Data Protection

Definitions

1. This Data Protection Schedule applies when Dendra is Processing Customer Personal Data as part of the Services being provided to the Customer under the Agreement.

2. In this Data Protection Schedule, the following terms shall have the meanings set out below in addition to the defined terms set out in the Terms of Service:

Applicable Data Protection Laws: means (i) the UK retained law version of the General Data Protection Regulation ((EU) 2016/679) (GDPR) and any national implementing laws, regulations and secondary legislation (‘UKGDPR’), (ii) the Data Protection Act 2018 including any future replacement legislation in the UK; and/or (iii) any laws relating to data protection or privacy which apply to Dendra.

Applicable Laws: means the laws of England and Wales or of any member of the European Union or the laws of the European Union or any other country which are applicable to Dendra or a Subprocessor in processing Personal Data.

Customer Personal Data: means any Personal Data Processed by Dendra on behalf of the Customer in connection with the Agreement.

EEA: means the European Economic Area.

Subprocessor: means any person (including any third party and any Dendra Affiliate but excluding an employee of Dendra) appointed by or on behalf of Dendra or any Dendra Affiliate to Process Personal Data on behalf of the Customer in connection with the Agreement.

Dendra Affiliate: means any person (including any third party and any Dendra Affiliate but excluding an employee of Dendra) appointed by or on behalf of Dendra or any Dendra Affiliate to Process Personal Data on behalf of the Customer in connection with the Agreement.

3. The terms "Data Controller", "Data Subject", "Personal Data", "Personal Data Breach", and "Processing" shall have the same meaning as in the Applicable Data Protection Laws. The word "include" shall be construed to mean include without limitation.

Processing of Customer Personal Data

4. Dendra shall i) comply with all Applicable Data Protection Laws in the processing of Customer Personal Data; ii) not process Customer Personal Data other than on the Customer’s documented instructions unless Processing is required by Applicable Data Protection Laws, in which case Dendra shall to the extent permitted by Applicable Data Protection Laws inform the Customer of that legal requirement before the relevant Processing of that Personal Data; iii) notify the Customer as soon as reasonably possible in the event that the Customer’s instructions, in Dendra’s opinion, contravene any Applicable Data Protection Laws; and iv) ensure that any transfer of Customer Personal Data out of the EEA and the UK is carried out in accordance with Applicable Data Protection Laws and using a lawful transfer mechanism.

5. The Customer, as necessary for the provision of the Services and subject to the Agreement, instructs Dendra by this express written confirmation, to i) process Customer Personal Data (and hereby authorises Dendra to instruct each Subprocessor to do the same) at the agreed geographic location(s); and ii) transfer Customer Personal Data to Subprocessors and Dendra Affiliates based outside of the EEA, subject to the condition that any such transfer is in full compliance with the GDPR and Applicable Data Protection Laws on the basis of the ICO’s International Data Transfer Agreement, the Standard Contractual Clauses or some other lawful mechanism.

6. The Customer shall ensure that any instructions it gives to Dendra in relation to the Customer Personal Data shall be lawful. Dendra shall inform the Customer as soon as reasonably practicable if it believes any instruction given by the Customer to be in breach of Applicable Laws.

7. In relation to the Customer Personal Data i) the Customer will ensure that (where it acts as a Data Controller in respect of Personal Data) it has all necessary consents, processes and notices in place to enable the lawful transfer of the Personal Data to Dendra for the duration and purposes of the Agreement; ii) the subject matter of the Processing is the use of the Services by the Customer and the Users; iii) the duration of the Processing is the duration of the Agreement plus any retention periods set out in the Agreement; iv) the nature and purpose of the Processing is to enable Dendra to provide and the Customer to receive the Services; v) the types of Personal Data to be Processed may include names, business email addresses and business phone numbers; and vi) the categories of Data Subject are employees and agents of the Customer.


Dendra Personnel

8. Dendra shall take reasonable steps to ensure the reliability of their respective employees, agents or contractors who may have access to the Customer Personal Data, ensuring in each case that access is limited to those individuals who need to know/access the relevant Customer Personal Data, as necessary for the purposes of the Agreement, and that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.

