Terms & Conditions: Data Processing Addendum

Osprey Consultants Limited is providing, where applicable to the customer’s specific contract service level agreement with Osprey Consultants Limited, certain Remote Access & Telephone IT Support, Backup Monitoring and E-mail services, to the customer that has received and accepted these Data Processing Terms (“Customer”) on and pursuant to its general terms and conditions.

This Addendum is entered into by Osprey Consultants Limited and Customer and sets out the Data Processing Terms applicable to the Services, which form part of and are subject to Osprey Consultants Limited’s general terms and conditions (Agreement).

Terms not defined in these Data Processing Terms shall have the meaning set out in the Agreement.

  1. DEFINITIONS

In these Data Processing Terms:

“Affiliate” means an entity that directly or indirectly controls, is controlled by, or is under common control with, a party;

“Customer Personal Data” means personal data contained in the customers’ files, folders and databases to be backed up through the Services;

“Customer Representative” means the person designated by Customer from time to time who will act as its primary contact regarding the performance of the Agreement;

“Data Processing Terms” means the terms set out in this Addendum;

“Data Protection Legislation” means, as applicable: (a) the GDPR (from 25 May 2018 onwards); and/or (b) the data protection laws applicable in the jurisdiction of Osprey Consultants Limited, in each case as may be amended or supplemented from time to time;

“Osprey Consultants” means either Osprey Consultants Limited.

“GDPR” means the General Data Protection Regulation 2016/679;

“Services” means the services provided under the Agreement and includes (i) Remote Access & Telephone IT Support, (ii) IT Systems Backup Monitoring Alerts via the Customer’s E-mail system to Osprey Consultants Limited and Remote Access Software installed on the Customer’s personal computers and/or servers that are subject to the Services, Backup E-mail Gateway Service, if applicable, (iii) and/or any disaster recovery services; and includes the technical support services related thereto.

“Sub-Processors” means third parties authorised under these Data Processing Terms to process Customer Personal Data in order to provide parts of the Services and any related technical support.

The terms “controller”, “data subject”, “personal data”, “processing”, “processor” and “supervisory authority” as used in these Data Processing Terms have the meanings given in the GDPR.

  2. EFFECTIVE DATE AND DURATION

These Data Processing Terms shall become effective on 25 May 2018 (the “Effective Date”) and until such time, all existing provisions in the Agreement in relation to data protection and privacy shall continue to apply between the parties. Upon the Effective Date the provisions of these Data Processing Terms shall supersede and replace (without any further action by the parties) the pre-existing provisions of the Agreement in relation to data protection and privacy.

  3. NATURE AND PURPOSE OF PROCESSING

3.1
The Customer expressly acknowledges and agrees that Osprey Consultants Limited has no control or influence over the content of the Customer Personal Data, which may include, among other things, personal data and sensitive personal data (as defined under the GDPR) relating to the Customer’s or its customer’s own clients, customers, suppliers, employees, other personnel or other data subjects within the meaning of the GDPR. Should Customer wish to further categorise the data subjects or types of personal data to incorporate into these terms, it may provide such information to Osprey Consultants Limited.

3.2
Customer instructs Osprey Consultants Limited to process the Customer Personal Data in accordance with the Agreement and otherwise on the instructions of the contact persons designated by the Customer or such third party as the Customer has confirmed in writing (including email) is authorised to provide such instructions (an “Authorised Agent”), taking into account the nature of the Services, including any related technical support and for the duration of the Agreement. The Customer remains at all times fully liable for any instructions given by its contact person(s) or an Authorised Agent.

3.3
The parties acknowledge and agree that any instructions may be given by email or orally where the Customer or Authorised Agent is using Osprey Consultants Limited’s technical support team, provided that Osprey Consultants Limited shall keep a record of such oral instructions.

3.4
The Customer further acknowledges and agrees that it (and/or its customer if its customer (also) qualifies as the Controller) is responsible for determining the purposes for and manner in which the Customer Personal Data is processed and hereby undertakes that it and, where applicable, its customer has taken, and shall, throughout the duration of the Agreement, take all measures concerning the Customer Personal Data to ensure compliance with its obligations under the Data Protection Legislation, including the processing activities carried out by the Services and any authorisations required in respect of the provision of such Services by Osprey Consultants Limited under these Data Processing Terms. 

  4. OSPREY CONSULTANTS LIMITED’S PERSONNEL

4.1
Osprey Consultants Limited will impose and maintain appropriate contractual obligations regarding confidentiality on any personnel authorised by Osprey Consultants Limited to access the Customer Personal Data.

4.2
Osprey Consultants Limited will implement and maintain access controls and policies in order to restrict Osprey Consultants Limited personnel processing Customer Personal Data to those Osprey Consultants Limited personnel who need to process Customer Personal Data to provide the Services to the Customer.

  5. SECURITY MEASURES

5.1
Osprey Consultants Limited has implemented and will maintain appropriate technical and organisational security measures to prevent unauthorised access to the Customer Personal Data, unauthorised or unlawful alteration, disclosure, destruction or unlawful processing of the Customer Personal Data or accidental loss or destruction of, or damage to, the Customer Personal Data, in each case taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing pursuant to the Services.

5.2
Customer is solely responsible for its use of the Services, including securing the account authentication credentials, systems and devices (including the Protected Equipment) Customer uses to access the Services.

  6. STORAGE AND TRANSFERS OF PERSONAL DATA

6.1
Osprey Consultants Limited shall store Customer Personal Data in its office or datacentres located in the EEA, or, if applicable, following the exit of the United Kingdom from the European Union, the United Kingdom, provided it qualifies as a third country covered by Article 45, subsection 1 of the GDPR (an Adequate Jurisdiction).

