Processors as at the Effective Date is set out in the Data Processing Appendix and the Supplier shall maintain and provide updated copies of this list to GCI when it adds or removes Sub-Processors in accordance with this clause. If GCI refuses to consent to the Supplier’s appointment of a third party Sub-Processor on grounds relating to the protection of Personal Data, then either the Supplier will not appoint the Sub-Processor or GCI may elect to suspend or terminate this Agreement and the Services Agreement without penalty.

7.2) The Supplier will ensure that there is in place a written contract between the Supplier and the Sub-Processor that specifies the Sub-Processor’s processing activities and imposes on the Sub-Processor equivalent terms as those imposed on the Supplier in this Agreement. The Supplier will remain responsible for the acts and omissions of Sub-Processors in respect of their processing of Personal Data as if they were its own.

7.3) Without prejudice to clause 1, no Sub-Processor shall carry out processing in relation to the Services other than as previously notified to, and not objected to, by GCI.

7.4) If requested by GCI, the Supplier shall use reasonable endeavours to procure that any third party Sub-Processor appointed by the Supplier shall enter into a data processing agreement with GCI (or a third party controller on behalf of whom GCI is processing Personal Data) on substantially the same terms as the agreement that the Supplier has in place with the third party Sub-Processor.

7.5) Where a breach of this Agreement is caused by the actions of a Sub-Processor, the Supplier shall – if requested by GCI – liaise or cooperate with GCI to take action as deemed necessary by GCI in order to protect and safeguard Personal Data.

8 -  Cooperation 

8.1) The Supplier shall:

a) assist the controller in implementing appropriate technical and organisational measures against Data Security Incidents, completing data protection impact assessments and notifying Data Security Incidents to the competent supervisory authority or to the data subjects concerned, as required by Data Protection Law and taking into account the nature of the processing and the information available to the Supplier; and

b) give GCI such other co-operation, assistance and information as GCI may reasonably request to enable it to comply with its obligations and/or the obligation of GCI Customers under Data Protection Law and co-operate and comply with the directions or decisions of a relevant Privacy Authority, and in each case within such time as would enable GCI and/or the GCI Customer to meet any time limit imposed by the Privacy Authority. GCI shall give the Supplier reasonable notice to comply with such requirements.

8.2) The Supplier shall not be entitled to reimbursement of any costs which the Supplier may incur as a result of or in connection with complying with GCI’s instructions for the purposes of providing the Services in compliance with the Data Protection Law and/or with any of its obligations under this Agreement or any Data Protection Law.

9 -  Third party requests for disclosure of Personal Data 

9.1) The Supplier shall, and shall procure that any Sub-Processor shall, inform GCI promptly (and in any event within 5 business days of receipt or sooner if required to meet with any earlier time-limit) of any inquiry, communication, request or complaint from:

a) any governmental, regulatory or supervisory authority, including Privacy Authorities or the U.S. Federal Trade Commission; and/or

b) any data subject;

relating to the Services, any Personal Data Processed by the Supplier on behalf of GCI and/or a GCI Customer or any obligations under Data Protection Law in so far as they relate thereto, and shall provide all reasonable assistance to GCI (free of cost to GCI subject to the remaining provisions of this clause 9.1) to enable GCI and/or any GCI Customer to respond to such inquiries, communications, requests or complaints and to meet applicable statutory or regulatory deadlines. Each party (and each Sub-Processor or GCI Customer, as applicable) shall bear its own costs in relation to any such inquiry, communication, request or complaint, unless and to the extent only that: (i) it has been caused by the other party’s breach of Data Protection Law; or (ii) it has arisen as a result of any interception or monitoring requests under applicable communications or investigatory powers laws applicable to the other party, and in either case that other party shall reimburse the first-mentioned party for its proportion of the costs of handling such inquiry, communication, request or complaint.

9.2) The Supplier shall not, and it shall procure that any Sub-Processor shall not, disclose Personal Data to any of the persons or entities in clause 9.1(a) or 9.1(b) above unless it is obliged by law or a valid and binding order of a court or other legal judicial process to disclose Personal Data.

9.3) Requests at law

9.3.1) Where the Supplier or any Sub-Processor is required by law, court order, warrant, subpoena, or other legal judicial process (“Legal Request”) to disclose any Personal Data to any person or entity other than GCI, the Supplier shall, and shall procure that any Sub-Processor shall, notify GCI promptly (and in any event within 5 business days of receipt or sooner if required to meet with any time-limit in the Legal Request) and shall provide all reasonable assistance to GCI to enable GCI and/or any GCI Customer to respond or object to, or challenge, any such demands, requests, inquiries or complaints and to meet applicable statutory or regulatory deadlines. Where the Supplier will bear any external costs in meeting such requirement it may request that GCI either bear or share the cost and at the option of GCI based on justifiable reasoning that the cost should be borne by GCI, GCI may agree to bear certain agreed costs. However, this shall not be a pre-requisite for the Supplier to comply with its obligations in this clause 3.1.

9.3.2) The Supplier shall not, and it shall procure that any Sub-Processor shall not, disclose Personal Data pursuant to a Legal Request unless the Legal Request is valid and binding on the Supplier.

10 -  Data protection impact assessments

10.1) If the Supplier believes or becomes aware that its processing of Personal Data is likely to result in a high risk to the data protection rights and freedoms of data subjects, it shall inform GCI and provide GCI with assistance to conduct a data protection impact assessment in accordance with clause 8 and work with GCI to implement agreed mitigation actions to address privacy risks so identified.

10.2) Where requested to do so by GCI, the Supplier shall make available to GCI all information necessary to demonstrate compliance by GCI or any GCI Customer with Data Protection Law.

11 -  Data Security Incidents

11.1) Upon becoming aware of a Data Security Incident, the Supplier shall notify GCI without undue delay (and in any event within 24 hours of becoming aware) and shall provide such timely information and assistance in accordance with clause 8 as GCI may require in order for GCI to fulfil its data breach reporting obligations under Data Protection Law and to mitigate the effects of the Data Security Incident. Such notification shall include (i) a detailed description of the Data Security Incident, (ii) the type of data that was the subject of the Data Security Incident and (iii) the identity of each affected person (or, where not possible, the approximate number of data subjects and of Personal Data records concerned). The Supplier shall communicate to GCI in such notification: (i) the name and contact details of the Supplier’s data protection officer or other point of contact where more information can be obtained; (ii) a description of the likely consequences of the Data Security Incident and a description of the measures taken or proposed to be taken by the Supplier to address the Data Security Incident, including, where appropriate, measures to mitigate its possible adverse effects; and additionally in such notification or thereafter as soon as such information can be collected or otherwise becomes available, (iv) any other information GCI may reasonably request relating to the Data Security Incident.

11.2) The Supplier shall immediately investigate the Data Security Incident and identify, prevent and make best efforts to mitigate the effects of any Data Security Incident in accordance with its obligations under this Agreement and, subject to GCI’s prior agreement, carry out any recovery or other action necessary to remedy the Data Security Incident.

11.3) The Supplier shall not release or publish any filing, communication, notice, press release, or report concerning any Data Security Incident (“Publicity”) without GCI’s prior written approval unless the Supplier is itself required to make any such filing, communication, notice, press release, or report under Data Protection Law; provided that the Supplier liaises with GCI with regard to the nature of the publication where it is not precluded from so doing by Data Protection Law.

11.4) The Supplier shall further take all such measures and actions as are necessary to remedy or mitigate the effects of the Data Security Incident and shall keep GCI informed of all developments in connection with the Data Security Incident.

11.5) The actions and steps described in this clause 11 shall, without prejudice to GCI’s right to seek any legal remedy (including the claim for reimbursement of GCI’s costs of legal action against the Supplier or any Sub-Processor) as a result of the breach, be undertaken at the expense of the Supplier and the Supplier shall pay for or reimburse GCI for all costs, losses and expenses relating to the cost of preparing and publishing Publicity.

12 -  Subject access requests

12.1) The Supplier shall promptly notify GCI if it receives a request from a data subject to exercise their rights in respect of their Personal Data and shall provide such assistance to GCI as may be required in accordance with clause 8.

13 -  Deletion or return of Personal Data

13.1) The Supplier shall delete Personal Data from the Service(s) in accordance with the retention policies set out in the Data Processing Appendix for the Service(s) and at such other times as may be required from time to time by GCI.

13.2) Upon termination or expiry of any of the relevant Services, in respect of such Services any remaining Personal Data shall, at GCI’s option, be deleted or returned to GCI, along with any medium or document containing Personal Data.

13.3) Upon termination or expiry of this Agreement, the Supplier shall (at GCI’s election) destroy or return to GCI all Personal Data (including all copies of the Personal Data along with any medium or document containing Personal Data) in its possession or control (including any Personal Data that is processed by a Sub-Processor). This requirement shall not apply to the extent that the Supplier is required by any Applicable Law to retain some or all of the Personal Data, in which event the Supplier shall isolate and protect the Personal Data from any further processing except to the extent required by such Applicable Law.

