Data Processing Addendum

As referred to in the Kinspeed Standard Terms and Conditions 

Definition

For any other defined terms please see Kinspeed Standard Terms and Conditions.

“Data Protection Legislation”

means all applicable legislation in force from time to time in the United Kingdom applicable to data protection and privacy including, but not limited to, the retained EU law version of the General Data Protection Regulation ((EU) 2016/679) (the “UK GDPR”); the Data Protection Act 2018 (and regulations made thereunder); and the Privacy and Electronic Communications Regulations 2003 as amended; and any applicable guidance or codes of practice issued by the Information Commissioner’s Office or other applicable regulatory authorities from time to time.

1. Data Processing

1.1. In this Addendum, the terms “personal data”, “processing”, “data subject”, “controller”, “processor”, and “personal data breach” shall have the meanings defined in Article 4 of the UK GDPR, and the terms “Data Processor” and “Data Controller” shall have the same meanings as “processor” and “controller” respectively. The term “domestic law” means the law of the United Kingdom or a part thereof.

1.2. The Parties hereby agree that they shall both comply with all applicable data protection requirements set out in the Data Protection Legislation. This Addendum shall not relieve either Party of any obligations set out in the Data Protection Legislation and does not remove or replace any of those obligations.

1.3. For the purposes of the Data Protection Legislation and for this Addendum, the Client is the “Data Controller” and Kinspeed is the “Data Processor”.

1.4. The scope, nature, and purpose of the processing; the duration of the processing; the type(s) of personal data; and the category or categories of data subject are set out in Schedule 1 hereto.

1.5. The Data Controller shall (without prejudice to the generality of sub-Clause 1.2) ensure that it has in place all necessary consents and notices required to enable the lawful transfer of personal data to or the lawful collection of personal data by the Data Processor for the purposes described in this Agreement and for the duration thereof.

1.6. The Data Processor shall (without prejudice to the generality of sub-Clause 1.2), with respect to any personal data processed by it in relation to its performance of any of its obligations under this Agreement:

1.6.1. process the personal data only on the written documented instructions of the Data Controller unless the Data Processor is otherwise required to process such personal data by domestic law. The Data Processor shall promptly notify the Data Controller before carrying out such processing unless it is prohibited from doing so by that law;

1.6.2. ensure that it has in place appropriate technical and organisational measures (as approved by the Data Controller) to protect the personal data from unauthorised or unlawful processing, accidental loss, damage, or destruction. Such measures shall be appropriate and proportionate to the potential harm resulting from such events and to the nature, scope, and context of the personal data and processing involved, taking into account the current state of the art in technology and the cost of implementing those measures;

1.6.3. ensure that any and all persons with access to the personal data (whether for processing purposes or otherwise) are contractually obliged to keep that personal data confidential;

1.6.4. not transfer any personal data outside of the EEA to any country that does not have adequacy status unless the following conditions are satisfied or with the consent of the Data Controller (which shall be deemed to have been given where the Data Controller specifies the host or third party or the Services intrinsically require the personal data to be transferred to a named Third Party);

a) the Data Processor ensures there are appropriate safeguards for the transfer of personal data including standard contract clauses; and

b) affected data subjects have enforceable rights and effective legal remedies; and

c) the Data Processor complies with its obligations under the Data Protection Legislation, providing an adequate level of protection to any and all personal data so transferred;

1.6.5. assist the Data Controller, at the Data Controller’s cost, in responding to any and all requests from data subjects and in ensuring its compliance with the Data Protection Legislation with respect to impact assessments, security, breach notifications, and consultations with supervisory authorities or other applicable regulatory authorities (including, but not limited to, the Information Commissioner’s Office);

1.6.6. notify the Data Controller without undue delay of any personal data breach of which it becomes aware;

1.6.7. on the Data Controller’s written instruction, delete (or otherwise dispose of) or return all personal data and any and all copies thereof to the Data Controller on termination of this Agreement unless it is required to retain any of the personal data by domestic law; and

1.6.8. maintain complete and accurate records of all processing activities and technical and organisational measures implemented necessary to demonstrate compliance with this Addendum and to allow for audits, including inspections, by the Data Controller and/or any party designated by the Data Controller. The Data Processor shall inform the Data Controller immediately if, in its opinion, any instruction infringes the Data Protection Legislation.

1.7. The Data Processor shall not sub-contract any of its obligations with respect to the processing of personal data under this Addendum to another processor without the prior written consent of the Data Controller (such consent not to be unreasonably withheld). In the event that the Data Processor appoints another processor, the Data Processor shall:

1.7.1. enter into a written agreement with the other processor, which shall impose upon that other processor substantially the same obligations as are imposed upon the Data Processor by this Addendum, which the Data Processor hereby undertakes shall reflect the requirements of the Data Protection Legislation at all times;

1.7.2. ensure that the other processor complies fully with its obligations under that agreement and the Data Protection Legislation; and

1.7.3. remain fully liable to the Data Controller for the performance of that other processor’s obligations and the acts or omissions thereof.

1.8. Kinspeed may, at any time, alter this Addendum, replacing it with any applicable data processing clauses or similar terms adopted by the Information Commissioner or that form part of an applicable certification scheme.

SCHEDULE 

1. Data Processing

Scope

Services as set out in an Agreement.

Nature

Processing of personal data as may be required to provide the Services.

Purpose

In order to fulfil the obligations of the Agreement.

Duration

The Term of the Agreement.

2. Types of Personal Data

This is dependent on the Services set out in the Agreement.

3. Categories of Data Subject

This is dependent on the Services set out in the Agreement.

4. Organisational and Technical Data Protection Measures

As per good industry practice.