Data Processing Policy
1) Data Protection
1.1 ArtAML has agreed to provide Services to the Client. In the performance of such Services, ArtAML will process Protected Data (defined below) on behalf of the Client.
1.2 In consideration for the Client engaging the services of ArtAML, ArtAML shall:
1.2.1 comply with the data security, confidentiality and other obligations imposed on it under this Data Processing Agreement, and
1.2.2 in line with the Data Protection Legislation, ensure that technical and organisational measures are undertaken to:
a) prevent unauthorised release of, or unauthorised access to, all Protected Data accessed, processed or received by ArtAML from or through the Client;
b) prevent unauthorised access to the Client’s information and communication systems (“Systems”) by or through any of ArtAML’s Personnel or ArtAML systems, and;
c) maintain the security and integrity of ArtAML’s systems in furtherance of the foregoing.
1.3 For the purposes of this Data Processing Agreement:
ArtAML Personnel means all employees, staff, other workers, agents and consultants of ArtAML and of any sub-contractors who are engaged in the provision of the Services under this Data Processing Agreement from time to time;
Business Purposes means the Services described in this Data Processing Agreement or relevant Main Agreement or any other purpose specifically identified in Appendix A;
Data Protection Officer, Personal Data Breach and Processing shall bear their respective meanings given in the Data Protection Legislation;
Data Protection Legislation means the UK Data Protection Legislation and for so long as applicable to the UK any other European Union legislation relating to personal data and all other legislation and regulatory requirements in force from time to time which apply to a party relating to the use of personal data (including, without limitation, the privacy of electronic communications);
Data Subject Requests means a request made by a Data Subject to exercise any rights of Data Subjects under Data Protection Legislation relating to the Protected Data;
Main Agreement means a commercial agreement entered into by the parties to which this Data Processing Agreement is incorporated;
Protected Data means any personal data received from or on behalf of the Client or otherwise obtained, created, generated, transmitted, stored or processed in connection with the performance of the ArtAML’s obligations under this Data Processing Agreement or the Main Agreement and which is not Anonymised Data (as defined below);
UK Data Protection Legislation means all applicable data protection and privacy legislation in force from time to time in the UK including the General Data Protection Regulation ((EU) 2016/679); the Data Protection Act 2018; the Privacy and Electronic Communications Directive 2002/58/EC (as updated by Directive 2009/136/EC) and the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426) as amended.
1.4 ArtAML and the Client acknowledge that for the purposes of the Data Protection Legislation, the Client is the Data Controller and ArtAML is the Data Processor of any Protected Data in relation to which ArtAML is providing the Services.
1.5 Appendix 1 sets out the details of the processing of personal data as required by Article 28(3) of the GDPR. The Client may make reasonable amendments to Appendix 1 by written notice to ArtAML from time to time as the Client reasonably considers necessary to meet those requirements.
1.6 In the event of any conflict between the terms of this Data Processing Agreement and the Main Agreement, this Data Processing Agreement shall prevail.
2) Personal Data Types and Processing Purposes
2.1 The Client and ArtAML acknowledge that for the purpose of the Data Protection Legislation, the Client is the controller and ArtAML is the processor.
2.2 The Client retains control of the Protected Data and remains responsible for its compliance obligations under the applicable Data Protection Legislation, including providing any required notices, and the Client further warrants to ArtAML that:
2.2.1 it has obtained and will obtain and maintain any necessary consents and has a lawful basis for any processing instructions it gives to ArtAML; and
2.2.2 it has in place and will maintain in place appropriate technical and organisational measures against:
a) unauthorised or unlawful processing, access, disclosure, copying, modification, storage, reproduction, display or distribution of Protected Data;
b) accidental or unlawful loss, destruction, alteration, disclosure or damage of Protected Data;
c) hacking, or unauthorised access or technical or physical disruption to its hosting, systems or services (including ensuring the security, confidentiality, integrity, availability and resilience of its hosting, systems and services);
and shall ensure that availability of and access to Protected Data can be restored in a timely manner after an incident, and shall regularly test, assess and evaluate the effectiveness of its systems and the technical and organisational measures adopted by it, including as set out in this clause 2.2.2.
ArtAML may, during and after the termination of this Data Processing Agreement, use and disclose anonymised analytical data derived from the Protected Data (Anonymised Data) to third parties without the consent of the Client.
