DATA PROTECTION ADDENDUM
This Data Protection Addendum (“DPA”) shall be deemed incorporated into the terms of use of smartsar.shoosmiths.com and any other website operated by Shoosmiths Privacy Services Limited (“Website Terms”) and into the terms applicable to any Terms of Engagement Letter between you and Shoosmiths Privacy Services Limited or Shoosmiths Europe LLP (“Shoosmiths” or “our”), as applicable, where that letter references this DPA.
1. Definitions. “Data Protection Laws” means all applicable laws and regulations governing the protection of data relating to natural persons and the terms "Process", "Controller", "Processor", "Personal Data", “Personal Data Breach” and "Data Subject" shall each have the same meaning given to them (or terms used to express similar concepts) under such laws; and “Restricted Transfer” means a transfer of Personal Data by Shoosmiths Europe LLP (acting as your Processor) to you that is subject to Regulation (EU) 2016/679 and which, but for the incorporation of standard contractual clauses pursuant to paragraph 8, would breach applicable Data Protection Laws. Capitalised expressions that are not defined in this DPA shall have the meaning given to them in the applicable Terms of Engagement Letter. Any references to the Terms of Engagement Letter in this DPA shall be deemed to include the Website Terms except where the context requires otherwise.
2. General Compliance. Shoosmiths and you shall each comply with all Data Protection Laws.
3. Subject Matter, Nature and Purpose of Processing. Shoosmiths may collect, store or otherwise Process Personal Data on your behalf in the course of and for the purposes of the provision of the Service, as described in the applicable Terms of Engagement Letter. The nature of the Processing involves: (a) the cleansing (including de-duplication) and storage of Personal Data prior to providing a fee quotation to you and the making available and storage of such Personal Data to Data Subjects (to the extent the Service relates to our data subject access requests fulfilment service); and (b) communicating (and storing such communications) with Data Subjects (to the extent the Service relates to our appointment as your GDPR representative).
4. Types of Personal Data and Data Subjects. The types of Personal Data provided to Shoosmiths by you, or otherwise Processed by Shoosmiths in connection with the performance of its obligations under the applicable Terms of Engagement Letter, may relate to any type of Data Subject (including your previous, current and prospective employees, customers and contacts and those exercising their rights as a Data Subject) and may include the following categories of Personal Data: (a) to the extent the Service relates to our appointment as your GDPR representative: name, email address, telephone number, data relating to any request, query, claim or other communication made by a Data Subject and received by Shoosmiths, and any response, analysis or other processing considerations provided by you (as relayed via Shoosmiths pursuant to the Service) concerning such request, query, claim or communication; and (b) to the extent the Service relates to our data subject access requests fulfilment service: any type of personal data that you upload to our systems, including special categories of Personal Data and criminal offence and conviction data, in connection with a data subject access request.
5. Special categories of Personal Data. Except as expressly specified in paragraph 4 of this DPA, you shall not provide to Shoosmiths any special category of Personal Data (within the meaning of the Data Protection Laws), including: racial or ethnic origin; political opinions; religious or philosophical beliefs; trade union membership; genetic or biometric data; health data; sex life or sexual orientation, nor any criminal offence or conviction data, in each case, without obtaining our express prior written agreement.
6. Duration. The Personal Data may be Processed for the duration of our applicable engagement with you.
7. Data Processing Provisions. If and to the extent that Shoosmiths is required to Process any Personal Data on your behalf when performing its obligations under the applicable Terms of Engagement Letter, then you agree that you shall be and remain the Controller and Shoosmiths shall be a Processor in respect of such Personal Data, and accordingly (and in any case):
   - Shoosmiths shall Process such Personal Data only in accordance with the lawful documented instructions given by you from time to time, provided that: (a) where such instructions necessarily prevent, delay or restrict Shoosmiths from providing the Service or require modification of the nature or extent of the Service, then Shoosmiths shall not be liable in respect of such prevention, delays or restrictions and shall be entitled to make any such modifications to the Service without incurring any additional liability to you; and (b) where such instructions in our opinion would require or result in any non-compliance by Shoosmiths with any Data Protection Law or any other applicable law, Shoosmiths shall promptly notify you and you shall retract and restate such instructions. Such notification by Shoosmiths shall not constitute legal advice and you may not rely upon such notification in connection with your compliance with Data Protection Law.
   - Shoosmiths shall only Process such Personal Data as strictly necessary in the provision of the Service and not for any other purpose.
   - For the avoidance of doubt, the continued use by you of the Service shall constitute documented instructions for Shoosmiths to Process the Personal Data listed in paragraph 4 of this DPA, for the purpose of providing the Service, including performing the Processing activities listed in paragraph 3 of this DPA.
   - Shoosmiths shall implement and maintain appropriate technical and organisational measures to ensure an appropriate level of security in respect of such Personal Data, against accidental or unlawful loss, destruction, alteration, unauthorised disclosure of or access to such Personal Data; such measures shall be implemented with regard to: (a) encryption of Personal Data; (b) back-up and disaster recovery arrangements; (c) the ability to ensure ongoing confidentiality, integrity, availability and resilience of the IT infrastructure and environment; and (d) the regular testing and evaluation of the effectiveness of such measures.
   - Shoosmiths shall limit access to such Personal Data to authorised personnel who need access to it in order to meet our obligations under the applicable Terms of Engagement Letter and shall ensure that all such personnel are bound by appropriate obligations of confidentiality.
   - Except in relation to any Personal Data for which Shoosmiths is a Controller, when each applicable engagement between you and Shoosmiths ends or if you do not proceed with a quotation we provide to you, Shoosmiths shall delete all such Personal Data for which it is a Processor within a reasonable time and in any event within 60 days of the applicable date unless it expressly agrees otherwise with you in writing.
   - Shoosmiths shall notify you without undue delay: (a) after becoming aware of any accidental or unlawful destruction, loss, alteration, or unauthorised disclosure of, or access to such Personal Data; and (b) if it receives any communication by a Data Subject whose Personal Data is Processed in connection with our Service seeking to exercise rights conferred on the Data Subject by the Data Protection Law in relation to such Personal Data.
   - Shoosmiths shall, at your cost and expense, assist you in respect of (a) your security obligations under applicable Data Protection Laws in relation to such Personal Data, including any requirement on you to notify any Personal Data Breach affecting such Personal Data that we Process to the relevant data protection supervisory authority or to affected Data Subjects, (b) any data protection impact assessment (including any consultation with the applicable data protection supervisory authority in respect of such assessment) which you may from time to time be required to undertake in accordance with Data Protection Law and that relates to our Processing of such Personal Data, and/or (c) (where appropriate, taking into account the nature of the Processing) in respect of your obligation to respond to requests of any Data Subject (exercising their rights as such) whose Personal Data is Processed by Shoosmiths.
   - Shoosmiths shall, upon reasonable notice in writing, make available to you or grant to you and your auditors and agents, a right to access, inspect and take copies of any information or records kept by Shoosmiths pursuant to this DPA, solely to the extent necessary to demonstrate our compliance with the Data Protection Law and provided always that this clause shall not oblige Shoosmiths to disclose any confidential information including information relating to any other customer or contact.
   - You hereby provide Shoosmiths with general authorisation to appoint, and disclose Personal Data to, sub-processors of Shoosmiths as required to provide the Service, including (where applicable) sub-processors in countries outside the United Kingdom or European Economic Area. Shoosmiths shall: (a) notify you of any additional or replacement sub-processors it appoints (and may do so by including a hyperlink in this DPA to a webpage setting out such information); (b) provide you with a reasonable opportunity to object to the Processing of such Personal Data by such new sub-processor (provided that in circumstances of such objection by you, Shoosmiths and you shall discuss and endeavour to agree upon any alternative measures to enable such Processing, and that if no alternative measures can be reasonably agreed, Shoosmiths may terminate the affected engagement with you upon giving at least 7 days’ notice in writing to you), and (c) ensure that such sub-processor is bound by equivalent contractual terms as those set out in this paragraph 7.
8. Data export. In relation to any Restricted Transfer, the provisions of the standard contractual clauses issued by the European Commission on 4 June 2021 to the extent they relate or are required to give effect to processor to controller transfers (module 4) shall be deemed incorporated into this DPA and: (a) the governing law and jurisdiction shall be the Republic of Ireland; and (b) Annex 1 to those clauses shall be deemed populated by the information in the relevant Terms of Engagement Letter (in respect of Part A) and by the information in this DPA including paragraphs 3 to 6 above (in respect of Part B), and the frequency of transfers for the purposes of Part B of that Annex shall be periodical (corresponding to each engagement), or otherwise as described in the Terms of Engagement Letter.
9. Website Terms. To the extent the terms of this DPA are incorporated into any Website Terms, and subject to paragraph 10, our total aggregate liability under those incorporated terms shall be limited to one thousand pounds sterling unless we expressly agree with you otherwise in writing, specifically referencing this paragraph 9. The terms of this DPA do not apply to any visitor or user that is accessing it in connection with a data subject access request that it (or someone on its behalf) has made.
10. Liability. Nothing in this DPA shall limit or exclude our or your liability for death or personal injury arising from our or your negligence respectively, for fraud or fraudulent misrepresentation, or for any other liability that cannot be limited or excluded by applicable law.
11. Your obligations. You shall ensure:
   - you are entitled to transfer any relevant Personal Data to Shoosmiths, such that Shoosmiths may lawfully use, Process and transfer such Personal Data in accordance with the Terms of Engagement Letter on your behalf; and
   - all relevant Data Subjects have been informed of such use, Processing, and transfer as required by all applicable Data Protection Laws.