Data Processing Agreement

  1. Interpretation and Definitions

Capitalised terms used in this Data Processing Agreement and not otherwise defined in the Agreement between Lanterne and the Customer shall have the meaning given to them herein or in the Data Protection Legislation.

“Controller”, “Processor”, “Data Subject”, “Personal Data”, “personal data breach”, “Processing” and “appropriate technical and organisational measures” shall each have the meaning given to it in the Data Protection Legislation.

“Data Subject Request” means a request from a Data Subject to access, correct, amend, transfer, or delete that Data Subject's Personal Data consistent with their rights under the Data Protection Legislation.

"Standard Contractual Clauses" means as applicable (a) the standard contractual clauses available at https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32021D0914&from=EN pursuant to the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of Personal Data to third countries pursuant to the GDPR ("EU SCCs"); and (b) the International Data Transfer Addendum to the EU SCCs issued by the Information Commissioner's Office under S119A(1) of the Data Protection Act available at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf effective from 21 March 2022 ("UK Addendum").

“Sub-processor” means any natural or legal person, public authority, agency, or other body which possesses Personal Data on behalf of a data Controller or a data Processor.

2.        Data Processing Obligations

2.1        This Data Processing Agreement only applies to the Processing of Personal Data by Lanterne on behalf of the Customer pursuant to the Agreement. 

2.2        The Parties acknowledge and agree that for the purposes of the Data Protection Legislation, the Customer is the Data Controller and Lanterne is the Data Processor of the Personal Data and a description of the Personal Data and the Processing activities undertaken by Lanterne is set out in clause 5.

3.        Lanterne’s processing obligations

3.1        To the extent that Lanterne processes any Personal Data on behalf of Customer in connection with the Services, Lanterne shall:

  1. only Process such Personal Data in accordance with the purposes set out in this Agreement and notify Customer immediately if in its opinion the Customer’s instructions infringe applicable law;

  1. maintain a record of its Processing activities under this Agreement in accordance with and to the extent required by Article 30(2) GDPR, and Lanterne shall at any time upon request, deliver up to Customer details of such Processing activities;

  1. ensure that access to any such Personal Data is restricted to those of its personnel who need to have access in order to perform the Services and who are subject to confidentiality obligations in respect of the Personal Data;

  1. notify Customer without undue delay if it suffers a Personal Data Breach or if it receives any Data Subject Request relating to the Personal Data, and shall: (a) not respond to the Data Subject Request without Customer’s prior written consent and in accordance with Customer’s instructions; and (b) provide such assistance as Customer may reasonably require in respect of such Personal Data in order for Customer to comply and respond to the Data Subject Request in accordance with the Data Protection Legislation;

  1. provide reasonable assistance to Customer in inputting into and carrying out data protection impact assessments and, to the extent required under the Data Protection Legislation, prior notification under Article 36 of GDPR; and

  1. ensure that it has implemented appropriate organisational and technical measures in order to comply with its obligations under this paragraph 3, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, including, inter alia, as appropriate:

  1. the pseudonymization and encryption of Personal Data;
  2. the ability to ensure the ongoing confidentiality, integrity, availability and resilience of Processing systems and services;
  3. the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; and
  4. a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the Processing.

3.2        To the extent legally permitted, Customer shall be responsible for any costs arising from Lanterne’s provision of assistance beyond the existing functionality of the Services.

3.3        Lanterne is permitted to engage a Sub-processor to Process any of the Personal Data on Customer’s behalf in connection with the Services. The Customer pre-approves Lanterne’s use of third-party processors for the purposes of fulfilling its obligations. Lanterne shall:

  1. inform Customer prior to the appointment or removal of any such Sub-processor, thereby giving Customer an opportunity to object to the appointment or removal. If Customer objects on reasonable grounds, Lanterne shall either: (i) alter its plans to use the Sub-Processor with respect to Personal Data, or (ii) take corrective steps to remove Customer’s objections. If none of the above options are reasonably available or the issue is not resolved within 30 days of the objection, either party may terminate this Agreement;

  1. ensure that such Sub-processor is subject to a written agreement which imposes on it binding contractual obligations which are equivalent to the terms imposed on Lanterne under this Data Processing Agreement; and

  1. ensure that the Sub-processor’s Processing of such Personal Data terminates upon termination of Lanterne’s right to Process the data,

provided that Lanterne shall be liable for the acts and omissions of such Sub-processors in relation to the Processing of such Personal Data.

3.4        Customer acknowledges that Lanterne and its Sub-Processors may Process Personal Data outside of the EEA or UK in non-adequate countries. Lanterne will abide by the requirements of the Data Protection Legislation regarding the transfer and Processing of Personal Data from the EEA or UK. Lanterne will ensure that transfers of Personal Data to a third country or an international organization that does not ensure an adequate level of protection are subject to appropriate safeguards as described in Article 46 of the GDPR or UK GDPR such as the Standard Contractual Clauses.

3.5        If any Personal Data transfer between the Customer and Lanterne requires execution of the Standard Contractual Clauses to comply with the Data Protection Legislation, the parties shall comply with the Schedule hereto (Standard Contractual Clauses). As applicable, execution of the Agreement includes execution of the Standard Contractual Clauses.

3.6        In the event any replacement Standard Contractual Clauses include a transition period for implementation, Lanterne shall notify the Customer of the date on which such Standard Contractual Clauses shall become effective which in any event shall be prior to the expiration of such transition period.

3.7        Upon termination or expiry of this Agreement, Lanterne shall cease all Processing of any Personal Data Processed on Customer’s behalf under this Agreement and shall, at Customer’s option, return or destroy and delete all such Personal Data.

3.8        In order to demonstrate Lanterne’s compliance with the Data Protection Legislation and the terms of this Data Processing Agreement, Lanterne shall:

  1. provide Customer with such information as Customer reasonably requests from time to time to enable Customer to satisfy itself that Lanterne is complying with its obligations under this Data Processing Agreement and the Data Protection Legislation; and

  1. allow Customer, at Customer’s sole cost and expense, access (on reasonable notice and no more than once a year) to its premises where Personal Data is Processed under this Agreement to allow Customer to audit its compliance with this Data Processing Agreement and the Data Protection Legislation and shall provide reasonable co-operation as requested by Customer in the performance of such audit. The Parties shall agree in advance on the reasonable start date, duration and security and confidentiality controls applicable to such audit.

4.        Obligations of Customer

4.1        Customer shall:

  1. have at all times during the term of this Agreement appropriate technical and organisational measures to ensure a level of security appropriate to the risk to protect any Personal Data;

  1. provide clear and comprehensible written instructions to Lanterne for the processing of Personal Data to be carried out under this Agreement; and

  1. ensure that it has all the necessary licences, permissions, consents and notices in place to enable lawful transfer of Personal Data to Lanterne for the duration and purposes of this Agreement.

5.        Processing Particulars
  1. Data Subjects. The categories of Data Subjects whose Personal Data may be Processed in connection with the Agreement are Customers' end users.
  2. Categories of Personal Data. The categories of Personal Data which may be Processed in connection with the Agreement are Location data.
  3. Special Categories of Personal Data. Special categories of Personal Data, if any, to be Processed in connection with the Agreement are N/A.
  4. Processing Operations. Lanterne will Process the Customer's Personal Data as necessary to perform the services pursuant to the Agreement. Such Processing operations may include the following: collecting, recording, organizing, storing, use, alteration, disclosure, transmission, combining, retrieval, consultation, archiving and/or destruction.
  5. Frequency: Continuous basis.
  6. Duration. Lanterne will Process the Personal Data on the Customer's behalf for the duration of the Agreement.


Schedule

Standard Contractual Clauses


The parties agree that the applicable Standard Contractual Clauses are incorporated into the Data Processing Agreement by reference, as if they had been set out in full, and are populated as follows. Unless expressly stated below, any optional clauses contained within the Standard Contractual Clauses shall not apply.

The following Standard Contractual Clauses shall apply where Personal Data is transferred to a third country (unless the transfer is permitted on the basis of an adequacy decision):

  1. CONTROLLER 🡪 PROCESSOR (Module Two of the Standard Contractual Clauses) if Customer, acting as a Controller, is making a restricted transfer of Personal Data subject to the GDPR and/or the UK GDPR (as applicable) to Lanterne, acting as a Processor;

  1. PROCESSOR 🡪 PROCESSOR (Module Three of the Standard Contractual Clauses) if Customer, acting as a Processor, makes a restricted transfer of Personal Data subject to the GDPR and/or the UK GDPR (as applicable) to Lanterne acting as a Processor; and/or

  1. PROCESSOR 🡪 CONTROLLER (Module Four of the Standard Contractual Clauses) if Lanterne, acting as a Processor, makes a restricted transfer of Personal Data subject to the GDPR and/or the UK GDPR (as applicable) to Customer, acting as a Controller.

UK Addendum

The parties agree that the UK Addendum is incorporated into the Data Processing Agreement by reference, as if it had been set out in full, and is populated and shall be read against the EU SCCs as follows. Unless expressly stated below, any optional clauses contained within the UK Addendum shall not apply.

Start Date

The UK Addendum is effective from the date of Agreement.

  1. Table 1: Parties

Exporter and key contact: As set out in Annex 1 of the Standard Contractual Clauses below.

Importer and key contact: As set out in Annex 1 of the Standard Contractual Clauses below.

  1. Table 2: Selected SCCs, Modules and Clauses

As applicable, Module 2, Module 3 or Module 4 of the EU SCCs as incorporated by reference into the Data Processing Agreement including any supplementary clauses set out within this Schedule 5.

  1. Table 3: Appendix Information

As set out in Annex 1 and Annex 2 of the Standard Contractual Clauses below.

  1. Table 4: Ending this Addendum when the Approved Addendum Changes

In the event the Information Commissioner's Office issues a revised Approved Addendum, in accordance with Section 18 of the UK Addendum which as a direct result of such changes has a substantial, disproportionate and demonstrable increase in: (a) the data importer's direct costs of performing its obligations under the Addendum; and/or (b) the data importer's risk under the Addendum, the data importer may terminate this UK Addendum on reasonable written notice to the data exporter in accordance with Table 4 and paragraph 19 of the UK Addendum.

Supplementary clauses for Module Two and Module Three

Erasure and deletion: For the purposes of Clause 8.5, Section II of Module Two and Module Three of the Standard Contractual Clauses the data importer shall delete the Personal Data in accordance with clause 3.7 of the Data Processing Agreement.

Audit: The parties acknowledge that the data importer complies with its obligations under Clause 8.9, Section II of Module Two and Module Three of the Standard Contractual Clauses by (i) acting in accordance with clause 3.8 of the Data Processing Agreement and (ii) exercising its contractual audit rights it has agreed with its Sub-Processors. For the purposes of Clause 8.9(e), Section II of Module Three of the Standard Contractual Clauses, the data exporter shall ensure the results are provided to the relevant controller(s) on a confidential basis and that the controller(s) have committed themselves to confidentiality in respect of the same.

Notifications: For the purposes of Clause 8, Section II of Module Three of the Standard Contractual Clauses, the data exporter shall use all reasonable endeavours to ensure any instructions provided by the relevant controller(s) are directed via the data exporter. The data exporter shall be responsible for ensuring any notifications provided by the data importer are promptly notified to the relevant controller(s) in order to fulfil the data importer’s notification obligations pursuant to Clause 8.

Sub-Processors: For the purposes of Clause 9, Section II of Module Two and Module Three of the Standard Contractual Clauses, the Parties agree that option 2: general written authorization shall apply and the data importer shall notify the data exporter of any changes in accordance with clause 3.3 of the Data Processing Agreement. For the purposes of Clause 9, Section II of Module Three of the Standard Contractual Clauses, the data importer shall notify the data exporter of any changes to a Sub-Processor and the data exporter shall be responsible for ensuring such notifications are provided to the relevant controller(s) and shall inform the data importer of any objections within the time frames specified. Copies of any Sub-Processor agreements (redacted as appropriate) requested from the data importer shall be provided to the data exporter for onward provision to the relevant controller, as applicable.

Data Subject Rights: For the purposes of Clause 10(a) to (c), Section II of Module Three of the Standard Contractual Clauses, the parties acknowledge that given the nature of the Processing by the data importer it would not be appropriate for the data importer to notify or assist the controller directly in respect of any requests received from a Data Subject.

Transfer impact assessment: For the purposes of Clause 14(c), Section III of Module Two and Module Three of the Standard Contractual Clauses, the data exporter acknowledges a transfer impact assessment is to be made available by the data importer on request which the data exporter accepts as sufficient to fulfil the data importer’s obligations pursuant to Clause 14(c) and 14(a) of the Standard Contractual Clauses.

For the purposes of Clause 14(c), 15.1(b) and 15.2, Section III of Module Two and Module Three of the Standard Contractual Clauses, the parties agree that “best efforts” and the obligations of the data importer under clause 15.2 shall mean exercising the degree of skill and care, diligence, prudence and foresight which would reasonably and ordinarily be expected from a leading practice engaged in a similar type of undertaking under the same or similar circumstances and shall not include actions that would result in civil or criminal penalty such as contempt of court under the laws of the relevant jurisdiction.

Governing law and Jurisdiction: For the purposes of Clause 17 and 18, Section IV of Module Two and Module Three of the EU SCCs, the parties agree that the laws and courts of the Republic of Ireland will apply. For the purpose of the UK Addendum, the parties acknowledge and accept that the laws and courts of England and Wales will apply.

Supplementary clauses for Module Four

Erasure and Deletion: For the purposes of Clause 8.1(d), Section II of Module Four of the Standard Contractual Clauses, the data exporter shall delete the Personal Data in accordance with clause 3.7 of the Data Processing Agreement.

Governing law and Jurisdiction: For the purposes of Clauses 17 and 18, Section IV of Module Four of the EU SCCs and the UK Addendum, the parties agree that the laws and courts of England and Wales will apply.

Annex 1 to the Standard Contractual Clauses (Module Two and Module Three)

  1. Parties

Data exporter: Customer is the data exporter.

Data importer: The data importer is Lanterne.

The parties' contact details are as set out in the Agreement.

  1. Description of Transfer

Data Subjects: As detailed in clause 5 of the Data Processing Agreement.

Categories of data: As detailed in clause 5 of the Data Processing Agreement.

Special categories of data: As detailed in clause 5 of the Data Processing Agreement.

Frequency, duration and retention: As detailed in clause 5 of the Data Processing Agreement.

Nature and purpose of the Processing: As detailed in clause 5 of the Data Processing Agreement.

Sub-Processors: Any sub-processor appointed by the Processor will Process the Personal Data to assist the Processor in providing the services pursuant to the Agreement, as described above for the duration of the Agreement.

  1. Competent supervisory authority

The competent supervisory authority shall be determined in accordance with Clause 11, Section II of Module Two and Module Three of the EU SCCs. In respect of the UK Addendum, the competent supervisory authority shall be read as the Information Commissioner.

Annex 1 to the Standard Contractual Clauses (Module Four)

  1. Parties

Data exporter: Customer is the data exporter.

Data importer: The data importer is Lanterne.

The parties' contact details are as set out in the Agreement.

  1. Description of Transfer

Data Subjects: As detailed in clause 5 of the Data Processing Agreement.

Categories of data: As detailed in clause 5 of the Data Processing Agreement.

Special categories of data: As detailed in clause 5 of the Data Processing Agreement.

Frequency, duration and retention: As detailed in clause 5 of the Data Processing Agreement.

Nature and purpose of the Processing: As detailed in clause 5 of the Data Processing Agreement.

Sub-Processors: Any sub-processor appointed by the Processor will Process the Personal Data to assist the Processor in providing the services pursuant to the Agreement, as described above for the duration of the Agreement.