Clauses relating to the processing of personal data between Controllers and Processors

Definitions

“Agreement” means the agreement in place between Payzone UK Limited and the other party to whom notice of these clauses has been given;

“Controller” has the meaning given to such term in the GDPR;

“Data Laws” means all applicable laws and regulations relating to the processing and privacy of personal data, including the Data Protection Act 1998 (up to and including 24th May 2018) and (with effect from and including 25th May 2018) the GDPR;

“Data Regulator” means the Information Commissioner’s Office or any successor body which has regulatory authority for the purposes of the Data Laws;

“Data Subject” has the meaning given to such term in the GDPR;

“GDPR” means the General Data Protection Regulation (EU) 2016/679 and any applicable laws and regulations which supplement and/or replace the GDPR;

“Personal Data” has the meaning given to such term in the GDPR;

“Personal Data Breach” has the meaning given to such term in the GDPR;

“Processing” shall have the meaning given to such term in the GDPR (and “Process” and “Processed” shall be construed accordingly);

“Processor” shall have the meaning given to such term in the GDPR;

“Relevant Data Subject” means a Data Subject in respect of the Relevant Personal Data; and

“Relevant Personal Data” has the meaning given to such term in paragraph 1.1.


Clauses:

1. DATA PROTECTION

1.1. Each party shall comply with its obligations under the Data Laws with regard to its Processing of any Personal Data in connection with the Agreement (“Relevant Personal Data”).

1.2. The parties acknowledge that the factual arrangement between them dictates the classification of each party as either a Controller and/or a Processor in respect of any Relevant Personal Data for the purposes of the Data Laws. Accordingly, in this paragraph 1:

1.2.1. references to the “Controller” shall be construed as a reference to the applicable party in its capacity as a Controller (as a matter of fact in accordance with the Data Laws) in respect of any Relevant Personal Data; and

1.2.2. references to the “Processor” shall be construed as a reference to the applicable party in its capacity as a Processor (as a matter of fact in accordance with the Data Laws) in respect of any Relevant Personal Data.

1.3. Without prejudice to the generality of paragraph 1.1, the Controller shall:

1.3.1. where required to do so under the Data Laws make notification(s) to the Data Regulator in relation to its Processing of the Relevant Personal Data;

1.3.2. ensure it is entitled to provide the Relevant Personal Data to the Processor as required for the Processor to perform its obligations under the Agreement in accordance with the Data Laws; and

1.3.3. ensure that, if and to the extent applicable, all fair processing notices have been given (and/or, as applicable, consents obtained) and are sufficient in scope to enable the Processor to Process the Relevant Personal Data as required for the Processor to perform its obligations under the Agreement in accordance with the Data Laws.

1.4. Without prejudice to the generality of paragraph 1.1, the Processor shall:

1.4.1. subject to paragraph 1.4.2, Process the Relevant Personal Data for and on behalf of the Controller for the purposes of performing its obligations under the Agreement and only in accordance with the terms of the Agreement and any written instructions from the Controller from time to time;

1.4.2. unless prohibited by law, immediately notify the Controller (and prior to undertaking the applicable Processing) if:

1.4.2.1. the Processor is required by the Data Laws or any other applicable law to act other than in accordance with the instructions of the Controller with regard to any Processing of Relevant Personal Data; and/or

1.4.2.2. the Processor considers, in its opinion, that any of the Controller’s instructions with regard to any Processing of Relevant Personal Data infringe the Data Laws or any other applicable law;

1.4.3. ensure that only the Processor’s properly authorised personnel (including contractors where applicable, but without prejudice to paragraph 1.9) shall have access to or Process the Relevant Personal Data and that such personnel have entered into appropriate contractually-binding obligations to keep the Relevant Personal Data confidential or are subject to an appropriate statutory obligation of confidentiality;

1.4.4. implement and maintain technical and organisational security measures against the unauthorised or unlawful Processing of Relevant Personal Data and against the accidental loss or destruction of, or damage to, Relevant Personal Data sufficient to comply at least with the obligations imposed by the Data Laws;

1.4.5. without prejudice to the generality of paragraph 1.4.4, ensure that the measures implemented pursuant to such paragraph are appropriate to the harm that might result from the unauthorised or unlawful Processing or accidental loss, destruction or damage and the nature of the Relevant Personal Data to be protected, having regard to the state of technological development and the cost of implementing any measures;

1.4.6. assist the Controller (taking into account the nature of the Processing), by the implementation, provision and use of appropriate technical and organisational measures (insofar as possible), to fulfil its obligations to respond to requests from Relevant Data Subjects for exercising their rights under the Data Laws;

1.4.7. without prejudice to the generality of paragraph 1.4.6:

1.4.7.1. notify the Controller promptly (and in any event within seven (7) days) following its receipt of any subject access request the Processor receives from any person who is a Relevant Data Subject (and not respond to any such subject access request without the Controller’s prior written consent);

1.4.7.2. promptly provide the Controller with all reasonable co-operation and assistance (including the provision of all relevant records and information) required by the Controller in relation to any subject access request made by any person who is a Relevant Data Subject;

1.4.8. notify the Controller promptly (and in any event within seven (7) days) following the Processor’s receipt of:

1.4.8.1. any notice or communication from the Data Regulator which relates to the Processing of the Relevant Personal Data; or

1.4.8.2. any complaint from any person who is a Relevant Data Subject and which relates (directly or indirectly) to the Processing of Relevant Personal Data;

