Data Processing Addendum
1. Interpretation of this DPA
- 1.1. You will notice that we have used some capitalised words in this DPA. These words have specific meanings, which are as follows unless the context implies otherwise:
- "Controller", "Data Subject", "Personal Data Breach", "Processor", "Processing", and "Supervisory Authority" each respectively have the meanings given to them in the GDPR. "Process" and "Processes" will be construed accordingly.
- "Data Protection Legislation" means all applicable data protection and privacy legislation in force from time to time in the EU and the UK, including Regulation (EU) 2016/679 ("GDPR"); the GDPR as defined in section 3(10) (as supplemented by section 205(4)) of the DPA 2018 (the "UK GDPR"); the Data Protection Act 2018 ("DPA 2018"); the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426) as amended; the California Consumer Privacy Act of 2018, Cal. Civ. Code §1798.100, et seq. ("CCPA"); and any other legislation and regulatory requirement in force from time to time which apply to you or us relating to the use of Personal Data.
- "Personal Data" means the personal data which is Processed by us under the Agreement, as defined by Article 4 of the UK GDPR;
- "Services" means the services provided by us to you under the Agreement.
- "Standard Contractual Clauses" means, together, the standard contractual clauses for the transfer of Personal Data to third countries, pursuant to the GDPR, adopted by the European Commission under Commission Decision (EU) 2021/914 ("EU SCCs") and the UK International Transfer Addendum to the EU SCCs (the "UK Addendum").
- 1.2. Any capitalised terms we have used which aren't specified in paragraph 1.1 have the meanings that we have given to them in the Agreement.
- 1.3. Where this DPA refers to 'writing' or 'written', this includes e-mail but does not include fax.
- 1.4. If a term of this DPA conflicts with a term contained in the Agreement, the relevant term in this DPA will override the conflicting term in the Agreement.
- 1.5. If a term of the Schedules to this DPA conflicts with a term contained in this DPA or the Agreement, the relevant term in the applicable Schedule will override the conflicting term in this DPA or the Agreement.
2. Our role and your role
- 2.1. Processor and Controller classification. We are a Processor of your Personal Data and you are the Controller of your Personal Data. This means that you are in control of any Personal Data that you provide to us and ask us to Process on your behalf.
- 2.2. What do you have to do as a Controller? As a Controller, you remain responsible for your compliance obligations under the Data Protection Legislation, including ensuring that you have all necessary consents, permissions, and authorisations to provide Personal Data to us to Process on your behalf (as well as a lawful basis for doing so), for notifying Data Subjects as to how their Personal Data is being used, and for giving us appropriate and lawful instructions.
- 2.3. Your instructions to us. You warrant that your instructions are, and that our use of the Personal Data to provide you with the Services you have instructed us to provide is, compliant with the Data Protection Legislation. We will notify you if, in our opinion, your instructions are not compliant with the Data Protection Legislation.
- 2.4. Where can you find the terms which set out the particulars of the Processing? The terms which set out the particulars of what we Process your Personal Data for, why we Process it and where we Process it, in addition to other information relating to the Processing of your Personal Data, can be found in the Schedules of this DPA.
3. Your obligations
3.1. What you will do. You will:
- 3.1.1. have in place, at all times during the term of the Agreement, appropriate technical and organisational measures to ensure that you have proper security measures in place to protect the Personal Data. These measures must be at least as secure as the measures we have set out at paragraph 3.12 of Schedule 1;
- 3.1.2. make sure that your instructions to us regarding the Processing of your Personal Data are given in writing and are clear and understandable;
- 3.1.3. make sure that you have an applicable legal basis for transferring any Personal Data to us for Processing; and
- 3.1.4. indemnify us against all loss, liability, damages, costs, fees, claims and expenses which we may incur or suffer as a result of your breach of this DPA or the Data Protection Legislation.
