Data Protection
1.1 The parties agree that Client is a Data Controller (“Controller”) and that Agency is a Data Processor (“Processor”) for the purposes of Processing Controller Personal Data pursuant to this Agreement.
1.2 The Controller as at the date of this Agreement gives a general written authorisation to the Agency to engage any agent, sub-contractor or other third party (“Sub-Processor”) subject to the Processor informing the Controller of any intended changes concerning the addition or replacement of any Sub-Processors and allowing the Controller to object to such changes, and the Processor remaining fully liable for all the actions and omissions of the Sub-Processor and, subject to this clause, that any Sub-Processor agrees in writing to comply with obligations at least equivalent to those obligations imposed on the Processor in this clause that relate to the requirements laid down in Article 28(3) of the GDPR. The Processor’s obligation under clause 1.2 to impose the obligations on the Sub-Processor as set out in that clause shall be subject to the Processor’s ability (acting reasonably) to impose such obligations on the Sub-Processor where the Sub-Processor has provided its non-negotiable standard terms to the Processor, in which case the Processor shall use its reasonable endeavours to procure that those obligations set out at clause 1.3 are imposed on the Sub-Processor notwithstanding the Sub-Processor’s standard terms.
1.3 The Processor shall:
(a) only Process the Controller Personal Data on the documented instructions of the Controller from time to time; and
(b) subject to clause 1.4 not transfer, or otherwise directly or indirectly disclose, any Controller Personal Data to countries outside the European Economic Area (EEA) without the prior written consent of the Controller except where the Processor is required to transfer the Controller Personal Data by the laws of the member states of the EU or EU law (and shall inform the Controller of that legal requirement before the transfer, unless those laws prevent it doing so). Subject always to the preceding provisions of this clause 1.3 and clause 1.4, the Controller and the Processor shall agree the countries in respect of which the Processor is permitted to transfer the Controller Personal Data on the Effective Date.
1.4 The Processor shall be permitted to transfer the Controller Personal Data to countries outside of the EEA to the extent that any one or more of the following applies:
(a) the Processor has in place with the non-EEA receiving entity/Sub-Processor the EU model contractual clauses as set out in Decision 2010/87/EU or any alternative version of those clauses issued by the European Commission or a supervisory authority from time to time;
(b) the transfer is to a non-EEA country that is deemed to have an adequate level of protection from time to time by the European Commission or such other supervisory authority;
(c) to the extent that the transfer is to an Agency Group Company located outside of the EEA, the Processor’s Group has in place Binding Corporate Rules for the transfer of Personal Data to a non-EEA Group Company;
(d) there is an approved code of conduct in place by an association or other body representing the Controller or Processor that applies to the non-EEA territory or territories to which the Controller Personal Data is to be transferred;
(e) there is an approved certification mechanism in place in respect of the non-EEA territory; and
(f) to the extent that the transfer is to an entity located in the United States, such entity participates in the EU-US Privacy Shield or such other mechanism that may replace or supersede it from time to time.
1.5 The Processor shall ensure that access to Controller Personal Data is limited to the Processor Personnel and authorised Sub-Processors who need access to it to supply the Services and who are subject to an enforceable obligation of confidence with regards to the Controller Personal Data.
1.6 Taking into account the state of technical development and the nature of Processing, the Processor shall implement appropriate technical and organisational measures to protect Controller Personal Data against accidental or unlawful destruction, loss, alteration and unauthorised disclosure or access.
1.7 The Processor shall, taking into account the nature of the Processing, assist the Controller (by appropriate technical and organisational measures), insofar as this is possible, in relation to any request from any Data Subject for: access, rectification or erasure of Controller Personal Data, or any objection to Processing.
1.8 The Processor shall notify the Controller without undue delay and in writing if any Controller Personal Data has been disclosed in breach of this clause 1.
1.9 The Processor shall notify the Controller promptly if it becomes aware of a breach of security of Controller Personal Data; such notices shall include full and complete details relating to such breach.
1.10 The Processor shall provide such assistance (at the Controller’s cost) as the Controller may reasonably require in relation to the need to undertake a data protection impact assessment in accordance with the Data Protection Legislation.
1.11 The Processor shall provide such assistance (at the Controller’s cost) as the Controller may reasonably require in relation to any approval of the Information Commissioner or other data protection supervisory authority to any Processing of Controller Personal Data.
1.12 The Processor shall on the expiry or termination of this Agreement, at the Controller’s cost and its option either return all of the Controller Personal Data (and copies of it) or securely dispose of the Controller Personal Data except to the extent that any applicable law requires the Processor to store such Controller Personal Data or the Controller orders the Processor’s retention service.
1.13 At the Controller’s cost, the Processor shall allow for an audit (no more than once per annum) by the Controller and any auditors appointed by it in order for the Processor to demonstrate its compliance with this clause 1. For the purposes of such audit, upon reasonable notice, the Processor shall make available to the Controller and any appointed auditors all information that the Controller deems necessary (acting reasonably) to demonstrate the Processor’s compliance with this clause 1.
1.14 In the Processor’s reasonable opinion, to the extent that it believes that any instruction received by it in accordance with clause 1.13 is likely to infringe the Data Protection Legislation or any other applicable law, the Processor shall promptly inform the Controller and shall be entitled to withhold its permission for such audit and/or provide the relevant Services until the Controller amends its instruction so as not to be infringing.
1.15 The Processor shall adhere to any relevant approved code of conduct and approved certification mechanism, if and when this has been adopted and implemented by the Information Commissioner’s Office.
1.16 To the extent that the Controller collects and passes Personal Data to the Processor pursuant to this Agreement, it represents, warrants and undertakes that:
(a) it has obtained appropriate authority from all Data Subjects to whom it relates, or has provided them with the requisite information required under the Data Protection Legislation, to pass their Personal Data to the Processor for the purposes for which the Controller intends to use it and/or as specified by the Controller in writing; and
(b) it is accurate and up to date.
1.17 Each party (the “indemnifying party”) shall indemnify the other party (the “indemnified party”) against:
(a) any fines imposed on the indemnified party by the Information Commissioner or any regulator that may replace it from time to time or any equivalent as a result of the indemnifying party’s breach of its obligations under this Agreement; and
(b) subject to clause 1.18, all amounts paid or payable by the indemnified party to a third party which would not have been paid or payable if the indemnifying party’s breach of this clause 1 had not occurred; and
(c) all other losses, claims, damages, liabilities, fines, interest, penalties, costs, charges, expenses, demands and legal and other professional costs (calculated on a full indemnity basis) arising out of or in connection with any breach by the indemnifying party of its obligations under this clause, up to the maximum aggregate value in respect of each Data Protection Liability of two hundred and fifty thousand pounds (£250,000) in each year of the Term and provided that such breach amounts to £10,000 or above.
1.18 The indemnifying party shall not be liable under clause 1.17(b):
(a) if it proves that it was not in any way responsible for the event giving rise to the damage in accordance with Article 82(3) of the GDPR; or
(b) to the extent that the indemnified party is responsible for the damage in accordance with Article 82(5) of the GDPR.
1.19 Notwithstanding the provisions of this clause 1, the Client as Data Controller acknowledges that it has authorised the Agency as Data Processor to obtain and collect certain personal information relating to the Client’s customers through the provision of the Services. This includes but is not limited to the use of cookies, tracking technologies and tracking code. The Client warrants that it has fully complied with the Data Protection Legislation in authorising the Agency to collect and make such Controller Personal Data available to the Client. The Client further warrants that it makes available a privacy policy/privacy notice on the Client Platforms as required by the Data Protection Legislation which informs its customers that the Agency is collecting the Controller Personal Data on its behalf and how the Client will use that information. The Client further warrants that it will include a cookie policy on its Client Platforms which informs its customers about the cookies which will be placed on the Client Platforms by the Agency during the provision of the Services.