1 - Term and effect
1.1) This Agreement shall be deemed to have commenced on the Effective Date and shall continue in force unless and until such time as the Services Agreement expires or is terminated in accordance with its terms.
1.2) This Agreement shall take priority over any Services Agreement that the Supplier has entered into with GCI for the provision of the Services to the extent of any conflict or inconsistency between any provision of this Agreement and the Services Agreement.
1.3) Definitions and rules of interpretation are set out in the Definitions and Interpretation section at the end of this Agreement.
2 - Relationship of the Parties
GCI appoints the Supplier as a processor (or Sub-Processor) to process the Personal Data described in the Data Processing Appendix or which the Supplier is otherwise appointed to process in accordance with the documented instructions of GCI. The Personal Data may include CRM Data, User Data, Communications Data and Content Data, as applicable. The Supplier acknowledges that GCI may be acting as a controller or as a processor on behalf of its customers with respect to the processing of Personal Data that is undertaken pursuant to this Agreement.
3 - Purpose limitation
The Supplier shall process the Personal Data as necessary to perform its obligations under this Agreement and under the Services Agreement (the “Permitted Purpose“), except where otherwise required by any Applicable Law. In no event shall the Supplier process the Personal Data for its own purposes or those of any third party.
4 - Documented instructions
The Supplier shall process the Personal Data only on documented instructions from GCI, which may include the instructions set out in this Agreement and the Services Agreement, and shall immediately inform the other Party if, in its opinion, an instruction infringes Data Protection Law.
5 - Confidentiality of processing
The Supplier shall ensure that any person that it authorises to process the Personal Data (including the Supplier’s staff, agents and subcontractors) (each an “Authorised Person“) shall be under an obligation (whether under contract or statute) to keep the Personal Data confidential.
6 - Security
The Supplier shall implement appropriate technical and organisational measures to protect the Personal Data from Data Security Incidents. Such measures shall have regard to the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons and shall include, as appropriate:
a) the pseudonymisation and encryption of Personal Data;
b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
c) the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; and
d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
At GCI’s request and as a minimum, the Supplier shall comply with all relevant aspects of the Security Policy.
7 - Sub-processing
7.1) The Supplier shall not subcontract any processing of Personal Data to a third party Sub-Processor without the prior written consent of GCI. A list of approved Sub-Processors as at the Effective Date is set out in the Data Processing Appendix and the Supplier shall maintain and provide updated copies of this list to GCI when it adds or removes Sub-Processors in accordance with this clause. If GCI refuses to consent to the Supplier’s appointment of a third party Sub-Processor on grounds relating to the protection of Personal Data, then either the Supplier will not appoint the Sub-Processor or GCI may elect to suspend or terminate this Agreement and the Services Agreement without penalty.
7.2) The Supplier will ensure that there is in place a written contract between the Supplier and the Sub-Processor that specifies the Sub-Processor’s processing activities and imposes on the Sub-Processor equivalent terms as those imposed on the Supplier in this Agreement. The Supplier will remain responsible for the acts and omissions of Sub-Processors in respect of their processing of Personal Data as if they were its own.
7.3) If requested by GCI, the Supplier shall use reasonable endeavours to procure that any third party Sub-Processor appointed by the Supplier shall enter into a data processing agreement with GCI (or a third-party controller on behalf of whom GCI is processing Personal Data) on substantially the same terms as the agreement that the Supplier has in place with the third party Sub-Processor.
8 - Cooperation
The Supplier shall:
a) taking into account the nature of the processing, assist the controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the controller’s obligation to respond to requests for exercising data subjects’ rights; and
b) assist the controller in implementing appropriate technical and organisational measures against Data Security Incidents, completing data protection impact assessments and notifying Data Security Incidents to the competent supervisory authority or to the data subjects concerned, as required by Data Protection Law and taking into account the nature of the processing and the information available to the Supplier.
9 - Data protection impact assessments
If the Supplier believes or becomes aware that its processing of Personal Data is likely to result in a high risk to the data protection rights and freedoms of data subjects, it shall inform GCI and provide GCI with assistance to conduct a data protection impact assessment in accordance with clause 8.
