Data Protection Addendum
This Data Protection Addendum ("Addendum") forms part of any agreement in which the URL to this Addendum is referenced, including, where applicable, OC&C’s Standard Terms and Conditions and the terms set out in the relevant engagement letter (each such agreement, a "Principal Agreement") and is entered into by and between the OC&C entity (“Processor”) and client entity (“Controller”) that are the parties to the Principal Agreement. References in this Addendum to the Principal Agreement shall include any statement of work or similar binding document entered into under that agreement.
In this Addendum, the following terms shall have the meanings set out below:
•"processing", "processor", "data subject", "personal data" and “supervisory authority” shall have the meaning given in Article 4 of the GDPR. References to “supervisory authority” in this Addendum shall include the UK Information Commissioner’s Office.
•"Data Protection Legislation" means the GDPR and any other applicable laws relating to the protection of personal data and privacy.
•“GDPR” means Regulation (EU) 2016/679 (“EU GDPR”) and the UK GDPR (as defined in section 3(10) of the Data Protection Act 2018, supplemented by section 205(4) of the Data Protection Act 2018) (“UK GDPR”).
•"Personal Data" means the personal data described in Annex 1 to this Addendum, as varied by any supplementary information in the Principal Agreement, (together, the “Details of Processing”).
•"Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.
•“SCCs” means the terms and information at https://occ-prod-appsvc-cm.azurewebsites.net/media/2971/occ-sccs.pdf, as may be updated by the Processor from time to time where reasonably required for either party’s compliance with Data Protection Legislation.
Data Protection Roles
1. The Processor shall act as a processor of the Controller for the processing of the Personal Data. Nothing in this Addendum relieves the Processor of its own obligations as a processor under the Data Protection Legislation. If a person other than, or in addition to, the Controller is the controller of the Personal Data, the Controller shall accurately and promptly relay to the Processor instructions it receives from that person.
2. If there is any conflict or inconsistency between any of the terms of the Principal Agreement, the following order of precedence shall apply to the extent necessary to resolve such conflict or inconsistency: first, the terms of any SCCs incorporated into this Addendum, second, any other terms of this Addendum and lastly, any other terms of the Principal Agreement.
3. The Processor shall:
3.1 process Personal Data only in accordance with documented instructions from the Controller (which may be specific instructions or instructions of a general nature as set out in this Addendum or as otherwise notified in writing by the Controller to the Processor during the duration of the Principal Agreement), unless the Processor is obliged to proceed otherwise under applicable laws of the UK, EU or an EU Member State to which the Processor is subject (by way of example only, investigations by law enforcement or data protection authorities), in which case the Processor shall inform the Controller of such legal requirements before processing, unless the relevant applicable law prohibits such communication on account of an important public interest. The Controller shall ensure that any instructions it provides to the Processor comply fully with the Data Protection Legislation and the Controller shall be solely responsible for the accuracy, quality and legality of the Personal Data processed by the Processor;
3.2 immediately notify the Controller if, in its opinion, an instruction from the Controller infringes the Data Protection Legislation. The Controller acknowledges that any information provided in such notice shall not constitute legal advice and the Controller shall not rely on it as such;
3.3 not subcontract any of its processing operations except in accordance with this clause 3.3. The Controller acknowledges and agrees that the Processor may engage sub-processors to provide any of the services under the scope of the Principal Agreement. Subject to this clause 2.4, the Controller hereby provides its general authorisation to the Processor for it to engage sub-processors to process Personal Data on behalf of the Controller including the sub-processors listed in Annex 2. Where a sub-processor is engaged by the Processor to carry out specific processing activities on behalf of the Controller, the Processor shall ensure that it enters into a written contract with such sub-processor containing data protection obligations no less onerous than those set out in this Addendum. The Processor shall remain liable for the acts and omissions of any such sub-processor. The use of the sub-processors shall be at the discretion of the Processor, provided it complies with the following:
i The Processor will notify the Controller, by email in advance about any planned additional or replacement sub-processors;
ii The Controller may object to such changes within fourteen (14) calendar days of being notified by the Processor, provided it has good cause to do so. If no objection is raised by the Controller within 14 days of that notice, the sub-processor shall be deemed authorised by the Controller.
