Data Protection Terms
Data Processing Terms
1. Where Xplor (Processor Party) processes any personal data in connection with this Agreement as a processor (or subprocessor) on behalf of Company acting as a controller (or appointing processor) (Controller Party), Processor Party shall:
1.1. only process such personal data as is necessary to fulfil its obligations under the Agreement or to comply with applicable Law;
1.2. only engage subprocessors that are (i) part of the Processor Party’s group companies or (ii) in place at the time of the Commencement Date, inform the Controller Party of any intended changes to subprocessors thereby giving Controller Party a reasonable opportunity to object to the intended changes, ensure that all subprocessors are bound as appropriate by terms similar to the Data Processing Terms, and be responsible for any breach of those terms by such subprocessor;
1.3. not transfer personal data outside the EEA or UK or otherwise across international boundaries save where the transfer is allowed by applicable Law;
1.4. taking into account the nature of the Processor Party’s processing and the information available to Processor Party, provide reasonable assistance to the Controller Party: (i) in complying with Controller Party’s obligations to respond to requests from individuals; and (ii) maintain the security of processing;
1.5. on the expiration or termination of this Agreement and following a request from Controller Party, promptly delete all personal data save to the extent that Processor Party is required to retain any personal data by applicable Law;
1.6. notify Controller Party without undue delay, on becoming aware of any personal data breach relating to the personal data;
1.7. ensure that all persons with access to the personal data are bound by confidentiality obligations; and
1.8. take appropriate technical and organisational measures against the unauthorised or unlawful processing of personal data, and against the accidental loss or destruction of, or damage to personal data.
2. In the event that either party receives any complaint, notice or communication (including from either a supervisory authority or a data subject) which relates directly to the processing of personal data in connection with this Agreement or to the other party’s compliance with applicable Law, it will notify the other party and provide the other party and the supervisory authority (if applicable) with reasonable co-operation and assistance in relation to any such complaint, notice or communication.
3. Each party will keep at its normal place of business, such records as required by the GDPR (whether in electronic form or hard copy) relating to its processing of personal data (Records).
4. Each party will permit the other party’s third-party representatives, on reasonable notice during normal business hours and at the other party’s expense and subject to appropriate confidentiality obligations, to inspect all Records for the sole purpose of auditing the processing party’s compliance with its obligations under the Data Processing Terms. Such audit rights may be exercised only once in any calendar year during the term of this Agreement.
5. Each party warrants that it will comply with all of its obligations under applicable Law in respect of the processing of Personal Data in connection with this Agreement.
6. In this Exhibit A the words controller, data subject, personal data, personal data breach, process, processor and supervisory authority all have the meanings given by Article 4 of the General Data Protection Regulation (EU) 206/679.
7. The nature and purpose of the processing covered by this Exhibit is for the purposes of the Agreement, categories of data subject are individuals (staff and customers) authorized by Company to access the Platform and the types of personal data are basic details and membership information relating to customers and basic details and professional information relating to Company staff or agents (as more particularly set out in the parties’ privacy statements).
8. In the event of conflict between the terms of this Exhibit A and the provisions of the rest of the Agreement, the terms of this Exhibit A will take precedence.