- You (the “Controller”) and Amity Corporation Ltd., with registered office in Cornwall Court, 19 Cornwall Street, Birmingham, United Kingdom (the “Processor”) have concluded an agreement according to which the Processor is obliged - if required by the Controller to do so - to process the Personal Data (as defined below) connected with the Services on behalf of the Controller (the “Agreement”);
- the fulfilment of the Agreement requires the Processor to process personal data of several data subjects on behalf of the Controller as further described in Annex I (respectively, “Personal Data” and “Data Subjects”);
- Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC / the Data Protection Act 2018 (the “Data Protection Law”) requires to regulate the processing activities carried out by the Processor through a legal act binding on the processor and providing specific instructions as to the processing of the personal data;
- the Processor provides sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of the Data Protection Law and ensure the protection of the rights of the Data Subjects;
- with this data processing agreement (the “Data Processing Agreement”), the Controller and the Processor intend to regulate the processing of Personal Data necessary to execute the Agreement according to the applicable Data Protection Law.
The Controller and the Processor have entered into this Data Processing Agreement as follows.
- Purpose of the regulation
The purpose of this Data Processing Agreement is to govern the processing activities that the Processor will carry out on behalf of the Controller to execute the Agreement and to establish the conditions under which the Processor may process the Personal Data relating to the Data Subjects.
- Obligations of the processor
The Processor undertakes to:
process the Personal Data exclusively on behalf of the Controller, only as long as necessary to execute the Agreement, and in accordance with the Data Protection Law and the instructions and conditions provided by the Controller with this Data Processing Agreement;
ensures that the persons processing the Personal Data under its authority, including its employees, interns, and consultants have committed themselves to confidentiality and have received proper instructions to process the Personal Data in accordance with the Data Protection Law and the instructions provided for by the Controller;
implement all technical and organisational measures to ensure a level of security appropriate to the risk presented by the nature, scope, context, and purposes of the processing of Personal Data;
when engaging another processor (the “Sub-processor”),
- appoint only Sub-processors providing sufficient guarantees to implement appropriate technical and organisational measures to respect the requirements of the Data Protection Law;
- impose on the Sub-processor, by way of a contract, the same obligations imposed on the Processor under this Data Processing Agreement;
- inform the Controller of such appointment;
notify to the Controller any request received by Data Subjects and assist the Controller to fulfil such requests;
assist the Controller to:
- identify and implement the adequate technical and organisational measures;
- identify and notify a data breach to the competent supervisory authority without undue delay after having become aware of it;
- notify a data breach to the Data Subjects when it is likely to result in a high risk to the rights and freedoms of natural persons;
- carry out a data protection impact assessment and consult the authority on its results when it indicates that the processing would result in a high risk for the Data Subjects;
upon termination of this Data Processing Agreement, at the choice of the Controller, delete or return to the Controller all Personal Data, except where retaining Personal Data is required to comply with an obligation upon the Processor, in which case it shall inform the Controller of such obligation;
upon request of the Controller, made it available all information necessary to demonstrate compliance with the instructions provided for in this Data Processing Agreement. The Processor also undertakes to allow the Controller to carry out audit activities by itself or, at its own cost, through an independent auditor to verify the compliance with the instructions set out in this Data Processing Agreement. In any case, the Controller undertakes to:
- keep all the information collected during the audit as confidential;
- inform the Processor at least 10 days before the audit;
- conduct the audit only to the extent strictly necessary to verify compliance with this Data Processing Agreement and the Data Protection Law, during normal working hours and in a manner that does not unreasonably disrupt the normal activities of the Processor;
- bear any cost related to the audit;
when required by the Data Protection Law, the Processor shall maintain and keep updated a record of processing activities according to the requirements set forth by the applicable Data Protection Law;
when necessary under the applicable Data Protection Law, the Processor shall appoint a Data Protection Officer and communicate its contacts to the Controller.
This Data Processing Agreement has the same duration of the Agreement signed between the Controller and the Processor and will cease should the Agreement expire or be terminated for any reason.
- Processor Liability
The Processor undertakes to indemnify and hold harmless the Controller for any damage or sanction resulting to the Controller for its failure to comply with this Data Processing Agreement or with the applicable Data Protection Law and from any damage, expense, cost or charge arising out of a violation of the data protection obligations imposed to any Sub-processor.
- Changes to Data Protection Law
In the event of any change to the applicable Data Protection Law that may affect the responsibilities and obligations imposed under this Data Processing Agreement, the Controller and the Processor undertake to discuss and negotiate in good faith any possible amendment necessary to comply with the amended Data Protection Law.
Whenever a provision of this Data Processing Agreement be or becomes invalid or not applicable, such provision will be considered autonomously in respect thereto and, if possible, it will be replaced by a lawful provision which truthfully reflects the intention of the parties pursuant to this Data Processing Agreement and, if applicable, does not affect the validity and/or applicability of any further provisions thereof.
- Order of precedence
In the event of any inconsistency between the provisions of this Data Processing Agreement and the provisions of the Agreement on data protection, the provisions of this Data Processing Agreement shall prevail.
- Applicable Law and Jurisdiction
This Data Processing Agreement is regulated by the United Kingdom Law.
Any disputes arising from or in connection with this Data Processing Agreement shall be brought exclusively before the competent court of London.