3.2. Your warranties to us. You warrant and represent that:
- 3.2.1. you will, and will throughout the term of the Agreement maintain (at your own cost and expense) all relevant regulatory registrations and notifications as required from time to time under the Data Protection Legislation; and
- 3.2.2. you have undertaken appropriate due diligence in relation to our Processing operations, and are satisfied that:
- (i) our Processing operations are suitable for the purposes you propose to use the Software for and engage us to Process your Personal Data; and
- (ii) we have sufficient expertise, reliability and resources to implement technical and organisational measures which meet the requirements of the Data Protection Legislation.
- 3.3. Who bears the costs for our provision of assistance to you? To the extent legally permitted, you will promptly reimburse us for any reasonable costs we incur as a result of providing you with assistance, reporting, or documentation or in connection with any audit or inspection under or pursuant to this DPA (to the extent that this goes beyond the existing functionality of our Services).
4. Our obligations
- 4.1. Our Processing of your Personal Data. When we Process your Personal Data, we will only do so in accordance with and for the purpose set out in this DPA.
- 4.2. What happens if you give us new instructions? If you give us an instruction to amend, transfer, delete or Process the Personal Data in a different manner, or you ask us to stop, mitigate or remedy any unauthorised Processing, we will promptly comply with this request.
- 4.3. Is your Personal Data kept confidential? We will keep your Personal Data confidential and will not share it with anyone else unless: (a) we are required to do so by law; (b) you authorise us to do so; or (c) we are permitted to do so under this DPA. Where the law, a regulator, a court, or a Supervisory Authority requires us to disclose or Process Personal Data, to the extent that we are lawfully and reasonably able to do so, we will first inform you of this requirement and give you an opportunity to challenge or object to it.
- 4.4. How will we assist you in complying with your obligations under the Data Protection Legislation? We will provide you with reasonable assistance in meeting your compliance obligations under the Data Protection Legislation, taking into account the nature of our Processing of your Personal Data and the information we have available to us. This includes data protection impact assessments and reporting to and consulting with supervisory authorities under the Data Protection Legislation.
- 4.5. Your consent for us to use non-identifiable derived data. You acknowledge that we can use meta-data, statistics and other information derived from the Personal Data we receive from you which cannot be identified as originating or deriving directly from the Personal Data, and cannot be reverse-engineered by a third party so that it can be identified, for any purpose whatsoever.
5. Our employees
5.1. Assurances regarding our employees. We will ensure that any and all employees:
- 5.1.1. are informed of the confidential nature of the Personal Data, are subject to confidentiality obligations, and are aware of the restrictions on the use of the Personal Data;
- 5.1.2. have undertaken training relating to the handling of Personal Data under the Data Protection Legislation and how it applies to their particular duties; and
- 5.1.3. are aware of our duties and their personal duties and obligations under the Data Protection Legislation and this DPA.
6. Protecting your Personal Data
- 6.1. Appropriate technical and organisational measures. We will implement and maintain at all times appropriate technical and organisational measures to protect your Personal Data against any unauthorised or unlawful Processing, access, disclosure, copying, modification, storage, reproduction, display, distribution, destruction, alteration, disclosure, damage and accidental or unlawful loss. At a minimum, we will adhere to the measures set out at security.genieai.co.
- 6.2. Updating our security measures. We may update our security measures from time to time provided that these updates do not negatively impact on the security of the Personal Data they apply to. We will maintain an up-to-date record of our then-current security measures which we will review at least once a year to ensure that they are accurate and complete.
6.3. What level of security do we have to protect your Personal Data? When we implement the technological and organisational measures, we will ensure that the level of security is appropriate for the level of risk involved in Processing your Personal Data. This includes:
- 6.3.1. the pseudonymisation and encryption of Personal Data;
- 6.3.2. the ability to ensure the ongoing confidentiality, integrity, availability and resilience of our Processing systems and services;
- 6.3.3. the ability to restore the access to and availability of Personal Data in a timely manner in the event of a physical or technical incident; and
- 6.3.4. a Process for regularly testing, assessing and evaluating the effectiveness of our security measures.
7. Personal Data Breach
- 7.1. What happens if your Personal Data is lost, damaged, corrupted or unusable? If any of your Personal Data that we are Processing is lost, destroyed, becomes damaged, corrupted or unusable, we will notify you promptly and without undue delay. We will restore your Personal Data at our own expense.
