This Data Processing Agreement (“DPA”), together with any other document referred to within it, is incorporated into and governed by the Terms and Conditions of service (“Customer Terms”) located at: https://www.brightbox.com/legal/terms/
All definitions set out in the Customer Terms shall also apply in this document.
Capitalised terms, unless defined within this document, shall have the meaning given to them in the Customer Terms.
“Applicable Data Protection Legislation” means the UK Data Protection Legislation and (for so long as and to the extent that the law of the European Union has legal effect in the UK), the GDPR and any other directly applicable European Union regulation relating to privacy.
“Customer Personal Data” means any Personal Data which is contained within the Customer Data.
“Data Security Incident” means a breach of data security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to Customer Personal Data.
“DPA Effective Date” means either:
“EEA” means the European Economic Area.
“GDPR” means the EU General Data Protection Regulation 2016/679
“Security Features” means any security related features, functionality or controls which Brightbox may make available to the Customer as part of the Services such as firewalling, access control, public key cryptography, two factor authentication and encryption.
“Sub-processor” means a third party engaged by the Processor to carry out Processing on behalf of the Controller, as described in Applicable Data Protection Legislation.
“Term” the period of time from the DPA Effective Date until the end of the provision of the Services according to clause 8 in the Customer Terms.
“Personal data”, “Data subject”, “Processing”, “Processor”, “Controller”, “Supervisory Authority” where used within this DPA have the meanings given to them in the Applicable Data Protection Legislation.
Both parties agree that, in respect of any Processing of Customer Personal Data through the provision or use of the Services:
(3.1) Each party shall comply with the obligations that apply to it under Applicable Data Protection Legislation.
(3.2) The Customer is either:
Accordingly, Brightbox is a Processor when the Customer is Controller, or a Sub-processor when the Customer is Processor.
(3.3) Customer warrants that if the Customer is not the Controller, that the Customer’s instructions to Brightbox with respect to Customer Personal Data have been authorised by the relevant Controller.
(3.4) The subject matter of the Processing is the provision of the Services by Brightbox to the Customer and related support. The duration of Processing is the Term.
(3.5) The nature and purpose of the Processing is the provision of the Services by Brightbox to the Customer and the Customer’s use of the Services according to the Customer Terms.
(3.6) The type of Personal Data to be Processed is any personal data concerning natural persons contained within the Customer Data uploaded, stored, sent or received by, or on behalf of, the Customer or its end-users through the use or provision of the Services.
(3.7) The Categories of data subjects are the natural persons whose personal data is contained in the Customer Data and may include without limitation: staff, contractors, partners of the Customer or its end-users.
(4.1) Brightbox shall process Customer Personal Data only on the written instruction of the Customer, unless required to do so by applicable law. In such a case, Brightbox will notify the Customer of the legal requirement to process Customer Personal Data unless the law prevents such disclosure.
(4.2) By entering into this DPA, the Customer instructs Brightbox to process Customer Personal Data:
(4.3) Brightbox shall ensure that all staff and subcontractors authorised to process Customer Personal Data are bound by a contractual duty of confidentiality.
(4.4) Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing Brightbox shall implement appropriate technical and organisational measures as described in Appendix 1 (“Brightbox Security Measures”) to protect Customer Personal Data against Data Security Incidents.
The measures shall include, where appropriate, the pseudonymisation and encryption of personal data; the ability to ensure the ongoing confidentiality, integrity, availability and resilience of Brightbox’s systems and services; the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and processes for assessing and evaluating the effectiveness of the security measures.
(4.5) Brightbox shall, in a manner and to the extent consistent with the functionality of the Services, assist the Customer to respond to requests from Data Subjects to exercise their rights in accordance with Applicable Data Protection Legislation by:
(4.5.1) providing the ability for the Customer itself to access, rectify, delete, restrict or export Customer Personal Data;
(4.5.2) responding to any direct request from a Data Subject to exercise their rights regarding Customer Personal Data, by advising the Data Subject to submit the request to the Customer or by notifying the Customer of the request. The Customer shall be solely responsible for complying with such Data Subject requests and for the costs of such requests;
(4.5.3) providing, at the Customer’s reasonable request and expense, additional assistance to the Customer with any other enquiry, complaint or correspondence from a Data Subject or third party in relation to the Processing of Customer Personal Data.