3) Obligations of ArtAML
3.1 ArtAML will only process the Protected Data to the extent, and in such a manner, as is necessary for the Business Purposes in accordance with the Client’s written instructions. ArtAML will not process the Protected Data in a way that does not comply with this Data Processing Agreement or Main Agreement or the Data Protection Legislation. ArtAML must promptly notify the Client if, in its opinion, the Client’s instruction would not comply with the Data Protection Legislation.
3.2 ArtAML must comply with any Client instruction requiring ArtAML to amend, transfer, delete or otherwise process the Protected Data, or to stop, mitigate or remedy any unauthorised processing.
3.3 ArtAML will maintain the confidentiality of all Protected Data and will not disclose Protected Data to third parties unless the Client or this Data Processing Agreement, or relevant Main Agreement, specifically authorises the disclosure, or if the Protected Data is anonymised by ArtAML, or as required by law.
3.4 If a law, court, regulator or supervisory authority requires ArtAML to process or disclose Protected Data, ArtAML will use reasonable endeavours to first inform the Client of the legal or regulatory requirement and give the Client an opportunity to object or challenge the requirement, unless the law prohibits such notice.
3.5 ArtAML will reasonably assist the Client with meeting the Client’s compliance obligations under the Data Protection Legislation, taking into account the nature of ArtAML’s processing and the information available to ArtAML, including in relation to Data Subject rights, data protection impact assessments and reporting to and consulting with supervisory authorities under the Data Protection Legislation.
3.6 The Client must promptly notify ArtAML of any changes to Data Protection Legislation that may adversely affect ArtAML’s performance of this Data Processing Agreement, or relevant Main Agreement.
3.8 ArtAML will only collect Protected Data for the Client using a notice or method that the Client specifically pre-approves and that states the purpose or purposes for which the Protected Data will be processed, together with any other information that, having regard to the specific circumstances of the collection and expected processing, is required to enable fair processing.
4.1 ArtAML will implement and maintain in place appropriate technical and organisational measures against unauthorised or unlawful processing, access, disclosure, copying, modification, storage, reproduction, display or distribution of Protected Data, and against accidental or unlawful loss, destruction, alteration, disclosure or damage of Protected Data.
4.2 ArtAML will implement such measures to ensure a level of security appropriate to the risk involved, including as appropriate:
4.2.1 the encryption of Protected Data;
4.2.2 the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
4.2.3 the ability to restore the availability and access to Protected Data in a timely manner in the event of a physical or technical incident;
4.2.4 a process for regularly testing, assessing and evaluating the effectiveness of security measures; and
4.2.5 the anonymisation of any Protected Data required for analytical data purposes.
5) Breach Notification
5.1 ArtAML shall:
5.1.1 notify the Client if it becomes aware of any unauthorised or unlawful processing of, loss of, damage to or destruction or corruption of, the Protected Data, or any attempts to gain unauthorised access to Protected Data; any such notification must, at the very least, contain the information required by Data Protection Legislation;
5.1.2 within forty-eight (48) hours, provide the Client with sufficient information to allow the Client to meet any notification obligations to report or inform Data Subjects and/or the ICO or any other supervisory or regulatory body of any such breach under Data Protection Legislation;
5.1.3 except where required to do so by law, not notify a Data Subject, the ICO or any other supervisory or regulatory body or any other third party of an actual or suspected breach (and shall treat the existence and circumstances of such actual or suspected breach as confidential information);
5.1.4 following such breach or attempted breach of security, investigate and report on the cause of the breach, including proposed corrective action;
5.1.5 provide full co-operation to the Client to assist the Client with any investigation relating to security, mitigation, remediation or any other action which is carried out by or on behalf of the Client in respect of such breach; and
5.1.6 where possible, restore, re-constitute and/or reconstruct such Protected Data unless the matter arose from the Client’s specific instructions, negligence, wilful default or breach of this agreement or the Agreement, in which case the Client shall cover all reconstitution or reconstruction expenses.
6) ArtAML Personnel
6.1 ArtAML shall ensure that access to the Protected Data is strictly limited to:
6.1.1 such ArtAML Personnel who need access to the Protected Data to assist the Client in meeting the Client’s obligations under this Data Processing Agreement or relevant Main Agreement; and
6.1.2 in the case of any access by ArtAML Personnel, such part or parts of the Protected Data as is strictly necessary for performance of such person’s duties in delivering the Services.
6.2 ArtAML shall ensure that all ArtAML Personnel who have access to and/or process Protected Data:
6.2.1 are informed of the confidential nature of the Protected Data and have signed written confidentiality undertakings in respect of the Protected Data;
6.2.2 have undertaken adequate training on compliance with Data Protection Legislation; and
6.2.3 are aware both of ArtAML’s duties and their personal duties and obligations under such laws and this Data Processing Agreement.
