Supplier Data Processing Terms

1. Background and Intention

The company, individual or organisation agreeing to these terms (the “Supplier”), and Quartix Holdings plc, Quartix Limited, Quartix Inc or any other entity that is directly or indirectly controlled by Quartix Holdings plc (as applicable, “Quartix”), have entered into an agreement whereby the Supplier will supply certain Services to Quartix (the “Agreement”).

As part of this Agreement, Quartix may from time to time share Data with the Supplier. Quartix may be acting as a data Controller, in which case the Supplier will be known as a Processor. Quartix may also be acting as a Processor of data on behalf of a Controller, in which case the Supplier will be known as a Sub-Processor.

These data processing and security terms, including their appendices (the “Terms”) will be effective from 25 May 2018 (the “Effective Date”) and will replace any and all data processing and security terms which were previously applicable. These Terms will take precedence should there be any conflict between these Terms and previously applicable terms, including those stipulated in the Agreement.

The intention of these Terms is to ensure there are proper arrangements in place relating to Data passing from Quartix to the Supplier. Any transfer of Data from the Supplier to Quartix is dealt with by Quartix’s Data Processing Terms, which form part of this Agreement and are available at:

In the case of the expiry this link, the Data Processing Terms are available on request or are readily available on the Quartix website.

https://www.quartix.com/en-gb/data-processing-terms/

2. Definitions and Interpretation

Within these Terms:

‘Data Protection Legislation’ means all applicable statutes, laws, secondary legislation, rules, regulations and guidance from a Supervisory Authority (or its UK equivalent) relating to privacy, confidentiality, security, direct marketing or data protection of Personal Data or corporate data (including any national laws implementing any such legislation (including Directives 95/46/EC, 2002/58/EC and 97 /66/EC)), including the Data Protection Act 1998, the Privacy and Electronic Communications (EC Directive) Regulations 2003 (512003/2426), the Regulation of Investigatory Powers Act 2000, the Investigatory Powers Act 2016, the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000 (SI 2000/2699) and the General Data Protection Regulation.

‘Data’ means any data which might be captured by Data Protection Legislation, which includes but is not limited to personal data and sensitive data as defined by GDPR.

‘GDPR’ means the General Data Protection Regulation

‘Services’ means the services provided by the Supplier as part of the Agreement.

‘Controller’ has the meaning given to it in Data Protection Legislation.

‘Data Subject’ has the meaning given to it in Data Protection Legislation.

‘Personal Data’ has the meaning given to it in Data Protection Legislation.

‘Processor’ has the meaning given to it in Data Protection Legislation.

‘Sub-Processor’ has the meaning given to it in Data Protection Legislation.

‘Supervisory Authority’ has the meaning given to it in Data Protection Legislation.

3. Data Processing

Quartix retains control of the Data in all cases. The Supplier will maintain the confidentiality of the Data and agrees to process the Data only in accordance with Data Protection Legislation and the following stipulations:

1. the Supplier shall process the Data(i) only in accordance with the written instructions provided by Quartix;
   (ii) only to the extent and in such a manner as is necessary for its performance of the Services;
   (iii) only in the European Economic Area or the UK, unless the transfer has been authorised in writing by Quartix or is to a country that the European Commission or, in respect of a transfer from the UK, the European Commission or an applicable Supervisory Authority, has decided from time to time ensures an adequate level of protection in accordance with Data Protection Legislation;
   (iv) where applicable, in accordance with the Standard Contractual Clauses (Processors) approved by the European Commission in Commission Decision C(2010)593;
   (v) where applicable, in accordance with the requirements of the EU-US Privacy Shield (or any successor arrangement approved by the European Commission from time to time) and shall hold a valid registration with the US Department of Commerce to that effect.
2. The Supplier shall ensure that all employees and other representatives of the Supplier accessing the Data are(i) aware of these Terms; and
   (ii) have received comprehensive training on the Data Protection Legislation and related good practice; and
   (iii) bound by confidentiality obligations;
3. Quartix and the Supplier have agreed to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. Details of those measures are set out under Appendix A of these Terms and the Supplier shall implement these measures
4. the Supplier shall not involve any third party (including agents and sub-contractors) in the processing of the Data without the written consent of Quartix. Such consent may be withheld at Quartix’s absolute discretion or made subject to such terms as Quartix may in its absolute discretion require, including the need for it to approve the Data Processing Agreement between the Supplier and the third-party;
5. taking into account the nature of the processing, the Supplier shall adopt such technical and organisational measures as are necessary to enable it to, insofar as it is able, assist Quartix to fulfil its obligation to respond to requests from Data Subjects exercising their rights laid down in Chapter III of GDPR – rights to erasure, rectification, access, restriction, portability, object and right not to be subject to automated decision making etc;
6. the Supplier shall provide to Quartix such assistance as it is able to enable Quartix to comply with its obligations under Articles 32 to 36 of GDPR – security, notification of data breaches, communication of data breaches to Data Subjects, data protection impact assessments and when necessary consultation with the ICO (or relevant Supervisory Authority;
7. the Supplier shall maintain a written record of all categories of processing activities carried out on behalf of Quartix, containing all information required under the Data Protection Legislation, and, upon request by Quartix, make this record available to Quartix or any relevant European Union or Member State supervisory authority (and/ or its UK equivalent);
8. the Supplier shall delete the Data as soon as the Data are no longer necessary for the performance of the Services, or otherwise if at any time instructed to do so by Quartix. Where the Supplier is to delete the Data, deletion shall include destruction of all existing copies. The Supplier shall provide certification of destruction of the Data if requested to do so by Quartix;
9. on request of Quartix, the Supplier shall adhere to any applicable code of conduct or certification method approved under the GDPR;
10. the Supplier shall if at any time requested to do so by Quartix immediately make available to Quartix all information necessary to demonstrate compliance with the obligations laid down under these Terms and allow for and contribute to any audits, inspections or other verification exercises required by Quartix;
11. the Supplier shall observe the arrangements relating to the secure transfer of the Data from Quartix to the Supplier and the safe keeping of the Data by the Supplier detailed under Appendix A of these Terms;
12. the Supplier shall maintain the integrity of the Data, without alteration, ensuring that the Data can be separated from any other information created;
13. the Supplier shall if requested to do so by Quartix promptly return, amend, transfer, copy or delete any Data in a format and on media reasonably specified by Quartix.

4. Notice Obligations etc

The Supplier shall notify Quartix and shall procure that its agents and sub-contractors notify Quartix:

1. promptly of any requests received from a Data Subject exercising his or her rights under Data Protection Legislation and if required by Quartix to do so respond to any such requests;
2. immediately on becoming aware of any actual, suspected or threatened loss, leak or unauthorised processing or disclosure of any Data. The Supplier accepts and acknowledges that Quartix shall direct, in its absolute discretion, any and all steps and measures taken to remedy any breach by the Supplier of the Data Protection Legislation, including but not limited to any communications with regulatory bodies. The Supplier agrees not to act in any way upon such disclosure without the prior written consent of Quartix;
3. immediately upon receipt of a notice from any Supervisory Authority, which relates directly or indirectly to the processing of Personal Data and shall cooperate with that Supervisory Authority;
4. promptly if any Personal Data in the possession and/or control of the Supplier is lost, corrupted or rendered unusable for any reason, and shall restore such Personal Data including by using its back up and/ or disaster recovery procedures, at no cost to Quartix.

5. Termination

On the expiry or termination of these Terms or the Agreement (whichever is the earlier), the Supplier shall immediately cease to use, and shall procure that its agents and sub-contractors cease to use, the Data and shall arrange for its safe return or destruction (at Quartix’s option) at the relevant time (unless European Union, Member State and/ or UK law requires storage of the Personal Data).

6. Rights in Personal Data

Neither the Supplier nor its agents or sub-contractors shall acquire rights in or to the Data and the Supplier shall make no use of the Data other than as permitted by these Terms.

7. Liability

The Supplier agrees to indemnify and hold harmless Quartix against any actions, costs, proceedings, liabilities, losses, damages and expenses which Quartix or any company which is in relation to Quartix, its holding company, subsidiary or indirect affiliate of its holding company may suffer or incur as a result of any breach of these Terms by the Supplier and/ or its agents and/ or its sub-contractors.

8. General

1. Subject to Clause 8c, these Terms shall remain in force even after the Supplier has finished providing the Services as part of the Agreement and may be terminated only by written consent of both parties.
2. The Supplier consents to their business name (whether in the form of a Limited Company, Sole Trader, Limited Liability Partnership, Public Limited Company or any other form of organization) being referenced on the Quartix website as a Processor or Sub-Processor of Data.
3. These Terms may be varied only with the written consent of both parties.
4. These Terms represent the entire understanding of the parties relating to necessary legal protections arising out of their relationship under Data Protection Legislation.
5. Each Party irrevocably agrees that the courts of England and Wales shall have exclusive jurisdiction to settle any dispute or claim (including non-contractual disputes or claims) arising out of or in connection with these Terms or its subject matter or formation.
6. The headings and sub-headings within these Terms are for convenience of reference and shall not form part of, or affect the interpretation of, these Terms.
7. If any provision within the Terms is held to be unenforceable or unreasonable it shall, to the extent of such illegality, invalidity, voidness, voidability, unenforceability or unreasonableness, be deemed severable. The remaining provisions of the Terms and the remainder of such provision shall therefore continue in full force and effect.

APPENDIX A

Compliance with Article 32, para 1 of GDPR

1. Consideration of anonymisation, pseudonymisation and encryption.

2. The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and related services.

3. The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.

4. A process for regularly testing, assessing and evaluating the effectiveness of the technical and organisational measures for ensuring the security of the processing.

Compliance with Article 32, para 2 of GDPR

5. In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to data transmitted, stored or otherwise processed.

Compliance with Article 32, para 3 of GDPR

6. Adherence to an approved code of conduct referred to in Article 40 (GDPR) or an approved certification mechanism as referred to in Article 42 (GDPR) may be used as an element by which to demonstrate compliance with the requirements set out in para 1 of GDPR – see above.

Compliance with Article 32, para 4 of GDPR

7. The Supplier to ensure that anyone acting on their behalf does not process any of the Data unless following instructions from Quartix or unless they are required to do so under English law.