Data Processing Addendum
Version 1.6 (15 March 2022)
TAKE NOTE LTD
BACKGROUND:
(1) This Data Processing Addendum (“DPA”) forms part of the Contract for the Supply of Services (the “Principal Agreement”) between the entity identified as “Client” in the Principal Agreement and Take Note Ltd (the “Service Provider”).
(2) The DPA is intended to ensure that the Client and the Service Provider are compliant with the requirements of Article 28(3) of the UK GDPR.
- Definitions and Interpretation
- In this DPA, unless the context otherwise requires, the following expressions have the following meanings:
"Adequate Countries" means countries to which transfers of personal data may be made under Article 45 of the UK GDPR without specific authorisation, by virtue of adequacy regulations which are in force pursuant to Section 17A of the Data Protection Act 2018.
A full list of such countries may be found here:
"Client" means the entity identified as “Client” in the Principal Agreement;
"Client Personal Data" means any personal data to be processed by a Contracted Processor on behalf of the Client pursuant to or in connection with the Principal Agreement;
"Contracted Processor" means the Service Provider or any of its Sub-processors;
“data controller”, “data processor”, “data subject”, “personal data”, “personal data breach” and “processing” have the same meaning as set out in the Data Protection Legislation;
"Data Protection Legislation" means any data protection legislation from time to time in force in the United Kingdom including, but not limited to, the Data Protection Act 2018, any legislation which succeeds or supplements that Act, the UK GDPR and, for as long as and to the extent that the law of the European Union has legal effect in the United Kingdom, the General Data Protection Regulation (EU) 2016/679 (“the GDPR”) as well as any other directly applicable European Union data protection or privacy regulations;
"Portal" means the Service Provider’s secure web portal via which the Services are provided;
"Services" means the services provided to the Client by the Service Provider, as defined in the Principal Agreement;
"Sub-processor" means any person or entity appointed by or on behalf of a Contracted Processor to process personal data on behalf of the Client in connection with the DPA;
"Supervisory Authority" means the Information Commissioner’s Office (ICO); and
"UK GDPR" means the General Data Protection Regulation (EU) 2016/679 as incorporated in United Kingdom law by virtue of Section 3 of the European Union (Withdrawal) Act 2018.
- Unless the context otherwise requires, each reference in this DPA to:
- “writing”, and any cognate expression, includes a reference to any communication effected by electronic transmission or similar means;
- a statute or a provision of a statute is a reference to that statute or provision as amended or re-enacted at the relevant time;
- a Schedule is a schedule to this DPA;
- a Clause or Paragraph is a reference to a Clause of this DPA (other than the Schedules) or a Paragraph of the relevant Schedule; and
- a "Party" or the "Parties" refer to the parties to this DPA.
- The headings used in this DPA are for convenience only and have no effect upon the interpretation of the DPA.
- Words importing the singular number include the plural and vice versa.
- References to any gender include the other gender.
- References to persons include corporations.
- Scope and Roles
- The provisions of this DPA apply when personal data is processed by the Service Provider on behalf of the Client.
- In the context of this DPA:
- the Service Provider acts as a data processor; and
- the Client may act as either a data controller or a data processor.
- Processing of Client Personal Data
- Both Parties shall comply with the Data Protection Legislation in the processing of Client Personal Data.
- The Client instructs the Service Provider to process Client Personal Data in order to facilitate the provision of the Services.
- The Service Provider shall:
- not process Client Personal Data other than on the documented instructions of the Client, including in respect of international transfers, unless required to do so by law to which the Service Provider is subject;
- promptly comply with any request from the Client requiring the Service Provider to amend, transfer, delete, or otherwise dispose of Client Personal Data;
- keep complete and accurate records and information concerning all processing activities carried out on Client Personal Data in order to demonstrate its compliance with this DPA; and
- immediately inform the Client if instructions given by the Client pursuant to Clause 3.3.1, in the opinion of the Service Provider, contravene the Data Protection Legislation.
- Data Processor Personnel
- The Service Provider shall take reasonable steps to ensure the reliability of any employee, agent or contractor of any Contracted Processor who may have access to the Client Personal Data, ensuring in each case that access is strictly limited to those individuals who need to access the relevant Client Personal Data, as strictly necessary for the purposes of the Principal Agreement, and to comply with the Data Protection Legislation in the context of that individual’s duties to the Contracted Processor, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.
- Security
- Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Service Provider shall in relation to Client Personal Data implement appropriate technical and organisational measures, as set out in Schedule 3, to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the UK GDPR.
- In assessing the appropriate level of security, the Service Provider shall take account of the risks that are presented by processing, in particular from a personal data breach.
- Sub-processing
- By virtue of this DPA, the Service Provider has the Client’s general written authorisation for the engagement of Sub-processors. The list of Sub-processors already authorised by the Client can be found in Schedule 1. The Service Provider shall inform the Client of any intended changes concerning the addition or replacement of Sub-processors at least 30 days in advance, thereby giving the Client the opportunity to object to such changes prior to the engagement of the concerned Sub-processor(s).
- The Service Provider shall comply with the requirements of Article 28(2) and (4) of the UK GDPR when engaging a Sub-processor.
- Data Subject Rights
- Taking into account the nature of the processing, and to the extent practicable, the Service Provider shall assist the Client by implementing appropriate technical and organisational measures, for the fulfilment of Client obligations as reasonably understood by the Client, to respond to requests from data subjects to exercise their rights under the Data Protection Legislation.
- The Service Provider shall:
- notify the Client promptly, and in any event within 72 hours, if it receives a request from a data subject under any Data Protection Legislation in respect of Client Personal Data; and
- ensure that it does not respond to that request except on the documented instructions of the Client or as required by applicable laws to which the Service Provider is subject, in which case the Service Provider shall, to the extent permitted by law, inform the Client of that legal requirement before responding to the request.
- Personal Data Breach
- The Service Provider shall notify the Client without undue delay, and in any event within 24 hours, upon becoming aware of a personal data breach affecting Client Personal Data, providing the Client with sufficient information to allow the Client to meet any obligations to report, or inform data subjects of, the personal data breach under the Data Protection Legislation.
- The Service Provider shall cooperate with the Client and take reasonable commercial steps as are directed by Client to assist in the investigation, mitigation and remediation of each such personal data breach.
- Data Protection Impact Assessment and Prior Consultation
- The Service Provider shall provide reasonable assistance to the Client with any data protection impact assessments, and prior consultations with Supervisory Authorities or other competent data privacy authorities, which the Client reasonably considers to be required by Article 35 or 36 of the UK GDPR or equivalent provisions of any other Data Protection Legislation, in each case solely in relation to processing of Client Personal Data by, and taking into account the nature of the processing and information available to, the Contracted Processors.
- Deletion of Client Personal Data
- Unless agreed otherwise by the Parties, following the end of the provision of Services under the Principal Agreement and subject to Clause 10.2, the Service Provider shall delete and procure the deletion of all Client Personal Data, including copies, according to the Data Retention Plan in Schedule 2.
- In the event that retention of Client Personal Data is required by law, the Service Provider shall not delete the Client Personal Data but shall inform the Client of such requirements in writing.
- Audit Rights
- Subject to this Clause 11, the Service Provider shall make available to the Client upon written request all information necessary to demonstrate compliance with this DPA, and shall allow for and contribute to audits, including inspections, by the Client or an auditor mandated by the Client in relation to the processing of Client Personal Data by the Contracted Processors.
- The information and audit rights of the Client only arise under this Clause 11 to the extent that the DPA does not otherwise give the Client information and audit rights meeting the relevant requirements of the Data Protection Legislation.
- Data Transfer
- The Service Provider shall not transfer or authorise the transfer of Client Personal Data to countries outside the United Kingdom and the Adequate Countries without the prior written consent of the Client.
- In the event that adequacy regulations pursuant to Section 17A of the Data Protection Act 2018 cease to be in force in respect of any of the Adequate Countries, the Service Provider shall immediately halt any transfer of Client Personal Data to such countries and shall inform the Client. The Service Provider shall not resume any transfer of Client Personal Data to such countries without the prior written consent of the Client.
- In the event that personal data processed under this DPA is transferred to a country outside the United Kingdom and Adequate Countries, the Parties shall ensure that such personal data is adequately protected according to Chapter V of the UK GDPR.
- General Terms
- Confidentiality. Each Party shall keep this DPA and information it receives about the other Party and its business in connection with this DPA (“Confidential Information”) confidential, and shall not use or disclose that Confidential Information without the prior written consent of the other Party except to the extent that:
- disclosure is required by law to which the disclosing Party is subject; or
- the relevant information is already in the public domain through no fault of the disclosing Party.
- Notices. All notices and communications given under this DPA must be in writing and in accordance with the provisions of Clause 19 of the Principal Agreement.
SCHEDULE 1: Sub-processors
- Approved Sub-processors
The Client agrees that the Service Provider may engage the following sub-processors with respect to the processing of Client Personal Data:
| Name | Description | Location | Appropriate Safeguards |
| --- | --- | --- | --- |
| Amazon Web Services (AWS) | Hosting services for the Portal | UK | N/A |
| MongoDB Atlas | Database services for the Portal | UK | N/A |
SCHEDULE 2: Nature and Purpose of Processing
- Subject Matter
- The subject matter of Client Personal Data is determined solely by the Client.
