Your browser is no longer supported. Please upgrade your browser to improve your experience.

Data Processing Agreement

This Data Processing Agreement:
(i) is supplemental to the Contract entered into between Valeport and Supplier for the supply of certain Services and specifies Valeport requirements for processing of Personal Data by the Supplier in performance of the Services; and
(ii) shall remain in force for the longer of either (a) the duration of the Contract; or (b) until such time as all processing of Personal Data by the Supplier has ceased.

1. Definitions

The rules of interpretation and defined terms in the Contract apply to this Data Processing Agreement together with and including the following definitions:

Contractmeans the agreement between the Supplier and Valeport for the sale and purchase of the Services incorporating Valeport’s Data Protection Requirements namely this Data Processing Agreement;
Controllershall have the meaning given in applicable Data Protection Laws from time to time;
Data Protection Lawsmeans any applicable law relating to the processing, privacy and/or use of Personal Data, as applicable to either party or the Services, including:

(a)      the GDPR;

(b)      the Data Protection Act 2018;

(c)      any laws which implement any such laws;

(d)      any laws that replace, extend, re-enact, consolidate or amend any of the foregoing; and

(e)      all guidance, guidelines, codes of practice and codes of conduct issued by any relevant Supervisory Authority relating to such Data Protection Laws (in each case whether or not legally binding);

Data Subjectshall have the meaning given in applicable Data Protection Laws from time to time;
GDPRmeans the General Data Protection Regulation, Regulation (EU) 2016/679;
International Organisationshall have the meaning given in applicable Data Protection Laws from time to time;
Personal Datashall have the meaning given in applicable Data Protection Laws from time to time;
Personal Data Breachshall have the meaning given in applicable Data Protection Laws from time to time;
Processinghas the meaning given in applicable Data Protection Laws from time to time (and related expressions, including process, processing, processed, and processes shall be construed accordingly);
Processorshall have the meaning given in applicable Data Protection Laws from time to time;
Protected Datameans Personal Data received from or on behalf of Valeport, or otherwise obtained in connection with the performance of the Supplier’s obligations under the Contract;
Servicesmeans the Services which are the subject matter of the Contract of which this Data Processing Agreement forms part;
Sub-Processormeans any agent, subcontractor or other third party engaged by the Supplier (or by any other Sub-Processor) for carrying out any processing activities in respect of the Protected Data;
Supervisory Authoritymeans any regulator, authority or body responsible for administering Data Protection Laws;
Suppliermeans the person (legal or natural) who supplies the Services to Valeport.

2. Data Processing Relationship

The parties agree that Valeport is a Controller and that the Supplier is a Processor for the purposes of processing Protected Data pursuant to the Contract. The Supplier shall, and shall ensure its Sub-Processors and each of the Supplier Personnel shall, at all times comply with all Data Protection Laws in connection with the processing of Protected Data and the provision of the Services. Nothing in the Contract relieves the Supplier of any responsibilities or liabilities under Data Protection Laws.

3. Only Process to the Extent Permitted

The Supplier shall only process (and shall ensure Supplier Personnel only process) the Protected Data in accordance with this Data Processing Agreement, the standard terms and conditions of the Contract and Valeport’s written instructions from time to time (including when making any transfer) except where otherwise required by applicable law (and in such a case shall inform Valeport of that legal requirement before processing, unless applicable law prevents it doing so on important grounds of public interest). The Supplier shall immediately inform Valeport if any instruction relating to the Protected Data infringes or may infringe any Data Protection Law.

4. Implement Technical and Organisational Measures

The Supplier shall at all times implement and maintain appropriate technical and organisational measures to protect Protected Data against accidental, unauthorised or unlawful destruction, loss, alteration, disclosure or access. Such technical and organisational measures shall be at least equivalent to the technical and organisational measures set out in the Schedule to this Data Processing Agreement and shall reflect the nature of the Protected Data.

5. Controls over Sub-Processing

5.1. The Supplier shall:
5.1.1. not permit any processing of Protected Data by any agent, subcontractor or other third party (except its own employees that are subject to an enforceable obligation of confidence with regards to the Protected Data) without the prior specific written authorisation of that Sub-Processor by Valeport and only then subject to such conditions as Valeport may require;
5.1.2. ensure that access to Protected Data is limited to the authorised persons who need access to it to supply the Services;
5.1.3. prior to the relevant Sub-Processor carrying out any processing activities in respect of the Protected Data, appoint each Sub-Processor under a binding written contract containing the same obligations as under this Data Processing Agreement in respect of Protected Data that (without prejudice to, or limitation of, the above):
5.1.3.1. includes providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing of the Protected Data will meet the requirements of all Data Protection Laws; and
5.1.3.2. is enforceable by the Supplier,
and ensure each such Sub-Processor complies with all such obligations.
5.1.4. remain fully liable to Valeport under the Contract for all the acts and omissions of each Sub-Processor and each of the Supplier Personnel as if they were its own; and
5.1.5. ensure that all persons authorised by the Supplier or any Sub-Processor to process Protected Data are reliable and:
5.1.5.1. adequately trained on compliance with this Data Processing Agreement as applicable to the processing;
5.1.5.2. informed of the confidential nature of the Protected Data and that they must not disclose Protected Data;
5.1.5.3. subject to a binding and enforceable written contractual obligation to keep the Protected Data confidential; and
5.1.5.4. provide relevant details and a copy of each agreement with a Sub-Processor to Valeport on request.

