Data Protection Addendum

This Data Protection Addendum (“DPA”) shall be deemed incorporated into each Customer Agreement for Cloud Services (“ACS”) between Westcoast and the relevant Customer in which a link to this DPA is included.

1. DEFINITIONS

1.1 In this DPA, the following expressions shall have the following meanings (and all other capitalised expressions shall be as defined in the ACS):

“Controller”, “Processor”, “Data Subject”, “Personal Data”, “Personal Data Breach”, “Process” and “Processing”

shall have the respective meanings given to them (and terms used for similar concepts) in Data Protection Laws, and “End User Personal Data” means the Personal Data set out in the Description of Processing where such data is Processed by Westcoast as a Processor;

“Data Protection Laws”any applicable legislation in force from time to time relating to the protection of personal data of individuals; and
“Description of Processing”the information set out in the Annex to this DPA.

 

2. DATA PROTECTION

2.1 You acknowledge and agree that:

2.1.1 as between the parties, the Customer is a Controller and that Westcoast is a Processor for the purposes of Processing the End User Personal Data; and
2.1.2 Westcoast is a Controller in relation to any Processing described in its privacy notices located at www.westcoast.co.uk/admin/downloads/westcoast-privacy-notice.pdf.

2.2 In respect of any End User Personal Data Processed by Westcoast, it shall:

2.2.1 only Process End User Personal Data in accordance with the documented instructions of the Controller of that data, as communicated in writing from time to time unless Westcoast is required by Legislation to Process that data otherwise than in accordance with those instructions (in which case it shall notify the Customer unless the law prohibits it from doing so on public interest grounds). The Customer shall ensure that it communicates all instructions to Westcoast promptly, accurately and without any omissions;
2.2.2 ensure that those of Westcoast’s staff who have access to and/or Process End User Personal Data are committed to keeping End User Personal Data confidential;
2.2.3 implement appropriate technical and organisational measures to protect against accidental, unlawful or unauthorised destruction, loss, alteration or disclosure of, or access to, End User Personal Data in accordance with Westcoast’s obligations under Data Protection Laws;
2.2.4 with the Customer’s general authorisation (which it hereby provides) engage other Processors to Process the End User Personal Data (“Sub-Processor”). Westcoast shall ensure that it enters into a written agreement with each Sub-Processor with provisions similar in effect to those in this DPA to the extent required by Data Protection Laws. Westcoast shall notify the Customer of any intended changes concerning the addition or replacement of Sub-Processor(s) and shall provide the
Customer with the opportunity to object to such changes. Any objections must be notified to Westcoast in writing within 14 days of the date of its notice to the Customer. If Westcoast does not receive an objection from the Customer within such period, it shall be deemed to have given authorisation to Westcoast to use such Sub-Processor. If the Customer objects within such period, then the parties, acting in good faith, shall discuss and use their reasonable (but commercially prudent) endeavours to resolve the objections. If Westcoast is unable to resolve the objections within fourteen (14) days of the date of the Customer’s objection, either Party may terminate the relevant Services without liability on giving seven (7) days’ written notice to the other Party;
2.2.5 not transfer any End User Personal Data outside of the United Kingdom and European Economic Area (“EEA”) if such transfer would directly cause the Controller to breach its obligations under Data Protection Law. Subject to the foregoing provisions of this paragraph 2.2.5, the Customer hereby consents to any Sub-Processors transferring End User Personal Data outside the UK and EEA. The Customer shall promptly enter into any standard contractual clauses issued by a competent body as Westcoast reasonably requires for either Party and/or any relevant Controller of the End User Personal Data to comply with this DPA and/or Data Protection Laws;
2.2.6 provide such assistance to the Customer as it reasonably requires (at the Customer’s sole cost) to comply with any request from a Data Subject validly exercising its rights under Data Protection Laws or with the Customer’s obligations under Data Protection Laws with respect to security, breach notifications, impact assessments and consultations with any data protection regulators;
2.2.7 for the sole purpose of demonstrating its compliance with this DPA, provide such information as the Customer reasonably requires, or where, in Westcoast’s reasonable opinion, the provision of information alone is not reasonably sufficient for that purpose, allow for and contribute to an audit (including inspection) of the relevant parts of Westcoast’s business by up to two (2) of the Customer’s representatives (in each case, at the Customer’s sole cost, including any auditors’ or administrative fees). The Customer shall give not less than one (1) month’s prior written notice prior to the date it wishes to conduct the audit and shall conduct any such audit no more than once per calendar year at such time and date that is convenient to Westcoast (except where required otherwise by a data protection regulator with competent jurisdiction). The Customer shall promptly notify Westcoast in writing of any non-compliance discovered by such audit. The Customer shall not disclose to any third party (other than, where applicable, the relevant Controller and/or the external auditor performing the audit) any information or reports obtained or produced in connect with any such audit and shall use such information and reports solely for the purposes of meeting its regulatory audit requirements and/or confirming our compliance with the requirements of this DPA. The Customer shall ensure that it takes reasonable steps and any steps Westcoast requests to minimise any interruption to Westcoast’s business when exercising its rights under this paragraph 2.2.7. If a third party conducts the audit, Westcoast may object to the auditor if the auditor is, in its reasonable opinion, not suitably qualified or independent, Westcoast’s competitor or a competitor of its shareholders, or otherwise manifestly unsuitable. If Westcoast does object, it may require the Customer to appoint another auditor; and
2.2.8 notify the Customer without undue delay after becoming aware of any Personal Data Breach affecting the End User Personal Data and provide relevant information about such breach to the Customer. Any notification by Westcoast under this paragraph 2.2.8 shall be made without any admission of liability.

2.3 The Customer shall:

2.3.1 ensure that all documented instructions it issues to Westcoast comply with Data Protection Laws;
2.3.2 be solely responsible for the content of the Description of Processing; and
2.3.3 not seek Westcoast’s assistance in respect of any activities or tasks that can be performed by the Customer or a third party. The Customer shall immediately notify Westcoast in writing if the Description of Processing is inaccurate or incomplete at any time together with full details of the relevant updates.

2.4 To the extent permitted by Legislation, Westcoast shall not be liable for any inaccurate data (including Personal Data) provided to the Customer or relevant Controller as part of the Services to the extent that such inaccuracy arises from inaccurate or otherwise incorrect data received by Westcoast.

2.5 Westcoast shall notify the Customer if, in its opinion, any documented instructions the Customer provides to Westcoast breach Data Protection Laws. The Customer shall not rely on such notice, which it acknowledges and agrees does not constitute legal advice.

2.6 Following expiry or termination of the Agreement (at the Customer’s option and sole cost) Westcoast shall either return to the Customer and/or delete any End User Personal Data Processed by Westcoast solely as a Processor, in each case, in accordance with the Agreement, except where Westcoast is required to store it pursuant to Legislation.

2.7 All data-protection related terms and expressions used herein, shall have the meanings given to them in applicable data protection legislation.

2.8 In respect of any Personal Data that the Customer (or its End Users) Processes as a Controller, including any Personal Data provided to Westcoast as a Controller, the Customer shall (and shall procure that its End Users) ensure that it shall and shall procure that its employees, agents and sub-contractors shall at all times comply with all Data Protection Laws;

2.9 The Customer shall ensure that if the End User intends to save or in any way process personal data via the Cloud Services, then the End User shall acknowledge and accept all risks associated with usage of such services and the Customer shall ensure that it (or the End User) as the Controller obtains and maintains all appropriate consents and permissions (where relevant) from Data Subjects in relation to any Processing of their Personal Data as may be necessary for the use of the Cloud Services.

Annex: Description of Processing

Processing of Personal Data

Subject matter: Processing in connection with the provision of the Support Services.

Nature: Collection, communication, transmission, storage, retrieval, alteration, deletion and destruction.

Duration: The duration for which Support Services is provided to the relevant End User by Westcoast.

Purposes of the Processing

The Processing is necessary for the following purposes: 

To provide Support Services to End Users.

Data Subjects

The Personal Data relates to the following categories of data subjects: 

Users (that are natural persons) authorised by the End User.

Categories of Personal Data

The Personal Data processed falls within the following categories:
Contact details, user account information and any Personal Data contained in messages relating to support requests or resolution or attempted resolution of the same.

Special categories of Personal Data and/or criminal offence/conviction data

The Personal Data Processed falls within the following special categories of Personal Data/criminal offence/conviction data:
None.

Rights and obligations of the Controller

The rights and obligations of the Controller of the End User Personal Data are as set out in this DPA and Data Protection Laws.