Data processing agreement
This Data Processing Agreement:
(i) is supplemental to the Contract entered into between Teledyne Valeport Water and Supplier for the supply of certain Services and specifies Teledyne Valeport Water requirements for processing of Personal Data by the Supplier in performance of the Services; and
(ii) shall remain in force for the longer of either (a) the duration of the Contract; or (b) until such time as all processing of Personal Data by the Supplier has ceased.
1. Definitions
The rules of interpretation and defined terms in the Contract apply to this Data Processing Agreement together with and including the following definitions:
Contract | means the agreement between the Supplier and Valeport Water for the sale and purchase of the Services incorporating Teledyne Valeport Water’s Data Protection Requirements namely this Data Processing Agreement; |
Controller | shall have the meaning given in applicable Data Protection Laws from time to time; |
Data Protection Laws | means any applicable law relating to the processing, privacy and/or use of Personal Data, as applicable to either party or the Services, including:
(a) the GDPR; (b) the Data Protection Act 2018; (c) any laws which implement any such laws; (d) any laws that replace, extend, re-enact, consolidate or amend any of the foregoing; and (e) all guidance, guidelines, codes of practice and codes of conduct issued by any relevant Supervisory Authority relating to such Data Protection Laws (in each case whether or not legally binding); |
Data Subject | shall have the meaning given in applicable Data Protection Laws from time to time; |
GDPR | means the General Data Protection Regulation, Regulation (EU) 2016/679; |
International Organisation | shall have the meaning given in applicable Data Protection Laws from time to time; |
Personal Data | shall have the meaning given in applicable Data Protection Laws from time to time; |
Personal Data Breach | shall have the meaning given in applicable Data Protection Laws from time to time; |
Processing | has the meaning given in applicable Data Protection Laws from time to time (and related expressions, including process, processing, processed, and processes shall be construed accordingly); |
Processor | shall have the meaning given in applicable Data Protection Laws from time to time; |
Protected Data | means Personal Data received from or on behalf of Teledyne Valeport Water, or otherwise obtained in connection with the performance of the Supplier’s obligations under the Contract; |
Services | means the Services which are the subject matter of the Contract of which this Data Processing Agreement forms part; |
Sub-Processor | means any agent, subcontractor or other third party engaged by the Supplier (or by any other Sub-Processor) for carrying out any processing activities in respect of the Protected Data; |
Supervisory Authority | means any regulator, authority or body responsible for administering Data Protection Laws; |
Supplier | means the person (legal or natural) who supplies the Services to Teledyne Valeport Water. |
2. Data Processing Relationship
The parties agree that Teledyne Valeport Water is a Controller and that the Supplier is a Processor for the purposes of processing Protected Data pursuant to the Contract. The Supplier shall, and shall ensure its Sub-Processors and each of the Supplier Personnel shall, at all times comply with all Data Protection Laws in connection with the processing of Protected Data and the provision of the Services. Nothing in the Contract relieves the Supplier of any responsibilities or liabilities under Data Protection Laws.
3. Only Process to the Extent Permitted
The Supplier shall only process (and shall ensure Supplier Personnel only process) the Protected Data in accordance with this Data Processing Agreement, the standard terms and conditions of the Contract and Teledyne Valeport Water’s written instructions from time to time (including when making any transfer) except where otherwise required by applicable law (and in such a case shall inform Teledyne Valeport Water of that legal requirement before processing, unless applicable law prevents it doing so on important grounds of public interest). The Supplier shall immediately inform Teledyne Valeport Water if any instruction relating to the Protected Data infringes or may infringe any Data Protection Law.
4. Implement Technical and Organisational Measures
The Supplier shall at all times implement and maintain appropriate technical and organisational measures to protect Protected Data against accidental, unauthorised or unlawful destruction, loss, alteration, disclosure or access. Such technical and organisational measures shall be at least equivalent to the technical and organisational measures set out in the Schedule to this Data Processing Agreement and shall reflect the nature of the Protected Data.
5. Controls over Sub-Processing
5.1. The Supplier shall:
5.1.1. not permit any processing of Protected Data by any agent, subcontractor or other third party (except its own employees that are subject to an enforceable obligation of confidence with regards to the Protected Data) without the prior specific written authorisation of that Sub-Processor by Teledyne Valeport Water and only then subject to such conditions as Teledyne Valeport Water may require;
5.1.2. ensure that access to Protected Data is limited to the authorised persons who need access to it to supply the Services;
5.1.3. prior to the relevant Sub-Processor carrying out any processing activities in respect of the Protected Data, appoint each Sub-Processor under a binding written contract containing the same obligations as under this Data Processing Agreement in respect of Protected Data that (without prejudice to, or limitation of, the above):
5.1.3.1. includes providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing of the Protected Data will meet the requirements of all Data Protection Laws; and
5.1.3.2. is enforceable by the Supplier,
and ensure each such Sub-Processor complies with all such obligations.
5.1.4. remain fully liable to Teledyne Valeport under the Contract for all the acts and omissions of each Sub-Processor and each of the Supplier Personnel as if they were its own; and
5.1.5. ensure that all persons authorised by the Supplier or any Sub-Processor to process Protected Data are reliable and:
5.1.5.1. adequately trained on compliance with this Data Processing Agreement as applicable to the processing;
5.1.5.2. informed of the confidential nature of the Protected Data and that they must not disclose Protected Data;
5.1.5.3. subject to a binding and enforceable written contractual obligation to keep the Protected Data confidential; and
5.1.5.4. provide relevant details and a copy of each agreement with a Sub-Processor to Teledyne Valeport Water on request.
6. Assistance with Data Subject Access Requests
6.1. The Supplier shall (at its own cost and expense):
6.1.1. promptly provide such information and assistance (including by taking all appropriate technical and organisational measures) as Teledyne Valeport Water may require in relation to the fulfilment of Teledyne Valeport Water’s obligations to respond to requests for exercising the Data Subjects’ rights under Chapter III of the GDPR (and any similar obligations under applicable Data Protection Laws); and
6.1.2. provide such information, co-operation and other assistance to Teledyne Valeport Water as Teledyne Valeport Water reasonably requires (taking into account the nature of processing and the information available to the Supplier) to ensure compliance with Teledyne Valeport Water’s obligations under Data Protection Laws, including with respect to:
6.1.2.1. security of processing;
6.1.2.2. data protection impact assessments (as such term is defined in Data Protection Laws);
6.1.2.3. prior consultation with a Supervisory Authority regarding high-risk processing; and
6.1.2.4. any remedial action and/or notifications to be taken in response to any Personal Data Breach and/or any complaint or request relating to either party’s obligations under Data Protection Laws relevant to the Contract, including (subject in each case to Teledyne Valeport’s prior written authorisation) regarding any notification of the Personal Data Breach to supervisory authorities and/or communication to any affected Data Subjects.
6.2. The Supplier shall (at no cost to Teledyne Valeport Water) record and refer all requests and communications received from Data Subjects or any Supervisory Authority to Teledyne Valeport which relate (or which may relate) to any Protected Data promptly (and in any event within three days of receipt) and shall not respond to any without Teledyne Valeport Water’s express written approval and strictly in accordance with Teledyne Valeport Water’s instructions unless and to the extent required by law.
7. No Data Processing outside of the EEA
The Supplier shall not process and/or transfer, or otherwise directly or indirectly disclose, any Protected Data in or to countries outside the European Economic Area or to any International Organisation without the prior written authorisation of Teledyne Valeport Water (which may be refused or granted subject to such conditions as Teledyne Valeport Water deems necessary).
8. Accurate Record Keeping
The Supplier shall maintain complete, accurate and up to date written records of all categories of processing activities carried out on behalf of Teledyne Valeport Water. Such records shall include all information necessary to demonstrate its and Teledyne Valeport Water’s compliance with this Data Processing Agreement the information referred to in Articles 30(1) and 30(2) of the GDPR and such other information as Teledyne Valeport may reasonably require from time to time. The Supplier shall make copies of such records available to Teledyne Valeport Water promptly (and in any event within 3 Business Days) on request from time to time.
9. Compliance Audit Right
The Supplier shall (and shall ensure all Sub-Processors shall) promptly make available to Teledyne Valeport Water (at the Supplier’s cost) such information as is reasonably required to demonstrate the Supplier’s and Teledyne Valeport Water’s compliance with their respective obligations under Data Processing Agreement and the Data Protection Laws, and allow for, permit and contribute to audits, including inspections, by Teledyne Valeport (or another auditor mandated by Teledyne Valeport Water) for this purpose at Teledyne Valeport Water’s request from time to time. The Supplier shall provide (or procure) access to all relevant premises, systems, personnel and records during normal business hours for the purposes of each such audit or inspection upon reasonable prior notice (not being more than two Business Days) and provide and procure all further reasonable co-operation, access and assistance in relation to any such audit or inspection.
10. Notification of Personal Data Breach
The Supplier shall promptly (and in any event within 24 hours) notify Teledyne Valeport if it (or any of its Sub-Processors or the Supplier Personnel) suspects or becomes aware of any suspected, actual or threatened occurrence of any Personal Data Breach in respect of any Protected Data and provide all information as Teledyne Valeport Water requires to report such circumstances to a Supervisory Authority and to notify affected Data Subjects under Data Protection Laws.
11. No Retention of Protected Data
The Supplier shall (and shall ensure that each of the Sub-Processors and Supplier Personnel shall) without delay (and in any event within 3 days), at Teledyne Valeport Water’s written request, either securely delete or securely return all the Protected Data to Teledyne Valeport in such form as Teledyne Valeport reasonably requests after the earlier of:
11.1. the end of the provision of the relevant Services related to processing of such Protected Data; or
11.2. once processing by the Supplier of any Protected Data is no longer required for the purpose of the Supplier’s performance of its relevant obligations under the Contract,
and securely delete existing copies (except to the extent that storage of any such data is required by applicable law and, if so, the Supplier shall inform Teledyne Valeport of any such requirement).
12. Indemnity
The Supplier shall indemnify and keep indemnified Teledyne Valeport Water against:
12.1. all losses, claims, damages, liabilities, fines, interest, penalties, costs, charges, sanctions, expenses, compensation paid to Data Subjects (including compensation to protect goodwill and ex gratia payments), demands and legal and other professional costs (calculated on a full indemnity basis and in each case whether or not arising from any investigation by, or imposed by, a Supervisory Authority) arising out of or in connection with any breach by the Supplier of its obligations under this clause
12.2. all amounts paid or payable by Teledyne Valeport Water to a third party which would not have been paid or payable if the Supplier’s breach of this Data Processing Agreement had not occurred.
13. Survival of Terms
The obligations in this Data Processing Agreement shall survive termination or expiry of the Contract for any reason.