"This Data Processing Addendum ("DPA") forms part of the Agreement between Revgentic Ltd ("Revgentic") and the Customer, and governs Revgentic's processing of Personal Data on behalf of the Customer."
THIS DATA PROCESSING ADDENDUM will take effect as of the Effective Date of the Order Form.
For the purposes of this DPA:
"Data Protection Laws" means all applicable data protection and privacy laws, including the UK GDPR and the EU GDPR.
"GDPR" means the General Data Protection Regulation (EU) 2016/679.
"Personal Data" means any information relating to an identified or identifiable natural person that is processed by Revgentic on behalf of the Customer under the Agreement.
"Processing", "Controller", "Processor", "Data Subject", and "Supervisory Authority" have the meanings given in the UK GDPR.
The Customer is the data controller and Revgentic is the data processor in relation to Personal Data processed under the Agreement. Revgentic will process Personal Data only on the Customer's documented instructions and in compliance with Data Protection Laws.
Each party will notify the other without undue delay if it can no longer meet its obligations under this DPA
Each party will identify a contact for data protection matters
With respect to all Personal Data, Revgentic agrees that it will:
only process Personal Data as necessary to provide the Services and only on the Customer's documented instructions
If Revgentic is required by law to process Personal Data outside the Customer's instructions, Revgentic will notify the Customer unless legally prohibited.
implement appropriate technical and organisational measures to ensure a level of security appropriate to the risks that are presented by the processing, in particular, protection against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data in Revgentic's possession or under its control. Such measures include the security measures specified in Revgentic's information security policies;
ensure that its personnel have access to such Personal Data only as necessary to perform the Services in accordance with the Agreement and this DPA, and that any persons whom it authorises to have access to the Personal Data are under obligations of confidentiality and will adhere with the Agreement and this DPA;
Revgentic will notify the Customer without undue delay (and within 48 hours where feasible) upon becoming aware of a Personal Data Breach
Revgentic agrees that it will:
Revgentic will promptly notify the Customer if it believes an instruction infringes Data Protection Laws, and will maintain records of processing activities as required by law.
The Customer authorises Revgentic to use sub-processors. Revgentic will notify the Customer of any material changes to its sub-processor list, and the Customer may object on reasonable data protection grounds. Revgentic remains responsible for the performance of its sub-processors.
Revgentic uses the EU Standard Contractual Clauses and the UK International Data Transfer Addendum for international transfers of Personal Data. These transfer mechanisms are incorporated by reference into this DPA.
If Revgentic receives a request from a Data Subject relating to Personal Data processed on behalf of the Customer, Revgentic will notify the Customer and provide reasonable assistance.
This DPA forms part of the Agreement. If there is a conflict between this DPA and the Agreement, this DPA prevails to the extent of the conflict.