The Client and Modica Group Limited (“Modica”) have executed a Service Agreement and associated Schedules (together the “Service Agreement” or the “Agreement”). It is the intention of the Parties that, where relevant, this Data Processing Schedule forms part of the Service Agreement and is integrated into the Service Agreement by reference.
This Schedule becomes effective on the 25th May 2018 or on the acceptance of the Service Agreement, whichever is later.
The Parties agree that in the event of any conflict between the Service Agreement and this Schedule, the provisions of this Schedule shall take precedence.
For the purpose of this Schedule:
Applicable Laws means (i) European Union or Member State laws with respect to any Personal Data in respect of which the Client is subject to EU Data Protection Laws; and (ii) any other applicable law with respect to any Personal Data in respect of which the Client is subject to any other Data Protection Laws;
Client means the Client, as defined in the Service Agreement, including all affiliates of that entity, if any;
Personal Data means any Personal Data Processed by Modica or a Sub-processor on behalf of the Client pursuant to or in connection with the Service Agreement;
Contracted Processor means Modica, a Sub-processor, or both collectively;
Data Protection Laws means EU Data Protection Laws and, to the extent applicable, the data protection or privacy laws of any other country;
EU Data Protection Laws means EU Directive 95/46/EC, as transposed into domestic legislation of each Member State and as amended, replaced or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR;
GDPR means EU General Data Protection Regulation 2016/679;
Services means the services and other activities to be supplied to or carried out by or on behalf of Modica for the Client pursuant to the Service Agreement; and
Sub-processor means any entity or person (including any third party, but excluding an employee of Modica or an employee of any of its sub-contractors) appointed by or on behalf of Modica to Process Personal Data on behalf of the Client in connection with the Service Agreement.
The terms “Controller”, “Data Subject”, “Rights of the Data Subject(s)”, “Member State”, “Personal Data”, “Personal Data Breach”, all forms of the verb “Process”, “Processor”, “Supervisory Authority”, and “Third Country”, whether capitalized or not, shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.
2.1. This Schedule will not apply to the processing of Personal Data, where such processing is not regulated by EU Data Protection Laws. Except where the context requires otherwise, references in this Schedule to the Service Agreement are to the Service Agreement as amended or supplemented by, and including, this Schedule.
3. Role of the Parties
3.1. In the context of this Schedule, the Client acts as a data controller and Modica acts as a data processor with regard to the Processing of Personal Data.
3.2. Modica warrants that it will:
a. comply with all applicable Data Protection Laws in the Processing of Personal Data;
b. not Process Personal Data other than on the Client’s relevant documented instructions, including with regard to transfers of personal data to a third country or an international organization, unless such Processing is required by Applicable Laws to which the relevant Contracted Processor is subject, in which case Modica shall to the extent permitted by Applicable Laws inform the Client of that legal requirement before the respective act of Processing of that Personal Data; and
c. only transfer Personal Data outside the European Economic Area (EEA), where such transfers are regulated by EU Data Protection Laws, in compliance with EU Data Protection Laws.
3.3. The Client instructs Modica (and authorises Modica to instruct each Sub-processor) to Process Personal Data, and to transfer Personal Data to those countries or territories where those Sub-processors are located, consistent with the Service Agreement and the present Schedule. In the event that in Modica’s opinion a Processing instruction given by the Client may infringe Applicable Laws, Modica shall immediately inform the Client upon becoming aware of such a Processing instruction.
4. Information to be provided by Client to Modica
4.1. The Client shall provide to Modica and also promptly update, when necessary, the information indicated below:
a. identity and contact information of the Data Protection Officer of the Client, if applicable;
b. identity and contact information of the EU representative of the Client, if applicable;
c. description of the categories of Processing carried out by Client in the Modica Service;
d. types of Personal Data to be Processed; and
e. categories of Data Subjects to whom the Personal Data relates.
5.1 The processing of Personal Data will be carried out by Modica for the duration of the Agreement unless otherwise agreed upon in writing.
6. Modica Personnel
6.1. Modica shall take reasonable steps to ensure the reliability of any employee, agent, or contractor of any Contracted Processor who may have access to the Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know or access the relevant Personal Data, as strictly necessary for the purposes of the Service Agreement, and to comply with Applicable Laws in the context of that individual's duties to the Contracted Processor, ensuring that all such individuals are subject to formal confidentiality undertakings or professional or statutory obligations of confidentiality.
7. Security of Processing
7.1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Modica shall, with regard to Personal Data, implement and maintain appropriate technical and organizational security measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR.
7.2. In assessing the appropriate level of security, Modica shall take account in particular of the risks that are presented by the nature of such Processing activities, and particularly those related to possible Personal Data Breaches.
8.1 The Client agrees that Modica may engage Sub-processors. Modica has or will enter into a written agreement with each Sub-processor containing data protection obligations not less protective than those in this Schedule to the extent applicable to the nature of the Services provided by such Sub-processor. If the Sub-processor processes the Services outside the EU/EEA, Modica shall ensure that the transfer is made pursuant to European Commission approved standard contractual clauses for the transfer of Personal Data which the Client authorizes Modica to enter into on its behalf, or that other appropriate legal data transfer mechanisms are used.
8.2 Modica shall give the Client prior written notice of the appointment of any new Sub-processor, by way of sending notice e-mails to the Client, including full details of the Processing to be undertaken by that respective Sub-processor. If within 10 days of receipt of each such notice e-mail, the Client does not explicitly notify Modica in writing of any objections (on reasonable grounds) to the proposed appointment, it shall be deemed that the Client has consented to the proposed appointment.
