Data Processing Terms
Introduction
These are the Data Processing Terms and Conditions (the “Data Processing Terms”) on which Keepme Ltd, a company registered in England and Wales under company no. 11714351, with registered address at 71-75 Shelton Street, Covent Garden, London WC2H 9JQ, United Kingdom (“Keepme”), provide the Service (as herein defined) to customers (the “Customer”).
WHEREAS:
(1) Under a written agreement between the Customer and Keepme (the “Service Agreement”) Keepme provides to the Customer the Service described in the Service Agreement.
(2) The provision of the Service by Keepme may involve it in processing Personal Data on behalf of the Customer.
(3) Under EU Regulation 2016/679 General Data Protection Regulation (the “GDPR”) (Article 28, paragraph 3), the Customer is required to put in place an agreement in writing between the Customer and any organisation which processes personal data on its behalf governing the processing of that data.
(4) The Parties have agreed to follow the Data Processing Terms to ensure compliance with the said provisions of the GDPR in relation to all processing of the Personal Data by Keepme for the Customer.
(5) The Data Processing Terms are to apply to all processing of Personal Data carried out for the Customer by Keepme and to all Personal Data held by Keepme in relation to all such processing.
(6) The Data Processing Terms shall form a part of the Service Agreement.
IT IS AGREED as follows:
1. Definitions and Interpretation
1.1 In the Data Processing Terms, unless the context otherwise requires, the following expressions have the following meanings:
“Customer”, “Data Processor”, “processing”, and “data subject” shall have the meanings given to the terms “controller”, “processor”, “processing”, and “data subject” respectively in Article 4 of the GDPR;
“ICO” means the UK’s supervisory authority, the Information Commissioner’s Office;
“Personal Data” means all such “personal data”, as defined in Article 4 of the GDPR for as long as it is directly applicable in the United Kingdom and any successor legislation in the United Kingdom to the GDPR, as is, or is to be, processed by Keepme on behalf of the Customer, as described in the Service Agreement;
“Service” means those services and/or facilities described in the Service Agreement which are provided by Keepme to the Customer and which the Customer uses for the purposes described in the Service Agreement;
“Sub-Processor” means a sub-processor appointed by Keepme to process the Personal Data; and
“Sub-Processing Agreement” means an agreement between Keepme and a Sub-Processor governing the Personal Data processing carried out by the Sub-Processor, as described in Clause 10.
1.2 Unless the context otherwise requires, each reference in the Data Processing Terms to:
1.2.1 “writing”, and any cognate expression, includes a reference to any communication effected by electronic or facsimile transmission or similar means;
1.2.2 a statute or a provision of a statute is a reference to that statute or provision as amended or re-enacted at the relevant time;
1.2.3 the “Service Agreement” is a reference to collectively the Order Confirmation; the T&C’s; the Privacy Policy; and the Data Processing Terms as amended or supplemented at the relevant time;
1.2.4 a Clause or paragraph is a reference to a Clause of the Data Processing Terms.
1.2.5 a “Party” or the “Parties” refer to the parties to the Service Agreement.
1.3 The headings used in the Data Processing Terms are for convenience only and shall have no effect upon the interpretation of the Data Processing Terms.
1.4 Words imparting the singular number shall include the plural and vice versa.
1.5 References to any gender shall include all other genders.
1.6 References to persons shall include corporations.
2. Scope and Application of the Data Processing Terms
2.1 The provisions of the Data Processing Terms shall apply to the processing of the Personal Data described in the Service Agreement, carried out for the Customer by Keepme, and to all Personal Data held by Keepme in relation to all such processing whether such Personal Data is held at the date of the Service Agreement or received afterwards.
2.2 The provisions of the Data Processing Terms supersede any other arrangement, understanding, or agreement made between the Parties at any time relating to the Personal Data.
2.3 The Data Processing Terms shall continue in full force and effect for so long as Keepme is processing Personal Data on behalf of the Customer, and thereafter as provided in Clause 9.
3. Provision of the Service and Processing Personal Data
Keepme is only to carry out the Service, and only to process the Personal Data received from the Customer:
3.1 for the purposes of the Service and not for any other purpose;
3.2 to the extent and in such a manner as is necessary for those purposes; and
3.3 strictly in accordance with the express written authorisation and instructions of the Customer (which may be specific instructions or instructions of a general nature or as otherwise notified by the Customer to Keepme).
4. Data Protection Compliance
4.1 All instructions given by the Customer to Keepme shall be made in writing and shall at all times be in compliance with the GDPR and other applicable laws. Keepme shall act only on such written instructions from the Customer unless Keepme is required by law to do otherwise (as per Article 29 of the GDPR).
4.2 Both Parties shall comply at all times with the GDPR and other applicable laws and shall not perform their obligations under the Data Processing Terms or any other agreement or arrangement between themselves in such way as to cause either Party to breach any of its applicable obligations under the GDPR.
4.3 The Customer hereby warrants, represents, and undertakes that the Personal Data shall comply with the GDPR in all respects including, but not limited to, its collection, holding, and processing.
4.4 Keepme shall ensure that its obligations under the Data Processing Terms are satisfactorily performed in accordance with any and all applicable legislation from time to time in force in the United Kingdom (including, but not limited to, the GDPR) and any best practice guidance issued by the ICO.
4.5 Keepme shall provide all reasonable assistance (at the Customer’s cost) to the Customer in complying with its obligations under the GDPR with respect to the security of processing, the notification of personal data breaches, the conduct of data protection impact assessments, and in dealings with the ICO.
4.6 When processing the Personal Data on behalf of the Customer, Keepme shall:
4.6.1 only transfer the Personal Data to and/or process the Personal Data in a country outside the European Economic Area (all EU member states, plus Iceland, Liechtenstein, and Norway) (“EEA”), where said country complies with the obligations for Data Processors under the provisions applicable to transfers of Personal Data to third countries set out in Chapter 5 of the GDPR by providing an adequate level of protection to any Personal Data that is transferred;
4.6.2 only transfer the Personal Data to any third party strictly subject to the terms of a suitable agreement, as set out in Clause 10;
4.6.3 process the Personal Data only to the extent, and in such manner, as is necessary in order to comply with its obligations to the Customer or as may be required by law (in which case, Keepme shall inform the Customer of the legal requirement in question before processing the Personal Data for that purpose unless prohibited from doing so by law);
4.6.4 implement appropriate technical and organisational measures, and take all steps necessary to protect the Personal Data against unauthorised or unlawful processing, accidental loss, destruction, damage, alteration, or disclosure;
4.6.5 if so requested by the Customer (and within the reasonable timescales required by the Customer) supply further details of the technical and organisational systems in place to safeguard the security of the Personal Data held and to prevent unauthorised access;
4.6.6 keep records of all processing activities carried out on the Personal Data in accordance with the requirements of Article 30(2) of the GDPR;
4.6.7 make available to the Customer any and all such information as is reasonably required and necessary to demonstrate Keepme’s compliance with the GDPR;
4.6.8 on reasonable notice provide the Customer with any information reasonably required in order to assess and verify compliance with the provisions of the Data Processing Terms and both Parties’ compliance with the requirements of the GDPR; and
4.6.9 inform the Customer immediately if it is asked to do anything that infringes the GDPR or any other applicable data protection legislation.
5. Data Subject Access, Complaints, and Breaches
5.1 Keepme shall, at the Customer’s cost, assist the Customer in complying with its obligations under the GDPR. In particular, the following shall apply to data subject access requests, complaints, and data breaches.
5.2 Keepme shall notify the Customer without undue delay if it receives:
5.2.1 a subject access request from a data subject; or
5.2.2 any other complaint or request relating to the processing of the Personal Data.
5.3 Keepme shall, at the Customer’s cost, cooperate fully with the Customer and assist as required in relation to any subject access request, complaint, or other request, including by:
5.3.1 providing the Customer with full details of the complaint or request;
5.3.2 providing the necessary information and assistance in order to comply with a subject access request;
5.3.3 providing the Customer with any Personal Data it holds in relation to a data subject (within the timescales required by the Customer); and
5.3.4 providing the Customer with any other information requested by the Customer.
5.4 Keepme shall notify the Customer immediately if it becomes aware of any form of Personal Data breach, including any unauthorised or unlawful processing, loss of, damage to, or destruction of any of the Personal Data.
6. Data Protection Officer
If the Customer has appointed a Data Protection Officer in accordance with Article 37 of the GDPR, the Customer shall provide the contact details of said officer to Keepme.
7. Liability and Indemnity
7.1 The Customer shall be liable for, and shall indemnify (and keep indemnified) Keepme in respect of any and all action, proceeding, liability, cost, claim, loss, expense (including reasonable legal fees and payments on a solicitor and client basis), or demand suffered or incurred by, awarded against, or agreed to be paid by, Keepme and any Sub-Processor arising directly or in connection with:
7.1.1 any non-compliance by the Customer with the GDPR or other applicable legislation;
7.1.2 any Personal Data processing carried out by Keepme or Sub-Processor in accordance with instructions given by the Customer that infringe the GDPR or other applicable legislation; or
7.1.3 any breach by the Customer of its obligations under the Data Processing Terms, except to the extent that Keepme or Sub-Processor is liable under sub-Clause 7.2.
7.2 Subject to the T&C’s Keepme shall be liable for any and all action, proceeding, liability, cost, claim, loss, expense (including reasonable legal fees and payments on a solicitor and client basis), or demand suffered or incurred by, awarded against the Customer arising directly or in connection with Keepme’s Personal Data processing activities that are subject to the Data Processing Terms:
7.2.1 only to the extent that the same results from Keepme’s breach of the Data Processing Terms; and
7.2.2 not to the extent that the same is or are contributed to by any breach of the Data Processing Terms by the Customer.
7.3 The Customer shall not be entitled to claim back from Keepme or Sub-Processor any sums paid in compensation by the Customer in respect of any damage to the extent that the Customer is liable to indemnify Keepme or Sub-Processor under sub-Clause 7.1.
7.4 Nothing in the Data Processing Terms (and in particular, this Clause 7) shall relieve either Party of, or otherwise affect, the liability of either Party to any data subject, or for any other breach of that Party’s direct obligations under the GDPR.
8. Intellectual Property Rights
All copyright, database rights, and other intellectual property rights subsisting in the Personal Data (including but not limited to any updates, amendments, or adaptations to the Personal Data made by either the Customer or Keepme) shall belong to the Customer or to any other applicable third party from whom the Customer has obtained the Personal Data under licence (including, but not limited to, data subjects, where applicable). Keepme is licensed to use such Personal Data under such rights only for the term of the Service Agreement, for the purposes of the Service, and in accordance with the Data Processing Terms.
9. Confidentiality
9.1 Keepme shall maintain the Personal Data in confidence, and in particular, unless the Customer has given written consent for Keepme to do so, Keepme shall not disclose any Personal Data supplied to Keepme by, for, or on behalf of, the Customer to any third party. Keepme shall not process or make any use of any Personal Data supplied to it by the Customer otherwise than in connection with the provision of the Service to the Customer.
9.2 Keepme shall ensure that all personnel who are to access and/or process any of the Personal Data are contractually obliged to keep the Personal Data confidential.
9.3 The obligations set out in in this Clause 9 shall continue for a period of five (5) years after the cessation of the provision of Service by Keepme to the Customer.
9.4 Nothing in the Data Processing Terms shall prevent either Party from complying with any requirement to disclose Personal Data where such disclosure is required by law. In such cases, the Party required to disclose shall notify the other Party of the disclosure requirements prior to disclosure, unless such notification is prohibited by law.
10. Appointment of Sub-Processors
10.1 Keepme shall have the right to sub-contract any of its obligations or rights under the Data Processing Terms without the prior written consent of the Customer.
10.2 In the event that Keepme appoints a Sub-Processor, Keepme shall:
10.2.1 enter into a Sub-Processing Agreement with the Sub-Processor which shall impose upon the Sub-Processor the same obligations as are imposed upon Keepme by the Data Processing Terms and which shall permit both Keepme and the Customer to enforce those obligations; and
10.2.2 ensure that the Sub-Processor complies fully with its obligations under the Sub-Processing Agreement and the GDPR.
10.3 In the event that a Sub-Processor fails to meet its obligations under any Sub-Processing Agreement, Keepme shall remain fully liable to the Customer for failing to meet its obligations under the Data Processing Terms.
11. Deletion and/or Disposal of Personal Data
11.1 Keepme shall, at the written request of the Customer, delete (or otherwise dispose of) the Personal Data or return it to the Customer in the format(s) reasonably requested by the Customer within a reasonable time after the earlier of the following:
11.1.1 the end of the provision of the Service under the Service Agreement; or
11.1.2 the processing of that Personal Data by Keepme is no longer required for the performance of Keepme’s obligations under the Service Agreement.
11.2 Following the deletion, disposal, or return of the Personal Data under sub-Clause 11.1, Keepme shall delete (or otherwise dispose of) all further copies of the Personal Data that it holds, unless retention of such copies is required by law, in which case Keepme shall inform the Customer of such requirement(s) in writing.
12. Consideration
Keepme accepts the obligations in the Data Processing Terms in consideration of the payment of the Fees from the Customer under the Service Agreement.
13. Law and Jurisdiction
13.1 The Data Processing Terms (including any non-contractual matters and obligations arising therefrom or associated therewith) shall be governed by, and construed in accordance with, the laws of England and Wales.
13.2 Any dispute, controversy, proceedings or claim between the Parties relating to the Data Processing Terms (including any non-contractual matters and obligations arising therefrom or associated therewith) shall fall within the Dispute Resolution procedure pursuant to the General Terms and Conditions of Service forming part of the Service Agreement.