This Data Processing Addendum (this “Addendum”) supplements and forms part of the general Terms and Conditions (the “Agreement”) between Fern Technologies Ltd (the “Provider”) and the Customer (each a "party" and collectively the "parties").
“Controller”, “Processor”, “Data Subject”, “Personal Data” and “Processing” shall have the respective meaning given to them in the “Data Protection Laws” (and related terms such as “Process”, “Processes” and “Processed” shall have corresponding meanings).
|Customer Personal Data||means the Personal Data Processed by the Provider as Processor on behalf of the Customer in connection to the services described in the Agreement|
|Sub-Processor||means another Processor engaged by the Provider for carrying out Processing activities in respect of Customer Personal Data|
|Data Protection Laws||means all laws and regulations relating to data protection and privacy as applicable to the Parties and/or to the Processing of Personal Data under this Agreement, including without limitation, the EU General Data Protection Regulation 2016/679 (“GDPR”), the GDPR in such form as incorporated into the laws of the United Kingdom (“UK GDPR”), the Data Protection Act 2018, and any associated implementing legislation and regulations, in each case, as in force and applicable, and as amended, supplemented or replaced from time to time|
|EU SCCs||means the EU Standard Contractual Clauses approved by European Commission Decision 2021/914 on 4 June 2021.|
|UK SCCs||means the UK International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, Version B1.0, in force from March 21, 2022.|
|Ex EEA Transfer||means the export of personal data to a country or territory outside the EEA other than a country or territory ensuring an adequate level of protection of personal data as determined by the European Commission.|
|Ex UK Transfer||means the export of personal data to a country or territory outside the UK and such transfer is not governed by an adequacy decision made by the Secretary of State in the UK in accordance with the relevant provisions of the UK GDPR and the Data Protection Act 2018.|
2. Processing of Data
- The parties agree and acknowledge that with respect to the Processing of Customer Personal Data, the Provider acts as a Processor on behalf of the Customer, which acts as a Controller.
- Customer retains control of the personal data and remains responsible for its compliance obligations under the applicable Data Protection Laws, including providing any required notices and obtaining any required consents, and for the processing instructions it gives to us.
- The Provider shall process Data in accordance with the Controller’s instructions and shall not process Data for any other purpose.
- The Customer authorizes the Provider to engage Sub-Processors, as defined in Annex A (”Sub-Processor List”), to process Data on its behalf. The Provider shall notify the Controller of any intended changes concerning the addition or replacement of Sub-Processors.
- The Provider shall ensure that any Sub-Processor is subject to the same data protection obligations as the Provider.
4. Data Subject Rights
- The Provider shall assist the Controller in responding to requests from Data Subjects exercising their rights under the General Data Protection Regulation (“GDPR”).
- The Provider shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in the GDPR and to allow the Controller to carry out data protection impact assessments and prior consultations with supervisory authorities in accordance with Articles 36, 37 and/or 57 of the GDPR.
The Provider shall not transfer Customer Personal Data to any party in a country not deemed adequate for the transfer of Personal Data by the European Commission (for transfer concerning the EEA) and the equivalent UK authority (for transfers concerning the UK), including permitting access to Customer Personal Data from any party in such countries, without the prior written consent of the Customer, unless:
the transfer/access is to a Sub-Processor as set out in Annex A or appointed in accordance with Clause 3 of this DPA; and
the transfer/access is in compliance with Data Protection Laws (including having in place appropriate transfer safeguards as applicable).
- Where the transfer involves an Ex UK Transfer, such transfer shall be governed by the UK SCCs, or such other legally recognized transfer method in force
- Where the transfer involves an Ex EEA Transfer, such transfer shall be governed by the EU SCCs
6. Security & Data Breaches
- The Provider shall take appropriate technical and organizational measures to protect Data against unauthorized or unlawful processing and against accidental loss, destruction or damage.
- The Provider will notify Customer without undue delay after becoming aware of any Data Breach and provide reasonable information in its possession to assist Customer as required under Applicable Data Protection Law.
The Provider shall, on request from the Customer, make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in the GDPR and allow for audits, including inspections, by the Controller or an auditor mandated by the Controller. For the avoidance of doubt such audits shall be limited to once per calendar year. Any additional audit under this clause (in excess of the once per calendar year limitation) shall be at the cost of the Customer, and the Provider may charge the Customer at its standard time-based charging rates for any work performed by the Provider at the request of the Customer pursuant to this clause.
Annex A: Sub-Processor List
View our list of sub-processors