Introduction
- This agreement regulates the processing of personal data by CULTRIX LIMITED, a company incorporated in England and Wales (registration number 04556716) having its registered office at Kendray Business Centre, Thornton Road, Barnsley, S70 3NA (the "Processor"); on behalf of the customer (the "Controller").
- This agreement is an addendum to the Main Contract in which the parties have agreed the terms for the Processor’s delivery of services to the Controller.
Background
- The Processor processes Personal Data on behalf of other businesses and organisations.
- The Controller processes Personal Data in connection with its business activities.
- The Controller wishes to engage the services of the Processor to process personal data on its behalf.
- Data Protection Laws provide that, where processing of personal data is carried out by a processor on behalf of a data controller the controller must choose a processor providing sufficient guarantees in respect of the technical security measures and organisational measures governing the processing to be carried out, and must ensure compliance with those measures.
- Data Protection Laws require that where processing is carried out by a processor on behalf of a controller such processing shall be governed by a contract or legal act binding the processor to the controller stipulating, in particular, that the processor shall act only on instructions from the controller and shall comply with the technical and organisational measures required under the appropriate national law to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access and against all other unlawful forms of processing.
Agreement
- Definitions
- In this Agreement, except to the extent expressly provided otherwise:
"Agreement" means this agreement including any Schedules, and any amendments to this Agreement from time to time;
"Business Day" means any weekday other than a bank or public holiday in England;
"Business Hours" means the hours of 08:30 to 17:30 GMT/BST on a Business Day;
"Controller Personal Data" means any Personal Data that is processed by the Processor on behalf of the Controller under or in relation to this Agreement;
"Data Protection Laws" means all applicable laws relating to the processing of Personal Data including, while it is in force and applicable to Controller Personal Data, the General Data Protection Regulation (Regulation (EU) 2016/679);
"Effective Date" means the date upon which the Main Contract comes into force;
"Main Contract" means any Service Level Agreement between the parties, as it may be amended and updated from time to time;
"Personal Data" has the meaning given to it in the Data Protection Laws applicable in the United Kingdom from time to time;
"Schedule" means any schedule attached to the main body of this Agreement; and
"Term" means the term of this Agreement, commencing in accordance with Clause 3.1 and ending in accordance with Clause 3.2.
- Supplemental
- This Agreement supplements the Main Contract.
- Any capitalised terms that are:
(a) used in this Agreement;
(b) defined in the Main Contract; and
(c) not defined in this Agreement,
shall in this Agreement have the meanings given to them in the Main Contract.
- If there is a conflict between this Agreement and the Main Contract, then the Main Contract shall take precedence.
- This Agreement shall automatically terminate upon the termination of the Main Contract.
- The Main Contract shall automatically terminate upon the termination of this Agreement.
- Term
- This Agreement shall come into force upon the Effective Date.
- This Agreement shall continue in force indefinitely, subject to termination in accordance with Clause 2.4, 2.5 or 6 or any other provision of this Agreement.
- Data protection
- The Processor shall comply with the Data Protection Laws with respect to the processing of the Controller Personal Data.
- The Controller warrants to the Processor that it has the legal right to disclose all Personal Data that it does in fact disclose to the Processor under or in connection with this Agreement.
- The Controller shall only supply to the Processor, and the Processor shall only process, in each case under or in relation to this Agreement, the Personal Data of data subjects falling within the categories specified in Paragraph 1 of Schedule 1 (Data processing information) and of the types specified in Paragraph 2 of Schedule 1 (Data processing information); and the Processor shall only process the Controller Personal Data for the purposes specified in Paragraph 3 of Schedule 1 (Data processing information).
- The Processor shall only process the Controller Personal Data during the Term and for not more than 90 days following the end of the Term, subject to the other provisions of this Clause 4.
- The Processor shall only process the Controller Personal Data on the documented instructions of the Controller (including with regard to transfers of the Controller Personal Data to any place outside the European Economic Area), as set out in this Agreement or any other document agreed by the parties in writing.
- The Processor shall promptly inform the Controller if, in the opinion of the Processor, an instruction of the Controller relating to the processing of the Controller Personal Data infringes the Data Protection Laws.
- If the Controller agrees in writing to any transfer of Controller Personal Data to any place outside the European Economic Area then, unless the Controller agrees otherwise in writing, such transfer shall be made under the standard contractual clauses set out in Schedule 2 (Model contractual clauses).