10 - Data Security Incidents
Upon becoming aware of a Data Security Incident, the Supplier shall inform GCI without undue delay and shall provide such timely information and assistance in accordance with clause 8 as GCI may require in order for GCI to fulfil its data breach reporting obligations under Data Protection Law and to mitigate the effects of the Data Security Incident. The Supplier shall further take all such measures and actions as are necessary to remedy or mitigate the effects of the Security Incident and shall keep GCI informed of all developments in connection with the Security Incident.
11 - Subject access requests
The Supplier shall promptly notify GCI if it receives a request from a data subject to exercise their rights in respect of their Personal Data and shall provide such assistance to GCI as may be required in accordance with clause 8.
12 - Deletion or return of Personal Data
Upon termination or expiry of this Agreement, the Supplier shall (at GCI’s election) destroy or return to GCI all Personal Data (including all copies of the Personal Data) in its possession or control (including any Personal Data that is processed by a Sub-Processor). This requirement shall not apply to the extent that the Supplier is required by any Applicable Law to retain some or all of the Personal Data, in which event the Supplier shall isolate and protect the Personal Data from any further processing except to the extent required by such Applicable Law.
13 - Records
The Supplier shall maintain a record of all categories of processing activities carried out on behalf of GCI, containing: (i) the name and contact details of the processor or processors and of each controller on behalf of which the Supplier is acting and, where applicable, of the controller’s or processor’s representative, and the data protection officer; (ii) the categories of processing carried out on behalf of each controller; (iii) where applicable, transfers of Personal Data to a third country or an international organisation, including the identification of that third country or international organisation; and (iv) where possible, a general description of the technical and organisational security measures implemented by the Supplier in accordance with clause 6 (Security) (“Processing Records”). The Supplier shall make available such Processing Records to GCI within five (5) working days following receipt of a request for such Processing Records from GCI.
14 - Information and audit
The Supplier shall make available to GCI all information necessary to demonstrate compliance with the obligations set out in this Agreement and allow for and contribute to audits, including inspections, conducted by GCI, the controller or another auditor mandated by the controller, except if and to the extent that providing such information or permitting such an audit would place the Supplier in breach of Applicable Law. The Supplier acknowledges that GCI (or its third party auditors) may enter its premises for the purposes of conducting this audit, provided that GCI gives it reasonable prior notice of its intention to audit, conducts its audit during normal business hours, and takes all reasonable measures to prevent unnecessary disruption to the Supplier’s operations. No more than one audit may be carried out in any calendar year, except if and when required by instruction of a competent data protection authority or if GCI believes a further audit is necessary including due to a Data Security Incident suffered by the Supplier.
15 – International transfers
15.1) The Supplier shall not permit any processing of Personal Data outside the European Economic Area unless:
a) the Supplier first puts in place adequate transfer mechanisms to ensure the transfer is in compliance with Data Protection Law, and obtains the written consent of GCI prior to permitting any such processing;
b) the Supplier or the relevant Sub-Processor is required to transfer the Personal Data to comply with Applicable Law, in which case the Supplier will notify the other Party of such legal requirement prior to such transfer unless such Applicable Law prohibits such notice from being given to the other Party.
15.2) For the purposes of clause 15.1(a), the adequate transfer mechanisms may include: (i) transferring the Personal Data to a recipient in an Adequate Territory, (ii) transferring the Personal Data to a recipient that has achieved binding corporate rules authorisation in accordance with Data Protection Law, or (iii) transferring the Personal Data to a recipient that has executed Model Clauses in circumstances that are appropriate for their use.
15.3) Where the Supplier processes Personal Data in a territory outside of the EEA that is not an Adequate Territory, then the Model Clauses will be incorporated into this Data Processing Agreement by reference and will apply to the processing as follows:
a) GCI will be the data exporter and will be deemed to have entered into the Model Clauses in its own name and on its own behalf in relation to the Personal Data disclosed to the Supplier (and on behalf of any third-party controller on behalf of whom GCI processes Personal Data that is transferred to the Supplier);
b) the Supplier will be deemed to have entered into the Model Clauses in its own name and on its own behalf in relation to the Personal Data disclosed to it by the Data Exporter(s);
c) the provisions of the details of processing set out in the Data Processing Appendix will be deemed to be incorporated into Appendix 1 of the Model Clauses;
d) the security measures referred to in clause 6 will be deemed to be set out in Appendix 2 to the Model Clauses (where relevant);
e) the optional illustrative indemnification clause will be deemed to have been deleted; and
f) where and to the extent that the Model Clauses apply pursuant to this clause 3, if there is any conflict between this Agreement and the Model Clauses, the Model Clauses will prevail.