- The source material provided by the Client to the Service Provider will be:
- in the case of the Service Provider’s Live Notetaking service, a live meeting or other similar event captured in real time by the Service Provider; or
- in the case of any other of the Service Provider’s transcription services, recorded audio or video files uploaded to the Portal (“Media Files”).
- Duration
The processing of Client Personal Data will continue for the term of the Principal Agreement, subject to the Data Retention Plan set out in Paragraph 7.
- Nature of the Processing
The nature of the processing is as required in order for the Service Provider to provide the Services to the Client, and may include (without limitation):
- collection;
- recording;
- storage;
- adaptation or alteration;
- transcription;
- pseudonymisation;
- anonymisation; and
- erasure.
- Purpose of the Processing
The purpose of the processing is to produce typed transcripts (“Transcripts”) from the source material described in Paragraph 1.2.
- Categories of Personal Data
The categories of personal data are determined solely by the Client, and may include (without limitation):
- personally identifiable information, such as name, address, telephone number, email address, National Insurance number, or any other identifiers;
- information relating to data subjects’ gender and physical characteristics;
- information relating to data subjects’ employment;
- information relating to data subjects’ activities and interests; and
- special categories of personal data, including (without limitation):
- information relating to data subjects’ racial or ethnic origin;
- information relating to data subjects’ health; and
- information relating to data subjects’ political opinions, religious beliefs, or philosophical beliefs.
- Categories of Data Subject
The categories of data subject are determined solely by the Client, and may include (without limitation):
- employees of the Client;
- sub-contractors of the Client;
- customers of the Client;
- interested parties related to the Client’s projects or work; and
- members of the public involved in the Client’s projects or work.
- Data Retention Plan
- The Service Provider shall automatically delete Client Personal Data according to the following schedule:
- for Media Files, 60 days after upload to the Portal; and
- for Transcripts, 12 months after the delivery of the completed Transcript.
- Notwithstanding Paragraph 7.1, the Client may delete Client Personal Data manually via the Portal at any time after the delivery of the completed Transcript.
SCHEDULE 3: Technical and Organisational Data Protection Measures
- The Service Provider shall ensure that, in respect of all Client Personal Data, it maintains security measures to a standard appropriate to:
- the harm that might result from unlawful or unauthorised processing or accidental loss, damage, or destruction of the Client Personal Data; and
- the nature of the Client Personal Data.
- In particular, the Service Provider shall:
- have in place, and comply with, a security policy which:
- defines security needs based on a risk assessment;
- allocates responsibility for implementing the policy to a specific individual or personnel;
- is provided to the Client on or before the commencement of the Principal Agreement;
- is disseminated to all relevant staff; and
- provides a mechanism for feedback and review;
- ensure that appropriate security safeguards and virus protection are in place to protect the hardware and software which is used in processing the Client Personal Data in accordance with best industry practice;
- prevent unauthorised access to the Client Personal Data;
- protect the Client Personal Data using pseudonymisation, where it is practicable to do so;
- ensure that its storage of Client Personal Data conforms with best industry practice such that the media on which Client Personal Data is recorded (including paper records and records stored electronically) are stored in secure locations and access by personnel to Client Personal Data is strictly monitored and controlled;
- have secure methods in place for the transfer of Client Personal Data whether in physical form (for example, by using couriers rather than post) or electronic form (for example, by using TLS 1.3 protocols for transfer of Client Personal Data via the Portal);
- password protect all computers and other devices on which Client Personal Data is stored, ensuring that all passwords are secure (following the latest guidance issued by the National Cyber Security Centre), and that passwords are not shared under any circumstances;
- take reasonable steps to ensure the reliability of personnel who have access to the Client Personal Data;
- have in place methods for detecting and dealing with breaches of security (including loss, damage, or destruction of Client Personal Data) including:
- the ability to identify which individuals have worked with specific Client Personal Data;
- having a proper procedure in place for investigating and remedying breaches of the Data Protection Legislation; and
- notifying the Client as soon as any such security breach occurs;
- have a secure procedure for backing up all electronic Client Personal Data and storing back-ups separately from originals;
- have a secure method of disposal of unwanted Client Personal Data including for back-ups, disks, print-outs, and redundant equipment; and
- adopt such organisational, operational, and technological processes and procedures as are required to comply with the requirements of ISO/IEC 27001:2013, as appropriate to the Services provided to the Client.