- Notwithstanding any other provision of this Agreement, the Processor may process the Controller Personal Data if and to the extent that the Processor is required to do so by applicable law. In such a case, the Processor shall inform the Controller of the legal requirement before processing, unless that law prohibits such information on important grounds of public interest.
- The Processor shall ensure that persons authorised to process the Controller Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
- The Processor and the Controller shall each implement appropriate technical and organisational measures to ensure an appropriate level of security for the Controller Personal Data, including those measures specified in Paragraph 4 of Schedule 1 (Data processing information).
- The Processor must not engage any third party to process the Controller Personal Data without the prior specific or general written authorisation of the Controller. In the case of a general written authorisation, the Processor shall inform the Controller at least 14 days in advance of any intended changes concerning the addition or replacement of any third party processor, and if the Controller objects to any such changes before their implementation, then the Controller may terminate this Agreement on 7 days' written notice to the Processor, providing that such notice must be given within the period of 7 days following the date that the Processor informed the Controller of the intended changes. The Processor shall ensure that each third-party processor is subject to the same or equivalent legal obligations as those imposed on the Processor by this Clause 4.
- As at the Effective Date, the Processor is hereby authorised by the Controller to engage, as sub-processors with respect to Controller Personal Data, the third parties identified at https://www.cultrix.co.uk/legal/privacy-and-cookies/gdpr/third-parties-and-data-sharing/.
- The Processor shall, insofar as possible and taking into account the nature of the processing, take appropriate technical and organisational measures to assist the Controller with the fulfilment of the Controller's obligation to respond to requests exercising a data subject's rights under the Data Protection Laws.
- The Processor shall assist the Controller in ensuring compliance with the obligations relating to the security of processing of personal data. The Processor shall report any Personal Data breach relating to the Controller Personal Data to the Controller within 24 hours following the Processor becoming aware of the breach. The Processor may charge the Controller at its standard time-based charging rates for any work performed by the Processor at the request of the Controller pursuant to this Clause 4.14.
- The Processor shall make available to the Controller all information necessary to demonstrate the compliance of the Processor with its obligations under this Clause 4 and the Data Protection Laws.
- The Processor shall, at the choice of the Controller, delete or return all of the Controller Personal Data to the Controller after the provision of services relating to the processing, and shall delete existing copies save to the extent that applicable law requires storage of the relevant Personal Data.
- The Processor shall allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller in respect of the compliance of the Processor's processing of Controller Personal Data with the Data Protection Laws and this Clause 4. The Processor may charge the Controller at its standard time-based charging rates for any work performed by the Processor at the request of the Controller pursuant to this Clause
- If any changes or prospective changes to the Data Protection Laws result or will result in one or both parties not complying with the Data Protection Laws in relation to processing of Personal Data carried out under this Agreement, then the parties shall use their best endeavours promptly to agree such variations to this Agreement as may be necessary to remedy such non-compliance.
- Limits upon exclusions of liability
- Nothing in this Agreement will:
(a) limit or exclude any liability for death or personal injury resulting from negligence;
(b) limit or exclude any liability for fraud or fraudulent misrepresentation;
(c) limit any liabilities in any way that is not permitted under applicable law; or
(d) exclude any liabilities that may not be excluded under applicable law.
- Termination
- Either party may terminate this Agreement by giving to the other party at least 30 days' written notice of termination.
- Either party may terminate this Agreement immediately by giving written notice of termination to the other party if the other party commits a material breach of this Agreement.
- Either party may terminate this Agreement immediately by giving written notice of termination to the other party if:
(a) the other party:
(i) is dissolved;
(ii) ceases to conduct all (or substantially all) of its business;
(iii) is or becomes unable to pay its debts as they fall due;
(iv) is or becomes insolvent or is declared insolvent; or
(v) convenes a meeting or makes or proposes to make any arrangement or composition with its creditors;
(b) an administrator, administrative receiver, liquidator, receiver, trustee, manager or similar is appointed over any of the assets of the other party;
(c) an order is made for the winding up of the other party, or the other party passes a resolution for its winding up (other than for the purpose of a solvent company reorganisation where the resulting entity will assume all the obligations of the other party under this Agreement); or
(d) if that other party is an individual:
(i) that other party dies;
(ii) as a result of illness or incapacity, that other party becomes incapable of managing his or her own affairs; or
(iii) that other party is the subject of a bankruptcy petition or order.
- Effects of termination
- Upon the termination of this Agreement, all of the provisions of this Agreement shall cease to have effect, save that the following provisions of this Agreement shall survive and continue to have effect (in accordance with their express terms or otherwise indefinitely): Clauses 1, 2.2, 2.3, 4.1, 4.3, 4.4, 4.5, 4.6, 4.7, 4.8, 4.9, 4.10, 4.11, 4.12, 4.13, 4.14, 4.15, 4.16, 4.17, 4.18, 5, 7, 9 and 10.
- Except to the extent that this Agreement expressly provides otherwise, the termination of this Agreement shall not affect the accrued rights of either party.
- Notices
- Any notice from one party to the other party under this Agreement must be given by one of the following methods (using the relevant contact details set out in Clause 8.2):
(a) delivered personally or sent by courier, in which case the notice shall be deemed to be received upon delivery; or
(b) sent by recorded signed-for post, in which case the notice shall be deemed to be received 2 Business Days following posting; or
(c) emailed, in which case the notice shall be deemed to be received upon delivery; or
(d) by telephone, in which case the notice shall be deemed to be received at the end of the conversation,
providing that, if the stated time of deemed receipt is not within Business Hours, then the time of deemed receipt shall be when Business Hours next begin after the stated time.
- The parties' contact details for notices under this Clause 8 are as follows:
(a) in the case of notices sent by the Controller to the Processor: Kendray Business Centre, Thornton Road, Barnsley, South Yorkshire, S70 3NA, 01226 736670, accounts@cultrix.co.uk; and
(b) in the case of notices sent by the Processor to the Controller, to the contact details stored in the profile at https://secure.cultrix.co.uk/clientarea.php?action=details.
- The addressee and contact details set out in Clause 8.2 may be updated from time to time by a party giving written notice of the update to the other party in accordance with this Clause 8.
- General
- No breach of any provision of this Agreement shall be waived except with the express written consent of the party not in breach.
- If any provision of this Agreement is determined by any court or other competent authority to be unlawful and/or unenforceable, the other provisions of this Agreement will continue in effect. If any unlawful and/or unenforceable provision would be lawful or enforceable if part of it were deleted, that part will be deemed to be deleted, and the rest of the provision will continue in effect (unless that would contradict the clear intention of the parties, in which case the entirety of the relevant provision will be deemed to be deleted).
- This Agreement may not be varied except by a written document signed by or on behalf of each of the parties.
- Neither party may without the prior written consent of the other party assign, transfer, charge, license or otherwise deal in or dispose of any contractual rights or obligations under this Agreement.
- This Agreement is made for the benefit of the parties, and is not intended to benefit any third party or be enforceable by any third party. The rights of the parties to terminate, rescind, or agree any amendment, waiver, variation or settlement under or relating to this Agreement are not subject to the consent of any third party.
- Subject to Clause 5, this Agreement shall constitute the entire agreement between the parties in relation to the subject matter of this Agreement, and shall supersede all previous agreements, arrangements and understandings between the parties in respect of that subject matter.
- This Agreement shall be governed by and construed in accordance with English law.
- The courts of England shall have exclusive jurisdiction to adjudicate any dispute arising under or in connection with this Agreement.
- Interpretation
- In this Agreement, a reference to a statute or statutory provision includes a reference to:
(a) that statute or statutory provision as modified, consolidated and/or re-enacted from time to time; and
(b) any subordinate legislation made under that statute or statutory provision.
- The Clause headings do not affect the interpretation of this Agreement.
- References in this Agreement to "calendar months" are to the 12 named periods (January, February and so on) into which a year is divided.
- In this Agreement, general words shall not be given a restrictive interpretation by reason of being preceded or followed by words indicating a particular class of acts, matters or things.
Schedule 1 (data processing information)
- Categories of data subject
- We may process the personal data of our website users, service users, employees, suppliers, customers and other natural persons. As an IT services provider we may process the personal data of our service users’ own website users, service users, employees, suppliers, customers and other natural persons.
