Data Protection Addendum
1. INTRODUCTORY TERMS
1.1. We process personal data in the course of providing the services under the Agreement. Data protection laws apply to the processing of that data which require that specific provisions are included in the Agreement in respect of processing for which we are a Processor (as defined below).
1.2. This DPA, as amended by us from time to time by written notice to you, forms part of and shall be deemed incorporated into the Agreement.
1.3. If there is any conflict or inconsistency between the terms of this DPA and the Agreement, the terms of the DPA shall prevail to the extent necessary to resolve the conflict or inconsistency.
2. DEFINITIONS
2.1. Expressions defined in the Agreement shall have the same meanings when used in this DPA.
2.2. In this DPA, the following expressions shall have the following meanings:
Controller, Processor, Data Subject, Personal Data, Personal Data Breach, Process and Processing
Shall have the respective meanings given to them (and terms used for similar concepts) in Data Protection Laws, and Customer Personal Data means the Personal Data set out in the Description of Processing where such data is Processed by us as a Processor on your behalf;
Data Protection Laws
Any applicable legislation in force from time to time relating to the protection of personal data of individuals including the GDPR and the Data Protection Act 2018 (or any successor legislation);
Description of Processing
The description of our Processing of the Customer Personal Data attached to this DPA;
GDPR
The UK GDPR (as defined in section 3(10) of the Data Protection Act 2018, supplemented by section 205(4) of the Data Protection Act 2018) and, to the extent applicable, the EU General Data Protection Regulation (Regulation (EU) 2016/679;
Liabilities
All losses, reasonable costs, charges, expenses, legal and other professional costs awarded against, suffered, incurred or paid by us or you, as applicable (and Liability shall be construed accordingly); and
Services
The services provided by us to you under the Agreement.
Statement of Work
A statement of work executed under the YLD Master Services Agreement (MSA) entered into between the Parties (and where the Agreement is the MSA, references to Agreement in this DPA shall include each Statement of Work made under that MSA).
3. ROLES AND DATA PROCESSING RESPONSIBILITIES
3.1. You acknowledge and agree that: (i) you are a Controller and that we are a Processor for the purposes of Processing Customer Personal Data; and (ii) we are a Controller in relation to any Processing described in our privacy and cookie policies located at https://www.yld.io/privacy-policy.
3.2. In respect of any Customer Personal Data Processed by us, we shall:
3.2.1 only Process Customer Personal Data in accordance with your documented instructions from time to time unless we are required by the laws applicable in the UK, any member state of the European Union or the European Union (as applicable) to Process that data otherwise than in accordance with those instructions (in which case we shall notify you unless the law prohibits us from doing so on public interest grounds);
3.2.2 ensure that those of our staff who have access to and/or Process Customer Personal Data are committed to keeping that data confidential;
3.2.3 implement appropriate technical and organisational measures to protect against accidental, unlawful or unauthorised destruction, loss, alteration or disclosure of, or access to, Customer Personal Data in accordance with our obligations under Data Protection Laws. You acknowledge that you are solely responsible for assessing whether the technical and organisational measures we implement are appropriate for a particular type of Personal Data. You shall conduct such assessment before providing or making available the Customer Personal Data to us;
3.2.4 with your general authorisation (which you hereby provide) engage other Processors to Process the Customer Personal Data (Sub-Processor) provided we notify you of any intended changes concerning the addition or replacement of Sub-Processor(s) and provide you with the opportunity to object to such changes. Any objections must be notified to us in writing within 14 days of the date of our notice to you. If we do not receive an objection from you within such period, you shall be deemed to have agreed to our use of such Sub-Processor. If you object within such period or after we notify you in writing that a Sub-Processor we propose does not accept some or all of the obligations set out above in this DPA (or after we notify you in writing that an existing Sub-Processor is no longer bound by some or all of those obligations), then we and you shall, acting in good faith, discuss, and each of us use reasonable (but commercially prudent) endeavours to resolve your objections. If we are unable to resolve these within fourteen (14) days of your objection, we or you may terminate the Agreement without liability on giving seven (7) days’ written notice to the other Party. A list of any Sub-Processors used by us shall be set out in the applicable Statement of Work. Our use of Sub-Processors does not relieve us of our obligations to you under this DPA and we will enter into a written agreement with each Sub-Processor with terms and information equivalent to the mandatory terms and information required under Article 28(3) of the GDPR;
3.2.5 not transfer any Customer Personal Data outside of the United Kingdom and European Economic Area (EEA) if such transfer would directly cause you to breach your obligations under Article 44 of the GDPR. Subject to the foregoing provisions of this paragraph 3.2.5, you hereby consent to us and any of our Sub-Processors transferring Customer Personal Data outside the UK and EEA. You shall promptly enter into any standard contractual clauses issued by the UK Secretary of State, European Commission or other competent body relating to the transfer of Personal Data to third countries (as defined by Data Protection Law) as we require to comply with this DPA and/or Data Protection Laws. Any such standard clauses entered into between you and us pursuant to this paragraph 3.2.5 shall, once executed, be incorporated into and form part of this DPA and such standard contractual clauses shall take precedence over any other terms of this DPA in the event of any conflict or inconsistency;