7.2. When will we notify you without undue delay? Where we become aware of any of the following, we will notify you without undue delay:
- 7.2.1. accidental, unauthorised or unlawful Processing of your Personal Data; or
- 7.2.2. any Personal Data Breach relating to your Personal Data.
7.3. What information will we provide you in our notification of a Personal Data Breach? If any of the events in clause 7.2 occur, we will promptly provide you with the following information:
- 7.3.1. a description of the nature of the event which includes the volume and categories of Data Subjects and Personal Data records concerned;
- 7.3.2. the likely consequences of the event; and
- 7.3.3. a description of the measures we have taken or propose to be taken to address such an event, including measures to mitigate against its possible adverse effects.
- 7.4. How is a Personal Data Breach investigated? Immediately following any unauthorised or unlawful Processing of your Personal Data, or a Personal Data Breach, we will coordinate with you to investigate the matter and provide you with our reasonable cooperation to assist you with handling the matter, including:
- 7.4.1. assisting with any investigation;
- 7.4.2. making all relevant records, logs, files, data reporting and other materials required by you to comply with the Data Protection Legislation available to you; and
- 7.4.3. promptly taking reasonable steps to mitigate the effects of and minimise the damage resulting from the Personal Data Breach or unauthorised or unlawful Processing of your Personal Data.
- 7.5. When will we inform third parties of a Personal Data Breach? If there is a Personal Data Breach, we will not inform any third party that one has occurred without first obtaining your consent to do so unless: (a) we are required to do so by law; (b) we need to do so in order to maintain our insurance coverage; or (c) to maintain regulatory or equivalent certifications.
7.6. Your responsibilities when making notifications of Personal Data Breaches. Subject to clause 7.5, you have the sole right to determine:
- 7.6.1. whether or not to inform Data Subjects, supervisory authorities, regulators, law enforcement agencies, or others of the occurrence of a Personal Data Breach (whether in accordance with a legal requirement or at your discretion);
- 7.6.2. the form of any notice to be provided to any Data Subjects, supervisory authorities, regulators, law enforcement agencies, or others, if you choose to make a notification under clause 7.6.1; and
- 7.6.3. whether or not you will offer affected Data Subjects any type of remedy and, if so, the nature and extent of it.
8. Transfers of Personal Data outside of the European Union or the UK
- 8.1. When will Personal Data be transferred outside of the UK or European Economic Area? There may be occasions where we need to transfer your Personal Data outside of the United Kingdom or the European Economic Area (the "GDPR Territories") in order to provide you with our Services. We will not transfer your Personal Data outside of the GDPR Territories without ensuring that adequate safeguards are in place where the Data Protection Legislation requires.
- 8.2. What mechanisms will govern this type of transfer? If there is no adequate protection measure in place to facilitate an international transfer of your Personal Data, the Standard Contractual Clauses will be incorporated into this DPA in the Schedules, as if they had been set out in full.
8.3. Safeguards to put in place for transfers of Personal Data outside of the GDPR Territories. If we transfer your Personal Data outside of the GDPR Territories, both you and we will ensure that:
- 8.3.1. the Personal Data is being Processed in a jurisdiction which the European Union has determined provides adequate protection for the privacy rights of individuals;
- 8.3.2. cross-border transfer mechanisms under the Data Protection Legislation are applied to ensure that appropriate safeguards with an adequate level of protection are in place to protect the privacy rights of individuals under Article 46 of the GDPR (and/or, as applicable, the UK GDPR); or
- 8.3.3. the transfer of the Personal Data otherwise complies with the Data Protection Legislation.
- 8.4. Where can you find details of the transfer mechanisms we rely on? As of the date of this DPA, we have identified in the Schedules which transfer mechanisms will apply to transfers of your Personal Data outside of the GDPR Territories. If there is any change to these mechanisms, we will promptly inform you of these changes.
