Supplemental Data Processing Addendum - Processor to Controller - EMaC - Automotive Retention Solutions

Updated September 2023

This Data Processing Addendum (“Addendum”) forms part of the agreement between the Client and EMaC covering any Processing of Personal Data relating to the Services provided to the Client (as defined below) (“Agreement”).

1. Definitions

Affiliate: any entity that directly or indirectly controls, is controlled by, or is under common control with another entity;
Controller, Processor, Data Subject, Personal Data: shall bear the respective meanings given to them in the Data Protection Law;
Controller Personal Data: all Personal Data which is owned, controlled or processed by the Client or any of its Affiliates, and which is provided by or on behalf of the Client or any of its Affiliates to EMaC or which comes into the possession of the EMaC as a result of or in connection with the supply of the Services;
Data Protection Law: all applicable legislation and regulatory requirements in force from time to time relating to the use of Personal Data and the privacy of electronic communications, including, without limitation (i) any data protection legislation from time to time in force in the United Kingdom (“UK”) including the Data Protection Act 2018 or any successor legislation, as well as (ii) the General Data Protection Regulation ((EU) 2016/679), as it forms part of domestic law in the UK by virtue of section 3 of the European Union (Withdrawal) Act 2018 (including as further amended or modified by the laws of the UK or of any part of the UK from time to time) (“UK GDPR”); (iii) any laws which implement any such laws; and (iv) any laws which replace, extend, re-enact, consolidate or amend any of the foregoing (whether or not before or after the date of the Agreement);
Description of Processing: the description of Processing as set out in Clause 8 of this Addendum;
Personnel: means any employee, staff, workers, agents or consultants of a Party;
Process or Processing of Personal Data: shall bear the meanings given to it in the Data Protection Law (currently Chapter 1, Article 4) and Processor shall be defined accordingly;
Services: all of the services provided to the Client by EMaC in connection with any Agreement that the parties have entered into that requires the Processing of Personal Data;
Sub-Contractor: any Third Party which has the meaning given to it in the Data Protection Law; and
Supplier Personnel: any of the Supplier’s employees, staff, workers, agents or consultants.

2. Preliminaries
2.1 The parties agree that the Client is the Data Controller, and that EMaC is appointed as a Processor for the purposes of Processing Controller Personal Data pursuant to this Addendum.

3. Processor Obligations
3.1 EMaC and any of its Personnel shall:

(a) only Process Controller Personal Data on the documented instructions of the Client from time to time;

(b) ensure that access to Controller Personal Data is limited to EMaC Personnel and authorised Sub-Processors who need access to it to supply the Services and who are subject to obligations of confidence with regard to the Controller Personal Data that are at least as onerous as the obligations of confidence set out in this Addendum;

(c) subject to clause 3.4, not transfer, or otherwise directly or indirectly disclose, any Controller Personal Data which are undergoing Processing or are intended for Processing after transfer to countries or international organisations outside the UK and/or European Union (EU) without the prior written consent of the Client except where EMaC is required to transfer the Controller Personal Data by the laws of the UK or member states of the EU or EU law (and shall inform the Client of that legal requirement before the transfer, unless those laws prevent it doing so);

(d) taking into account the nature of the Processing, assist the Client (by appropriate technical and organisational measures), insofar as this is possible, in relation to any request from any Data Subject for: access, rectification or erasure of Controller Personal Data, or any objection to Processing; and

(e) provide such information and assistance as the Client may require in relation to:

i. the need to undertake a data protection impact assessment in accordance with the Data Protection Law; and
ii. any approval of the Information Commissioner or other data protection supervisory authority to any Processing of Controller Personal Data, or any request, notice or investigation by such supervisory authority.

3.2 EMaC shall:

(a) ensure that access to Controller Personal Data is limited to the EMaC Personnel and authorised Sub-Contractors who need access to it to supply the Services, and that all EMaC Personnel and authorised Sub-Contractors are:

i. informed of the confidential nature of Controller Personal Data, and that they must not disclose Controller Personal Data;
ii. subject to an enforceable obligation of confidence with regard to Controller Personal Data; and
iii. EMaC remains fully liable for all the acts and omissions of the Sub-Processor; and
iv. subject to clause 3.3, that any Sub-Processor agrees in writing to comply with the obligations imposed on the EMaC in this clause that relate to the requirements laid down in Article 28(3) of the UK GDPR;
v. the Client agrees to the use of Sub-Processors as follows:

• Affiliates of EMaC; and
• those Sub-Processors meeting the criteria set out in the EMaC’s data protection policies relating to the criteria on which it appoints its supply chain. EMaC shall provide the Client an opportunity to object to their appointment for these Services.