iii If the Controller makes use of its right to objection pursuant to clause 3.3(ii), then the Processor shall be entitled to terminate the Principal Agreement with immediate effect and without liability by giving written notice to the Controller.
iv The Processor may replace a sub-processor without prior notice if such replacement is pertinent for the safety of the Personal Data or for other urgent reasons. In this case, the Processor shall inform the Controller immediately about the appointment of such new sub-processor and clauses 3.3(ii) and 3.3(iii) shall apply accordingly;
3.4 implement appropriate technical and organizational measures to prevent any Personal Data Breach, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing as well as risks of varying likelihood and severity to the rights and freedoms of natural persons, including, as appropriate: (i) the pseudonymization and encryption of all Personal Data; (ii) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; (iii) the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; and (iv) a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing. In assessing the appropriate level of security, Processor shall take account of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored or otherwise processed. The Processor shall implement and maintain each of the technical and organizational measures set out in Annex 3;
3.5 ensure that persons authorised to process Personal Data have committed themselves to confidentiality (or are already bound by law to a professional obligation to maintain confidentiality). Further, the Processor shall only engage sub-processors that offer sufficient guarantees to implement appropriate technical and organizational measures in a manner that the processing will meet the requirements of the Data Protection Legislation and this Addendum;
3.6 provide, at the Controller’s cost, all cooperation and information to the Controller as is reasonably necessary for the Controller to demonstrate compliance with its obligations pursuant to Data Protection Legislation, including, upon reasonable request and where the provision of information alone is insufficient to demonstrate such compliance, by allowing for and contributing to one annual audit conducted by the Controller or any supervisory authority having competent jurisdiction (or on their behalf by a representative other than a competitor of the Processor) on reasonable prior notice to the Processor from time to time. The Controller shall use its best endeavours to perform such audit without causing material interruption to the Processor's operations or business. The audit shall not grant the Controller access to trade secrets or proprietary information and the Controller shall ensure its personnel conducting such audit are subject to strict obligations of confidentiality;
3.7 notify the Controller without undue delay (and within 72 hours, where feasible using reasonable endeavours) after becoming aware of a Personal Data Breach. The notification to the Controller will include at least: (i) the nature of the breach; (ii) the impacted data categories; (iii) the identified and potential consequences of the breach; and (iv) the measures the Processor takes to mitigate the consequences of the breach. The Processor shall take any reasonable measures necessary to mitigate damage resulting from the breach. The Processor shall provide all additional information reasonably requested by the Controller with regard to the breach and will reasonably assist the Controller in notifying the breach to a supervisory authority and/or the data subjects concerned;
3.8 taking into account the nature of the processing and the information available to the Processor, assist the Controller with its obligations under Article 32 to 36 of the GDPR and by appropriate technological and organisational measures, insofar as is possible, to respond to requests by data subjects exercising their rights under Chapter III of the GDPR; and
3.9 at the option of the Controller, delete or return to the Controller all Personal Data after the expiry or termination of the Principal Agreement, and delete any existing copies unless applicable law requires storage of the Personal Data.
4. The Controller hereby authorises the Processor to transfer Personal Data outside the European
Economic Area (“EEA”) and United Kingdom (“UK”) (each a “Restricted Transfer”) subject to the requirements of the Data Protection Legislation. The Processor may also make a Restricted Transfer if this is required by Data Protection Legislation to which the Processor is subject, provided that the Processor informs the Controller of that requirement before processing, unless applicable law prohibits such information on important grounds of public interest.
5. The SCCs shall be deemed incorporated into this Addendum and shall apply to any transfer of Personal Data between the parties if that transfer would directly result in a breach of the GDPR by either party if the SCCs did not apply.
6. Any authorisations or other consents provided under clauses 3.3 and 4 of this Addendum shall be deemed to apply to any consents required under the SCCs.
Rights and Obligations of the Controller
7. The Controller shall use its best endeavours to anonymise, in accordance with good industry practice, any Personal Data before disclosing it or making it available to the Processor.
8. Changes to the object of processing and changes to procedures shall be agreed jointly between the parties and shall be specified in writing or in electronic form.
9. The Controller shall place all instructions in writing or in electronic form. Oral instructions must be confirmed without undue delay in writing or in electronic form.
10. The Controller shall inform the Processor without undue delay if it detects errors or irregularities in the audit results of the processing.
