This Schedule sets out the additional terms, requirements, and conditions on which TES will process personal data when providing the Services under this Agreement. This Agreement contains the mandatory clauses required by Article 28(3) of the General Data Protection Regulation ((EU) 2016/679) for contracts between controllers and processors.
The table below sets out the subject-matter, nature and purpose, duration of the processing, the type(s) of personal data being processed, and the categories of data subjects, as required by Article 28(3) of the General Data Protection Regulation ((EU) 2016/679), as well as details of any third-party processors already engaged by TES on the Commencement Date of the Agreement (the “Table”):
Data Processing Details
Subject-matter
The provision of services as detailed in the Sales Order Form and Project Documentation relating to the Services and Deliverables and the administration of them.
Nature and purpose
Except for the administration of the contract with the Customer, the processing of personal data is entirely incidental to the service provision by TES and is limited to storage and authorised disclosure. No access or changes to, or other processing of any personal data is carried out as part of the service provision other than as may be required on the Customer’s specific written instructions.
Duration
For the duration of service provision. Data is automatically deleted following termination of the Master Services Agreement in accordance with its terms.
Types of personal data
(1) Customer employee contact information for the administration of the contract. (2) As may be included by the Customer in any uploaded data. TES have no control over or visibility of this information.
Categories of Data Subject
(1) Customer employee administrative contacts. (2) As may be included by the Customer in any uploaded data. TES have no control over or visibility of this information.
Third Party Processors
[TBC]. Please see clause 5.3 below regarding TES’s obligations in relation to sub-processors.
Definitions
“Applicable Laws”: the law of the European Union (for so long as and to the extent that they apply to the Data Processor), the law of any member state of the European Union and/or the UK Data Protection Legislation and any other law that applies in the UK.
“controller”, “processor”, “data subject”, “personal data”, “personal data breach”, “processing” and “appropriate technical and organisational measures”: as defined in the Data Protection Legislation.
“Data Protection Legislation”: the UK Data Protection Legislation and any other European Union legislation relating to personal data and all other legislation and regulatory requirements in force from time to time which apply to a party relating to the use of personal data (including, without limitation, the privacy of electronic communications); and the guidance and codes of practice issued by the relevant data protection or supervisory authority and applicable to a party.
“UK Data Protection Legislation”: all applicable data protection and privacy legislation in force from time to time in the UK including the General Data Protection Regulation ((EU) 2016/679); the Data Protection Act 2018; the Privacy and Electronic Communications Directive 2002/58/EC (as updated by Directive 2009/136/EC) and the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426) as amended.
For the purposes of this Schedule, the Customer will be referred to as the “Data Controller”, and TES will be referred to as the “Data Processor”.
1. Compliance with Data Protection Legislation
This Schedule is intended to ensure that the Data Controller’s appointment of the Data Processor is compliant with Data Protection Legislation, and the Data Processor may, at any time on not less than 30 days’ notice, revise this Schedule by replacing it with any applicable controller to processor standard clauses or similar terms approved by the relevant supervisory authority forming part of an applicable certification scheme to which the Data Processor is subject.
Both parties will comply with all applicable requirements of the Data Protection Legislation. This clause 2 is in addition to, and does not relieve, remove or replace, a party’s obligations or rights under the Data Protection Legislation.
The Data Processor shall, in providing the Services, comply with its privacy policy relating to the privacy and security of personal data as may be notified to the Data Controller from time to time, as such document may be amended from time to time by the Data Processor in its sole discretion.
2. Roles of the parties
The parties acknowledge that for the purposes of the Data Protection Legislation, the Data Controller is the controller and the Data Processor is the processor. The Table sets out the scope, nature and purpose of processing by the Data Processor, the duration of the processing and the types of personal data and categories of Data Subject.
3. Data Controller’s Responsibilities
Without prejudice to the generality of Clause 1.1, the Data Controller will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the personal data to the Data Processor and/or lawful collection of the personal data by the Data Processor on behalf of the Controller for the duration and purposes of this Agreement.
4. Data Processor’s Responsibilities
Without prejudice to the generality of Clause 1.1, the Data Processor shall, in relation to any personal data processed in connection with the performance by the Data Processor of its obligations under this Agreement:
(a) process that personal data only on the documented written instructions of the Data Controller unless the Data Processor is required by Applicable Laws to otherwise process that personal data. Where the Data Processor is relying on Applicable Laws as the basis for processing personal data, the Data Processor shall promptly notify the Data Controller of this before performing the processing required by the Applicable Laws unless those Applicable Laws prohibit the Data Processor from so notifying the Data Controller;
(b) ensure that it has in place appropriate technical and organisational measures, to protect against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data, appropriate to: the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage of the data; and the nature of the data to be protected, in all cases having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymising and encrypting personal data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to personal data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it);
(c) ensure that all personnel who have access to and/or process personal data are obliged to keep the personal data confidential; and
(d) not transfer any personal data outside of the European Economic Area and the United Kingdom unless either: the Commission has decided, in accordance with Article 45 of the General Data Protection Regulation ((EU) 2016/679), that the third country, a territory or one or more specified sectors within that third country, or the international organisation to which personal data is to be transferred, ensures an adequate level of protection; or, the following conditions are fulfilled:
(i) the Data Controller or the Data Processor has provided appropriate safeguards in relation to the transfer; and
(ii) the data subject has enforceable rights and effective legal remedies,
where, in all cases, the Data Processor complies with reasonable instructions notified to it in advance by the Data Controller with respect to the processing of the personal data;
(e) assist the Data Controller, at the Data Controller’s cost, in responding to any request from a data subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators;
(f) notify the Data Controller without undue delay, and where practicable, within 48 hours, on becoming aware of a personal data breach;
(g) at the written direction of the Data Controller, delete or return personal data and copies thereof to the Data Controller on termination of the Agreement unless required by Applicable Law to store the personal data; and
(h) maintain complete and accurate records and information to demonstrate its compliance with this clause 4 and allow for audits by the Data Controller or the Data Controller’s designated auditor, only so far as is necessary in order to demonstrate compliance, provided that the Data Controller: provides the Data Processor with no less than 30 days’ notice of such audit or inspection; and the parties agree the scope, duration, and purpose of such audit or inspection in advance. If the Data Controller becomes privy to any confidential information of the Data Processor as a result of this clause 4(h), the Data Controller shall hold such confidential information in confidence and, unless required by law, not make the confidential information available to any third party, or use it for any other purpose. The Data Controller acknowledges that the Data Processor shall only be required to use reasonable endeavours to assist the Data Controller in procuring access to any third-party assets, records or information as part of any audit.
5. Third party processors
5.1 The Data Controller acknowledges and consents to the appointment on the Commencement Date by the Data Processor of the third parties listed in the Table as sub-processors of the personal data being processed under this Agreement.
5.2 The Data Processor confirms that: (a) it shall impose on all sub-processors the same data protection obligations as set out in clauses 1, 4, and 5; and (b) such sub-processors as referred to in clause 5.1 are common to all customers of the Data Processor and the Data Processor shall remain fully liable for the actions of its sub-processors at all times.
5.3 The Data Processor shall give the Data Controller prior notice of the appointment of any new sub-processors and provide the Data Controller with full details of the processing to be undertaken by the sub-processor, thereby giving the Data Controller the opportunity to object to such appointment. If the Data Processor so notifies the Data Controller of any changes to sub-processors and the Data Controller objects to such changes, the Data Controller will be entitled to terminate this Agreement (without liability for either party, and such termination will be deemed to be a no-fault termination) if the Data Controller has reasonable grounds for objecting to such changes by reason of the changes causing, or being likely to cause, the Data Controller to be in breach of the Data Protection Legislation.