1.1. In this Addendum:
| Term | Meaning |
|---|---|
| Applicable law | means applicable law of the United Kingdom (or of a part of the United Kingdom); |
| Controller | has the meaning given in applicable Data Protection Laws from time to time; |
| Data Protection Laws | means, as binding on either party or the Services:<br>(a) the GDPR;<br>(b) the Data Protection Act 2018;<br>(c) any laws which implement or supplement any such laws; and<br>(d) any laws that replace, extend, re-enact, consolidate or amend any of the foregoing; |
| Data Subject | has the meaning given in applicable Data Protection Laws from time to time; |
| GDPR | means the General Data Protection Regulation, Regulation (EU) 2016/679, as it forms part of domestic law in the United Kingdom by virtue of section 3 of the European Union (Withdrawal) Act 2018 (including as further amended or modified by the laws of the United Kingdom or of a part of the United Kingdom from time to time); |
| International Organisation | has the meaning given in applicable Data Protection Laws from time to time; |
| Personal Data | has the meaning given in applicable Data Protection Laws from time to time; |
| Personal Data Breach | has the meaning given in applicable Data Protection Laws from time to time; |
| Processing | has the meaning given in applicable Data Protection Laws from time to time (and related expressions, including process, processed and processes shall be construed accordingly); |
| Processor | has the meaning given in applicable Data Protection Laws from time to time; |
| Protected Data | means Personal Data received from or on behalf of the Agency in connection with the performance of OIIKII’s obligations under this Agreement; and |
| Sub-Processor | means any Processor engaged by OIIKII (or by any other Sub-Processor) for carrying out any processing activities in respect of the Protected Data on behalf of the Agency. |
The parties agree that the Agency is a Controller and that OIIKII is a Processor for the purposes of processing Protected Data pursuant to this Agreement. The Agency shall, at all times, comply with all Data Protection Laws in connection with the processing of Protected Data. The Agency shall ensure all instructions given by it to OIIKII in respect of Protected Data (including the terms of this Agreement) shall at all times be in accordance with all Data Protection Laws. Nothing in this Agreement relieves the Agency of any responsibilities or liabilities under any Data Protection Laws.
OIIKII shall process Protected Data in compliance with the obligations placed on it under Data Protection Laws and the terms of this Agreement.
The Agency shall indemnify and keep indemnified OIIKII against all losses, claims, damages, liabilities, fines, sanctions, interest, penalties, costs, charges, expenses, compensation paid to Data Subjects, demands and legal and other professional costs (calculated on a full indemnity basis and in each case whether or not arising from any investigation by, or imposed by, a supervisory authority) arising out of or in connection with any breach by the Agency of its obligations under this Addendum.
5.1. OIIKII shall only process (and shall ensure OIIKII Personnel only process) the Protected Data in accordance with Part B of this Addendum and this Agreement (including with regard to any transfer to which clause 11 of this Part A relates), except to the extent:
5.1.1. that alternative processing instructions are agreed between the parties in writing; or
5.1.2. otherwise required by applicable law (and shall inform the Agency of that legal requirement before processing, unless applicable law prevents it doing so on important grounds of public interest).
5.2. If OIIKII believes that any instruction received by it from the Agency is likely to infringe the Data Protection Laws it shall promptly inform the Agency and be entitled to cease to provide the relevant Services until the parties have agreed appropriate amended instructions which are not infringing. The Fees payable to OIIKII shall not be discounted or set-off as a result of any delay or non-performance of any obligation in accordance with this clause 5.2.
6.1. OIIKII shall implement and maintain the technical and organisational measures set out in Part B of this Addendum to protect the Protected Data against accidental, unauthorised or unlawful destruction, loss, alteration, disclosure or access.
6.2. During the period in which OIIKII processes any Protected Data, the Agency shall undertake a documented assessment at least every 12 months of whether the security measures implemented in accordance with clause 6.1 of this Part A are sufficient (taking into account the state of technical development and the nature of processing) to protect the Protected Data against accidental, unauthorised or unlawful destruction, loss, alteration, disclosure or access. The Agency shall notify OIIKII within 10 days of full details of the assessment and its outcome and of any additional measures the Agency believes are required as a result of the assessment. OIIKII shall not be obliged to implement any further or alternative security measures except as agreed as a binding variation of this Agreement.
