Supplier Data Processing Addendum
BACKGROUND
A. Orbex Solutions Limited (“Orbex”) and the Customer have entered into Principal Agreements (as defined below) which involve the processing of Personal Data (as defined below) of Data Subjects (as defined below) and such processing is subject to Data Protection Laws (as defined below).
B. This data processing addendum (Addendum) shall govern the processing of Personal Data of Data Subjects in the context of the Services and/or Products (as defined below).
C. The terms set out below supersede and replace any existing privacy and data protection terms contained in the Principal Agreements pertaining to the processing of Personal Data and this Addendum shall amend the Principal Agreements to that extent. If there is any conflict between the provisions of this Addendum and the data protection terms contained in the Principal Agreements, the provisions of this Addendum shall take precedence. Silence on any particular matter shall be deemed not to give rise to a conflict.
1. DEFINITIONS AND INTERPRETATION
1.1 In this Addendum, unless the context otherwise requires, the following definitions shall apply:
Addendum means these data processing provisions;
Applicable Law means as applicable and binding on the Customer, Orbex and/or the Services and/or Products:
(a) any law, statute, regulation, byelaw or subordinate legislation in force from time to time to which a party is subject and/or in any jurisdiction that the Services and/or Products are provided to or in respect of;
(b) the common law and laws of equity as applicable to the parties from time to time;
(c) any binding court order, judgment or decree; or any applicable direction, policy, rule or order that is binding on a party and that is made or given by any regulatory body having jurisdiction over a party or any of that party's assets, resources or business;
Business Day means a day (other than a Saturday, Sunday or a public holiday in England) when the banks in London are open for business;
Data Client means, in relation to any Protected Data, whichever of:
(a) the Customer or a member of the Customer's Group; or
(b) any customer or end-customer of the Customer, is the Controller in relation to that Protected Data;
Data Protection Laws means all Applicable Laws relating to data protection, the processing of personal data and privacy, including without limitation:
(a) the Data Protection Act 2018;
(b) the GDPR; and
(c) the Privacy and Electronic Communications (EC Directive) Regulations 2003 (as may be amended by the proposed Regulation on Privacy and Electronic Communications);
and references to Controller, Processor, Data Subjects, Personal Data, Process, Processed, Processing and Supervisory Authority have the meanings set out in, and will be interpreted in accordance with, such Data Protection Laws;
Data Protection Losses means all liabilities, including all:
(a) reasonable costs (including legal costs), claims, demands, actions, settlements, interest, charges, procedures, expenses, losses and damages (including relating to material or non-material damage); and
(b) to the extent permitted by Applicable Law:
(i) administrative fines, penalties, sanctions, liabilities or other remedies imposed by a Supervisory Authority;
(ii) compensation which is ordered by a Supervisory Authority to be paid to a Data Subject; and
(iii) the reasonable costs of compliance with investigations by a Supervisory Authority;
Data Security Incident means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Protected Data transmitted, stored or otherwise Processed;
Data Subject Request means a request made by a Data Subject to exercise any rights of Data Subjects under Data Protection Laws;
GDPR means the General Data Protection Regulation (EU) 2016/679;
GDPR Date means 25 May 2018;
Group means any and all Parent Undertakings or Subsidiary Undertakings of a party and any and all subsidiaries of a Parent Undertaking of a party. Parent Undertaking and Subsidiary Undertaking shall have the meanings given to them as in section 1162 of the Companies Act 2006 and Group Companies shall be construed accordingly;
International Transfer means a transfer to a country outside the European Economic Area (as it is made up from time to time) of Protected Data which is undergoing Processing or which is intended to be Processed after transfer;
Principal Agreements means the agreements between Orbex and the Customer for the provision of telecommunications and/or IT related Services and/or Access Control and/or CCTV and/or Products;
Processing Instructions has the meaning given to that term in clause 1.2;
Protected Data means Personal Data which has been passed to Orbex and is required to be Processed under the Principal Agreements and this Addendum by Orbex as a Processor, as more particularly described in Schedule 1 of this Addendum;
Services and/or Products means the telecommunications and/or IT related services and/or products (as applicable) which are provided by Orbex pursuant to the Principal Agreements; and
Sub-Processor means any third party appointed by Orbex to Process the Protected Data.
1.2 In this Addendum (except where the context otherwise requires):
1.2.1 headings are inserted for ease of reference only and shall not affect construction;
1.2.2 the expression “person” means any individual, firm, body corporate, unincorporated association, partnership, government, state or agency of state or joint venture;
1.2.3 the Schedules form part of this Addendum and will have the same force and effect as if expressly set out in the body of this Addendum and any reference to this Addendum will include a reference to the Schedules;
1.2.4 references to any statute or statutory provision will include any subordinate legislation made under it and will be construed as references to such statute, statutory provision and/or subordinate legislation as modified, amended, extended, consolidated, re-enacted and/or replaced and in force from time to time;
1.2.5 where the context requires, words denoting the singular include the plural and vice versa and words denoting any gender include all genders; and
1.2.6 any words following the words “include”, “includes”, “including”, “in particular” or any similar words or expressions will be construed without limitation and accordingly will not limit the meaning of the words preceding them.
2. PROCESSOR AND CONTROLLER
2.1 The parties acknowledge and agree that, for the Protected Data, the Customer (or the relevant Data Client) shall be the Controller and Orbex shall be the Processor or sub-processor.
2.2 The Customer authorises Orbex responsible for providing the Services and/or Products to the Customer pursuant to the Principal Agreements to Process the Protected Data pursuant to this Addendum as a Processor or sub-processor for the purpose set out in Schedule 1.
2.3 Orbex shall Process Protected Data in compliance with:
2.3.1 the obligations of Processors under Data Protection Laws in respect of the performance of its obligations under this Addendum; and
2.3.2 the terms of this Addendum.
2.4 The Customer shall (and shall if the Customer is not the Controller ensure that the relevant Controller shall) comply with:
2.4.1 all Data Protection Laws in connection with the Processing of Protected Data, the Services and/or Products and the exercise and performance of its respective rights and obligations under this Addendum, including maintaining all relevant regulatory registrations and notifications as required under Data Protection Laws; and
2.4.2 the terms of this Addendum.
2.5 The Customer warrants to Orbex that:
2.5.1 it has all necessary rights to authorise Orbex to Process Protected Data in accordance with this Addendum and the Data Protection Laws;
2.5.2 all data sourced by the Customer for use in connection with the Services and/or Products shall comply in all respects, including in terms of its collection, storage and Processing (which shall include the Customer providing all of the required fair processing notices and information to, and obtaining all necessary consents from, Data Subjects), with Data Protection Laws;
2.5.3 it will not send any Protected Data to Orbex which is not necessary for Orbex to provide the Services and/or Products;
2.5.4 its instructions to Orbex relating to Processing of Protected Data will not put Orbex in breach of Data Protection Laws, including with regard to International Transfers; and
2.5.5 it has undertaken due diligence in relation to Orbex's Processing operations, and it is satisfied that:
(a) Orbex's Processing operations are suitable for the purposes for which the Customer proposes to use the Services and/or Products and engage Orbex to Process the Protected Data; and
(b) Orbex has sufficient expertise, reliability and resources to implement technical and organisational measures that meet the requirements of Data Protection Laws.
2.6 If Orbex reasonably considers that any instructions from the Customer relating to Processing of Protected Data may put Orbex in breach of Data Protection Laws, Orbex will be entitled not to carry out that Processing and will not be in breach of this Addendum or otherwise liable to the Customer as a result of its failure to carry out that Processing.