7) Rights of the Data Subject
7.1 At all times whilst it is engaged to provide the Services, ArtAML shall implement and maintain in place appropriate technical and organisational measures to assist the Client in the fulfilment of the Client’s obligation to respond to Data Subject Requests under Data Protection Legislation. ArtAML shall notify the Client promptly (and in any event within twenty-four (48) hours) if it receives a Data Subject Request.
7.2 ArtAML shall provide the Client with full co-operation, information and assistance in relation to any Data Subject Request.
7.3 Except where required to do so by law, ArtAML shall not disclose any Protected Data to any Data Subject or to a third party other than at the request of, with the prior written consent of, and on the documented instructions of the Client or as provided for in this Data Processing Agreement.
8) Rights of the Client
ArtAML shall promptly make available to the Client on request all information necessary to demonstrate compliance with this Data Processing Agreement and with Data Protection Legislation. The Client is entitled, on giving at least ten (10) working days’ notice to ArtAML, to inspect or appoint representatives to inspect all facilities, equipment, documents and electronic data relating to the processing of Protected Data by ArtAML.
9.2 ArtAML undertakes not to engage any Sub-processor without procuring that there are adequate measures in place to establish the legality of data transfers in compliance with the Data Protection Legislation, and ArtAML shall make known those measures to the Client in the table above, as may be amended from time to time.
10.1 ArtAML will indemnify the Client against loss or damage suffered or incurred by the Client as a result of or arising out of a breach of ArtAML’s obligations under this Data Processing Agreement but ArtAML’s liability, howsoever arising, shall not exceed the limitation of liability as set out in the Main Agreement.
10.2 Neither party shall be liable to the other for loss of profits, sales or business, agreements or contracts; anticipated savings; loss of or damage to goodwill; loss of use or corruption of software, data or information; loss or damage to premises, installation or reinstallation costs, or any indirect or consequential loss.
11.1 Nothing in this Data Processing Agreement shall be construed as preventing a party from taking such steps as are necessary to comply with its own obligations under any Data Protection Legislation or any other applicable law.
11.2 Nothing in this Data Processing Agreement is intended to, or shall be deemed to, establish any partnership or joint venture between any of the parties, constitute any party the agent of another party, nor authorise any party to make or enter into any commitments for or on behalf of any other party.
11.3 This Data Processing Agreement shall continue in full force and effect for so long as ArtAML is processing Protected Data on behalf of the Client (including without limitation during the time ArtAML is providing the Services). Except as set forth above under “Compliance with Data Security and Privacy Law,” ArtAML’s obligations under this Agreement shall continue throughout the term of the Engagement and for a period of three (3) years thereafter.
11.4 A person who is not a party to this Data Processing Agreement shall not have any rights under the Contracts (Rights of Third Parties) Act 1999 to enforce any term of this Data Processing Agreement, but this does not affect any right or remedy of a third party which exists, or is available, other than in that Act.
11.5 A reference to a statute or statutory provision is a reference to it as amended, extended or re-enacted from time to time.
11.6 In the event of any inconsistency between the terms of the Main Agreement and the terms of this Data Processing Agreement, the terms of this Data Processing Agreement shall prevail.
11.7 This Data Processing Agreement and any dispute or claim arising out of or in connection with it or its subject matter or formation (including non-contractual disputes or claims) shall be governed by and construed in accordance with the law of England and Wales and the courts of England and Wales shall have exclusive jurisdiction to settle any dispute or claim that arises out of or in connection with this Data Processing Agreement.
11.8 The parties agree to the enactment of the adoption of standard contractual clauses (SCCs) if required as a result of the UK’s exit from the EU or other circumstances in which the parties agree they are required to ensure the continued flow, safeguarding and processing of the Protected Data outside the UK or EU under the Main Agreement by ArtAML. The terms of the SCCs shall prevail only so far as the applicable law demands that they do so and cannot otherwise be superseded by the terms of this Data Processing Agreement.
THIS DATA PROCESSING AGREEMENT IS AGREED AND ENTERED INTO BY ARTAML AND THE CLIENT ON THE DATE OF THE MAIN AGREEMENT.
APPENDIX 1: ARTAML DETAILS OF PROCESSING
This Appendix includes certain details of the processing of the Protected Data as required by Article 28(3) of the General Data Protection Regulation (GDPR):