1.1 In this Data Policy, defined terms shall have the same meaning and the same rules of interpretation shall apply as in the remainder of our Agreement. In addition, in this Data Policy, the following definitions have the meanings given below:
Applicable Law: means any applicable law or regulation of the European Union (“EU”), the European Economic Area (“EEA”) or any of the EU or EEA’s member states from time to time together with any applicable law or regulation in the United Kingdom from time to time (provided that, in the event of any conflict between the foregoing, the laws and regulations of the United Kingdom shall prevail for the purposes of this definition);
Appropriate Safeguards: means such legally enforceable mechanism(s) for Transfers of Personal Data as may be permitted under Data Protection Laws from time to time;
Controller: has the meaning given to that term in Data Protection Laws;
Data Protection Laws: means all Applicable Laws relating to the processing, privacy and/or use of Personal Data, as applicable to either party or the Services, including the following laws to the extent applicable in the circumstances:
(a) the GDPR;
(b) the Data Protection Act 2018;
(c) any laws which implement any such laws; and
(d) any laws which replace, extend, re-enact, consolidate or amend any of the foregoing (including where applicable, the GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of the European Union (Withdrawal) Act 2018 as modified by applicable domestic law from time to time);
Data Protection Losses: means all liabilities, including all:
(a) costs (including legal costs), claims, demands, actions, settlements, interest, charges, procedures, expenses, losses and damages (including relating to material or non-material damage); and
(b) to the extent permitted by Applicable Law:
(i) administrative fines, penalties, sanctions, liabilities or other remedies imposed by a Supervisory Authority;
(ii) compensation which is ordered by a Supervisory Authority to be paid to a Data Subject; and
(iii) the reasonable costs of compliance with investigations by a Supervisory Authority;
Data Subject: has the meaning given to that term in Data Protection Laws;
Data Subject Request: means a request made by a Data Subject to exercise any rights of Data Subjects under Data Protection Laws;
GDPR: means the General Data Protection Regulation, Regulation (EU) 2016/679;
International Recipient: means the organisations, bodies, persons and other recipients to which Transfers of the Protected Data are prohibited under paragraph 8.1 without the Customer’s prior written authorisation;
Onward Transfer: means a Transfer from one International Recipient to another International Recipient;
Personal Data: has the meaning given to that term in Data Protection Laws;
Personal Data Breach: means any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, any Protected Data;
Platform Data: means Personal Data in the RISC Vision Data;
Processing: has the meanings given to that term in Data Protection Laws (and related terms such as process have corresponding meanings);
Processing Instructions: has the meaning given to that term in paragraph 4.1(a);
Processor: has the meaning given to that term in Data Protection Laws;
Protected Data: means Personal Data in the Customer Data;
Sub-Processor: means another Processor engaged by RISC Vision for carrying out processing activities in respect of the Protected Data on behalf of the Customer;
Supervisory Authority: means any local, national or multinational agency, department, official, parliament, public or statutory person or any government or professional body, regulatory or supervisory authority, board or other body responsible for administering Data Protection Laws;
Transfer: bears the same meaning as the word ‘transfer’ in Article 44 of the GDPR (or to the extent wider the definition of ‘transfer’ in equivalent provisions of UK Data Protection Laws). Without prejudice to the foregoing, this term also includes all Onward Transfers. Related expressions such as “Transfers”, “Transferred” and “Transferring” shall be construed accordingly; and
UK Data Protection Laws: means Data Protection Laws that form part of the law of England and Wales, Scotland and/or Northern Ireland from time to time.
2. Platform Data
2.1 Some of the Platform Data made available to you via the RISC Vision Platform will include Personal Data. You and we are separate, independent Controllers of Platform Data. We are not joint Controllers.
2.2 You and we hereby agree that we each have a legitimate interest in processing Platform Data, namely the furtherance of our respective businesses, and that this is the lawful basis on which any processing will take place.
3. Protected Data
3.1 We hereby agree that, for the Protected Data, you are the Controller and we are the Processor. Nothing in our Agreement relieves you of any responsibilities or liabilities under any Data Protection Laws.
3.2 To the extent you are not sole Controller of any Protected Data you warrant that you have full authority and authorisation of all relevant Controllers to instruct us to process the Protected Data in accordance with our Agreement.
3.3 We shall process Protected Data in compliance with the obligations of Processors under Data Protection Laws in respect of the performance of our obligations under our Agreement.
3.4 You shall ensure that you and each User shall at all times comply with:
(a) all Data Protection Laws in connection with the processing of Protected Data, the use of the RISC Vision Platform (and each part thereof) and the exercise and performance of your respective rights and obligations under our Agreement, including maintaining all relevant regulatory registrations and notifications as required under Data Protection Laws; and
(b) the terms of our Agreement.
