1.1 The definitions in Plug and Play Terms and Conditions shall apply except where expressly stated otherwise. In addition, in these data processing terms and conditions:
Controller, data subject, personal data, process, processor and supervisory authority shall, for the purposes of this Data Processing Terms and Conditions, have the meanings set out in the GDPR;
GDPR means the General Data Protection Regulation (Regulation (EU) 2016/679), or similar legislation as implemented under English law (including any national implementing laws, regulations and secondary legislation), in each case as applicable and in force in the United Kingdom from time to time including the Data Protection Act 2018. References to Article numbers of the GDPR shall be deemed to include the equivalent provisions in the event the Article numbers in the legislation are changed from time to time;
Model Clauses means the clauses established pursuant to Article 26(2) of Directive 95/46/EC for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection (or any equivalent clauses subsequently introduced pursuant to the implementation of the GDPR);
Plug and Play’s Personnel means the employees, staff, other workers and agents of Plug and Play and any of Plug and Play’s subcontractors or agents who are engaged in the provision of the Services from time to time;
2 DATA PROCESSING
2.1 In the event Plug and Play processes personal data in the course of performing its obligations under the Agreement, the parties agree that, for the purposes of the GDPR, the Client shall be the controller and Plug and Play shall be the processor.
2.2 The Client instructs Plug and Play (and authorises Plug and Play to instruct any sub-processor it appoints) to:
2.2.1 process the Client’s personal data; and
2.2.2 transfer the Client’s personal data outside the European Economic Area (provided that in respect of any transfers outside the European Economic Area an adequacy decision applies in relation to the relevant third country or an appropriate safeguard is in place in relation to the transfers (such as the Model Clauses)), in each case as reasonably necessary for the performance of and in accordance with the terms of the Agreement.
2.3 The parties agree that the processing of personal data by Plug and Play on behalf of the Client is as follows (as may be updated by the parties in writing from time to time):
2.3.1 the subject-matter, nature and purpose of the processing is the performance of the Services;
2.3.2 the duration of the processing is the term of the Agreement and for such further time as the parties shall agree in writing;
2.3.3 the type(s) of personal data depend on the circumstances and particular Services provided and may include name, contact details, employment information and other personal data;
2.3.4 the categories of data subjects depend on the circumstances and particular Services provided and include individuals providing personal data on websites hosted by Plug and Play.
2.4 Plug and Play, to the extent it is acting as processor in respect of such personal data, agrees to:
2.4.1 process the personal data on documented instructions from the Client (including those set out in the Agreement), unless required to do so by English, European Union (“EU”) or EU Member State law to which Plug and Play is subject. In such a case, Plug and Play shall inform the Client of that legal requirement before processing (unless that law prohibits such information on important grounds of public interest);
2.4.2 not transfer the personal data outside the European Economic Area without the prior written consent of the Client, except as permitted under clauses 2.2 and 2.4.1;
2.4.3 ensure that Plug and Play’s Personnel authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
2.4.4 taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, as well as the risk of the varying likelihood and severity of rights and freedoms of natural persons, in relation to the Client’s personal data, implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk including considering those measures referred to in Article 32 of the GDPR (‘Security of processing’);
2.4.5 taking into account the nature of the processing, assist the Client by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Client’s obligation to respond to requests for exercising data subjects’ rights laid down in Chapter III (‘Rights of the data subject’) of the GDPR;
2.4.6 taking into account the nature of the processing and information available to Plug and Play, provide assistance to the Client in order to assist the Client in ensuring the Client’s compliance with the obligations set out in GDPR Article 32 (‘Security of processing’), Article 33 (‘Notification of a personal data breach to the supervisory authority’), Article 34 (‘Communication of a personal data breach to the data subject’), Article 35 (‘Data protection impact assessment’), and Article 36 (‘Prior consultation’), in each case solely in relation to processing of the Client’s personal data;
2.4.7 at the option of the Client, delete or return all the Client’s personal data to the Client after the end of the provision of services relating to processing, and delete existing copies, unless applicable laws require retention of the personal data and save for back-up or archive data which is kept in accordance with Plug and Play’s data retention procedures;
2.4.8 make available to the Client all information necessary to demonstrate compliance with Article 28 of the GDPR and permit audits and inspections conducted by the Client or an auditor appointed by the Client; and
2.4.9 immediately inform the Client if, in its opinion, an instruction of the Client pursuant to clause 2.4.8 infringes the GDPR or other EU or EU Member State data protection provisions.
2.5 The Client generally consents to Plug and Play engaging sub-processors in relation to the personal data and specifically consents to the engagement of those sub-processors engaged by Plug and Play on 25 May 2018 where an Agreement was in force between the parties at that date or otherwise at the date of the Agreement.
2.6 Plug and Play shall inform the Client of any intended changes concerning the addition or replacement of such processors. The Client shall have the right to object to any changes, where it has reasonable grounds to consider the use of such processors would not comply with the GDPR, and if it does object it must notify Plug and Play in writing within 5 days of being informed of the change.
2.7 Where Plug and Play receives written notice from the Client in accordance with clause 2.6 Plug and Play shall not appoint the proposed sub-processor until reasonable steps have been taken to address the objections raised by the Client and Client has been provided with a reasonable written explanation of the steps taken.
2.8 Plug and Play shall ensure that the arrangement between it and each sub-processor contemplated by clauses 2.5 to 2.7 is governed by a written contract including equivalent data protection obligations as those set out in the Agreement which are required by Article 28(3) of the GDPR.
2.9 The Client shall reimburse Plug and Play for all costs, expenses and time (at Plug and Play’s standard rates) reasonably incurred by Plug and Play in connection with the fulfilment of Plug and Play’s obligations under clauses 2.4.5 to 2.4.9. Plug and Play shall invoice the Client in relation thereto and such invoices shall be paid in accordance with the terms of the Agreement.
2.10 The Client shall (at its own cost) provide assistance requested by Plug and Play in relation to the fulfilment of Plug and Play’s obligation to cooperate with the relevant supervisory authority under Article 31 GDPR. Notwithstanding any other provision of the Agreement, Plug and Play shall be entitled to respond to and provide all relevant information in respect of requests or orders issued by such supervisory authority.
2.11 The Client warrants and represents that:
2.11.1 it will at all times remain duly and effectively authorised to give the instruction set out in clause 2.2;
2.11.2 it has all authority, grounds, rights and consents necessary to enable Plug and Play to process the personal data in accordance with the GDPR for the purposes of the Agreement;
2.11.3 it shall comply with the GDPR and all other applicable laws and regulations, relevant industry codes of practice and guidance in relation to the processing of personal data; and
2.11.4 the information set out in clause 2.3 is accurate.
2.12 The Client shall indemnify Plug and Play at all times against all claims, demands, costs (including legal costs on a full indemnity basis), damages, expenses, losses, fines and liabilities incurred by Plug and Play arising out of or in connection with:
2.12.1 any breach by the Client of clause 2.11;
2.12.2 any act or omission of processing by the Client, its affiliates or third party suppliers which infringes the GDPR; and
2.12.3 notwithstanding clause 2.4.9, the provision of unlawful or inadequate instructions by the Client in relation to the personal data.
2.13 For the avoidance of doubt, Plug and Play shall not be liable for or responsible for any breach of this Part 3 (Data Processing Terms and Conditions) due to the acts or omissions of the Client.