7.1. OIIKII shall:
7.1.1. not permit any processing of Protected Data by any Sub-Processor without the prior specific written authorisation of the Agency;
7.1.2. prior to any Sub-Processor carrying out any processing activities in respect of the Protected Data, ensure such Sub-Processor is appointed under a binding written contract containing materially the same obligations as under this Addendum (including those relating to sufficient guarantees to implement appropriate technical and organisational measures) and ensure such Sub-Processor complies with all such obligations;
7.1.3. remain fully liable to the Agency under this Agreement for all the acts and omissions of each Sub-Processor as if they were its own; and
7.1.4. ensure that all natural persons authorised by OIIKII or any Sub-Processor to process Protected Data are subject to a binding written contractual obligation to keep the Protected Data confidential.
The Agency hereby grants general authority to authorise OIIKII to engage its Affiliates and any third parties approved by OIIKII to act as Sub-Processors to OIIKII under this Agreement (the “Sub-Processors”), including as to new or replacement Sub-Processors. Notwithstanding this general authorisation, OIIKII will notify Client of any intended changes to its Sub-Processors and give the Agency a reasonable opportunity, which shall not exceed ten (10) days, to object on commercially reasonable grounds to any such changes. OIIKII agrees that it will enter into a written contract with each such Sub-Processor that includes terms equivalent to those set out in this Agreement, and remains fully liable to the Agency for the performance of each such Sub-Processor’s obligations thereunder.
9.1. OIIKII shall (at the Agency’s cost and expense) assist the Agency in ensuring compliance with the Agency’s obligations pursuant to Articles 32 to 36 of the GDPR taking into account the nature of the processing and the information available to OIIKII.
9.2. OIIKII shall (at the Agency’s cost and expense) and taking into account the nature of the processing, assist the Agency (by appropriate technical and organisational measures), insofar as this is possible, for the fulfilment of the Agency’s obligations to respond to requests for exercising the Data Subjects’ rights under Chapter III of the GDPR in respect of any Protected Data.
9.3. OIIKII shall promptly refer to the Agency all requests it receives for exercising any Data Subjects’ rights under Chapter III of the GDPR which relate to any Protected Data. It shall be the Agency’s responsibility to reply to all such requests as required by applicable law.
To the extent that Applicable Data Protection Law applies to the processing of User Personal Data, OIIKII agrees that it will not transfer Protected Data out of the EEA, or the United Kingdom, to a country that has not been identified by the ICO, European Commission or a Supervisory Authority under Data Protection Law as a country that provides an adequate level of data protection except where OIIKII has ensured appropriate safeguards are in place, such as the Standard Contractual Clauses or International Data Transfer Agreement approved by the European Commission unless otherwise required by applicable law.
OIIKII shall, in accordance with Data Protection Laws, make available to the Agency on request such information that is in its possession or control as is necessary to demonstrate OIIKII’s compliance with the obligations placed on it under this Addendum and to demonstrate compliance with the obligations on each party imposed by Article 28 of the GDPR, and allow for and contribute to audits, including inspections, by the Agency (or another auditor mandated by the Agency) for this purpose (subject to a maximum of one audit request in any 12-month period under this clause 12).
OIIKII shall notify the Agency without undue delay and in writing on becoming aware of any Personal Data Breach in respect of any Protected Data.
13.1. On the end of the provision of the Services relating to the processing of Protected Data (the Processing End Date), at the Agency’s cost and expense and the Agency’s option, OIIKII shall either return all of the Protected Data to the Agency or securely dispose of the Protected Data (and thereafter promptly delete all existing copies of it) except to the extent that any applicable law requires OIIKII to store such Protected Data. To the extent the Agency has not notified OIIKII within 14 of the Processing End Date that it requires the return of any Protected Data OIIKII is irrevocably authorised to securely dispose of the Protected Data at the Agency’s cost and expense.
14.1. This Addendum shall survive termination or expiry of this Agreement:
14.1.1. indefinitely in the case of clauses 4 and 14 of this Part A; and
14.1.2. in the case of all other clauses and provisions of this Addendum, until the later of: