SCHEDULE 3 DATA PROTECTION
In this Schedule 3 the following definitions apply:
Data Controller has the meaning set out in the Data Protection Legislation;
Data Processor has the meaning set out in the Data Protection Legislation;
Data Protection Legislation means all privacy laws applicable to any Personal Data processed under or in connection with this Agreement, including, without limitation, the Data Protection Directive 95/46/EC (as the same may be superseded by the General Data Protection Regulation 2016/679 (the “GDPR”)), the Privacy and Electronic Communications Directive 2002/58/EC and all national legislation implementing or supplementing the foregoing and all associated codes of practice and other guidance issued by any applicable data protection authority, all as amended, re-enacted and/or replaced and in force from time to time;
Personal Data has the meaning set out in the Data Protection Legislation and relates only to personal data of which the Customer is the Data Controller and in relation to which Thoughtonomy is providing the Services under this Agreement; and
process and other derivations such as “processed” and “processing” means any use of or processing applied to any Personal Data and includes “processing” as defined in the Data Protection Legislation.
Services means the services contemplated under the terms of this Agreement to be provided by Thoughtonomy during the duration of the Agreement including but not limited to the Special Terms and Professional Services Scope in Schedule 1 and Maintenance and Support terms in Schedule 2.
22.1 The Parties agree that the performance of the services anticipated under this Agreement and in particular the Services set out in Schedule 1 and 2 may involve the processing of Personal Data as follows:
Receipt, analysis, storage, duplication, deletion of Personal Data necessary for the provision of the Services
Applicable personal data may include: title, first name, last name, address, date of birth, health information, financial pension details of clients or prospective clients of the Customer or beneficiaries or dependants of the same,
Such use of Personal Data will be until the earliest of (i) expiry/termination of this Agreement or (ii) the date upon which processing is no longer necessary for the purposes of either party performing its obligations under this Agreement.
23.1 Each party warrants to the other that it (or its applicable Affiliate) has complied with, and undertakes to continue to comply with, the Data Protection Legislation at all times.
23.2 In respect of the parties’ rights and obligations under this Agreement regarding the Personal Data, the parties hereby acknowledge and agree that the Customer is the Data Controller (or acting as agent on behalf of an Affiliate that is a Data Controller) and Thoughtonomy is the Data Processor and accordingly Thoughtonomy agrees that it shall process all Personal Data in accordance with its obligations pursuant to this Schedule 3.
23.3 Thoughtonomy warrants that it shall:
only process the Personal Data in order to provide the Services contemplated herein and shall act only in accordance with this Agreement and the Customer’s written instructions issued from time to time;
implement appropriate technical and organisational measures to ensure a level of security appropriate to the risks that are presented by the processing, in particular protection against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data transmitted, stored or otherwise processed pursuant to this Agreement;
take reasonable steps to ensure the reliability of any of its staff who will have access to the Personal Data and ensure that anyone who accesses it shall respect and maintain all due confidentiality;
not engage any sub-processors in the performance of the Services without the prior written consent of the Customer and otherwise in accordance with this Schedule 3 at all times;
not cause or permit any Personal Data to be transferred or processed outside the European Economic Area without first seeking the instructions of the Customer, which may include the requirement to execute the Standard Contractual Clauses for transfers from Data Controllers to Data Processors approved by the Commission pursuant to Decision 2010/87/EU, as amended by Commission Implementing Decision (EU) 2016/2297;
immediately notify the Customer of any actual or alleged incident of unauthorised or accidental disclosure of or access to any Personal Data or other breach of this Agreement by any of its staff, sub-processors or any other identified or unidentified third party;
where applicable in respect of any Personal Data processed pursuant to this Agreement, provide full cooperation and assistance to the Customer in ensuring compliance with:
a) the Customer’s obligations to respond to requests from any data subject(s) seeking to exercise its/their rights under Chapter III of the GDPR, including by notifying the Customer of any written subject access requests Thoughtonomy receives relating to the Customer’s obligations under the Data Protection Legislation; and
b) the Customer’s obligations set out under Articles 32 – 36 of the GDPR to:
c) ensure the security of the processing;
d) notify the relevant supervisory authority, and any data subject(s), where relevant, of any breaches relating to Personal Data;
e) carry out any data protection impact assessments (“DPIA”) of the impact of the processing on the protection of Personal Data; and
f) consult the relevant supervisory authority prior to any processing where a DPIA indicates that the processing would result in a high risk in the absence of measures taken by the Customer to mitigate the risk;
make available to the Customer all information necessary to demonstrate compliance with the obligations set out in this provision and allow for and contribute to any audits, including inspections, conducted by the Customer or another auditor mandated by the Customer; and
at the request of the Customer, delete or return to the Customer all Personal Data processed pursuant to this Agreement at the end of the Term.
24.1 Without prejudice to any other rights or remedies of the Customer in the event of a breach of Clause 2 or Clause 4 of this Agreement by Thoughtonomy but subject to Clause 8 of this Agreement, Thoughtonomy agrees to indemnify and keep indemnified and defend at its own expense the Customer (and any applicable Affiliate Data Controller that Customer is acting as agent for due to its capacity as service company for such Affiliate) against all costs, claims, damages or expenses incurred by the Customer or for which the Customer (or any Affiliate) may become liable due to any failure by the Data Processor or its employees or agents to comply with any of its obligations under this Agreement.
24.2 Thoughtonomy shall ensure that any person it engages to provide services on its behalf in connection with this Agreement does so only on the basis of a written contract which imposes on such person terms equivalent to those imposed on Thoughtonomy in this Schedule 3 (“Relevant Terms”). Thoughtonomy shall procure the performance by such person of the Relevant Terms and shall be directly liable to the Customer for any breach by such person of any of the Relevant Terms.