Data Processing Agreement
Background, Purpose & Definitions
The Parties to this Data Processing Agreement are defined in Annex 1. This Data Processing Agreement governs each Party’s rights and obligations, in order to ensure that all processing of personal data is conducted in compliance with applicable data protection legislation, including EU Regulation 2016/679 (“GDPR”) and its applicable national implementation from its effective date.
Processor will process personal data in order to deliver services under the Agreement, as specified in Annex 1. The ultimate recipient of the services will be UK Hub Data Exchange ltd (UKDE) or companies entitled to use the UK Hub Service. UKDE’s terms regarding processing of personal data are published on this website.
To the extent this Data Processing Agreement refers to documents published on this website, they shall be considered an integrated part of the Data Processing Agreement. UKDE may make changes to the documents published on this website on at least 30 days’ prior notice. UKDE shall involve both the Controller and/or the Processor when making changes to documents which may affect delivery of the Processor’s services.
The subject-matter, nature and purpose of the processing, the types of personal data and the categories of data subjects involved are specified in Annex 1.
When this Data Processing Agreement is used in delivery of services by a data processor’s sub-contractor (or further down the contractor chain), the term Controller will refer to the data processor and the term Processor to the data processor’s sub-contractor.
The terms “personal data”, “sensitive personal data”, “processing”, “controller”, “processor”, “data subject” etc. used herein shall have the meaning assigned to them in applicable European data privacy legislation.
Obligations of the controller
The Processor’s undertakings
The Processor shall comply with all provisions for protection of personal data set out in this Data Processing Agreement and in applicable data protection legislation.
The Processor shall comply with the instructions and routines issued by the Controller in relation to the processing of personal data. The Processor shall immediately notify the Controller if the Processor is of the opinion that an instruction from the Controller is in violation of any applicable data protection regulation.
Restrictions On Use
- Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Processor shall implement planned, systematic and appropriate technical and organisational measures to ensure a level of security appropriate to the risk with regard to the confidentiality, integrity and accessibility of the processing of personal data.
- A detailed description of the Processor’s information security measures shall be made available to the Controller upon request.
Requests from the data subjects
- Taking into account the nature of the processing, the Processor shall implement appropriate technical and organisational measures in order to support the Controller’s obligation to facilitate exercise of the rights of the data subjects pursuant to GDPR chapter 3.
Assistance to the Controller
- The Processor shall by appropriate technical and organisational measures reasonably assist the Controller with the Controller’s:
- Compliance with, and documentation of compliance with, applicable data protection legislation.
- Obligation to implement technical and organisational measures.
- Obligation to conduct data protection impact assessments.
- Obligation to conduct prior consultations with applicable data protection authorities.
- Assistance as set out above shall be carried out to the extent necessary, taking into account the Controller’s need, the nature of the processing and the information available to the Controller.
- The Processor may claim compensation for its assistance to the Controller if and as set out in the Agreement.
Incident and personal data breach notifications
- Any processing of personal data in violation of established routines, instructions from the Controller or applicable data protection legislation, as well as any security breaches, shall be treated as an incident.
- The Processor shall have in place technical and organisational measures to follow up incidents, which shall include re-establishing the normal state of affairs, eliminating the cause of the incident and preventing its re-occurrence.
- The Processor shall without undue delay after becoming aware of the incident notify the Controller of:
- Any breach of this Data Processing Agreement.
- Accidental, unlawful or unauthorised access to, use or disclosure of personal data;
- That the personal data may have been compromised; or
- A breach of the integrity of the personal data.
- The Processor shall provide the Controller with all information and assistance necessary to enable the Controller to comply with applicable data protection legislation and to answer any inquiries from the applicable data protection authorities and/or the data subjects. The Controller is the party responsible for notifying the applicable data protection authority of incidents in accordance with applicable law.
- The Processor shall make available all information necessary to demonstrate compliance with the obligations laid down in this Data Processing Agreement and allow for and contribute to audits, including inspections, conducted by the Controller or third party auditor mandated by the Controller.
- The Controller shall cover the costs for engaging its third party auditor. The Processor shall be entitled to claim compensation for assisting the Controller or the third party auditor in accordance with the compensation provisions of this section.
- The Processor shall keep confidential all personal data and other confidential information provided to it under the Agreement or this Data Processing Agreement. The Processor shall ensure that each member of its staff, whether employed or hired, having access to or being involved with the processing of personal data under the Agreement undertakes a duty of confidentiality and is informed of and complies with the obligations of this Data Processing Agreement. The duty of confidentiality shall also apply after termination of the Agreement or this Data Processing Agreement.
- The Controller has the right to demand security audits performed by an independent third party. The Processor shall allow for and contribute to the performance of security audits by a third party engaged by the Controller. The third party auditor shall provide a report of the security audit to both Parties.
- The Controller shall cover the costs for engaging its third party auditor. The Processor shall be entitled to claim compensation for assisting the Controller’s third party auditor in accordance with the compensation provisions of this section.
- The Controller is entitled to submit audit reports to the applicable data protection authority and other third parties who are entitled to view the report.
Use of subcontractors
- Any use of subcontractors by the Processor for directly executing services related to processing of personal data shall be subject to prior acceptance by the Controller. Any other legal entity which conducts processing of personal data on behalf of the Processor pursuant to this Data Processing Agreement shall be construed as a subcontractor. This applies regardless of whether the subcontractor is partly or fully owned by the Processor, by the same parent as the Processor, or is organised within the same company group as the Processor.
- The Controller accepts the Processor’s use of the subcontractors specified in Annex 1.
- The Processor shall, by written agreement with its subcontractors, ensure that any processing of personal data carried out by a subcontractor is subjected to the same obligations and limitations as those imposed on the Processor pursuant to this Data Processing Agreement.
- The Processor may use the standard EPIM Data Processor Agreement towards subcontractors.
- If the Processor makes any changes to the standard EPIM Data Processor Agreement, such changes shall be clearly marked with “track changes” or a similar function. When using subcontractors in third countries, cf. below, the Processor shall ensure that the conditions for transfer of personal data to third countries are met.
- If the Processor plans to change an existing or add a new subcontractor, it shall notify the Controller in writing 3 months prior to any processing by the new subcontractor. The Controller is entitled to object to the change of subcontractors by providing written notification within 4 weeks from receipt of the written notification. To the extent the Controller does not notify the Processor otherwise, the change of subcontractors shall be deemed as accepted.
Transfer of personal data to third countries
- The Processor’s use of subcontractors outside the EU/EEA for processing of personal data on its behalf shall be in accordance with the European Commission’s adequacy decisions, the EU-US Privacy Shield Framework, the EU Standard Contractual Clauses for transfer to third countries, or another specifically stated lawful basis for the transfer of personal data to a third country. The same applies when personal data is stored within the EU/EEA but may be accessed from outside the EU/EEA by the subcontractor.
- If transfer to – or access from – a third country will be based on Standard Contractual Clauses, the Controller hereby grants the Processor a power of attorney to enter into Standard Contractual Clauses on behalf of the Controller.
- In the event of breach of this Data Processing Agreement, or a breach of obligations according to applicable law on processing of personal data, the relevant provisions regarding breach in the Agreement shall apply.
- Claims from one Party due to the other Party’s non-compliance with the Data Processing Agreement shall be subject to the same limitations as in the Agreement. In assessing whether the limitation in the Agreement has been reached, claims under this Data Processing Agreement and the Agreement shall be viewed in conjunction, and the limitation in the Agreement shall be viewed as a total limitation. The Controller may act on behalf of the ultimate data controller (EPIM or EPIM’s customer) in handling a claim by the ultimate data controller against the Processor.
- The Processor shall notify the Controller without undue delay if it will or has reason to believe it will be unable to comply with any of its obligations under this Data Processing Agreement.
Terms and termination of this data processing agreement
- This Data Processing Agreement shall be effective from the date it is signed by both Parties and until the Agreement expires or until the Processor’s obligations in relation to the delivery of services in accordance with the Agreement are otherwise terminated, except for those provisions in the Agreement and the Data Processing Agreement that shall continue to apply after termination.
- Any provisions of the Agreement with regards to deletion of data upon termination of the Agreement shall apply for this Data Processing Agreement. If no such provisions are specified in the Agreement, the following shall apply upon termination of this Data Processing Agreement:
- The personal data and all other data belonging to the Controller shall be returned in a standardised format and medium along with the necessary instructions to facilitate the Controller’s further use of the personal data and other data. The Processor shall first return and subsequently delete all remaining personal data and other data belonging to the Controller. The Processor (and its subcontractors) shall immediately stop the processing of personal data from the date stipulated by the Controller.
- As an alternative to returning the personal data (or other data), the Controller may at its sole discretion instruct the Processor in writing that all or parts of the personal data (or other data) shall be deleted by the Processor, unless the Processor is prevented by statutory law from deleting the personal data.
- The Processor is not entitled to retain any copies of any personal data and/or other data provided by the Controller in relation to the Agreement or this Data Processing Agreement in any format. All physical and logical access to such personal data or other data shall be deleted or removed.
- The Processor shall at its own initiative provide the Controller with a written declaration whereby the Processor warrants that all personal data or other data mentioned above have been returned or deleted according to the Controller’s instructions and that the Processor has not kept any copies or prints, or kept the data on any medium.
- The obligations pursuant to the above sections shall continue to apply after termination. Further, the provisions of the Data Processing Agreement shall apply in full to any personal data retained by the Processor in violation of the Data Processing Agreement and/or the Agreement.
Dispute & Jurisdiction
- The dispute resolution and jurisdiction provisions of the Agreement shall apply to the Data Processing Agreement.
- The Parties may add custom provisions to the Data Processing Agreement in Annex 2.
Annex 1 – Specification of processing of personal data
- The parties (individually referred to as “Party” and jointly referred to as “the Parties”) to this Data Processing Agreement are as set out below and in the corresponding Agreement.
- Data Controller
- The Data Controller is [Company name] (“Controller”).
- Company organisation number:
- Company contact person and contact details shall be specified in the Agreement.
- Data Processor
- The Data Processor is [Company name] (“Processor”).
- Company organisation number:
- Company contact person and contact details shall be specified in the Agreement.
Categories of Data
Purpose of the data processing
Annex 2 – Additional Provisions
[The Parties may add custom provisions to the Data Processing Agreement in this Annex 2.]