GDPR Addendum

GENERAL DATA PROTECTION CONTRACTUAL ADDENDUM

This Addendum dated 3rd May 2018 (the “Addendum”) amends, with effect from and including 25 May 2018 (the “Effective Date”), the General Terms and Conditions between Hexagon Webworks Ltd (registered in England under company number 05533762) trading as Electric Hosting (“Electric Hosting”) and you, (“Controller”) and any other agreements entered into between the parties (the “Agreement”).

To the extent this Addendum is not consistent with any terms of the Agreement the terms of this Addendum shall prevail. Other than as indicated herein, capitalised terms and definitions contained herein shall have the same meaning as specified in the Agreement.

BACKGROUND

(A) As of 25 May 2018 the General Data Protection Regulation (EU) 2016/679 (“GDPR”) will apply in the EEA replacing Directive 95/46/EC and its local implementing legislation in the UK, the Data Protection Act 1998 (“DPA 1998”). Accordingly, the parties can no longer rely on compliance with the DPA 1998 in the UK as being sufficient for controlling, processing or protecting data.

(B) In order to comply with their legal and regulatory obligations, the parties wish to update the terms of the Agreement to comply with the GDPR on the terms as set out in this Addendum. Therefore, the parties, intending to be legally bound, and in consideration of the needs for both parties to comply with their respective obligations under the GDPR, agree that any data controller, processing and protection provisions (and/or any other provisions in the Agreement relating to the DPA 1998) shall, as at the Effective Date, be deleted and the following clause shall be incorporated into the Agreement:

1 DATA PROCESSING

1.1 For the purposes of this Agreement the following defined terms shall have the following meanings:
“Data Protection Law” shall mean (a) Data Protection Act 1998; or (b) from 25th May 2018, the General Data Protection Regulation (EU) 2016/679 (“GDPR”), read in conjunction with and subject to any applicable UK national legislation that provides for specifications or restrictions of the GDPR’s rules; or (c) from the date of implementation, any applicable legislation that supersedes or replaces the GDPR in the UK or which applies the operation of the GDPR as if the GDPR were part of UK national law, which may include the Data Protection Act 2017;

“personal data”, “controller”, “processor”, “data subject”, and “processing” (and other parts of the verb ‘to process’) shall have the meaning set out in the Data Protection Law.

1.2 Each party shall comply at all times with Data Protection Law and shall not perform its obligations under this Agreement in such a way as to cause the other to breach any of its applicable obligations under Data Protection Law.

1.3 In the context of this Agreement, Hexagon Webworks will act as “processor” to the Controller who may act as either “processor” or “controller” with respect to the personal data. Notwithstanding the foregoing, the parties acknowledge that:

1.3.1 where Hexagon Webworks only provides colocation services under the Agreement Hexagon Webworks will not be a Processor; and

1.3.2 where personal data is not accessible to Hexagon Webworks it shall not be a Processor, and therefore, in either case, the obligations of clause 1.7 shall not apply to Hexagon Webworks.

1.4 The Controller represents and warrants to Hexagon Webworks that with respect to any personal data processed pursuant to this Agreement:

1.4.1 all personal data is necessary for the purpose for which it is processed, accurate and up-to-date (and Controller shall at all times comply with Hexagon Webworks’s standard acceptable use policy);

1.4.2 taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Controller has implemented appropriate technical and organisational measures to ensure a level of security appropriate to the risk to the personal data;

1.4.3 the Controller has obtained all the necessary consents from data subjects to process the personal data and to outsource the processing of any personal data to Hexagon Webworks and the Controller covenants that it shall notify Hexagon Webworks in writing if there are any material changes to these consents or to the personal data that Hexagon Webworks processes under this Agreement; and

1.4.4 it is not aware of any circumstances likely to, and will not instruct Hexagon Webworks to process the personal data in a manner that is likely to, give rise to a breach of the Data Protection Law (or any other applicable data protection or privacy laws).

1.5 The Controller acknowledges and agrees that pursuant to its obligation under Article 28(1) of the GDPR to only appoint processors providing sufficient guarantees to implement appropriate technical and organisational measures to meet the requirements of the GDPR, it has assessed Hexagon Webworks’s applicable technical and organisational measures and considers them to be sufficient, taking into account the nature, scope, context and purpose of the processing undertaken pursuant to the Agreement.

1.6 Controller acknowledges and agrees that it is responsible for ensuring the compliance of any of its businesses, affiliates or subsidiaries located in a territory outside the EEA with Data Protection Law in relation to transfers of personal data from Hexagon Webworks to Controller.

1.7 Where Hexagon Webworks processes personal data on behalf of Controller, with respect to such processing, Hexagon Webworks shall:

1.7.1 process the personal data only in accordance with the Agreement (as amended by this Addendum) and the documented instructions of the Controller given from time to time. The Controller acknowledges that Hexagon Webworks is under no duty to investigate the completeness, accuracy or sufficiency of such instructions and any additional instructions outside the scope of this Agreement (as amended by this Addendum) require prior written approval between Hexagon Webworks and Controller (including agreement on any fees payable by Controller to Hexagon Webworks for carrying out such instructions);

1.7.2 only permit the personal data to be processed by persons who are bound by enforceable obligations of confidentiality and take steps to ensure such persons only act on Hexagon Webworks’s instructions in relation to the processing;

1.7.3 protect the personal data against unauthorised or unlawful processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm and risk which might result from any unauthorised or unlawful processing, accidental loss, destruction or damage to the personal data and having regard to the nature of the personal data which is to be protected (and the Controller shall notify Hexagon Webworks immediately if the nature of such personal data changes in a material way);

1.7.4 remain entitled to appoint third party sub-processors. Where Hexagon Webworks appoints a third party sub-processor, it shall, with respect to data protection obligations:

(a) ensure that the third party is subject to, and contractually bound by, at least the same obligations as Hexagon Webworks; and

(b) remain fully liable to Controller for all acts and omissions of the third party, and all sub-processors engaged by Hexagon Webworks as at the effective date of this Addendum shall be deemed authorized;

1.7.5 in addition to the sub-processors engaged pursuant to paragraph 1.7.4 (above), be entitled to engage additional or replacement sub-processors, subject to:

(a) the provisions of paragraph 1.7.4(a) and 1.7.4(b) being applied; and

(b) Hexagon Webworks notifying the Controller of the additional or replacement sub-processor, and where Controller objects to the additional or replacement sub-processor, the parties shall discuss the objection in good faith;

1.7.6 notify Controller without undue delay after becoming aware that it has suffered a personal data breach;

1.7.7 at Controller’s cost and not more than once in any 12 month period permit Controller (subject to reasonable and appropriate confidentiality undertakings), to inspect and audit (during business hours and on reasonable notice) Hexagon Webworks’s data processing activities to enable Controller to verify and/or procure that Hexagon Webworks is complying with its obligations under clause 1.2. Controller shall ensure that it adheres to any applicable Hexagon Webworks site and security policies in the performance of such audit or inspection;

1.7.8 on Controller’s reasonable request and at Controller’s cost, assist Controller to respond to requests from data subjects who are exercising their rights under the Data Protection Law (insofar as it is reasonable for Hexagon Webworks to do so);

1.7.9 save where such countries have been deemed by the European Commission to be providing an adequate level of protection pursuant to the relevant provisions of Data Protection Law, not process personal data outside the EEA without the prior written consent of Controller and, where Controller consents to such transfer, to comply with any reasonable instructions notified to Hexagon Webworks by it. Notwithstanding the foregoing, Hexagon Webworks is expressly permitted to and instructed by Controller that it may transfer personal data to any Hexagon Webworks subsidiary and any Hexagon Webworks subcontractor, subject to first ensuring that adequate protections are in place to protect the personal data consistent with the requirements of Data Protection Law;

1.7.10 on Controller’s reasonable request and at Controller’s cost, assist (insofar as it is reasonable to do so, taking into account the nature of the information available to Hexagon Webworks and any restrictions on disclosing the information, such as confidentiality) Controller to comply with the Controller’s obligations pursuant to Articles 32-36 of the GDPR (or such corresponding provisions of the Data Protection Law), comprising (if applicable): (a) notifying a supervisory authority that Controller has suffered a personal data breach; (b) communicating a personal data breach to an affected individual; (c) carrying out an impact assessment; and (d) where required under an impact assessment, engaging in prior consultation with a supervisory authority; and

1.7.11 unless applicable law requires otherwise, upon termination of the Agreement delete or return all personal data provided by Controller to Hexagon Webworks (except to the extent this is not reasonably technically possible or prohibited by law).

2 INDEMNITY

2.1 Controller shall indemnify and hold harmless on demand Hexagon Webworks for any loss, damage, liabilities, penalties, expenses or fines incurred (whether foreseeable or unforeseeable or direct or indirect) (“Losses”) as a result of:

2.1.1 the Controller breaching its obligations under clause 1 (Data Processing);

2.1.2 any unsuccessful claim by a data subject when such claim holds both Controller and Hexagon Webworks as jointly and severally liable under the Data Protection Laws.

2.2 Where under Data Protection Law (including without limitation Article 82 of the GDPR) Hexagon Webworks and Controller incur joint and several liability (as Controller and Processor with any other person) and, as such, Hexagon Webworks incurs Losses (other than for damage caused by processing where it has not complied with obligations under Data Protection Law specifically directed to Processors or where it has acted outside or contrary to Controller’s lawful instructions under the Agreement), Controller shall indemnify Hexagon Webworks on demand against all such Losses, save for such liability as corresponds directly to Hexagon Webworks’s part of the responsibility for the damage caused by Hexagon Webworks’s breach of the obligations of Data Protection Law or under this Agreement.

3 LIMITATION OF LIABILITY

3.1 Neither party excludes or limits liability to the other party for any matter for which it would be unlawful for the parties to exclude liability.

3.2 Subject to Clause 3.1, with respect to any claim relating to a breach of Data Protection Law or a breach of this Addendum, Hexagon Webworks shall not in any circumstances be liable to the Controller whether in contract, tort (including for negligence and breach of statutory duty howsoever arising), misrepresentation (whether innocent or negligent), restitution or otherwise, for:

3.2.1 any loss (whether direct or indirect) of profits, business, business opportunities, revenue, turnover, reputation or goodwill; and

3.2.2 any loss or corruption (whether direct or indirect) of personal data or information.

3.3 Subject to Clause 3.1, Hexagon Webworks’ total aggregate liability to the Controller in contract, tort (including negligence and breach of statutory duty howsoever arising), misrepresentation (whether innocent or negligent), restitution or otherwise, arising in connection with a breach of Data Protection Laws or a breach of this Addendum or any collateral contract shall in all circumstances be limited to the greater of:

3.3.1 the Charges paid or payable by Controller to Hexagon Webworks under the relevant Agreement in the Initial Term; or

3.3.2 the total Charges paid or payable by the Controller to Hexagon Webworks under the relevant Agreement in the contract year concerned.

4 GOVERNING LAW AND JURISDICTION

This Addendum and any dispute or claim arising out of or in connection with it, or its subject matter or formation (including non-contractual disputes or claims) shall be governed by, and construed in accordance with, the laws of England. The parties agree that the courts of England will have exclusive jurisdiction to settle any dispute (whether contractual or non-contractual) arising from or in connection with the Addendum.