Data (Sub)Processing Addendum

Last updated: 14 April 2026 (v.2026.1)

Overview

This Data (Sub)Processing Addendum is an addendum ("Addendum") to an agreement (as supplemented, amended and/or modified by the relevant Statement of Work (if any)) ("Agreement") entered into between the Client and Axsuma in respect of certain services ("Services") provided by Axsuma.

This Addendum shall only apply if and to the extent that the UK Data Protection Act 2018 and the UK GDPR applies to any Personal Data processed under the Agreement and we are considered the Data Processor and you are considered the Data Controller in respect of such Personal Data; or we are considered the Sub-Processor and you are considered the Data Processor in respect of such Personal Data, as the case may be.

Any defined term used in this Addendum and not defined herein shall have the meaning as indicated in the Agreement. Any reference to "process" in this Agreement shall, for the purposes of this Addendum, be construed to be a reference to "sub-process" if and to the extent we are considered the Sub-Processor and you are considered the Data Processor in respect of such Personal Data, where applicable and appropriate.

1. Definitions

1.1 In this Addendum:

  • "Data Controller", "Data Processor", "(Data) Sub-Processor", "Data Subject", "Personal Data", "Personal Data Breach" and "Supervisory Authority" shall have the meanings as defined in the Data Protection Legislation;
  • "Data Protection Legislation" means all applicable data protection and privacy legislation and regulation in force from time to time in the UK including without limitation the UK GDPR; the UK Data Protection Act 2018 (and regulations made thereunder); the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426), as amended, any subsequent reenactment, replacement or amendment of such laws, and any national implementing law and binding UK guidance (as applicable) issued by the national supervisory authority responsible for ensuring compliance with applicable data protection legislation;
  • "UK GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act of 2018;
  • "we", "our" or "us" means the Axsuma contracting entity as defined in the Agreement and "you" and "your" refers to you, our Client, or such other entity as defined in the Agreement.

2. Data Processing

2.1 We shall:

  • only carry out processing of any such Personal Data on your documented instructions as set out in the Agreement and as may be communicated by you to us from time to time;
  • take and/or implement appropriate technical and organisational measures against unauthorised or unlawful processing of such Personal Data, and against accidental loss, alteration or destruction of, or damage to, such Personal Data;
  • notify you without undue delay if we become aware of any Personal Data Breach affecting such Personal Data;
  • not modify, amend or alter the contents of such Personal Data other than as necessary for the purposes of performing the Services;
  • not disclose or permit the disclosure of any such Personal Data to a Data Subject unless authorised by you, except as otherwise provided in this Addendum. Any such obligation shall not apply where disclosure is required by law or regulation. In such circumstances we shall reasonably endeavour to provide prior notification to you of such disclosure, unless such notification is itself precluded by law;
  • only use and process such Personal Data in accordance with the terms of this Addendum and in compliance with the provisions of Data Protection Legislation, and only then to the extent necessary for and in connection with the performance of the Services. This shall be without prejudice to clause 2.15;
  • only transfer such Personal Data to countries outside our own, subject to those protections that are required under the Data Protection Legislation;
  • on termination of the Agreement or any earlier termination of our right or obligation to process Personal Data on your behalf, and as otherwise directed by you in respect of such Personal Data, we shall either: (a) destroy the Personal Data and all copies thereof; (b) transfer the Personal Data to you or such other third party as you may direct; or (c) archive the Personal Data subject to agreement on terms of archiving including costs, unless storage or other processing of the Personal Data is required by any laws, regulations and/or internal Axsuma compliance policies we are subject to.

2.2 Clause 2.1.8 shall be without prejudice to our rights when we are the Data Controller in relation to any Personal Data.

2.3 Data Subject Requests

If we receive any complaint, notice or communication which relates directly or indirectly to the processing of such Personal Data (including requests from Data Subjects for the exercising of their statutory rights), we shall notify you without undue delay and provide you with reasonable co-operation and assistance in relation to any such complaint, notice or communication. You shall be responsible for any costs arising from our provision of such assistance.

2.4 Compliance Assistance

We shall provide reasonable assistance to you, having regard to the nature of processing and the information available to us, in order to assist you to comply with your obligations under the Data Protection Legislation (including the notification of a Personal Data Breach to the relevant Supervisory Authority and to the Data Subject(s) affected, and the preparation of data protection impact assessments, where appropriate). You shall be responsible for any costs arising from our provision of such assistance.