2.7 The Customer shall remain fully liable for the acts or omissions of each Data Client as if they were its own.
3. INSTRUCTIONS AND DETAILS OF PROCESSING
3.1 Insofar as Orbex Processes Protected Data on behalf of the Customer in connection with the provision of the Services and/or Products to the Customer under the Principal Agreements, Orbex:
3.1.1 unless required to do otherwise by Applicable Law, shall (and shall ensure that any Sub-Processor shall) Process the Protected Data only on and in accordance with the Customer's documented instructions as set out in this clause 3 and Schedule 1 (Data Processing Details) (Processing Instructions);
3.1.2 shall, if Applicable Law requires it to process Protected Data other than in accordance with the Processing Instructions, notify the Customer of any such requirement before Processing the Protected Data (unless Applicable Law prohibits such information on grounds of public interest); and
3.1.3 promptly inform the Customer if Orbex becomes aware of a Processing Instruction that, in Orbex's opinion, infringes Data Protection Laws in the course of providing the Services and/or Products, provided that:
(a) this shall be without prejudice to clauses 2.4 and 2.5;
(b) to the maximum extent permitted by law, Orbex shall have no liability howsoever arising (whether in contract, tort (including negligence) or otherwise) for any losses, costs, expenses or liabilities (including any Data Protection Losses) arising from or in connection with any Processing in accordance with the Customer's Processing Instructions following the Customer's receipt of that information; and
(c) this clause 3.1.3 shall only apply from the GDPR Date.
3.2 The Processing of Protected Data to be carried out by Orbex under this Addendum as a Processor shall comprise the Processing set out in Schedule 1 (Data Processing Details), as may be updated from time to time as agreed between the parties.
3.3 In respect of the Personal Data which Orbex Processes as a Controller in connection with the Services and / or Products (for example, in relation to Customer account management and billing), the Customer will:
3.3.1 provide reasonable assistance to Orbex, including to provide fair processing notices to the relevant Data Subjects and obtaining consents if necessary, to enable Orbex to comply with the Data Protection Laws;
3.3.2 ensure that it is not subject to any prohibition or restriction which would:
(a) prevent or restrict it from disclosing or transferring the relevant Personal Data to Orbex, as required under the Principal Agreements or this Addendum; or
(b) prevent or restrict Orbex from Processing the Personal Data as envisaged under the Principal Agreements or this Addendum.
4. TECHNICAL AND ORGANISATIONAL MEASURES
4.1 Orbex shall implement and maintain, at its cost and expense, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the Processing, appropriate technical and organisational measures to ensure a level of security appropriate to the risk.
5. USING STAFF AND OTHER PROCESSORS
5.1 The Customer acknowledges and agrees that Orbex may engage third-party Sub-Processors in connection with the provision of the Services and/or Products. Orbex has entered or will enter into a written agreement with each Sub-Processor containing data protection obligations not less protective than those in this Addendum with respect to the protection of Protected Data to the extent applicable to the nature of the Services and/or Products provided by each Sub-Processor.
5.2 Orbex shall make available to the Customer the current list of Sub-Processors. Orbex will inform the Customer of any proposed addition or replacement of a Sub-Processor thereby giving the Customer an opportunity to object (acting promptly, reasonably and in good faith towards Orbex) to such changes. If the Customer does not provide any objections within 30 days of notice from Orbex regarding the proposed changes to Sub-Processors, without limiting any of its rights or remedies under the Data Protection Laws, the Customer shall be deemed to have consented to such changes.
5.3 In the event that the Customer rejects any proposed addition or replacement of a Sub-Processor in accordance with clause 5.2, without prejudice to any other rights and remedies of Orbex:
5.3.1 Orbex shall not be liable to the Customer for any failure to perform or delay in the performance of its obligations under this Addendum and/or Principal Agreement arising as a result of such rejection by the Customer of any proposed addition or replacement of a Sub-Processor; and
5.3.2 the Customer shall bear all costs incurred by Orbex in the procurement of a suitable replacement Sub-Processor to replace the rejected Sub-Processor (if applicable).
5.4 With effect from the GDPR Date, if Orbex appoints a Sub-Processor, Orbex shall:
5.4.1 prior to the relevant Sub-Processor carrying out any Processing activities in respect of the Protected Data, appoint such Sub-Processor under a written contract which imposes the same (in substance) terms to those imposed on Orbex under this Addendum that is enforceable by Orbex; and
5.4.2 remain fully liable for the acts and omissions of each Sub-Processor as if they were its own.
5.5 With effect from the GDPR Date, Orbex shall ensure that all persons authorised by it (or by any Sub-Processor) to Process Protected Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality (except where disclosure is required in accordance with Applicable Law, in which case Orbex shall, where practicable and not prohibited by Applicable Law, notify the Customer of any such requirement before such disclosure).
6. ASSISTANCE WITH THE CUSTOMER'S COMPLIANCE AND DATA SUBJECT RIGHTS
6.1 Orbex shall, to the extent permitted under Applicable Law, promptly notify the Customer if it receives a Data Subject Request relating to the Services and/or Products. Taking into account the nature of the Processing, Orbex shall assist the Customer by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Customer's (or the relevant Data Client's) obligation to respond to a Data Subject Request under Data Protection Laws, provided that if the number of Data Subject Requests exceeds 3 per calendar month, the Customer shall pay Orbex's charges calculated on a time and materials basis at Orbex's then current prevailing rates for recording and referring the Data Subject Requests in accordance with this clause 6.1.
6.2 From the GDPR Date, Orbex shall provide such reasonable assistance as the Customer reasonably requires (taking into account the nature of Processing and the information available to Orbex) to the Customer in ensuring compliance with the Customer's obligations under Data Protection Laws with respect to:
6.2.1 complying with its obligations under the Data Protection Laws relating to the security of Processing Protected Data;
6.2.2 conducting privacy impact assessments of any Processing operations and consulting with Supervisory Authorities, Data Subjects and their representatives accordingly (as such term is defined in Data Protection Laws);
6.2.3 responding to requests for exercising Data Subjects' rights under the Data Protection Laws, including by appropriate technical and organisational measures, insofar as this is possible;
6.2.4 prior consultation with a Supervisory Authority regarding high risk processing; and
6.2.5 notifications to the Supervisory Authority and/or communications to Data Subjects by the Customer in response to any Data Security Incident, provided the Customer shall pay Orbex's charges for providing the assistance in this clause 6.2, such charges to be calculated on a time and materials basis at Orbex's then current prevailing rates.
7. INTERNATIONAL DATA TRANSFERS
7.1 Orbex will only make an International Transfer if:
7.1.1 a competent authority or body of the United Kingdom or the European Commission (as applicable) makes a binding decision that the country or territory to which the International Transfer is to be made ensures an adequate level of protection for Processing of Personal Data;
7.1.2 Orbex or the relevant Sub-Processor provides adequate safeguards for that International Transfer in accordance with Data Protection Laws, in which case the Customer will execute (and ensure the relevant Data Client(s) execute) any documents (including data transfer agreements) relating to that International Transfer which Orbex or the relevant Sub-Processor requires it to execute from time to time; or
7.1.3 Orbex or the relevant Sub-Processor is required to make the International Transfer to comply with Applicable Laws, in which case Orbex will notify the Customer of such legal requirement prior to such International Transfer unless such Applicable Laws prohibit notice to the Customer on public interest grounds.
8. RECORDS, INFORMATION AND AUDIT
8.1 Orbex shall maintain, in accordance with Data Protection Laws binding on Orbex, written records of all categories of Processing activities carried out on behalf of the Customer.
8.2 Orbex shall, in accordance with Data Protection Laws, upon prior written request make available to the Customer:
8.2.1 a summary of the audit reports demonstrating Orbex's compliance with its obligations as a Processor under Data Protection Laws; and
8.2.2 confirmation that the audit has not revealed any material vulnerability in Orbex's systems, or to the extent that any such vulnerability was detected, that Orbex has taken steps to remedy such vulnerability.
8.3 If the measures set out at clause 8.2 are not sufficient to confirm Orbex's compliance with Data Protection Laws, Orbex will allow for and contribute to audits, including inspections, by the Customer (or another auditor mandated by the Customer) as is reasonably necessary to demonstrate Orbex's compliance with its obligations under Article 28 of the GDPR (and under any Data Protection Laws equivalent to that Article 28), subject to the Customer:
8.3.1 giving Orbex reasonable prior notice of such information request, audit and/or inspection being required by the Customer;
8.3.2 the parties mutually agreeing upon the scope, timing and duration of the audit;
8.3.3 ensuring that all information obtained or generated by the Customer or its auditor(s) in connection with such information requests, inspections and audits is kept strictly confidential (save for disclosure to the Supervisory Authority or as otherwise required by Applicable Law);
8.3.4 ensuring that such audit or inspection is undertaken during normal business hours, with minimal disruption to Orbex's business, the Sub-Processors' business and the business of other customers of Orbex; and
8.3.5 paying Orbex's reasonable charges for assisting with the provision of information and allowing for and contributing to inspections and audits.
9. BREACH NOTIFICATION
9.1 In respect of any Data Security Incident involving Protected Data:
9.1.1 Orbex shall, without undue delay, notify the Customer of the Data Security Incident;
9.1.2 Orbex shall, without undue delay, provide the Customer with relevant details of the Data Security Incident; and
9.1.3 the Customer, if it is not the Controller, shall ensure it provides such notification to the relevant Controller without undue delay.
10. DELETION OR RETURN OF PROTECTED DATA AND COPIES
10.1 Orbex shall, at the Customer's written request, either delete or return all the Protected Data to the Customer in such format as the Customer reasonably requests within a reasonable time after the earlier of:
10.1.1 the end of the provision of the relevant Services and/or Products related to the Processing of Protected Data; or
10.1.2 once Processing by Orbex of any Protected Data is no longer required for the purpose of Orbex's performance of its relevant obligations under this Addendum, and delete existing copies (unless storage of any Protected Data is required by Applicable Law and, if so, Orbex shall inform the Customer of any such requirement).
11. LIABILITY AND COMPENSATION CLAIMS
11.1 Subject to clauses 11.2, 11.3 and 11.4, Orbex will only be liable to the Customer for direct losses incurred by or awarded against the Customer (howsoever arising, whether in contract, tort (including negligence) or otherwise) under or in connection with this Addendum to the extent caused by the Processing of Protected Data under this Addendum and directly resulting from Orbex's breach of this Addendum.
11.2 In no circumstances shall Orbex be liable under this Addendum or the Principal Agreements to the extent that any losses (or the circumstances giving rise to them) are contributed to or caused by any breach of (i) this Addendum or the Principal Agreements (including in accordance with clause 3.1.3(b)), or (ii) the Data Protection Laws by the Customer, relevant Data Client or any third party.
11.3 Subject to clause 11.4, the total liability of Orbex taken together in the aggregate, arising under or in connection with the performance or contemplated performance of its obligations under this Addendum, the Data Protection Laws and all Principal Agreements, to the Customer and all members of the Customer's Group, all Data Clients and all Data Subjects in respect of all Data Protection Losses, shall not exceed the lower of 100% of the annual charges paid or payable by the Customer under the directly affected Principal Agreement or the applicable cap to such liabilities in such Principal Agreement.
11.4 Nothing in this Addendum excludes or limits the liability of Orbex for:
11.4.1 death or personal injury caused by Orbex's negligence;
11.4.2 fraud or fraudulent misrepresentation; or
11.4.3 any liability which cannot by law be limited or excluded.
