Data Protection Schedule

1. DEFINITIONS AND INTERPRETATIONS
1.1. In this Data Protection Schedule both the definitions in User Agreement and the following definitions shall apply:
1.1.1. Controller shall have the meaning given in Article 4 of the UK GDPR.
1.1.2. Data Subject means an identified or identifiable natural person who is the subject of any Personal Data.
1.1.3. Data Protection Laws means the Data Protection Act 2018, the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (the Data Protection Regulations), the General Data Protection Regulation (EU) 2016/679 (as applicable), the UK GDPR (as defined in the Data Protection Regulations) (and any respective local implementing laws) and the Privacy and Electronic Communications Directive 2002/58/EC (and any respective local implementing laws) as amended, replaced or superseded from time to time, to the extent that the same is applicable in accordance with its own terms to a Party.
1.1.4. Inadequate Country means a country which is (i) outside the UK, (ii) outside of the European Economic Area and (iii) not a country which has been determined by the European Commission as ensuring an appropriate level of protection for the purposes of Article 45 of the GDPR.
1.1.5. Personal Data shall have the meaning given in Article 4 of the UK GDPR.
1.1.6. Processor shall have the meaning given in Article 4 of the UK GDPR.
1.1.7. Provided Personal Data means, in relation to either Party, Personal Data provided to it by the other Party.
1.1.8. Sub-processor means a natural or legal person, public authority, agency or any other body contracted by ARI to process Provided Personal Data.
1.1.9. Supervisory Authority shall have the meaning given in Article 4 of the UK GDPR.

2. WHERE A PARTY IS A CONTROLLER
2.1. Where the Data Protection Laws determine that a party is a controller in relation to any Provided Personal Data, the party undertakes to:
2.1.1. comply with Data Protection Laws when processing Provided Personal Data;
2.1.2. rely on a valid legal ground under Data Protection Laws for its processing, including obtaining Data Subjects’ appropriate consent if required or appropriate under Data Protection Laws;
2.1.3. take reasonable steps to ensure that Provided Personal Data is (i) accurate, complete and current and limited to what is necessary in relation to the processing; and (ii) kept in a form which permits identification of Data Subjects for no longer than is necessary for the processing (unless a longer retention is required or allowed under applicable law);
2.1.4. implement appropriate technical and organisational measures to ensure, and to be able to demonstrate, that the processing of Provided Personal Data is performed in accordance with Data Protection Laws;
2.1.5. not transfer any Provided Personal Data to any Inadequate Country, unless such Party ensures (i) that the transfer is at all times subject to one of the appropriate safeguards permitted by Article 46 of GDPR and (ii) that in all other respects the transfer complies with the UK GDPR;
2.1.6. respond to Data Subject requests to exercise their rights of (i) access, (ii) rectification, (iii) erasure, (iv) data portability, (v) restriction of Processing, (vi) objection to the Processing, and (vii) the rights related to automated decision-making and profiling, if and as required under Data Protection Laws;
2.1.7. co-operate with the other Party to fulfil their respective data protection compliance obligations under Data Protection Laws; and
2.1.8. in the case of the Client:
2.1.8.1. where it transfers any Provided Personal Data to a third party, provide details of the transferee and the relevant Provided Personal Data to KYCIC promptly upon KYCIC’s reasonable request therefor; and
2.1.8.2. ensure that Provided Personal Data is only made available to Client for the purpose of mitigating the relevant Client’s risks and meeting that Client’s regulatory requirements from time to time applying;
2.1.8.3. ensure that Provided Personal Data is not used to determine a person’s suitability for any benefit or employment in breach of any Data Protection Laws.

3. WHERE THE CLIENT AND/OR KYCIC ARE PROCESSORS
3.1. Where, in relation to any Provided Personal Data the Data Protection Laws determine that KYCIC is a Processor and/or a Sub-Processor the provisions of paragraphs 3 to 7 apply.
3.2. For the purposes of Article 28.3 of GDPR, the subject matter of the processing, duration of the processing and nature and purpose of the processing is as stated in the Schedule.
3.3. KYCIC shall:
3.3.1. process the Provided Personal Data only in accordance with the Client’s documented instructions, including where relevant for transfers of Provided Personal Data outside the United Kingdom and/or European Economic Area (EEA) (unless required to do so by European Union, Member State and/or UK law to which ARI is subject, in which case KYCIC shall inform Client of that legal requirement before processing unless prohibited by that law);
3.3.2. ensure that persons authorised to process Provided Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
3.3.3. take all measures required pursuant to Article 32 of the GDPR;
3.3.4. appoint Sub-processors only in accordance with paragraph 5 below;
3.3.5. taking into account the nature of the processing, assist Client by taking appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of Client’s obligation to respond to requests for exercising a Data Subject’s rights laid down in Chapter III of the GDPR;
3.3.6. taking into account the nature of the processing and the information available to KYCIC, assist Client in ensuring compliance with Client’s obligations to:
3.3.6.1. keep Provided Personal Data secure (Article 32 GDPR).
3.3.6.2. notify Provided Personal Data breaches to the Supervisory Authority (Article 33 GDPR).
3.3.6.3. advise Data Subjects when there has been a Provided Personal Data breach (Article 34 GDPR).
3.3.6.4. carry out data protection impact assessments (Article 35 GDPR); and
3.3.6.5. consult with the Supervisory Authority where a data protection impact assessment indicates that there is an unmitigated high risk to the processing (Article 36 GDPR);
3.3.7. at the choice of Client, delete or return all Provided Personal Data to Client upon termination of this Agreement, save to the extent that United Kingdom or EU member state law requires retention of the Provided Personal Data;
3.3.8. make available to Client all information necessary to demonstrate compliance with the obligations laid down in this Data Processing Schedule and allow for and contribute to audits, including inspections, conducted by Client or another auditor mandated by Client as set out in paragraph 4 below (and immediately inform the Client if, in its opinion, an instruction infringes Data Protection Laws);
3.3.9. comply with Article 30 of the GDPR;
3.3.10. co-operate on request, with the Information Commissioner’s Office (or any successor body thereto) in the performance of its tasks; and
3.3.11. notify the Client without undue delay after becoming aware of a Provided Personal Data breach, and in no event less than 48 hours from becoming aware of such Provided Personal Data breach.

4. AUDIT RIGHTS
4.1. Upon the Client’s reasonable request, KYCIC agrees to provide the Client with any documentation or records (which may be redacted to remove confidential commercial information not relevant to the requirements of this Data Processing Schedule) which will enable it to verify and monitor KYCIC’s compliance with this Data Processing Schedule, within 14 days of receipt of such request.
4.2. Where, in the reasonable opinion of the Client, such documentation is not sufficient in order to meet the obligations of Article 28 of the GDPR, the Client will be entitled, upon reasonable prior written notice to KYCIC and upon reasonable grounds, to conduct an on-site audit of KYCIC’s premises used in connection with the Service, solely to confirm compliance with its data protection and security obligations under this Data Processing Schedule. Any audit carried out by the Client will be conducted in a manner that does not disrupt, delay or interfere with KYCIC’s performance of its business. The Client shall ensure that the individuals carrying out the audit are under the same confidentiality obligations as set out in this Agreement.

5. USE OF SUB-PROCESSORS
5.1. The Client provides its consent for KYCIC to use Sub-processors as listed in paragraph 5.2 below in the performance of its obligations under this Agreement. Where KYCIC uses any other third-party KYCIC shall:
5.1.1. enter into a legally binding written agreement that places the equivalent data protection obligations as those set out in this Data Processing Schedule to the extent applicable to the nature of the services provided by such Sub-processor, in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of the UK GDPR;
5.1.2. remain liable for the performance of the Sub-processor; and
5.1.3. inform the Client of any intended changes concerning the addition or replacement of a Sub-processor and give the Client the opportunity to object to such changes.
5.2. The current list of KYCIC’s Sub-processors handling Provided Personal Data in relation to which KYCIC acts as Processor under the terms of this Agreement and/or any Agreement is:
5.2.1. Supplier Name: Amazon Web Services; Purpose: Database Hosting; Processing Country/Location: Ireland/Singapore;
5.2.2. Supplier Name: Powergate (Equinix (EMEA) Acquisition Enterprises B.V.); Purpose: Server hosting content management system: data centre for ARI/KYCIC products & services; Processing Country/Location: UK;
5.2.3. Supplier Name: Interxion HeadQuarters B.V.; Purpose: Server hosting content management system: data centre for ARI/KYCIC products & services; Processing Country/Location: UK;
5.2.4. Supplier Name: ALM Services; Purpose: Contracting agency providing development resources; Processing Country/Location: Poland;
5.2.5. Supplier Name: PRK Global Kft.; Purpose: Contracting agency providing research and administrative resources; Processing Country/Location: Hungary.

6. TRANSFERS OF PERSONAL DATA TO NON-EEA COUNTRIES
6.1. Where a transfer to a data recipient whose organisation is established outside of the EEA and United Kingdom is necessary for the purposes of this Agreement, the Parties acknowledge and accept that the data recipient shall either provide adequate safeguards as set out in Article 46 of the GDPR or rely on one of the derogations for specific situations set out in Article 49 of the GDPR to transfer Provided Personal Data to a third country or an international organisation.

7. CLIENT OBLIGATIONS
7.1. Client warrants and represents to KYCIC that:
7.1.1. all instructions provided to KYCIC in relation to the processing of Provided Personal Data are lawful and are provided in accordance with the Data Protection Laws;
7.1.2. it shall only provide instructions to KYCIC that are in accordance with the terms of this Agreement and this Data Processing Schedule; and
7.1.3. all Provided Personal Data is sourced lawfully and that it is solely responsible for determining the purpose for which Provided Personal Data may be processed by KYCIC.
7.1.4. Client acknowledges and agrees that KYCIC is reliant on Client for direction as to the extent to which KYCIC is entitled to use and process Provided Personal Data. Consequently, subject to paragraph 3.3 (h), KYCIC shall not be liable for any claim brought by a subject of Provided Personal Data and arising from any breach by KYCIC of the Data Protection Laws to the extent that such action or omission resulted from Client’s instructions.