2.5 Records and Audits

We shall keep and provide to you on request a record of our use of the Personal Data and processing activities and shall make available to you such information as reasonably necessary (and, subject to the remainder of this clause, allow for and contribute to audits or inspections) to demonstrate compliance with our data processing obligations set out in the Agreement and this Addendum. Any audits would have to be notified to us with no less than 30 days' prior written notice, shall be limited to one per year unless otherwise required by a Supervisory Authority, and you shall be responsible for any costs and expenses arising from our contribution to any such audits or inspections.

2.6 Confidentiality

We shall ensure our employees or other representatives who are authorised to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

2.7 Instruction Compliance

We shall notify you without undue delay if we believe that any instruction provided by you to us is violating the Data Protection Legislation.

2.8 Liability for Your Data

We shall have no liability to you for any loss, damage, costs, expenses or other claims for compensation arising from any Personal Data or instructions supplied by you which are incomplete, incorrect, inaccurate, illegible, out of sequence or in the wrong form, or otherwise not fitting any relevant description or warranty, arising from their late arrival or non-arrival, or any other fault of yours.

2.9 Data Subject Claims

We will not be liable for any claim brought by a Data Subject arising from any action or omission by us to the extent that such action or omission resulted from our fulfilment of your instructions.

2.10 Liability Limits

Our total, aggregate liability under this Addendum shall be subject to the liability provisions included in the Agreement, including our total, aggregate liability under the Agreement.

2.11 Your Warranties

You hereby warrant and undertake that you have obtained all necessary permissions for us to process the Personal Data and that you are entitled to transfer the Personal Data to us for the purposes of us performing the Services in accordance with the Agreement. You further warrant and undertake that you have fully complied with, and shall fully comply with, your obligations under the Data Protection Legislation regarding our processing of the Personal Data.

2.12 Indemnity

You shall defend and indemnify us against all liabilities, costs, expenses, damages and losses (including but not limited to any direct, indirect or consequential losses, loss of profit, loss of reputation and all interest, penalties and legal costs (calculated on a full indemnity basis) and all other reasonable professional costs and expenses) suffered or incurred by us arising out of or in connection with any breach of the warranties contained in clause 2.11.

2.13 Sub-Processors

You specifically authorise all members of Axsuma, and the third parties referred to in Annex 2 to this Addendum, to act as sub-processors in connection with the performance of the Services.

2.14 New Sub-Processors

You hereby also provide your general consent for us to use other sub-processors than those referenced or referred to in clause 2.13 in connection with the performance of the Services, provided that in such case we shall:

  • give you prior notice of any new appointment of any such sub-processor before authorising any such new sub-processor to process Personal Data, such notice to be given no less than thirty (30) days before any sub-processing commences. If you object (such objection to be exercised reasonably) to our use of any such new sub-processor you shall be entitled to terminate your engagement with us upon written notice provided that such notice is given within fourteen (14) days of receipt of our notification of the appointment of the sub-processor, which shall be the extent of your remedies;
  • enter into a written subcontract with such sub-processor to ensure that it only processes the Personal Data in performing the specific obligations required of it under the subcontract and on data processing terms in compliance with the Data Protection Legislation; and
  • remain at all times liable under the terms of the Agreement for all obligations in respect of the Personal Data, including for all acts or omissions of any sub-processor, in accordance with the terms and conditions of this Addendum and the Agreement.

2.15 Our Rights as Data Controller

For the avoidance of doubt, nothing in this engagement shall bind us, or create any obligation to you by us, in respect of our rights as Data Controller in relation to any information collected for the purposes of credit control and/or market research purposes and to inform you about our services and products, legal developments and/or training sessions or events which we believe may be of interest to you. We may share your personal information with business partners and suppliers with whom we may have outsourced certain of our business functions. External organisations may also conduct general audits and quality checks on us and we may share your information with those organisations as part of such audit or check.

2.16 Amendments to Processing

The details in this Addendum (including any annex attached hereto) of the subject matter, duration, nature and purpose of the processing, and the categories of Data Subjects may be updated by the parties' agreement in writing from time to time.

2.17 Precedence

In the event of any contradiction / inconsistency between the terms of this Addendum and any term in the Agreement in respect of any processing of Personal Data, the terms of this Addendum shall prevail.

Questions About Data Processing?

If you have questions about this Data (Sub)Processing Addendum or how we handle your personal data, please contact us.