3.5 You warrant, represent and undertake, that at all times:
(a) all Protected Data (if processed in accordance with our Agreement) shall comply in all respects, including in terms of its collection, storage and processing, with Data Protection Laws;
(b) fair processing and all other appropriate notices have been provided to the Data Subjects of the Protected Data (and all necessary consents from such Data Subjects obtained and at all times maintained) to the extent required by Data Protection Laws in connection with all processing activities in respect of the Protected Data which may be undertaken by us and our Sub-Processors in accordance with our Agreement;
(c) the Protected Data is accurate and up to date;
(d) you shall establish and maintain adequate security measures to safeguard the Protected Data in your possession or control (including from unauthorised or unlawful destruction, corruption, processing or disclosure) and maintain complete and accurate backups of all Protected Data provided to us (or anyone acting on our behalf) so as to be able to immediately recover and reconstitute such Protected Data in the event of loss, damage or corruption of such Protected Data by us or any other person;
(e) all instructions given by you to us in respect of Personal Data shall at all times be in accordance with Data Protection Laws; and
(f) you have undertaken due diligence in relation to our processing operations and commitments and are satisfied (and at all times you continue to use the RISC Vision Platform remain satisfied) that:
(i) our processing operations are suitable for the purposes for which you propose to use the RISC Vision Platform and engage us to process the Protected Data;
(ii) the technical and organisational measures adopted by us from time to time shall (if we comply with such measures) ensure a level of security appropriate to the risk in regards to the Protected Data; and
(iii) we have sufficient expertise, reliability and resources to implement technical and organisational measures that meet the requirements of Data Protection Laws.
4. Instructions and details of processing of Protected Data
4.1 Insofar as we process Protected Data on your behalf, we:
(a) unless required to do otherwise by Applicable Law, shall (and shall take steps to ensure each person acting under our authority shall) process the Protected Data only on and in accordance with your documented instructions as set out in this paragraph 4.1 and paragraphs 4.3 and 4.4 (including when making a Transfer of Protected Data to any International Recipient), as updated from time to time (“Processing Instructions”);
(b) if Applicable Law requires us to process Protected Data other than in accordance with the Processing Instructions, shall notify you of any such requirement before processing the Protected Data (unless Applicable Law prohibits such information on important grounds of public interest); and
(c) to the maximum extent permitted by applicable law, we shall have no liability howsoever arising (whether in contract, tort (including negligence) or otherwise) for any losses, costs, expenses or liabilities (including any Data Protection Losses) arising from or in connection with any processing in accordance with your Processing Instructions.
4.3 You acknowledge and agree that the execution of any computer command to process (including deletion of) any Protected Data made in the use of the RISC Vision Platform by a User will be a Processing Instruction (other than to the extent such command is not fulfilled due to technical, operational or other reasons). You shall ensure that Users do not execute any such command unless authorised by you (and by all other relevant Controller(s)) and you acknowledge and accept that, if any Protected Data is deleted pursuant to any such command, we are under no obligation to seek to restore it.
4.4 The processing of the Protected Data by us under our Agreement shall be for the subject-matter, duration, nature and purposes and involve the types of Personal Data and categories of Data Subjects set out in schedule 1.
5. Technical and organisational measures
Taking into account the nature of the processing, you and we shall implement and maintain appropriate technical and organisational measures:
(a) in relation to the processing of Platform Data by you;
(b) in relation to the processing of Protected Data by us; and
(c) subject to paragraph 7.1, to assist you insofar as is possible (taking into account the nature of the processing) in the fulfilment of your obligations to respond to Data Subject Requests relating to Protected Data, in each case at your cost.
6. Using staff and other Processors
6.1 You hereby give us general authorisation to engage any Sub-Processor for carrying out any processing activities in respect of the Protected Data in accordance with our Agreement.
6.2 We shall:
(a) prior to the relevant Sub-Processor carrying out any processing activities in respect of the Protected Data, appoint each Sub-Processor under a written contract containing materially the same obligations as under paragraphs 3 to 1 (inclusive) (including those obligations relating to sufficient guarantees to implement appropriate technical and organisational measures); and
(b) remain fully liable for all the acts and omissions of each Sub-Processor as if they were our own.
6.3 We shall ensure that all persons authorised by us (or by any Sub-Processor) to process Protected Data are subject to a binding written contractual obligation to keep the Protected Data confidential (except where disclosure is required in accordance with Applicable Law, in which case we shall, where practicable and not prohibited by Applicable Law, notify you of any such requirement before such disclosure).
7. Assistance with compliance and Data Subject rights
7.1 We shall refer all Data Subject Requests we receive to you without undue delay. You shall pay us for all work, time, costs and expenses incurred in connection with such activity.
