2.  Data Protection

​

2.1   Roles of the parties, and processing activities

​

(a)   In relation to all Client Personal Data, the parties acknowledge and agree that to the extent the Supplier Processes Client Personal Data on behalf of the Client in connection with the provision of the Services, the Client shall be considered a Controller and Supplier shall be considered a Processor.

​

(b)   Each of the parties acknowledges and agrees that the subject-matter and duration of the Processing carried out by the Supplier on behalf of Client, the nature and purpose of the Processing, the type of Personal Data and categories of Data Subjects are accurately documented in Annex 1 to this DPA (which may from time to time be updated by the written agreement of the parties).

​

(c)   If at any time either party considers that the relationship between the parties and/or the scope of Processing carried out by the Supplier no longer corresponds with clause 2.1(a) or (b), that party shall promptly notify the other and the parties shall discuss and agree in good faith such steps that may be required to reflect the true status and/or the scope of Processing undertaken by the Supplier.

​

​

2.2   General obligations of the parties

​

Each party shall comply with the obligations imposed on it by applicable Data Privacy Laws with regard to Client Personal Data Processed by it in connection with Services. Client acknowledges and agrees that Supplier’s compliance with applicable Data Privacy Laws may be dependent on Client’s compliance with applicable Data Privacy Laws and accordingly Supplier will not be liable for failure to comply with applicable Data Privacy Laws where such failure results from a failure of Client to comply with applicable Data Privacy Laws (including any failure to comply with clause 2.4).

​

2.3   Obligations of Supplier

​

(a)  Supplier shall only Process Client Personal Data in accordance with the documented instructions of Client (including those in Annex 1, as updated), unless required to do so by European Law to which Supplier is subject, in which event Supplier shall inform Client of such legal requirement unless prohibited from doing so by European Law on important grounds of public interest.

​

(b)  Supplier shall inform Client if, in Supplier’s opinion, an instruction given by Client to Supplier under clause 2.3(a) infringes the Data Privacy Laws.

​

(c)  Supplier shall ensure that any persons authorised by it to Process Client Personal Data are subject to an obligation of confidentiality.

​

(d)  Supplier shall implement appropriate technical and organisational measures to ensure that Client Personal Data is subject to a level of security appropriate to the risks arising from its Processing by Supplier or its sub-processors, taking into account the factors and measures stated in Article 32 of the GDPR.

​

(e)  Supplier shall notify Client without undue delay after becoming aware of a Personal Data Breach.

​

(f)   Taking into account the nature of the Processing, Supplier shall assist Client by implementing appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of Client’s obligation to respond to requests for exercising a Data Subject's rights under Chapter III of the GDPR. For the avoidance of doubt, such assistance may be provided by Supplier providing, as part of the Services, the Client with functionality to fulfil such requests on a self-service basis and, where Supplier does so, Supplier shall not be obliged to provide any further assistance unless and to the extent that such functionality cannot be used to fulfil the relevant request.

​

(g)  Taking into account the nature of the Processing and the information available to Supplier, Supplier shall assist Client with regard to Client’s compliance with its obligations under the following Articles of the GDPR:

​

(i)     Article 32 (Security of Processing);

​

(ii)    Articles 33 and 34 (Notification and communication of a Personal Data Breach);

​

(iii)   Article 35 (Data protection impact assessment); and

​

(iv)   Article 36 (Prior consultation by Client with the Supervisory Authority).

​

(h)  Upon termination of Services that required the Processing of Client Personal Data (in whole or in part) Supplier shall, at the election of Client, deliver up or destroy such Client Personal Data which is in the possession of, or under the control of, Supplier unless European Law requires Supplier to store such Client Personal Data.

​

(i)   Supplier shall be generally entitled to appoint further processors to process the Client Personal Data in accordance with clause 2.6.

​

(j)   Supplier shall, at the request of Client, provide Client with all information necessary to demonstrate Supplier’s compliance with its obligations under this clause 2.3 and, if and to the extent that such provision of information does not demonstrate Supplier’s compliance with its obligations under this clause 2.3, Supplier shall allow for and contribute to audits and inspections conducted by or on behalf of Client subject to the following:

​

(i)   the Client may perform such audits no more than once per year, save that further audits may be performed if an audit reveals any material non-compliance by Interstellar with its obligations in this clause 2.3 (the scope of such further audits being limited to auditing Interstellar’s compliance with those obligations that were not complied with);

​

(ii)   the Client shall, and shall procure that any third party auditor will, enter into a confidentiality agreement in such form as is reasonably requested by Supplier prior to the conduct of such audit;

​

(iii)  audits must be conducted during regular business hours (i.e. 9am to 5pm UK time) and must not unreasonably interfere with the Supplier's business;

​

(iv)  the Client must provide the Supplier with any audit reports generated pursuant to any audit at no charge, unless prohibited by applicable law. The Client shall keep the audit reports confidential and may use the audit reports only for the purposes of meeting its audit requirements under Data Privacy Laws and/or confirming compliance with the requirements of this clause 2.3;

​

(v)  Client shall, prior to the conduct of an audit, submit an audit plan to the Supplier at least six weeks (or such shorter period as required by law or by a Supervisory Authority) in advance of the proposed commencement date of the audit, setting out the proposed scope, duration and start date of the audit. The Supplier will review the audit plan and will notify the Client within two weeks of receiving the audit plan if agrees with the plan or if it has any objections in respect of the same. The Supplier will work cooperatively with the Client to agree a final audit plan;

​

(vi)   nothing in this clause shall require the Supplier to breach any duties of confidentiality owed to any of its clients, employees or other third-parties;

​

(vii)   notwithstanding anything else in this DPA and/or the Agreement, all audits are at the Client's sole cost and expense.