6. Assistance with Data Subject Access Requests

6.1. The Supplier shall (at its own cost and expense):
6.1.1. promptly provide such information and assistance (including by taking all appropriate technical and organisational measures) as Valeport may require in relation to the fulfilment of Valeport’s obligations to respond to requests for exercising the Data Subjects’ rights under Chapter III of the GDPR (and any similar obligations under applicable Data Protection Laws); and
6.1.2. provide such information, co-operation and other assistance to Valeport as Valeport reasonably requires (taking into account the nature of processing and the information available to the Supplier) to ensure compliance with Valeport’s obligations under Data Protection Laws, including with respect to:
6.1.2.1. security of processing;
6.1.2.2. data protection impact assessments (as such term is defined in Data Protection Laws);
6.1.2.3. prior consultation with a Supervisory Authority regarding high risk processing; and
6.1.2.4. any remedial action and/or notifications to be taken in response to any Personal Data Breach and/or any complaint or request relating to either party’s obligations under Data Protection Laws relevant to the Contract, including (subject in each case to Valeport’s prior written authorisation) regarding any notification of the Personal Data Breach to supervisory authorities and/or communication to any affected Data Subjects.
6.2. The Supplier shall (at no cost to Valeport) record and refer all requests and communications received from Data Subjects or any Supervisory Authority to Valeport which relate (or which may relate) to any Protected Data promptly (and in any event within three days of receipt) and shall not respond to any without Valeport’s express written approval and strictly in accordance with Valeport’s instructions unless and to the extent required by law.

7. No Data Processing outside of the EEA

The Supplier shall not process and/or transfer, or otherwise directly or indirectly disclose, any Protected Data in or to countries outside the European Economic Area or to any International Organisation without the prior written authorisation of Valeport (which may be refused or granted subject to such conditions as Valeport deems necessary).

8. Accurate Record Keeping

The Supplier shall maintain complete, accurate and up to date written records of all categories of processing activities carried out on behalf of Valeport. Such records shall include all information necessary to demonstrate its and Valeport’s compliance with this Data Processing Agreement the information referred to in Articles 30(1) and 30(2) of the GDPR and such other information as Valeport may reasonably require from time to time. The Supplier shall make copies of such records available to Valeport promptly (and in any event within 3 Business Days) on request from time to time.

9. Compliance Audit Right

The Supplier shall (and shall ensure all Sub-Processors shall) promptly make available to Valeport (at the Supplier’s cost) such information as is reasonably required to demonstrate the Supplier’s and Valeport’s compliance with their respective obligations under Data Processing Agreement and the Data Protection Laws, and allow for, permit and contribute to audits, including inspections, by Valeport (or another auditor mandated by Valeport) for this purpose at Valeport’s request from time to time. The Supplier shall provide (or procure) access to all relevant premises, systems, personnel and records during normal business hours for the purposes of each such audit or inspection upon reasonable prior notice (not being more than two Business Days) and provide and procure all further reasonable co-operation, access and assistance in relation to any such audit or inspection.

10. Notification of Personal Data Breach

The Supplier shall promptly (and in any event within 24 hours) notify Valeport if it (or any of its Sub-Processors or the Supplier Personnel) suspects or becomes aware of any suspected, actual or threatened occurrence of any Personal Data Breach in respect of any Protected Data and provide all information as Valeport requires to report such circumstances to a Supervisory Authority and to notify affected Data Subjects under Data Protection Laws.

11. No Retention of Protected Data

The Supplier shall (and shall ensure that each of the Sub-Processors and Supplier Personnel shall) without delay (and in any event within 3 days), at Valeport’s written request, either securely delete or securely return all the Protected Data to Valeport in such form as Valeport reasonably requests after the earlier of:
11.1. the end of the provision of the relevant Services related to processing of such Protected Data; or
11.2. once processing by the Supplier of any Protected Data is no longer required for the purpose of the Supplier’s performance of its relevant obligations under the Contract,
and securely delete existing copies (except to the extent that storage of any such data is required by applicable law and, if so, the Supplier shall inform Valeport of any such requirement).

12. Indemnity

The Supplier shall indemnify and keep indemnified Valeport against:
12.1. all losses, claims, damages, liabilities, fines, interest, penalties, costs, charges, sanctions, expenses, compensation paid to Data Subjects (including compensation to protect goodwill and ex gratia payments), demands and legal and other professional costs (calculated on a full indemnity basis and in each case whether or not arising from any investigation by, or imposed by, a Supervisory Authority) arising out of or in connection with any breach by the Supplier of its obligations under this clause
12.2. all amounts paid or payable by Valeport to a third party which would not have been paid or payable if the Supplier’s breach of this Data Processing Agreement had not occurred.

13. Survival of Terms

The obligations in this Data Processing Agreement shall survive termination or expiry of the Contract for any reason.