VSL Vanguard Services Limited - Client Data Processing Addendum

This Data Processing Addendum (“DPA”) is entered by and between VSL (hereinafter, “Company”) on behalf of itself and its Affiliates, and ……………………………………. (hereinafter, the “Client”) on behalf of itself and its Affiliates. Company in the text below will be referred to as the “Parties”, and individually as “Party”.

In consideration of the mutual obligations set out herein, the Parties hereby agree that the terms and conditions set out below shall be added as an Addendum integral to the agreement established between Company and the Client (the “Agreement”).

  1. DEFINITIONS

In addition to capitalized terms defined elsewhere in this DPA, the following terms shall have the meanings set forth opposite each one of them:

  • “Affiliate” means any entity that directly or indirectly controls, is controlled by or is under common control with the subject entity. “Control” for the purposes of this definition means direct or indirect ownership or control of at least 50%.
  • “Applicable Law(s)” means all applicable data protection, privacy, and electronic marketing legislation, including (as applicable) the GDPR, the UK’s Data Protection Act 2018 and the Privacy and Electronic Communications (EC Directive) Regulations 2003, as well as any equivalent laws anywhere in the world, to the extent any such laws apply to Personal Data to be processed hereunder by Client.
  • “Convention” means the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data.
  • The terms “Commission”, “Data Subject”, “Member State”, “Personal Data Breach”, “Process/Processing”, “Controller”, “Processor”, and “Supervisory Authority” shall have the same meanings given to them in the GDPR.
  • “GDPR” means the UK General Data Protection Regulation 2016/679 and any subsequent amendments, replacements, or supplements.
  • “Personal Data” means any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, to or with an identified or identifiable natural person, which is processed by Client on behalf of Company pursuant to or in connection with the Client
  • “Standard Contractual Clauses” means the standard contractual clauses for the transfer of personal data to processors or sub-processors established in third countries, as adopted by the U from time to time under Directive 95/46/EC or the GDPR, as applicable.
  • “Sub-processor” means any third party engaged directly by the Client to Process any Personal Data pursuant to or in connection with the Client. The term shall not include employees or contractors of Client.
  • “Client Services” means any services provided by Client to Company, including any storage, software, or platform services, pursuant to an agreement, purchase order, license, or subscription.
  2. SCOPE OF PROCESSING
    • Client shall Process Personal Data as described in Annex 1 (Details of Processing of Personal Data) attached hereto.
    • Client shall Process Personal Data as a Processor or Sub-processor acting on behalf of Company as the Controller or Processor of such Personal Data, as applicable.
    • Company hereby instructs Client to Process Personal Data only for the limited purposes of providing Client Services and solely for the benefit of Company.
    • Client shall only Process the Personal Data (i) in accordance with the terms of this DPA, (ii) in accordance with the terms of the Agreement between the Parties, (iii) solely on documented instructions from the Company, unless Processing is required by Applicable Laws (in which case, Client must inform Company in advance of such requirement, unless prohibited from doing so by law), and (iv) in compliance with all Applicable Laws.
    • Client shall notify Company without undue delay if Client determines that it can no longer meet instructions of the Company or its obligations under this DPA.
  3. SUB-PROCESSING
    • Client shall not subcontract any Processing of Personal Data to any additional third party without prior written consent of Company regarding each such subcontracting activity and third party. Notwithstanding the foregoing, Company authorizes Client to engage Sub-processors without limitation for the limited purposes of Processing Personal Data as strictly necessary for the fulfilment of Client’s obligations under the Agreement, provided that Client:
      • Provides to Company at least thirty (30) days’ prior written notice of its intention to engage or replace a Sub-processor. Such notice shall be sent to the nominated Company contact and must include at least: (i) the name of the Sub-processor; (ii) the type of Personal Data Processed by such Sub-processor and for which purposes; (iii) a description of the data subjects whose Personal Data shall be Processed by such Sub-processor; and (iv) the location of the Data Processing performed by such Sub-processor.
      • Conducts the level of due diligence necessary to ensure that such Sub-processor is capable of meeting the requirements of this DPA and any Applicable Laws; and
      • Ensures that the arrangement between the Client and the Sub-processor is governed by a written contract binding on the Sub-processor, which (i) requires the Sub-processor to Process Personal Data in accordance with this DPA or standards that are no less onerous than this DPA; and (ii) includes and relies on the Standard Contractual Clauses, which shall form part of the contract between Client and its Sub-processors and shall be binding on both Client and its Sub-processor, to the extent that any Personal Data may be Processed by such Sub-processor outside of the EEA.
    • Company may object to the engagement of any Sub-processor on reasonable privacy, data protection or security grounds. In such case, the Client shall only engage the Sub-processor for the provision of Client Services to the Company after completing an appropriate risk assessment and ensuring appropriate technical and organisational controls are in place. Should Company object to the engagement of the Sub-processor, Company may terminate or suspend its Agreement with Client, with immediate effect and without penalty.
    • Client shall remain fully liable to Company at all times for the performance of any of its Sub-processors’ obligations and its Processing activities relating to Personal Data.
  4. VENDOR PERSONNEL
    • To the extent permissible under applicable law, Client shall conduct an appropriate background investigation of all employees or contractors of the Client who may have access to Personal Data (“Client Personnel”), prior to allowing them such access. If the background investigation reveals that the Client Personnel are not suited to access Personal Data, then Client shall not provide the Client Personnel with access to Personal Data.
    • Client shall ensure that all Client Personnel: (i) have such access only as necessary for the purposes of providing Company with the Client Services and complying with Applicable Laws; (ii) are contractually bound to confidentiality requirements no less onerous than this DPA; (iii) are provided with appropriate privacy and security training; (iv) are informed of the confidential nature of Personal Data, and required to keep it confidential; and (v) are aware of the Client’s duties and obligations under this DPA.
  5. SECURITY
    • Client represents and warrants that it has implemented and will maintain appropriate technical, physical, and organizational measures to protect the Personal Data against accidental or unlawful loss, alteration, destruction, unauthorized disclosure, or access and, in particular, where the processing involves the transmission of data over a network, against all anticipated unlawful forms of processing.
    • Having regard to the state of the art and cost of their implementation, Client agrees and warrants that such measures shall ensure a level of security appropriate to the risks presented by the Processing (including the risks of a Personal Data Breach), and the nature of Personal Data to be protected, and without limitation shall ensure that such measures include:
      • The pseudonymization and/or encryption of Personal Data, in transit and at rest.
      • The ability to ensure the on-going confidentiality, integrity, availability, and resilience of Processing systems and services.
      • The ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; and
      • A process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of the Processing.
    • The Client shall keep records of its Processing activities performed on behalf of Company, which shall include at least:
      • The details of the Client as Personal Data Processor, any representatives, Sub-processors, data protection officers and Client Personnel having access to Personal Data.
      • The categories of Processing activities performed.
      • Information regarding Cross-Border Data Transfers (as further specified in Section 11 of this DPA), if any; and
      • Description of the technical and organizational security measures implemented in respect of the Processed Personal Data.
    • Without derogating from Company’s Audit Rights under Section 10, Company reserves the right to inspect the records maintained by the Client under this Section 5 at any time.
  6. DATA SUBJECT RIGHTS
    • Client shall reasonably assist Company in responding to requests to exercise Data Subject rights or Consumer rights (including any complaints regarding the Processing of Personal Data) under Applicable Laws, including, without limitation, applicable Data Protection Laws (“Data Subject Request(s)”).
    • Client shall:
      • Promptly notify Company if it receives a Data Subject Request in respect of Personal Data.
      • Provide full cooperation and assistance in relation to any Data Subject Request.
      • Ensure that it does not respond to Data Subject Requests except on the documented instructions of Company or as strictly required by Applicable Laws to which the Client is subject; and
      • Maintain electronic records of Data Subject Requests (under Applicable Laws).
  7. LEGAL DISCLOSURE AND PERSONAL DATA BREACH
    • Client shall notify Company within 24 hours of Client becoming aware of:
      • any request for disclosure of Personal Data by a Supervisory Authority and/or any other law enforcement authority or court, unless prohibited under criminal law specifically requiring Client to preserve the confidentiality of a law enforcement investigation; and
