Data Processing Addendum
1. DEFINITIONS
1.1 Defined terms used in the Terms (as defined below) will have the same meaning in this Data Processing Addendum unless stated otherwise. In addition, the following definitions and rules of interpretation apply in this Data Processing Addendum:
“Appropriate Safeguards” | the measures set out in Article 46 of the GDPR (or UK GDPR, as applicable); |
“Appropriate Technical and Organisational Measures” | the appropriate technical and organisational measures referred to in Data Protection Legislation (including, as appropriate, the measures referred to in Article 32(1) of the GDPR (or UK GDPR, as applicable)); |
“Authorised Person” | the personnel authorised on Your behalf to provide instructions to Us in relation to the Processing provisions in this Data Processing Addendum; |
“Business Day” | a day other than a Saturday, Sunday or public holiday in Ireland when banks are open for business; |
“Business Purpose” | the provision of the Services; |
“Data” | any data or information, in whatever form, including but not limited to images, still and moving, and sound recordings; |
“Data Controller” | has the meaning given to such term in Data Protection Legislation; |
“Data Processor” | has the meaning given to such term in Data Protection Legislation; |
“Data Protection Legislation” | means all applicable laws concerning data protection and privacy in electronic communications including (1) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (the “GDPR”); (2) the Data Protection Acts 1988 to 2018 and the European Communities (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations 2011 in Ireland; (3) the Data Protection Act 2018 and the GDPR (as retained by section 3(10) (as supplemented by section 205(4)) of the UK DPA) (“UK GDPR”), as such legislation shall be supplemented, amended, revised or replaced from time to time and all guidance and codes of practice issued by a relevant Supervisory Authority, such as the DPC and/or the ICO, from time to time and which are applicable to a Party; |
“Data Protection Officer” | a data protection officer appointed pursuant to Data Protection Legislation; |
“Data Subject” | an individual who is the subject of Personal Data which is contained in any document or information provided by You to Us (or made available to Us) through Your use of the Services; |
“Delete” | to remove or obliterate Personal Data such that it cannot be recovered or reconstructed; |
“DPC” | means the Supervisory Authority in Ireland for the purposes of Article 51 of the GDPR whose principal administrative offices are at 21 Fitzwilliam Square South, Dublin 2, D02 RD28, Ireland, or any replacement Supervisory Authority under Data Protection Legislation, appointed from time to time in Ireland; |
“EEA” or “European Economic Area” | means those countries that are contracting parties to the agreement on the European Economic Area from time to time; |
“ICO” | means the Supervisory Authority in the UK for the purposes of Article 51 of the UK GDPR whose principal administrative offices are at Water Lane, Wycliffe House Wilmslow – Cheshire SK9 5AF United Kingdom or any replacement Supervisory Authority under Data Protection Legislation, appointed from time to time in the U.K.; |
“Normal Business Hours” | 9.00am to 5.00pm in Ireland; |
“Our System” | any information technology system or systems owned or operated by Us to which Your Data is delivered or on which the Services are performed; |
“Personal Data” | has the meaning set out in Data Protection Legislation and relates only to personal data, or any part of such personal data, in respect of which You are the Data Controller, and in respect of which We are the Data Processor; |
“Personal Data Breach” | means any “personal data breach” as defined in the GDPR (or UK GDPR, as applicable) in respect of the Personal Data which is caused by Us; |
“Processing” | has the meaning given to such term in Data Protection Legislation, and Processed and Process shall be interpreted accordingly; |
“Representatives” | a Party’s employees, officers, representatives, advisers or subcontractors involved in the provision or receipt of the Services; |
“Restricted Transfer” | any transfer of Personal Data to countries outside of the EEA or UK (as applicable) which are not subject to an adequacy decision by the European Commission or UK Government, as applicable, where such transfer would be prohibited by Data Protection Legislation; |
“Security Features” | any security feature, including any encryption, pseudonymisation, key, PIN, password, token or smartcard; |
“Service” | has the meaning given to such term in the Terms; |
“Specific Instructions” | instructions meeting the criteria set out in paragraph 2.1 of this Data Processing Addendum; |