1.4.9. not respond to any notice, communication or complaint referred to in paragraph 1.4.8 without the Controller’s prior written consent (except if and to the extent otherwise required by the Data Laws);

1.4.10. promptly provide the Controller with all reasonable co-operation and assistance (including the provision of all relevant records and information) required by the Controller in connection with any notice, communication or complaint referred to in paragraph 1.4.8;

1.4.11. notify the Controller promptly upon becoming aware of any:

1.4.11.1. breach of this paragraph 1;

1.4.11.2. any breach of the Data Laws in relation to the Relevant Personal Data; or

1.4.11.3. any Personal Data Breach in relation to the Relevant Personal Data,
providing full details thereof to the extent known to the Processor (or, where necessary, in phases but always without undue delay);

1.4.12. in respect of any matters referred to in paragraph 1.4.11:

1.4.12.1. promptly implement any measures reasonably necessary to restore the security of compromised Relevant Personal Data; and

1.4.12.2. provide reasonable co-operation and assistance (including the provision of all relevant records and information) to the Controller in connection therewith, including in respect of the making of any notifications to the Data Regulator and affected Data Subjects relating to any such matter;

1.4.13. carry out, without undue delay, any request from the Controller requiring it to amend, transfer or delete the Relevant Personal Data or any part of the Relevant Personal Data; and

1.4.14. except if and to the extent otherwise required by the Data Laws and any other applicable law, cease Processing all Relevant Personal Data after termination of the Agreement as soon as such Processing is no longer required for the purposes of the Agreement and return or delete (as directed in writing by the Controller) all Relevant Personal Data and all copies in its possession or control.

1.5. Without prejudice to the generality of paragraph 1.1, the Processor shall maintain complete and accurate records and information to demonstrate its compliance with the Data Laws regarding Relevant Personal Data and this paragraph 1, including (with regard to Relevant Personal Data):

1.5.1. records of its details, the Controller’s details and the details of its data protection officer;

1.5.2. records of the categories of Processing carried out on behalf of the Controller;

1.5.3. records of the details of any transfers to any third countries, where applicable, and the safeguards in place for that transfer;

1.5.4. records of the measures it has in place pursuant to paragraph 1.4.4; and

1.5.5. such other records as are required to be maintained pursuant to the Data Laws.

1.6. The Processor shall promptly provide to the Controller (and to the Data Regulator where applicable), upon request:

1.6.1. copies of the records maintained pursuant to paragraph 1.5;

1.6.2. a copy of the Relevant Personal Data which is Processed by the Processor at that time, in the format and on the media reasonably specified by the Controller; and

1.6.3. all information necessary to demonstrate the Controller’s and the Processor’s compliance with the Data Laws regarding Relevant Personal Data and the Processor’s compliance with this paragraph 1, including to demonstrate compliance by any third party of any obligations imposed on them by the Processor pursuant to any requirements of the Controller as contemplated by this paragraph 1.

1.7. Without prejudice to any other provisions of this paragraph 1, the Processor shall permit the Controller or its representatives (upon reasonable prior notice) to audit and inspect the Processor’s compliance with the Data Laws regarding Relevant Personal Data and this paragraph 1 (and shall promptly provide all reasonable co-operation, information and assistance with regard to any such audit).

1.8. At the Controller’s request (and taking into account the nature of the Processing and the information available to the Processor), the Processor shall promptly provide such assistance to the Controller (including the provision of all relevant records and information) as is required to ensure compliance with obligations imposed on the Controller in respect of:

1.8.1. the implementation of technical and organisational security measures relating to the Processing of Relevant Personal Data;

1.8.2. obligations relating to notifications to the Data Regulator and/or any Relevant Data Subjects required by the Data Laws regarding any Personal Data Breach; and/or

1.8.3. considering and undertaking any Data Protection Impact Assessments (including any required consultation with the Data Regulator) in accordance with Data Laws.

1.9. The Processor shall not, without the Controller’s prior written consent:

1.9.1. transfer any Relevant Personal Data to a country, territory or jurisdiction that is outside both the United Kingdom and the European Economic Area (and then only in accordance with the terms of that consent and ensuring that it meets the requirements of the Data Laws regarding such transfer, including ensuring that adequate safeguards are in place);

1.9.2. disclose or allow access to the Relevant Personal Data to a third party, including to a sub-processor (and then only in accordance with the terms of that consent and any specific written instructions given by the Controller relating to such disclosure or access); or

1.9.3. appoint any sub-processor to Process any Relevant Personal Data (and then subject always to paragraph 1.10).

1.10. Where the Controller gives written consent to the appointment of a sub-processor for the purposes of paragraph 1.9.3, the Processor shall:

1.10.1. only appoint any such sub-processor in accordance with the terms of that consent;

1.10.2. where such consent is of a general nature, inform the Controller of any intended changes concerning the addition or replacement of sub-processors and shall not effect any such changes without the Controller’s prior written consent;

1.10.3. prior to the sub-processor undertaking any Processing, put in place a written contract with the sub-processor which:

1.10.3.1. contains the same terms as the provisions of this paragraph 1 relating to such Processing and which otherwise meets the requirements of the Data Laws; and

1.10.3.2. prohibits the sub-processor from appointing any third party to Process the Relevant Personal Data; and

1.10.4. remain fully liable to the Controller for the performance of the sub-processor's obligations under such contract and for any breach of those obligations.

1.11. The Processor shall, without undue delay, enter into such additional agreements with the Controller and/or agree to such amendments to the Agreement as may be required to comply with the Data Laws.