1. PROCESSING ACCORDING TO THE INSTRUCTIONS OF DATA CONTROLLER
Omilia warrants and undertakes in respect of all Personal Data that it processes on behalf of Data Controller that at all times:
It shall only process such Personal Data for the purposes of providing the Services and as may subsequently be agreed by the Parties in writing and, in so doing, shall act solely on the documented instructions of Data Controller;
It shall not itself exercise control, nor shall it transfer, or purport to transfer, control of such Personal Data to a third party, except as it may be specifically instructed, in documented form, to do so by Data Controller;
It shall not process, apply or use the Personal Data for any purpose other than as required and is necessary to provide the Services;
It shall not process Personal Data for its own purposes or include Personal Data in any product or service offered to third Parties;
It shall complete a separate processing Appendix for each Service that requires the processing of Personal Data.
To ensure that Data Controller’s instructions in respect of any Personal Data can be carried out as required under this Agreement, Omilia shall have in place appropriate processes and any associated technical measures that will ensure that Data Controller’s instructions can be complied with, including the following:
Requests by individual Data Subjects to Data Controller, or any exercise of privacy rights, in respect of their Personal Data from time to time can be implemented;
Provision of appropriate interfaces or support for other processes of Data Controller in ensuring information is provided to Data Subjects as required by the GDPR and the applicable national Privacy Law;
Updating, amending or correcting the Personal Data of any individual upon request of Data Controller from time to time;
Cancelling or blocking access to any Personal Data upon receipt of instructions from Data Controller;
The flagging of Personal Data files or accounts to enable Data Controller to apply particular rules to individual Data Subject’s Personal Data, such as the suppression of marketing activity.
Omilia shall comply with the GDPR as well as with the applicable national Privacy Law and any other relevant data protection and privacy law, regulations and other regulatory requirements, guidance or statutory codes of practice to which Omilia is subject, and shall not perform its obligations under the Master Agreement in relation to the Personal Data in such a way as to cause Data Controller or Data Controller Group Companies to breach any of their obligations under applicable Privacy Law.
Omilia shall give Data Controller such co-operation, assistance and information as Data Controller may reasonably request to enable it to comply with its obligations under any applicable Privacy Law and co-operate and comply with the directions or decisions of a relevant Privacy Authority, and in each case within such time as would enable that other party to meet any time limit imposed by the Privacy Authority.
Prior to commencing the processing, and any time thereafter, Omilia shall promptly inform Data Controller if, in its opinion,
An instruction from Data Controller infringes any applicable Privacy Law; or
Omilia is subject to legal requirements that would make it unlawful or otherwise impossible for Omilia to act according to Data Controller’s instructions or to comply with applicable Privacy Law.
Omilia shall not be entitled to reimbursement of any reasonable costs which Omilia may incur as a result of, or in connection with, complying with Data Controller’s instructions for the purposes of providing the Services and/or with any of its obligations under this Agreement or any applicable Privacy Law and any other relevant data protection and privacy law, regulations and other regulatory requirements, guidance or statutory codes of practice to which Omilia is subject.
Omilia shall provide within 5 (five) calendar days following the receipt of Data Controller’s request a written record of the processing of Personal Data by Omilia on behalf of Data Controller, and unless otherwise specified in this Agreement (including in Schedule 2 and the processing Appendices), such record shall include:
The name and contact details of Omilia or processors and of each controller on behalf of which Omilia is acting, and, where applicable, of the controller’s or the processor’s representative, and the data protection officer;
The categories of processing carried out on behalf of each controller;
Where applicable, transfers of personal data to a third country (where third country is any country outside the EU) or an international organisation, including the identification of that third country or international organisation.
The Parties shall amend the respective processing Appendix in the case of any change related to the details of the processing (as stated in the given processing Appendix) where agreed by the Parties or otherwise permitted by this Agreement.
2. PERSONAL INFORMATION SECURITY
Omilia shall keep Personal Data logically separate to data processed on behalf of any other third party.
Omilia maintains and shall continue to maintain appropriate technical and organisational security measures to protect such Personal Data against accidental or unlawful destruction or accidental loss, damage, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and in addition shall comply with the Data Controller Group Minimum Security Requirements.
3. SECURITY OF COMMUNICATIONS
Omilia shall undertake appropriate technical and organisational measures to safeguard the security of any electronic communications networks or services provided to Data Controller or utilised to transfer or transmit Personal Data (including measures designed to ensure the secrecy of communications and prevent unlawful surveillance or interception of communications and gaining unauthorised access to any computer or system and thus guaranteeing the security of the communications).
