DATA PROCESSING AGREEMENT is committed to the correct processing of data and has created the following Data Processing Agreement in accordance with the applicable Data Protection Laws. Please be aware the following agreement will hereon be known as Schedule 1.

“Data Controller” Has the meaning given to ‘Data Controller’, or ‘Controller’ as appropriate, in the Data Protection Laws;
“Data Breach” Means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed;
“Data Processor” Has the meaning given to ‘Data Processor’, or ‘Processor’ as appropriate, in the Data Protection Laws;
“Data Protection Laws” Means any and all laws, statutes, enactments, orders or regulations or other similar instruments of general application and any other rules, instruments or provisions in force from time to time relating to the processing of personal data and privacy applicable to the performance of this Agreement, including where applicable the Data Protection Act 1998, the Data Protection Bill, the Regulation of Investigatory Powers Act 2000, the Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2426/2003) and the GDPR (Regulation (EU) 2016/679), as amended or superseded;
“GDPR” Means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC as updated, superseded or repealed from time to time;
“Personal Data” Has the meaning given in the Data Protection Laws.
2.1 Each Party shall comply with its obligations as a Data Controller or Processor under the applicable Data Protection Laws.
2.2 If it is found that the Publisher, pursuant to this Agreement, processes Personal Data on behalf of , the Publisher acknowledges that is the Data Processor, and that the Publisher is the Data Controller.
2.3 In the event that clause 2.2 applies, the Data Processor shall comply with its obligations under applicable Data Protection Laws and as set out in this Schedule I.
3.1 The Data Processor warrants that it has complied, and shall continue to comply, with the requirements of the applicable Data Protection Laws and all other data protection legislation in any jurisdiction relevant to the exercise of its rights or the performance of its obligations under this Agreement.
4.1 In respect of any Personal Data to be processed by the Data Controller pursuant to this Agreement, the Data Controller shall:
4.1.1 have in place and at all times maintain appropriate technical and organizational measures in such a manner as is designed to ensure the protection of the rights of the data subject and to ensure a level of security appropriate to the risk and shall implement any reasonable security measures as requested by from time to time;
4.1.2 not engage any sub-controllers without the prior specific or general written authorisation of (and in the case of general written authorisation, the Data Controller shall inform of any intended changes concerning the addition or replacement of other controllers and shall have the right to object to such changes);
4.1.3 ensure that each of the Data Controller’s employees, agents, consultants, subcontractors and sub-controllers is made aware of the Data Processor’s obligations under this Schedule I and enters into binding obligations with the Data Processor to maintain the levels of security and protection required under this Schedule I. The Data Controller shall ensure that the terms of this Schedule I are incorporated into each agreement with any sub-controller, subcontractor, agent or consultant to the effect that the sub-controller, subcontractor, agent or consultant shall be obligated to act at all times in accordance with duties and obligations of the Data Controller under this Schedule I. The Data Controller shall at all times be and remain liable to for any failure of any employee, agent, consultant, subcontractor or sub-controller to act in accordance with the duties and obligations of the Data Processor under this Schedule I;
4.1.4 process that Personal Data only on behalf of in accordance with instructions and to perform its obligations under this Agreement or other documented instructions from and for no other purpose save to the limited extent required by law;
4.1.5 ensure that all persons authorised to access the Personal Data are subject to obligations of confidentiality and receive training to ensure compliance with this Agreement and the Data Protection Laws;
4.1.6 make available to all information necessary to demonstrate compliance with the obligations laid out in Article 28 of GDPR and this Schedule I and allow for and contribute to audits, including inspections, conducted by or another auditor mandated by, of the Data Controller’s data processing facilities, procedures and documentation (and the facilities, procedures and documentation of any sub-Controller) in order to ascertain compliance with Article 28 GDPR and this Schedule I, within 5 working days of request by , and, following any such audit, without prejudice to any other rights of , the Data Controller shall implement such measures which considers reasonably necessary to achieve compliance with the Data Controller’s obligations under this Schedule I; provided that, in respect of this provision the Data Controller shall immediately inform if, in its opinion, an instruction infringes Data Protection Laws;
4.1.7 taking into account the nature of the processing, provide assistance to “ “, within such timescales as “ “ may require from time to time, at no charge to , in connection with the fulfilment of the obligation as Data Processor to respond to requests for the exercise of data subjects’ rights pursuant to Chapter III of the GDPR to the extent applicable;
4.1.8 provide with assistance in ensuring compliance with articles 32 to 36 (inclusive) of the GDPR (concerning security of processing, data breach notification, communication of a personal data breach to the data subject, data protection impact assessments, and prior consultation with supervisory authorities) to the extent applicable to, taking into account the nature of the processing and the information available to the Data Controller;
4.1.9 (at no additional cost to ) deal promptly and properly with all enquiries or requests from relating to the Personal Data and the data processing activities, promptly provide to in such form as may request, a copy of any Personal Data requested by;
4.1.10 (at no additional cost to ) assist (where requested by ) in connection with any regulatory or law enforcement authority audit, investigation or enforcement action in respect of the Personal Data;
4.1.11 immediately notify in writing about:
(a) any Data Breach or any accidental loss, disclosure or unauthorised access of which the Data Controller becomes aware in respect of Personal Data that it Controlled on behalf of;
(b) any request for disclosure of the Personal Data by a law enforcement authority (unless otherwise prohibited);
(c) any access request or complaint received directly from a data subject.
It being accepted by the Data Processor that:
(d) the Data Controller remains responsible for any complaints or claims made by Data Subjects, third parties or any regulatory or law enforcement authority to the extent such complaints or claims are the result of an infringement of Data Protection Laws by the Data Controller.
4.1.12 maintain a record of its processing activities in accordance with Article 30 of the GDPR.
4.1.13 indemnify against all liabilities, claims, costs, expenses, damages and losses (including any direct, indirect or consequential losses, loss of profit, loss of reputation and all interest, penalties and legal and other professional costs and expenses) suffered or incurred by or for which it may become liable as a result of or in connection with any failure of the Data Controller, its employees, agents, consultants, subcontractors or sub-controllers to comply with this Schedule I.
4.2 reserves the right to take legal action for any damages (financial or reputational) and the Data Controller shall indemnify and its clients in respect of any fines, damages or complaints made to us as a result of the Data Controller’s use of personal data.
4.3 Notwithstanding anything to the contrary set out in this Agreement, to the extent that there is any duplication or conflict between definitions or clauses used in the Agreement and this Schedule I, the definitions and clauses set out in this Schedule I will apply and take precedence. In all other respects the Agreement shall continue to be in effect.
5.1 In respect of any Personal Data to be processed by a party acting as Data Controller pursuant to this Agreement for which the other party is Data Processor, the Data Controller shall not transfer the Personal Data outside the EEA or to an international organisation without:
5.1.1 obtaining the written permission of the Data Processor;
5.1.2 ensuring appropriate levels of protection, including any appropriate safeguards if required, are in place for the Personal Data in accordance with the Data Protection Laws;
5.1.3 notifying the Data Processor of the protections and appropriate safeguards in paragraph 5.1.2 above;
5.1.4 documenting and evidencing the protections and appropriate safeguards in paragraph 5.1.2 above and allowing the Data Processor access to any relevant documents and evidence.
6.1 As required by Article 28 of the GDPR, if at any point you will be processing data on behalf of the Data Processor, please specify this to the Data Processor and they will pass you the relevant pre due diligence questions before moving forward with this activity.
January 2019