Data Processing Agreement
Capitalised terms used in this Data Processing Agreement and not otherwise defined in the Agreement between Lanterne and the Customer shall have the meaning given to herein or in the Data Protection Legislation.
“Controller, Processor, Data Subject, Personal Data, personal data breach, Processing and appropriate technical and organisational measures” shall each have the meaning given to it in the Data Protection Legislation.
“Data Subject Request” means a request from a Data Subject to access, correct, amend, transfer, or delete that Data Subject's Personal Data consistent with their rights under the Data Protection Legislation.
"Standard Contractual Clauses" means as applicable (a) the standard contractual clauses available at https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32021D0914&from=EN pursuant to the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of Personal Data to third countries pursuant to the GDPR ("EU SCCs"); and (b) the International Data Transfer Addendum to the EU SCCs issued by the Information Commissioner's Office under S119A(1) of the Data Protection Act available at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf effective from 21 March 2022 ("UK Addendum").
“Sub-processor” means any natural or legal person, public authority, agency, or other body which possesses Personal Data on behalf of a data Controller or a data Processor.
2. Data Processing Obligations
2.1 This Data Processing Agreement only applies to the Processing of Personal Data by Lanterne on behalf of the Customer pursuant to the Agreement.
2.2 The Parties acknowledge and agree that for the purposes of the Data Protection Legislation, the Customer is the Data Controller and Lanterne is the Data Processor of the Personal Data and a description of the Personal Data and the Processing activities undertaken by Lanterne is set out in clause 5.
provided that Lanterne shall be liable for the acts and omissions of such Sub-processors in relation to the Processing of such Personal Data.
Schedule
Standard Contractual Clauses
The parties agree that the applicable Standard Contractual Clauses are incorporated into the Data Processing Agreement by reference, as if they had been set out in full, and are populated as follows. Unless expressly stated below, any optional clauses contained within the Standard Contractual Clauses shall not apply.
The following Standard Contractual Clauses shall apply where Personal Data is transferred to a third country (unless the transfer is permitted on the basis of an adequacy decision):
UK Addendum
The parties agree that the UK Addendum is incorporated into the Data Processing Agreement by reference, as if it had been set out in full, and is populated and shall be read against the EU SCCs as follows. Unless expressly stated below, any optional clauses contained within the UK Addendum shall not apply.
Start Date
The UK Addendum is effective from the date of Agreement.
Exporter and key contact: As set out in Annex 1 of the Standard Contractual Clauses below.
Importer and key contact: As set out in Annex 1 of the Standard Contractual Clauses below.
As applicable, Module 2, Module 3 or Module 4 of the EU SCCs as incorporated by reference into the Data Processing Agreement including any supplementary clauses set out within this Schedule 5.
As set out in Annex 1 and Annex 2 of the of the Standard Contractual Clauses below.
In the event the Information Commissioner's Office issues a revised Approved Addendum, in accordance with Section 18 of the UK Addendum which as a direct result of such changes has a substantial, disproportionate and demonstrable increase in: (a) the data importer's direct costs of performing its obligations under the Addendum; and/or (b) the data importer's risk under the Addendum, the data importer may terminate this UK Addendum on reasonable written notice to the data exporter in accordance with Table 4 and paragraph 19 of the UK Addendum.
Supplementary clauses for Module Two and Module Three
Erasure and deletion: For the purposes of Clause 8.5, Section II of Module Two and Module Three of the Standard Contractual Clauses the data importer shall delete the Personal Data in accordance with clause 3.7 of the Data Processing Agreement.
Audit: The parties acknowledge that the data importer complies with its obligations under Clause 8.9, Section II of Module Two and Module Three of the Standard Contractual Clauses by (i) acting in accordance with clause 3.8 of the Data Processing Agreement and (ii) exercising its contractual audit rights it has agreed with its Sub-Processors. For the purposes of Clause 8.9(e), Section II of Module Three of the Standard Contractual Clauses, the data exporter shall ensure the results are provided to the relevant controller(s) on a confidential basis and that the controller(s) have committed themselves to confidentiality in respect of the same.
Notifications: For the purposes of Clause 8, Section II of Module Three of the Standard Contractual the data exporter shall use all reasonable endeavours to ensure any instructions provided by the relevant controller(s) are directed via the data exporter. The data exporter shall be responsible for ensuring any notifications provided by the data importer are promptly notified to the relevant controller(s) in order to fulfil the data importer’s notification obligations pursuant to Clause 8.
Sub-Processors: For the purposes of Clause 9, Section II of Module Two and Module Three of the Standard Contractual Clauses, the Parties agree that option 2: general written authorization shall apply and the data importer shall notify the data exporter of any changes in accordance with clause 3.3 of the Data Processing Agreement. For the purposes of Clause 9, Section II of Module Three of the Standard Contractual Clauses, the data importer shall notify the data exporter of any changes to a Sub-Processor and the data exporter shall be responsible for ensuring such notifications are provided to the relevant controller(s) and shall inform the data importer of any objections within the time frames specified. Copies of any Sub-Processor agreements (redacted as appropriate) requested from the data importer shall be provided to the data exporter for onward provision to the relevant controller, as applicable.
Data Subject Rights: For the purposes of Clause 10(a) to (c) Section II of Module Three of the Standard Contractual Clauses, the parties acknowledge that given the nature of the Processing by the data importer it would not be appropriate for the data importer to notify or assist the controller directly in respect of any requests received from a Data Subject.
Transfer impact assessment: For the purposes of Clause 14(c), Section III of Module Two and Module Three of the Standard Contractual Clauses, the data exporter acknowledges a transfer impact assessment is to be made available by the data importer on request which the data exporter accepts as sufficient to fulfil the data importer’s obligations pursuant to Clause 14(c) and 14(a) of the Standard Contractual Clauses.
For the purposes of Clause 14(c), 15.1(b) and 15.2, Section III of Module Two and Module Three of the Standard Contractual Clauses, the parties agree that “best efforts” and the obligations of the data importer under clause 15.2 shall mean exercising the degree of skill and care, diligence, prudence and foresight which would reasonably and ordinarily be expected from a leading practice engaged in a similar type of undertaking under the same or similar circumstances and shall not include actions that would result in civil or criminal penalty such as contempt of court under the laws of the relevant jurisdiction.
Governing law and Jurisdiction: For the purposes of Clause 17 and 18, Section IV of Module Two and Module Three of the EU SCCs, the parties agree that the laws and courts of the Republic of Ireland will apply. For the purpose of the UK Addendum, the parties acknowledge and accept that the laws and courts of England and Wales will apply.
Supplementary clauses for Module Four
Erasure and Deletion: For the purposes of Clause 8.1(d), Section II of Module Four of the Standard Contractual Clauses, the data exporter shall delete the Personal Data in accordance with clause 3.7 of the Data Processing Agreement.
Governing law and Jurisdiction: For the purposes of Clauses 17 and 18, Section IV of Module Four of the EU SCCs and the UK Addendum, the parties agree that the laws and courts of England and Wales will apply.
Annex 1 to the Standard Contractual Clauses (Module Two and Module Three)
Data exporter: Customer is the data exporter.
Data importer: The data importer is Lanterne.
The parties contact details are as set out in the Agreement.
Data Subjects: As detailed in clause 5 of the Data Processing Agreement.
Categories of data: As detailed in clause 5 of the Data Processing Agreement.
Special categories of data: As detailed in clause 5 of the Data Processing Agreement.
Frequency, duration and retention: As detailed in clause 5 of the Data Processing Agreement.
Nature and purpose of the Processing: As detailed in clause 5 of the Data Processing Agreement.
Sub-Processors: Any sub-processor appointed by the Processor will Process the Personal Data to assist the Processor in providing the services pursuant to the Agreement, as described above for the duration of the Agreement.
The competent supervisory authority shall be determined in accordance with Clause 11, Section II of Module Two and Module Three of the EU SCCs. In respect of the UK Addendum, the competent supervisory shall be read as the Information Commissioner.
Annex 1 to the Standard Contractual Clauses (Module Four)
Data exporter: Customer is the data exporter.
Data importer: The data importer is Lanterne.
The parties contact details are as set out in the Agreement.
Data Subjects: As detailed in clause 5 of the Data Processing Agreement.
Categories of data: As detailed in clause 5 of the Data Processing Agreement.
Special categories of data: As detailed in clause 5 of the Data Processing Agreement.
Frequency, duration and retention: As detailed in clause 5 of the Data Processing Agreement.
Nature and purpose of the Processing: As detailed in clause 5 of the Data Processing Agreement.
Sub-Processors: Any sub-processor appointed by the Processor will Process the Personal Data to assist the Processor in providing the services pursuant to the Agreement, as described above for the duration of the Agreement.
|