4. OMILIA EMPLOYEES – CONFIDENTIALITY
Omilia shall ensure the reliability of any employees/personnel who access the Personal Data and ensure that such personnel have undergone appropriate training in the care, protection and handling of Personal Data and have entered into confidentiality provisions in relation to the processing of Personal Data that are no less onerous than those found in the Master Agreement.
5. PROCESSING OF PERSONAL DATA OUTSIDE OF THE EUROPEAN ECONOMIC AREA (EEA)
Where Personal Data originating in the European Economic Area is processed by Omilia outside the European Economic Area or in a territory that has not been designated by the European Commission as ensuring an adequate level of protection pursuant to applicable Privacy Law, the Transfer Contract Clauses shall apply to that processing. Omilia shall ensure that the processing of Personal Data does not commence until Data Controller has confirmed to Omilia that it has obtained any approvals required from relevant Privacy Authorities.
6. USE OF SUB-PROCESSORS
Omilia shall not subcontract or outsource any processing of Personal Data to any other person or entity, including Omilia Group Companies (“Sub-Processor”) unless and until:
Omilia has notified Data Controller by way of formal written notice of the full name and registered office or principal place of business of the Sub-Processor;
Omilia has provided to Data Controller details (including categories) of the processing to be carried out by the Sub-Processor in relation to the Services; and such other information as may be requested by Data Controller in order for Data Controller to comply with applicable Privacy Law or for Data Controller to notify the relevant Privacy Authority;
Omilia has imposed legally binding terms no less onerous than those contained in this Agreement on such Sub-Processor;
Data Controller has not objected to the subcontracting or outsourcing within ten (10) working days from receiving processor’s written notification set forth in Clause 7.1.1 together with the information set forth in Clause 7.1.2; and
Omilia has entered into Transfer Contract Clauses with the subcontracting third party, where the scope of subcontracting involves Data Controller’s Personal Data to be processed or stored by any means in third countries.
No Sub-Processor shall carry out processing in relation to the Services other than as previously notified to, and not objected to, by Data Controller.
If requested by Data Controller, Omilia shall procure that any third party Sub-Processor appointed by Omilia pursuant to this Clause 7 shall enter into a data processing agreement with Data Controller on substantially the same terms as this Agreement.
In all cases, Omilia shall remain fully liable to Data Controller for any act or omission performed by Sub-Processor or any other third party appointed by it as if they were the acts or omissions of the processor, irrespective of whether Omilia complied with its obligations specified in the above Clause 7.1.
Where a breach of this Agreement is caused by the actions of a Sub-Processor, Omilia shall – if requested by Data Controller – assign to Data Controller the rights of Omilia to take action under the processor’s contract with the Sub-Processor. Data Controller may take action as it deems necessary in order to protect and safeguard Personal Data.
7. PERSONAL DATA BREACH AND NOTIFICATION REQUIREMENTS
Omilia shall notify Data Controller in writing as soon as possible in the circumstances but no later than within 24 hours after becoming aware of any accidental, unauthorized, or unlawful destruction, loss, alteration, or disclosure of, or access to, Personal Data (“Security Breach”). Such notification shall include (i) a detailed description of the Security Breach, (ii) the type of data that was the subject of the Security Breach and (iii) the identity of each affected person (or, where not possible, the approximate number of Data Subjects and of Personal Data records concerned). Omilia shall communicate to Data Controller in such notification (i) the name and contact details of the processor’s data protection officer or other point of contact where more information can be obtained; (ii) a description of the likely consequences of the Security Breach; (iii) a description of the measures taken or proposed to be taken by Omilia to address the Security Breach, including, where appropriate, measures to mitigate its possible adverse effects; and additionally in such notification or thereafter (iv) as soon as such information can be collected or otherwise becomes available, any other information Data Controller may reasonably request relating to the Security Breach.
Omilia shall immediately investigate the Security Breach and identify, prevent and make best efforts to mitigate the effects of any Security Breach in accordance with its obligations under this Agreement and, subject to Data Controller’s prior agreement, carry out any recovery or other action necessary to remedy the Security Breach. Omilia shall not release or publish any filing, communication, notice, press release, or report concerning any Security Breach in respect of Personal Data (“Publicity”) without Data Controller’s prior written approval. The actions and steps described in this Clause 8 shall, without prejudice to Data Controller’s right to seek any legal remedy (including the claim for reimbursement of Data Controller’s costs of legal action against Omilia or Sub-Processor) as a result of the breach, be undertaken at the expense of Omilia and Omilia shall pay for or reimburse Data Controller for all costs, losses and expenses relating to the cost of preparing and publishing Publicity.