3.3 EMaC’s obligations under clause 3.2 to impose the obligations on the Sub-Processor as set out in that clause shall be subject to the EMaC’s ability (acting reasonably) to impose such obligations on the Sub-Processor where the Sub-Processor has provided its non-negotiable standard terms to the EMaC, in which case, the EMaC shall use its reasonable endeavours to procure that those obligations set out at clause 3.2 are imposed on the Sub-Processor notwithstanding the Sub-Processor’s standard terms.

3.4 EMaC shall be permitted to transfer the Controller Personal Data to countries outside of the UK and/or the European Union to the extent that the following applies:

(a) EMaC has provided appropriate safeguards in relation to the transfer, which shall include having in place the appropriate model clauses and/or International Data Transfer Agreement as required by the Data Protection Laws or as specified from time to time by the UK Information Commissioner’s Office and/or the EU;

(b) the data subject has enforceable rights and effective legal remedies;

(c) EMaC complies with its obligations under the Data Protection Law by providing an adequate level of protection to any Personal Data that is transferred; and

(d) EMaC complies with the reasonable instructions notified to it in advance by the Client with respect to the Processing of Client Personal Data.

4. Data Breaches
4.1 EMaC shall:

(a) notify the Client without undue delay and in writing if any Controller Personal Data has been disclosed in breach of this Addendum; and

(b) notify the Client promptly if it becomes aware of a breach of security of Controller Personal Data and such notices shall include full and complete details relating to such breach.

4.2 If EMaC breaches or potentially breaches its obligations set out in this Addendum or there occurs any threat to the security of Controller Personal Data, the Client shall:

(a) take immediate steps to remedy the breach or prevent the potential breach or remove the threat;

(b) promptly take measures to ensure there is no repetition of the incident in the future;

(c) promptly provide the Client with full details in writing of the steps and measures taken; and

(d) comply with all reasonable requests made by the Client in respect of the breach or threat.

4.3 In EMaC’s reasonable opinion, to the extent that it believes that any instruction received by it is likely to infringe the Data Protection Law or any other applicable law, EMaC shall promptly inform the Client.

5. Security
5.1 Taking into account the state of technical development and the nature of Processing, EMaC shall implement appropriate technical and organisational measures to protect Controller Personal Data against accidental or unlawful destruction, loss, alteration and unauthorised disclosure or access.

5.2 EMaC shall:

(a) provide to the Client upon request a detailed written description of such technical and organisational measures in place;

(b) at all times align with ISO 27001 or otherwise comply with Good Industry Practice relating to data protection, and implementation and maintenance of back-up systems;

(c) preserve so far as possible the security of Controller Personal Data and prevent any loss, disclosure, theft, manipulation or interception of Controller Personal Data; and

(d) ensure that its anti-malware controls are deployed and maintained in accordance with Good Industry Practice and any of the Supplier’s IT policies, check for and delete any malicious materials from its systems and not intentionally or negligently transfer any malicious materials onto any of EMaC’s IT systems or onto any media containing Controller Personal Data.

6. Records
6.1 EMaC shall keep detailed, accurate and up-to-date records relating to its Processing of Controller Personal Data, and shall make available to the Client on request (at no cost to the Client) all information necessary to demonstrate compliance with the obligations laid down in this Addendum.

6.2 EMaC shall after the expiry or termination of the Agreement and following the end of EMaC’s data retention periods (as set out in the EMaC’s data retention policy, which is available on request), at the Client’s cost and its option either to return all of the Controller Personal Data (and copies of it), or securely dispose of Controller Personal Data and/or Confidential Information, except to the extent that any applicable law requires EMaC to store such Controller Personal Data.

6.3 EMaC shall ensure that if any Controller Personal Data is disposed of, such disposal takes place in a secure manner such that Controller Personal Data is not recoverable and is rendered beyond use.

7. Audit
7.1 EMaC shall allow for an audit (no more than once per annum) by the Client, and subject to EMaC’s prior written approval, the Client may appoint a third party auditor in order for EMaC to demonstrate its compliance with this Addendum. For the purposes of such audit, upon reasonable notice, EMaC shall make available to the Client and any appointed auditors the relevant information that the Client deems necessary (acting reasonably) to demonstrate EMaC’s compliance with this clause.

7.2 In EMaC’s reasonable opinion, to the extent that it believes that any instruction received by it in accordance with clause 8.1 is likely to infringe the Data Protection Law or any other applicable law, EMaC shall promptly inform the Client and shall be entitled to withhold its permission for such audit and/or provide the relevant Services until the Client amends its instruction so as not to be infringing.

8. Description of Processing
8.1 The description of Processing shall be as detailed in the Agreement.

9. Governing Law and Jurisdiction
9.1 This Addendum and any dispute or claim (including non-contractual disputes or claims) arising out of or in connection with it or its subject matter or formation shall be governed by and construed in accordance with the law of England and Wales and shall be subject to the exclusive jurisdiction of the courts of England and Wales.

Each party is aware that this Data Processing Addendum is in addition to any other terms and conditions the parties may have entered into in the Agreement and shall be supplemental to those other Agreements.