OCP Data Privacy Policy

1.1.

Omilia warrants and undertakes in respect of all Personal Data that it processes on behalf of the Data Controller that at all times:

1.2.

To ensure that Data Controller’s instructions in respect of any Personal Data can be carried out as required under this Agreement, Omilia has in place appropriate processes and any associated technical measures that ensures that Data Controller ’s instructions can be complied with, including the following:

1.3.

Omilia complies with applicable Privacy Legislation and any other relevant data protection laws, regulations, and other regulatory requirements, guidance, or statutory codes of practice to which Omilia is subject, and shall not perform its obligations under the Master Agreement in relation to the Personal Data in such a way as to cause Data Controller to breach any of their obligations under applicable Privacy Legislation.

Regulations / Acts regarding the protection of personal data, that Omilia complies with, are indicated below (the list is not exhaustive):

• The European (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“General Data Protection Regulation”, hereinafter “GDPR”);
• The United Kingdom’s General Data Protection Regulation (UK GDPR), that followed UK’s departure from the EU and the end of the ‘Transition Period’ on 31 December 2020, and is broadly aligned with the GDPR in terms of its substantive requirements;
• The Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), which applies to private-sector organizations across Canada that collect, use or disclose personal information in the course of a commercial activity;
• The California’s Consumer Privacy Act (CCPA), a state statute intended to enhance privacy rights and consumer protection for residents of California (amended by the California Privacy Rights Act (CPRA) of November 2020), as well as California Invasion of Privacy Act (CIPA);
• The Virginia’s Consumer Data Protection Act (VCDPA), that applies to entities that conduct business in Virginia or produce products or services that are targeted to residents of Virginia (“consumers”);
• The Colorado’s Privacy Act (CPA), which requires the protection of personal data of Colorado residents;
• Connecticut Consumer Data Protection Act (CTDPA) (along with Title 36a of the General Statutes of Connecticut which prescribes requirements for data breach notification) which protects personal data of Connecticut consumers;
• Utah Consumer Privacy Act which protects personal data of the residents of Utah;
• Brazilian General Personal Data Protection Law (LGPD);
• The South Africa’s Protection of Personal information Act (POPIA), and Promotion of Access to Information Act (PAIA), that apply to the processing of personal information by or for a responsible party domiciled or just makes use of processing means in the Republic of South Africa;
• The Germany Federal Data Protection Act (Bundesdatenschutzgesetz, BDSG), which applies to the entities that process personal data in Germany;
• The U.S. Health Insurance Portability and Accountability (HIPAA), which governs the protection of the health information of US individuals;
• The US Biometrics Privacy Framework, which includes: Illinois Biometric Information Privacy Act (BIPA), Texas Capture or Use of Biometric Identifier Act (CUBI), Washington Biometric Identifiers Act (RCW), New York Biometrics regulations (New York City Administrative Code Title 22 Chapter 12)
• The US Finance Privacy Framework, which includes: Gramm-Leach-Bliley Act (GLBA), Privacy of Consumer Financial Information (Regulation P), Fair Credit Reporting Act (FCRA), Dodd-Frank Act.

1.4.

Omilia shall give the Data Controller such cooperation, assistance, and information as the Data Controller may reasonably request to enable it to comply with its obligations under any applicable Privacy Law and cooperate and comply with the directions or decisions of a relevant Privacy Authority, and in each case within such time as would enable that other party to meet any time limit imposed by the Privacy Authority.

1.5.

Prior to commencing the processing, and any time thereafter, Omilia shall promptly inform Data Controller if, in its opinion,

1.6.

Omilia shall not be entitled to reimbursement of any reasonable costs which Omilia may incur as a result of, or in connection with, complying with the Data Controller’s instructions for the purposes of providing the Services and/or with any of its obligations under this Agreement or any applicable Privacy Law and any other relevant data protection and privacy law, regulations and other regulatory requirements, guidance or statutory codes of practice to which Omilia is subject.

1.7.

Omilia shall provide, within five (5) calendar days following the receipt of the Data Controller’s request, a written record of Personal Data processing by Omilia on behalf of the Data Controller, and such record shall include at minimum:

2.1.

Omilia shall keep Personal Data logically separate to data processed on behalf of any other third party.

2.2.

Omilia maintains and shall continue to maintain appropriate technical and organizational security measures to protect such Personal Data against accidental or unlawful destruction or accidental loss, damage, alteration, unauthorized disclosure, or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and in addition shall comply with the Data Controller Minimum Security Requirements.

6.1.

Omilia shall not subcontract or outsource any processing of Personal Data to any other person or entity, including Omilia Group Companies (“Sub-Processor”) unless and until:

6.2.

No Sub-Processor shall carry out processing in relation to the Services other than as previously notified to, and not objected to, by Data Controller.

6.3.

If requested by Data Controller, Omilia shall procure that any third party Sub-Processor appointed by Omilia pursuant to this Clause 6 shall enter into a data processing agreement with Data Controller on substantially the same terms as this Agreement.

6.4.

In all cases, Omilia shall remain fully liable to Data Controller for any act or omission performed by the Sub-Processor or any other third party appointed by it as if they were the acts or omissions of the Processor, irrespective of whether Omilia complied with its obligations specified in the above Clause 6.1.

6.5.

Where a breach of this Agreement is caused by the actions of a Sub-Processor, Omilia shall – if requested by Data Controller – assign to Data Controller the rights of Omilia to take action under the Processor’s contract with the Sub-Processor. Data Controller may take action as it deems necessary in order to protect and safeguard Personal Data.

7.1.

Omilia shall notify Data Controller in writing as soon as possible in the circumstances but no later than within fourty-eight (48) hours after becoming aware of any accidental, unauthorized, or unlawful destruction, loss, alteration, or disclosure of, or access to, Personal Data (“Security Breach“). Such notification shall include (i) a detailed description of the Security Breach, (ii) the type of data that was the subject of the Security Breach, and (iii) the identity of each affected person (or, where not possible, the approximate number of Data Subjects and of Personal Data records concerned). Omilia shall communicate to Data Controller in such notification (i) the name and contact details of Omilia’s and/or any involved Sub-Processor’s data protection officer or another point of contact where more information can be obtained; (ii) a description of the likely consequences of the Security Breach; (iii) a description of the measures taken or proposed to be taken by Omilia to address the Security Breach, including, where appropriate, measures to mitigate its possible adverse effects; and additionally in such notification or thereafter (iv) as soon as such information can be collected or otherwise becomes available, any other information Data Controller may reasonably request relating to the Security Breach.

7.2.

Omilia shall immediately investigate the Security Breach and identify, prevent and make best efforts to mitigate the effects of any Security Breach in accordance with its obligations under this Agreement and, subject to the Data Controller’s prior agreement, carry out any recovery or other action necessary to remedy the Security Breach. Omilia shall not release or publish any filing, communication, notice, press release, or report concerning any Security Breach in respect of Personal Data (“Publicity“) without Data Controller’s prior written approval. The actions and steps described in this Clause 7 shall, without prejudice to the Data Controller’s right to seek any legal remedy (including the claim for reimbursement of Data Controller’s costs of legal action against Omilia or Sub-Processor) as a result of the breach, be undertaken at the expense of Omilia, and Omilia shall pay for or reimburse Data Controller for all costs, losses, and expenses relating to the cost of preparing and publishing Publicity.

9.1.

Omilia shall, and shall procure that any Sub-Processor shall, permit Data Controller access to its premises, computer, and other information systems, records, documents, and agreements as reasonably required by the Sub-Processor to check that Omilia and/or its Sub-Processors are complying with their obligations under the Master Agreement (or any subsequent sub-processing contract) or any applicable Privacy Law. Any review in accordance with Clause 9.1 shall not require the review of any third-party data and that such reviewing entity enters into such confidentiality obligations with Omilia or with the relevant Sub-Processor as may be reasonably necessary to respect the confidentiality of the Processor’s or Sub-Processor’s business interests and third party data and information of which the reviewing entity may become aware in the course of undertaking the review. The Auditing Party shall bear its own costs in relation to such audit unless the audit reveals any non-compliance with the Processor’s or Sub-Processor’s obligations under any applicable Privacy Law or this Agreement or any subsequent sub-processing contract, in which case the costs of the audit shall be borne by the Processor.

9.2.

Omilia shall, and shall procure that any Sub-Processor shall, permit at its own costs the Privacy Authorities to conduct a data protection audit with regards to the Processing carried out by Omilia or Sub-Processor in accordance with the applicable Privacy Law.

10.1.

Omilia shall delete Personal Data from the Service(s) in accordance with the Omilia’s retention policy and at such other times as may be required from time to time by Data Controller. In the normal course of data retention, the following timeframes apply:

• 60 days for live data;
• 2 years for security logs;
• 5 years for aggregated data.

10.2.

Upon termination or expiry of any of the relevant Services, in respect of such Services any remaining Personal Data shall, at Data Controller’s option, be destroyed or returned to Data Controller, along with any medium or document containing Personal Data.

10.3.

Upon termination or expiry of the Agreement, any remaining Personal Data shall, at Data Controller’s option, be destroyed or returned to Data Controller, along with any medium or document containing Personal Data.

11.1.

Formal written notices to be given under, or in connection with, this Agreement shall be made in writing in English and shall be deemed to have been duly given: (i) when delivered, if delivered by messenger during the hours of 9.00am to 5.00pm EET; (ii) when sent, if transmitted by facsimile transmission (transmission confirmed) during the hours of 9.00am to 5.00pm EET; and (iii) on the fifth business day following posting, if posted by signed for (postage prepaid) mail or the equivalent in the country of posting

11.2.

Communications not requiring formal written notices may be conducted by email.

12.1.

Requests from governmental authorities or Data Controllers: Omilia shall, and shall procure that the Sub-Processor shall, inform Data Controller promptly (and in any event within two (2) business days of receipt or sooner if required to meet with any earlier time-limit) of any inquiry, communication, request or complaint from: