1. Interpretation
1.1 For the purpose of this Schedule:
“Customer” means the person, firm or company who purchases the services from Majenta.
“Data Protection Legislation” means Data Protection Act 2018, the EU Data Protection Directive 95/46/EC, the GDPR, the Privacy and Electronic Communications (EC Directive) Regulations 2003 and all applicable laws and regulations relating to the processing of personal data and privacy, as amended, extended or re-enacted from time to time, including where applicable, any guidance notes and codes of practice issued by the European Commission and applicable national Regulators including the United Kingdom Information Commissioner;
“Majenta” means Majenta Solutions Limited (company number 03056978), a company registered in England with its registered office and main trading address at 3 Argosy Court, Scimitar Way, Whitley Business Park, Whitley , Coventry, CV3 4GA, England;
“GDPR” means the EC Regulation 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data;
“Regulator” means any regulatory body with responsibility for ensuring compliance with Data Protection Legislation; and
“Security Breach” means accidental or deliberate, unauthorised or unlawful acquisition, destruction, loss, alteration, corruption, access, use or disclosure of personal data processed under this agreement or breach of Majenta’s security obligations under this Agreement.
1.2 In this agreement, references to “data controller”, data processor”, “processing”, “data protection officer” and “personal data” and “personal data breach” shall have the same meaning as defined in Data Protection Legislation.
1.3 Annex 1 sets out the subject matter and duration of the processing; nature and purpose of the processing; the type of personal data being processed; and the categories of data subject.
1.4 The parties agree that in respect of any personal data processed in connection with this agreement that Customer shall be the “data controller” and Majenta shall be the “data processor”.
2. Obligations
2.1 Each party shall, in respect of the personal data, comply with those obligations applicable to it under the Data Protection Legislation.
2.2 Majenta shall, at its own expense (except where otherwise expressly stated in this agreement) and without prejudice to its other rights or obligations, in respect of its processing of such personal data:
a) process the personal data only to the extent, and in such a manner, as is necessary for the purposes of this agreement and in accordance with the Customer’s written instructions from time to time. Majenta shall not process or permit the processing of the personal data for any other purpose unless such processing is required by the European Union or a law of a Member State to which Majenta is subject, in which case Majenta shall notify the Customer in advance of its intention to carry out such processing and allow the Customer the opportunity to object (unless that law prohibits such information on important grounds of public interest).;
b) only make copies of the personal data to the extent reasonably necessary (which may include back-up, mirroring (and similar availability enhancement techniques), security, disaster recovery and/or testing of the data);
c) not extract, re-utilise, use, exploit, redistribute, re-disseminate, copy, store or otherwise process the personal data other than as permitted under the terms of this agreement;
d) only permit access to the personal data to those of Majenta’s personnel who require such access in order to carry out their roles in the performance of Majenta’s obligations under this agreement, and ensure the reliability of all such personnel who have access to the personal data and shall in particular ensure that any person authorised to process the personal data in connection with this agreement is subject to a duty of confidentiality that at a minimum is materially equivalent to the duty of confidentiality imposed on Majenta under or in connection with this agreement;
e) comply with the obligations applicable to data processors under Data Protection Legislation, including where applicable, the obligation to maintain records of processing activities, appointing a data protection officer, and the provisions of the Customer’s IT and data security policies as notified to Majenta in advance;
f) not do anything or omit to do anything that may put the Customer in breach of its obligations under Data Protection Legislation and take such steps and provide the Customer with such cooperation and assistance as the Customer may reasonably request from time to time to enable the Customer to comply with Data Protection Legislation;