14 -   Records

14.1) The Supplier shall maintain a record of all categories of processing activities carried out on behalf of GCI, containing: (i) the name and contact details of the processor or processors and of each controller on behalf of which the Supplier is acting and, where applicable, of the controller’s or processor’s representative, and the data protection officer; (ii) the categories of processing carried out on behalf of each controller; (iii) where applicable, transfers of Personal Data to a third country or an international organisation, including the identification of that third country or international organisation; and (iv) where possible, a general description of the technical and organisational security measures implemented by the Supplier in accordance with clause 6 (Security) (“Processing Records”). The Supplier shall make available such Processing Records to GCI within five (5) working days following receipt of a request for such Processing Records from GCI.

14.2) The parties shall give each other written notice if the details of their respective Data Protection Officers change. Such notice shall be given no later than 5 working days following the change taking effect.

15 – Information and audit

15.1) The Supplier shall, and shall use its best endeavours to procure that any Sub-Processor shall, make available to GCI and GCI Customers all information necessary to demonstrate compliance with the obligations set out in this Agreement or any applicable Data Protection Law and allow for and contribute to audits, including inspections, conducted by GCI, the controller (including GCI Customers) or another auditor mandated by the controller, except if and to the extent that providing such information or permitting such an audit would place the Supplier in breach of Applicable Law. The Supplier acknowledges that GCI or the controller (or their third party auditors) may enter its premises for the purposes of conducting this audit, provided that reasonable prior notice is given of the intention to audit, the audit is conducted during normal business hours, and all reasonable measures are taken to prevent unnecessary disruption to the Supplier’s operations.  No more than one audit may be carried out in any calendar year, except if and when required by instruction of a competent data protection authority or if GCI believes a further audit is necessary including due to a Data Security Incident suffered by the Supplier.

15.2) In case of the annual audit under clause 15.1, the auditing party shall bear its own costs in relation to such audit unless the audit reveals any non-compliance with the Supplier’s or any Sub-Processor’s obligations under any Data Protection Law or this Agreement or any subsequent sub-processing contract, in which case the costs of the audit shall be borne by the Supplier. For the avoidance of doubt, in case the audit is required by any Privacy Authority or in case of a Data Security Incident caused by the Supplier’s or any Sub-Processor’s breach of this Agreement or any Data Protection Law, the costs of the audit shall be borne by the Supplier.

15.3) The Supplier shall and shall procure that any Sub-Processor shall permit at its own cost the Privacy Authorities to conduct a data protection audit with regards to the processing of Personal Data carried out by the Supplier or any Sub-Processor in accordance with Data Protection Law.

16 – International transfers

16.1) The Supplier shall not permit any processing of Personal Data outside the European Economic Area unless:

a) the Supplier first puts in place adequate transfer mechanisms to ensure the transfer is in compliance with Data Protection Law and obtains the written consent of GCI prior to permitting any such processing;

b) the Supplier or the relevant Sub-Processor is required to transfer the Personal Data to comply with Applicable Law, in which case the Supplier will notify the other Party of such legal requirement prior to such transfer unless such Applicable Law prohibits such notice from being given to the other Party.

16.2) For the purposes of clause 16.1(a), the adequate transfer mechanisms may include: (i) transferring the Personal Data to a recipient in an Adequate Territory, (ii) transferring the Personal Data to a recipient that has achieved binding corporate rules authorisation in accordance with Data Protection Law, or (iii) transferring the Personal Data to a recipient that has executed Model Clauses in circumstances that are appropriate for their use.

16.3) Where the Supplier processes Personal Data in a territory outside of the EEA that is not an Adequate Territory, then the Model Clauses will be incorporated into this Data Processing Agreement by reference and will apply to the processing as follows:

a) GCI will be the data exporter and will be deemed to have entered into the Model Clauses in its own name and on its own behalf in relation to the Personal Data disclosed to the Supplier (and on behalf of any third party controller on behalf of whom GCI processes Personal Data that is transferred to the Supplier);

b) the Supplier will be deemed to have entered into the Model Clauses in its own name and on its own behalf in relation to the Personal Data disclosed to it by the Data Exporter(s);

c) the provisions of the details of processing set out in the Data Processing Appendix will be deemed to be incorporated into Appendix 1 of the Model Clauses;

d) the security measures referred to in clause 6 will be deemed to be set out in Appendix 2 to the Model Clauses (where relevant);

e) the optional illustrative indemnification clause will be deemed to have been deleted; and

f) where and to the extent that the Model Clauses apply pursuant to this clause 16.3, if there is any conflict between this Agreement and the Model Clauses, the Model Clauses will prevail.

16.4) Where the Supplier is established in the European Economic Area and wishes to appoint a Sub-Processor who will process Personal Data outside the European Economic Area, the Supplier agrees to procure that the Sub-Processor enters into a data transfer agreement with GCI (or with a third party controller on behalf of whom GCI is processing Personal Data) incorporating the Model Clauses in a manner that is consistent with clause 16.3.

16.5) In any event, if any Applicable Law(s) conflict with the provisions of this Agreement, then to the extent of such conflict:

a) where the standard of data protection required by Applicable Law(s) exceeds the standard required by this Agreement, the Supplier shall process the Personal Data to a standard consistent with Applicable Law(s); and

b) where the standard of data protection required by this Agreement exceeds the standard required by Applicable Law(s), the Supplier shall process the Personal Data to a standard consistent with this Agreement.

17 – Indemnity

The Supplier hereby indemnifies, shall keep indemnified and shall hold harmless GCI from any liability, loss, damage, claim or expense suffered or incurred by GCI (whether arising under contract, tort including negligence, breach of statutory duty or otherwise) for any breach of this Agreement or any breach by the Supplier (or any of its Sub-Processors) of Data Protection Law in respect of GCI’s or GCI Customers’ Personal Data.

18 – Costs

Each party shall bear its own costs for complying with its obligations under this Agreement and shall not be entitled to charge any additional fees to the other party for such compliance, except as may otherwise be expressly agreed in writing by the other party.

19 – Notices

19.1) Any Notices to GCI under this Agreement should be sent by email to dpo@gcicom.net or in writing via letter to GCI Data Protection Officer Global House, 2 Crofton Close, Lincoln, LN3 4NT. All notices under clauses 11 (Data Security Incidents) and 12 (Subject Access Requests) should be notified via email to dpo@gcicom.net marked as high importance.

19.2) Subject to clause 19.1, any notice, letter or other communication contemplated by this Agreement will be communicated in writing via letter to the addresses set out in the Data Processing Appendix (or if none is specified, the registered office address of the relevant party) or by email to email addresses agreed between the Parties.

20 – Miscellaneous

20.1) This Agreement and the Services Agreement shall constitute the entire agreement between the Parties relating to the subject matter of this Agreement and supersede all prior agreements, understandings, negotiations and discussions of the Parties.

20.2) The provisions of this Agreement are severable. If any phrase, clause or provision is invalid or unenforceable in whole or in part, such invalidity or unenforceability will affect only such phrase, clause or provision, and the rest of this Agreement will remain in full force and effect.

20.3) The provisions of this Agreement will endure to the benefit of and will be binding upon the Parties and their respective successors and assigns.

20.4) This Agreement may be executed in counterparts, each of which will be deemed an original, but all of which together will constitute one and the same instrument.

20.5) This Agreement will be governed by and construed in accordance with the laws of England, unless a different choice of law applies under the Services Agreement, in which case the law that governs the Services Agreement shall also govern this Agreement.

20.6) The Parties agree that no person who is not a Party to this Agreement shall have the right to enforce any provision of it in accordance with the Contracts (Rights of Third Parties) Act 1999 (“CRTPA”). Nothing in this clause shall affect the right of any person which exists apart from the CRTPA.

 

DEFINITIONS AND INTERPRETATION

1 -  Definitions

1.1) In this Agreement:

Adequate Territory means a territory outside of the European Economic Area that has not been designated by the European Commission as ensuring an adequate level of protection pursuant to EU Privacy Law.

this Agreement means this Data Processing Agreement and including the Data Processing Appendix and the GCI Minimum Security Requirements Appendix.
 
Applicable Law means applicable law, statute, bye-law, regulation, order, regulatory policy, guidance or industry code, rule of court or directives or requirements of any regulatory body, delegated or subordinate legislation or notice of any regulatory body.
 
Communications Data means any data processed for the purpose of the conveyance of (or billing of) any electronic communication or communication on an electronic communications network, including SMS, MMS, email and internet connection records, and any Location Data. Communications Data may include records of connections to particular telephone numbers, devices and users and the dates, times and durations of such connections.

Content Data means the content (comprising any speech, music, sounds, visual images or data of any description) of any electronic communication by a user, including the content of electronic messages, such as SMS, MMS and email, and web pages requested to the extent that it is not Communications Data.
 