Security

9. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Dendra shall in relation to the Customer Personal Data implement appropriate technical and organisational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR. Dendra’s technical and organisational measures are set out in Dendra’s Information Security Management Toolkit.

Subprocessing

10. The Customer authorises Dendra to appoint (and permit each Subprocessor appointed in accordance with paragraphs 11-13 to appoint) Subprocessors in accordance with paragraphs 11-13.

11. Dendra shall inform Customer of the appointment of any new Subprocessor. If, within 14 days of publication of that information, the Customer notifies Dendra in writing of any objections (on reasonable grounds) to the proposed appointment, Dendra shall take reasonable steps to address the objections raised by the Customer and shall provide the Customer with a reasonable written explanation of the steps taken. If the Customer remains dissatisfied with such explanation, then the Customer shall be entitled to terminate the Agreement (including any Order Form(s)) with immediate effect.

12. With respect to each Subprocessor, Dendra shall i) ensure that the arrangement between, on the one hand, Dendra or the relevant intermediate Subprocessor and, on the other hand, the Subprocessor, is governed by a written contract including terms which offer at least the same level of protection for Customer Personal Data as those set out in the Agreement; ii) provide to Customer for review such copies of the Contracted Processors' agreements with Subprocessors (which may be redacted to remove confidential commercial information not relevant to the requirements of this Schedule) as Customer may request from time to time; and iii) remain fully liable to the Customer for any breach or non-compliance directly caused by the performance of the Subprocessor.

13. Dendra shall ensure that each Subprocessor performs the obligations under the written contract referred to in paragraph 12.


Data Subject Rights

14. Taking into account the nature of the Processing, Dendra shall implement appropriate technical and organisational measures to aid the fulfilment of the Customer’s obligations as a Data Controller to respond to requests to exercise Data Subject rights under Applicable Data Protection Laws. Dendra’s technical and organisational measures are set out in Dendra’s Information Security Management Toolkit.

15. Dendra shall i) promptly notify the Customer if it receives a request from a Data Subject under the Applicable Data Protection Laws in respect of Customer Personal Data; and ii) ensure that Dendra and any Subprocessor do not respond to that request except on the documented instructions of Customer or as required by Applicable Laws, in which case Dendra shall to the extent permitted by Applicable Laws inform Customer of that legal requirement before Dendra or the Subprocessor responds to the request.

Personal Data Breach

16. Dendra shall notify Customer promptly, and without undue delay, upon Dendra becoming aware of a Personal Data Breach affecting Customer Personal Data, providing Customer with sufficient information to allow the Customer to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Applicable Data Protection Laws.

17. Dendra shall co-operate with Customer and take such reasonable commercial steps as are directed by Customer to assist in the investigation, mitigation and remediation of each such Personal Data Breach.

Data Protection Impact Assessment and Prior Consultation

18. Dendra shall provide reasonable assistance to the Customer with any data protection impact assessments, and prior consultations with Supervising Authorities or other competent data privacy authorities, which Customer reasonably considers to be required of the Customer by article 35 or 36 of the GDPR or equivalent provisions of any other Applicable Data Protection Law, in each case solely in relation to Processing of Customer Personal Data by, and taking into account the nature of the Processing and information available to, Dendra.

Deletion or Return of Customer Personal Data

19. Subject to paragraphs 20 and 21, Dendra shall promptly and in any event within 90 days of the date of cessation of any Services involving the Processing of Customer Personal Data (the "Cessation Date"), delete and procure the deletion of all copies of those Customer Personal Data.

20. Subject to paragraph 19, Customer may in its absolute discretion by written notice to Dendra within 30 days of the Cessation Date request that Dendra (a) return a complete copy of all Customer Personal Data to Customer by secure file transfer in a commonly used format; and (b) delete and procure the deletion of all other copies of Customer Personal Data Processed by Dendra. Dendra shall comply with any such written request within 45 days.