g) having regard to the state of technological development and the cost of implementing any measures, take appropriate technical and organisational measures against the unauthorised or unlawful processing of data and against the accidental loss or destruction of, or damage to data, to ensure a level of security appropriate to: (a) the harm that might result from such unauthorised or unlawful processing or accidental loss, destruction or damage of the data; and (b) the nature of the data to be protected. Such measures shall include: (i) pseudonymisation and anonymisation of the personal data, where possible; (ii) having the ability to ensure the on-going confidentiality, integrity, availability and resilience of Majenta’s systems; (iii) having the ability to restore the availability and access to the personal data in a timely manner in the event of a physical or technical incident; (iv) having a process of regularly testing, assessing, and evaluating the effectiveness of the technical and organisational measures referred to in this agreement; and (v) the measures set out in the Customer’s security policies notified to Majenta from time to time and any code of conduct and/or certification mechanism approved by the Regulator relating to security measures, in each case as may be amended from time to time;
h) assist the Customer by using appropriate technical and organisational measures in responding to, and complying with, requests from data subject. In particular, Majenta shall immediately comply with any request from the Customer requiring Majenta at its cost to amend, transfer or delete the personal data, either during or after the term of this agreement;
i) provide the Customer with full co-operation and assistance in relation to the Customer’s obligations and rights under Data Protection Legislation, including its obligations to keep personal data secure, providing the Customer and Regulators (as applicable) with all information and assistance necessary to investigate Security Breaches and where relevant notify the relevant Regulators and/or affected data subjects of the relevant Security Breach, carry out data privacy impact assessments (“DPIA”), consult with the relevant Regulator where a DPIA indicates there is a high risk that cannot be mitigated, or otherwise to assess or demonstrate compliance by the parties with Data Protection Legislation;
j) without undue delay and in any event within 24 hours of becoming aware notify the Customer in writing, and provide such co-operation, assistance and information as the Customer may reasonably require, if Majenta:
(i) receives any complaint, notice or communication which relates directly or indirectly to the processing of the personal data under this agreement or to either party’s or any member of the Customer’s group compliance with Data Protection Legislation;
(ii) becomes aware of any Security Breach or personal data breach relating to the processing of personal data under this agreement.;
k) keep a written record of data processing carried out in the course of the services and of its compliance with its obligations set out in this agreement (“Records”);
l) permit the Customer, its third-party representatives or a Regulator or its third party representatives, on reasonable notice during normal business hours, but without notice in case of any reasonably suspected breach of this agreement by Majenta, access to inspect, and take copies of, the Records and any other information held at Majenta’s or on Majenta’s systems relating to this agreement, for the purpose of auditing Majenta’s compliance with its obligations under this agreement. Majenta shall give all necessary assistance to the conduct of such audits;
m) not engage any processor to process data (or otherwise sub-contract or outsource the processing of any data to a third party) without the prior written consent of the Customer acting in its sole discretion.
n) return or destroy (as directed in writing by the Customer) all personal data in relation to this agreement that it has in its possession and promptly delete existing copies unless applicable law requires storage of the personal data. If the Customer elects for destruction rather than return of the personal data, the Customer shall as soon as reasonably practicable ensure that all of the personal data is destroyed and deleted from Majenta’s systems and provide written confirmation of compliance with this clause within 14 days of the Customer’s election; and
o) not transfer the personal data outside the United Kingdom (as relevant) without the prior written consent of the Customer, which can be withheld at the sole discretion of Customer, and subject to any additional Customer requirements.
ANNEX 1
Data Processing Services
1. Subject Matter and Duration of Processing
Details of:
– the subject matter and duration of the processing: it is necessary for Majenta to process personal data in order to provide Services under this agreement for the duration of this agreement.
– the type of personal data being processed: names, business addresses, emails, telephone numbers, job roles/functions).
– the categories of data subject: personnel of Customer, personnel of Customer’s clients
– processing restrictions: only make copies of the data to the extent reasonably necessary (which, for clarity, includes back-up, mirroring (and similar availability enhancement techniques), security, disaster recovery and testing of the data) and not extract, re-utilise, use, exploit, redistribute, re-disseminate, copy or store the Data other than permitted under the terms of this agreement.
2. Nature and Purpose of the Processing
Details of the nature and purpose of the processing: Majenta may be required to access, receive, generate, store or otherwise process personal data in order to provide the Services, and for communicating with the Customer.
3. Location of the Processing
The data is held on Majenta’s CRM and the MX Portal.