8. PRIVACY IMPACT ASSESSMENTS
Where requested to do so by Data Controller, Omilia shall make available to Data Controller all information necessary to demonstrate Data Controller’s compliance with the applicable Privacy Law and shall assist Data Controller to carry out a privacy impact assessment of the Services and work with Data Controller to implement agreed mitigation actions to address privacy risks so identified.
9. RIGHT TO AUDIT
Omilia shall, and shall procure that any Sub-Processor shall, permit Data Controller access to its premises, computer and other information systems, records, documents and agreements as reasonably required by the Sub-Processor to check that Omilia and/or its Sub-Processors are complying with their obligations under the Master Agreement (or any subsequent sub-processing contract) or any applicable Privacy Law. Any review in accordance with clause 10.1 shall not require the review of any third party data and that such reviewing entity enters into such confidentiality obligations with Omilia or with the relevant Sub-Processor as may be reasonably necessary to respect the confidentiality of the Processor’s or Sub-Processor’s business interests and third party data and information of which the reviewing entity may become aware in the course of undertaking the review. The Auditing Party shall bear its own costs in relation to such audit, unless the audit reveals any non-compliance with processor’s or Sub-Processor’s obligations under any applicable Privacy Law or this Agreement or any subsequent sub-processing contract, in which case the costs of the audit shall be borne by the processor.
Omilia shall, and shall procure that any Sub-Processor shall, permit at its own cost the Privacy Authorities to conduct a data protection audit with regard to the Processing carried out by Omilia or the Sub-Processor in accordance with the applicable Privacy Law.
10. DELETION OF PERSONAL DATA
Omilia shall delete Personal Data from the Service(s) in accordance with the retention policies set out in the relevant processing Appendix for the Service(s) and at such other times as may be required from time to time by Data Controller.
Upon termination or expiry of any of the relevant Services, in respect of such Services any remaining Personal Data shall, at Data Controller’s option, be destroyed or returned to Data Controller, along with any medium or document containing Personal Data.
Upon termination or expiry of the Agreement, any remaining Personal Data shall, at Data Controller’s option, be destroyed or returned to Data Controller, along with any medium or document containing Personal Data.
Formal written notices to be given under, or in connection with, this Agreement shall be made in writing in English and shall be deemed to have been duly given: (i) when delivered, if delivered by messenger during the hours of 9.00am to 5.00pm EEST; (ii) when sent, if transmitted by facsimile transmission (transmission confirmed) during the hours of 9.00am to 5.00pm EEST; and (iii) on the fifth business day following posting, if posted by signed-for (postage prepaid) mail or the equivalent in the country of posting. The addresses for service shall be set out in the relevant processing Appendix.
Communications not requiring formal written notices may be conducted by email.
12. THIRD PARTY REQUESTS FOR DISCLOSURE OF PERSONAL DATA
Requests from governmental authorities or Data Controllers: Omilia shall, and shall procure that the Sub-Processor shall, inform Data Controller promptly (and in any event within one (1) business day of receipt or sooner if required to meet any earlier time-limit) of any inquiry, communication, request or complaint from:
Any governmental, regulatory or supervisory authority, including Privacy Authorities and/or
Any Data Controller; relating to the Services, any Personal Data or any obligations under applicable Privacy Law and any other relevant data protection and privacy law, regulations and other regulatory requirements, guidance or statutory codes of practice to which Omilia is subject, and shall provide all reasonable assistance to Data Controller free of cost to enable Data Controller to respond to such inquiries, communications, requests or complaints and to meet applicable statutory or regulatory deadlines. Omilia shall not, and it shall procure that any Sub-Processor shall not, disclose Personal Data to any of the persons or entities in 12.1.1 or 12.1.2 above, unless it is obliged by law or a valid and binding order of a court or other legal judicial process to disclose Personal Data and has otherwise complied with the obligations in this clause 12.1.
Requests at law:
Where Omilia or any Sub-Processor is required by law, court order, warrant, subpoena, or other legal judicial process (“Legal Request”) to disclose any Personal Data to any person or entity other than Data Controller, Omilia shall, and shall procure that any Sub-Processor shall, notify Data Controller promptly (and in any event within one (1) business day of receipt or sooner if required to meet any time-limit in the Legal Request) and shall provide all reasonable assistance to Data Controller to enable Data Controller to respond or object to, or challenge, any such demands, requests, inquiries or complaints and to meet applicable statutory or regulatory deadlines. Omilia shall not, and it shall procure that any Sub-Processor shall not, disclose Personal Data pursuant to a Legal Request unless it is obliged by law or a valid and binding order of a court or other legal judicial process to disclose Personal Data and has otherwise complied with the obligations in this clause 12.2.