Schedule 1: Data Processing Schedule
This Schedule forms part of and should be read in conjunction with Leads5050’s Terms of Service. To the extent that Leads5050 is processing Customer Personal Data (as defined below) as part of the Service, the terms contained in this Schedule will apply.
In respect of all processing of Customer Personal Data carried out pursuant to this Schedule the parties agree that Leads5050 is the processor and that you (as the customer) are the controller.
The parties shall comply with and process all Customer Personal Data in accordance with applicable Data Protection Legislation.
2. Relevant Definitions
Under this Schedule, capitalized terms shall have the meanings given below:
“Applicable Law” means (i) any and all laws, statutes and regulations that apply to the performance and supply of the Service or the processing of Customer Personal Data, and (ii) the terms and conditions of any applicable approvals, consents, exemptions, filings, licences, authorities, permits, registrations or waivers issued or granted by, or any binding requirement, instruction, direction or order of, any applicable government department, authority or agency having jurisdiction in that matter.
“Customer Personal Data” means personal data provided or made available by you to Leads5050, or collected or created for you, in connection with the Service.
“Data Protection Legislation” means all Applicable Laws and binding codes of practice applicable to the processing of personal data including the GDPR.
“DP Losses” means all liabilities, including all:
- costs (including legal costs), claims, demands, actions, settlements, ex-gratia payments, charges, procedures, expenses, losses and damages (including relating to material and non-material damage); and
- to the extent permitted by Applicable Law:
- administrative fines, penalties, sanctions, liabilities or other remedies imposed by a court or regulatory authority;
- compensation to a data subject ordered by a court or regulatory authority; and
- the costs of compliance with investigations by a regulatory authority.
“GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data as applicable as of 25 May 2018, as may be amended from time to time.
“Permitted Data Transfers” means transmission of data through a network, or any communication, copying or transmission of Personal Data from one medium to another, irrespective of the type of support, where the Personal Data are intended to be processed and/or stored in a Third Country.
“Processing Instructions” has the meaning set out in clause 3(a) of this Schedule.
“Security Incident” means the accidental or unlawful destruction, loss, alteration or unauthorized disclosure of, or access to, Customer Personal Data while in the custody of Leads5050 or a Sub-Processor.
“Sub-Processor” means another processor engaged by Leads5050 for carrying out processing activities in respect of the Customer Personal Data on your behalf.
“Third Country” means all states that are not members of the European Economic Area (EEA) or which have not been recognized by the European Commission as providing an adequate level of protection for Personal Data.
“controller”, “data subject”, “personal data”, “processing” and “processor” have the meanings set out in the GDPR (and related terms such as “process” have corresponding meanings).
3. Leads5050’s obligations as processor
3.1 In relation to your use of the Service, Leads5050 shall:
- unless Applicable Law requires otherwise, only process the Customer Personal Data on and in accordance with your documented instructions as set out under or in connection with these Terms of Service (“Processing Instructions”);
- unless prohibited by Applicable Law, notify you if Applicable Law requires us to process Customer Personal Data other than in accordance with Processing Instructions (such notification to be given before such processing commences); and
- notify you if, in our opinion, the processing of Customer Personal Data in accordance with Processing Instructions infringes Data Protection Legislation.
3.2 Leads5050 may engage a Sub-Processor to carry out processing activities in the provision of the Service or to fulfil certain obligations of Leads5050 under the Terms of Service. In the event of the addition of a new Sub-Processor or replacement of an existing Sub-Processor in respect of such processing activities, and where Leads5050 is required by Data Protection Legislation to inform you of those changes Leads5050 will give you at least ten (10) working days’ prior notice, in order to give you the opportunity to reasonably object to such changes during such notice period. You may object to Leads5050 appointment or replacement of a Sub-Processor prior to its appointment or replacement, provided such objection is based on reasonable grounds relating to data protection. In such event, Leads5050 will either not appoint or replace the Sub-Processor or, if this is not reasonably possible, in Leads5050’s sole discretion, you may suspend or terminate your subscription without penalty (without prejudice to any fees incurred by you up to and including the date of suspension or termination).
3.3 Where Leads5050 authorizes a Sub-Processor as described in Clause 3.2 above, Leads5050 will enter into a contract or other legal act with the Sub-Processor and will impose upon the Sub-Processor substantially the same legal obligations as under this Schedule to the extent required by Data Protection Legislation and that the Sub-Processor is carrying out the relevant processing activities. Where the Sub-Processor fails to fulfil its data protection obligations under such contract or legal act, Leads5050 shall remain liable to you for the performance of that Sub-Processor’s obligations.
3.4 After the business purposes for which the Customer Personal Data was processed have been fulfilled (or earlier upon your written request) we shall, at your option, either delete or return all Customer Personal Data and delete any existing copies of the same (unless storage of such copies is required by Applicable Law).
You warrant and represent to Leads5050 that:
- we are entitled to process the Customer Personal Data pursuant to these Terms of Service for the purpose of providing the Service and such use will comply with Data Protection Legislation;
- all Customer Personal Data provided by you to us is necessary, accurate and up-to-date;
- all Processing Instructions shall at all times be in accordance with Data Protection Legislation; and
- you are satisfied that:
- our processing operations are suitable for the purposes for which you propose to use the Services and engage us to process the Customer Personal Data; and
- we have sufficient expertise, reliability, and resources to implement technical and organizational measures that meet the requirements of Data Protection Legislation.
- implement and maintain for the duration of your subscription to the Service appropriate technical and organizational measures intended to protect the Customer Personal Data against accidental, unauthorized or unlawful access, disclosure, alteration, loss, damage or destruction; and
- take reasonable steps to ensure that its personnel do not process the Customer Personal Data other than in accordance with Processing Instructions (unless required to do so by Applicable Law) and are obligated to maintain the security and confidentiality of the Customer Personal Data to which they have access.
We shall, without undue delay, notify you if we become aware of a Security Incident and shall (at your expense) provide such further information and assistance as you reasonably require in handling and responding to such notifications in accordance with our obligations under Data Protection Legislation.
7. Inspections and Assistance with Regulators
Subject to reasonable written advance notice from you or as may otherwise be required by law we shall:
- permit you to conduct (and shall contribute to) audits and inspections of its systems and processes in relation to the processing of the Customer Personal Data subject to you ensuring:
- that such audit or inspection is undertaken during normal business hours and with minimal disruption to our business; and
- that all information obtained or generated by you or your auditor(s) in connection with such audits and inspections is kept strictly confidential (save for disclosure to a regulatory authority or as otherwise required by Applicable Law);
- give you such information as is reasonably necessary to verify that we are in compliance with our obligations under Data Protection Legislation; and
- co-operate and assist you with any data protection impact assessments and consultations with or investigations by any regulatory authority that you reasonably consider are relevant pursuant to Data Protection Legislation in relation to the Customer Personal Data.
The cost of such audit, inspection, provision of information or data protection impact assessment shall be borne by you. You may require us to conduct an audit or inspection of the Sub-Processor’s systems and processes in relation to the processing of the Customer Personal Data. The cost of such an audit or inspection shall be borne by you.
Furthermore, should there be any disruption to our standard operation as a result of an audit, then the cost of such disruption will be borne by you.
8. Indemnity and Limitation of Liability
- Subject to the limitation in clause 8(b) of this Schedule, you shall indemnify and keep us indemnified in respect of all DP Losses suffered or incurred by, awarded against or agreed to be paid by, us and any Sub-Processor arising from or in connection with any:
- non-compliance by you with Data Protection Legislation;
- processing carried out by us or any Sub-Processor pursuant to any Processing Instruction that infringes Data Protection Legislation; or
- breach by you of any of your obligations under this Schedule and/or the Terms of Service, except to the extent that Leads5050 is liable under clause 8(b) of this Schedule.
- To the maximum extent permitted by Applicable Law, Leads5050’s total aggregate liability to you in contract, tort (including negligence and breach of statutory duty howsoever arising), misrepresentation (whether innocent or negligent), restitution or otherwise, arising in connection with the performance or contemplated performance of this Schedule and/or the Terms of Service or any collateral contract shall in all circumstances be limited to 100% of the fees paid or payable during the 12 months preceding the event triggering clause 8(a) of this Schedule.