Rolec Data Processing Addendum
This Data Processing Addendum (this “Addendum”) forms part of the written or electronic agreement between Rolec Services Ltd (“Supplier”) and you (“You” or “Your”) for the products and/or solutions identified in the agreement (collectively, the “Services”) with Supplier (the “Agreement”).
1. Application. This Addendum only applies to the extent that the GDPR governs Supplier’s Processing of Your data (including Customer Data). Section 7 of this Addendum only applies to the extent that the GDPR governs Supplier’s Processing of Customer Personal Data.
2. Definitions. Capitalised terms used, but not defined, herein have the meanings set forth in the Agreement. As used in this Addendum, the following terms have the following meanings:
2.1. “Customer Data” shall mean the data, information or material provided, inputted, or submitted by You or on Your behalf into the Services, which may include data relating to Your customers and/or employees or other individuals.
2.2. “Customer Personal Data” means any Personal Data that is provided by You to Supplier and Processed by Supplier as Data Processor as part of Supplier’s provision of the Services to You.
2.3. “Data Controller” means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.
2.4. “Data Processor” means a natural or legal person, public authority, agency or other body which Processes Personal Data on behalf of the Data Controller.
2.5. “Data Protection Laws” means all applicable UK and/or EU laws and regulations governing the use or processing of Personal Data, including GDPR and any national implementing laws, regulations and secondary legislation, as amended or updated from time to time.
2.6. “GDPR” means EU General Data Protection Regulation 2016/679.
2.7. “Personal Data” means any information relating to an identified or identifiable natural person (“Data Subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
2.8. “Privacy Notice” means Supplier’s privacy notice issued to you, or published on its websites, which may be amended by Supplier from time to time.
2.9. “Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction and “Process”, “Processed” and “Processes” shall be construed accordingly.
2.10. “Supervisory Authority” means an independent public authority which is established under applicable European Union member state law and which concerns itself with the Processing of Personal Data.
3. Interpretation. Where there is any inconsistency between the terms of this Addendum and any other terms of the Agreement, the terms of this Addendum shall take precedence.
4. Supplier as Data Processor
4.1. For the purposes of the Agreement, the parties agree that You are the Data Controller with respect to Customer Personal Data and as Data Controller, You have sole responsibility for its legality, reliability, integrity, accuracy and quality.
4.2. You warrant and represent that:
4.2.1. You will comply with and will ensure that Your instructions for the Processing of Customer Personal Data will comply with the Data Protection Laws;
4.2.2. You are authorised pursuant to the Data Protection Laws to disclose any Customer Personal Data which You disclose or otherwise provide to Supplier regarding persons other than You;
4.2.3. You will where necessary, and in accordance with the Data Protection Laws, obtain all necessary consents and rights and provide all necessary information and notices to Data Subjects in order for:
(i) You to disclose the Customer Personal Data to Supplier;
(ii) Supplier to Process the Customer Personal Data for the purposes set out in the Agreement;
(iii) Supplier to disclose the Customer Personal Data to: (a) Supplier’s agents and service providers; (b) law enforcement agencies; (c) any other person in order for Supplier to meet any of its legal obligations, including statutory or regulatory reporting; and (d) any other person who has a legal right to require disclosure of the information, including where the recipients of the Customer Personal Data are outside the EEA.
4.3. During the term of the Agreement, Supplier warrants and represents that it:
4.3.1. shall comply with the Data Protection Laws applicable to Supplier while such Customer Data is in Supplier’s control;
4.3.2. when acting in the capacity of a Processor, shall only Process the Customer Data:
(i) as is necessary for the provision of the Services and the performance of Supplier’s obligations under the Agreement; or
(ii) otherwise on Your written instructions.
5. Supplier as Data Controller. Where, and to the extent that Supplier Processes Your Personal Data as a Data Controller in accordance with its Privacy Notices, Supplier shall comply with all Data Protection Laws applicable to Supplier as Data Controller.
6. Analytics. You agree that Supplier may record, retain and use Customer Data generated and stored during Your use of the Services (including Customer Personal Data, which Supplier shall Process as Data Controller as set out in the Privacy Notice, on the basis of Supplier’s legitimate business interests), in order to:
6.1. carry out research and development to improve Supplier, and Supplier’s affiliates’, services, products and applications;
6.2. develop and provide new and existing functionality and services (including statistical analysis, benchmarking and forecasting services) to You and other Supplier customers;
6.3. deliver advertising, marketing (including in-product messaging) or information to You which may be useful to You, based on Your use of the Services;
6.4. provide You with location-based services (for example location relevant content) where Supplier collects geo-location data to provide a relevant experience,
provided that Supplier shall only record, retain and use the Customer Data and/or Process Customer Personal Data on a pseudonymised basis, displayed at aggregated levels, which will not be linked back to You or to any living individual. If at any time You do not want Supplier to use Customer Data in the manner described in this Section 6, please contact Supplier at the email address set out in the Privacy Notice.
7. Processing of Customer Personal Data. If the GDPR governs Supplier’s Processing of Customer Personal Data, then Supplier shall comply with the following provisions.
7.1. Generally. Supplier shall:
7.1.1. taking into account the nature of the Processing, assist You by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of Your obligation to respond to requests from individuals for exercising Data Subjects’ rights;
7.1.2. taking into account the nature of the Processing, and the information available to it, provide reasonable assistance to You in ensuring compliance with Supplier’s obligations relating to:
(i) notifications to Supervisory Authorities;
(ii) prior consultations with Supervisory Authorities;
(iii) communication of any breach to Data Subjects; and
(iv) privacy impact assessments.
7.2. Personnel. Supplier shall:
7.2.1. take reasonable steps to ensure the reliability of any personnel who may have access to the Customer Personal Data;
7.2.2. ensure that access to the Customer Personal Data is strictly limited to those individuals who need to know and/or access the Customer Personal Data for the purposes of the Agreement; and
7.2.3. ensure that persons authorised to Process the Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
7.3. Security and Audit.
7.3.1. Supplier shall implement and maintain appropriate technical and organisational security measures appropriate to the risks presented by the relevant Processing activity to protect the Customer Personal Data against unauthorised or unlawful Processing and against accidental loss, destruction, damage or disclosure.
7.3.2. Supplier has in place and shall maintain appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including, but not limited to:
(i) the pseudonymisation and encryption of personal data;
(ii) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
(iii) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and
(iv) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
7.3.3. Supplier has and shall maintain and enforce an information security management program (“Security Program”) which contains appropriate administrative, physical, technical and organisational safeguards, policies and controls.
7.4. Data Breach. Supplier shall notify You if it becomes aware of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to the Customer Personal Data arising from any act or omission of Supplier or its sub-processors.
7.5. Transfer of Personal Data
7.5.1. You acknowledge that the provision of the Services may require the Processing of Customer Personal Data by sub-processors in other territories. Supplier shall not transfer Customer Personal Data outside the United Kingdom to a sub-processor where such transfer is not subject to: (a) an adequacy decision (in accordance with Article 45 of the GDPR); (b) appropriate safeguards (in accordance with Article 46 of the GDPR); or (c) binding corporate rules (in accordance with Article 47 of the GDPR), without Your prior written consent.
7.6. Return and Deletion. At Your option, Supplier shall delete or return all Customer Personal Data to You at the end of the provision of the Services and delete all existing copies of Customer Personal Data unless Supplier is under a legal obligation to require storage of that data or Supplier has another legitimate business reason for doing so.
7.7. Use of Sub-Processors.
7.7.1. You agree that Supplier has general authority to engage third parties, partners, agents or service providers, including its Affiliates, to Process Customer Personal Data on Your behalf in order to provide the applications, products, services and information You have requested or which Supplier believes is of interest to You (“Approved Sub-Processors”). Supplier shall not engage a sub-processor to carry out specific Processing activities which fall outside the general authority granted above without Your prior specific written authorisation and, where such other sub-processor is so engaged, Supplier shall ensure that the same obligations set out in this Addendum shall be imposed on that sub-processor.
7.7.2. Supplier shall be liable for the acts and omissions of its Approved Sub-Processors to the same extent Supplier would be liable if performing the services of each Approved Sub-Processor directly under the terms of this Addendum.