Data Protection Addendum
This Data Protection Addendum (“Addendum”) forms part of any agreement in which the URL to this Addendum is referenced, including, where applicable, OC&C’s Terms of Business set out in an engagement letter (each such agreement, a “Principal Agreement”) and is entered into by and between the OC&C entity (“Processor”) and client entity (“Controller”) that are the parties to the Principal Agreement. References in this Addendum to the Principal Agreement shall include any statement of work or similar binding document entered into under that agreement.
1. Definitions
In this Addendum, the following terms shall have the meanings set out below:
1.1. “Applicable Privacy Laws” means all data protection and privacy laws applicable to the Processing of Personal Data, including, when and where applicable, (a) the GDPR and the various implementing regulations in applicable EU member states; (b) the UK Data Protection Act 2018; (c) the Privacy Act 1988 (Australia); (d) the Personal Data (Privacy) Ordinance (Cap. 486) (Hong Kong) (“PDPO”); (e) U.S. state and federal data protection laws, rules, or regulations; (f) the Personal Information Protection and Electronic Documents Act (Canada) (“PIPEDA”); (g) the Personal Information Protection Law (China) (“PIPL”); and (h) similar laws enacted anywhere in the world addressing the protection or the use, transmission, or other Processing of Personal Data, each as amended, modified, and/or supplemented by the guidance or regulatory decisions of any relevant Supervisory Authority or other data protection regulatory authority.
1.2. “Data Subject” means any natural person to whom Personal Data relates.
1.3. “GDPR” means Regulation (EU) 2016/679 (“EU GDPR”) and the UK GDPR (as defined in section 3(10) of the Data Protection Act 2018, supplemented by section 205(4) of the Data Protection Act 2018) (“UK GDPR”).
1.4. “Personal Data” means the personal data described in Annex 1 to this Addendum, as varied by any supplementary information in the Principal Agreement (together, the “Details of Processing”).
1.5. “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed.
1.6. “Processing” means any operation or set of operations performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, access, consultation, use, acquisition, transfer, hosting (via server, web, cloud, or otherwise), disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction. Any activity defined as processing by or otherwise subject to the requirements of Applicable Privacy Laws shall fall within this definition. “Processed”, “Process” and any other variations of “Processing” shall be construed accordingly.
1.7. “SCCs” means the terms and information (including the UK IDTA) at https://occ-prod-appsvc-cm.azurewebsites.net/media/2971/occ-sccs.pdf, as may be updated by the Processor from time to time where reasonably required for either party’s compliance with Applicable Privacy Laws.
1.8. “Supervisory Authority” means any data protection authority or other governmental, regulatory, administrative, judicial, or other agency or similar body that has authority to implement, enforce, and/or oversee compliance with Applicable Privacy Laws.
In this Addendum, references to any Applicable Privacy Laws and to terms defined therein shall be replaced with or incorporate (as the case may be) references to any Applicable Privacy Laws replacing, amending, extending, re-enacting, or consolidating such Applicable Privacy Laws and the equivalent terms defined in such Applicable Privacy Laws once in force and applicable.
2. Data Protection Roles
2.1. The Processor shall act as a processor of the Controller for the Processing of the Personal Data. Nothing in this Addendum relieves the Processor of its own obligations as a processor under Applicable Privacy Laws. If a person other than, or in addition to, the Controller is the controller of the Personal Data, the Controller shall accurately and promptly relay to the Processor instructions it receives from that person.
2.2. If there is any conflict or inconsistency between any of the terms of the Principal Agreement (including this Addendum), the following order of precedence shall apply to the extent necessary to resolve such conflict or inconsistency: first, the terms of any SCCs incorporated into this Addendum; second, any other terms of this Addendum; and lastly, any other terms of the Principal Agreement.
