OMNEA DATA PROCESSING ADDENDUM
This Data Processing Addendum (this “Addendum”) supplements and forms part of the terms and conditions between the Customer and Omnea (the “Agreement”). Except as modified below, the terms of the Agreement shall remain in full force and effect. If there is a conflict between the Agreement and this Addendum, the terms of this Addendum will prevail. For the avoidance of doubt, this Addendum is effective as at the Effective Date of the Agreement and will remain in effect until termination of the Agreement; or the last Processing of Customer Personal Data carried out by or on behalf of the Customer under the Agreement.
- Definitions
In this Addendum, the following words and expressions have the following meanings:
“Customer Personal Data” means Personal Data Processed by Omnea as Processor on behalf of the Customer pursuant to the performance of the Agreement.
“Controller”, “Processor”, “Data Subject”, “Personal Data”, “Personal Data Breach”, “Supervisory Authority” and “Processing” all have the meanings given to those terms in Data Protection Laws (and related terms such as “Process”, “Processes” and “Processed” shall have corresponding meanings); and
“Data Protection Laws” means all laws and regulations relating to data protection and privacy as applicable to the Parties and/or to the Processing of Personal Data under the Agreement, including without limitation, the EU General Data Protection Regulation 2016/679 (“GDPR”), the GDPR in such form as incorporated into the laws of the United Kingdom (“UK GDPR”), the Data Protection Act 2018, and any associated implementing legislation and regulations, in each case, as in force and applicable, and as amended, supplemented or replaced from time to time.
“Sub-Processor” means another Processor engaged by Omnea for carrying out Processing activities in respect of Customer Personal Data.
- Data Processing Details and Compliance
- The Parties acknowledge that in respect of Customer Personal Data, Omnea is a Processor Processing Personal Data on behalf of the Customer as Controller. Each Party shall comply with its obligations under Data Protection Laws as relates to Customer Personal Data.
- Details of Customer Personal Data Processed by Omnea under the Agreement are as follows:
- Subject Matter, Nature and Purpose of Processing. Omnea’s provision of the Services under the Agreement.
- Duration of Processing. Processing of Customer Personal Data by Omnea shall be for the term of the Agreement and in accordance with Omnea’s retention obligations under the Agreement and Addendum, provided that Customer Personal Data shall not be Processed for longer than is necessary for the purpose for which it was collected or is being Processed (except where a statutory exception applies).
- Personal Data in Scope. This could include data such as Name, Supplier Name, Contact Details, Supplier Business Address, together with any other data inputted or collected by the Customer.
- Category of Data Subjects. Customer personnel (employees, contractors, etc.) and Customer associated parties and suppliers.
- Data Processing Instructions
- Omnea shall Process Customer Personal Data only on the written instructions of the Customer (including as set out in the Agreement) unless Omnea is required to otherwise Process Customer Personal Data by applicable laws. Omnea is hereby instructed to Process Customer Personal Data for the purposes of providing the Services. In the event Omnea is required by applicable laws to Process Customer Personal Data other than in accordance with the Customer’s instructions, prior to any such Processing and to the extent permitted by applicable laws, Omnea shall notify the Customer in writing of that legal requirement prior to Processing Customer Personal Data.
- Omnea shall promptly inform the Customer if Omnea becomes aware of a written instruction given by the Customer under this Clause 3 that, in Omnea’s reasonable opinion, infringes Data Protection Laws.
- Omnea Personnel and Sub-Processors
- Omnea shall ensure that all Omnea personnel authorised to Process Customer Personal Data are either subject to binding written contractual obligations or statutory obligations to keep Customer Personal Data confidential.
- The Customer authorises Omnea to engage (including the disclosure of Customer Personal Data under the Agreement to such Sub-Processors):
- the Sub-Processors included in the Sub-Processor list made available to the Customer online at https://trust.omnea.co or will be made available at another online location as advised to the Customer from time to time (“Sub-Processor List”); and
- the Sub-Processors engaged in accordance with Clause 4.3 of this Addendum.
- Omnea will maintain an up-to-date Sub-Processor list, ensuring any Sub-Processor is added within 10 business days of being selected. The Customer can object to any Sub-Processor and if the Customer does not make a reasonable objection to the proposed engagement within 10 days of Omnea updating its Sub-Processor list at https://trust.omnea.co or at another online location as advised to the Customer from time to time, the Customer is deemed to have authorised the engagement of such Sub-Processor. The Customer may subscribe to receive email alerts when Omnea updates its Sub-Processor list by visiting https://trust.omnea.co.
- Where the Customer raises a reasonable objection to the proposed engagement of a Sub-Processor in accordance with Clause 4.3 of this Addendum, Omnea may, at its option:
- use its reasonable endeavours to remedy the situation giving rise to the reasonable objection; or
- propose an alternative Sub-Processor to conduct the relevant Processing in accordance with Clause 4.3 of this Addendum, provided that, in the event that Omnea is unable to remedy the situation in accordance with Clause 4.4(1) of this Addendum and no alternative Sub-Processor is proposed in accordance with Clause 4.4(2) of this Addendum, then Omnea shall be entitled to terminate the Agreement without penalty or liability effective immediately on written notice to the Customer and the Customer shall pay Omnea any fees due for the Services performed prior to termination.
- Omnea shall ensure that prior to permitting any Sub-Processor to Process Customer Personal Data, the Sub-Processor has entered into a binding written agreement with Omnea that imposes obligations substantially equivalent to the obligations imposed on Omnea as a Processor under this Addendum. Omnea shall remain fully liable to the Customer for the performance of the Sub-Processor’s data protection obligations concerning Customer Personal Data in the event the Sub-Processor fails to fulfil those obligations.
- Transfers
- Omnea shall not transfer Customer Personal Data to any party in a country not deemed adequate for the transfer of Personal Data by the European Commission (for transfers concerning the EEA) and the equivalent UK authority (for transfers concerning the UK), including permitting access to Customer Personal Data from any party in such countries, without the prior written consent of the Customer, unless:
- the transfer/access is to a Sub-Processor included in the Sub-Processor List or appointed in accordance with Clause 4 of this Addendum; and
- the transfer/access is in compliance with Data Protection Laws (including having in place appropriate transfer safeguards as applicable).
- Security and Personal Data Breach Notification
- Omnea shall implement and maintain appropriate technical and organisational measures in relation to the Processing of Customer Personal Data to ensure a level of security appropriate to the risks which may occur as a result of Processing Customer Personal Data, and in particular the risks of accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Customer Personal Data.
- Omnea shall notify the Customer without undue delay on becoming aware of a Personal Data Breach and provide the Customer with details of the Personal Data Breach as required under Data Protection Laws. To the extent available, these details shall include:
- the nature of the Personal Data Breach, including where possible, the categories and approximate number of Data Subjects concerned and the categories and approximate number of Customer Personal Data records concerned;
- the name and contact details of the data protection officer or other contact point of Omnea, where more information can be obtained;
- description of the likely consequences of the Personal Data Breach; and
- description of the remedial actions taken or proposed to be taken to mitigate the effects and minimise any damage resulting from the Personal Data Breach.
- Assistance
- To the extent related to its Processing of Customer Personal Data (taking into account the nature of Processing and the information available to Omnea), Omnea shall promptly provide the Customer with reasonable assistance:
- using appropriate technical and organisational measures, in complying with any requests received from Data Subjects of Customer Personal Data exercising Data Subject rights under Data Protection Laws;
- to enable the Customer to conduct data protection impact assessments and consultations with (or notifications to) a relevant Supervisory Authority where the Customer is required to do so under Data Protection Laws, in connection with data protection impact assessments;
- in complying with its obligation to implement and maintain appropriate technical and organisational security measures to protect Customer Personal Data; and
- in complying with its obligation to notify a Personal Data Breach to a Supervisory Authority or to a Data Subject as appropriate.
- Deletion or Return of Data
- Omnea shall, at the choice of the Customer, delete or return all Customer Personal Data to the Customer once Processing by Omnea of any Customer Personal Data is no longer required for the purposes of the Agreement, and delete all existing copies unless required by applicable laws to store Customer Personal Data.
- Information Requests and Audits
- Omnea shall, on request from the Customer, make available to the Customer all information necessary to demonstrate Omnea’s compliance with its obligations under this Addendum. Omnea shall allow for audits (including inspections) conducted by the Customer or the Customer’s designated auditor on reasonable prior written notice, for the purpose of demonstrating Omnea’s compliance with its obligations under this Addendum. For the avoidance of doubt such audits shall be limited to once per calendar year. Any additional audit under this Clause 9.1 (in excess of the once per calendar year limitation) shall be at the cost of the Customer.
- Omnea’s obligations under Clause 9.1 of this Addendum are subject to the Customer:
- giving Omnea reasonable prior notice of such information requests, audits and/or inspections being required by the Customer;
- ensuring that all information obtained or generated by the Customer or its auditor(s) in connection with such information requests, inspections and audits is kept strictly confidential (save for disclosure to a Supervisory Authority or as otherwise required by applicable laws); and
- ensuring that such audit or inspection is undertaken during normal business hours, with, so far as reasonably practicable, minimal disruption to Omnea’s business and the business of other customers of Omnea.