15.4) Where the Supplier is established in the European Economic Area and wishes to appoint a Sub-Processor who will process Personal Data outside the European Economic Area, the Supplier agrees to procure that the Sub-Processor enters into a data transfer agreement with GCI (or with a third party controller on behalf of whom GCI is processing Personal Data) incorporating the Model Clauses in a manner that is consistent with clause 15.3.
15.5) In any event, if any Applicable Law(s) conflict with the provisions of this Agreement, then to the extent of such conflict:
a) where the standard of data protection required by Applicable Law(s) exceeds the standard required by this Agreement, the Supplier shall process the Personal Data to a standard consistent with Applicable Law(s); and
b) where the standard of data protection required by this Agreement exceeds the standard required by Applicable Law(s), the Supplier shall process the Personal Data to a standard consistent with this Agreement.
16 – Indemnity
The Supplier hereby indemnifies, shall keep indemnified and shall hold harmless GCI from any liability, loss, damage, claim or expense suffered or incurred by GCI (whether arising under contract, tort including negligence, breach of statutory duty or otherwise) for any breach by the Supplier of this Agreement or any breach by the Supplier (or any of its Sub-Processors) of Data Protection Law in respect of GCI’s or its customers’ Personal Data.
17 – Costs
Each party shall bear its own costs for complying with its obligations under this Agreement and shall not be entitled to charge any additional fees to the other party for such compliance, except as may otherwise be expressly agreed in writing by the other party.
18 – Notices
18.1) Any Notices to GCI under this Agreement should be sent by email to email@example.com or in writing via letter to GCI Data Protection Officer Global House, 2 Crofton Close, Lincoln, LN3 4NT. All notices under clauses 10 (Data Security Incidents) and 11 (Subject Access Requests) should be notified via email to firstname.lastname@example.org marked as high importance.
18.2) Any notice, letter or other communication contemplated by this Agreement will be communicated in writing via letter to the addresses set out in the relevant Schedule or by email to email addresses agreed between the Parties.
19 – Miscellaneous
19.1) This Agreement and the Services Agreement shall constitute the entire agreement between the Parties relating to the subject matter of this Agreement and supersede all prior agreements, understandings, negotiations and discussions of the Parties.
19.2) The provisions of this Agreement are severable. If any phrase, clause or provision is invalid or unenforceable in whole or in part, such invalidity or unenforceability will affect only such phrase, clause or provision, and the rest of this Agreement will remain in full force and effect.
19.3) The provisions of this Agreement will endure to the benefit of and will be binding upon the Parties and their respective successors and assigns.
19.4) This Agreement may be executed in counterparts, each of which will be deemed an original, but all of which together will constitute one and the same instrument.
19.5) This Agreement will be governed by and construed in accordance with the laws of England, unless a different choice of law applies under the Services Agreement, in which case the law that governs the Services Agreement shall also govern this Agreement.
19.6) The Parties agree that no person who is not a Party to this Agreement shall have the right to enforce any provision of it in accordance with the Contracts (Rights of Third Parties) Act 1999 (“CRTPA“). Nothing in this clause shall affect the right of any person which exists apart from the CRTPA.
DEFINITIONS AND INTERPRETATION
1 - Definitions
1.1) In this Agreement:
“Adequate Territory“ means a territory outside of the European Economic Area that has not been designated by the European Commission as ensuring an adequate level of protection pursuant to EU Privacy Law.
“this Agreement” means this Data Processing Agreement comprising the Data Processing Terms and the Definitions and Interpretation section and including the Data Processing Appendix.