​

​

2.4   Obligations of Client

​

(a)  Without prejudice to the generality of clause 2.2, Client shall ensure that:

​

(i)   the supply to Supplier of Client Personal Data by or on behalf of the Client for the purposes of Processing undertaken by the Supplier and its permitted sub-processors where such Processing is authorised by Client shall comply with the Data Privacy Laws;

​

(ii)  there is a lawful basis in respect of Supplier’s Processing of the Client Personal Data and Data Subjects have been provided with a privacy policy or notice that complies with the requirements of Article 13/14 of the GDPR in respect of such Processing; and

​

(iii)  the instructions given by Client to Supplier by operation of clause 2.3(a) shall comply with the Data Privacy Laws.

​

2.5  Costs of compliance

​

The Client acknowledges and agrees that the remuneration in respect of the Services does not take into account costs that may be incurred by Supplier in complying with any additional obligations under this DPA not required by law. Accordingly, Client will pay Supplier in respect of any material costs that are (or are to be) reasonably incurred by Supplier outside the ordinary course of its business in respect of the performance by Supplier of its additional obligations in this DPA, except where such performance is required as a result of a breach by Supplier of its obligations under this DPA. Where practicable to do so, Supplier will seek Client’s written approval prior to incurring such costs.

​

2.6  Supplier’s appointment of sub-processors

​

(a) Notwithstanding any other provision of the Agreement (including this DPA), Supplier shall be entitled to appoint further Processors to Process the Processing of Client Personal Data (“Sub-processor”). The following apply in respect of the appointment of Sub-processors:

​

(i)   the Client approves the appointment of the Sub-processor’s identified in Annex 1;

​

(ii)  Supplier shall notify Client in writing of its intention to engage any additional Sub-processor. Such notice shall give details of the identity of such Sub-processor and the services to be supplied by it;

​

(iii) the Supplier shall only use a Sub-processor that has provided sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of the Data Privacy Laws and ensures the protection of the rights of data subjects;

​

(iv) the Supplier shall impose, through a legally binding contract between the Supplier and the Sub-processor, data protection obligations on the Sub-processor that are in all material respects equivalent to those set out in this DPA and which in any event meet the requirements set out in the Data Privacy Laws;

​

(v)  the Client shall be entitled to object to the appointment of the Sub-processor where it considers that such appointment will not comply with the requirements of this clause 2.6. Client shall be deemed to have approved the engagement of the Sub-processor if it has not served a notice in writing on Supplier objecting (in accordance with this clause 2.6(a)(v)) to such appointment within seven days of the date that the notice is deemed to be received by Client in accordance with clause 2.6(a)(ii);

​

(vi)  where the Client objects to the proposed appointment, the Supplier will use commercially reasonable efforts to provide the Services without the use of the relevant Sub-processor. Where the Supplier is unable to provide the Services notwithstanding its use of such commercially reasonable efforts, the Supplier shall have no liability for any failure to provide the relevant Services in accordance with the Agreement; and

​

(vii)  the Supplier shall remain fully liable for all acts or omissions of the Sub-processors as if they were acts or omissions of the Supplier.

​

​

2.7  Restricted Transfers

​

Between the parties

​

(a)  The parties acknowledge and agree that the transfer from the Client to the Supplier, and/or the Processing by the Supplier, of Client Personal Data does not constitute a Restricted Transfer. If and to the extent that such transfer or Processing of Client Personal Data becomes a Restricted Transfer, the parties shall enter into a separate addendum to implement a transfer mechanism to ensure that the Restricted Transfer complies with the International Transfer Requirements.

​

By the Supplier

​

(b)  Client acknowledges and agrees that Client Personal Data may be transferred by Supplier to Sub-processors located in a Restricted Country, which may be considered a Restricted Transfer. In the event of the transfer being considered a Restricted Transfer, the Supplier shall enter into a transfer mechanism to ensure that the Restricted Transfer meets the International Transfer Requirements, and Supplier shall provide details of the relevant transfer mechanism on request.

​

Failure of transfer mechanism

​

(c)  The parties acknowledge and agree that to the extent either party consider the use of the relevant lawful transfer mechanism relied on in respect of a Restricted Transfer is no longer an appropriate lawful transfer mechanism to legitimise the relevant Restricted Transfer pursuant to the International Transfer Requirements, the Restricted Transfer shall be suspended and the parties shall work together in good faith to agree and put in place an alternative lawful transfer mechanism or such other supplementary measures to enable the Restricted Transfer to continue.. To the extent the parties agree that certain supplementary measures are required to legitimise the relevant Restricted Transfer, the parties shall, acting reasonably and in good faith, allocate the costs between the parties accordingly.

​

(d)  In addition to clause 2.7(c), the parties will each use commercially reasonable efforts to ensure that the Services can continue to be provided in all material respects in accordance with the Agreement despite the suspension of the Restricted Transfer.

​

(e)  Without prejudice to the Supplier’s obligations under clauses 2.7(c) and 2.7(d), the Supplier shall have no liability under the Agreement for any inability to provide the relevant Services in accordance with the Agreement as a result of the suspension of such Restricted Transfer pursuant to clauses 2.7(c).

​

​

2.8  Losses / Liability

​

(a)  Where, in accordance with the provisions Article 82 of the GDPR, both parties are responsible for the act, or omission to act, resulting in the payment of Losses by a party, or both parties, then each party shall only be liable for that part of such Losses which is in proportion to its respective responsibility.

​

(b)  Each party’s liability under or in connection with this DPA shall be limited in accordance with the liability and limitation provisions of the Agreement.

3  General​

This DPA constitutes the entire agreement and understanding between the parties in respect of the matters set out in this DPA and supersedes any previous agreement or any other part of the Agreement between the parties in relation to such matters.

​

​