Data Protection Addendum

This Data Protection Addendum ("Addendum") amends the Operating Agreement between:

 

(i) Jigsaw Conferences Ltd of 23 Commerce Road, Peterborough PE2 6LR - company number 04788489 ("Company"); and

(ii) (Supplier company name) ........................................

(iii) (Supplier company address), (Supplier company number) ........................................ ("Supplier")

dated (Original date of Operating Agreement) ........./............../............... ("Main Agreement")

 

Company and Supplier also enter into this Addendum on behalf of their Affiliates to the extent that Company and Supplier have also entered into the Main Agreement on behalf of their Affiliates.

Background

A. The Supplier provides the Services to Company under the Main Agreement. As part of the provision of the Services, Supplier will Process the Company Personal Data on behalf of the Company (all as defined below).
B. The parties acknowledge that for the purposes of the Data Protection Laws, Company is the Data Controller and Supplier is the Data Processor in respect of the Company Personal Data.
C. In consideration of the mutual obligations set out in the Addendum, the parties hereby agree that the terms and conditions set out below shall be deemed to be incorporated into the Main Agreement.
Except as modified below, the terms of the Main Agreement shall remain in full force and effect.

Exhibits

Exhibit 1: Main terms;
Exhibit 2: Details of Processing of Company Personal Data; and
Exhibit 3: Standard Contractual Clauses (Template).

This Addendum is entered into and becomes a binding part of the Main Agreement with effect from the date of the last dated signature below.

 

Supplier Data Protection Addendum

 

EXHIBIT 1 - MAIN TERMS

1. Definitions and Interpretation

1.1 In this Addendum, the following terms shall have the meaning set out below:

1.1.1 "Affiliate" means any entity that directly or indirectly controls, is controlling, or is under common control with another entity;

1.1.2 "Applicable Laws" means all UK, European Union or Member State applicable laws, statutes and regulations from time to time in force;

1.1.3 "Company Personal Data" means any Personal Data Processed by Supplier or a Subprocessor on behalf of Company pursuant to or in connection with the Main Agreement;

1.1.4 "Data Protection Laws" means:

1.1.4.1 - prior to and including 24 May 2018, the Data Protection Act 1998; and from and including 25 May 2018, (i) unless GDPR is no longer directly applicable in the UK, GDPR and any national implementing laws, regulations and secondary legislation, as amended or updated from time to time, in the UK and then (ii) any successor legislation to the GDPR or the Data Protection Act 1998; and

1.1.4.2 - any data protection or privacy laws within the hospitality or services industries legislation applicable to Company and Supplier;

1.1.5 "EEA" means the European Economic Area, and, to the extent that the UK is no longer part of the European Economic Area, the UK;

1.1.6 "GDPR" means the European Union General Data Protection Regulation 2016/679;

1.1.7 "Regulator" means those government departments and regulators, statutory and other entities, communities and bodies which, whether under statute, rules, regulations, codes of practice or otherwise, are entitled by any Applicable Law to supervise, regulate, investigate or influence the matters dealt with in this Addendum or any other affairs of Company, including any data protection supervisory authority;

1.1.8 "Services" means the services and other activities carried out by or on behalf of Supplier for Company pursuant to the Main Agreement;

1.1.9 "Standard Contractual Clauses" means the standard contractual clauses referred to in Exhibit 3 (as amended as indicated (in italics) in those contractual clauses and under clause 6.2 of this Addendum);

1.1.10 "Subprocessor" means any (i) Affiliate of Supplier which Processes Company Personal Data in connection with the Main Agreement and (ii) person appointed by or on behalf of Supplier or any of its Affiliates (excluding an employee of Supplier or such Affiliates) to Process Company Personal Data on behalf of Company in connection with the Main Agreement; and

1.1.11 the terms "Controller", "Data Subject", "Member State", "Personal Data Breach", "Processed" and "Processing" shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.

1.2 With regard to the subject matter of this Addendum, in the event of any conflicts or inconsistencies between the provisions of this Addendum, the provisions of this Addendum shall prevail.

1.3 The parties agree that any provisions in the Main Agreement that seek to restrict or prohibit the parties' ability to vary the Main Agreement shall not apply so as to prevent the parties from entering into this Addendum and varying the Main Agreement as set out in this Addendum.

1.4 Any words following the terms "including", "include", "for example" or any similar expression shall be construed as illustrative and shall not limit the sense of the words, description, definition, phrase or term preceding those terms.

2. Processing of Company Personal Data

2.1 Both parties shall comply with all applicable requirements of the Data Protection Laws in the Processing of Company Personal Data by Supplier, including the type of Personal Data Processed and the relevant categories of Data Subjects, as required by Article 28(3) of the GDPR.

3. Supplier obligations 

3.1 Supplier shall:

3.1.2 Process the Company Personal Data only on Company's instructions unless otherwise required by Applicable Laws to which Supplier is subject, in which case Supplier shall, to the extent permitted by Applicable Laws, inform Company of that legal requirement before such Processing;

3.1.3 take appropriate technical and organisational security measures to protect against unauthorised or unlawful processing and accidental loss or destruction of, or damage to, the Company Personal Data which are appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the Company Personal Data to be protected, and having measures. Those measures may include, where appropriate, pseudonymizing and encrypting the Company Personal Data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to the Company Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by Supplier;

3.1.4 ensure that all personnel who have access to and/or Process Company Personal Data are obliged to keep it confidential;

3.1.5 not transfer any Company Personal Data to a country outside of the EEA without obtaining Company's prior written consent;

3.1.6 assist Company in responding to any request from a Data Subject and in ensuring compliance with Company's obligations under the Data Protection Laws with respect to security, breach notifications, impact assessments and consultations with Regulators;

3.1.7 promptly notify Company if Supplier or any Subprocessor receives a request from a Data Subject under any Data Protection Law in respect of Company Personal Data;

3.1.8 at Company's written request, delete/destroy and/or return to Company the Company Personal Data and copies of it on the termination of the Main Agreement, unless Supplier is required by Applicable Laws to store specific Company Personal Data beyond the termination of the Main Agreement (in which case Supplier shall delete such Company Personal Data as soon as it is permitted by Applicable Laws);

3.1.9 notify Company without undue delay upon Supplier or any Subprocessor becoming aware of a Personal Data Breach affecting the Company Personal Data, providing Company with sufficient information to allow Company to meet any obligations to report to the Regulator, or inform Data Subjects, of the Personal Data Breach under the Data Protection Laws; and

3.1.10 maintain complete and accurate records and information to demonstrate Supplier's compliance with this Agreement and allow for reasonable audits, including inspection of Supplier premises by Company or its designated auditor, on reasonable notice, in order to verify compliance with this Addendum.

4. Subprocessing

4.1 Company authorises Supplier to appoint and permit each Subprocessor appointed in accordance with this clause 4 to appoint Subprocessors in accordance with this clause 4 and any restrictions in the Main Agreement.

4.2 Supplier and each of its Affiliates may continue to use those Subprocessors already engaged by Supplier or its Affiliates as at the date of this Addendum, subject to Supplier and each Affiliate in each case as soon as practicable meeting the obligations set out in clause 4.4.

4.3 Supplier shall inform Company before it or any of its Affiliates appoints any new Subprocessor. If within 14 days of receipt of that notice, Company notifies Supplier in writing of any objections (on reasonable grounds) to the proposed appointment:

4.3.1 Supplier shall work with Company in good faith to make available a commercially reasonable change in the provision of the Services which avoids the use of that proposed Subprocessor; and

4.3.2 where such a change cannot be made within 3 months from Supplier's receipt of Company's notice, notwithstanding anything in the Main Agreement, Company may by written notice to Supplier with immediate effect terminate the Main Agreement to the extent that it relates to the Services which require the use of the proposed Subprocessor.