      • any Personal Data Breach reasonably suspected or known to be affecting Personal Data. Client shall provide Company with sufficient information to allow Company to meet any obligations to report or inform Data Subjects or data protection authorities of the Personal Data Breach under the Applicable Laws. Other than as required by law, Client shall not make any public statements or other disclosures about a Personal Data Breach affecting Personal Data without Company’s prior written consent, which may be provided, at Company’s discretion, on a case-by-case basis.
    • Client shall provide Company with the following details, as possible:
      • The nature of the Personal Data Breach, including the categories of Data Subjects concerned and the categories of Personal Data and data records concerned.
      • The measures proposed or taken by Client in cooperation with Company to address the Personal Data Breach; and
      • The measures Company could take to mitigate the possible adverse effects of the Personal Data Breach.
    • Client shall take any actions necessary to investigate any suspected or actual Personal Data Breach and mitigate any related damages.
    • Client shall fully cooperate with Company and take such steps as are directed by Company to assist in the investigation, mitigation, and remediation of each such Personal Data Breach.
  8. DELETION OR RETURN OF PERSONAL DATA
    • Upon expiration or termination of the provision of Client Services, Client shall, at the choice of the Company, promptly delete or return all copies of Personal Data in its and/or any of its Sub-processors’ possession or control, except as required to be retained in accordance with Applicable Laws. In such a case, Client warrants that it will guarantee the confidentiality of the Personal Data, will no longer actively process the Personal Data, and will guarantee the return and/or destruction of the Personal Data as requested by Company once the legal obligation not to return or destroy the information is no longer in effect.
    • Upon prior written request by the Company, the Client’s Chief Privacy Officer or equivalent shall provide written certification to Company that Client has fully complied with this section.
  9. PROVISION OF INFORMATION AND ASSISTANCE
    • Client shall cooperate with and reasonably assist Company with any data protection impact assessments, prior consultations with relevant competent data protection authorities and any other assistance related to compliance with the obligations of the Company pursuant to the GDPR and other Applicable Laws. The scope of such assistance shall be limited to the Processing of the Personal Data by the Client.
  10. AUDIT RIGHTS
    • Client shall promptly make available to Company, upon written request, all information necessary to demonstrate compliance with this DPA and with any Applicable Laws, including industry-standard third-party audit certifications.
    • Client shall allow for and contribute to audits, including inspections, by Company and/or an auditor mandated by Company. In any event, a third-party auditor shall be subject to confidentiality obligations. Client may object to the selection of the auditor if it reasonably believes that the auditor does not guarantee confidentiality, security or otherwise puts at risk the Client’s business.
  11. CROSS-BORDER DATA TRANSFER
    • Personal Data may be transferred from the United Kingdom (“UK”) to countries that offer adequate levels of data protection under or pursuant to the adequacy decisions published by the relevant data of UK (“Adequacy Decisions”), as applicable, without any further safeguard being necessary.
    • If the Processing of Personal Data by Processor includes transfers from the UK to other countries which have not been subject to a relevant Adequacy Decision, and such transfers are not performed through an alternative recognized compliance mechanism as may be adopted by Client for the lawful transfer of personal data as defined in the UK GDPR, then the Standard Contractual Clauses shall apply.
    • Where the transfer of Personal Data is made subject to the Standard Contractual Clauses, these shall be completed and signed simultaneously with the execution of this DPA by Company and Client. The “data importer” thereunder shall be Client, and the “data exporter” shall be Company. Client shall comply, and shall ensure that each Sub-processor engaged in the Processing of such Personal Data complies, with the data importer’s obligations, and Company shall comply with the data exporter’s obligations, in each case under the applicable Standard Contractual Clauses. If requested by Company, Client will ensure and procure that its Sub-processor(s) enter into Standard Contractual Clauses with Company directly.
    • The Standard Contractual Clauses will not apply to Personal Data that relates to individuals located outside of the UK and EEA, or that is not transferred, either directly or via onward transfer, outside the EEA. For data transfers originating from other countries outside of the UK and EEA, Client shall abide by all Applicable Laws of the territory of origin of the Personal Data.
    • Client shall provide Company with all relevant information to enable Company to comply with its obligations in case of cross-border transfers of Personal Data. Company may object to the transfer of Personal Data under this Section 11 on privacy and security grounds. In such case, the Client shall not effectuate such transfer of Personal Data or Company may terminate or suspend the provision of Client Services with immediate effect without penalty.
  12. INDEMNIFICATION
    • Client shall indemnify, to the extent provided by Client’s PII, defend, and hold harmless Company, its Affiliates, and their respective officers, directors, and employees from and against claims and proceedings and all liability, loss, costs, fines, and expenses (including reasonable legal fees) arising in connection with (i) Client’s unlawful or unauthorized Processing, destruction of, or damage to any Personal Data; and/or (ii) the failure of Client (including the Client Personnel and Client’s Sub-processors) to comply with its obligations under this DPA, the existing Agreement or any further instructions as to such Processing given in writing by Company in accordance with this DPA.
  13. MISCELLANEOUS
    • Severance: Should any provision of this DPA be determined invalid or unenforceable, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall either be (i) amended as necessary to ensure its validity and enforceability, while preserving the Parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.
    • Notice: All notices required under this DPA shall be sent to Company by email.
    • Notices to Client shall be sent to: HR@vsluk.com
    • Order of Precedence: In the event of any conflict between the terms of this DPA and other documents binding on Parties, the terms of these documents will be interpreted according to the following order of precedence: (i) the Standard Contractual Clauses, solely to the extent applicable in accordance with Section 11 above; (ii) this DPA; (iii) any terms of agreement, purchase orders, license, or subscription, pursuant to which Client Services are provided.
    • Modifications by Client: Client may, by at least forty-five (45) calendar days’ prior written notice to Company, request in writing any variations to this DPA if they are required as a result of any change in, or decision of a competent authority under, any Data Protection Laws, to allow Processing of Personal Data to be made (or continue to be made) without breach of that Data Protection Law. Pursuant to such notice, the Parties shall promptly discuss the proposed variations and negotiate in good faith with a view to agreeing and implementing those or alternative variations designed to address the lawful requirements identified in Client’s notice as soon as is reasonably practicable.
    • Modifications by Company: Company may, by at least thirty (30) calendar days’ prior written notice to Client, vary the terms of this DPA and/or any Standard Contractual Clauses applicable pursuant to Section 11 of this DPA, as necessary to allow the Processing of Personal Data to be made (or continue to be made) without breach of applicable Data Protection Laws, or to otherwise protect the interests of Company, in each case as reasonably determined by Company at its discretion. If Client objects to said variations within the notice period, the Parties shall promptly discuss the proposed variations and negotiate in good faith with a view to agreeing and implementing those or alternative variations designed to address the requirements identified in the notice from the Company as soon as is reasonably practicable. In the event that the Parties are unable to reach such an agreement within 30 days of such notice, then Company may, by written notice to the other Party, with immediate effect and without penalty, terminate the Agreement to the extent that it relates to the Client Services which are affected by the proposed variations (or lack thereof).
IN WITNESS WHEREOF, this DPA is entered into and becomes binding between the Parties with effect from the date first set out above.

On behalf of VSL:

Full Name:               Craig Cherry

Position:                  Managing Director

Address:                  VSL House, Bawtry Road, Blyth, Worksop, Nottinghamshire.  S81 8HJ

Other information necessary in order for the contract to be binding (if any):
Signature: 

On behalf of the Client:

Full Name:        ……………………………………………………………………

Position:           …………………………………………………………………… 

Address:           ……………………………………………………………………

Other information necessary in order for the contract to be binding (if any):

Signature:        ……………………………………………………………………

ANNEX 1: DETAILS OF PROCESSING OF PERSONAL DATA

This Annex 1 includes certain details of the processing of Personal Data.

Description of Client Services: Processing data from Company in order to provide our products and services.

Duration of the processing: as long as Client Services are provided

The nature and purpose of the processing: The nature and purpose of the processing is to provide our services for our client. 

Types of personal data processed: Data to be processed includes contact details of Company and data subjects plus data related to the processing of requests, complaints, and other interactions resulting from provision of the services. This includes data subject name, contact details, email, phone number, payment details, billing address, and interactions by email / phone / post etc.

List of sub-processors:

Name of Sub-processor | Services Performed | Sub-processor Location | Purpose of Processing | DPA in place with Sub-processor (Yes or No)