Data Protection Addendum

The terms used in this Addendum shall have the meanings set forth in this Addendum. Capitalised terms not otherwise defined herein shall have the meaning given to them in the Principal Agreement. Except as modified below, the terms of the Principal Agreement shall remain in full force and effect.

In consideration of the mutual obligations set out herein, the parties hereby agree that the terms and conditions set out below shall be added as an Addendum to the Principal Agreement. Except where the context requires otherwise, references in this Addendum to the Principal Agreement are to the Principal Agreement as amended by, and including, this Addendum.

This Addendum shall be effective as at May 25th 2018.

  1. Definitions
    1. In this Addendum, the following terms shall have the meanings set out below and cognate terms shall be construed accordingly:
      1. "Applicable Law" means: (1) any statute, regulation, byelaw or subordinate legislation in force from time to time to which a party is subject and/or in any jurisdiction that the Services are provided to or in respect of; (2) the common law and laws of equity as applicable to the parties from time to time; and (3) any binding court order, judgment or decree.
      2. "Cambridge Personal Data" means any Personal Data Processed by a Contracted Processor on behalf of Cambridge pursuant to or in connection with the Principal Agreement;
      3. "Contracted Processor" means Vendor or Sub-processor;
      4. "Data Protection Laws" means any Applicable Law relating to the processing, privacy, and use of Personal Data, as applicable to Cambridge, the Vendor and/or the Services, including: (a) in the United Kingdom: the Data Protection Act 2018 and the Privacy and Electronic Communications (EC Directive) Regulations 2003, and any laws or regulations implementing Directive 2002/58/EC (ePrivacy Directive); and/or the General Data Protection Regulation (EU) 2016/679 (GDPR); and (b) any judicial or administrative interpretation of any of the above, any guidance, guidelines, codes of practice, approved codes of conduct or approved certification mechanisms issued by any relevant Supervisory Authority;
      5. "Data Protection Losses" means all liabilities and other amounts, including all: (1) costs (including legal costs), claims, demands, actions, settlements, interest, charges, procedures, expenses, losses and damages; (2) loss or damage to reputation, brand or goodwill; (3) to the extent permitted by Applicable Law: (i) administrative fines, penalties, sanctions, liabilities or other remedies imposed by a Supervisory Authority; and (ii) compensation paid to a Data Subject; and (iii) costs of compliance with investigations by a Supervisory Authority; and (4) the costs of loading Cambridge Personal Data, to the extent the same are lost, damaged or destroyed, and any loss or corruption of Cambridge Personal Data (including the costs of rectification or restoration of Cambridge Personal Data);
      6. "Delete" means to remove or obliterate Personal Data such that it cannot be recovered or reconstructed;
      7. "Services" means the services and other activities to be supplied to or carried out by or on behalf of Vendor for Cambridge pursuant to the Principal Agreement;
      8. "Sub-processor" means any person (including any third party and any Vendor Affiliate, but excluding an employee of Vendor) appointed by or on behalf of Vendor or any Vendor Affiliate to Process Personal Data on behalf of Cambridge in connection with the Principal Agreement; and
      9. "Vendor Affiliate" means an entity that owns or controls, is owned or controlled by, or is under common control or ownership with Vendor, where control is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract or otherwise.
    2. The terms "Data Controller", "Data Processor", "Data Subject", "Personal Data", "Personal Data Breach", "Processing" and "Supervisory Authority" shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.
    3. The word "include" shall be construed to mean include without limitation, and cognate terms shall be construed accordingly.
  2. Processing of Cambridge Personal Data
    1. Both parties shall comply with all applicable requirements of Data Protection Laws.
    2. The parties acknowledge that for the purposes of Data Protection Laws, Cambridge is the Data Controller and Vendor is the Data Processor.
    3. Without prejudice to the generality of section 2.1, Cambridge will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of Cambridge Personal Data to Vendor for the duration and purposes of the Principal Agreement.
    4. Without prejudice to the generality of section 2.1, Vendor shall:
      1. comply with all applicable Data Protection Laws in the Processing of Cambridge Personal Data;
      2. not Process any Cambridge Personal Data other than on Cambridge’s documented instructions and Annex 1 to this Addendum unless Processing is required by Applicable Laws to which the relevant Contracted Processor is subject, in which case Vendor shall to the extent permitted by Applicable Laws inform Cambridge of that legal requirement before the relevant Processing of that Personal Data.
    5. Annex 1 to this Addendum sets out certain information regarding the Contracted Processors' Processing of Cambridge Personal Data as required by article 28(3) of the GDPR (and, possibly, equivalent requirements of other Data Protection Laws). Cambridge may make reasonable amendments to Annex 1 by written notice to Vendor from time to time as Cambridge reasonably considers necessary to meet those requirements. Nothing in Annex 1 (including as amended pursuant to this section) confers any right or imposes any obligation on any party to this Addendum.
  3. Vendor
    1. Vendor shall take reasonable steps to ensure the reliability of any employee, agent or contractor of any Contracted Processor who may have access to Cambridge Personal Data, ensuring in each case that access is strictly limited to those individuals who need access to Cambridge Personal Data to supply the Services in accordance with the Principal Agreement, and to comply with Applicable Laws in the context of that individual's duties to the Contracted Processor.
    2. Vendor shall ensure that any employee, agent or contractor of any Contracted Processor who may have access to Cambridge Personal Data is subject to a binding written contractual obligation with the Contracted Processor to keep Cambridge Personal Data confidential (except where disclosure is required in accordance with Applicable Law, in which case Vendor shall, where practicable and not prohibited by Applicable Law, notify Cambridge of any such requirement before such disclosure).
  4. Security
    1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Vendor shall in relation to Cambridge Personal Data implement appropriate technical and organisational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR.
    2. In assessing the appropriate level of security, Vendor shall take account in particular of the risks that are presented by Processing, in particular, from a Personal Data Breach.
  5. Sub-processing
    1. Vendor shall give Cambridge prior written notice of the appointment of any new Sub-processor, including full details of the Processing to be undertaken by the Sub-processor. If, within 4 weeks of receipt of that notice, Cambridge notifies Vendor in writing of any objections (on reasonable grounds) to the proposed appointment, Vendor shall not appoint (or disclose any Cambridge Personal Data to) the proposed Sub-processor except with the prior written consent of Cambridge.
    2. Vendor may continue to use those Sub-processors already engaged by Vendor as at the date of this Addendum and identified in Annex 2, subject to Vendor in each case as soon as practicable meeting the obligations set out in section 5.4.
    3. With respect to each Sub-processor, Vendor shall:
      1. before the Sub-processor first Processes the Cambridge Personal Data (or, where relevant, in accordance with section 5.2), carry out adequate due diligence to ensure that the Sub-processor is capable of providing the level of protection for the Cambridge Personal Data required by the Principal Agreement;
      2. ensure that the arrangement between on the one hand (a) Vendor or (b) the relevant intermediate Sub-processor; and on the other hand the Sub-processor, is governed by a written contract on the same terms as those set out in this Addendum and meets the requirements of article 28(3) of the GDPR; and
      3. provide to Cambridge for review such copies of the Contracted Processors' agreements with Sub-processors (which may be redacted to remove confidential commercial information not relevant to the requirements of this Addendum) as Cambridge may request from time to time.
    4. Vendor shall, where the Sub-processor fails to fulfil its obligations in accordance with the contract referred to in section 5.3.2, remain fully liable to Cambridge for the performance of that Sub-processor’s obligations. The acts or omissions of any Sub-processor in connection with the processing of the Cambridge Personal Data shall be deemed the act or omission of Vendor.
  6. Data Subject Rights
    1. Taking into account the nature of the Processing, Vendor shall provide such assistance to Cambridge as Cambridge reasonably requires to ensure that Cambridge complies with Data Protection Laws, including with respect to:
      1. security of processing;
      2. data protection impact assessments (as such term is defined in Data Protection Laws);
      3. prior consultation with a Supervisory Authority regarding high risk processing; and
      4. any remedial action and/or notifications to be taken in response to any Personal Data Breach and/or complaint relating to either party’s obligations under the Data Protection Laws relevant to the Principal Agreement and/or this Addendum, including (subject in each case to Cambridge's prior written authorisation) regarding any notification of the Personal Data Breach to Supervisory Authorities and/or communication to any affected Data Subjects.
    2. Vendor shall:
      1. promptly notify Cambridge if any Contracted Processor receives a request from a Data Subject under any Data Protection Law in respect of Cambridge Personal Data;
      2. provide such information and cooperation and take such action as Cambridge reasonably requests in relation to each request from a Data Subject, within the timescales reasonably required by Cambridge; and
      3. ensure that the Contracted Processor does not respond to that request except on the documented instructions of Cambridge or as required by Applicable Laws to which the Contracted Processor is subject, in which case Vendor shall to the extent permitted by Applicable Laws inform Cambridge of that legal requirement before the Contracted Processor responds to the request.
  7. Personal Data Breach
    1. Vendor shall notify Cambridge without undue delay (but in no event later than 12 hours) upon Vendor or any Sub-processor becoming aware of a Personal Data Breach affecting Cambridge Personal Data.
    2. Vendor shall provide Cambridge without undue delay (but in no event later than 24 hours) with sufficient information about the Personal Data Breach to allow Cambridge to meet any obligations to report or inform any Data Subject or Supervisory Authority of the Personal Data Breach under the Data Protection Laws. Such information shall as a minimum include details regarding:
      1. the nature of the Personal Data Breach, the categories and numbers of Data Subjects concerned, and the categories and numbers of Personal Data records concerned;
      2. the name and contact details of Vendor's data protection officer or other relevant contact from whom more information may be obtained;
      3. the likely consequences of the Personal Data Breach; and
      4. the measures taken or proposed to be taken to address the Personal Data Breach;
    3. Vendor shall promptly (and in any event within 3 days) inform Cambridge if it receives a complaint relating to either party's obligations under the Data Protection Laws relevant to the Principal Agreement and/or this Addendum and provide Cambridge with full details of such complaint.
  8. Deletion or return of Cambridge Personal Data
    1. Subject to sections 8.2 and 8.3 Vendor shall promptly, and in any event within 14 days, at Cambridge’s written request, either securely Delete or securely return all the Cambridge Personal Data in such form as Cambridge reasonably requests after the earlier of:
      1. the date of cessation of any Services involving the Processing of the Cambridge Personal Data (the "Cessation Date"); or
      2. once Processing by the Contracted Processor of any Protected Data is no longer required for the purpose of Vendor’s performance of its relevant obligations under this Agreement;
      and securely Delete existing copies (unless storage of any Cambridge Personal Data is required by Applicable Law and, if so, the Supplier shall inform the Customer of any such requirement).
    2. Vendor shall provide written certification to Cambridge that it has fully complied with this section 8 within 1 month of the Cessation Date.
  9. Audit rights
    1. Subject to section 9.2, Vendor shall make available to Cambridge on request all information necessary to demonstrate compliance with this Addendum, and shall allow for and contribute to audits, including inspections, by Cambridge or an auditor mandated by Cambridge in relation to the Processing of Cambridge Personal Data by the Contracted Processors.
    2. Information and audit rights of Cambridge only arise under section 9.1 to the extent that the Principal Agreement does not otherwise give it information and audit rights meeting the relevant requirements of Data Protection Law (including, where applicable, article 28(3)(h) of the GDPR).
  10. Restricted Transfers
    1. Vendor shall not transfer Cambridge Personal Data to any country outside the European Economic Area without Cambridge’s prior written consent.
  11. Indemnities
    1. Vendor shall indemnify and keep indemnified Cambridge in respect of all Data Protection Losses suffered or incurred by, awarded against or agreed to be paid by, Cambridge arising from or in connection with:
      1. any breach by Vendor of any of its obligations under clauses 1 to 10 (inclusive); or
      2. Vendor (or any person acting on its behalf) acting outside or contrary to the lawful Processing Instructions of Cambridge in respect of the processing of Cambridge Personal Data.
  12. Conflicts
    1. Unless otherwise expressly stated in the Principal Agreement, Vendor’s obligations and Cambridge’s rights and remedies under clauses 1 to 11 (inclusive) are cumulative with, and additional to, any other provisions of the Principal Agreement.
    2. Nothing in this Addendum reduces Vendor's obligations under the Principal Agreement in relation to the protection of Cambridge Personal Data or permits Vendor to Process (or permit the Processing of) Cambridge Personal Data in a manner which is prohibited by the Principal Agreement.
    3. Subject to section 12.2, with regard to the subject matter of this Addendum, in the event of inconsistencies between the provisions of this Addendum and any other agreements between the parties, including the Principal Agreement and including (except where explicitly agreed otherwise in writing, signed on behalf of the parties) agreements entered into or purported to be entered into after the date of this Addendum, the provisions of this Addendum shall prevail.