- Types of personal data
- We may process:
(a) data about your use of our website and services ("usage data") - the usage data may include your IP address, geographical location, browser type and version, operating system, referral source, length of visit, page views and website navigation paths, as well as information about the timing, frequency and pattern of your service use; and
(b) your information included in your account on our website ("account data") - the account data may include your company name, first name, last name, email address, phone number, address, security question and answer, and password; and
(c) your information included in your personal profile on our website ("profile data") - the profile data may include your company name, client group, account status, preferred payment method, language and currency; and
(d) your information that is provided to us in the course of the use of our services, or that we obtain through providing you with IT support services ("service data") - the service data may include, but is not limited to, usernames and passwords, domain names, service URLs, user information, as well as specifications and information about your networks, Internet connections, servers, laptops, computers, tablets, mobile devices, printers, applications, backups, antivirus and malware protection, security, routers and firewalls, spam and content filtering; and
(e) information that you post for publication on our website or through our services ("publication data") - the publication data may be processed for the purposes of enabling such publication and administering our website and services; and
(f) information contained in any enquiry you submit to us regarding goods and/or services ("enquiry data") - the enquiry data may include your contact details, the enquiry content and metadata associated with the enquiry; and
(g) information relating to transactions, including purchases of goods and services, that you enter into with us and/or through our website ("transaction data") - the transaction data may include your contact details, your card details, your bank account details, and the transaction details; and
(h) information that you provide to us for the purpose of subscribing to our email notifications and/or newsletters ("notification data"); and
(i) information contained in or relating to any communication that you send to us ("correspondence data"); and
(j) personal information stored on your IT systems ("customer data") - this customer data may include personal data about you, your employees, your suppliers, your own website and service users, and other natural persons; and
(k) information you upload to our servers, information submitted through and stored by your website, and information sent by email from you or to you ("hosted data"). This hosted data may include personal data about you, your employees, your suppliers, your own website and service users, and other natural persons.
(l) information contained in or relating to any telephone conversations ("call data") - this call data may include personal data about you, your employees, your suppliers, your own website and service users, and other natural persons.
- Purposes of processing
- Usage data may be processed for the purposes of analysing the use of the website and services, and ensuring the security of our website and services.
- Account data may be processed for the purposes of operating our website, providing our services, ensuring the security of our website and services, record-keeping, maintaining backups and communicating with you.
- Profile data may be processed for the purposes of enabling and monitoring your use of our website and services, record-keeping, and personalising our website and services to you.
- Service data may be processed for the purposes of operating our website, providing our services, ensuring the security of our website and services, record-keeping, maintaining backups and communicating with you.
- Publication data may be processed for the purposes of enabling such publication and administering our website and services.
- Enquiry data may be processed for the purposes of communicating with you, record-keeping, and offering, marketing and selling relevant goods and/or services to you.
- Transaction data may be processed for the purpose of supplying the purchased goods and services and keeping proper records of those transactions.
- Notification data may be processed for the purposes of sending you the relevant notifications and/or newsletters.
- Correspondence data may be processed for the purposes of communicating with you and record-keeping.
- Customer data may be processed for the purposes of providing our services, ensuring the security of our services, and maintaining backups.
- Hosted data may be processed for the purposes of providing our services, ensuring the security of our services, and maintaining backups.
- Call data may be processed for the purposes of providing our services, ensuring the quality of our services, dealing with complaints and queries, and maintaining backups.
- Sources of personal data
- The source of
(a) usage data is Google Analytics and our server logs;
(b) account data is you;
(c) profile data is you;
(d) service data is you;
(e) publication data is you;
(f) enquiry data is you, our website will also generate metadata associated with the enquiry when using the website contact forms;
(g) transaction data is you;
(h) notification data is you;
(i) correspondence data is you;
(j) customer data is you;
(k) hosted data is you;
(l) call data is you.
- Legal basis for processing
- The legal basis for processing:
(a) usage data is our legitimate interests, namely monitoring, improvement and the security of our website and services;
(b) account data is consent and our legitimate interests, namely the proper administration of our website and business and the performance of a contract between you and us and/or taking steps, at your request, to enter into such a contract;
(c) profile data is consent and our legitimate interests, namely the proper administration of our website and business and the performance of a contract between you and us and/or taking steps, at your request, to enter into such a contract;
(d) service data is consent and our legitimate interests, namely the proper administration of our website and business and the performance of a contract between you and us and/or taking steps, at your request, to enter into such a contract;
(e) publication data is consent and our legitimate interests, namely the proper administration of our website and business;
(f) enquiry data is consent;
(g) transaction data is the performance of a contract between you and us and/or taking steps, at your request, to enter into such a contract and our legitimate interests, namely our interest in the proper administration of our website and business;
(h) notification data is consent and the performance of a contract between you and us and/or taking steps, at your request, to enter into such a contract;
(i) correspondence data is our legitimate interests, namely the proper administration of our website and business and communications with users;
(j) customer data is consent and our legitimate interests, namely the performance of a contract between you and us;
(k) hosted data is consent and our legitimate interests, namely the performance of a contract between you and us;
(l) call data is consent and our legitimate interests, namely the proper administration of our business, record-keeping, improving our services, training, and the performance of a contract between you and us and/or taking steps, at your request, to enter into such a contract.
