1.1. In this Data Processing Addendum:
1.1.1. Terms such as “process/processing”, “data subject”, “processor”, “controller”, “personal data”, “personal data breach” and “data protection impact assessment” shall have the same meaning ascribed to them in Data Protection Laws;
1.1.2. “Authorised Sub-processors” means (a) those Sub-processors (if any) set out in the Annex to this Data Processing Addendum (Authorised Sub-processors); and (b) any additional Sub-processors consented to in writing by the Controller in accordance with section 6.1;
1.1.3. “EEA” means the UK or the European Economic Area;
1.1.4. “GDPR” means Regulation (EU) 2016/679 (General Data Protection Regulation);
1.1.5. “Sub-processor” means any data processor (including an affiliate of Shepper) appointed by Shepper to process personal data on behalf of the Controller.
2.1. This Data Processing Addendum shall apply where, in the course of providing the Service, Shepper processes any Personal Data as processor on the Customer’s behalf.
3.1. The subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects are set out in the Annex to this Data Processing Addendum.
3.2. The Customer warrants that it has all necessary rights to provide the Personal Data to Shepper for the purposes of the performance of the Service.
4.1. Shepper shall treat all Personal Data as strictly confidential and shall inform all its employees, agents, contractors and/or Authorized Sub-processors engaged in processing the Personal Data of the confidential nature of such Personal Data.
4.2. Shepper shall take reasonable steps to ensure the reliability of any employee, agent, contractor and Authorized Sub-processor who may have access to the Personal Data, ensuring in each case that access is limited to those persons or parties who need to access the relevant Personal Data, as necessary for the purposes of the performance of this Agreement in the context of that person’s or party’s duties to Shepper.
4.3. Shepper shall ensure that all such persons or parties involved in the processing of Personal Data:
4.3.1. are subject to confidentiality undertakings or are under an appropriate statutory obligation of confidentiality; and
4.3.2. have undergone adequate training in the use, care, protection and handling of Personal Data.
5.1. Shepper shall implement appropriate technical and organisational measures to ensure a level of security of the Personal Data appropriate to the risks that are presented by the processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data transmitted, stored or otherwise processed, and shall take all measures required pursuant to Article 32 GDPR.
6.1. Subject to section 6.3, the Customer provides its general authorisation to Shepper to engage any Sub-processor selected by Shepper.
6.2. As at the date of this Data Processing Addendum, Shepper has engaged those Sub-processors set out in the Annex to this Data Processing Addendum (Authorised Sub-processors). Shepper shall give the Customer not less than thirty (30) days’ prior written notice of any intended change concerning the addition or replacement of a Sub-processor, thereby giving the Customer the opportunity to object to such changes. Each such notice shall include details of the processing activities to be undertaken by the additional or replacement Sub-processor and the identity and location of the Sub-processor.
6.3. With respect to each Sub-processor, Shepper shall:
6.3.1. carry out adequate due diligence on each Sub-processor to ensure that it is capable of providing the level of protection for the Personal Data as is required by this Data Processing Addendum including without limitation sufficient guarantees to implement appropriate technical and organisational measures in such a manner that Processing will meet the requirements of Data Protection Laws and this Data Processing Addendum;
6.3.2. include terms in the contract between Shepper and each Sub-processor which are equivalent to those set out in this Data Processing Addendum, and shall supervise compliance thereof;
6.3.3. remain fully liable to the Customer for any failure by each Sub-processor to fulfil its obligations in relation to the Processing of any Personal Data.
7. DATA SUBJECT RIGHTS
7.1. Shepper shall without undue delay notify the Customer if it receives a request from a data subject under any Data Protection Laws in respect of Personal Data, including requests by a data subject to exercise rights in Chapter III of GDPR, and shall provide full details of that request.
7.2. Shepper shall co operate as reasonably requested by the Customer to enable the Customer to comply with any exercise of rights by a data subject under any Data Protection Laws in respect of Personal Data and to comply with any assessment, enquiry, notice or investigation under any Data Protection Laws in respect of Personal Data or this Agreement.
8. INCIDENT MANAGEMENT
8.1. In the case of a Personal Data Breach, Shepper shall without undue delay notify the Personal Data Breach to the Customer providing the Customer with sufficient information which allows the Customer to meet any obligations to report a Personal Data Breach under Data Protection Laws.
9. DATA PROTECTION IMPACT ASSESSMENT AND PRIOR CONSULTATION
9.1. Shepper shall, at the Customer’s request, provide reasonable assistance to the Customer with any data protection impact assessments which are required under Article 35 GDPR and with any prior consultations to any Supervisory Authority of the Customer or any of its affiliates which are required under Article 36 GDPR, in each case in relation to processing of Personal Data by Shepper on behalf of the Customer and taking into account the nature of the processing and information available to Shepper.
10. DELETION OR RETURN OF CONTROLLER PERSONAL DATA
10.1. Shepper shall promptly and in any event within 90 (ninety) calendar days of the earlier of: (i) cessation of processing of Personal Data by Shepper; or (ii) termination of this Agreement, at the choice of the Customer either:
10.1.1. return a complete copy of all Personal Data to the Customer by secure file transfer in such format as notified by the Customer to Shepper and securely wipe all other copies of Personal Data processed by Shepper or any Authorised Sub-processor; or
10.1.2. securely wipe all copies of Personal Data processed by Shepper or any Authorised Sub-processor,
and in each case provide written certification to the Customer that it has complied fully with this section 10.
11. AUDIT RIGHTS
11.1. Shepper shall make available to the Customer on request all information necessary to demonstrate compliance with this Data Processing Addendum and Data Protection Laws and allow for and contribute to audits, including inspections by the Customer or an independent auditor mandated by the Customer of any premises where the processing of Personal Data takes place.
11.2. Shepper shall permit the Customer or an independent auditor mandated by the Customer during normal working hours and on reasonable prior notice to inspect, audit and copy any relevant records, processes and systems in order that the Customer may satisfy itself that the provisions of Data Protection Laws and this Data Processing Addendum are being complied with.
11.3. Shepper shall provide reasonable co operation to the Customer in respect of any such audit and shall at the request of the Customer, provide the Customer with evidence of compliance with its obligations under this Data Processing Addendum and Data Protection Laws.
12. INTERNATIONAL TRANSFERS
12.1. Shepper shall not (permanently or temporarily) process the Personal Data nor permit any Authorised Sub-processor to (permanently or temporarily) process the Personal Data in a country outside of the UK or the EEA without an adequate level of protection unless Shepper provides appropriate safeguards (such as entering into (or procuring that any relevant Sub-processor of Shepper enters into) an agreement with the Customer on Standard Contractual Clauses (as adopted by the European Commission)), and on condition that enforceable data subject rights and effective legal remedies for data subjects are available in accordance with Article 46 GDPR.
13.1. Shepper shall be entitled to charge the Customer reasonable costs based on its standard billing rates for providing any support or carrying out requests made under this Data Processing Agreement.
Subject-matter of the processing
Processing for the purposes of provision of the Service
Duration of the processing
For the term of this Agreement
Nature and purpose of the processing
Processing for the purposes of provision of the Service