“Standard Contractual Clauses” | (A) The contractual clauses dealing with the transfer of Personal Data outside the EEA, which have been approved by (i) the European Commission under Data Protection Legislation, or (ii) by the DPC or an equivalent Supervisory Authority under Data Protection Legislation as may be revised, updated or replaced from time to time; and (B) in relation to a Restricted Transfer of Personal Data from the UK, the EU SCCs in conjunction with and as varied by the United Kingdom Addendum B.1.0 to the Standard Contractual Clauses issued by the UK Information Commissioner’s Office as may be revised, updated or replaced from time to time; |
“Sub-processor” | has the meaning given to such term in paragraph 12.1 of this Data Processing Addendum; |
“Supervisory Authority” | any court, regulatory agency or authority which, according to applicable laws and/or regulations (including Data Protection Legislation) supervises privacy issues and/or the Processing of Personal Data; |
“Term” | the duration of the provision of the Services; |
“Terms” | the terms and conditions for supply of the Services entered into between Us and You; |
“Us, Our, We” | Lex Software Limited t/a Klyant; |
“You, Your” | the entity party to the Terms receiving Services from Us; |
“Your Data” | the Personal Data uploaded during the Term by You or any Data Subject from time to time in respect of use of the Services, and any other Personal Data Processed by Us on behalf of You or any Data Subject; and |
“UK” | The United Kingdom of Great Britain and Northern Ireland. |
2. SERVICES
2.1 We shall not act on any specific instructions given by You from time to time during the Term in respect of Processing unless they are:
2.1.1 in writing (including by electronic means); and
2.1.2 given by an Authorised Person.
2.2 We shall Process Your Data for the Business Purpose only and in compliance with Your instructions from time to time, which may be:
2.2.1 Specific Instructions; or
2.2.2 the general instructions set out in this Data Processing Addendum;
2.2.3 unless required to do otherwise by law, in which case, where legally permitted, We shall inform You of such legal requirement before Processing.
2.3 The subject matter and duration of the processing, the nature and purpose of the processing, the types of personal data processed and the categories of data subjects are as follows:
Subject Matter of the processing | Processing the Personal Data included in the Controller Data in connection with the Terms. |
Duration of the processing | For the duration of the Terms or until the Data Processor no longer Processes any Personal Data for the Data Controller. |
Nature and purpose of the processing | Organisation, structuring, storage, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, restriction, erasure or destruction of data in connection with the Business Purpose of the Data Controller. |
Categories of data subjects | the named users being employees, or contractors of You and of your clients and their client details. |
Types of personal data processed | Identity information such as first and last name (including prefix or title), date of birth, place of birth, photograph and gender. Contact information such as billing, business and home postal address, email address and fax and phone number(s). Occupational information such as job titles, work history, education history, qualifications, professional memberships, employment records, salary and employment benefits, professional training history and training plans, national security (e.g. PPS) numbers, driving licences, health information, and employment or character references. Information pertaining to ongoing cases or trials which may include special category data (e.g. relating to political opinion of clients) or information regarding criminal convictions or offences that may be referred to in fee note narratives or letters of engagements to clients. Financial information such as VAT and other tax reference numbers, bank account or card details and bank account details. |
3. PARTIES’ OBLIGATIONS
3.1 We shall:
3.1.1 only make copies of Your Data to the extent reasonably necessary for the Business Purpose (which, for clarity, may include for generating logs in relation to your use of the Services, back-up, mirroring (and similar availability enhancement techniques), security, disaster recovery and testing the Services); and
3.1.2 not extract, reverse-engineer, re-utilise, use, exploit, redistribute, re-disseminate, copy or store Your Data other than for the Business Purpose.
3.2 We shall notify You in writing without delay of any situation or envisaged development that shall in any way change the ability of Us to Process Your Data as set out in this Data Processing Addendum.
3.3 In general, Your Data and any logs created by us relating to Your Data will be kept and stored for the duration of the Term. Notwithstanding this, we shall, and taking into account the nature of Our Processing of Personal Data, promptly comply with any written request from you requiring Us to amend, transfer or Delete any of Your Data in advance of the expiration of the Term.
3.4 At Your request, We shall provide to You a copy of all Your Data held by Us in a commonly used format.
3.5 At Your request, taking into account the nature of Our Processing of the Personal Data and the information available, We shall provide to You such information and such assistance as You may reasonably require, and within the timescales reasonably specified by You, to allow You to comply with Your obligations under Data Protection Legislation, including, but not limited to assisting You to:
3.5.1 comply with Your own security obligations as set out in this Data Processing Addendum with respect to the Personal Data;
3.5.2 discharge Your obligations to respond to requests for exercising Data Subjects’ rights with respect to the Personal Data;
3.5.3 comply with Your obligations to inform Data Subjects about serious Personal Data Breaches;
3.5.4 carry out data protection impact assessments and audit data protection impact assessment compliance with respect to the Personal Data; and
3.5.5 comply with Your obligations in respect of the consultation with the DPC or the ICO, as applicable following a data protection impact assessment, where a data protection impact assessment indicates that the Processing of the Personal Data would result in a high risk to Data Subjects.
3.6 Any proposal by Us to in any way use or make available Your Data other than as provided for pursuant to this schedule shall be subject to prior written approval of You.
3.7 You acknowledge that We are under no duty to investigate the completeness, accuracy or sufficiency of (i) any instructions received from You, or (ii) any of Your Data.
3.8 In respect of Your Data (including any special category Personal Data that you upload), You shall:
3.8.1 ensure that You are entitled to transfer Your Data to Us so that We may lawfully process and transfer (if applicable) Your Data in accordance with this Data Processing Addendum;
3.8.2 ensure that the relevant Data Subjects have been informed of, and have given their consent to, such use, processing, and transfer as required by Data Protection Legislation or that You have a lawful basis other than consent to provide Your Data to Us;
3.8.3 notify Us in writing without delay of any situation or envisaged development that shall or may in any way influence, change or limit the ability of Us to process Your Data as set out in this Data Processing Addendum;
3.8.4 ensure that Your Data that You instruct Us to Process pursuant to this Data Processing Addendum is:
(a) obtained lawfully, fairly and in a transparent manner in relation to the Data Subject (including in respect of how consent is obtained, where applicable);
(b) collected and processed for specified, explicit and legitimate purposes, and not further processed in a manner incompatible with those purposes;
(c) adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed;
(d) accurate, and where necessary kept up to date;
(e) erased or rectified without delay where it is inaccurate, having regard to the purposes for which they are processed;
(f) kept in a form which permits identification of Data Subjects for no longer than is necessary for the purposes for which the Personal Data are processed (subject to circumstances where Personal Data may be stored for longer periods insofar as it will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, and subject to the implementation of Appropriate Technical and Organisational Measures);
(g) processed in a manner that ensures appropriate security of the Personal Data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using Appropriate Technical and Organisational Measures; and
(h) provide such information and such assistance to Us as We may reasonably require, and within the timescales reasonably specified by Us, to allow Us to comply with Our obligations under Data Protection Legislation.
3.9 Your Data passed to Us for Processing shall not be kept by You for a period that is longer than necessary.
4. OUR EMPLOYEES
4.1 We shall take reasonable steps to ensure that Our employees have committed themselves to a binding duty of confidentiality in respect of Your Data.
5. RECORDS
5.1 We shall keep at Our normal place of business records (including in electronic form) relating to all categories of Processing activities carried out on behalf of You, containing:
5.1.1 the general description of the security measures taken in respect of the Personal Data, including details of any Security Features and the Appropriate Technical and Organisational Measures;
5.1.2 the name and contact details of Us, any sub-supplier and, where applicable, Our representatives and any Data Protection Officer appointed by Us;
5.1.3 the categories of Processing by Us on behalf of You; and
5.1.4 details of any non-EEA Personal Data transfers, and the Appropriate Safeguards in place in respect of such transfers.
6. AUDITS
6.1 Subject to paragraphs 6.2, 6.3 and 6.5 below, and to the extent required by Data Protection Legislation, You shall have the right to examine and review the use by Us of Your Data provided to Us by You only for the purpose of ascertaining that Your Data has been used and Processed in accordance with the terms of this Data Processing Addendum.
6.2 An audit under this paragraph 6 shall be carried out on the following basis: (i) You must first contact Us by email asking for evidence of compliance with Our obligations under this Data Processing Addendum, and We shall respond to such email within 30 Business Days; (ii) if We have not responded to Your email with a response which is reasonably satisfactory to You within such 30 Business Day period then, no more than once in any twelve (12) month period and during Normal Business Hours during the course of one Business Day You may audit Our Processing of Your Personal Data at a location agreed by Us. Any such audit shall not interfere with the normal and efficient operation of Our business. We may require, as a condition of granting such access, that You (and representatives of You) enter into reasonable confidentiality undertakings with Us.
6.3 The scope of any examination and review by You of the use by Us of the Personal Data shall be agreed in writing prior to the commencement of any such examination and review.
6.4 In the event that the audit process determines that We are materially non-compliant with our obligations under this Data Processing Addendum, You may, by notice in writing, deny Us further access to Your Data.
6.5 To the extent permitted under Data Protection Legislation, We may demonstrate Our and, if applicable Our Sub-processors’, compliance with Our obligations under this Data Processing Addendum through Our compliance with a certification scheme or code of conduct approved under Data Protection Legislation.
7. DATA SUBJECT REQUESTS
7.1 Taking into account the nature of Our Processing of the Personal Data, We shall assist You by employing Appropriate Technical and Organisational Measures, insofar as this is possible, in respect of the fulfilment of Your obligations to respond to requests from a Data Subject exercising his/her rights under Data Protection Legislation.
7.2 We shall notify You as soon as reasonably practicable if We receive:
7.2.1 a request from a Data Subject for access to that person’s Personal Data (relating to the Services);
7.2.2 any communication from a Data Subject (relating to the Services) seeking to exercise rights conferred on the Data Subject by Data Protection Legislation in respect of Personal Data; or
7.2.3 any complaint or any claim for compensation arising from or relating to the Processing of such Personal Data.
7.3 We shall not disclose the Personal Data to any Data Subject or to a third party other than at the request of You, as provided for in this Data Processing Addendum, or as required by law in which case We shall to the extent permitted by law inform You of that legal requirement before We disclose the Personal Data to any Data Subject or third party.
7.4 We shall not respond to any request from a Data Subject except as required by law, in which case We shall to the extent permitted by law inform You of that legal requirement before We respond to the request.
8. DATA PROTECTION OFFICER
8.1 We shall appoint a Data Protection Officer, if required to do so pursuant to Data Protection Legislation, and provide You with the contact details of such Data Protection Officer.
8.2 You shall appoint a Data Protection Officer, if required to do so pursuant to Data Protection Legislation, and provide Us with the contact details of such Data Protection Officer.
9. SECURITY
9.1 We shall, in accordance with Our requirements under Data Protection Legislation, implement Appropriate Technical and Organisational Measures to safeguard Your Data from unauthorised or unlawful Processing or accidental loss, alteration, disclosure, destruction or damage, and that, having regard to the state of technological development and the cost of implementing any measures (and the nature, scope, context and purposes of Processing, as well as the risk to Data Subjects), such measures shall be proportionate and reasonable to ensure a level of security appropriate to the harm that might result from unauthorised or unlawful Processing or accidental loss, alteration, disclosure, destruction or damage and to the nature of the Personal Data to be protected.
9.2 We shall ensure that Your Data can only be accessed by persons and systems that are authorised by Us and necessary to meet the Business Purpose, and that all equipment used by Us for the Processing of Your Data shall be maintained by Us in a physically secure environment.
9.3 You shall make a back-up copy of Your Data as often as is reasonably necessary and record the copy on media from which Your Data can be reloaded in the event of any corruption or loss of Your Data.
10. BREACH REPORTING
10.1 We shall promptly inform You if any of Your Data is lost or destroyed or becomes damaged, corrupted, or unusable, or if there is any accidental, unauthorised or unlawful disclosure of or access to any of Your Data. In such case, We will use Our reasonable endeavours to restore Your Data, and will comply with all of Our obligations under Data Protection Legislation in this regard.
10.2 We must inform You of any Personal Data Breaches, or any complaint, notice or communication in relation to a Personal Data Breach, without undue delay. Taking into account the nature of Our Processing of the Personal Data and the information available to Us, We will provide sufficient information and assist You in ensuring compliance with Your obligations in relation to notification of Personal Data Breaches (including the obligation to notify Personal Data Breaches to the DPC or the ICO, as applicable, within seventy two (72) hours), and communication of Personal Data Breaches to Data Subjects where the breach is likely to result in a high risk to the rights of such Data Subjects. Taking into account the nature of Our Processing of the Personal Data and the information available to Us, We shall co-operate with You and take such reasonable commercial steps as are directed by You to assist in the investigation, mitigation and remediation of each such Personal Data Breach.
11. RESTRICTED TRANSFERS
11.1 A Restricted Transfer may not be made by Us (other than transfers to our Affiliates and by any agents and contractors for the purposes of performing the Services, and You shall endeavour to obtain explicit consent from relevant Data Subjects in respect of such potential transfers) without the prior written consent of You (such consent not to be unreasonably withheld, delayed or conditioned), and if such consent has been obtained (or is unnecessary), such Restricted Transfer may only be made where there are Appropriate Safeguards in place with regard to the rights of Data Subjects (including but not limited to the Standard Contractual Clauses, binding corporate rules, or any other model clauses approved by the DPC or the ICO, as applicable).
11.2 Subject to paragraph 11.3, in the event of any Restricted Transfer by Us to a contracted Sub-processor, to any Affiliate of You or otherwise (“Data Importer”) for which your consent has been obtained (or is unnecessary), We and You shall procure that (i) You (where the Restricted Transfer is being made at the request of You) or Us acting as agent for and on behalf of You (where the Restricted Transfer is being made at the request of Us), and (ii) the Data Importer, shall enter into the Standard Contractual Clauses in respect of such Restricted Transfer. The Party who is entering into the Appropriate Safeguards with a Data Importer shall comply with the guidance of any relevant regulatory authority on Restricted Transfers in particular with respect to the use of Standard Contractual Clauses and any additional or supplementary measures required to be taken in the context of any such Restricted Transfers including the requirement to carry out risk assessments and to adopt mitigating measures to ensure essentially equivalent protection for Data Subjects in the jurisdiction of the Data Importer.
11.3 Paragraph 11.1 or 11.2 shall not apply to a Restricted Transfer if other compliance steps (which may include, but shall not be limited to, obtaining explicit consents from Data Subjects) have been taken to allow the relevant Restricted Transfer to take place without breach of applicable Data Protection Legislation.
11.4 Where a transfer becomes a Restricted Transfer, for any reason, to include the revocation or invalidation of an Adequacy Decision, the Parties shall comply with Clause 11.1 and take the necessary steps to comply with applicable Data Protection Legislation in respect of such transfers.
11.5 In the event that (i) either Party is required to enter into the Standard Contractual Clauses in accordance with this paragraph 11 and (ii) there is any conflict or ambiguity between any provision contained in this Data Processing Addendum and any provision contained in such Standard Contractual Clauses, the Standard Contractual Clauses shall take precedence in respect of such conflict (other than in respect of legislative references etc. which have been updated pursuant to Data Protection Legislation since the date of approval of such Standard Contractual Clauses).
12. SUB-PROCESSORS
12.1 You agree and acknowledge that We may seek to have Your Data Processed by any of Our Affiliates and by any agents and contractors listed at Data Processing Addendum 2 for the purpose of providing the Service (a “Sub-processor”). The list of the categories of Sub-processors used by Us may be maintained on our website at or may be otherwise notified to You by Us from time to time. If you object to such sub-processing arrangements, then You should confirm this to Us and, if you do so confirm, You acknowledge that You may no longer be able to avail of some or all of Our Services.
12.2 We must enter into a data processing contract with the Sub-processor which places the same data protection obligations on the Sub-processor as We have in this Data Processing Addendum (in particular, providing sufficient guarantees to implement Appropriate Technical and Organisational Measures in such a manner that the Processing will meet the requirements of Data Protection Legislation).
12.3 With respect to each Sub-processor, We shall, before the Sub-processor first Processes Your Data, ensure that the Sub-processor is capable of providing the level of protection for Your Data required by this Data Processing Addendum.
12.4 We will respect the conditions for engaging Sub-processors as set out in Article 28 (4) of the GDPR or UK GDPR, as applicable.
13. WARRANTIES
13.1 We warrant and undertake to You that:
13.1.1 We will Process Your Data in compliance with our obligations under Data Protection Legislation;
13.1.2 We will maintain Appropriate Technical and Organisational Measures against the unauthorised or unlawful Processing of Your Data and against the accidental loss or destruction of, or damage to, Your Data; and
13.2 You hereby warrant and undertake that:
13.2.1 You have complied with and shall comply with Your obligations under Data Protection Legislation;
13.2.2 You have the right to transfer (or to authorise Data Subjects to transfer) Your Data to Us in accordance with the terms of this Data Processing Addendum;
13.2.3 Your instructions that are set out in this Data Processing Addendum accurately reflect the instructions of the Data Controller to the extent that We are a Data Processor on behalf of the Data Controller;
13.2.4 You shall, and shall cause, appropriate notices to be provided to, and valid consents (where required) to be obtained from, Data Subjects, in each case that are necessary for Us to Process (and have Processed by Sub-processors) Personal Data under or in connection with this Data Processing Addendum, including Processing outside the EEA on the basis of any of the legal conditions for such transfer and Processing set out in paragraph 12 above;
13.2.5 You shall not, by act or omission, cause Us to violate any Data Protection Legislation, notices provided to, or consents obtained from, Data Subjects as a result of Us or Our Sub-processors Processing the Personal Data; and
14. INDEMNITY
14.1 You agree to indemnify and keep indemnified and defend Us against all costs, claims, damages or expenses incurred by Us or for which We may become liable due to any failure by You or Your employees or agents to comply with any of our obligations under this Data Processing Addendum and/or under Data Protection Legislation and/or any breach of any warranty provided by You in this Data Processing Addendum.
14.2 If any third party makes a claim against Us, or notifies an intention to make a claim against Us, We shall: (i) give You written notice of the claim as soon as reasonably practicable; (ii) not make any admission of liability in relation to the claim without Your prior written consent; (iii) at Our request, allow You to conduct the defence of the claim against Us including settlement; and (iv) co-operate and assist to a reasonable extent with Your defence of the claim against Us.
15. LIMITATION OF LIABILITY
15.1 To the extent permitted by law, We shall not under any circumstances be liable to You for any of Your costs or losses relating to this schedule.
15.2 For the avoidance of doubt, the limitation of liability provisions set out in clause 14 of the Terms apply in respect of the obligations of the Parties under this schedule.
15.3 Unless required to do so by the DPC, the ICO or any other competent supervisory authority, We shall not make any payment or any offer of payment to any Data Subject in response to any complaint or any claim for compensation arising from or relating to the Processing of Your Data, without the prior written agreement of You.
15.4 You acknowledge and agree that We are reliant on You for direction as to the extent to which We are entitled to use and process Your Data. Consequently, We will not be liable for any claim brought by a Data Subject arising from any action or omission by Us, to the extent that such action or omission resulted directly from Your instructions and/or the transactions contemplated by this Data Processing Addendum.
16. CONSEQUENCES OF TERMINATION ON YOUR DATA
16.1 Upon termination or expiry of the Terms, at the choice of You, We shall Delete or return all Your Data to You and Delete existing copies of Your Data, unless legally required/entitled to store Your Data for a period of time. If You make no such election within a ten (10) day period of termination or expiry of the Terms, We may Delete any of Your Data in our possession; and if You elect for destruction rather than return of Your Data, We shall as soon as reasonably practicable ensure that all Your Data is Deleted from Our System, unless legally required/entitled to store Your Data for a period of time.
SCHEDULE 1
LIST OF AUTHORISED SUB-PROCESSORS
Name of Sub-processor | Location of Sub-processor | Details of service to be provided |
SWIFTAPP | UK and Romania | Carry out some development work to the software on behalf of Klyant. |