- Security of personal data
- We will take appropriate technical and organisational precautions to secure your personal data and to prevent the loss, misuse or alteration of your personal data.
- We will store all your personal data on secure servers, personal computers and mobile devices, and in secure manual record-keeping systems.
- The following personal data will be stored by us in encrypted form: password(s).
- Data relating to your enquiries and financial transactions that is sent from your web browser to our web server, or from our web server to your web browser, will be protected using encryption technology.
- You acknowledge that the transmission of unencrypted (or inadequately encrypted) data over the internet is inherently insecure, and we cannot guarantee the security of data sent over the internet.
- You should ensure that your password is not susceptible to being guessed, whether by a person or a computer program. You are responsible for keeping the password you use for accessing our website confidential and we will not ask you for your password (except when you log in to our website).
- Sub-processors of Personal Data
- You can find a list of our suppliers and subcontractors along with links to their privacy policies and practices at https://www.cultrix.co.uk/legal/privacy-and-cookies/gdpr/third-parties-and-data-sharing/.
Schedule 2 (model contractual clauses)
Standard Contractual Clauses (Processors)
Clause 1
Definitions
For the purposes of the Clauses:
(a) ‘personal data’, ‘special categories of data’, ‘process/processing’, ‘controller’, ‘processor’, ‘data subject’ and ‘supervisory authority’ shall have the same meaning as in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data;
(b) ‘the data exporter’ means the controller who transfers the personal data;
(c) ‘the data importer’ means the processor who agrees to receive from the data exporter personal data intended for processing on his behalf after the transfer in accordance with his instructions and the terms of the Clauses and who is not subject to a third country’s system ensuring adequate protection within the meaning of Article 25(1) of Directive 95/46/EC;
(d) ‘the subprocessor’ means any processor engaged by the data importer or by any other subprocessor of the data importer who agrees to receive from the data importer or from any other subprocessor of the data importer personal data exclusively intended for processing activities to be carried out on behalf of the data exporter after the transfer in accordance with his instructions, the terms of the Clauses and the terms of the written subcontract;
(e) ‘the applicable data protection law’ means the legislation protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of personal data applicable to a data controller in the Member State in which the data exporter is established;
(f) ‘technical and organisational security measures’ means those measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.
Clause 2
Details of the transfer
The details of the transfer and in particular the special categories of personal data where applicable are specified in Appendix 1 which forms an integral part of the Clauses.
Clause 3
Third-party beneficiary clause
- The data subject can enforce against the data exporter this Clause, Clause 4(b) to (i), Clause 5(a) to (e), and (g) to (j), Clause 6(1) and (2), Clause 7, Clause 8(2), and Clauses 9 to 12 as third-party beneficiary.
- The data subject can enforce against the data importer this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where the data exporter has factually disappeared or has ceased to exist in law unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity.
- The data subject can enforce against the subprocessor this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity. Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses.
- The parties do not object to a data subject being represented by an association or other body if the data subject so expressly wishes and if permitted by national law.
Clause 4
Obligations of the data exporter
The data exporter agrees and warrants:
(a) that the processing, including the transfer itself, of the personal data has been and will continue to be carried out in accordance with the relevant provisions of the applicable data protection law (and, where applicable, has been notified to the relevant authorities of the Member State where the data exporter is established) and does not violate the relevant provisions of that State;
(b) that it has instructed and throughout the duration of the personal data-processing services will instruct the data importer to process the personal data transferred only on the data exporter’s behalf and in accordance with the applicable data protection law and the Clauses;
(c) that the data importer will provide sufficient guarantees in respect of the technical and organisational security measures specified in Appendix 2 to this contract;
(d) that after assessment of the requirements of the applicable data protection law, the security measures are appropriate to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation;
(e) that it will ensure compliance with the security measures;
(f) that, if the transfer involves special categories of data, the data subject has been informed or will be informed before, or as soon as possible after, the transfer that its data could be transmitted to a third country not providing adequate protection within the meaning of Directive 95/46/EC;
(g) to forward any notification received from the data importer or any subprocessor pursuant to Clause 5(b) and Clause 8(3) to the data protection supervisory authority if the data exporter decides to continue the transfer or to lift the suspension;
(h) to make available to the data subjects upon request a copy of the Clauses, with the exception of Appendix 2, and a summary description of the security measures, as well as a copy of any contract for subprocessing services which has to be made in accordance with the Clauses, unless the Clauses or the contract contain commercial information, in which case it may remove such commercial information;
(i) that, in the event of subprocessing, the processing activity is carried out in accordance with Clause 11 by a subprocessor providing at least the same level of protection for the personal data and the rights of data subject as the data importer under the Clauses; and
(j) that it will ensure compliance with Clause 4(a) to (i).
Clause 5
Obligations of the data importer
The data importer agrees and warrants:
(a) to process the personal data only on behalf of the data exporter and in compliance with its instructions and the Clauses; if it cannot provide such compliance for whatever reasons, it agrees to inform promptly the data exporter of its inability to comply, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
(b) that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Clauses, it will promptly notify the change to the data exporter as soon as it is aware, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
(c) that it has implemented the technical and organisational security measures specified in Appendix 2 before processing the personal data transferred;
(d) that it will promptly notify the data exporter about:
(i) any legally binding request for disclosure of the personal data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation;
(ii) any accidental or unauthorised access; and
(iii) any request received directly from the data subjects without responding to that request, unless it has been otherwise authorised to do so;
(e) to deal promptly and properly with all inquiries from the data exporter relating to its processing of the personal data subject to the transfer and to abide by the advice of the supervisory authority with regard to the processing of the data transferred;
(f) at the request of the data exporter to submit its data-processing facilities for audit of the processing activities covered by the Clauses which shall be carried out by the data exporter or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality, selected by the data exporter, where applicable, in agreement with the supervisory authority;
(g) to make available to the data subject upon request a copy of the Clauses, or any existing contract for subprocessing, unless the Clauses or contract contain commercial information, in which case it may remove such commercial information, with the exception of Appendix 2 which shall be replaced by a summary description of the security measures in those cases where the data subject is unable to obtain a copy from the data exporter;
(h) that, in the event of subprocessing, it has previously informed the data exporter and obtained its prior written consent;
(i) that the processing services by the subprocessor will be carried out in accordance with Clause 11;
(j) to send promptly a copy of any subprocessor agreement it concludes under the Clauses to the data exporter.
Clause 6
Liability
- The parties agree that any data subject, who has suffered damage as a result of any breach of the obligations referred to in Clause 3 or in Clause 11 by any party or subprocessor is entitled to receive compensation from the data exporter for the damage suffered.
- If a data subject is not able to bring a claim for compensation in accordance with paragraph 1 against the data exporter, arising out of a breach by the data importer or his subprocessor of any of their obligations referred to in Clause 3 or in Clause 11, because the data exporter has factually disappeared or ceased to exist in law or has become insolvent, the data importer agrees that the data subject may issue a claim against the data importer as if it were the data exporter, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, in which case the data subject can enforce its rights against such entity.
The data importer may not rely on a breach by a subprocessor of its obligations in order to avoid its own liabilities.
- If a data subject is not able to bring a claim against the data exporter or the data importer referred to in paragraphs 1 and 2, arising out of a breach by the subprocessor of any of their obligations referred to in Clause 3 or in Clause 11 because both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, the subprocessor agrees that the data subject may issue a claim against the data subprocessor with regard to its own processing operations under the Clauses as if it were the data exporter or the data importer, unless any successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law, in which case the data subject can enforce its rights against such entity. The liability of the subprocessor shall be limited to its own processing operations under the Clauses.
Clause 7
Mediation and jurisdiction
- The data importer agrees that if the data subject invokes against it third-party beneficiary rights and/or claims compensation for damages under the Clauses, the data importer will accept the decision of the data subject:
(a) to refer the dispute to mediation, by an independent person or, where applicable, by the supervisory authority;
(b) to refer the dispute to the courts in the Member State in which the data exporter is established.
- The parties agree that the choice made by the data subject will not prejudice its substantive or procedural rights to seek remedies in accordance with other provisions of national or international law.
Clause 8
Cooperation with supervisory authorities
- The data exporter agrees to deposit a copy of this contract with the supervisory authority if it so requests or if such deposit is required under the applicable data protection law.
- The parties agree that the supervisory authority has the right to conduct an audit of the data importer, and of any subprocessor, which has the same scope and is subject to the same conditions as would apply to an audit of the data exporter under the applicable data protection law.
- The data importer shall promptly inform the data exporter about the existence of legislation applicable to it or any subprocessor preventing the conduct of an audit of the data importer, or any subprocessor, pursuant to paragraph 2. In such a case the data exporter shall be entitled to take the measures foreseen in Clause 5(b).
Clause 9
Governing law
The Clauses shall be governed by the law of the Member State in which the data exporter is established.
Clause 10
Variation of the contract
The parties undertake not to vary or modify the Clauses. This does not preclude the parties from adding clauses on business related issues where required as long as they do not contradict the Clause.
Clause 11
Subprocessing
- The data importer shall not subcontract any of its processing operations performed on behalf of the data exporter under the Clauses without the prior written consent of the data exporter. Where the data importer subcontracts its obligations under the Clauses, with the consent of the data exporter, it shall do so only by way of a written agreement with the subprocessor which imposes the same obligations on the subprocessor as are imposed on the data importer under the Clauses. Where the subprocessor fails to fulfil its data protection obligations under such written agreement the data importer shall remain fully liable to the data exporter for the performance of the subprocessor’s obligations under such agreement.
- The prior written contract between the data importer and the subprocessor shall also provide for a third-party beneficiary clause as laid down in Clause 3 for cases where the data subject is not able to bring the claim for compensation referred to in paragraph 1 of Clause 6 against the data exporter or the data importer because they have factually disappeared or have ceased to exist in law or have become insolvent and no successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law. Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses.
- The provisions relating to data protection aspects for subprocessing of the contract referred to in paragraph 1 shall be governed by the law of the Member State in which the data exporter is established.
- The data exporter shall keep a list of subprocessing agreements concluded under the Clauses and notified by the data importer pursuant to Clause 5(j), which shall be updated at least once a year. The list shall be available to the data exporter’s data protection supervisory authority.
Clause 12
Obligation after the termination of personal data-processing services
- The parties agree that on the termination of the provision of data-processing services, the data importer and the subprocessor shall, at the choice of the data exporter, return all the personal data transferred and the copies thereof to the data exporter or shall destroy all the personal data and certify to the data exporter that it has done so, unless legislation imposed upon the data importer prevents it from returning or destroying all or part of the personal data transferred. In that case, the data importer warrants that it will guarantee the confidentiality of the personal data transferred and will not actively process the personal data transferred anymore.
- The data importer and the subprocessor warrant that upon request of the data exporter and/or of the supervisory authority, it will submit its data-processing facilities for an audit of the measures referred to in paragraph 1.
Appendix 1
to the Standard Contractual Clauses
This Appendix forms part of the Clauses
Data exporter
Depending on the contracted service(s) to which this applies, the data exporter is either the Customer, or CULTRIX LIMITED, a company incorporated in England and Wales (registration number 04556716) having its registered office at Kendray Business Centre, Thornton Road, Barnsley, S70 3NA.
Data importer
The data importer is the relevant third-parties identified at https://www.cultrix.co.uk/legal/privacy-and-cookies/gdpr/third-parties-and-data-sharing/ that have hosting facilities outside the EEA.
Data subjects
The personal data transferred concerns the categories of data subjects set out under Schedule 1, Section 1.
Categories of data
The personal data transferred concern the categories of data set out under Schedule 1, Section 2.
Processing operations
The personal data transferred will be subject to the processing activities set out under Schedule 1, Section 3.
Appendix 2
to the Standard Contractual Clauses
This Appendix forms part of the Clauses
Description of the technical and organisational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) (or document/legislation attached):
Each data importer we employ uses appropriate security standards to safeguard data as detailed at https://www.cultrix.co.uk/legal/privacy-and-cookies/gdpr/third-parties-and-data-sharing/.
Liability
The parties agree that if one party is held liable for a violation of the clauses committed by the other party, the latter will, to the extent to which it is liable, indemnify the first party for any cost, charge, damages, expenses or loss it has incurred.
Indemnification is contingent upon:
(a) the data exporter promptly notifying the data importer of a claim; and
(b) the data importer being given the possibility to cooperate with the data exporter in the defence and settlement of the claim.