ADDENDUM ON DATA PROTECTION AND DATA PROTOCOL

to the [NAME OF AGREEMENT] dated [DATE] (the “Agreement”)

Date of this Addendum:  [DATE]

BETWEEN:

1.       Corp360, a company incorporated in Vietnam with its principal place of business at Ha Noi, Vietnam (“CORP360”);

2.         [Vendor], a company incorporated in [Country] with its [registered office address/principal place of business] at [ADDRESS] (the “Supplier”).

RECITALS:

1.         The parties wish to address changes in the law which have been introduced by the GDPR.

IT IS AGREED as follows:

“Addendum” means this addendum together with any appendices to it;
“Customer’s Data” means any data supplied or made available by the Customer to CORP360, which may include personal data;
“Data Protection Legislation” means the Data Protection Act 2018, the GDPR, the Privacy and Electronic Communications (EC Directive) Regulations 2003, and all other applicable laws relating to the processing of personal data, privacy, the protection of personal data in electronic communications, and direct marketing, including any applicable law or regulation which supersedes, replaces or implements in the United Kingdom any of the foregoing;
“Data Protocol” means a protocol setting out the types of personal data which may be processed by CORP360 in the performance of the Services, the subject matter of the processing, and the duration of the processing, as set out in the Agreement, and any further data protocol which is agreed in writing and signed by the parties; and
“GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).
  
APPENDICES


Appendix 1

Data Protection

1.      CORP360 is a data processor and processes data on behalf of CORP360’s Customer; CORP360’s Supplier is therefore a sub-processor.

2.      CORP360 shall ensure that it has the consent of its Customer and is entitled to make the Customer’s Data available to Supplier, so that Supplier may lawfully process any personal data in accordance with the Agreement as amended by this Addendum (or as otherwise instructed in writing by CORP360 or CORP360’s Customer) on CORP360’s Customer’s behalf.

3.      Supplier shall only process CORP360’s or CORP360’s Customer’s Data as described in, and for the purposes set out in, the Data Protocol.

4.      Supplier will not process any CORP360 or CORP360’s Customer Data on behalf of CORP360 or CORP360’s Customer for any other purpose, nor process any other personal data on behalf of CORP360 or CORP360’s Customer, without CORP360’s or CORP360’s Customer’s prior written consent. If Supplier requires access to, or identifies a need to process, any other personal data in order to provide the Services, it shall notify CORP360, and such processing shall be subject to the Data Protocol (as updated or amended to address that additional processing).

5.      In respect of any personal data processed by Supplier and/or which is accessed by Supplier in the provision of the Services, Supplier shall:

5.1       implement appropriate technical and organisational measures to ensure the security of the same when processed by it or when in its possession or control, including against unauthorised or unlawful processing and accidental loss, destruction or damage, ensuring a level of security appropriate to the risks presented by processing such data, and taking into account the data protection by design and by default principles under the GDPR;

5.2       assist CORP360 and CORP360’s Customer in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR taking into account the nature of processing and the information available to Supplier;

5.3       regularly review and update the technical and organisational measures implemented pursuant to paragraph 5.1 above in order to demonstrate to CORP360 and CORP360’s Customer that the processing of CORP360’s Customer Data by Supplier is performed in accordance with the Data Protection Legislation;

5.4       not transfer any personal data to any country outside the European Economic Area (EEA) without CORP360’s and CORP360’s Customer’s prior written consent (which may be refused at CORP360’s or CORP360’s Customer’s sole discretion), subject to compliance with paragraph 8 below and provided always that the transfer complies with the Data Protection Legislation;

5.5       provide to CORP360 and CORP360’s Customer all information, including written details of its data processing activities, as is required by CORP360 and CORP360’s Customer to demonstrate Supplier’s compliance with the Data Protection Legislation and the terms of the Agreement, and allow its facilities, procedures and documentation which relate to the processing of CORP360’s and CORP360’s Customer’s Data to be inspected and audited by CORP360 or CORP360’s Customer, a representative of CORP360 or CORP360’s Customer, or a regulatory body, subject at all times to Supplier’s reasonable security restrictions and procedures; and

5.6       ensure that access to CORP360 and CORP360’s Customer Data is limited to those of Supplier’s employees and contract personnel who need access to CORP360 and CORP360’s Customer Data to assist Supplier in the performance of the Agreement, that each of Supplier’s employees and contract personnel is subject to confidentiality obligations in respect of CORP360 and CORP360’s Customer Data and has had appropriate and recent training in data protection, and that such access is revoked once no longer required; and Supplier shall procure that such employees and contract personnel comply with the Data Protection Legislation in so far as it applies to them.

6.      The parties acknowledge that:

6.1       Supplier will only implement such measures as would be expected of an ordinary business without reference to CORP360’s or CORP360’s Customer’s specific operational requirements;

6.2       nothing herein shall require Supplier to vary the Services so as to meet any changed operational requirements imposed or required by the GDPR, including without limitation meeting the privacy by design and the right to be forgotten principles unless and to the extent agreed by the parties;

6.3       CORP360 and CORP360’s Customer have had an opportunity to review the proposed measures;

6.4       Supplier’s responsibility to restore or recover any CORP360 and CORP360’s Customer Data is limited to the backup and data restoration obligations agreed by the parties or, failing such agreement, to restoring the most recent backup taken;

6.5       the Supplier is responsible for the training and supervision of its personnel and agents in delivering the Services which includes taking appropriate measures against unsafe practices;

6.6       any measures taken to safeguard CORP360 and CORP360’s Customer Data can only take into account commonly understood and accepted security threats; and

6.7       the security measures adopted by Supplier may need to change or be enhanced as circumstances require, which may entail additional third-party costs; the costs of implementation are solely Supplier’s responsibility in accordance with the Agreement.

