Schedule 2: Data Processing Addendum
1. Definitions
The following definitions will apply in this Schedule and the Agreement:
Applicable Data Protection Law: means, as relevant, a) the UK GDPR, Data Protection Act 2018 and the GDPR, or b) the Gramm-Leach-Bliley Act.
Controller: shall have the meaning given in the UK GDPR and the GDPR.
Data: as defined in paragraph 2 of this Schedule 2.
Data Subject: shall have the meaning given in the UK GDPR and the GDPR.
EEA: the European Economic Area.
EU Model Clauses: the controller-to-processor standard contractual clauses approved by the European Commission under Decision 2021/914.
GDPR: EU General Data Protection Regulation (Regulation 2016/679).
Permitted Purpose: has the meaning given to it in paragraph 2 of this Schedule 2.
Personal Data: shall have the meaning given in Applicable Data Protection Law and for the purposes of this Agreement shall refer to Personal Data only Processed in relation to this Agreement.
Process / Processing / Processor: shall have the meaning given in the UK GDPR and the GDPR.
Security Incident: as defined in paragraph 5 to this Schedule 2.
Special Categories of Personal Data: shall have the meaning given in the UK GDPR and the GDPR.
UK GDPR: as defined in section 3(10) (as supplemented by section 205(4)) of the Data Protection Act 2018.
2. Appointment
Client (the Controller) appoints Codat as a Processor to Process Personal Data (specifically, limited business contact details and business financial and transactional information that is contained in the Company Data) (the “Data”) for the purposes described in this Agreement (or as otherwise agreed in writing by the parties), which shall include instructing Codat to aggregate and anonymise the Data as required to produce non-Personal Data that Codat can use to provide support to the Client and for generic product development purposes (the “Permitted Purpose”). Each party shall comply with the obligations that apply to it under Applicable Data Protection Law. If Codat becomes aware that Processing for the Permitted Purpose infringes Applicable Data Protection Law, it shall promptly inform the Client.
3. Special Categories of Personal Data
Client shall not disclose (and shall not permit any Data Subject to disclose) any Special Categories of Personal Data to Codat for Processing.
4. Transfers outside of the EEA
In relation to Personal Data governed by the GDPR or UK GDPR, Codat shall not transfer the Data outside of the UK or European Economic Area unless it has taken such measures as are necessary to ensure the transfer is in compliance with Applicable Data Protection Law. Where so required to ensure that the transfer occurs in compliance with Applicable Data Protection Law, the parties agree that they shall enter into the relevant EU Model Clauses.
5. Confidentiality of Personal Data
Codat shall ensure that any person it authorises to Process the Data shall protect the Data in accordance with Codat’s confidentiality obligations under these Conditions.
6. Technical and Organisational Measures
Codat shall implement technical and organisational measures to protect the Data (i) from accidental or unlawful destruction, and (ii) loss, alteration, unauthorised disclosure of, or access to the Data (a “Security Incident”).
7. Third Party Processors
Client consents to Codat engaging third party subprocessors to Process the Data for the Permitted Purpose provided that: (i) Codat maintains an up-to-date list of its subprocessors at https://www.codat.io/privacy-policy/, which it shall update with details of any change in subprocessors at least 10 days prior to any such change; (ii) Codat imposes data protection terms on any subprocessor it appoints that require it to protect the Data to the standard required by Applicable Data Protection Law; and (iii) Codat remains liable for any breach of this clause that is caused by an act, error or omission of its subprocessor. Client may object to Codat’s appointment or replacement of a subprocessor prior to its appointment or replacement, provided such objection is based on reasonable grounds relating to data protection. In such event, Codat will either not appoint or replace the subprocessor or, if this is not possible, Codat may suspend or terminate this Agreement (without prejudice to any fees incurred by Client prior to suspension or termination).
8. Data Subject Access Request
Codat shall provide reasonable and timely assistance to Client (at Client’s expense) to enable Client to respond to: (i) any request from a Data Subject to exercise any of its rights under Applicable Data Protection Law (including its rights of access, correction, objection, erasure and data portability, as applicable); and (ii) any other correspondence, enquiry or complaint received from a Data Subject, regulator or other third party in connection with the Processing of the Data. In the event that any such request, correspondence, enquiry or complaint is made directly to Codat, Codat shall promptly inform Client providing full details of the same.
9. Data Protection Impact Assessments
Codat shall provide reasonable cooperation to Client (at Client’s expense) in connection with any data protection impact assessment that may be required under Applicable Data Protection Law.
10. Security Incidents
If it becomes aware of a confirmed Security Incident, Codat shall inform Client without undue delay and shall provide reasonable information and cooperation to Client so that Client can fulfil any data breach reporting obligations it may have under (and in accordance with the timescales required by) Applicable Data Protection Law. Codat shall further take any such reasonably necessary measures and actions to remedy or mitigate the effects of the Security Incident and shall keep Client informed of all material developments in connection with the Security Incident.
11. Approvals
Client warrants that the Client has obtained all necessary approvals or consents required by Applicable Data Protection Law to permit the disclosure of any Personal Data to, or its use by, Codat for the purposes set out in this Agreement.