3.2.6 provide such assistance (at your cost and to such extent permitted by Data Protection Laws) as you may reasonably require in responding to any request from a Data Subject and in ensuring compliance with your obligations under Data Protection Laws with respect to security, breach notifications, data protection impact assessments and consultations with any data protection regulators. In no event shall we be obliged to respond directly to any such request or correspondence unless specifically required to do so by law;
3.2.7 without undue delay after becoming aware of a Personal Data Breach, notify you of that breach including, to the extent the information is available, the nature of the breach, the impacted categories of Customer Personal Data; any material consequences of the breach and the measures we have taken to mitigate the consequences of the breach. Any notification made by us under this paragraph 3.2.7 shall be made without any admission of liability and we shall not be liable for any decisions made (or not made) by you based on such notification; and
3.2.8 for the sole purpose of demonstrating our compliance with this DPA, provide such information as you reasonably require, or where, in our reasonable opinion, the provision of information alone is not reasonably sufficient for that purpose, allow for and contribute to an audit (including inspection) of the relevant parts of our business by up to two (2) of your representatives (in each case, at your cost, including any auditors’ or administrative fees). You shall give not less than one (1) month’s prior written notice prior to the date you wish to conduct the audit and shall conduct any such audit no more than once per calendar year at such time and date that is convenient for us (except where required otherwise by a data protection regulator having competent jurisdiction). You shall promptly notify us in writing of any non-compliance discovered by such audit. You shall not disclose to any third party (other than, where applicable, the external auditor performing the audit) any information or reports obtained or produced in connection with any such audit and shall use such information and reports solely for the purposes of meeting your regulatory audit requirements and/or confirming our compliance with the requirements of this DPA. You shall provide us a copy of any reports produced in connection with any such audits promptly following completion. You shall ensure that you take reasonable steps and any steps we request to minimise any interruption to our business when exercising your rights under this paragraph 3.2.8. If a third party conducts the audit, we may object to the auditor if the auditor is, in our reasonable opinion, not suitably qualified or independent, our competitor or a competitor of our shareholders, or otherwise manifestly unsuitable. If we do object, we may require you to appoint another auditor or to conduct the audit yourself.
3.3 You shall: (i) ensure that all documented instructions you issue to us comply with Data Protection Laws; (ii) be and remain solely responsible for the content of the Description of Processing, for determining the lawful basis and conditions for the Processing of all Customer Personal Data in connection with the Agreement and for the accuracy, quality, and legality of all Customer Personal Data and the means by which you acquired that data; and (iii) not seek our assistance in respect of any activities or tasks that can reasonably be performed by you. You shall immediately notify us in writing if the Description of Processing is inaccurate or incomplete at any time together with full details.
3.4 To the extent permitted by law, we accept no liability for any: (i) inaccurate data (including Personal Data) provided to you as part of the Services to the extent that such inaccuracy arises from incorrect data provided by you, any Data Subjects or any sources that are not Sub-Processors; or (ii) representations, guarantees or conditions that the Services or the Customer Personal Data are fit for a particular purpose or shall meet your requirements.
3.5 We shall not be liable for any Liabilities in connection with this DPA or the Services to the extent that we are not in any way responsible for the event giving rise to the Liabilities or you are responsible for the Liabilities, in each case, in accordance with Article 82 of the GDPR. Notwithstanding any term of this DPA or the Agreement, except to the extent our liability to you cannot be limited or excluded by applicable law, our total aggregate liability to you under each Agreement arising from or in connection with any breach of this DPA or any other terms relating to data protection, privacy or security in the Agreement shall be subject to the liability cap set out in the applicable Agreement, or if no such cap is specified, such liability shall be limited to an amount equal to the total fees paid by you to us in the 6 months prior to the date the claim arose.
3.6 Notwithstanding paragraphs 3.2.1 and 3.7, we shall have no obligation to comply (nor any Liability for non-compliance) with your use of the Services or any of your instructions which in our opinion shall or are likely to: (i) vary the provisions of the Agreement; (ii) be inconsistent with the Description of Processing; or (iii) breach any Data Protection Laws (by way of example only, if we notify you of a security vulnerability or concern that you have not addressed or permitted us to address on your behalf). If we notify you of any of the circumstances set out in paragraphs 3.6(i) to (iii) and you do not promptly remedy any inconsistency or non-compliance to our reasonably satisfaction, we may terminate the applicable Agreement without liability on providing no less than 7 days’ written notice.
3.7 We shall immediately notify you if, in our opinion, any documented instructions you provide to us breach Data Protection Laws. You shall not rely on such notice, which you acknowledge and agree does not constitute legal advice. You shall seek independent legal advice if you wish to determine whether any instruction received by us and which we believe breaches Data Protection Laws, is in fact a breach or likely to be a breach of those laws.
3.8 Following expiry or termination of the Agreement (at your option and sole cost) we shall either return to you or delete any Customer Personal Data Processed by us solely as a Processor, in each case, in accordance with the Agreement, except where we are required to store it pursuant to applicable law.