3. Processor Obligations
The Processor shall:
3.1. Process Personal Data only in accordance with documented instructions from the Controller (which may be specific instructions or instructions of a general nature as set out in this Addendum or as otherwise notified in writing by the Controller to the Processor during the duration of the Principal Agreement), unless the Processor is obliged to proceed otherwise under Applicable Privacy Laws (by way of example only, investigations by law enforcement or data protection authorities), in which case the Processor shall inform the Controller of such legal requirements before Processing, unless Applicable Privacy Laws prohibit such communication. The Controller shall ensure that any instructions it provides to the Processor comply fully with Applicable Privacy Laws and the Controller shall be solely responsible for the accuracy, quality and legality of the Personal Data Processed by the Processor;
3.2. notify the Controller if, in its opinion, an instruction from the Controller infringes Applicable Privacy Laws. The Controller acknowledges that any information provided in such notice shall not constitute legal advice and the Controller shall not rely on it as such;
3.3. not subcontract any of its Processing operations except in accordance with this clause 3.3. The Controller acknowledges and agrees that the Processor may engage sub-processors to provide any of the services under the scope of the Principal Agreement. Subject to this clause 3.3, the Controller hereby provides its general authorisation to the Processor for it to engage sub-processors to Process Personal Data on behalf of the Controller including the sub-processors listed in Annex 2. Where a sub-processor is engaged by the Processor to carry out specific Processing activities on behalf of the Controller, the Processor shall ensure that it enters into a written contract with such sub-processor containing data protection obligations no less onerous than those set out in this Addendum. The Processor shall remain liable for the acts and omissions of any such sub-processor. The use of the sub-processors shall be at the discretion of the Processor, provided it complies with the following:
i. the Processor will notify the Controller by email in advance of any planned additional or replacement sub-processors;
ii. the Controller may object to such changes within fourteen (14) calendar days of being notified by the Processor, provided it has good cause to do so. If no objection is raised by the Controller within 14 days of that notice, the sub-processor shall be deemed authorised by the Controller;
iii. if the Controller makes use of its right of objection pursuant to clause 3.3(ii), then the Processor shall be entitled to terminate the Principal Agreement with immediate effect and without liability by giving written notice to the Controller; and
iv. the Processor may replace a sub-processor without prior notice if such replacement is pertinent for the safety of the Personal Data or for other urgent reasons. In this case, the Processor shall inform the Controller immediately about the appointment of such new sub-processor and clauses 3.3(ii) and 3.3(iii) shall apply accordingly;
3.4. implement appropriate technical and organisational measures to prevent any Personal Data Breach, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the Processing as well as risks of varying likelihood and severity to the rights and freedoms of natural persons, including, as appropriate: (i) the pseudonymisation and encryption of all Personal Data; (ii) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of Processing systems and services; (iii) the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; and (iv) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the Processing. In assessing the appropriate level of security, Processor shall take account of the risks that are presented by Processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data transmitted, stored or otherwise Processed. The Processor shall implement and maintain each of the technical and organisational measures set out in Annex 3;
3.5. ensure that persons authorised to Process Personal Data have committed themselves to confidentiality (or are already bound by law to a professional obligation to maintain confidentiality). Further, the Processor shall only engage sub-processors that offer sufficient guarantees to implement appropriate technical and organisational measures in a manner that the Processing will meet the requirements of Applicable Privacy Laws and this Addendum;
3.6. provide, at the Controller’s cost, all cooperation and information to the Controller as is reasonably necessary for the Controller to demonstrate compliance with its obligations pursuant to Applicable Privacy Laws, including, upon reasonable request and where the provision of information alone is insufficient to demonstrate such compliance, by allowing for and contributing to one annual audit conducted by the Controller or any Supervisory Authority having competent jurisdiction (or on their behalf by a representative other than a competitor of the Processor) on reasonable prior notice to the Processor from time to time. The Controller shall use its best endeavours to perform such audit without causing material interruption to the Processor’s operations or business. The audit shall not grant the Controller access to trade secrets or proprietary information and the Controller shall ensure its personnel conducting such audit are subject to strict obligations of confidentiality;
3.7. notify the Controller without undue delay (and within 72 hours, where feasible using reasonable endeavours) after becoming aware of a Personal Data Breach. The notification to the Controller will include at least: (i) the nature of the breach; (ii) the impacted data categories; (iii) the identified and potential consequences of the breach; and (iv) the measures the Processor takes to mitigate the consequences of the breach. The Processor shall take any reasonable measures necessary to mitigate damage resulting from the breach. The Processor shall provide all additional information reasonably requested by the Controller with regard to the breach and will reasonably assist the Controller in notifying the breach to a Supervisory Authority and/or the Data Subjects concerned;
3.8. taking into account the nature of the Processing and the information available to the Processor, assist the Controller with its obligations under Articles 32 to 36 of the GDPR and, by appropriate technical and organisational measures, insofar as is possible, assist the Controller in responding to requests by Data Subjects exercising their rights under Chapter III of the GDPR; and
3.9. at the option of the Controller, delete or return to the Controller all Personal Data after the expiry or termination of the Principal Agreement, and delete any existing copies unless applicable law requires storage of the Personal Data.
4. Restricted Transfers
4.1. Where applicable, the Controller authorises the Processor to transfer Personal Data outside the European Economic Area (“EEA”) and United Kingdom (each a “Restricted Transfer”) subject to the requirements of Applicable Privacy Laws. The Processor may also make a Restricted Transfer if this is required by Applicable Privacy Laws to which the Processor is subject, provided that the Processor informs the Controller of that requirement before Processing, unless Applicable Privacy Laws prohibit such communication.
4.2. The SCCs shall be deemed incorporated into this Addendum and shall apply to any transfer of Personal Data between the parties if that transfer would directly result in a breach of the GDPR by either party if the SCCs did not apply.
4.3. Any authorisations or other consents provided under clauses 3.3 and 4.1 of this Addendum shall be deemed to apply to any consents required under the SCCs.
5. Rights and Obligations of the Controller
5.1. The Controller shall use its best endeavours to anonymise, in accordance with good industry practice, any Personal Data before disclosing it or making it available to the Processor.
5.2. Changes to the object of Processing and changes to procedures shall be agreed jointly between the parties and shall be specified in writing.
5.3. The Controller shall place all instructions in writing. Oral instructions must be confirmed without undue delay in writing.
5.4. The Controller shall inform the Processor without undue delay if it detects errors or irregularities in the audit results of the Processing.
5.5. The Controller is obliged to treat confidentially all business secrets and data security measures of the Processor of which the Controller becomes aware throughout the contractual relationship. This obligation shall survive termination of the Principal Agreement.
5.6. Except where expressly stated otherwise, each party shall bear its costs of providing any assistance or cooperation under this Addendum.