4.4 With respect to each Subprocessor, Supplier or its relevant Affiliate shall:

4.4.1 before the Subprocessor first Processes Company Personal Data (or, where relevant, in accordance with clause 4.2) carry out adequate due diligence to ensure that the Subprocessor is capable of providing the level of protection for Company Personal Data required by this Addendum and the Main Agreement;

4.4.2 ensure that the arrangement with the Subprocessor is governed by a written contract including terms which offer at least the same level of protection for Company Personal Data as those set out in this Addendum and meet the requirements of Article 28(3) of the GDPR;

4.4.3 if that arrangement involves a transfer of Company Personal Data to a location outside of the EEA, ensure that adequate safeguards are in place in compliance with Data Protection Laws; and

4.4.4 provide to Company for review such copies of an agreement with Subprocessors (which may be redacted to remove confidential commercial information not relevant to the requirements of this Addendum) as Company may request from time to time.

4.5 Supplier shall ensure that each of its Affiliates that are Subprocessors performs the obligations under the Addendum as they apply to Processing of Company Personal Data carried out by that Affiliate as if it were a party to this Addendum in place of Supplier.

5. International Transfers 

To the extent that Company has given its consent to the transfer of Company Personal Data by Supplier to a country outside the EEA pursuant to clause 3.1.5, the parties shall ensure that adequate safeguards are in place in compliance with Data Protection Laws. To this end, the parties may agree to enter into the Standard Contractual Clauses.

6. General Terms

6.1 Without prejudice to clauses 7 (Mediation and Jurisdiction) and 9 (Governing Law) of the Standard Contractual Clauses (where applicable), this Addendum and all non-contractual or other obligations arising out of or in connection with it are governed by the laws of the country or territory stipulated for this purpose in the Main Agreement, and the parties hereby submit to the choice of jurisdiction stipulated in the Main Agreement with respect to any disputes or claims howsoever arising under this Addendum.

6.2 Company may:

6.2.1 by at least 30 calendar days' written notice to Supplier from time to time make any variations to the Standard Contractual Clauses (including any Standard Contractual  Clauses entered into under clause 5 of this Agreement above) which are required, as a result of any change in, or decision of a competent authority under, that Data Protection Law, to allow those transfers to be made (or continued to be made) without breach of that Data Protection Law; and 

6.2.2 propose any other variations to this Addendum which Company reasonably considers to be necessary to address the requirements of any Data Protection Laws.

6.3 Neither Company nor Supplier shall require the consent or approval of any of their Affiliates to amend this Addendum.

6.4 Should any provision of this Addendum be invalid or unenforceable, then the remainder of this Addendum shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the parties' intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.

EXHIBIT 2 - DETAILS OF PROCESSING OF COMPANY PERSONAL DATA

This Exhibit 2 includes certain details of the processing of Company Personal Data by the Supplier as required by Article 28(3) of the GDPR.

 

Types of Personal Data

Customer details as follows:

Name

Address

Employment Details

Email Address

Phone Number

Address History

Bank Details

Client(s) Booking Metadata (times, catering and Accommodation)

Proposal Data (Date of Event)

Delegate(s) Data

Accounting Details

IP Address

Vehicle Registration 

Categories of Data Subject

Customers that have a current or past booking proposal or confirmation. An individual that has made inquiries about entering into a contract but never entered into that agreement.

Subject matter and duration of the Processing of Company Personal Data

This is set out in the Main Agreement and in this Addendum.

The nature and purpose of the Processing of Company Personal Data

The processing of the customer personal data is necessary to enable the processor to perform the required checks and enable the customer to book packages and services within the hospitality arena. Managing the customer's booking process and collecting payment. Reporting fraud and complying with legal obligations, improving the services offered to the customer.

The Obligations and rights of Company and its Affiliates

These are set out in the Main Agreement and in this Addendum.


EXHIBIT 3 - STANDARD CONTRACTUAL CLAUSES

[In the interests of brevity, the Standard Contractual Clauses have been omitted from this Exhibit 3. However, should the Standard Contractual Clauses be required by the parties in the event of a cross-border transfer of data outside of the EEA, the Company will provide a copy of such Standard Contractual Clauses for completion and agreement by the parties.

The Standard Contractual Clauses shall be based on the standard contractual clauses for the transfer of personal data from the EEA to third-party countries (controller-to-processor transfer) contained in the annex to the Commission Decision of 5 February 2010, as amended or replaced.]