1.1.1. applicable law means applicable law of the United Kingdom (or of a part of the United Kingdom);

1.1.2. Controller, Data Subject, International Organisation, Personal Data, Personal Data Breach, Processor and processing shall have the respective meanings given to them in applicable Data Protection Laws from time to time (and related expressions, including process, processed, and processes shall be construed accordingly);

1.1.3. Data Protection Laws means all applicable law relating to the processing, privacy and/or use of Personal Data, as applicable to either party or the Services, including:

1. the GDPR;
2. the Data Protection Act 2018;
3. any laws which implement or supplement any such laws;
4. any laws that replace, extend, re-enact, consolidate or amend any of the foregoing; and
5. all guidance, guidelines and codes of practice issued by any relevant Data Protection Supervisory Authority relating to such Data Protection Laws (in each case whether or not legally binding);

1.1.4. Data Protection Supervisory Authority means any regulator, authority or body responsible for administering Data Protection Laws;

1.1.5. GDPR means the General Data Protection Regulation, Regulation (EU) 2016/679, as it forms part of domestic law in the United Kingdom by virtue of section 3 of the European Union (Withdrawal) Act 2018 (including as further amended or modified by the laws of the United Kingdom or of a part of the United Kingdom from time to time);

1.1.6. Processing End Date means, in respect of any Protected Data, the earlier of:

1. the end of the provision of the relevant Services related to the processing of such Protected Data; or
2. once processing by OIIKII of such Protected Data is no longer required for the purpose of OIIKII’s performance of its relevant obligations under this DPA;

1.1.7. Protected Data means Personal Data received from or on behalf of the User, or otherwise obtained in connection with the performance of OIIKII’s obligations under this DPA; and

1.1.8. Sub-Processor means any Processor engaged by OIIKII (or by any other Sub-Processor) for carrying out any processing activities in respect of the Protected Data.

1.2. Unless otherwise expressly stated in this DPA:

1.2.1. OIIKII’s obligations and the User’s rights and remedies under this clause 1 are cumulative with, and additional to, one another and those under any other provisions of this DPA; and

1.2.2. this clause 1 shall prevail over any other provision of the Agreement in the event of any conflict.

Compliance with Data Protection Laws

1.3. The parties agree that the OIIKII is a Controller and that the User is a Processor for the purposes of processing Protected Data pursuant to this DPA. The User shall, and shall ensure the Sub-Processors and each of the User’s Personnel shall, at all times comply with all Data Protection Laws in connection with the processing of Protected Data and the provision of the Services and shall not by any act or omission cause the User (or any other person) to be in breach of any of the Data Protection Laws. Nothing in this DPA relieves the User of any responsibilities or liabilities under Data Protection Laws.

1.4. The User shall indemnify and keep indemnified OIIKII against:

1.4.1 all losses, claims, damages, liabilities, fines, interest, penalties, costs, charges, sanctions, expenses, compensation paid to Data Subjects (including compensation to protect goodwill and ex gratia payments), demands and legal and other professional costs (calculated on a full indemnity basis and in each case whether or not arising from any investigation by, or imposed by, a Data Protection Supervisory Authority) arising out of or in connection with any breach by the User of its obligations under this clause 1; and

1.4.2. All amounts paid or payable by the OIIKII to a third party which would not have been paid or payable if the User’s breach of this clause 1 had not occurred.

Instructions

1.5 The User shall only process (and shall ensure the User’s Personnel only process) the Protected Data in accordance with the schedule, this DPA and OIIKII’s written instructions from time to time (including with regard to any transfer to which clause 1.12 relates) except where otherwise required by applicable law (and in such a case shall inform the User of that legal requirement before processing, unless applicable law prevents it doing so on important grounds of public interest). The User shall immediately inform OIIKII if any instruction relating to the Protected Data infringes or may infringe any Data Protection Laws. The User shall retain records of all instructions relating to the Protected Data received from OIIKII.

Security

1.6 The User shall at all times implement and maintain appropriate technical and organisational measures to protect Protected Data against accidental, unauthorised or unlawful destruction, loss, alteration, disclosure or access. Such technical and organisational measures shall be at least equivalent to the technical and organisational measures set out in Part B of the schedule and shall reflect the nature of the Protected Data.

1.7. During the period in which the User processes any Protected Data, it shall undertake a documented assessment at least every 12 months of whether the security measures implemented comply with clause 1.6.

1.8. Except as agreed by the parties by way of a binding variation of this DPA, The User may not make any change to the security measures it applies to the Protected Data from time to time to the extent any such change would conflict with the provisions of this DPA.

Sub-processing and personnel

1.9. The User shall:

1.9.1. not permit any processing of Protected Data by any agent, sub-contractor, Sub-Processor or other third party (except its own employees that are subject to an enforceable obligation of confidence with regards to the Protected Data) without the prior specific written authorisation of that third party by OIIKII;

1.9.2. ensure that access to Protected Data is limited to the authorised persons who need access to it to supply the Services;

1.9.3. prior to any Sub-Processor carrying out any processing activities in respect of the Protected Data, appoint each Sub-Processor under a binding written contract containing the same obligations as under this clause 1 in respect of Protected Data and that (without prejudice to, or limitation of, the foregoing):

1. includes providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing of the Protected Data will meet the requirements of all Data Protection Laws and comply with the Users’ obligations under this DPA; and
2. is enforceable by the User,

1.9.4. remain fully liable to OIIKII under this DPA for all the acts and omissions of each Sub-Processor and each of the User’s Personnel as if they were its own; and

1.9.5. ensure that all persons authorised by the User or any Sub-Processor to process Protected Data are reliable and:

1. adequately trained on compliance with this clause 1 as applicable to the processing;
2. informed of the confidential nature of the Protected Data and that they must not disclose Protected Data; and
3. subject to a binding and enforceable written contractual obligation to keep the Protected Data confidential; and

1.9.6. promptly provide all relevant details concerning, and a copy of, each agreement with a Sub-Processor to OIIKII on request.

Assistance

1.10. The User shall promptly:

1.10.1. provide such information and assistance (including by taking all appropriate technical and organisational measures) as OIIKII may require in relation to the fulfilment of OIIKII’s obligations to respond to requests for exercising the Data Subjects’ rights under Chapter III of the GDPR (and any similar obligations under applicable Data Protection Laws); and

1.10.2. provide such information, co-operation and other assistance to OIIKII as OIIKII reasonably requires (taking into account the nature of processing and the information available to the User) to ensure compliance with the OIIKII’s obligations under Data Protection Laws, including with respect to:

1. security of processing (including with any review of security measures);
2. data protection impact assessments (as such term is defined in Data Protection Laws);
3. prior consultation with a Data Protection Supervisory Authority regarding high risk processing; and
4. any remedial action and/or notifications in response to any Personal Data Breach and/or any complaint or request relating to either party’s obligations under Data Protection Laws relevant to this DPA, including (subject in each case to OIIKII’s prior written authorisation) regarding any notification of the Personal Data Breach to Data Protection Supervisory Authorities and/or communication to any affected Data Subjects.

1.11. The User shall:

1.11.1. promptly record and refer all requests and communications received from Data Subjects or any Data Protection Supervisory Authority to OIIKII which relate (or which may relate) to any Protected Data (and in any event within three days of receipt); and

1.11.2. not respond to any such requests or communications without the OIIKII’s express written approval and strictly in accordance with OIIKII’s written instructions unless and to the extent required by applicable law.

International transfers

1.12 The User shall not process and/or transfer, or otherwise directly or indirectly disclose, any Protected Data in or to any country or territory outside the United Kingdom or to any International Organisation without the prior written authorisation of OIIKII (which may be refused or granted subject to such conditions as OIIKII deems necessary).

Records and audit

1.13. The User shall maintain complete, accurate and up to date written records of all categories of processing activities carried out on behalf of OIIKII. Such records shall include all information: (a) necessary to demonstrate both parties’ compliance with this clause 1; (b) that each party is required to record and/or maintain under any Data Protection Laws; and (c) that OIIKII may reasonably require from time to time. The User shall make copies of such records available to OIIKII promptly (and in any event within seven days) on request from time to time.

1.14. The User shall (and shall ensure all Sub-Processors shall) promptly make available to the User such information as is reasonably required to demonstrate The User’s and OIIKII’s compliance with their respective obligations under this clause 1 and the Data Protection Laws, and allow for, permit and contribute to audits, including inspections, by OIIKII (or another auditor mandated by OIIKII) for this purpose at OIIKII’s request from time to time. The User shall provide (or procure) access to all relevant premises, systems, personnel and records during normal business hours for the purposes of each such audit or inspection upon reasonable prior notice (not being more than two Business Days) and provide and procure all further reasonable co-operation, access and assistance in relation to any such audit or inspection.

Breach

1.15. The User shall promptly (and in any event within 48 hours):

1.15.1. notify OIIKII if it (or any of the Sub-Processors or the User’s Personnel) suspects or becomes aware of any suspected, actual or threatened occurrence of any Personal Data Breach in respect of any Protected Data; and

1.15.2. provide all information as the User requires to report the circumstances referred to in clause 1.15.1 to a Data Protection Supervisory Authority and to notify affected Data Subjects under Data Protection Laws.

Deletion/return

1.16. Subject to clause 1.17, The User shall (and shall ensure that each of the Sub-Processors and the User Personnel shall) within not less than two Business Days and not more five Business Days of the relevant Processing End Date securely delete the Protected Data (and all copies) except to the extent that storage of any such data is required by applicable law (and, if so, The User shall inform OIIKII of any such requirement and shall securely delete such data as soon as it is permitted to do so under applicable law).

1.17. The User shall (and shall ensure that each of the Sub-Processors and the User’s Personnel shall) promptly comply with any requests from the User for the secure return and/or disclosure to OIIKII of any Protected Data in, provided such request is received within three Business Days of the relevant Processing End Date.

1.18. Within three Business Days of the date for performance of any obligation under clause 1.16, the User shall notify OIIKII in writing:

1.18.1. with confirmation of the extent to which it has complied with all obligations under clause 1.16 to delete Protected Data;

1.18.2. if applicable, of the full details of any failure to comply with any obligation under clause 1.16 (in which case the User shall notify OIIKII immediately once this has been corrected); and

1.18.3. if applicable, of the full details of any Protected Data that continues to be stored as required by applicable law (together with confirmation of the relevant law(s)).

Survival

1.19. This clause 1 shall survive termination or expiry of this DPA for any reason.

Cost

1.20. The User shall perform all its obligations under this clause 1 at its own cost and expense and at no cost or expense to OIIKII.

Rights of Data Subjects

1.21. Nothing in this DPA affects the rights of Data Subjects under Data Protection Laws (including those in Articles 79 and 82 of the GDPR or in any similar Data Protection Laws) against OIIKII, the User or any Sub-Processor.