OCP Data Privacy Policy

1.1.

Omilia warrants and undertakes in respect of all Personal Data that it processes on behalf of Data Controller that at all times:

1.2.

To ensure that Data Controller’s instructions in respect of any Personal Data can be carried out as required under this Agreement, Omilia shall have in place appropriate processes and any associated technical measures that will ensure that Data Controller ’s instructions can be complied with, including the following:

1.3.

Omilia shall comply with the GDPR as well as with the applicable national Privacy Law and any other relevant data protection and privacy law, regulations and other regulatory requirements, guidance or statutory codes of practice to which Omilia is subject, and shall not perform its obligations under the Master Agreement in relation to the Personal Data in such a way as to cause Data Controller, Data Controller Group Companies to breach any of their obligations under applicable Privacy Law.

1.4.

Omilia shall give Data Controller such co-operation, assistance and information as Data Controller may reasonably request to enable it to comply with its obligations under any applicable Privacy Law and co-operate and comply with the directions or decisions of a relevant Privacy Authority, and in each case within such time as would enable that other party to meet any time limit imposed by the Privacy Authority.

1.5.

Prior to commencing the processing, and any time thereafter, Omilia shall promptly inform Data Controller if, in its opinion,

1.6.

Omilia shall not be entitled for reimbursement of any reasonable costs which Omilia may incur as a result of, or in connection with, complying with Data Controller ’s instructions for the purposes of providing the Services and/or with any of its obligations under this Agreement or any applicable Privacy Law and any other relevant data protection and privacy law, regulations and other regulatory requirements, guidance or statutory codes of practice to which Omilia is subject.

1.7.

Omilia shall provide within 5 (five) calendar days following the receipt of Data Controller’s request a written record of the processing of Personal Data by Omilia on behalf of Data Controller, and unless otherwise specified in this Agreement (including in Schedule 2 and the processing Appendices), such record shall include:

1.8.

The Parties shall amend the respective processing Appendix in the case of any change related to the details of the processing (as stated in the given processing Appendix) where agreed by the Parties or otherwise permitted by this Agreement.

2.1.

Omilia shall keep Personal Data logically separate to data processed on behalf of any other third party.

2.2.

Omilia maintains and shall continue to maintain appropriate technical and organisational security measures to protect such Personal Data against accidental or unlawful destruction or accidental loss, damage, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and in addition shall comply with the Data Controller Group Minimum Security Requirements.

6.1.

Omilia shall not subcontract or outsource any processing of Personal Data to any other person or entity, including Omilia Group Companies (“Sub-Processor”) unless and until:

6.2.

No Sub-Processor shall carry out processing in relation to the Services other than as previously notified to, and not objected to, by Data Controller.

6.3.

If requested by Data Controller, Omilia shall procure that any third party Sub-Processor appointed by Omilia pursuant to this Clause 7 shall enter into a data processing agreement with Data Controller on substantially the same terms as this Agreement.

6.4.

In all cases, Omilia shall remain fully liable to Data Controller for any act or omission performed by Sub-Processor or any other third party appointed by it as if they were the acts or omissions of the processor, irrespective of whether Omilia complied with its obligations specified in the above Clause 7.1.

6.5.

Where a breach of this Agreement is caused by the actions of a Sub-Processor, Omilia shall – if requested by Data Controller – assign to Data Controller the rights of Omilia to take action under the processor’s contract with the Sub-Processor. Data Controller may take action as it deems necessary in order to protect and safeguard Personal Data.

7.1.

Omilia shall notify Data Controller in writing as soon as possible in the circumstances but no later than within 24 hours after becoming aware of any accidental, unauthorized, or unlawful destruction, loss, alteration, or disclosure of, or access to, Personal Data (“Security Breach“). Such notification shall include (i) a detailed description of the Security Breach, (ii) the type of data that was the subject of the Security Breach and (iii) the identity of each affected person (or, where not possible, the approximate number of Data Subjects and of Personal Data records concerned). Omilia shall communicate to Data Controller in such notification (i) the name and contact details of the processor’s data protection officer or other point of contact where more information can be obtained; (ii) a description of the likely consequences of the Security Breach; (iii) a description of the measures taken or proposed to be taken by Omilia to address the Security Breach, including, where appropriate, measures to mitigate its possible adverse effects; and additionally in such notification or thereafter (iv) as soon as such information can be collected or otherwise becomes available, any other information Data Controller may reasonably request relating to the Security Breach.

7.2.

Omilia shall immediately investigate the Security Breach and identify, prevent and make best efforts to mitigate the effects of any Security Breach in accordance with its obligations under this Agreement and, subject to Data Controller’s prior agreement, carry out any recovery or other action necessary to remedy the Security Breach. Omilia shall not release or publish any filing, communication, notice, press release, or report concerning any Security Breach in respect of Personal Data (“Publicity“) without Data Controller’s prior written approval. The actions and steps described in this Clause 8 shall, without prejudice to Data Controller’s right to seek any legal remedy (including the claim for reimbursement of Data Controller’s costs of legal action against Omilia or Sub-Processor) as a result of the breach, be undertaken at the expense of Omilia and Omilia shall pay for or reimburse Data Controller for all costs, losses and expenses relating to the cost of preparing and publishing Publicity.

9.1.

Omilia shall, and shall procure that any Sub-Processor shall, permit Data Controller access to its premises, computer and other information systems, records, documents and agreements as reasonably required by the Sub-Processor to check that Omilia and/or its Sub-Processors are complying with their obligations under the Master Agreement (or any subsequent sub-processing contract) or any applicable Privacy Law. Any review in accordance with clause 10.1 shall not require the review of any third party data and that such reviewing entity enters into such confidentiality obligations with Omilia or with the relevant Sub-Processor as may be reasonably necessary to respect the confidentiality of the Processor’s or Sub-Processor’s business interests and third party data and information of which the reviewing entity may become aware in the course of undertaking the review. The Auditing Party shall bear its own costs in relation to such audit, unless the audit reveals any non-compliance with processor’s or Sub-Processor’s obligations under any applicable Privacy Law or this Agreement or any subsequent sub-processing contract, in which case the costs of the audit shall be borne by the processor.

9.2.

Omilia shall, and shall procure that any Sub-Processor shall permit at its own costs the Privacy Authorities to conduct a data protection audit with regards to the Processing carried out by Omilia or Sub-Processor in accordance with the applicable Privacy Law.

10.1.

Omilia shall delete Personal Data from the Service(s) in accordance with the retention policies set out in the relevant processing Appendix for the Service(s) and at such other times as may be required from time to time by Data Controller.

10.2.

Upon termination or expiry of any of the relevant Services, in respect of such Services any remaining Personal Data shall, at Data Controller’s option, be destroyed or returned to Data Controller, along with any medium or document containing Personal Data.

10.3.

Upon termination or expiry of the Agreement, any remaining Personal Data shall, at Data Controller’s option, be destroyed or returned to Data Controller, along with any medium or document containing Personal Data.

11.1.

Formal written notices to be given under, or in connection with, this Agreement shall be made in writing in English and shall be deemed to have been duly given: (i) when delivered, if delivered by messenger during the hours of 9.00am to 5.00pm EEST; (ii) when sent, if transmitted by facsimile transmission (transmission confirmed) during the hours of 9.00am to 5.00pm EEST; and (iii) on the fifth business day following posting, if posted by signed for (postage prepaid) mail or the equivalent in the country of posting. The addresses for services shall be set out in the relevant processing Appendix.

11.2.

Communications not requiring formal written notices may be conducted by email.

12.1.

Requests from governmental authorities or Data Controllers: Omilia shall, and shall procure that the Sub-Processor shall inform Data Controller promptly (and in any event within one (1) business day of receipt or sooner if required to meet with any earlier time-limit) of any inquiry, communication, request or complaint from: