Data Processing Addendum
Introduction
Emizio Limited (“Emizio”, “we”, “us”, “our”) has contracted to provide you (“you”, “your(s)”, “user”) with our cloud-based emissions management software as a service called Emizio (“Services”).
Emizio has agreed to provide Services to you in accordance with the terms of the Terms of Service. In providing these Services, we shall process Customer Personal Data (as defined below) on your behalf. From the date that you agree to the Terms of Service, we will process and protect such Customer Personal Data in accordance with the terms of this Data Protection Addendum for the duration of your subscription to the Services.
You acknowledge that we may process personal data provided by you as a controller to provide the Services. Information regarding our obligations as a controller and your rights as a data subject are set out in our Privacy Policy. For personal data that we process under your instructions, we are a processor, and you hereby confirm that you have all necessary appropriate consents and notices in place to enable lawful transfer of such personal data to us.
1 Definitions and Interpretation
The following definitions and rules of interpretation apply in this DPA.
1.1 Definitions:
"Controller, Data Subject, Personal Data, Personal Data Breach, Processor, Processing/Process/Processed and Supervisory Authority" is as defined in the UK GDPR.
"Data Protection Legislation" means all applicable data protection and privacy legislation in force from time to time in the EU and UK, including Regulation (EU) 2016/679 ("GDPR"); the GDPR as defined in section 3(10) (as supplemented by section 205(4)) of the DPA 2018 ("UK GDPR"); the Data Protection Act 2018 ("DPA 2018"); the Privacy and Electronic Communications Directive 2002/58/EC (as updated by Directive 2009/136/EC); the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426) as amended and any other legislation and regulatory requirements in force from time to time which apply to a party relating to the use of Personal Data.
"Services" means the services to be provided to You by Us under the Agreement including the use or license to use our software as defined under the Agreement.
"Standard Contractual Clauses" means, together, the standard contractual clauses for the transfer of Personal Data to third countries pursuant to the GDPR, adopted by the European Commission under Commission Decision (EU) 2021/914 2021 ("EU SCCs") and the UK International Transfer Addendum to the EU SCCs ("UK Addendum").
1.2 A reference to writing or written includes email but not fax.
1.3 In the case of conflict or ambiguity between:
1.3.1 any provisions contained in the body of this DPA and any provisions contained in the Schedules, the provisions in the body of this DPA will prevail; and
1.3.2 any of the provisions of this DPA and any provisions in the Agreement, the provisions of this DPA will prevail.
2 Personal Data Types and Processing Purposes
2.1 The parties acknowledge that for the purpose of the Data Protection Legislation, You are the Controller and We are the Processor.
2.2 You retain control of the Personal Data and remain responsible for Your compliance obligations under the applicable Data Protection Legislation, including providing any required notices and obtaining any required consents, and for the processing instructions You give to Us.
2.3 You warrant that Our expected use of the Personal Data for the provision of the Services and as specifically instructed by You will comply with the Data Protection Legislation.
2.4 The Schedules describe the subject matter, duration, nature and purpose of processing and the Personal Data categories and Data Subject types in respect of which We may process Personal Data to fulfil the Services.
3 Your Obligations
You shall:
3.1 have at all times during the term of the Agreement appropriate technical and organisational measures to ensure a level of security appropriate to the risk to protect any Personal Data, and no less than Our measures set out at paragraph 3.12 of Schedule 1;
3.2 provide clear and comprehensible written instructions to Us for the Processing of Personal Data to be carried out under the Agreement;
3.3 ensure that You have all the necessary licences, permissions and consents from Data Subjects;
3.4 ensure that You have an applicable legal basis, for the transfer of Personal Data to Us and to the processing of that Personal Data by Us; and
3.5 indemnify Us against all loss, liability, damages, costs, fees, claims and expenses which We may incur or suffer by reason of any breach of this DPA or the Data Protection Legislation by You.
4 Our Obligations
4.1 We will only process the Personal Data to the extent, and in such a manner, as is necessary for the Services in accordance with Your written instructions. We will not process the Personal Data for any other purpose or in a way that does not comply with this DPA or the Data Protection Legislation. We will immediately notify You if, in Our opinion, Your instruction would not comply with the Data Protection Legislation.
4.2 We will promptly comply with any request or instruction from You requiring Us to amend, transfer, delete or otherwise process the Personal Data, or to stop, mitigate or remedy any unauthorised processing.
4.3 We will maintain the confidentiality of all Personal Data and will not disclose Personal Data to third parties unless You or this DPA specifically authorises the disclosure, or as required by law. If a law, court, regulator or supervisory authority requires Us to process or disclose Personal Data, We will first use reasonable endeavours to inform You of the legal or regulatory requirement and give You an opportunity to object or challenge the requirement, unless the law prohibits such notice.
4.4 We will reasonably assist You with meeting Your compliance obligations under the Data Protection Legislation, taking into account the nature of Our processing and the information available to Us, including in relation to Data Subject rights, data protection impact assessments and reporting to and consulting with supervisory authorities under the Data Protection Legislation.
4.5 We will promptly notify You of any changes to Data Protection Legislation that may adversely affect Our performance of the Services.
4.6 You acknowledge that We are free to use meta-data, statistics and such other information derived from the Personal Data We receive from You which cannot be identified as originating or deriving directly from such Personal Data, and cannot be reverse-engineered by a third party such that it can be so identified, for any purpose whatsoever.
5 Our Employees
5.1 We will ensure that any and all employees:
5.1.1 are informed of the confidential nature of the Personal Data and are bound by confidentiality obligations and use restrictions in respect of the Personal Data;
5.1.2 have undertaken training on the Data Protection Legislation relating to handling Personal Data and how it applies to their particular duties; and
5.1.3 are aware both of Our duties and their personal duties and obligations under the Data Protection Legislation and this DPA.
6 Security
6.1 We will at all times implement appropriate technical and organisational measures against unauthorised or unlawful processing, access, disclosure, copying, modification, storage, reproduction, display or distribution of Personal Data, and against accidental or unlawful loss, destruction, alteration, disclosure or damage of Personal Data including, but not limited to, the security measures set out at paragraph 3.12 of Schedule 1.
6.2 We may update the security measures from time to time, provided they do not result in a reduction in the security over the Personal Data to which they apply. We will maintain an up-to-date written record of Our then-current security measures, which We shall provide to You on request, and review at least on an annual basis to ensure they remain current and complete.
6.3 We will implement such measures to ensure a level of security appropriate to the risk involved, including as appropriate:
6.3.1 the pseudonymisation and encryption of Personal Data;
6.3.2 the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
6.3.3 the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; and
6.3.4 a process for regularly testing, assessing and evaluating the effectiveness of security measures.
7 Personal Data Breach
7.1 We will promptly and without undue delay notify You if any of Your Personal Data is lost or destroyed or becomes damaged, corrupted, or unusable. We will restore such Personal Data at Our own expense.
7.2 We will without undue delay notify You if We become aware of:
7.2.1 any accidental, unauthorised or unlawful processing of Your Personal Data; or
7.2.2 any Personal Data Breach relating to Your Personal Data.
7.3 Where We become aware of an event within the scope of clause 7.2, We shall, without undue delay, also provide You with the following information:
7.3.1 a description of the nature of such event, including the categories and approximate number of both Data Subjects and Personal Data records concerned;
7.3.2 the likely consequences of the event; and
7.3.3 a description of the measures taken or proposed to be taken to address such event, including measures to mitigate its possible adverse effects.
7.4 Immediately following any unauthorised or unlawful Personal Data processing or Personal Data Breach, the parties will co-ordinate with each other to investigate the matter. We will reasonably co-operate with You in Your handling of the matter, including:
7.4.1 assisting with any investigation;
7.4.2 making available all relevant records, logs, files, data reporting and other materials required to comply with all Data Protection Legislation or as otherwise reasonably required by You; and
7.4.3 taking reasonable and prompt steps to mitigate the effects and to minimise any damage resulting from the Personal Data Breach or unlawful Personal Data processing.