- 8.5. What measures are in place with sub-Processors? Where we use sub-Processors to assist us in providing the Services to you, you authorise us to enter into the Standard Contractual Clauses with that sub-Processor in order to comply with the Data Protection Legislation. We will provide copies of these executed Standard Contractual Clauses to you if you make a request for us to provide them to you in writing.
9. Using third parties to Process your data on our behalf
- 9.1. When can sub-Processors be used? We may require the assistance of third parties to Process your Personal Data on our behalf in connection with the Services (a "sub-Processor"). You pre-approve our use of third-party Processors so that we can fulfil our obligations to you. This includes the sub-Processors which are published here.
9.2. Appointing new sub-Processors. Where we appoint a new sub-Processor, we will:
- 9.2.1. inform you of the new sub-Processor prior to their appointment and provide you with an opportunity to object to the sub-Processor's appointment. If your reason for objecting to our use of the proposed sub-Processor is reasonable, we will use our commercially reasonable efforts to either:
- (a) alter our plans to use the proposed sub-Processor with respect to your Personal Data;
- (b) take corrective steps to remove your objections; or
- (c) if we cannot reasonably effect (a) or (b), we will be entitled to terminate the Services. Your objection must be provided to us within ten (10) calendar days of us notifying you of our intention to appoint the proposed sub-Processor. If no objection is received, you will be deemed to have accepted the proposed sub-Processor and they will then be appointed;
- 9.2.2. ensure that a written agreement is in place between us and the sub-Processor, and that the terms of that agreement impose obligations on the sub-Processor which are equivalent to the terms which are imposed on us under this DPA; and
- 9.2.3. if our right to Process the Personal Data is terminated, terminate the Processing of your Personal Data by the sub-Processor.
- 9.3. Our liability for our sub-Processors. We will be liable to you for the acts and omissions of our sub-Processors as if their acts and omissions were ours.
10. Dealing with Processing complaints
10.1. Assisting you with processing complaints. We will take such technical and organisational measures as are appropriate and promptly provide you with such information as you may reasonably require to enable you to comply with:
- 10.1.1. the rights of Data Subjects under the Data Protection Legislation including:
- (a) subject access rights;
- (b) the right to rectify and erase Personal Data;
- (c) object to the Processing and automated Processing of Personal Data; and
- (d) restrict the Processing of Personal Data; and
- 10.1.2. information or assessment notices which you have been served by a Supervisory Authority under the Data Protection Legislation.
- 10.2. What happens if we receive a complaint? If we receive a complaint, notice or communication which is directly or indirectly related to our Processing of your Personal Data or our or your compliance with the Data Protection Legislation, we will notify you immediately.
- 10.3. What happens if a Data Subject makes a request to us? We will notify you if a Data Subject makes a request to exercise any of their rights under the Data Protection Legislation.
- 10.4. Assistance in responding to complaints. We will give you our full cooperation and assistance with responding to any complaint, notice, communication or Data Subject request.
10.5. When will we disclose Personal Data to third parties? We will not disclose Personal Data to any Data Subject or to a third party unless:
- 10.5.1. you instruct us to do so;
- 10.5.2. we are required to do so by law; or
- 10.5.3. this DPA otherwise states that we can.
11. Liability
- 11.1. Our liability to you. Our liability to you under this DPA will be subject to the limitations on liability set out at clause 18.2 of the Agreement.
12. Term and Termination
- 12.1. How long does this DPA apply for? This DPA will remain in force for so long as we have any of your Personal Data related to the Services in our possession or control. Any provision of this DPA that is expressly or impliedly intended to continue in force after termination of the Services will remain in full force and effect.
- 12.2. Impacts of changes to Data Protection Legislation on fulfilment of obligations. If the Data Protection Legislation is subject to change, and that change prevents either you or us from fulfilling obligations to each other under this DPA, we and you will discuss these changes in good faith and with a view to implementing any changes which are necessary to ensure that the Processing of your Personal Data is compliant with the new requirements.
13. Returning and destroying Personal Data
- 13.1. Returning and destroying Personal Data. We will give you a copy of, or access to, all or part of your Personal Data which is in our possession or control if you ask us to do so. We will provide this to you in a commonly accessible and electronic format of our choosing.
- 13.2. When will we not delete your Personal Data? We will not delete, destroy or return your Personal Data to you under clause 13.1 if we are required to retain it to comply with applicable law or regulation, or with the instruction of a regulatory or government body.
14. Records
- 14.1. Requirement to maintain records. We will keep detailed, accurate and up-to-date written records regarding any Processing of Personal Data that we carry out for you ("Records") and provide you with copies of these Records upon your reasonable written request.
15. Audit
- 15.1. When can you audit us? You may, no more than once in any consecutive twelve-month period, request that we provide you with the relevant information from our most recent ISO27001 audit and a summary of its results to demonstrate to you that we are compliant with this DPA. We will answer any reasonable questions that you have regarding our compliance with the Data Protection Legislation in advance of an audit. We will use our reasonable endeavours to ensure that the results of the audit constitute an adequate response.
- 15.2. Auditing our sub-Processors. If you make a request to us in writing, we will exercise the applicable audit rights that we have in connection with our sub-Processors' compliance with their obligations regarding your Personal Data. We will provide you with a summary of the audit results in a format of our choosing.
- 15.3. Compliance with audit requests from a Supervisory Authority. The audit rights set out at clauses 15.1 to 15.2 are your only contractual rights (and our only contractual obligations) in connection with the auditing of our Processing of your Personal Data, save that nothing in this DPA shall, or is intended to, undermine the rights and powers granted to Data Subjects or Supervisory Authorities. Accordingly, we will submit to any audits required by a Supervisory Authority or Data Protection Legislation.
16. CCPA
- 16.1. When does the CCPA apply? This paragraph 16 only applies if we are Processing Personal Data within the scope of the CCPA ("CCPA Data") under the Agreement. We will Process CCPA Data on your behalf and will not retain, use or disclose CCPA Data for any purpose other than the purpose set out in this DPA, and permitted under the CCPA, including under any "sale" exemption.
16.2. We will not sell or share your CCPA Data. In no event will we "sell" or "share" (as those terms are defined in the CCPA) any CCPA Data. We:
- 16.2.1. will not combine CCPA Data that we receive from, or on behalf of, you with personal information that we receive from, or on behalf of, any other person, or that we collect from our own interaction with a consumer, provided that we may combine CCPA Data to perform any business purpose as defined in regulations adopted pursuant to the CCPA;
- 16.2.2. grant to you the right to take reasonable and appropriate steps to help ensure that we use CCPA Data in a manner consistent with your obligations under the CCPA;
- 16.2.3. will notify you in the event that we determine that we can no longer meet our obligations under the CCPA; and
- 16.2.4. grant to you the right, upon notice, to take reasonable and appropriate steps to stop and remediate unauthorized use of CCPA Data.
SCHEDULE 1
EU Standard Contractual Clauses
1. Incorporation of the EU SCCs
- 1.1. Which Standard Contractual Clauses apply? Where clause 9 of the DPA applies, and a transfer of Personal Data is made pursuant to the GDPR, this Schedule 1 and the following terms will apply:
- 1.1.1. Module 2 of the EU SCCs and no other optional clauses, unless we have explicitly referred to them herein, are incorporated into this Schedule 1 as if they had been set out in full. They will apply where you, as the exporter of Personal Data, are acting as a Controller and we, as the importer of Personal Data, are acting as a Processor, and the transfer requires the additional protection; and
- 1.1.2. Module 3 of the EU SCCs and no other optional clauses, unless we have explicitly referred to them herein, are incorporated into this Schedule 1 as if they had been set out in full. They will apply where you, as the exporter of Personal Data, are acting as a Processor and we, as the importer of Personal Data, are acting as a sub-Processor, and the transfer requires the additional protection.
- 1.1.3. Module 4 of the EU SCCs and no other optional clauses unless explicitly specified, are incorporated into this Schedule 1 as if they had been set out in full in the case where the exporter is a Processor, the importer is a Controller and the transfer requires such additional protection.