Yordex Ltd, trading name Yordex (“Yordex”, “we” or “our”) is committed to protecting and respecting your privacy.
This schedule is an addendum to the Yordex Terms and the Yordex Privacy Policy. It sets out how Yordex processes personal data in compliance with the General Data Protection Regulation (EU Regulation 2016/679) (the “GDPR”) and the Data Protection Act 2018 (collectively, “the Data Protection Legislation”).
WHEREAS:
(A) The Controller has appointed the Processor to undertake the Services (as defined below) on its behalf pursuant to this agreement.
(B) In order to perform the Services on the Controller’s behalf, the Processor will require certain Personal Data (as defined below) to be made available to it by the Controller.
(C) The parties now wish to enter into this agreement (as defined below) in order to regulate the provision and use of the Personal Data.
IT IS HEREBY AGREED
Definitions and Interpretation
The words and expressions below will have the meanings set out next to them:
“Data Protection Laws” means the Data Protection Act 2018 and Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), and any other law or regulation that may apply to the processing of Personal Data or privacy under any applicable jurisdiction;
“Controller” means “data controller” or “controller” as defined in the Data Protection Laws;
“Processor” means “data processor” or “processor” as defined in the Data Protection Laws;
“Data Subject” means “data subject” as defined in the Data Protection Laws;
“Personal Data” means “personal data” as defined in the Data Protection Laws and provided to the Processor by the Controller hereunder;
“Personal Data Breach” means “personal data breach” as defined in the Data Protection Laws;
“Privacy Policy” means the Yordex Privacy Policy, which can be found at https://www.yordex.com/legal/privacy-policy;
“Security Requirements” means the security requirements set out in Part 1.B of the Schedule relating to the processing of the Personal Data;
1. Processing
1.1 The Processor hereby undertakes to the Controller that it will undertake the Services in accordance with this agreement and shall process any Personal Data only in accordance with the Privacy Policy (and shall meet the Security Requirements in Part A of the Schedule) and using all reasonable skill and care throughout the term of this agreement. The Processor shall not process any other Personal Data other than as authorised to do so in the Privacy Policy, except where required by any applicable law. If it is so required, the Processor shall promptly notify the Controller before processing the Personal Data, unless prohibited from doing so by such applicable law.
1.2 The Controller and the Processor hereby acknowledge that in relation to the Personal Data and for the purposes of the Data Protection Laws, the Customer is the Controller and the Supplier is the Processor.
2. Obligations of the Controller
2.1 The Controller shall provide the Personal Data to the Processor together with such other information as the Processor may reasonably require in order for the Processor to provide the Services in accordance with this agreement.
2.2 The Controller’s legal basis for processing this information can be found in the Privacy Policy.
3. Obligations of the Processor
3.1 The Processor undertakes to the Controller that it shall process the Personal Data only in accordance with: (i) the Controller’s express written instructions from time to time; (ii) the terms of this agreement; and (iii) all Data Protection Laws.
3.2 The Processor shall ensure that only such of its employees who may be required by the Processor to assist it in meeting its obligations under this agreement shall have access to the Personal Data. The Processor shall ensure that all employees used by it to provide the Services have undergone training in the laws of data protection and in the care and handling of the Personal Data in accordance with such laws. The Processor will ensure that all of its employees who have access to the Personal Data are bound by the duty of confidentiality.
3.3 The Processor hereby agrees to assist the Controller with any request from a Data Subject, including subject information requests and a Data Subject’s other rights under the Data Protection Laws, which may be received by the Controller or the Processor from time to time without additional charge.
3.4 The Processor undertakes to the Controller that it will not disclose the Personal Data or any part thereof to any third party unless and only to the extent instructed to do so by the Controller, except as necessary to comply with European Union or UK law to which it is subject.
3.5 The Processor undertakes to the Controller that it will not export the Personal Data or any part thereof outside the European Economic Area in any circumstances other than with the specific written permission of the Controller.
3.6 The Processor shall provide such cooperation as the Controller reasonably considers to be necessary to enable the Controller to verify the Processor’s compliance with the Data Protection Laws and the terms of this agreement. Such cooperation may include allowing its data processing facilities, procedures and documentation to be submitted for scrutiny by auditors of the Controller.
3.7 The Processor warrants that it has appropriate operational and technological processes and procedures in place to safeguard against any unauthorised or accidental access, loss, destruction, damage, theft, use or disclosure of the Personal Data and in order for it to comply with the Security Requirements set out in Part A of the Schedule. The Processor further undertakes to maintain such processes and procedures for the term of this agreement.
3.8 The Processor shall promptly assist the Controller in complying with any obligations under the Data Protection Laws in respect of the Processor’s processing of the Personal Data only, including obligations to investigate, remediate and provide information to regulatory authorities or Data Subjects about Personal Data Breaches (as such term is defined in the Data Protection Laws) without undue delay, to carry out privacy impact assessments and to consult with regulatory authorities regarding processing which is the subject of a privacy impact assessment.
3.9 The Processor shall notify the Controller’s Data Protection Officer promptly if: (a) it receives a legally binding request for disclosure of the Personal Data by a law enforcement authority unless otherwise prohibited; (b) it is of the opinion that an instruction from the Controller violates applicable European Union or UK law, unless it is legally prohibited from notifying the Controller on important grounds of public interest.
3.10 The Processor shall, without undue delay and in any event within twenty-four (24) hours of becoming aware, notify the Controller’s Data Protection Officer in writing of any Personal Data Breach. The Processor will provide all reasonable assistance to the Controller regarding any Personal Data Breach. The Processor will also provide all reasonable assistance to the Controller in relation to its obligations to notify the regulatory authorities and affected Data Subjects. The Processor must have a written data security incident/breach policy or procedure in place.
4. Indemnity
The Processor hereby agrees to indemnify the Controller against all losses, costs, expenses, damages, liabilities, demands, claims, fines, actions or proceedings which the Controller may incur arising out of any breach by the Processor of Clause 5 and/or Clause 8.
5. Ownership
5.1 All right, title and interest in the Confidential Information shall vest solely in the Controller or its licensees.
6. Consequences of Termination
6.1 On termination of this agreement for whatever reason, the Processor shall cease to use the Personal Data and Confidential Information and shall arrange for the prompt and safe return of all Personal Data and Confidential Information belonging to the Controller, together with all copies of the Personal Data and Confidential Information in its possession or control or that of its agents or contractors, save where it is required to retain such data for compliance with applicable European Union or UK law or card scheme rules.
6.2 Termination of this agreement shall not affect any rights or obligations of either party which have accrued prior to the date of termination and all provisions which are expressed to, or do by implication, survive the termination of this agreement shall remain in full force and effect.
7. Assignation & Subcontracting
7.1 The Processor shall, at all times, be responsible as between itself and the Controller for the observance by its assignees and sub-contractors of the obligations contained in this agreement as if such assignees and sub-contractors were the Processor.
7.2 The Processor shall: (i) ensure that it has a written contract (the "Processing Contract") in place with the relevant subcontractor which meets the requirements of the Data Protection Laws and which imposes on the subcontractor the same obligations in respect of processing of the Controller’s Personal Data as are imposed on the Processor under this agreement; and (ii) remain fully liable to the Controller for any acts or omissions of the subcontractor under the Processing Contract.
8. Restricted Transfers
8.1 Subject to clause 8.3, the Controller (as "data exporter") and the Processor (as "data importer") hereby enter into the Model Clauses in respect of any Restricted Transfer from the Controller to the Processor.
8.2 The Model Clauses shall come into effect under clause 8.1 on the earlier of:
8.2.1 the data exporter becoming a party to them;
8.2.2 the data importer becoming a party to them; and
8.2.3 commencement of the relevant Restricted Transfer.
8.3 Clause 8.1 shall not apply to a Restricted Transfer unless its effect, together with other reasonably practicable compliance steps (which, for the avoidance of doubt, do not include obtaining consents from Data Subjects), is to allow the relevant Restricted Transfer to take place without breach of the Data Protection Laws.
9. General Terms
Changes in Data Protection Laws, etc.
9.1 The Controller may:
9.1.1 by at least 30 (thirty) calendar days' written notice to the Processor from time to time, make any variations to the Standard Contractual Clauses (including any Standard Contractual Clauses entered into under clause 8.1), as they apply to Restricted Transfers which are subject to particular Data Protection Laws, which are required, as a result of any change in, or decision of a competent authority under, those Data Protection Laws, to allow those Restricted Transfers to be made (or continue to be made) without breach of those Data Protection Laws; and
9.1.2 propose any other variations to this agreement which the Controller reasonably considers to be necessary to address the requirements of the Data Protection Laws or any guidance issued by the UK Information Commissioner from time to time.
9.2 If the Controller gives notice under clause 9.1.1:
9.2.1 the Processor shall ensure (and ensure that any affected Sub-processors promptly co-operate) that equivalent variations are made to any agreement put in place under clause 7; and
9.2.2 the Controller shall not unreasonably withhold or delay agreement to any consequential variations to this agreement proposed by the Processor to protect the Processor against additional risks associated with the variations made under clause 9.1.1.
9.3 If the Controller gives notice under clause 9.1.1, the parties shall promptly discuss the proposed variations and negotiate in good faith with a view to agreeing and implementing those or alternative variations designed to address the requirements identified in the Controller's notice as soon as is reasonably practicable.
A. Security Requirements
1. In performing the Services pursuant to this agreement, the Processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to processing risks as per Article 32 of the GDPR, including inter alia as appropriate:
a) The pseudonymisation and encryption of personal data
b) The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services
c) The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
d) A process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing
2. In assessing the appropriate level of security, account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.
3. The Processor shall take steps to ensure that any person or employee acting under the authority of the Processor who has access to the personal data does not process it except on the instructions set out in this agreement.