7.5 We will not inform any third party of any Personal Data Breach without first obtaining Your prior written consent, except when required to do so by law, to maintain any policy of insurance, or to maintain regulatory or equivalent certifications.
7.6 Subject to clause 7.5 You have the sole right to determine:
7.6.1 whether to provide notice of the Personal Data Breach to any Data Subjects, supervisory authorities, regulators, law enforcement agencies or others, as required by law or regulation or in Your discretion, including the contents and delivery method of the notice; and
7.6.2 whether to offer any type of remedy to affected Data Subjects, including the nature and extent of such remedy.
8 Cross-Border Transfers of Personal Data
8.1 If an adequate protection measure for the international transfer of Personal Data is required under Data Protection Legislation (and has not otherwise been arranged by the parties) the Standard Contractual Clauses shall be incorporated into this Agreement in the Schedules as if they had been set out in full.
8.2 The parties shall ensure that whenever Personal Data is transferred outside the European Economic Area and the United Kingdom ("GDPR Territories") they:
8.2.1 are Processing Personal Data in a territory which is subject to a current finding by the European Commission under the Data Protection Legislation that the territory provides adequate protection for the privacy rights of individuals;
8.2.2 participate in a valid cross-border transfer mechanism under the Data Protection Legislation, so that the parties can ensure that appropriate safeguards are in place to ensure an adequate level of protection with respect to the privacy rights of individuals as required by Article 46 of the GDPR; or
8.2.3 otherwise ensure that the transfer complies with the Data Protection Legislation.
8.3 In the case of any Processing of Personal Data outside of the GDPR Territories as at the date of this DPA, We have identified in the Schedules the relevant transfer mechanism. We will promptly inform You of any change to such mechanisms.
8.4 You authorise Us to enter into the Standard Contractual Clauses with the sub-Processor on Your behalf, if required to ensure the relevant Processing of Personal Data complies with Data Protection Legislation. We will make the executed Standard Contractual Clauses available to You on written request.
9 Complaints, Data Subject Requests and Third-Party Rights
9.1 We will take such technical and organisational measures as may be appropriate, and promptly provide such information to You as You may reasonably require, to enable You to comply with:
9.1.1 the rights of Data Subjects under the Data Protection Legislation, including subject access rights, the rights to rectify and erase Personal Data, object to the processing and automated processing of Personal Data, and restrict the processing of Personal Data; and
9.1.2 information or assessment notices served on You by any supervisory authority under the Data Protection Legislation.
9.2 We will notify You immediately if We receive any complaint, notice or communication that relates directly or indirectly to the processing of the Personal Data or to either party's compliance with the Data Protection Legislation.
9.3 We will notify You without undue delay if We receive a request from a Data Subject for access to their Personal Data or to exercise any of their related rights under the Data Protection Legislation.
9.4 We will give You Our full co-operation and assistance in responding to any complaint, notice, communication or Data Subject request.
9.5 We will not disclose the Personal Data to any Data Subject or to a third party other than at Your request or instruction, as provided for in this DPA or as required by law.
10 Liability
10.1 Our total liability pursuant to this DPA shall be limited to (1) the liability cap in the Agreement or (2) £[5,000], whichever is lower.
11 Term and Termination
11.1 This DPA will remain in full force and effect for so long as We retain any of Your Personal Data related to the Services in Our possession or control.
11.2 Any provision of this DPA that expressly or by implication should come into or continue in force on or after termination of the Services in order to protect Personal Data will remain in full force and effect.
11.3 If a change in any Data Protection Legislation prevents either party from fulfilling all or part of the Services, the parties will discuss in good faith with a view to implementing any changes necessary to ensure the processing of Personal Data complies with the new requirements.
12 Data Return and Destruction
12.1 At Your request, We will give You a copy of or access to all or part of Your Personal Data in Our possession or control in a commonly accessible and electronic format determined by Us.
