Data Processing Agreement
PLEASE READ THIS DATA PROCESSING AGREEMENT CAREFULLY as it forms a contract between the Company and the Service Provider.
The Services Agreement between the Company and the Service Provider may require that the Service Provider processes personal data. This Data Processing Agreement together with its schedule(s) specifies the obligations of the parties when the Service Provider acts as a processor. Unless otherwise specifically stated in the Services Agreement, this Data Processing Agreement automatically applies to and governs the processing of Company Personal Data by the Service Provider in accordance with the Services Agreement.
This Data Processing Agreement (the “DPA”) is effective as of the effective date of the applicable Services Agreement.
BETWEEN
The Company and the Service Provider as defined below:
Each a “party” and together the “parties”.
1. Introduction
(1.1) These terms govern the transfer of Personal Data between the Company and the Service Provider and the processing of that Personal Data under a Services Agreement, pursuant to which the Service Provider provides to the Company certain Services.
(1.2) Except as modified by this DPA, the Services Agreement shall remain in full force and effect.
2. Interpretation
(2.1) In this DPA, unless the context otherwise requires, the headings shall not affect its interpretation and the following words shall have the meanings set forth below.
(a) “Company” means the legal entity of HSP Group’s customer that is party to the applicable Services Agreement and who has engaged with the Service Provider for the provision of various Services.
(b) “Company Personal Data/Personal Data” means the Personal Data processed by the Service Provider in connection with and in the provision of the Services to the Company.
(c) “Data Protection Laws” means the laws applicable to the processing of Personal Data, including but not limited to, as relevant:
The EU General Data Protection Regulation (Regulation (EU) 2016/679) and the UK General Data Protection Regulation pursuant to the UK Data Protection Act 2018 (together the “GDPR”).
All other data privacy legislation as shall be applicable in those countries whose residents have Company Personal Data that is processed by the Service Provider.
(d) “Data Subject” shall mean a natural person whose personal information/data is processed;
(e) “Effective Date” shall mean the date first above referenced;
(f) “Personal Data” shall mean the personal information of a natural person whose data is processed;
(g) “Personal Data Breach” shall mean any misappropriation or use in contradiction of this DPA of the Personal Data;
(h) “Standard Contractual Clauses” means the applicable module of the EU Standard Contractual Clauses along with any addendums to the UK International Data Transfer Agreement issued by the UK Information Commissioner relating thereto, in each case, as set forth in Schedule 2;
(i) “Services” means any services provided by the Service Provider to the Company under the Services Agreement;
(j) “Services Agreement” means any agreement signed between the parties pursuant to which the Service Provider provides Services to the Company. This includes but is not limited to the Master Services Agreement, Engagement Letter, Statements of Work, any other related agreement or a combination of the above between the parties;
(k) “Service Provider” means the HSP Group legal entity that is party to the applicable Services Agreement and who has engaged with the Company for the provision of various Services.
3. Term
(3.1) This DPA shall come into full force and effect on the Effective Date and shall continue in full force and effect during the term of the Services Agreement. Both the Service Provider’s and the Company’s obligations of confidentiality and compliance with the Data Protection Laws shall continue in full force and effect at all times and shall survive the termination of the Services Agreement for whatever reason.
4. Processing Obligations
(4.1) The Service Provider acknowledges and agrees that it will receive and process Company Personal Data only in order to provide the Services (and/or as otherwise set forth in Schedule 1) and perform its obligations under this DPA and the Services Agreement, and for no purpose other than necessarily ancillary purposes connected with the Services.
(4.2) The Service Provider shall:
(4.2.1) only process Company Personal Data in accordance with the Company’s documented instructions (which may be specific instructions or instructions of a general nature or as otherwise provided by Company to the Service Provider from time to time). The Service Provider acknowledges that the Company Personal Data is disclosed to it solely for the limited and specified purposes set out in the Services Agreement and shall at all times be processed on the basis of complete confidentiality and subject always to compliance with the Data Protection Laws.
(4.2.2) provide appropriate training to its personnel with respect to the correct handling of Company Personal Data so as to minimise the risk of Personal Data Breaches and to ensure full compliance with Data Protection Laws.
(4.2.3) not transfer Company Personal Data to a third country without the express prior consent of the Company, unless required or permitted to do so by applicable law. There must in any event be appropriate safeguards in place between the Service Provider and any permitted sub-processor and at least the equivalent level of privacy protection shall be provided by the Service Provider and any permitted sub-processor as would be required to be provided by the Company.
(4.2.4) where transfers of Personal Data are made by the Company to the Service Provider from within the EU/UK to a third country where no adequacy decision applies, such transfers shall be deemed to be validated and in accordance with the GDPR by incorporation of the Standard Contractual Clauses as set forth in Schedule 2 of this DPA, or through the operation of the EU/UK-US Data Privacy Framework (DPF) or such other validating mechanism as may be in force from time to time, as relevant and applicable.
(4.2.5) use, reproduce or otherwise process any Company Personal Data collected only in connection with providing the Services or otherwise as provided in Clause 4.1 above; and
(4.2.6) not modify, amend or alter the contents of the Company Personal Data, except as directed by the Company.
(4.3) The Service Provider agrees to allow the Company to take such steps as may be reasonable and appropriate from time to time to help ensure that the Service Provider uses the Company Personal Data in a manner consistent with its business obligations.
(4.4) The Service Provider shall immediately notify the Company should it make a determination that it can no longer meet any of its obligations to the Company whether of a contractual nature under this DPA or pursuant to the requirements of applicable Data Protection Laws. In these circumstances the Service Provider shall at the option of the Company either delete all Company Personal Data or return it to the Company immediately upon request subject at all times to the ongoing obligations of confidentiality and compliance referred to in Clause 3.1 above and subject at all times to longer retention as required by law.
(4.5) The Service Provider shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk to the security of Company Personal Data from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Company Personal Data, in accordance with the Service Provider’s obligations under Data Protection Laws (the “Security Measures”).
(4.6) Without limiting the Service Provider’s other obligations under Clause 4, the Service Provider:
(4.6.1) may disclose Company Personal Data to its personnel but only those who:
(1.) need to know for the purpose of providing the Services (and only to that extent);
(2.) have been trained in accordance with Clause 4.2.2;
(3.) are subject to a legal obligation to keep the Company Personal Data confidential.
(4.7) If the Service Provider or its respective personnel are required by law and/or an order of any court of competent jurisdiction or any applicable regulatory, judicial or governmental body to disclose the Company Personal Data, the Service Provider shall, except where prohibited by law, first:
(4.7.1) give the Company notice of the details of the proposed disclosure;
(4.7.2) give the Company a reasonable opportunity to take any steps it considers necessary to protect the confidentiality of the Company Personal Data including but not limited to seeking such judicial redress as the Company may see fit in the circumstances;
(4.7.3) give any assistance reasonably required by the Company to protect the confidentiality of the Company Personal Data; and
(4.7.4) inform the proposed recipient that the information is confidential Company Personal Data.
(4.8) Without limiting the Service Provider’s other obligations under this DPA and/or the Services Agreement, the Service Provider may, subject to notification to the Company, appoint a third party acting on behalf of the Service Provider (each a “Permitted Sub-processor”) to process Company Personal Data provided that:
(4.8.1) any Permitted Sub-processors are bound by terms which are the same as or equivalent to the terms of this DPA by which the Service Provider is bound.
(4.9) Where the Service Provider engages a Permitted Sub-processor in accordance with Clause 4.8 to carry out a specific processing activity on behalf of the Company, the Service Provider shall ensure that its obligations under this DPA where relevant shall also apply to that Permitted Sub-processor and be included in the written legal agreement appointing that Permitted Sub-processor.
(4.10) The Company hereby approves the use of those third party Permitted Sub-processors identified in Service Provider’s External Data Protection Policy.
(4.11) The Service Provider shall remain strictly liable to the Company for processing by any Sub-Processors as if the processing was being conducted by the Service Provider.
5. Assistance
(5.1) The Service Provider shall co-operate with the Company to the extent necessary to enable the Company to comply with any requests of any relevant national data protection authority or any other competent supervisory or other regulatory authority in respect of the Company Personal Data.
(5.2) In particular, the Service Provider shall at no additional cost to the Company (unless unreasonable in scope or unreasonably incurred):
(5.2.1) make available to the Company all information reasonably necessary to demonstrate compliance with the obligations set out in applicable Data Protection Laws and allow for and contribute to audits, including inspections, conducted by the Company or another auditor mandated by the Company during normal working hours;
(5.2.2) immediately inform the Company upon becoming aware if, in its reasonable opinion, an instruction given or request made by the Company infringes Data Protection Laws;
(5.2.3) taking into account the nature of the processing, provide such reasonable assistance (including by using appropriate technical and organisational measures) as the Company may require for the fulfilment of the Company’s obligations to respond to requests for exercising a Data Subject’s rights under the Data Protection Laws;
(5.2.4) provide such reasonable co-operation and assistance as the Company may require to enable the Company to comply with its obligations under Data Protection Laws;
(5.2.5) provide such reasonable support to the Company as appropriate regarding the Company’s obligations to provide information about the collection, processing or usage of Company Personal Data to a Data Subject; and
(5.2.6) deal promptly and properly with all enquiries from the Company reasonably made relating to its processing of the Company Personal Data.
6. Information Obligations
(6.1) The Service Provider will without undue delay notify the Company about any request received directly from Data Subjects relating to Company Personal Data, providing full details of the request.
7. Personal Data Breach
(7.1) If the Service Provider becomes aware of any Personal Data Breach including that it or any person is accessing, using, disclosing or otherwise processing any Company Personal Data in contravention of this DPA or Data Protection Laws (or has done so), the Service Provider shall without undue delay give the Company notice of the full details of the breach, including the relevant facts, its effects and any remedial action taken by the Service Provider and shall respond promptly with any further information the Company may require.
(7.2) In the event that it is not possible to provide the Company with the full details of the Personal Data Breach as required under Clause 7.1 the Service Provider shall supply to the Company the full information required under Clause 7.1 above as soon as reasonably possible thereafter.
8. Return or Destruction of Personal Data
(8.1) The Service Provider, upon reasonable request by the Company upon termination of Services or any part of the Services (or otherwise for good reason as requested by the Company) shall:
(8.1.1) cease using, copying, disclosing or otherwise in any way processing any Company Personal Data relating to the Service or Services terminated and promptly return all such Company Personal Data to the Company; and/or
(8.1.2) if requested by the Company, securely destroy all copies of the Company Personal Data received and/or processed by it under this DPA unless applicable law or regulation requires the storage of the Company Personal Data for a longer period.
9. Termination
(9.1) This DPA shall automatically terminate in the event that the Services Agreement is terminated or otherwise expires, for whatever reason.
10. Entire agreement
(10.1) This DPA and the Services Agreement constitute the whole agreement between the parties relating to data protection and supersede any previous agreements, arrangements or understandings between them relating to their subject matter.
(10.2) In the event of any inconsistency or ambiguity between the terms of this DPA and the terms of the Services Agreement in relation to the processing of Personal Data, the terms of this DPA shall prevail, unless the Services Agreement states otherwise.
11. Modifications to this Agreement
The Service Provider reserves the right to update and/or modify this DPA from time to time without notice, provided that such changes are not adverse in any material aspect with respect to the Company’s rights or Service Provider’s obligations. Except as stated above, any supplementary agreements or amendments to this DPA must be made in writing and signed by both parties.
12. Waiver
No failure or delay by a party to exercise any right or remedy provided under this DPA or by law shall constitute a waiver of that or any other right or remedy, nor shall it prevent or restrict the further exercise of that or any other right or remedy. No single or partial exercise of such right or remedy shall prevent or restrict the further exercise of that or any other right or remedy.
13. Invalidity and severability
Each and every obligation under this DPA shall be treated as a separate obligation and shall be severally enforceable as such, and in the event of any obligation or obligations being found by any authority of competent jurisdiction to be invalid or unenforceable, such invalidity or unenforceability shall not affect the other provisions or parts of such provisions of this DPA, all of which shall remain in full force and effect.
14. Governing Law / Jurisdiction
This DPA shall in all respects be governed by and construed in accordance with the governing law and jurisdiction set out in the applicable Services Agreement.
SCHEDULE 1 – DATA PROCESSING
Schedule 1 (Data Processing) includes but is not limited to the following:
Categories of Data Subjects: The personal data transferred concern the following categories of data subjects: employees, account holders, service users, website visitors and representatives and/or as otherwise required to render the contracted service and/or as otherwise identified in rendering the contracted service.
Categories of Personal Data Transferred: The personal data transferred concern the following categories of data: personal data of employees, customer account holders, service users, website visitors and representatives of partners and/or as otherwise required to render the contracted service and/or as otherwise identified in rendering the contracted service.
Sensitive Data Transferred: See above.
Frequency of Transfer: As described in the Services Agreement.
Nature of the Processing: To provide the Services as described in the Services Agreement.
Purpose of the Processing: To provide the Services as described in the Services Agreement.
Period Personal Data Will Be Retained: For the Term of the Services Agreement or as otherwise required by law.
Subprocessors: As detailed in Clauses 4.8 to 4.11 of the DPA.
SCHEDULE 2 – CROSS BORDER TRANSFERS
Module 2: Controller-to-Processor
- The parties agree that Module Two (Controller to Processor) of the Standard Contractual Clauses is hereby incorporated by reference and shall apply to any EEA/UK Transfer where the EEA/UK Transfer is effected by the Company as the Controller of the Data and HSP as the Processor of the Data.
- Clause 7 of the Standard Contractual Clauses (Docking Clause) shall not apply.
- The GENERAL WRITTEN AUTHORISATION in Clause 9 of the Standard Contractual Clauses shall apply, and the method for appointing and time period for prior notice of Sub-Processor changes shall be as set forth in the DPA.
- In Clause 11 of the Standard Contractual Clauses, the optional language will not apply.
- In Clause 13 of the Standard Contractual Clauses, the third paragraph of subsection (a) shall apply.
- In Clause 17 of the Standard Contractual Clauses, Option 1 shall apply, and the Parties agree that the Standard Contractual Clauses shall be governed by the laws of Spain.
- In Clause 18(b) of the Standard Contractual Clauses, disputes will be resolved before the courts located in Barcelona.
- Annex I.A of the Standard Contractual Clauses shall be completed as follows:
Data Exporter: HSP or the Company as applicable.
Contact details: As detailed in the Services Agreement.
Data Exporter Role: Module Two: Controller.
Signature and Date: By entering into the Services Agreement which incorporates the DPA by reference, Data Exporter is deemed to have signed these Standard Contractual Clauses incorporated herein, including their Annexes, as of the effective date of the Services Agreement.
Data Importer: HSP or the Company as applicable.
Contact details: As detailed in the Services Agreement.
Data Importer Role: Module Two: Processor.
Signature and Date: By entering into the Services Agreement which incorporates the DPA by reference, Data Importer is deemed to have signed these Standard Contractual Clauses incorporated herein, including their Annexes, as of the effective date of the Services Agreement.
- Annex I.B of the Standard Contractual Clauses shall be completed as set forth in Schedule 1 of the DPA. In relation to transfers to Sub-Processors, the subject matter, nature, and duration of the processing is set forth in the DPA.
- Annex I.C of the Standard Contractual Clauses shall be completed as follows:
The competent supervisory authority in accordance with Clause 13 is the supervisory authority in the Member State stipulated in Section 7 above (or, in the case of UK Transfers, as set forth in Section 11 immediately below, the competent supervisory authority is the UK Information Commissioner).
- The parties agree that Part 2: Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of those Mandatory Clauses (as such terms are defined in that Approved Addendum) (the “UK Mandatory Clauses”) are hereby incorporated by reference into the Standard Contractual Clauses, together with any other necessary conforming changes to the Standard Contractual Clauses, and shall apply to any UK Transfer where the UK Transfer is effectuated by the Company as the Controller of the Data and HSP as the Processor of the Data.
- Table 4 referenced in the UK Mandatory Clauses is not applicable to either party.