11. The Controller is obliged to treat confidentially all business secrets and data security measures of the Processor of which the Controller becomes aware throughout the contractual relationship. This obligation shall survive termination of the Principal Agreement.
12. Except where expressly stated otherwise, each party shall bear its costs of providing any assistance or cooperation under this Addendum.
ANNEX 1: DETAILS OF PROCESSING
This Annex 1 includes details of the processing of Personal Data as required by Article 28(3) of the GDPR and, where applicable, the relevant SCCs.
Processing of Personal Data
|Subject matter: Processing in connection with the provision of the services provided under the Principal Agreement.|
|Nature: Collecting, structuring, retrieving, aggregating, formatting, anonymizing, pseudonymizing, deleting and destroying.|
|Duration: The term of the Principal Agreement and subsequent storage by the Processor and its sub-processors in accordance with their standard archiving lifecycles.|
|Location: The locations in which the Controller and the Processor and its group companies are established from time to time and those locations set out in Annex 2.|
Purposes of the Processing and further processing / Processing operations
The Processing is necessary for the following purposes:
|To provide the services under the Principal Agreement, namely consultancy services, including research and corporate due diligence activities.|
The Client Personal Data relates to the following categories of data subjects:
|Survey respondents and/or interviewees (including experts) where these are specified by the Controller and/or personnel relating to one or more organisations (or part thereof) relevant to corporate transactions that are the subject of the Services.|
Categories of Personal Data
The Client Personal Data Processed falls within the following categories:
The following personal data where its processing by the Processor is regulated by the GDPR and the Processor or its sub-processors directly or indirectly receive it from the Controller or where it relates to specific data subjects about whom the Controller instructs the Processor to collect the personal data:
· Survey and/or interview responses, including opinions, experiences and biographical information.
Personnel information, including, where applicable name, contact and job-related information e.g. job title and description tenure, remuneration (such as salary, bonus and benefits), tenure, education, performance-related information including appraisals, and place and location of work.
Special categories of Personal Data and/or criminal offence/conviction data
The Client Personal Data Processed falls within the following special categories of Personal Data/criminal offence/conviction data:
Rights and obligations of the Controller
|The rights and obligations of the Controller in relation to the Personal Data shall be as set out in this Addendum and the Data Protection Legislation.|
Restricted Transfers (where applicable)
The frequency of the transfer (e.g., whether the data is transferred on a one-off or continuous basis):
|One-off, subject to any other transfer frequencies set out in the Principal Agreement for a specific sub-processor.|
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period:
|In respect of any transfer where the data importer is the Controller, the duration specified in the data importer’s data retention policy. In all other cases, the duration specified above in this Annex 1, subject to any derogations set out in any supplementary information in the Principal Agreement.|
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing:
|As specified above in this Annex 1 subject to any derogations set out in any supplementary information in the Principal Agreement.|
Details of contact person:
For the Controller: As set out in the Principal Agreement.
For the Processor: OC&C Data Protection Manager, email address: firstname.lastname@example.org
ANNEX 2: LIST OF AUTHORISED SUBPROCESSORS
|Name of Sub-processor||Purpose of the Processing/subcontracted Services||Location of Processing|
|IntelliSurvey||Survey Provider||UK, EEA, USA, India|
|Savanta||Survey Provider||UK EEA, Canada, India|
|Dynata||Survey Provider||UK, EEA, USA, Philippines|
|Toluna||Survey Provider||UK, EEA, India|
|GLG Surveys||Survey Provider||UK, EEA, USA, Australia|
|Skim||Survey Provider||EEA, USA|
|Survey Monkey||Survey Provider||UK, USA, Canada, Australia|
|Potluc||Survey Provider||EEA, Canada|
|Processor’s group companies from time to time||The provision of the Services generally||UK, EEA, USA, China, Australia, Brazil, India|
ANNEX 3: SECURITY MEASURES
1. SECURITY PROGRAM
Processor will maintain a written information security program of policies, procedures and controls aligned to ISO27002, or substantially equivalent standard, governing the processing, storage, transmission and security of Personal Data (the “Security Program”). The Security Program includes industry-standard practices designed to protect Personal Data from accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. Processor updates the Security Program to address new and evolving security technologies, changes to industry standard practices, and changing security threats, although no such update will materially reduce the commitments, protections or overall level of service provided to Controller as described herein.
1.1 SECURITY ORGANIZATION. Processor shall designate a Information Security Officer or equivalent responsible for coordinating, managing, and monitoring Processor’ information security function, policies, and procedures.
1.2 POLICIES. Processor’ information security policies shall be (i) documented; (ii) reviewed and approved by management, including after material changes to the Services; and (iii) published, and communicated to personnel, contractors, and third parties with access to Personal Data, including appropriate ramifications for non-compliance.
1.3 RISK MANAGEMENT. Processor shall perform information security risk assessments as part of a risk governance program that is established with the objective to regularly test, assess and evaluate the effectiveness of the Security Program. Such assessment shall be designed to recognize and assess the impact of risks and implement identified risk reduction or mitigation strategies to address new and evolving security technologies, changes to industry standard practices, and changing security threats.
1.4 CERTIFICATIONS AND ATTESTATIONS. Processor shall establish and maintain sufficient controls to meet certification and attestation for the objectives stated in Cyber Essentials Plus (or equivalent standards) for the Security Program supporting the processing of Personal Data. At least once per calendar year, Processor shall obtain an assessment against such standards and audit methodologies by an independent third-party auditor and make the executive reports available to the Controller
1.5 PHYSICAL SECURITY MEASURES
(i) DATA CENTER FACILITIES. The data centre facilities include (1) physical access restrictions and monitoring that shall include a combination of any of the following: multi-zone security, man-traps, appropriate perimeter deterrents (e.g. fencing, berms, guarded gates), on-site guards, biometric controls, CCTV, and secure cages; and (2) fire detection and fire suppression systems both localized and throughout the data centre floor.
(ii) SYSTEMS, MACHINES AND DEVICES. The systems, machines and devices include (1) physical protection mechanisms; and (2) entry controls to limit physical access.
(iii) MEDIA. Processor shall use NIST 800-88 industry standard (or substantially equivalent) destruction of sensitive materials, including Personal Data, before such media leaves Processor’ data centres for disposition.
1.6 TECHNICAL SECURITY MEASURES
(i) ACCESS ADMINISTRATION. Access to the Personal Data by Processor employees and contractors is protected by authentication and authorization mechanisms. User authentication is required to gain access to production and sub-production instances. Individuals are assigned a unique user account. Individual user accounts shall not be shared. Access privileges are based on job requirements using the principle of least privilege access and are revoked upon termination of employment or consulting relationships. Infrastructure access includes appropriate user account and authentication controls, which will include the required use of VPN connections, complex passwords with expiration dates, account lock-out enabled, and a two-factor authenticated connection.
(ii) LOGGING AND MONITORING. The production infrastructure log activities are centrally collected, are secured in an effort to prevent tampering, and are monitored for anomalies by a trained security team. Processor shall provide a logging capability in the platform that captures login and actions taken by users in the Processor application.
(iii) SEPARATION CONTROL. Where appropriate, Processor applies relevant principles of corporate separateness to the data it stores.
(iv) PSEUDONYMIZATION. Where appropriate, Processor pseudonymizes personal data using a suitable method, having regard to the potential risks affecting that data, its transfer and the rights and freedoms of the individuals to whom it relates.
(v) FIREWALL SYSTEM. An industry-standard firewall is installed and managed to protect Processor systems by residing on the network to inspect all ingress connections routed to the Processor environment.
(vi) VULNERABILITY MANAGEMENT. Processor conducts quarterly security risk evaluations to identify critical information assets, assess threats to such assets, determine potential vulnerabilities, and provide for remediation. When software vulnerabilities are revealed and addressed by a vendor patch, Processor will obtain the patch from the applicable vendor and apply it within an appropriate timeframe in accordance with Processor’s then-current vulnerability management and security patch management standard operating procedure and only after such patch is tested and determined to be safe for installation in all production systems.
(vii) ANTIVIRUS. Processor updates antivirus, anti-malware, and anti-spyware software on regular intervals and centrally logs events for effectiveness of such software.
(viii) CHANGE CONTROL. Processor evaluates changes to platform, applications, and production infrastructure to minimize risk and such changes are implemented following Processor’s standard operating procedure.
(ix) CONFIGURATION MANAGEMENT. Processor shall implement and maintain standard hardened configurations for all system components within the Services. Processor shall use industry standard hardening guides, such as guides from the Centre for Internet Security, when developing standard hardening configurations.