7.2 We shall provide such assistance as you reasonably require (taking into account the nature of processing and the information available to us) to you in ensuring compliance with your obligations under Data Protection Laws with respect to:
(a) security of processing;
(b) data protection impact assessments (as such term is defined in Data Protection Laws);
(c) prior consultation with a Supervisory Authority regarding high risk processing; and
(d) notifications to the Supervisory Authority and/or communications to Data Subjects by you in response to any Personal Data Breach,
provided you shall pay us for all work, time, costs and expenses incurred in connection with providing the assistance in this paragraph.
8. International data Transfers
8.1 Subject to paragraphs 8.2 and 8.4, neither party shall Transfer any Platform Data or Protected Data:
(a) from any country to any other country; and/or
(b) to an organisation and/or its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries,
without the other party’s prior written authorisation except where it is required to Transfer the Protected Data by Applicable Law (and shall inform the other party of that legal requirement before the Transfer, unless those laws prevent it doing so).
8.2 Each party hereby authorises the other to Transfer any Platform Data or Protected Data to any International Recipient(s), provided all Transfers of Platform Data or Protected Data to an International Recipient (and any Onward Transfer) shall be (to the extent required under Data Protection Laws) effected by way of Appropriate Safeguards and in accordance with Data Protection Laws. The provisions of our Agreement (including this Data Policy) shall constitute your instructions with respect to Transfers of Protected Data in accordance with paragraph 4.1(a).
8.3 You hereby undertake to comply with our reasonable requests intended to ensure that any Transfer of Platform Data or Protected Data to an International Recipient (and any Onward Transfer) is effected by way of Appropriate Safeguards and in accordance with Data Protection Laws, including (without limitation) by promptly executing any Standard Contractual Clauses (or other documents) that we consider necessary or desirable to give effect to Appropriate Safeguards from time to time. We have no obligation under our Agreement to provide any access to the RISC Vision Platform unless and until you have complied with all our reasonable requests pursuant to this paragraph.
8.4 You acknowledge that due to the nature of cloud services, the Platform Data and Protected Data may be Transferred to other geographical locations in connection with use of the RISC Vision Platform further to access and/or computerised instructions initiated by Users. You acknowledge that we do not control such processing and you shall ensure that Users (and all others acting on your behalf) only initiate the Transfer of Platform Data or Protected Data to other geographical locations if Appropriate Safeguards are in place and that such Transfer is in compliance with all Applicable Laws.
9. Information and audit
9.1 We shall maintain, in accordance with Data Protection Laws binding on us, written records of all categories of processing activities carried out on your behalf.
9.2 On request, we shall, at your cost, provide you (or auditors mandated by you) with a copy of the third party certifications and audits to the extent made generally available to our customers. Such information shall be confidential to us.
10. Breach notification
10.1 In respect of any Personal Data Breach involving Protected Data, we shall, without undue delay (and in any event within 72 hours):
(a) notify you of the Personal Data Breach; and
(b) provide you with details of the Personal Data Breach.
11. Deletion of Protected Data and copies
When it is no longer reasonably necessary for us to process any element of Protected Data, we shall dispose of the relevant Protected Data as soon as reasonably practicable. We shall have no liability (howsoever arising, including in negligence) for any deletion or destruction of any such Protected Data undertaken in accordance with our Agreement.
12. Compensation and claims
12.1 We shall be liable for Data Protection Losses (howsoever arising, whether in contract, tort (including negligence) or otherwise) under or in connection with our Agreement:
(a) only to the extent caused by the processing of Protected Data under our Agreement and directly resulting from our breach of our Agreement; and
(b) in no circumstances to the extent that any Data Protection Losses (or the circumstances giving rise to them) are contributed to or caused by any breach of our Agreement by you.
12.2 If a party receives a compensation claim from a person relating to processing of Protected Data in connection with our Agreement, it shall promptly provide the other party with notice and full details of such claim. The party with conduct of the action shall:
(a) make no admission of liability nor agree to any settlement or compromise of the relevant claim without the prior written consent of the other party (which shall not be unreasonably withheld or delayed); and
(b) consult fully with the other party in relation to any such action but the terms of any settlement or compromise of the claim will be exclusively the decision of the party that is responsible under our Agreement for paying the compensation.
12.3 You shall not be entitled to claim back from us any part of any compensation paid by you in respect of such damage to the extent that you are liable to indemnify or otherwise compensate us in accordance with our Agreement.
12.4 This paragraph 12 is intended to apply to the allocation of liability for Data Protection Losses as between the parties, including with respect to compensation to Data Subjects, notwithstanding any provisions under Data Protection Laws to the contrary, except:
(a) to the extent not permitted by Applicable Law (including Data Protection Laws); and
(b) that it does not affect the liability of either party to any Data Subject.