7.      Supplier shall immediately, and in any event within 24 hours of becoming aware of the same, notify CORP360 if it becomes aware of any breach or potential breach of this Appendix 1, or if it otherwise has reason to consider that there has been a personal data breach, and shall provide CORP360 and CORP360’s Customer with all such details of the breach as are required by CORP360 and CORP360’s Customer, and fully cooperate with CORP360 and CORP360’s Customer in respect of any breach or potential breach and all measures to be taken in response to it, including providing such assistance as CORP360 and CORP360’s Customer may require to allow it to inform a regulatory authority or data subject of a personal data breach, to conduct a data protection impact assessment, or to consult with a regulatory authority regarding the processing of personal data.  CORP360 and CORP360’s Customer shall likewise notify Supplier if either becomes aware of any breach or potential breach of this Appendix 1 by Supplier.

8.      In respect of any transfer of CORP360 or CORP360’s Customer Data outside the EEA to a country without a decision of adequacy by the European Commission, where CORP360 or CORP360’s Customer has given express written consent pursuant to paragraph 5.4 above, Supplier shall prior to such transfer:

8.1       put in place appropriate safeguards to protect such CORP360 and CORP360’s Customer Data to the reasonable satisfaction of CORP360 and CORP360’s Customer, which may include:

8.1.1    executing with CORP360 and CORP360’s Customer the European Union’s model contract for exporting personal data to a data processor or data controller located outside the EEA in the form required by CORP360 or CORP360’s Customer, as such model contract may be amended from time to time; or

8.1.2    ensuring that the export of personal data is subject to codes of practice or other mechanisms, such as the US Privacy Shield, which provide an adequate level of protection and are approved or adopted by the European Commission for those purposes; and

8.2       put in place enforceable data subject rights and effective legal remedies for data subjects as required by the Data Protection Legislation.

9.      For the purposes of paragraphs 5.4 and 9, CORP360 and CORP360’s Customer have consented to the appointment of [insert Supplier registered name] as a sub-processor.

10.    Supplier shall immediately notify CORP360 and CORP360’s Customer if it receives any:

10.1     complaint, notice or communication which relates directly or indirectly to the processing of personal data under the Agreement or to either party’s compliance with the Data Protection Legislation, and shall provide full cooperation to CORP360 and CORP360’s Customer in connection with any such complaint, notice or communications; and

10.2     any request or objection from a data subject relating to any personal data pursuant to the Data Protection Legislation (including requests for access to personal data; rectification or erasure of personal data; restriction of processing of personal data; and portability of personal data), and Supplier shall provide all such assistance as CORP360 or CORP360’s Customer may require to allow it to respond to requests made by data subjects in accordance with the Data Protection Legislation, and shall not respond to a data subject in respect of any such request or objection without the prior written consent of CORP360 and CORP360’s Customer.

11.    Supplier shall not disclose or provide CORP360 or CORP360’s Customer Data to any third party, including any sub-contractor, or allow any sub-contractor to process CORP360 or CORP360’s Customer Data, except to the extent that such sub-contractor has been expressly approved by CORP360 or CORP360’s Customer in writing, and then only for such purposes as CORP360 or CORP360’s Customer has expressly authorised, and provided that:

11.1     Supplier enters into a written agreement with such sub-contractor which imposes on the sub-contractor obligations equivalent to the data protection obligations imposed on Supplier under this Appendix 1;

11.2     Supplier notifies CORP360 and CORP360’s Customer of any intended changes to or replacements of any such sub-contractor to which CORP360 and CORP360’s Customer may object;

11.3     Supplier remains responsible for all acts and omissions of such sub-contractors, and for all processing carried out by such sub-contractors; and

11.4     the sub-contractor’s processing of CORP360 and CORP360’s Customer Data immediately terminates on the termination or expiry of the Agreement.

Appendix 2

Data Protocol[1]

Supplier’s name:                

Date of Agreement:           

Agreement name:              

Reference no.:                    

1.             Purpose

Supplier shall process personal data only to the extent necessary to:

(a)           host and make available various computer services to CORP360 and CORP360’s Customer, and

(b)           provide incidental support to CORP360 and CORP360’s Customer in its access to and use of any CORP360 and CORP360’s Customer’s personal data.

2.             Types of personal data to be processed by Supplier

The personal data may include personal data relating to CORP360 and CORP360’s Customer’s staff, clients or suppliers.

The types of personal data which may be held may include:

(a)           that of its employees, including sensitive data or special categories of data, bank details, contact details, health and medical information, performance appraisals and all other personal data related to the employment function;

(b)           identification documents for clients, such as passport and driving licences, contact details, data relating to a client in connection with legal advice being provided by CORP360 and CORP360’s Customer (which may include sensitive data or special categories of data); and

(c)           contact details for suppliers and other customers.

3.             Duration of processing

Supplier shall only process personal data for the purposes described above during the Term of the Agreement. Following termination or expiry of the Agreement, Supplier shall comply with any termination provisions; failing which, after a reasonable period of time and in the absence of any other instructions given under the Agreement, it shall permanently erase the personal data, without any liability to CORP360 and CORP360’s Customer for doing so.

4.             Service Providers

The following Hosting Facilities are used by the [Supplier] (with links to their terms of use):

[Hosting Provider terms                     Insert URL][2]

[NAME]                                                  [LINK TO TERMS]


[1] Notes:  This needs to be tailored for each Customer/project.

[2] Notes:  An example only.