“Applicable Law” means applicable law, statute, bye-law, regulation, order, regulatory policy, guidance or industry code, rule of court or directives or requirements of any regulatory body, delegated or subordinate legislation or notice of any regulatory body.
“Communications Data“ means any data processed for the purpose of the conveyance of (or billing of) any electronic communication or communication on an electronic communications network, including SMS, MMS, email and internet connection records, and any Location Data. Communications Data may include records of connections to particular telephone numbers, devices and users and the dates, times and durations of such connections.
“Content Data“ means the content (comprising any speech, music, sounds, visual images or data of any description) of any electronic communication by a user, including the content of electronic messages, such as SMS, MMS and email, and web pages requested to the extent that it is not Communications Data.
“CRM Data“ means any Personal Data of staff or representatives of a Party which is processed by the other Party for the purposes of managing the Services, administering a Services Agreement or marketing products or services to that Party.
“Data Processing Appendix“ means the Appendix to this Agreement detailing the processing activities that the Supplier carries out in relation to the Personal Data and the Sub-Processors, as approved by GCI.
“Data Protection Law“ means all Applicable Laws relating to data protection, the processing of personal data and privacy including: (a) prior to 25 May 2018, Directive 95/46/EC of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data; (b) on and after 25 May 2018, the GDPR; (c) any applicable national laws and regulations that implement the laws referred to in sub-paragraphs (a) and (b), including the Data Protection Act 1998; (d) the Privacy and Electronic Communications (EC Directive) Regulations 2003 (as may be amended by the proposed Regulation on Privacy and Electronic Communications); (e) any legislation that, in respect of the United Kingdom, replaces or converts into domestic law the GDPR, the proposed Regulation on Privacy and Electronic Communications or any other law relating to data protection, the processing or personal data and privacy as a consequence of the United Kingdom leaving the European Union.
“Data Security Incident“ means the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.
“Effective Date“ means 25 May 2018.
“European Economic Area“ means the Member States of the European Economic Area as it is made up from time to time, comprising the Member States of European Union and such other countries that are party to the Agreement on the European Economic Area that entered into force on 1 January 1994, including the United Kingdom.
“GCI“ GCI Network Solutions Limited (Co No 04082862) and any other member of the GCI group of companies as is named as the supplier of the Services in an the Services Agreement.
“GDPR“ means Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
“Model Clauses“ means model clauses for the transfer of Personal Data to controllers or processors (as appropriate) established in third countries approved by the European Commission from time to time (available online at //ec.europa.eu/justice/data-protection/document/international-transfers/transfer/index_en.htm), as such model clauses may be amended or superseded by the European Commission from time to time.
“Personal Data“ means any information relating to an identified or identifiable natural person that is processed by the Supplier in the performance of the Services Agreement. An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his/her physical, physiological, mental, economic, cultural or social identity.
“Security Policy“ means GCI’s security policy which details the security measures taken by GCI in the provision of the Services and its current practices regarding the maintenance of the security of data, the current version of which may be made available on GCI’s website or upon request from GCI.
“Services“ means the services provided by the Supplier to GCI as more particularly described in the Services Agreement.
“Services Agreement“ the Supplier’s contract with GCI for the provision by the Supplier of the Services.
“Sub-Processor” any other person or entity to whom the Supplier sub-contracts or outsources any processing of Personal Data.
“Supplier“ means the entity contracting with GCI as identified in the Services Agreement.
“User Data“ means Personal Data regarding Users which is not Communications Data, Content Data or CRM Data. Such Personal Data include user IDs, passwords, authenticators, addresses (including MAC addresses, IP addresses and email addresses) and telephone numbers.
2 - Interpretation
In this Agreement:
2.1) references to the following terms shall be given their meanings under Data Protection Law: “personal data”, “controller”, “joint controller”, “processor”, “data subject”, “process” or “processing”, “subject access request”, and any other terms that are defined under Data Protection Law and used in this Agreement;
2.2) words in the singular shall include the plural and words in the plural shall include the singular unless the context requires otherwise;
2.3) headings are for convenience only and shall not affect the interpretation of this Agreement;
2.4) references to a Party include references to its successors in title and permitted assigns; and
2.5) references to “includes” or “including” shall be read as being immediately followed by the words “without limitation”.