8.3. Modica shall notify the Client, in accordance with the mechanism set out in clause 8.2, thirty (30) days in advance of any intended changes concerning the addition or replacement of any Sub-processor, during which period the Client may raise objections to the Sub-processor’s appointment. Any objections must be raised promptly (and in any event no later than fourteen (14) days following Modica’s notification of the intended changes). Should Modica choose to retain the objected-to Sub-processor, Modica will notify the Client at least fourteen (14) days before authorising the Sub-processor to process personal data and then the Client may immediately discontinue using the relevant portion of the Services and may terminate the relevant portion of the Services. Modica will refund the Client any prepaid fees covering the remainder of the term of such relevant portion of the Service following the effective date of termination and there will be no penalty on either party.
8.4 For the avoidance of doubt, where any Sub-processor fails to fulfil its obligations under any sub-processing agreement or under applicable law Modica will remain fully liable to the Client for the fulfilment of its obligations under this Schedule.
8.5 Before the Sub-processor first Processes Personal Data (or, where relevant, in accordance with Section 8.1), Modica shall carry out adequate due diligence to ensure that the Sub-processor is capable of providing the level of protection for Personal Data required by the present Schedule, the Service Agreement, and EU Data Protection Laws.
9. Rights of the Data Subjects
9.1 Taking into account the nature of the Processing, Modica shall assist the Client by implementing appropriate technical and organizational measures, insofar as this is possible, at the Client’s expense, for the fulfilment of the Client's obligations, as reasonably understood by the Client, to respond to requests to exercise Rights of the Data Subjects under the Data Protection Laws.
9.2 With regard to Rights of the Data Subjects within the scope of this Section 9, Modica shall:
a. promptly notify the Client if Modica receives a request from a Data Subject under any Data Protection Law in respect of Personal Data; and
b. not respond to that request except on the documented instructions of the Client, or as required by Applicable Laws to which Modica is subject, in which case Modica shall, to the extent permitted by Applicable Laws, inform the Client of that legal requirement before Modica responds to the request.
10. Notification of a Data Breach
10.1 Modica shall notify the Client and/or supervisory authorities within 72 hours of Modica becoming aware of a Personal Data Breach that results in the accidental, unauthorised or unlawful destruction or unauthorised disclosure of or access to personal data, providing the Client with sufficient information to allow the Client to meet any obligations pursuant to the Data Protection Laws to report to the Supervisory Authorities and/or inform the Data Subjects of the Personal Data Breach.
10.2 Modica shall co-operate with the Client and take all reasonable commercial steps to assist the Client in the investigation, mitigation, and remediation of each such Personal Data Breach.
10.3 Modica’s notification of or response to a Personal Data Breach under this Section 10 will not be construed as an acknowledgement by Modica of any fault or liability with respect to the Personal Data Breach.
10.4 To the extent legally possible Modica may claim compensation for support services under this Clause 10 which are not attributable to failures on the part of Modica.
11. Deletion or Return of Personal Data
11.1 Modica shall provide the Client with the means to request the deletion of Personal Data within the term of this Schedule and the Service Agreement, unless Applicable Laws require retention of any such Personal Data.
12. Audit Rights
12.1 Modica shall provide the Client with relevant documentation, such as an audit report (upon a written request and subject to obligations of confidentiality), with regard to any data protection impact assessments, and prior consultations with Supervising Authorities or other competent data privacy authorities, when the Client reasonably considers that such data protection impact assessments or prior consultations are required pursuant to Article 35 or 36 of the GDPR or pursuant to the equivalent provisions of any other Data Protection Law, but in each such case solely with regard to Processing of Personal Data by, and taking into account the nature of the Processing and information available to, the respective Contracted Processors. Such audits shall be carried out at the Client’s cost and expense.
13. Client’s obligations
13.1 The Client shall comply at all times with applicable Privacy Laws in relation to the processing of personal data in connection with the Agreement and the Services.
14. Limitation of liability
14.1 Each party’s and all of its Affiliates’ liability, taken together in the aggregate, arising out of or related to this Schedule whether in contract, tort or under any other theory of liability, is subject to the limitation of liability section of the Agreement, and any reference in such section to the liability of a party means the aggregate liability of that party and all of its Affiliates under the Agreement and this Schedule.
15. General Terms
15.1 All clauses of the Service Agreement that are not explicitly amended or supplemented by the clauses of this Schedule, and as long as this does not contradict compulsory requirements of Applicable Laws under this Schedule, remain in full force and effect and shall apply, including, but not limited to: Governing Law and Dispute Resolution, Jurisdiction, Limitation of Liability (to the maximum extent permitted by Applicable Laws).
15.2 Should any provision of this Schedule be found invalid or unenforceable pursuant to any applicable law, then the invalid or unenforceable provision will be deemed superseded by a valid, enforceable provision that most closely matches the intent of the original provision and the remainder of the Schedule will continue in effect.
15.3 If Modica makes a determination that it can no longer meet its obligations in accordance with this Schedule, it shall promptly notify the Client of that determination, and cease the Processing or take other reasonable and appropriate steps to remediate.
Modica’s technical and organisational data security measures will be available to all our Clients in due course and we will notify you when this is available on our Privacy Updates URL.