Rolec Data Processing Addendum
This Data Processing Addendum (this “Addendum”) forms part of the written or electronic agreement between Rolec Services Ltd (“Supplier”) and you (“You” or “Your”) for the products and/or solutions identified in the agreement (collectively, the “Services”) with Supplier (the “Agreement”).
1. Definitions. Capitalised terms used, but not defined, herein have the meanings set forth in the Agreement. As used in this Addendum, the following terms have the following meanings:
1.1. “Customer Data” shall mean the data, information or material provided, inputted, or submitted by You or on Your behalf into the Services, which may include data relating to Your customers and/or employees or other individuals.
1.2. “Customer Personal Data” means any Personal Data that is provided by You to Supplier and Processed by Supplier as Data Processor as part of Supplier’s provision of the Services to You.
1.3. “Data Controller” means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.
1.4. “Data Processor” means a natural or legal person, public authority, agency or other body which Processes Personal Data on behalf of the Data Controller.
1.5. “Data Protection Laws” means all applicable UK and/or EU laws and regulations governing the use or processing of Personal Data, including without limitation GDPR, UK GDPR and the Data Protection Act 2018.
1.6. “GDPR” means EU General Data Protection Regulation 2016/679.
1.7. “Personal Data” means any information relating to an identified or identifiable natural person (“Data Subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
1.8. “Privacy Notice” means Supplier’s privacy notice issued to you, or published on its websites, which may be amended by Supplier from time to time.
1.9. “Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction and “Process”, “Processed” and “Processes” shall be construed accordingly.
1.10. “Supervisory Authority” means an independent public authority which is established under applicable European Union member state law and which concerns itself with the Processing of Personal Data.
1.11. “UK GDPR” means the GDPR as it forms part of the laws of England and Wales, Scotland and Northern Ireland by virtue of Section 3 of the European Union (Withdrawal) Act 2018.
2. Interpretation. Where there is any inconsistency between the terms of this Addendum and any other terms of the Agreement, the terms of this Addendum shall take precedence.
3. Supplier as Data Processor
3.1. For the purposes of the Agreement, the parties agree that You are the Data Controller with respect to Customer Personal Data and as Data Controller, You have sole responsibility for its legality, reliability, integrity, accuracy and quality.
3.2. You warrant and represent that:
3.2.1. You will comply with and will ensure that Your instructions for the Processing of Customer Personal Data will comply with the Data Protection Laws;
3.2.2. You are authorised pursuant to the Data Protection Laws to disclose any Customer Personal Data which You disclose or otherwise provide to Supplier regarding persons other than You;
3.2.3. You will where necessary, and in accordance with the Data Protection Laws, obtain all necessary consents and rights and provide all necessary information and notices to Data Subjects in order for:
(i) You to disclose the Customer Personal Data to Supplier;
(ii) Supplier to Process the Customer Personal Data for the purposes set out in the Agreement;
(iii) Supplier to disclose the Customer Personal Data to: (a) Supplier’s agents and service providers; (b) law enforcement agencies; (c) any other person in order for Supplier to meet any of its legal obligations, including statutory or regulatory reporting; and (d) any other person who has a legal right to require disclosure of the information, including where the recipients of the Customer Personal Data are outside the EEA.
3.3. During the term of the Agreement, Supplier warrants and represents that it:
3.3.1. shall comply with the Data Protection Laws applicable to Supplier while such Customer Data is in Supplier’s control;
3.3.2. when acting in the capacity of a Processor, shall only Process the Customer Data:
(i) as is necessary for the provision of the Services and the performance of Supplier’s obligations under the Agreement; or
(ii) otherwise on Your written instructions.
4. Data Controller Obligations
4.1. To the extent that a party acts as a data controller, each party shall comply with the provisions of this paragraph 4. The respective roles in this paragraph 4 apply whether either party receives the Personal Data from the other, their representatives, or directly from data subjects (as relevant).
4.2. Each party agrees to comply with Data Protection Law in connection with its own processing of the Personal Data.
4.3. The Supplier shall process the Personal Data only for the purposes of performing its obligations or exercising its rights under or in connection with the Agreement.
4.4. Each of the parties will in its capacity as data controller of the Personal Data, use reasonable endeavours to:
4.4.1. Notify the other promptly upon becoming aware of any actual or suspected security incident; and
4.4.2. Promptly provide the other with all the information in its/their possession or control in relation to the security incident and assist the other to seek to mitigate the effects of the security incident, comply with the Data Protection Law and adhere to guidance issued by the Information Commissioner’s Office (ICO) with regard to security breach management and reporting and not make any announcement or publish or broadcast any information about the security incident (other than to the ICO and/or data subjects as required by Data Protection Law) or authorise or permit the same except after having notified the other of its intention to do the same.
4.5. At the end of the engagement between the parties, or on a party’s instructions, each party shall return or destroy (at the other party’s election) all Personal Data provided by the other.
5. Processing of Customer Personal Data. When Processing Customer Personal Data, the Supplier shall comply with the following provisions:
5.1. Generally. Supplier shall:
5.1.1. taking into account the nature of the Processing, assist You by appropriate technical and organisational measures, insofar as this is reasonably possible, for the fulfilment of Your obligation to respond to requests from individuals for exercising Data Subjects’ rights;
5.1.2. taking into account the nature of the Processing, and the information available to it, provide reasonable assistance to You in ensuring compliance with Your obligations relating to:
(i) notifications to Supervisory Authorities;
(ii) prior consultations with Supervisory Authorities;
(iii) communication of any breach to Data Subjects; and
(iv) privacy impact assessments.
5.2. Personnel. Supplier shall:
5.2.1. take reasonable steps to ensure the reliability of any personnel who may have access to the Customer Personal Data;
5.2.2. ensure that access to the Customer Personal Data is strictly limited to those individuals who need to know and/or access the Customer Personal Data for the purposes of the Agreement; and
5.2.3. ensure that persons authorised to Process the Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
5.3. Security and Audit.
5.3.1. Supplier shall implement and maintain technical and organisational security measures appropriate to the risks presented by the relevant Processing activity to protect the Customer Personal Data against unauthorised or unlawful Processing and against accidental loss, destruction, damage or disclosure. Such measures shall, as a minimum, meet the standards required by Data Protection Laws.
5.3.2. Supplier has in place and shall maintain appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including, but not limited to:
(i) the pseudonymisation and encryption of personal data;
(ii) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
(iii) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and
(iv) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
5.3.3. Supplier has and shall maintain and enforce an information security management program (“Security Program”) which contains appropriate administrative, physical, technical and organisational safeguards, policies and controls.
5.4. Data Breach. Supplier shall notify You if it becomes aware of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to the Customer Personal Data arising from any act or omission of Supplier or its sub-processors.
5.5. Transfer of Personal Data
5.5.1. You acknowledge that the provision of the Services may require the Processing of Customer Personal Data by sub-processors in other territories. Supplier shall not transfer Customer Personal Data outside the United Kingdom to a sub-processor where such transfer is not subject to: (a) an adequacy decision (in accordance with Data Protection Laws); (b) appropriate safeguards (in accordance with Data Protection Laws); or (c) binding corporate rules (in accordance with Data Protection Laws), without Your prior written consent.
5.6. Return and Deletion. At Your option, Supplier shall delete or return all Customer Personal Data to You at the end of the provision of the Services and delete all existing copies of Customer Personal Data unless Supplier is under a legal obligation to require storage of that data or Supplier has another legitimate business reason for doing so.
5.7. Use of Sub-Processors.
5.7.1. You agree that Supplier has general authority to engage third parties, partners, agents or service providers, including its Affiliates, to Process Customer Personal Data on Your behalf in order to provide the applications, products, services and information You have requested (“Approved Sub-Processors”), subject to such Approved Sub-Processors being included on the Supplier’s list of standard sub-processors at https://www.rolecserv.com/rolec-smart-solutions/sub-processors. Supplier shall not engage a sub-processor to carry out specific Processing activities which fall outside the general authority granted above without Your prior specific written authorisation and, where such other sub-processor is so engaged, Supplier shall ensure that the same obligations set out in this Addendum shall be imposed on that sub-processor.
5.7.2. Supplier shall be liable for the acts and omissions of its Approved Sub-Processors to the same extent Supplier would be liable if performing the services of each Approved Sub-Processor directly under the terms of this Addendum.
5.8.1. The provisions of this Addendum shall survive termination of the Agreement.
RODPAED-V01-R2 Rolec Data Processing Addendum