1. DEFINITIONS AND INTERPRETATION
1.1 The following terms shall have the following meanings hereunder:
Company: means Endorse Medical Limited.
Company Data: means the personal data disclosed to the Supplier by or on behalf of the Company and in this context “disclose” includes directly or indirectly giving the Supplier, or arranging for the Supplier to have, access to personal data in any manner and in any form or format whatsoever, including by instructing the Supplier to collect personal data directly from the Data Subject (or anyone authorised by the Data Subject to provide it). The categories of personal data are more particularly described in the Schedule.
Controller: has the meaning given to that term in the Data Protection Legislation.
Data Protection Legislation: means (i) until the GDPR is directly applicable in the United Kingdom, the Data Protection Act 1998; (ii) once the GDPR is directly applicable in the United Kingdom, the GDPR and any national implementing laws, regulations and secondary legislation in the United Kingdom relating to the processing of personal data and the privacy of electronic communications, as amended, replaced or updated from time to time; and then (iii) any successor legislation to the GDPR or the Data Protection Act 1998.
Data Subject: means an individual who is the subject of any of the Company Data. The categories of Data Subject are more particularly described in the Schedule.
GDPR: means the General Data Protection Regulation 2016/679.
Main Agreement: means any contract entered into between the Company and the Supplier for the purchase of goods and/or services pursuant to the Company’s Terms and Conditions of Purchase.
Processor: has the meaning given to that term in the Data Protection Legislation.
Supervisory Authority: means any relevant supervisory authority under the Data Protection Legislation.
Supplier: means any individual, firm, partnership, company or organisation or any other undertaking, which receives a purchase order from the Company pursuant to the Main Agreement.
1.2 A reference to a particular law is a reference to it as it is in force for the time being taking account of any amendment, extension, application or re-enactment and includes any subordinate legislation for the time being in force made under it.
1.3 Words in the singular include the plural and in the plural include the singular.
1.4 Any reference to parties shall refer to the Company and the Supplier and party shall be interpreted accordingly.
1.5 Any phrase introduced by the terms including, include, in particular or any similar expression shall be construed as illustrative and shall not limit the sense of the words preceding or following those terms.
2. PRELIMINARY INFORMATION
2.1 The Company and the Supplier acknowledge that, for the purposes of the Data Protection Legislation, the Company is the Controller and the Supplier is the Processor of any Company Data.
2.2 The GDPR requires that a written agreement be entered into between a Controller and a Processor in order to allow the processing of personal data by the Processor on behalf of the Controller. For this reason, the parties have agreed to enter into a supplementary agreement to the Main Agreement pursuant to these data processing terms (this Processing Agreement). For the avoidance of doubt, this Processing Agreement is expressly incorporated into the Main Agreement.
2.3 The Schedule to this Processing Agreement sets out the scope, nature and purpose of processing by the Supplier, the duration of the processing and the types of Company Data and categories of Data Subject.
2.4 Both parties will comply with all applicable requirements of the Data Protection Legislation. This clause 2.4 is in addition to, and does not relieve, remove or replace, a party’s obligations under the Data Protection Legislation.
3. OBLIGATIONS OF THE SUPPLIER
3.1 The Supplier shall process the Company Data subject to and in accordance with the Company’s express written instructions from time to time.
3.2 If the Supplier considers that any instruction from the Company contravenes the Data Protection Legislation, it shall immediately notify the Company, giving reasonable details.
3.3 In accordance with its obligations under the Data Protection Legislation, the Supplier shall implement appropriate technical and organisational measures against unauthorised or unlawful processing of the Company Data, and against accidental loss or destruction of or damage to the Company Data, to ensure compliance with the Data Protection Legislation. For the avoidance of doubt, said measures shall include, at a minimum and where appropriate, pseudonymising and encrypting the Company Data, ensuring confidentiality, integrity, availability and resilience of the Supplier’s systems and services, ensuring that availability of and access to the Company Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by the Supplier.
3.4 The Supplier shall:
(a) comply with its obligations as a Processor under the Data Protection Legislation in relation to the processing of personal data by it under this Processing Agreement;
(b) keep such records and information as are necessary to demonstrate compliance with the Data Protection Legislation in relation to the processing of personal data under this Processing Agreement by both the Supplier and the Company (so far as possible) and promptly provide them to the Company on request;
(c) permit the Company, any auditor appointed by the Company, or a Supervisory Authority to have access to the Supplier’s premises, personnel and records, without notice, to the extent reasonably required for verifying compliance with the Data Protection Legislation and the requirements of this Processing Agreement;
(d) promptly take such steps as the Company requests it to take, to ensure that the measures implemented under clause 3.3 above are sufficient to ensure the Company’s compliance with the Data Protection Legislation; and
(e) generally assist the Company to ensure compliance with the Company’s obligations under the Data Protection Legislation in relation to the processing of the Company Data under this Processing Agreement.
3.5 The Supplier shall promptly comply with any request from the Company requiring the Supplier to return, update or otherwise amend, transfer, delete or destroy the Company Data.
3.6 The Supplier shall not transfer any of the Company Data outside the European Economic Area, except upon and in accordance with the express written instructions or agreement in writing of the Company. Where the Supplier has transferred any of the Company Data outside the European Economic Area on the express written instruction of the Company, the Company may require the Supplier to transfer the Company Data back to within the European Economic Area at any time in the event of a change in law which makes it unlawful for the Company Data to be processed in the jurisdiction outside the European Economic Area where it is being processed.
3.7 If the Supplier receives any complaint, notice or communication which relates directly or indirectly to the processing of the Company Data or to either party’s compliance with the Data Protection Legislation, it will immediately notify the Company and provide the Company with full co-operation and assistance.
3.8 The Supplier agrees promptly to assist the Company in responding to any request from any Data Subject which is received by the Company or the Supplier.
3.9 The Supplier will ensure that access to the Company Data is limited to:
(a) those personnel of the Supplier and its Company-approved sub-Processors who need access to the Company Data to meet the Supplier’s obligations under this Processing Agreement (the Supplier Personnel); and
(b) in the case of any access by any Supplier Personnel, such part or parts of the Company Data as is strictly necessary for performance of that member of the Supplier Personnel’s duties.
3.10 The Supplier will ensure that all of the Supplier Personnel:
(a) are bound by appropriate obligations of confidentiality in respect of the Company Data;
(b) have undertaken training in the laws relating to processing of personal data; and
(c) have undergone appropriate vetting and other appropriate security checks to ensure their reliability.
3.11 Notwithstanding any other provision of this Processing Agreement, the Supplier shall not without the Company’s prior written consent:
(a) sub-contract any of its obligations in relation to the processing of the Company Data or otherwise authorise any third party to Process Company Data on its behalf (except to the extent a specific third party has been approved for this purpose in writing by the Company and subject to the Supplier entering into a written agreement with the third-party processor which incorporates terms which are substantially similar to those set out in this Processing Agreement.); or
(b) assign or otherwise transfer (as applicable) its rights and obligations under this Processing Agreement.
3.12 The Supplier shall promptly notify the Company in writing:
(a) of any breach or suspected breach of any of the Supplier’s obligations under clauses 3.3 to 3.6 and 3.9 to 3.10 inclusive; and
(b) of any other unauthorised or unlawful processing of any of the Company Data; and
(c) of any other loss or destruction of or damage to any of the Company Data; and
(d) such notification under this clause 3.12 as aforesaid shall contain all such information as is required for the Company to discharge its responsibilities under the Data Protection Legislation in relation to such breach or suspected breach.
3.13 Following notification as aforesaid under clause 3.12, the Supplier shall promptly, at the Supplier’s sole cost and expense:
(a) provide the Company with all such information and cooperation as the Company may request in connection with investigating such breach or suspected breach; and
(b) take such steps as the Company requires it to take to mitigate the adverse effects of any such breach or suspected breach.
3.14 The Supplier shall indemnify and hold the Company harmless against any failure by the Supplier to fulfil any obligation of the Supplier under this Processing Agreement and also for the consequences of any such failure as aforesaid.
4.1 Any proposed amendment to this Processing Agreement shall be agreed in good faith in writing by both parties.
4.2 The provisions of clause 4.1 shall apply without limitation whether the amendment is required in order to comply with the Data Protection Legislation, applicable law, or any requirements stipulated by the Company.
5.1 No failure, delay or omission by either party in exercising any right, power or remedy provided by law or under this Processing Agreement shall operate as a waiver of that right, power or remedy, nor shall it preclude or restrict any future exercise of that or any other right or remedy. No single or partial exercise of any right, power or remedy provided by law or under this Processing Agreement shall prevent any future exercise of it or the exercise of any other right, power or remedy.
5.2 In the event of any conflict, the terms of this Processing Agreement shall prevail over the terms of the Main Agreement.
5.3 This Processing Agreement and any dispute or claim arising out of or in connection with it, its subject matter or formation (including non-contractual disputes or claims) shall be governed by, and construed in accordance with the laws of England and Wales.
5.4 The parties irrevocably agree that the courts of England and Wales shall have exclusive jurisdiction to settle any dispute or claim arising out of, or in connection with, this Processing Agreement, its subject matter or formation (including non-contractual disputes or claims)
Schedule – Processing, Company Data and Data Subjects
A1. Processing by the Supplier
A1.1 Scope, nature and purpose of processing
The scope, nature and purpose of the processing activities required for the provision of goods and/or services by the Supplier to the Company under the Main Agreement.
A1.2 Duration of the processing
The duration of the processing corresponds to the duration of the Main Agreement.
A2. Types of Company Data
- Identity Data including first name, last name, username or similar identifier.
- Contact Data including billing address, delivery address, email address and telephone numbers.
- Financial Data including bank account and payment card details.
- Transaction Data including details about payments to and from the Data Subject.
- Technical Data including internet protocol (IP) address, the Data Subject’s login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform.
- Profile Data including the Data Subject’s username and password, or orders requested by the Data Subject.
- Usage Data including information about how the Data Subject uses the website of the Supplier.
- Communications Data including the Data Subject’s communication preferences.
A3. Categories of Data Subject
- The Company’s employees (including temporary or casual workers).
- The Company’s group companies’ employees (including temporary or casual workers).
- The Company’s customers and potential customers.
- The Company’s business partners.
The Company’s suppliers (other than the Supplier) and sub-contractors.
- The Company’s agents.
- Individuals identified in documents processed by the Company in providing services to its customers.