Data Processing Agreement
Background
Xtrata is providing services to the Customer where Xtrata is required to process Customer Personal Data to fulfil the Purpose (as defined in the Contract Details).
This Agreement sets out the terms on which Xtrata will process the Customer Personal Data, in accordance with Data Protection Laws.
1. Definitions and Interpretation
In this Agreement, unless the context otherwise requires, the following expressions have the following meanings:
Agreement: refers to this data processing agreement and includes the Contract Details and any Schedules attached to it.
Customer Personal Data: the personal data processed by Xtrata on behalf of the Customer under this Agreement.
Data Protection Laws: all applicable data protection and privacy legislation in force in the United Kingdom, including but not limited to the UK GDPR as defined in section 3(10) of the Data Protection Act 2018, and the Data Protection Act 2018.
Personal Data Breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
Sub-Processor(s): any processor, including any agent, sub-contractor or other third party, engaged by Xtrata (or by any other Sub-Processor) for carrying out any processing activities in respect of the Customer Personal Data.
2. Data Protection Roles and Relationship
The Parties acknowledge that the Customer is the data controller of the Customer Personal Data provided by the Customer to Xtrata and Xtrata is the data processor of the Customer Personal Data.
Both Parties will comply with all applicable requirements of Data Protection Laws in relation to personal data that is shared or processed under this Agreement. This Agreement does not relieve, remove or replace a Party's obligations or rights under applicable Data Protection Laws.
3. Data Processing Obligations
Each Party shall maintain records which indicate how that Party processes personal data under its responsibility. These records will contain at least the minimum information required by the Data Protection Laws and each Party shall make that information available to any DP Regulator on request.
To the extent that Xtrata processes Customer Personal Data on behalf of the Customer, Xtrata shall:
- process that Customer Personal Data only on the documented instructions of the Customer, which shall include processing the Customer Personal Data to the extent necessary for the Purpose, unless Xtrata is otherwise required by applicable laws;
- implement appropriate technical and organisational measures to protect against unauthorised or unlawful processing of Customer Personal Data and against accidental loss or destruction of, or damage to, Customer Personal Data;
- maintain the confidentiality of the Customer Personal Data and not disclose the Customer Personal Data to any third party other than as authorised to do so under this Agreement;
- assist the Customer in responding to any request from a data subject and in ensuring the Customer's compliance with its obligations under applicable Data Protection Laws;
- promptly (and in any event within 24 hours) notify the Customer if it becomes aware of any actual occurrence of any Personal Data Breach in respect of any Customer Personal Data.
4. Sub-Processors
The Customer hereby provides its prior, general authorisation for Xtrata to appoint Sub-Processors to process the Customer Personal Data, provided that Xtrata:
- shall ensure any Sub-Processors will comply with applicable Data Protection Laws, and will comply with terms that are materially similar to those imposed on Xtrata;
- shall remain responsible for the acts and omissions of any such Sub-Processor as if they were the acts and omissions of Xtrata;
- shall inform the Customer of any intended changes concerning the addition or replacement of the Sub-Processors, giving the Customer the opportunity to object to such changes.
5. International Transfers
Xtrata may transfer Customer Personal Data outside of the United Kingdom and European Economic Area as required to process the Customer Personal Data for the Purpose under this Agreement, provided that Xtrata shall ensure that all such transfers are made in accordance with applicable Data Protection Laws.
6. Audit
Xtrata shall maintain complete, accurate and up-to-date written records of all categories of processing activities carried out on behalf of the Customer.
Such records shall include all information necessary to demonstrate its compliance with this Agreement and the information referred to in Articles 30(1) and 30(2) of the UK GDPR.
Xtrata shall make copies of such records available to the Customer promptly on written request by the Customer.
7. Return or Deletion of Personal Data
Upon termination of this Agreement, Xtrata shall, at the Customer's choice, return or delete all Customer Personal Data in its possession or control, unless applicable law requires storage of the Customer Personal Data.
8. Data Protection Impact Assessments
Where the Customer is required to carry out a data protection impact assessment under Data Protection Laws, Xtrata shall provide reasonable assistance to the Customer in carrying out such assessment.
9. Liability and Indemnity
Each Party shall be liable for its own acts and omissions and shall not be liable for the acts and omissions of the other Party.
Each Party shall indemnify the other Party against all claims, costs, damages, losses, liabilities and expenses (including reasonable legal fees) arising out of or in connection with any breach of this Agreement by the indemnifying Party.
10. Term and Termination
This Agreement shall commence on the date it is signed by both Parties and shall continue until terminated in accordance with its terms or until the termination of the main service agreement between the Parties.
11. General
This Agreement shall be governed by and construed in accordance with English law and the Parties submit to the exclusive jurisdiction of the English courts.
For any questions regarding this Data Processing Agreement, please contact us at contact@xtrata.ai.