Welcome to the Data Protection Addendum to our SaaS Terms & Conditions.
This current consolidated DataProtection Addendum was published on 18 October 2022. [There are currently no previous versions].
1 Definitions
1.1 In this Data Protection Addendum defined terms shall have the same meaning, and the same rules of interpretation shall apply as in the remainder of our Agreement. In addition, in this Data Protection Addendum the following definitions have the meanings given below:
Controller
has the meaning given to that term in Data Protection Laws;
Data Protection Laws
means, as applicable to either party or the Services:
(a) the EU GDPR;
(b) the UK GDPR and the UK DPA 2018;
(c) any laws which implement or supplement any such laws; and
(d) any laws that replace, extend, re-enact, consolidate or amend any of the foregoing;
Data Protection Losses
means all liabilities arising directly or indirectly from any breach or alleged breach of any of the Data Protection Laws or of this Data Protection Addendum, including all:
(a) costs (including legal costs), claims, demands, actions, settlements, interest, charges, procedures, expenses, losses and damages (including relating to material or non-material damage);
(b) administrative fines, penalties, sanctions, liabilities or other remedies imposed by a Supervisory Authority;
(c) compensation which is ordered by a court or Supervisory Authority to be paid to a Data Subject; and/or
(d) costs of compliance with investigations by a Supervisory Authority;
Data Subject
has the meaning given to that term in Data Protection Laws;
Data Subject Request
means a request made by a Data Subject to exercise any rights of Data Subjects under Chapter III of the GDPR in relation to any Protected Data;
EEA Data Protection Laws
means Data Protection Laws applicable under the laws of the European Economic Area, the European Union or any of their member states;
EEA Protected Data
means Protected Data to which any EEA Data Protection Laws apply;
EU GDPR
means the General Data Protection Regulation, Regulation (EU) 2016/679);
GDPR
means the EU GDPR and the UK GDPR (as applicable in the circumstances);
International Recipient
means the organisations, bodies, persons and other recipients to which Transfers of the Protected Data are prohibited under paragraph 7.1 without the Customer’s prior written authorisation;
Lawful Safeguards
means such legally enforceable mechanism(s) for Transfers of Personal Data as may be permitted under Data Protection Laws from time to time;
List of Sub-Processors
means the latest version of the list of Sub-Processors used by Customs Plus, as Updated from time to time, which as at Order Acceptance is available at https://www.customsplus.co.uk/legal/order-acceptance;
Personal Data
has the meaning given to that term in Data Protection Laws;
Personal Data Breach
means any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, any Protected Data;
processing
has the meaning given to that term in Data Protection Laws (and related terms such as process, processes and processed have corresponding meanings);
Processing Instructions
has the meaning given to that term in paragraph 3.1.1;
Processor
has the meaning given to that term in Data Protection Laws;
Protected Data
means Personal Data in the Customer Data;
Relevant Law
means:
(a) in respect of EEA Protected Data, all applicable law(s) of the European Economic Area and European Union and of the relevant member state(s) of either; and
(b) in respect of UK Protected Data, all applicable law(s) of the United Kingdom (or of any part of the United Kingdom);
Sub-Processor
means a Processor engaged by Customs Plus or by any other Sub-Processor for carrying out processing activities in respect of the Protected Data on behalf of the Customer;
Supervisory Authority
means any local, national or multinational agency, department, official, parliament, public or statutory person or any government or professional body, regulatory or supervisory authority, board or other body responsible for administering Data Protection Laws;
Transfer
bears the same meaning as the word ‘transfer’ in Article 44 of the GDPR (and related terms such as Transfers, Transferred and Transferring have corresponding meanings);
UK Data Protection Laws
means the Data Protection Laws applicable under the laws of the United Kingdom (or of any part of the United Kingdom), including the UK GDPR and UK DPA 2018;
UK DPA 2018
means the United Kingdom’s Data Protection Act 2018;
UK GDPR
has the meaning given to that term in the UK DPA 2018; and
UK Protected Data
means Protected Data to which any UK Data Protection Laws apply.
2 Processor and Controller
2.1 The parties agree that, for the Protected Data, the Customer shall be the Controller and Customs Plus shall be the Processor. Nothing in our Agreement relieves the Customer of any responsibilities or liabilitiesunder any Data Protection Laws.
2.2 To the extent the Customer is not sole Controller of any Protected Data it warrants that it has full authority and authorisation of all relevant Controllers to instruct Customs Plus to process the Protected Data in accordance with our Agreement.
2.3 Customs Plus shall process Protected Data in compliance with:
2.3.1 the obligations of Processors under Data Protection Laws in respect ofthe performance of its obligations under our Agreement;and
2.3.2 the terms of our Agreement.
2.4 The Customer shall ensure that it, its Affiliates and each Authorised User shall at all times comply with:
2.4.1 all Data Protection Lawsin connection with the processing of Protected Data, the use of the Services (and each part) and the exercise and performance of its respective rights and obligations under our Agreement,including maintaining all relevant regulatory registrations and notifications as required under Data Protection Laws;and
2.4.2 the terms of our Agreement.
2.5 The Customer warrants, represents and undertakes, thatat all times:
2.5.1 the processing of all Protected Data (if processed in accordance with our Agreement) shall comply in all respects with all DataProtection Laws, including in terms of its collection, use and storage;
2.5.2 fair processing and all other appropriate notices have been provided to the Data Subjects of the Protected Data (and all necessary consents from such Data Subjects obtained and at all times maintained) to the extent required by all Data Protection Laws in connection with all processing activities in respect of the Protected Data that may be undertaken by Customs Plus and its Sub-Processors inaccordance with our Agreement;
2.5.3 the Protected Data is accurate and up to date;
2.5.4 it shall establish and maintain adequate security measures to safeguard the Protected Data in its possession or control (including from unauthorised or unlawful destruction, corruption, processing or disclosure) and maintain complete and accurate backups of all Protected Data provided to Customs Plus (or anyone acting on its behalf) so as to be able to immediately recover and reconstitute such Protected Data in the event of loss, damage or corruption of such Protected Data by Customs Plus or any other person;
2.5.5 all instructions given by it to Customs Plus in respectof Personal Data shall at all times be inaccordance with Data Protection Laws; and
2.5.6 it has undertaken due diligence in relation to Customs Plus’s processing operations andcommitments and it is satisfied (and at all times it continues to use the Services remains satisfied) that:
(a) Customs Plus’s processing operations are suitable for the purposes for which the Customer proposes to use the Services and engage Customs Plus to process the Protected Data;
(b) the technical and organisational measures set out in the Information Security Addendum and our Agreement (each as Updated from time to time) shall (if CustomsPlus complies with its obligations under such Addendumand our Agreement) ensure a level ofsecurity appropriate to the risk in regards to the Protected Data as required by Data Protection Laws; and
(c) Customs Plus has sufficient expertise, reliability and resources to implement technical and organisational measures that meet the requirements of Data Protection Laws.
2.6 If Customs Plus is subject to any applicable laws at any time that conflict with any of its obligations under this Data Protection Addendum it may immediately terminate our Agreement by notice unless the conflict has been resolved toCustoms Plus’s satisfaction prior to such notice of termination.
3 Instructions and details of processing
3.1 Insofar as Customs Plus processes Protected Data on behalf of the Customer, Customs Plus:
3.1.1 unless required to do otherwise by Relevant Law, shall (and shall take steps to ensure each person acting under its authority shall) process the Protected Data only on and in accordance with the Customer’s documentedinstructions as set out in our Agreement (including with regard to Transfers of Protected Data to any International Recipient),as Updated from time to time (Processing Instructions);
3.1.2 if Relevant Law requires it to process Protected Data other than in accordance withthe Processing Instructions, shall notify the Customer of any such requirement before processingthe Protected Data (unless Relevant Law prohibits such information on important grounds of public interest); and
3.1.3 shall promptly inform the Customer if Customs Plus becomes aware of a Processing Instruction that, in Customs Plus’s opinion, infringes Data Protection Laws, provided that:
(a) this shall be without prejudice to paragraphs 2.4 and 2.5;and
(b) to the maximum extent permitted by applicable law, Customs Plus shall have no liability howsoever arising (whether in contract,tort (including negligence) or otherwise) for any losses, costs, expenses or liabilities (including any Data ProtectionLosses) arising from or in connection with any processing in accordance with the Processing Instructions following the Customer’s receipt of the information required by this paragraph 3.1.3.
3.2 The Customer agrees that:
3.2.1 Customs Plus (and each Sub-Processor) is not obliged to undertake any processing of Protected Data that Customs Plus reasonably believes infringes any of the Data Protection Laws and shall not be liable (or subject to any reduction or set-off of any Fees otherwise payable to Customs Plus) to the extent that it (or any Sub-Processor) is delayed in or fails to perform any obligation under our Agreement as a result of not undertaking any processing in such circumstances; and
3.2.2 without prejudice to any other right or remedy of Customs Plus, in the event the Customer has not resolved any Processing Instruction notified to it underparagraph 3.1.3 such that it is lawful in Customs Plus’s reasonable opinion within 7 days of such notification then such circumstances are a material breach of our Agreement by the Customer that cannot be remedied and Customs Plus may terminate our Agreement in accordance with its terms.
3.3 The Customer shall be responsible for ensuring all Authorised Affiliates and Authorised Users read and understand the Privacy Policy (as Updated from time to time).
3.4 The Customer acknowledges and agrees that the execution of any computer command to process (including deletion of) any Protected Data made in the use of any of the Subscribed Services by an Authorised User will be a Processing Instruction (other than to theextent such command is not fulfilled due to technical, operational or other reasons, including as set out in the User Manual).The Customer shall ensure that Authorised Users do not execute any such command unless authorised by the Customer (and by all other relevant Controller(s)) and acknowledges and accepts that if any ProtectedData is deleted pursuant to any such command Customs Plus is under no obligation to seek to restore it.
3.5 Subject to applicable Subscribed Service Specific Terms or the Order Form the processing of the Protected Data by Customs Plus under our Agreement shall be for the subject-matter, duration, nature and purposes and involve the types of Personal Data and categories of Data Subjects set out in theschedule.
4 Technical and organisational measures
4.1 Customs Plus shall implement and maintain technical and organisational measures:
4.1.1 in relation to the processing of Protected Data by Customs Plus, as set out the Information Security Addendum;and
4.1.2 to assist the Customer insofar as is possible (taking into account the nature of the processing) in the fulfilment of the Customer’s obligations to respond to Data Subject Requests relating to Protected Data, in each case at the Customer’s cost on a time and materials basis in accordance with Customs Plus’s Standard Pricing Terms. The parties have agreed that (taking into account the nature of the processing) Customs Plus’s compliance with paragraph 6.1 shall constitute Customs Plus’s sole obligations under this paragraph 4.1.2.
4.2 During the period in which Customs Plus processes any ProtectedData, the Customer shall regularly undertake a documented assessment of whether the security measures implemented in accordance with paragraph 4.1 are sufficient to protect the Protected Dataagainst accidental, unauthorised or unlawful destruction, loss, alteration,disclosure or access to the extent required by DataProtection Laws in the circumstances. The Customer shall promptly notify Customs Plus of full details of any additional measures the Customer believes are required as a result of the assessment. The Customer acknowledges thatCustoms Plus provides a commoditised one-to-many service and the needs or assessments of other customers may differ. Customs Plus shall not be obliged to implement any further or alternative security measures, but this is without prejudice to the Customer ’s right to terminate our Agreement for convenience in accordance with the express provisions of our Agreement if it concludes the measures adoptedby Customs Plus are no longer sufficient for its needs.
5 Using staff and other Processors
5.1 Subject to paragraph 5.2,Customs Plus shall not engage (nor permit any other Sub-Processor to engage) any Sub-Processor for carrying out any processing activities in respect of the Protected Data in connection with our Agreement without the Customer’s prior written authorisation. The Customer shall not unreasonably object to any new Sub-Processor(or any change to any of the Sub-Processors).
5.2 The Customer:
5.2.1 authorises the appointment of each of the Sub-Processors identified on the List of Sub-Processors as at Order Acceptance; and
5.2.2 authorises the appointment of each Sub-Processor (or any change to any of the Sub-Processors) identified on the List of Sub-Processors as Updated from time to time. The Customer’s right to object to the appointment of a new Sub-Processor(or any change to any of the Sub-Processors) following the relevant Update Notice introducing that change may be exclusively exercised by terminating our Agreement in accordance its rights following the Update Notification introducing the change before that Update takes effect inaccordance with our Agreement.