11.5 If a party receives a compensation claim from a person relating to Processing of Protected Data (Data Compensation), it shall promptly provide the other party with notice and full details of such claim. The party with conduct of the action shall:
11.5.1 make no admission of liability nor agree to any settlement or compromise of the relevant claim without the prior written consent of the other party (which shall not be unreasonably withheld or delayed); and
11.5.2 consult fully with the other party in relation to any such action, but the terms of any settlement or compromise of the claim will be exclusively the decision of the party that is responsible for paying the compensation.
11.6 This clause 11 is intended to apply to the allocation of liability for Data Protection Losses as between the parties, including with respect to compensation to Data Subjects, notwithstanding any provisions under Data Protection Laws to the contrary, except:
11.6.1 to the extent not permitted by Applicable Law (including Data Protection Laws); and
11.6.2 that it does not affect the liability of either party to any Data Subject.
12. TERM
This Addendum shall commence on the later of 25 May 2018 or the date of the applicable Principal Agreement, and shall immediately terminate when Orbex is no longer in possession of any Protected Data.
13. VARIATION
This Addendum may be varied by Orbex uploading the new form of Addendum to http://www.orbex.co.uk/terms_and_conditions.php (or such other website address as is notified to the Customer from time to time) and such variation being brought to the attention of the Customer.
14. SEVERANCE
To the extent that any provision of this Addendum is found by any court or competent authority to be invalid, unlawful or unenforceable in any jurisdiction, that provision shall be deemed not to be a part of this Addendum, it shall not affect the enforceability of the remainder of this Addendum nor shall it affect the validity, lawfulness or enforceability of that provision in any other jurisdiction.
15. CONTRACTS RIGHTS OF THIRD PARTIES
15.1 Save as expressly provided in clause 15.2, no express term of this Addendum or any term implied under it is enforceable pursuant to the Contracts (Rights of Third Parties) Act 1999 by any person who is not a party to it, but this does not affect any right or remedy of a third party which exists, or is available, apart from pursuant to that Act.
15.2 This Addendum shall be for the benefit of Orbex and Orbex shall be entitled to enforce the benefits set out in this Addendum.
15.3 The parties may without limit or restriction terminate, rescind this Addendum, agree any waiver or settlement or vary it in accordance with its terms without reference to, or the consent of any such third party referred to in clause 15.2.
16. RELEASES AND WAIVERS
16.1 Any right, power or remedy of a party under or pursuant to this Addendum or by law shall not be capable of being waived otherwise than by an express waiver in writing signed by an authorised representative of the relevant party.
16.2 No single or partial exercise, or failure or delay in exercising any right, power or remedy by any party shall constitute a waiver by that party of, or impair or preclude any further exercise of, that or any right, power or remedy arising under this Addendum or otherwise.
17. CHANGES TO LAW
Orbex may change any provision of this Addendum to the extent required to comply with any Applicable Law without the consent of the Customer.
18. GOVERNING LAW AND JURISDICTION
18.1 This Addendum and any dispute, claim or obligation (whether contractual or non-contractual) arising out of or in connection with it, its subject matter or formation shall be governed by English law.
18.2 The parties irrevocably agree that the English courts shall have exclusive jurisdiction to settle any dispute or claim (whether contractual or non-contractual) arising out of or in connection with this Addendum, its subject matter or formation.
SCHEDULE 1
DATA PROCESSING DETAILS
1 Subject-matter of processing:
For the purposes of Orbex performing the Principal Agreements.
2 Duration of the processing:
The Processing shall continue for the duration of the Principal Agreements and for any period thereafter that Orbex continues to Process any Protected Data.
3 Nature and purpose of the processing:
To perform and/or deliver (as applicable) the Services and/or Products as set out in the Principal Agreements and as further instructed by the Customer.
4 Type of Personal Data:
Names, telephone numbers, email addresses, addresses of the Data Subjects set out below and any other Personal Data required to be provided to Orbex as Protected Data in the performance of the Principal Agreements, including without limitation the performance and/or delivery (as applicable) of the Services and/or Products.
5 Categories of Data Subjects:
Employees and customers (being natural persons) of the Customer or the relevant Controller.