12.2 On termination of the Services for any reason or expiry of its term, We will promptly securely delete or destroy or, if directed in writing by You, return and not retain, all or any Personal Data related to this DPA in Our possession or control. This requirement shall not apply to Personal Data which We have archived on Our backup systems which are not reasonably accessible, provided that such Personal Data is deleted promptly in the event such backups become reasonably accessible (such as by Us using those backups to restore Our systems).
12.3 Clause 13.2 shall not apply to the extent any law, regulation, or government or regulatory body requires Us to retain any documents or materials that We would otherwise be required to return or destroy.
13 Records
13.1 We will keep detailed, accurate and up-to-date written records regarding any processing of Personal Data We carry out for You ("Records") and provide You with copies of the Records upon request.
14 Audit
14.1 No more than once during any consecutive 12-month period, on Your request We will provide You with the relevant information from Our ISO 27001 audit (which may have been carried out internally or by third-party representatives) to evidence Our compliance with this DPA and provide the summary results to You. You shall be entitled to ask questions of Us related to compliance with Data Protection Legislation in advance of the audit, We shall use Our reasonable endeavours to respond adequately when providing the audit results.
14.2 On Your written request, We will exercise relevant audit rights We have in connection with Our sub-Processors’ compliance with their obligations regarding Your Personal Data, and provide You with a summary of the audit results.
14.3 The audit rights set out at clauses 15.1 – 15.2 are Your only contractual rights (and Our only contractual obligations) in connection with the auditing of Our Processing of Personal Data. Save that nothing in this DPA shall prevent or is intended to undermine the rights and powers granted to Data Subjects or Supervisory Authorities, and accordingly We shall submit to any audits required by a Supervisory Authority or Data Protection Legislation.
SCHEDULE 1
EU SCCs
1 Incorporation of the EU SCCs
1.1 To the extent clause 8.1 applies and the transfer is made pursuant to the GDPR, this Schedule 1 and the following terms shall apply:
1.1.1 Module 4 of the EU SCCs, and no other optional clauses unless explicitly specified, are incorporated into this Schedule 1 as if they had been set out in full in the case where the exporter is a Processor, the importer is a Controller and the transfer requires such additional protection.
2 Clarifications to the EU SCCs
2.1 Module 4 clarifications. To the extent Module 4 of the EU SCCs: (i) paragraphs 3.1 and 3.2 of this Schedule 1 shall be modified to reflect that the exporter is a Processor and the importer is a Controller; (ii) for the purposes of clause 8.1(d) of the EU SCCs, at the end of the provision of the processing services the importer shall delete all Personal Data and shall certify to the exporter that it has done so, if requested to provide such certification by the exporter in writing; and (iii) for the purposes of clauses 17 and 18 of the EU SCCs, the laws and courts of the UK shall apply.
3 Processing Particulars for the EU SCCs
The Parties
3.1 Exporter: Emizio Limited
3.2 Importer: You
Description Of Data Processing
3.3 Categories of data subjects: Employee and Business Partner Data
3.4 Categories of personal data transferred: Employee and Business Partner Data
3.5 Sensitive data transferred: None
3.6 Frequency of the transfer: At least annually
3.7 Nature of the processing: Collection
3.8 Purpose of the processing: Carbon accounting reporting
3.9 Duration of the processing: To be determined
3.10 Sub-Processor Transfers: No sub processors involved
3.11 Competent Supervisory Authority: as set out at paragraph 2.8.
3.12 Technical and Organisational Measures: ISO 27001
SCHEDULE 2
UK ADDENDUM
1. Parties
As set out in Schedule 1.
2. Selected SCCs, Modules and Clauses
2.1. Module 4 only: Personal data received from the importer is combined with personal data collected by the exporter.
3. Appendix Information
The processing details required by the UK Addendum are as set out in Schedule 1, paragraph 3.
4. Termination of the UK Addendum
In the event the template UK Addendum issued by the Information Commissioner's Office and laid before Parliament in accordance with s119A of the DPA 2018 on 2 February 2022, as it is revised under Section 18 is amended, either party may terminate this Schedule 2 on written notice to the other in accordance with Table 4 and paragraph 19 of the UK Addendum and replace it with a mutually acceptable alternative.