CRM Data means any Personal Data of staff or representatives of a Party which is processed by the other Party for the purposes of managing the Services, administering a Services Agreement or marketing products or services to that Party.
 
Data Processing Appendix means the Appendix to this Agreement detailing the processing activities that the Supplier carries out in relation to the Personal Data and the Sub-Processors, as approved by GCI.

Data Protection Law means all Applicable Laws relating to data protection, the processing of personal data and privacy including: (a) prior to 25 May 2018, Directive 95/46/EC of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data; (b) on and after 25 May 2018, the GDPR; (c) any applicable national laws and regulations that implement the laws referred to in sub-paragraphs (a) and (b), including the Data Protection Act 1998; (d) the Privacy and Electronic Communications (EC Directive) Regulations 2003 (as may be amended by the proposed Regulation on Privacy and Electronic Communications); (e) any legislation that, in respect of the United Kingdom, replaces or converts into domestic law the GDPR, the proposed Regulation on Privacy and Electronic Communications or any other law relating to data protection, the processing of personal data and privacy as a consequence of the United Kingdom leaving the European Union; and (f) any other regulatory requirements relating to data protection and privacy to which the Supplier, GCI or GCI Customers are subject and any binding guidance or statutory codes of practice issued by the relevant Privacy Authority/ies.
 
Data Security Incident means the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.

Effective Date means 25 May 2018.

European Economic Area means the Member States of the European Economic Area as it is made up from time to time, comprising the Member States of the European Union and such other countries that are party to the Agreement on the European Economic Area that entered into force on 1 January 1994, including the United Kingdom.
 
GCI means GCI Network Solutions Limited (Co No 04082862) and any other member of the GCI group of companies as is named as the customer in the Services Agreement.
 
GCI Customer shall mean an enterprise customer of GCI in relation to whom the Supplier may process Personal Data.

GCI Minimum Security Requirements Appendix shall mean the GCI Minimum Security Requirements Appendix as may be updated or reissued from time to time by GCI in accordance with the terms of this Agreement.

GDPR means Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

Group means in relation to a company, that company, any subsidiary or holding company from time to time of that company, and any subsidiary from time to time of a holding company of that company (and “Group Company” shall be interpreted accordingly).

Model Clauses means model clauses for the transfer of Personal Data to controllers or processors (as appropriate) established in third countries approved by the European Commission from time to time (available online at //ec.europa.eu/justice/data-protection/document/international-transfers/transfer/index_en.htm), as such model clauses may be amended or superseded by the European Commission from time to time.

Personal Data means any information relating to an identified or identifiable natural person that is processed by the Supplier in the performance of the Services Agreement. An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his/her physical, physiological, mental, economic, cultural or social identity.

Privacy Authority shall mean the relevant supervisory authority with responsibility for privacy or data protection matters in the jurisdiction of GCI, any GCI Group Company and/or any GCI Customer.

Security Policy means GCI’s security policy which details the security measures required by GCI of its suppliers including regarding the maintenance of the security of data, the current version of which may be made available on GCI’s website or upon request from GCI.

Services means the services provided by the Supplier to GCI as more particularly described in the Services Agreement.

Services Agreement means the Supplier’s contract with GCI for the provision by the Supplier of the Services.

Sub-Processor means any other person or entity to whom the Supplier sub-contracts or outsources any processing of Personal Data.

Supplier means the entity contracting with GCI as identified in the Services Agreement.

User Data means Personal Data regarding Users which is not Communications Data, Content Data or CRM Data.  Such Personal Data include user IDs, passwords, authenticators, addresses (including MAC addresses, IP addresses and email addresses) and telephone numbers.

2 -  Interpretation

2.1) In this Agreement:

2.2) references to the following terms shall be given their meanings under Data Protection Law: “personal data”, “controller”, “joint controller”, “processor”, “data subject”, “process” or “processing”, “subject access request”, and any other terms that are defined under Data Protection Law and used in this Agreement;

2.3) a reference to a “holding company” or a “subsidiary” means a holding company or a subsidiary (as the case may be) as defined in section 1159 of the Companies Act 2006;

2.4) words in the singular shall include the plural and words in the plural shall include the singular unless the context requires otherwise;

2.5) headings are for convenience only and shall not affect the interpretation of this Agreement;

2.6) references to a Party include references to its successors in title and permitted assigns; and

2.7) references to “includes” or “including” shall be read as being immediately followed by the words “without limitation”.