6.2
Technical support services outside of normal business hours may be provided by an Osprey Consultants Limited Affiliate located within the EEA.

  7. SUB-PROCESSING

7.1
The Customer hereby specifically authorises the engagement of any Osprey Consultants Limited Affiliate as a sub-Processor.

7.2
Customer also generally authorises the use of third party sub-Processors by Osprey Consultants Limited, provided that:

  1. Osprey Consultants Limited shall restrict the sub-Processor’s processing of the Customer Personal Data to processing that is necessary to provide or maintain the Services;
  2. Osprey Consultants Limited shall enter into contractual arrangements with such sub-Processors requiring them to guarantee a similar level of data protection compliance and information security to that provided for herein to the extent applicable to the processing activities being provided by such sub-Processor; and
  3. if a sub-Processor fails to comply with its data protection obligations, Osprey Consultants Limited shall remain fully liable to the Customer for the performance (or failure of performance) of the sub-Processor’s data protection obligations.

7.3
Osprey Consultants Limited shall maintain an up to date list of its sub-Processors relating to any Services it provides to the Customer. Osprey Consultants Limited shall provide the list to the Customer upon written request.

7.4
Osprey Consultants Limited will notify the Customer if any new sub-Processor is appointed after the Effective Date and Customer shall have the opportunity to object to the use of such sub-Processor. If the Customer:

  1. does not respond (in writing) within 30 days from the date of the notification, it will be deemed to have given its authorisation to the use of such sub-Processor;
  2. responds by refusing (in writing) its authorisation and a mutually acceptable resolution to such refusal cannot be agreed, it may terminate the Agreement for convenience or terminate the service or that part of the service which is provided by Osprey Consultants Limited using the relevant sub-Processor. This termination right is Customer’s sole and exclusive remedy if Customer objects to any new third party Sub-processor.

7.5
Notwithstanding sub-sections 7.1 to 7.4 above, and subject to applicable law, Osprey Consultants Limited may freely use sub-contractors or suppliers that do not qualify as processors under the Data Protection Legislation (including but not limited to energy suppliers, equipment suppliers, transport suppliers, technical service providers, hardware vendors etc.) without having to inform or seek prior authorisation from the Customer.

7.6
Osprey Consultants Limited will impose and maintain appropriate contractual obligations regarding confidentiality on any sub-Processors authorised by Osprey Consultants Limited to access the Customer Personal Data.

  8. ASSISTANCE WITH DATA SUBJECT REQUESTS

8.1
The Customer acknowledges and agrees that it shall be responsible for compliance with any requests from data subjects under Data Protection Legislation.

8.2
Osprey Consultants Limited agrees to provide reasonable assistance to the Customer without undue delay, taking into account the nature and functionality of the Services, in respect of the Customer’s or its customers’ obligations regarding:

  1. requests from data subjects in respect of access to or the rectification, erasure, restriction, blocking or deletion of Customer Personal Data, provided that the Customer acknowledges that Osprey Consultants Limited only holds the Customer Personal Data in encrypted form, and any such actions shall therefore be performed by the Customer or an Authorised Agent on its behalf and not by Osprey Consultants Limited;
  2. the investigation of any incident which gives rise to a risk of unauthorised disclosure, loss, destruction or alteration of Customer Personal Data and the notification to the supervisory authority and data subjects in respect of such incidents;
  3. at the expense and cost of the Customer, the preparation of data protection impact assessments and, where applicable, carrying out consultations with the supervisory authority.

  9. DEMONSTRATING COMPLIANCE

9.1
Osprey Consultants Limited may use independent third party auditors to periodically verify the adequacy of the security controls that apply to the Services.

9.2
Osprey Consultants Limited shall not be required to disclose any business confidential or commercially sensitive information, other customers’ information or information that it reasonably considers could be used to compromise the security or integrity of its systems.

  10. DATA BREACH

10.1
If Osprey Consultants Limited becomes aware of unauthorised access to any Customer Personal Data on Osprey Consultants Limited’s equipment or in Osprey Consultants Limited’s facilities and such unauthorised access results in loss, disclosure or alteration of that data, Osprey Consultants Limited will notify the Customer without undue delay, providing sufficient information to enable the Customer to assess the breach and its obligations regarding notifying supervisory authorities or data subjects under the Data Protection Legislation. Such notification shall be provided to the Customer Representative. For the avoidance of doubt, Osprey Consultants Limited shall not be required to notify Customer of any unsuccessful attempts or activities that do not compromise the security of Customer Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.

10.2
Customer is solely responsible for complying with incident notification laws applicable to Customer under the Data Protection Legislation. Notwithstanding the foregoing, the parties will cooperate and provide all reasonable assistance with respect to complying with third party notification obligations under the Data Protection Legislation.

10.3
Osprey Consultants Limited’s notification of or response to a data breach incident under this Clause 10 will not be construed as an acknowledgement by Osprey Consultants Limited or any of its Affiliates of any fault or liability with respect to the data breach.

  11. LIABILITY

Any claims under this Addendum shall be subject to the same terms and conditions as the Agreement between Osprey Consultants Limited and the Customer, including but not limited to the exclusions and limitations set forth in the general terms and conditions.

  12. DELETION OF CUSTOMER DATA

Customer hereby instructs Osprey Consultants Limited and any sub-processors to, within three months of the date of termination of the Agreement, delete all Customer Personal Data and upon request provide written confirmation (including by email) to the Customer that it has taken such measures.

By accepting these Data Processing Terms, Customer agrees that save as set out herein, all other terms of any Agreement remain in force. In the event of any discrepancy between these Data Processing Terms and the remainder of the Agreement, these Data Processing Terms shall prevail.