General Data Protection Regulation - Data Processing Addendum

Data Processing Addendum




In this Addendum:


"Data Controller", "Data Processor", "Data Subject" and "Personal Data" shall have the meanings as defined in the Data Protection Legislation;


"Data Protection Legislation" means all legislation and regulatory requirements in force from time to time relating to the use of personal data and the privacy of electronic communications applicable to the Services and/or your use of the portal; and


"you" means as defined in the agreement to which this an addendum;



"Services" means as defined in the agreement to which this an addendum;



"we", "our" or "us" means as defined in the agreement to which this an addendum.


Data processing


To the extent that we process any Personal Data on your behalf while performing the Services, the parties agree that we shall do so as a Data Processor and that you shall be the Data Controller and in any such case we shall:


maintain at all times an appropriate notification under the Data Protection Legislation (where required);


only carry out processing of any such Personal Data on your documented instructions from time to time;


take and/or implement appropriate technical and organisational measures against unauthorised or unlawful processing of such Personal Data, and against accidental loss, alteration or destruction of, or damage to, such Personal Data, and ensure the security of such data at all times;


notify you without undue delay of any security breach affecting any Personal Data;


not modify, amend or alter the contents of such Personal Data other than as reasonably necessary for the purposes of performing the Services;


not disclose or permit the disclosure of any such Personal Data to a Data Subject unless authorised by you. This obligation shall not apply where disclosure is required by law or regulation. In such circumstances we shall provide prior notification to you of such disclosure, unless such notification is itself precluded by law;


only use and process such Personal Data in accordance with the terms of this contract and in compliance with the provisions of the Data Protection Legislation, and only then to the extent absolutely necessary for and in connection with the performance of the Services. This shall be without prejudice to clause 2.13;


where relevant, applicable and appropriate, only transfer such personal data to countries outside the European Economic Area subject to appropriate protections, such as standard data protection clauses approved by the European Commission;


on termination of the agreement to this is an addendum or any earlier termination of our right or obligation to process Personal Data on your behalf, and as otherwise directed by you in respect of such Personal Data, we shall either:


destroy the Personal Data and all copies thereof;


transfer the Personal Data to you or such other third party as you may direct; or


archive the Personal Data subject to agreement on terms of archiving including costs,

unless storage or other processing of the Personal Data is required by applicable laws, regulations or our internal compliance policies.


Clause 2.1(i) shall be without prejudice to our rights when we are the Data Controller in relation to the Personal Data.


If we receive any complaint, notice or communication which relates directly or indirectly to the processing of Personal Data or to compliance by us or you with the Data Protection Legislation (including requests from Data Subjects for the exercising of their statutory rights), we shall promptly notify you and shall provide you with full co-operation and assistance in relation to any such complaint, notice or communication. You shall be responsible for any costs arising from our provision of such assistance.


We shall provide reasonable assistance to you, having regard to the nature of processing and the information available to us in order to assist you to comply with your obligations under the Data Protection Legislation. You shall be responsible for any costs arising from our provision of such assistance


We shall keep and provide to you on request a record of our use of the Personal Data and processing activities and shall make available to you such information reasonably necessary (and allow for and contribute to audits or inspections) to demonstrate compliance with our data processing obligations set out in this Addendum. You shall be responsible for any costs arising from our contribution to any such audits or inspections, which shall be limited to one per year unless otherwise required by a supervisory authority.


We shall ensure our employees or other representatives who are authorised to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.


We shall have no liability to you for any loss, damage, costs, expenses or other claims for compensation arising from any Personal Data or instructions supplied by you which are incomplete, incorrect, inaccurate, illegible, out of sequence or in the wrong form, or otherwise not fitting any relevant description or warranty, arising from their late arrival or non-arrival, or any other fault of yours.


We will not be liable for any claim brought by a Data Subject arising from any action or omission by us to the extent that such action or omission resulted from our fulfilment of your instructions.


You hereby warrant and undertake that you have obtained all necessary permissions for us to process the Personal Data and that you are entitled to transfer the Personal Data to us for the purposes of us performing the Services in accordance with this contract. You further warrant and undertake that you have fully complied with your obligations under the Data Protection Legislation regarding our processing of the Personal Data.


You shall indemnify us against all liabilities, costs, expenses, damages and losses (including but not limited to any direct, indirect or consequential losses, loss of profit, loss of reputation and all interest, penalties and legal costs (calculated on a full indemnity basis) and all other reasonable professional costs and expenses) suffered or incurred by us arising out of or in connection with any breach of the warranties contained in clause 2.9.


You specifically authorise all Vistra Group companies and any third parties to act as sub-processors in connection with the performance of the Services.


You hereby authorise us to engage third parties to process the Personal Data on our behalf in connection with the performance of the Services provided that we:


give you prior notice of any new appointment of any such sub-processor before authorising any such new sub-processor to process Personal Data, such notice to be given no less than thirty (30) days before any sub-processing commences. If you object (such objection to be exercised reasonably) to our use of a new sub-processor you shall be entitled to terminate the contract upon written notice provided that such notice is given within fourteen (14) days of receipt of our notification of the appointment of the sub-processor, which shall be the extent of your remedies;


enter into a written subcontract with such third party to ensure that it only processes the Personal Data in performing the specific obligations required of it under the subcontract and on data processing terms no less onerous than those which bind us under the contract (in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of the Data Protection Legislation); and


remain at all times liable under the terms of this Addendum (subject however to the terms of the agreement to which this is an agreement) for all obligations in respect of the Personal Data, including for all acts or omissions of any third party sub-processor, subject in any event to any limitation of liability clauses set out in the contract.


For the avoidance of doubt nothing in this Addendum shall bind us, or create any obligation to you by us, in respect of our rights as Data Controller in relation to any information collected for the purposes of credit control and market research purposes and to inform you about our services and products, legal developments and training sessions or events which we believe may be of interest to you. We may share your personal information with other companies in our group for any of the above purposes. We may also share your information with business partners and suppliers with whom we may have outsourced certain of our business functions. External organisations may also conduct general audits and quality checks on us and we may share your information with those organisations as part of such audit or check.


We reserve the right to make changes to this Data Processing Addendum from time to time.


In the event of any contradiction / inconsistency between the terms of this Addendum and any term in the agreement to which this is an addendum, in respect of any processing of Personal Data the terms of this Addendum shall prevail.

Schedule 1 - Processing of Data

Type of data that may be processed

Personal data provided to us in relation to the Company or its beneficial owners, including personal data provided directly to us by a data subject or third party. The personal data processed under our contract may include (depending upon the scope of the Services provided):

  • name and contact information such as home or business address, job title, email address and telephone number;
  • biographical information including date of birth, tax identification number and passport number or national identity card details, country of domicile and/or nationality
  • information relating to financial situation such as income, expenditure, assets and liabilities, sources of wealth, as well as bank account details;
  • an understanding of the goals and objectives in procuring our Services;
  • information about employment, education, family or personal circumstances, and interests, where relevant; and
  • information to assess whether a person may represent a politically exposed person or money laundering risk.

Categories of data subject whose data may be processed

Personal data related to individuals associated with the Company (including its past, current and future shareholders, beneficial owners (including people with significant control), directors, officers, employees, professional advisers, agents and contractors).

Nature and purpose of processing

Such processing as is necessary to:

  • enable us to provide the Services to you;
  • comply with our obligations and exercise our rights under our contract with you, including the collection, recording, organisation, use, disclosure, restriction, erasure or destruction of data; and
  • enable third party contractors who we use to provide the Services or part of the Services to carry out their functions

Duration of processing

The period of our contract and the longer of such additional period as is specified in the terms of the contract regarding data retention, is required in relation to any limitation period for contractual claims or is required for compliance with the law.