5.3 Customs Plus shall:
5.3.1 prior to the relevant Sub-Processor carrying out any processing activities inr espect of the Protected Data, ensure (subject to clause 8.4) that each Sub-Processor is appointed under a written contract containing materially the same obligations as underparagraphs 2to 12 (inclusive) (including those obligations relating to sufficient guarantees to implement appropriate technical and organisational measures);
5.3.2 ensure each new Sub-Processor identified on the List of Sub-Processors further to paragraph 5.2.2 meets the following criteria at the time the addition of that Sub-Processor is first made: has not been sanctioned by any Supervisory Authority in relation to any breach of any Data Protection Laws in the previous three years; and
5.3.3 remain fully liable for all the acts and omissions of each Sub-Processor as if they were its own.
5.4 Customs Plus shall ensure that all persons authorised by it (or by any Sub-Processor) to process Protected Data are subject to a binding written contractual obligation to keep the ProtectedData confidential in a manner consistent with Customs Plus’sconfidentiality obligations under our Agreement.
6 Assistance with compliance and Data Subject rights
6.1 Customs Plus shall refer all Data Subject Requests it receives to theCustomer without undue delay. The Customer shall pay Customs Plus for all work,time, costs and expenses incurred by Customs Plus or any Sub-Processor(s) in connection with such activity, calculated on a time and materials basis at Customs Plus’s rates set out in Customs Plus’s Standard Pricing Terms.
6.2 Customs Plus shall provide such assistance as theCustomer reasonably requires (taking into account the nature of processing and the information available to Customs Plus) to the Customer in ensuring compliance with the Customer’s obligations under Data Protection Laws with respect to:
6.2.1 security of processing;
6.2.2 data protection impact assessments (as such term is defined in Data Protection Laws);
6.2.3 prior consultation with a Supervisory Authority regarding high risk processing; and
6.2.4 notifications to the Supervisory Authority and/or communications to DataSubjects by the Customer in response to any Personal Data Breach,
provided the Customer shall pay Customs Plus for all work, time, costs and expenses incurred Customs Plus or any Sub-Processor(s) in connection with providing the assistance in this paragraph 6.2,calculated on a time and materials basis at Customs Plus’s rates set out in Customs Plus’s Standard Pricing Terms.
7 International data transfers
7.1 Subject to paragraphs 7.2and 7.5,Customs Plus shall not Transfer any Protected Data:
7.1.1 in or to any country or territory; and/or
7.1.2 to an organisation and/or its subordinate bodies governed by public international law, or any other body which is set up by, oron the basis of, an agreement between two or more countries,
without the Customer’s prior written authorisation except where required by Relevant Law (in which case the provisions of paragraph 3.1 shall apply).
7.2 The Customer hereby authorises Customs Plus (or any Sub-Processor) to Transfer any ProtectedData for to any International Recipient(s)in accordance with paragraph 7.3,provided all such Transfers of Protected Data to an International Recipient shall (to the extent required under Data Protection Laws) be effected by way of Lawful Safeguards and in accordance with Data Protection Lawsand our Agreement. The provisions of our Agreement (including this Data ProtectionAddendum) shall constitute the Customer’s instructions with respect to Transfers in accordance with paragraph 3.1.1.
7.3 Customs Plus (and its Sub-Processors) may only Transfer the Protected Data to (or process Protected Data in) the following countries: United Kingdom and the European Economic Area.
7.4 The Lawful Safeguards employed in connection with Transfers pursuant to paragraph 7.2 shall be as follows: Standard Contractual Clauses.
7.5 The Customer acknowledges that due to the nature of cloud services, the Protected Data may beTransferred to recipients or other geographical locations in connection with use of the Services further to access and/or computerised instructions initiated by Authorised Users.The Customer acknowledges that Customs Plus does not control such processing and the Customer shall ensure that Authorised Users (and all others acting on itsbehalf) only initiate the Transfer of Protected Data to recipients or other geographical locations if Lawful Safeguards are in place and that such Transfer is incompliance with all Relevant Laws.
7.6 Customs Plus and each Sub-Processor is not obliged to undertake any unlawful Transferof Protected Data and shall not be liable to the extent that it (or any Sub-Processor)is delayed in or fails to perform any obligation under our Agreement due to it (or any Sub-Processor) being unable (or believing it is unable) to undertake any Transfer in a lawful manner. The Fees payable toCustoms Plus shall not be discounted or set-off as a result of any delay or non-performance of any obligation in accordance with this paragraph 7.6.
8 Information and audit
8.1 Customs Plus shall maintain, in accordance with Data Protection Laws binding on Customs Plus,written records of all categories of processing activities carried out on behalf of the Customer.
8.2 On request, CustomsPlus may, at its discretion, provide the Customer (or auditors mandated by the Customer) with a copy of the third party certifications and audits to the extent made generally available to its customers calculated on a time and materials basis at Customs Plus’s rates set out in Customs Plus’s Standard Pricing Terms.
8.3 Such information shall be confidential to CustomsPlus and shall be Customs Plus Confidential Information as defined in our Agreement, and shall be treated in accordance with applicable terms.
8.4 The Customer acknowledges and accepts that relevant contractual terms agreed with Sub-Processor(s) may mean that Customs Plus or Customer may not be able to undertake or facilitate an information request or audit or inspection of any or all Sub-Processors pursuant to paragraph 8.3 and:
8.4.1 the Customer’s rights under paragraph 8.3 shall not apply to the extent inconsistent with relevant contractual terms agreed with Sub-Processor(s);
8.4.2 to the extent any information request, audit or inspection of any Sub-Processor are permitted in accordance with this paragraph 8.4,equivalent restrictions and obligations on the Customer to those in paragraphs 8.3.1to 8.3.10 (inclusive) shall apply together with any additional or more extensive restrictions and obligations applicable in the circumstances; and
8.4.3 paragraphs 5.3.1and 8.3 shall be construed accordingly.
8.5 Notwithstanding paragraph 8.3, Customs Plus shall ensure that it has appropriate mechanisms in place to ensure its Sub-Processors meet their obligations under Data Protection Laws. The Customer accepts thatthe provisions of paragraph 8.4shall satisfy Customs Plus’s obligations in that regard.
9 Breach notification
9.1 In respect of any PersonalData Breach, Customs Plus shall, without undue delay (and in any event within 72 hours):
9.1.1 notify the Customer of the Personal Data Breach; and
9.1.2 provide the Customer with details of the Personal Data Breach.
10 Deletion of protected data and copies
Following the end of the provision of the Services (or any part) relating to the processing of ProtectedData Customs Plus shall dispose of ProtectedData in accordance with its obligations under our Agreement. CustomsPlus shall have no liability (howsoever arising, including in negligence) for any deletion or destruction of any such ProtectedData undertaken in accordance with our Agreement.
11 Compensation and claims
11.1 Customs Plus shall be liable for Data Protection Losses (howsoever arising,whether in contract, tort (including negligence) or otherwise) under or inconnection with our Agreement:
11.1.1 only to the extent caused by the processing of ProtectedData under our Agreement and directly resulting from Customs Plus’sbreach of our Agreement; and
11.1.2 in no circumstances to the extent that any Data Protection Losses (or the circumstances giving rise to them) are contributed to or caused by any breach of our Agreement by the Customer (including in accordance with paragraph 3.1.3(b)).
11.2 If a party receives a compensation claim from a person relating to processing of Protected Data in connection with our Agreement or the Services, it shall promptly provide the other party with notice and full details of such claim.
11.3 The parties agree that the Customer shall not be entitled to claim back from Customs Plus any part of any compensation paid bythe Customer to the extent that the Customer is liable to indemnify or otherwise compensate Customs Plus in accordance with our Agreement.
11.4 This paragraph 11is intended to apply to the allocation of liability for Data Protection Losses as between the parties,including with respect to compensation to DataSubjects, notwithstanding any provisions under Data Protection Laws to the contrary, except:
11.4.1 to the extent not permitted by Relevant Law (including Data Protection Laws); and
11.4.2 that it does not affect the liability of either partyto any Data Subject.
12 Survival
This Data Protection Addendum(as Updated from time to time) shall survive termination (for any reason) or expiry of our Agreement and continue until no Protected Data remains in the possession or control of Customs Plus or any Sub-Processor,except that paragraphs 10to 12 (inclusive) shall continue indefinitely.
13 Data protection contact
Customs Plus’s data protection manager is Sally McGough who may be contacted at Admin@customsplus.co.uk , tel+441515289344
.svg)
.svg)