(x) DATA ENCRYPTION IN TRANSIT. Processor shall use industry standard encryption to encrypt Personal Data in transit over public networks to the Personal Data.
(xi) DATA ENCRYPTION AT REST. Processor shall provide encryption at rest capability for data level encryption.
1.7 ORGANIZATIONAL SECURITY MEASURES.
(i) DATA CENTER INSPECTIONS. Processor reviews its third party data center / cloud providers security provisions to ensure they comply with the Processor’s Security Program.
(ii) PERSONNEL SECURITY. Processor performs background screening on all employees and all contractors who have access to Personal Data in accordance with Processor’s then-current applicable standard operating procedure and subject to applicable law.
(iii) SECURITY AWARENESS AND TRAINING. Processor maintains a security and privacy awareness program that includes appropriate training and education of Processor personnel. Such training is conducted at time of hire and at least annually throughout employment at Processor.
(iv) SOFTWARE AND ASSET INVENTORY. Processor shall maintain an inventory of all software components (including, but not limited to, open source software) used in the Services, and inventory all media and equipment where Personal Data is stored.
(v) WORKSTATION SECURITY. Processor shall implement and maintain security mechanisms on personnel workstations, including firewalls, anti-virus, and full disk encryption. Processor shall restrict personnel from disabling security mechanisms.
1.8 DATA BACKUP. Processor backs up all client data in accordance with Processor’s standard operating procedure.
1.9 DISASTER RECOVERY. Processor shall (i) maintain a disaster recovery (“DR”) related plan that is consistent with industry standards for the Personal Data processing relevant to the Services; (ii) test the DR plan at least once every year; (iii) make available summary test results which will include the actual recovery point and recovery times; and (iv) document any action plans within the summary test results to promptly address and resolve any deficiencies, concerns, or issues that prevented or may prevent the Personal Data from being recovered in accordance with the DR plan.
1.10 BUSINESS CONTINUITY. Processor shall maintain a business continuity plan (“BCP”) to minimize the impact to its provision and support of the Personal Data processing from an event. The BCP shall: (i) include processes for protecting personnel and assets and restoring functionality in accordance with the time frames outlined therein; and (ii) be tested annually and updated based on any deficiencies, identified during such tests.
1.11 PERSONNEL. In the event of an emergency that renders the customer support telephone system unavailable, all calls are routed to an answering service that will transfer to a Processor telephone support representative, geographically distributed to ensure business continuity for support operations.
2 MONITORING, MANAGEMENT AND NOTIFICATION.
2.1 INCIDENT MONITORING AND MANAGEMENT. Processor will monitor, analyse, and respond to security incidents in a timely manner in accordance with Processor’s standard operating procedure. Processor’s security group will escalate and engage response teams as may be necessary to address a security incident.
2.2 BREACH NOTIFICATION. Processor will report to Controller any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data (a “Breach”) without undue delay following determination by Processor that a Breach has occurred.
2.3 REPORT. The initial report will be made to Controller security contact(s) designated in Processor’s Support Portal (or if no such contact(s) are designated, to the primary technical contact designated by Controller). As information is collected or otherwise becomes available, Processor shall provide without undue delay any further information regarding the nature and consequences of the Breach to allow Controller to notify relevant parties, including affected individuals, government agencies, and data protection authorities in accordance with Data Protection Legislation. The report will include the name and contact information of the Processor contact from whom additional information may be obtained. Processor shall inform Controller of the measures that Processor will adopt to mitigate the cause of the Breach and to prevent future Breaches.
2.4 CUSTOMER OBLIGATIONS. Controller will cooperate with Processor by providing any information that is reasonably requested by Processor to resolve any security incident, including any Breaches, identify its root cause(s), and prevent a recurrence. Controller is solely responsible for determining whether to notify the relevant supervisory or regulatory authorities and impacted Data Subjects and for providing such notice.
3 PENETRATION TESTS BY A THIRD-PARTY
Processor contracts with third-party vendors to perform quarterly tests on the Processor applications to identify risks and remediation options that help increase security. Processor shall make executive reports from annual penetration testing available.
The above measures may be adjusted by Processor from time to time (including as a result of the evolution of technology) provided that such changes shall not reduce the overall standard of security provided by the measures.