PART 1: PROVISIONS RELATING TO PERSONAL DATA
1. DEFINITIONS
1.1 Terms used but not defined in this document shall have the meaning ascribed to them in the main body of the Customer T&Cs.
1.2 Specific terms used in this document are set out below.
1 Applicable Laws: means:
1a) To the extent the UK GDPR applies, the law of the United Kingdom or of a part of the United Kingdom.
1b) To the extent EU GDPR applies, the law of the European Union or any member state of the European Union to which the Customer or Equali is subject.
2 Applicable Data Protection Laws: means:
2a) To the extent the UK GDPR applies, the law of the United Kingdom or of a part of the United Kingdom which relates to the protection of personal data.
2b) To the extent the EU GDPR applies, the law of the European Union or any member state of the European Union to which Equali is subject, which relates to the protection of personal data.
Controller, Processor, Data Subject, Personal Data, Personal Data Breach, Processing: shall have the meanings given to them in the GDPR (and Process and Processed shall be construed accordingly).
3 EU GDPR: the General Data Protection Regulation ((EU) 2016/679).
UK GDPR: the retained EU law version of the General Data Protection Regulation ((EU) 2016/679) (UK GDPR).
2. TERMS
2.1 Each Party undertakes to comply with all applicable requirements of the Applicable Data Protection Laws in connection with the Agreement.
2.2 Each of the Parties acknowledges and agrees that for the purposes of the Applicable Data Protection Laws, the Customer is the Controller; and Equali is the Processor in relation to the Processing by Equali of any Personal Data.
2.3 Without prejudice to the generality of paragraph 2.1 of this document, Equali shall, in relation to any Personal Data processed in connection with the performance by Equali of its obligations under these Subscription Terms and Conditions:
2.3.1 process that Personal Data only on the documented written instructions of the Customer unless Equali is required by Applicable Laws to otherwise process that Personal Data. Where Equali is relying on Applicable Laws as the basis for processing Personal Data, Equali shall promptly notify the Customer of this before performing the processing required by the Applicable Laws unless those Applicable Laws prohibit Equali from so notifying the Customer;
2.3.2 ensure that it has in place appropriate technical and organisational measures, reviewed and approved by the Customer, to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures;
2.3.3 not transfer any Personal Data outside of the European Economic Area unless the prior written consent of the Customer has been obtained and the following conditions are fulfilled:-
(a) the Customer or Equali has provided appropriate safeguards in relation to the transfer;
(b) the data subject has enforceable rights and effective legal remedies;
(c) Equali complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred; and
(d) Equali complies with reasonable instructions notified to it in advance by the Customer with respect to the processing of the Personal Data.
2.3.4 assist the Customer, at the Customer's cost, in responding to any request from a Data Subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators;
2.3.5 ensure that any personnel engaged and authorised by Equali to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory or common law obligation of confidentiality;
2.3.6 notify the Customer without undue delay on becoming aware of a Personal Data Breach;
2.3.7 at the written direction of the Customer, delete or return Personal Data and copies thereof to the Customer on termination of the Services unless required by Applicable Law to store the Personal Data; and
2.3.8 maintain complete and accurate records and information to demonstrate its compliance.
2.4 The Customer provides its prior, general authorisation for Equali to appoint processors to process any Personal Data, provided that Equali:-
2.4.1 shall ensure that the terms on which it appoints such processors comply with Data Protection Legislation, and are consistent with the obligations imposed on Equali in this document;
2.4.2 shall remain responsible for the acts and omissions of any such processor as if they were the acts and omissions of Equali; and
2.4.3 shall inform the Customer of any intended changes concerning the addition or replacement of the processors, thereby giving the Customer the opportunity to object to such changes provided that if the Customer objects to the changes and cannot demonstrate, to Equali's reasonable satisfaction, that the objection is due to an actual or likely breach of Data Protection Legislation, the Customer shall indemnify Equali for any losses, damages, costs (including legal fees) and expenses suffered by Equali in accommodating the objection.
2.5 The Customer provides its prior, general authorisation for Equali to transfer Personal Data outside of the UK provided that Equali ensures that all such transfers are effected in accordance with Applicable Data Protection Laws. For these purposes, the Customer shall promptly comply with any reasonable request of Equali, including any request to enter standard data protection clauses adopted by the EU Commission from time to time (where the EU GDPR applies to the transfer) or adopted by the UK Information Commissioner from time to time (where the UK GDPR applies to the transfer).
2.6 The Customer represents, undertakes and warrants that all Personal Data has been and shall be collected and Processed by the Customer in accordance with the Applicable Data Protection Laws and, without limitation to the foregoing, the Customer shall take all steps necessary, including providing appropriate fair collection notices and ensuring that there is a lawful basis for Processing, in order to ensure the Processing of Personal Data by Equali is in accordance with the Applicable Data Protection Laws.
PART 2: DESCRIPTION OF DATA PROCESSING
The details of Equali’s Processing activities under this Agreement are as follows: