LOVE, LIGHT AND VISION LIMITED
DATA PROCESSING ADDENDUM
Love, Light and Vision Limited (the “Service Provider”) and the counterparty agreeing to these terms (the “Member”) have entered into a Service Agreement or other written or electronic agreement (collectively, the “Service”) provided by Love, Light and Vision Limited (the “Main Agreement”). This Data Processing Addendum, including the appendices (the “DPA”), forms part of the Main Agreement.
This Data Processing Addendum will be effective, and replace any previously applicable terms relating to their subject matter (including any data processing amendment, agreement or addendum relating to the Service), from the date on which the Member clicked to accept or the parties otherwise agreed to this Data Processing Addendum (“DPA Effective Date”).
If you are accepting this Data Processing Addendum on behalf of the Member, you warrant that: (a) you have full legal authority to bind the Member to this Data Processing Addendum; (b) you have read and understand this Data Processing Addendum; and (c) you agree, on behalf of the Member, to this Data Processing Addendum. If you do not have the legal authority to bind the Member, please do not accept this Data Processing Addendum.
DATA PROCESSING TERMS
The parties have agreed to enter into this DPA in order to ensure that adequate safeguards are put in place with respect to the protection of such Personal Data as required by UK Data Protection Laws. Accordingly, the Service Provider agrees to comply with the following provisions with respect to any Personal Data submitted by or for the Member to the Service Provider or collected and processed by or for the Member using the Service.
1. The following definitions are used in this DPA:
- “Adequate Country” means a country or territory that is recognized under UK Data Protection Laws as providing adequate protection for Personal Data;
- “Affiliate” means, with respect to a party, any corporate entity that, directly or indirectly, Controls, is Controlled by, or is under Common Control with such party (but only for so long as such Control exists);
- “The Service Provider Group” means the Service Provider and any of its Affiliates;
- “Member Group” means the Member and any of its Affiliates established and/or doing business in the United Kingdom;
- “UK Data Protection Laws” means all laws and regulations of the United Kingdom, applicable to the processing of Personal Data under the Main Agreement, including (where applicable) the Data Protection Act (DPA) 2018, the UK GDPR and The Privacy and Electronic Communications (EC Directive) Regulations 2003;
- “Personal Data” means all data which is defined as ‘personal data’ under UK Data Protection Laws and to which UK Data Protection Laws apply and which is provided by the Member to the Service Provider, and accessed, stored or otherwise processed by the Service Provider as a data processor as part of its provision of the Service to the Member; and
- “processing”, “data controller”, “data subject”, “supervisory authority” and “data processor” shall have the meanings ascribed to them in UK Data Protection Laws.
- An entity “Controls” another entity if it: (a) holds a majority of the voting rights in it; (b) is a member or shareholder of it and has the right to remove a majority of its board of directors or equivalent managing body; (c) is a member or shareholder of it and controls alone or pursuant to an agreement with other shareholders or members, a majority of the voting rights in it; or (d) has the right to exercise a dominant influence over it pursuant to its constitutional documents or pursuant to a contract; and two entities are treated as being in “Common Control” if either controls the other (directly or indirectly) or both are controlled (directly or indirectly) by the same entity.
2. Status of the parties
2.1 The type of Personal Data processed pursuant to this DPA and the subject matter, duration, nature and purpose of the processing, and the categories of data subjects, are as described in Annex 1.
2.2 Each party warrants in relation to Personal Data that it will comply (and will ensure that any of its staff comply and use commercially reasonable efforts to ensure that its sub-processors comply) with UK Data Protection Laws. As between the parties, the Member shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which the Member acquired
2.3 In respect of the parties’ rights and obligations under this DPA regarding the Personal Data, the parties hereby acknowledge and agree that the Member is the data controller or processor, and the Service Provider is a data processor or sub-processor, as applicable, and accordingly the Service Provider agrees that it shall process all Personal Data in accordance with its obligations pursuant to this DPA.
2.4 If the Member is a data processor, the Member warrants to the Service Provider that the Member’s instructions and actions with respect to the Personal Data, including its appointment of the Service Provider as another processor, have been authorised by the relevant controller.
2.5 Where and to the extent that the Service Provider processes data which is defined as ‘personal data’ under UK Data Protection Laws as a data controller as set out in the Service Provider’s Data Protection Policy, the Service Provider will comply with applicable UK Data Protection Laws in respect of that processing.
2.6 Each party shall appoint an individual within its organisation authorised to respond from time to time to enquiries regarding the Personal Data and each party shall deal with such enquiries promptly.
3. The Service Provider’s obligations
3.1 With respect to all Personal Data, the Service Provider warrants that it shall:
(a) only process Personal Data in order to provide the Service, and shall act only in accordance with: (i) this DPA, (ii) the Member’s written instructions as represented by the Main Agreement and this DPA, and (iii) as required by applicable laws;
(b) upon becoming aware, inform the Member if, in the Service Provider’s opinion, any instructions provided by the Member under clause 3.1(a) infringe the UK GDPR;
(c) implement appropriate technical and organisational measures to ensure a level of security appropriate to the risks that are presented by the processing of Personal Data, in particular protection against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data. Such measures include, without limitation, the security measures set out in Annex 2;
(d) take reasonable steps to ensure that only authorised staff have access to such Personal Data and that any persons whom it authorises to have access to the Personal Data are under obligations of confidentiality;
(e) without undue delay after becoming aware, notify the Member of any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed by the Service Provider, its sub-processors, or any other identified or unidentified third party (a “Security Breach”);
(f) promptly provide the Member with reasonable cooperation and assistance in respect of a Security Breach and all reasonable information in the Service Provider’s possession concerning such Security Breach insofar as it affects the Member, including the following to the extent then known:
(i) the possible cause and consequences for the Data Subjects of the Security Breach;
(ii) the categories of Personal Data involved;
(iii) a summary of the possible consequences for the relevant data subjects;
(iv) a summary of the unauthorised recipients of the Personal Data; and
(v) the measures taken by the Service Provider to mitigate any damage;
(g) not make any public announcement about a Security Breach (a “Breach Notice”) without the prior written consent of the Member, unless required by applicable law;
(h) promptly notify the Member if it receives a request from a data subject to access, rectify or erase that individual’s Personal Data, or if a data subject objects to the processing of, or makes a data portability request in respect of, such Personal Data (each a “Data Subject Request”). The Service Provider shall not respond to a Data Subject Request without the Member’s prior written consent except to confirm that such request relates to the Member, to which the Member hereby agrees. To the extent that the Member does not have the ability to address a Data Subject Request, then upon the Member’s request the Service Provider shall provide reasonable assistance to the Member to facilitate such Data Subject Request to the extent able and in line with applicable law. The Member shall cover all costs incurred by the Service Provider in connection with its provision of such assistance;
(i) other than to the extent required to comply with applicable law, following termination or expiry of the Main Agreement or completion of the Service, at the choice of the Member, the Service Provider will delete or return all Personal Data (and delete copies thereof) processed pursuant to this DPA;
(j) taking into account the nature of processing and the information available to the Service Provider, provide such assistance to the Member as the Member reasonably requests in relation to the Service Provider’s obligations under UK Data Protection Laws with respect to:
(i) data protection impact assessments (as such term is defined in the UK GDPR);
(ii) notifications to the supervisory authority under UK Data Protection Laws and/or communications to data subjects by the Member in response to any Security Breach; and
(iii) the Member’s compliance with its obligations under the UK GDPR with respect to the security of processing;
provided that the Member shall cover all costs incurred by the Service Provider in connection with its provision of such assistance.
4.1 The Member grants a general authorisation: (a) to the Service Provider to appoint other members of the Service Provider Group as sub-processors, and (b) to the Service Provider and other members of the Service Provider Group to appoint third party data centre operators, and outsourced marketing, business, engineering and customer support providers as sub-processors to support the performance of the Service.
4.2 The Service Provider will inform the Member of any intended changes concerning the addition or replacement of other processors prior to them starting sub-processing of Personal Data. If the Member has a reasonable objection to any new or replacement sub-processor, it shall notify the Service Provider of such objections in writing within ten (10) days of the notification and the parties will seek to resolve the matter in good faith. If the Service Provider is reasonably able to provide the Service to the Member in accordance with the Main Agreement without using the sub-processor and decides in its discretion to do so, then the Member will have no further rights under this clause 4.2 in respect of the proposed use of the sub-processor. If the Service Provider requires use of the sub-processor in its discretion and is unable to satisfy the Member as to the suitability of the sub-processor or the documentation and protections in place between the Service Provider and the sub-processor within ninety (90) days from the Member’s notification of objections, the Member may, within thirty (30) days following the end of the ninety (90) day period referred to above, terminate the applicable Order Form and/or Insertion Orders with at least thirty (30) days’ written notice, solely with respect to the service(s) to which the proposed new sub-processor’s processing of Personal Data relates. If the Member does not provide a timely objection to any new or replacement sub-processor in accordance with this clause 4.2, the Member will be deemed to have consented to the sub-processor and waived its right to object. The Service Provider may use a new or replacement sub-processor whilst the objection procedure in this clause 4.2 is in process.
4.3 The Service Provider will ensure that any sub-processor it engages to provide an aspect of the Service on its behalf in connection with this DPA does so only on the basis of a written contract which imposes on such sub-processor terms substantially no less protective of Personal Data than those imposed on the Service Provider in this DPA (the “Relevant Terms“). The Service Provider shall procure the performance by such sub-processor of the Relevant Terms and shall be liable to the Member for any breach by such person of any of the Relevant Terms.
5. Audit and records
5.1 The Service Provider shall, in accordance with UK Data Protection Laws, make available to the Member all information in the Service Provider’s possession or control as the Member may reasonably request that is necessary to demonstrate the Service Provider’s compliance with the obligations of data processors under UK Data Protection Law in relation to its processing of Personal Data, including inspections, conducted by the controller or another auditor mandated by the controller.
6. Data transfers
6.1 The Member acknowledges and accepts that the provision of the Service under the Main Agreement may require the processing of Personal Data by sub-processors in countries outside the EEA.
6.2 If, in the performance of this DPA, the Service Provider transfers any Personal Data to a sub-processor located outside of the EEA (without prejudice to clause 4), the Service Provider shall in advance of any such transfer ensure that a legal mechanism to achieve adequacy in respect of that processing is in place, such as:
(a) the requirement for the Service Provider to execute or procure that the sub-processor execute to the benefit of the Member standard contractual clauses approved by the UK authorities under UK Data Protection Laws; or
(b) the existence of any other specifically approved safeguard for data transfers (as recognised under UK Data Protection Laws).
7.1 This DPA is without prejudice to the rights and obligations of the parties under the Main Agreement which shall continue to have full force and effect. In the event of any conflict between the terms of this DPA and the terms of the Main Agreement, the terms of this DPA shall prevail so far as the subject matter concerns the processing of Personal Data.
7.2 The Service Provider’s liability under or in connection with this DPA (including under the standard contractual clauses set out in Annex 2) is subject to the limitations on liability contained in the Main Agreement.
7.3 This DPA does not confer any third-party beneficiary rights; it is intended for the benefit of the parties hereto and their respective permitted successors and assigns only, and is not for the benefit of, nor may any provision hereof be enforced by, any other person.
7.4 This DPA and any action related thereto shall be governed by and will be construed in accordance with the laws of England and Wales.
7.5 This DPA is the final, complete and exclusive agreement of the parties with respect to the subject matter hereof and supersedes and merges all prior discussions and agreements between the parties with respect to such subject matter. Other than in respect of statements made fraudulently, no other representations or terms shall apply or form part of this DPA. No modification of, amendment to, or waiver of any rights under the DPA will be effective unless in writing and signed by an authorised signatory of each party. This DPA may be executed in counterparts, each of which shall be deemed to be an original, but all of which, taken together, shall constitute one and the same agreement. Each person signing below represents and warrants that he or she is duly authorised and has legal capacity to execute and deliver this DPA. Each party represents and warrants to the other that the execution and delivery of this DPA, and the performance of such party’s obligations hereunder, have been duly authorised and that this DPA is a valid and legally binding agreement on each such party, enforceable in accordance with its terms.
Annex 1: Details of the Personal Data and processing activities
(a) The personal data will comprise: directly personally identifiable information including but not limited to name, mailing address, telephone number, email address, and indirectly identifying data, such as online identifiers and IP addresses shared by video uploads to the Service Provider’s website made by the Member. The Member and/or other partners may provide content to the Service Provider which may include personal data and special categories of data, the extent of which is determined and controlled by the Member in its sole discretion. Such special categories of data include, but may not be limited to, information revealing racial or ethnic origins, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of data concerning an individual’s health or sex life.
(b) The duration of the processing will be: until the earliest of (i) expiry/termination of the Main Agreement, or (ii) the date upon which processing is no longer necessary for the purposes of either party performing its obligations under the Main Agreement (to the extent applicable);
(c) The processing will comprise: processing necessary to provide the Service to the Member, pursuant to the Main Agreement;
(d) The purpose(s) of the processing is/are: necessary for the provision of the Service;
(e) Personal data may concern the following data subjects:
- Prospective customers, customers, resellers, referrers, business partners, and vendors of the Member (who are natural persons);
- Employees or contact persons of the Member’s prospective customers, customers, resellers, referrers, sub-processors, business partners, and vendors (who are natural persons);
- Employees, agents, advisors, and freelancers of the Member (who are natural persons); and/or
- Natural persons authorised by the Member to use the Service.
Annex 2: Security measures
- Data importer/sub-processor has implemented and shall maintain a security program in accordance with industry standards.
- More specifically, data importer/sub-processor’s security program shall include:
Access Control of Processing Areas
Data importer/sub-processor implements suitable measures in order to prevent unauthorised persons from gaining access to the data processing equipment (namely telephones, database and application servers and related hardware) where the personal data are processed or used, including:
- establishing security areas;
- protection and restriction of access paths;
- establishing access authorizations for employees and third parties, including the respective documentation;
- all access to the data centre where personal data are hosted is logged, monitored, and tracked; and
- the data centre where personal data are hosted is secured by a security alarm system, and other appropriate security measures.
Access Control to Data Processing Systems
Data importer/sub-processor implements suitable measures to prevent their data processing systems from being used by unauthorised persons, including:
- use of adequate encryption technologies;
- identification of the terminal and/or the terminal user to the data importer/sub-processor and processing systems;
- automatic temporary lock-out of user terminal if left idle, identification and password required to reopen;
- automatic temporary lock-out of the user ID when several erroneous passwords are entered, log file of events, monitoring of break-in-attempts (alerts); and
- all access to data content is logged, monitored, and tracked.
Access Control to Use Specific Areas of Data Processing Systems
Data importer/sub-processor commits that the persons entitled to use their data processing system are only able to access the data within the scope and to the extent covered by their respective access permission and that personal data cannot be read, copied or modified or removed without authorization. This shall be accomplished by various measures including:
- employee policies and training in respect of each employee’s access rights to the personal data;
- allocation of individual terminals and/or terminal user, and identification characteristics exclusive to specific functions;
- monitoring capability in respect of individuals who delete, add or modify the personal data;
- release of data only to authorised persons, including allocation of differentiated access rights and roles;
- use of adequate encryption technologies; and
- control of files, controlled and documented destruction of data.
Data importer/sub-processor implements suitable measures to ensure that personal data are protected from accidental destruction or loss, including:
- infrastructure redundancy; and
- backup is stored at an alternative site and available for restore in case of failure of the primary system.
Data importer/sub-processor implements suitable measures to prevent the personal data from being read, copied, altered or deleted by unauthorised parties during the transmission thereof or during the transport of the data media. This is accomplished by various measures including:
- use of adequate firewall, VPN and encryption technologies to protect the gateways and pipelines through which the data travels;
- certain highly confidential employee data (e.g., personally identifiable information such as National ID numbers, credit or debit card numbers) is also encrypted within the system;
- providing user alert upon incomplete transfer of data (end to end check); and
- as far as possible, all data transmissions are logged, monitored and tracked.
Data importer/sub-processor implements suitable input control measures, including:
- an authorisation policy for the input, reading, alteration and deletion of data;
- authentication of the authorised staff;
- protective measures for the data input into memory, as well as for the reading, alteration and deletion of stored data;
- utilisation of unique authentication credentials or codes (passwords);
- providing that entries to data processing facilities (the rooms housing the computer hardware and related equipment) are kept locked;
- automatic log-off of user IDs that have not been used for a substantial period of time;
- proof established within data importer/sub-processor’s organisation of the input authorization; and
- electronic recording of entries.
Separation of Processing for different Purposes
Data importer/sub-processor implements suitable measures to ensure that data collected for different purposes can be processed separately, including:
- access to data is separated through application security for the appropriate users;
- modules within the data importer/sub-processor’s database separate which data is used for which purpose, i.e. by functionality and function;
- at the database level, data is stored in different normalized tables, separated per module, per Controller, Member or function they support; and
- interfaces, batch processes and reports are designed for only specific purposes and functions, so data collected for specific purposes is processed separately.
Data importer/sub-processor will keep documentation of technical and organisational measures in case of audits and for the conservation of evidence. Data importer/sub-processor shall take reasonable steps to ensure that persons employed by it, and other persons at the place of work concerned, are aware of and comply with the technical and organisational measures set forth in this Appendix 2.
Data importer/sub-processor shall implement suitable measures to monitor access restrictions to data importer/sub-processor’s system administrators and to ensure that they act in accordance with instructions received. This is accomplished by various measures including:
- individual appointment of system administrators;
- adoption of suitable measures to register system administrators’ access logs to the infrastructure and keep them secure, accurate and unmodified for at least six months;
- yearly audits of system administrators’ activity to assess compliance with assigned tasks, the instructions received by the data importer/sub-processor and applicable laws;
- keeping an updated list with system administrators’ identification details (e.g. name, surname, function or organisational area) and tasks assigned and providing it promptly to data exporter upon request.