(4.6) If Brightbox becomes aware of a confirmed Data Security Incident, Brightbox shall:
(4.6.1) Notify the Customer without undue delay;
(4.6.2) Provide reasonable information (to the extent that such information is known or available to Brightbox) to the Customer to assist the Customer to fulfil any reporting obligations it may have itself; and
(4.6.3) Take commercially reasonable measures to remedy, mitigate or limit the effects of such Data Security Incident and protect Customer Personal Data.
(4.6.4) Brightbox’s remediation and mitigation obligations shall be limited to Data Security Incidents resulting from a failure by Brightbox of its own security obligations under this DPA and the Customer Terms.
(4.6.5) The notification of, or response to, a Data Security Incident by Brightbox shall not be construed as an acknowledgement by Brightbox of any fault or liability with respect to the Data Security Incident.
(4.6.6) Brightbox will not assess the content of Customer Personal Data in order to identify information subject to any specific legal requirements. The Customer is solely responsible for complying with data breach notification laws applicable to the Customer and fulfilling any third party notification obligations related to Data Security Incidents.
(4.6.7) Brightbox shall not be required to notify the Customer of any routine security incidents which is not a Data Security Incident. This includes, without limitation, pings and other broadcast attacks on firewalls or edge servers, port scans, unsuccessful log-on attempts, denial of service attacks, packet sniffing or other unauthorised access to traffic data that does not result in access beyond IP addresses or headers.
(4.7) Brightbox may provide Security Features as part of the Services. Customer acknowledges that:
(4.7.1) such Security Features are subject to change or removal during the Term
(4.7.2) use of such Security Features by the Customer is at the risk of the Customer and is governed by the Customer Terms
(4.7.2) Brightbox shall use commercially reasonable endeavours to assist the Customer in the use of Security Features by:
(4.8) The Customer acknowledges that Brightbox has no knowledge of Customer Personal Data which is uploaded, stored, sent or received in the course of the Customer’s use of the Services. Brightbox shall not be required to actively monitor Customer Data for compliance with Applicable Data Protection Legislation. If however, Brightbox believes or becomes aware that the Processing of Customer Personal Data is likely to result in a high risk to the data protection rights and freedoms of Data Subjects, it shall notify the Customer.
(4.9) Brightbox shall, taking into account the nature of the Processing, the information available to Brightbox and in a manner consistent with the functionality of the Services, assist the Customer in ensuring compliance with the Customer’s obligations under Applicable Data Protection Legislation by:
(4.9.1) Providing security features within the functionality of the Services; and
(4.9.2) Providing commercially reasonable assistance, at the Customer’s expense, regarding any data protection impact assessments or prior consultation that may be required under the Applicable Data Protection Legislation
(4.10) Brightbox shall, during the Term, enable the Customer to delete Customer Personal Data in a manner consistent with the functionality of the Services. The Customer acknowledges that:
(4.10.1) It is solely responsible for exporting or retrieving any Customer Personal Data it wishes to, or is required to, retain before the applicable Term expires.
(4.10.2) On expiry of the applicable Term, Brightbox shall delete all Customer Personal Data from its systems. This requirement shall not apply if Brightbox is required by Applicable Data Protection Legislation to retain all or some of the Customer Personal Data.
(4.11) Brightbox shall, at the written request of the Customer, provide information reasonably requested by the Customer to assist in demonstrating compliance with the obligations contained within this DPA.
(4.12) Brightbox shall, subject to reasonable written notice, permit an audit or inspection by the Customer to verify its compliance with the obligations contained within this DPA.
(4.12.1) The Customer acknowledges that any such audit or inspection:
(4.12.2) On completion, a copy of the audit or inspection report shall be provided to Brightbox without undue delay. Any such report shall be bound by the Confidentiality provisions contained herein and within the Customer Terms.
Customer acknowledges and agrees that (without prejudice to Brightbox obligations contained within this DPA):
(5.1) Customer is solely responsible for evaluating whether the Services provided by Brightbox and the security measures and obligations described in this DPA will meet the Customer’s needs in respect of the Applicable Data Protection Legislation or any other applicable law.
(5.2) Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk to the rights and freedoms of Data Subjects, that the Services provided by Brightbox and the Security Measures described in this DPA provide an appropriate level of security in respect of Customer Personal Data.
(5.3) Customer is solely responsible for its use of the Services for Processing Customer Personal Data during the Term, including:
(5.3.1) taking all necessary measures to secure Customer Personal Data including, without limitation, the use of available security features provided by Brightbox;
(5.3.2) securing account and authentication credentials to prevent unauthorised access; and
(5.3.3) retaining back-ups of Customer Personal Data where appropriate
(5.4) In respect of any data which the Customer uploads, stores, sends or receives in connection with its use of the Services, the Customer is responsible for the integrity, security, maintenance and appropriate protection of Customer Personal Data and ensuring compliance with any Applicable Data Protection Legislation relating to its own Processing and use of the Services.
(5.5) Customer controls how Customer Personal Data is stored, classified, exchanged or otherwise Processed when using the Services and taking into account the nature, scope, context and purposes of Processing that Brightbox has no knowledge of Customer Personal Data.
(5.6) Customer will not cause Brightbox to infringe any Applicable Data Protection Legislation and will ensure it has all necessary consents, notices and other requirements in place to enable lawful Processing of Customer Personal Data using the Services.
(6.1) Customer agrees that Brightbox may appoint third parties in the course of provision of the Services to the Customer.
(6.2) If subcontractors are appointed by Brightbox to Process Customer Personal Data as Sub-processors, the parties agree:
(6.2.1) Brightbox shall maintain and make available to the customer an up-to-date list of its Sub-processors;
(6.2.2) Brightbox shall give notice to the Customer of the appointment of any new or replacement Sub-processors by updating the list of Sub-processors accordingly;
(6.2.3) Brightbox shall impose appropriate written terms on any Sub-processor it appoints that:
(6.2.4) Brightbox shall remain liable for any breach of this DPA caused by an act or omission by a Sub-processor
(6.2.5) Customer may object to the appointment or replacement of a Sub-processor by terminating the Customer Terms within 14 days of Brightbox’s notice of appointment. Termination shall be the Customers sole and exclusive remedy if Customer objects to the appointment of a new Sub-processor, without prejudice to to any fees incurred by the Customer by its use of the Services before Termination.
(6.3) Both parties agree that third party data centres used by Brightbox to securely house its Systems, for provision of the Services to the Customer, shall not Process any Customer Personal Data and accordingly shall not be considered Sub-processors under this DPA.
(7.1) Brightbox will not transfer Customer Personal Data outside of the EEA, unless withdrawal of the UK from the EU (“Brexit”) results in the withdrawal of the UK from the EEA. In such a case, Customer Personal Data provided by the Customer will be transferred outside of the EEA, to the UK, subject to the following conditions:
(7.1.1) Brightbox shall comply with its obligations under the Applicable Data Protection Legislation and this DPA to ensure an adequate level of protection for any Customer Personal Data transferred; and
(7.1.2) The Data Subjects whose personal data is contained within Customer Personal Data shall have enforceable rights and effective legal remedies;
(7.2) In the event that a withdrawal of the UK from the EU results in the UK being considered a “third country” without an adequate level of data protection, the Standard Contractual Clauses included in Attachment 1 shall come into force, until such a time as an “adequacy decision” in respect of the UK (according to Article 45 of EU Regulation 2016/679) or other similar agreement between the EU and the UK is adopted.
This DPA shall terminate automatically upon termination or expiry of the Customer Terms.
Brightbox will implement and maintain the Security Measures described in this Appendix.
Brightbox may update or modify these Security Measures from time to time provided that such updates and modifications do not result in the degradation of the overall security of the Services.
Brightbox uses multiple physically secure and geographically diverse data centres to house infrastructure and systems to deliver services.
Infrastructure and systems are designed to avoid single points of failure by using redundancy. We use multiple (N+1) network devices, circuits, power and environmental control systems and other equipment to provide this. Systems are designed so that we perform routine maintenance without interruption.
Data center power systems are redundant and designed to allow maintenance without interruption to continuous operations. Data centre facilities are connected to the grid using multiple geographically diverse feeds. Equipment in the data centres is connected to multiple feeds from redundant (N+1) UPS systems, which supply power protection during brownouts, blackouts, over- voltage, under-voltage, and out-of-tolerance frequency conditions. In the event of a prolonged interruption to grid power, on-site diesel generators capable of handling the full load are used to provide backup power. Sufficient on-site fuel reserves are maintained to run the generators for several days.
Data centre facilities are purpose built in areas at low risk of flooding, water ingress or other natural disasters. The facilities use redundant environmental control systems to manage temperature and humidity.
Automatic fire detection and suppression systems with VESDA (Very Early Smoke Detection) are used in all data centre facilities.
Critical systems and data are replicated across multiple, geographically diverse data centres to provide fault tolerance, disaster recovery and protection against accidental destruction or loss of data.
Data centres are connected via high-speed private interconnects with a minimum of two (N+1) geographically diverse and resilient paths between any two sites. Data is transferred across our network using widely-adopted industry standard protocols.
Where appropriate, encryption is used to protect Customer Personal Data during transmission across networks operated by Brightbox. Protocols and ciphers used to encrypt data during transmission are based on widely accepted industry standards.
Access to Brightbox networks is controlled using multiple layers of firewalling to protect both external and internal attack surfaces. Incoming connections from untrusted networks are denied by default and permitted services are limited in scope as tightly as possible.
Monitoring systems are used to collect network performance and security data to ensure the network is performing within expected parameters, allowing us to identify and respond to any abnormal conditions.
Brightbox maintains strict access control and security procedures to protect access to physical equipment, networks, systems and data.
Data centre environments are protected by 24/7 on-site security operations. Security personnel monitor CCTV surveillance and conduct regular patrols. CCTV cameras are recorded on-site and recordings are retained for at least 30 days. External and internal access is controlled using Access Controlled locks (key locks, digital locks, biometrics or access tokens) linked to alarm and logging systems. All activity is recorded so unauthorised or failed access attempts can be investigated.
Data centre access is restricted to authorised personnel and is controlled by formal access procedures. Personnel without access authorisation must be accompanied all times when accessing secure environments. Access is granted only when necessary and to the minimum level necessary for authorised personnel to perform the tasks required.
Access requests must be made in advance by authorised personnel. All visitors are required to provide either biometric or government-issued photographic proof of identification to security staff before entering. Visitors are issued with an electronic keycard which permits access only to the areas required.
Brightbox maintains formal procedures to control access to networks, systems, applications and data. Procedures are designed to prevent unauthorised use of systems and to ensure that Customer Personal Data cannot be read, copied, altered or removed without authorisation during storage, transmission, processing or use.
Access is restricted to the minimum level necessary for authorised personnel to perform their function and granted on a “need to know” basis. Authentication is performed using encrypted methods (key-based or strong, single-use passwords) and remote administrative access is via encrypted channels (VPN, SSH2) utilising strong ciphers. Administration access logs are recorded to separate logging servers to provide an audit trail. Where passwords are employed for authentication, password policies that follow industry standard practices are implemented.
All systems processing or storing Customer Personal Data are registered in our internal documentation system. Configuration changes to all systems follow the appropriate change management procedures and are recorded in the documentation system. Unused services and applications are disabled or removed from all systems. All systems are kept up to date with the latest security updates as soon as practical.
Customer Personal Data is stored in a multi-tenant environment running on systems owned by Brightbox and located in secure data centres. Data is logically isolated while being stored (at rest), held in memory and processed.
Hardware assisted virtualisation technology is used to logically isolate the processing and storage of data in memory between tenants. Stored data (at rest) is logically isolated using virtualisation and access controls.
Where appropriate, encryption is used to protect Customer Personal Data while at rest. Ciphers used to encrypt data at rest are based on widely accepted industry standards.
Physical media containing Customer Personal Data is only stored in secure environments protected by the physical security measures and access controls described in this appendix. Removable media (e.g. USB keys) is not used for storing or transporting any Customer Personal Data.
Brightbox maintains a formal data disposal procedure which specifies the required standards for destruction of sensitive data. All media containing sensitive data is disposed of securely.
Brightbox tracks and records the use, decommissioning and destruction of all media by serial number across the device lifecycle.
All Brightbox personnel and subcontractors are bound by contracts which include confidentiality clauses and enforce adherence to our Information Security policies and procedures. Staff and contractors are vetted according to BS7858. All personnel are provided with suitable security training appropriate to their role.
Brightbox maintains formal onboarding and exit procedures for all personnel to ensure access to systems processing Customer Personal Data is granted according to our policies and revoked in a timely manner.
Brightbox maintains a formal incident management procedure. In the event of a confirmed Data Security Incident Brightbox will notify all affected customers without delay, provide reasonable information (to the extent that such information is known or available to Brightbox) to assist the customer in fulfilling any legal obligations it may have and will take commercially reasonable measures to remedy, mitigate or limit the effects of such Data Security Incident and protect Customer Personal Data.
European Commission Decision C(2010)593
Standard Contractual Clauses (processors)
For the purposes of Article 26(2) of Directive 95/46/EC for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection
The entity accepting these Clauses (the “Data Exporter”)
And
Brightbox Systems Ltd, a company registered in England and Wales, whose company registration number is 6359729 (the “Data Importer”)
each a “party”; together “the parties”,
HAVE AGREED on the following Contractual Clauses (the “Clauses”) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the Data Exporter to the Data Importer of the personal data specified in Appendix 1 to these Clauses.
These Clauses (including Appendices 1 and 2) shall become effective automatically according to section 7.2 of the DPA
Definitions
For the purposes of the Clauses:
(a) ‘personal data’, ‘special categories of data’, ‘process/processing’, ‘controller’, ‘processor’, ‘Data Subject’ and ‘Supervisory Authority’ shall have the same meaning as in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data;
(b) ‘the Data Exporter’ means the controller who transfers the personal data;
(c) ‘the Data Importer’ means the processor who agrees to receive from the Data Exporter personal data intended for processing on his behalf after the transfer in accordance with his instructions and the terms of the Clauses and who is not subject to a third country’s system ensuring adequate protection within the meaning of Article 25 (1) of Directive 95/46/EC;
(d) ‘the Subprocessor’ means any processor engaged by the Data Importer or by any other subprocessor of the Data Importer who agrees to receive from the Data Importer or from any other subprocessor of the Data Importer personal data exclusively intended for processing activities to be carried out on behalf of the Data Exporter after the transfer in accordance with his instructions, the terms of the Clauses and the terms of the written subcontract;
(e) ‘the applicable data protection law’ means the legislation protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of personal data applicable to a data controller in the Member State in which the Data Exporter is established;
(f) ‘technical and organisational security measures’ means those measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.
Details of the transfer
The details of the transfer and in particular the special categories of personal data where applicable are specified in Appendix 1 which forms an integral part of the Clauses.
Third-party beneficiary clause
1. The Data Subject can enforce against the Data Exporter this Clause, Clause 4(b) to (i), Clause 5(a) to (e), and (g) to (j), Clause 6(1) and (2), Clause 7, Clause 8(2), and Clauses 9 to 12 as third-party beneficiary.
2. The Data Subject can enforce against the Data Importer this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where the Data Exporter has factually disappeared or has ceased to exist in law unless any successor entity has assumed the entire legal obligations of the Data Exporter by contract or by operation of law, as a result of which it takes on the rights and obligations of the Data Exporter, in which case the Data Subject can enforce them against such entity.
3. The Data Subject can enforce against the Subprocessor this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where both the Data Exporter and the Data Importer have factually disappeared or ceased to exist in law or have become insolvent, unless any successor entity has assumed the entire legal obligations of the Data Exporter by contract or by operation of law as a result of which it takes on the rights and obligations of the data exporter, in which case the Data Subject can enforce them against such entity. Such third-party liability of the Subprocessor shall be limited to its own processing operations under the Clauses.
4. The parties do not object to a Data Subject being represented by an association or other body if the Data Subject so expressly wishes and if permitted by national law.
Obligations of the Data Exporter
The Data Exporter agrees and warrants:
(a) that the processing, including the transfer itself, of the personal data has been and will continue to be carried out in accordance with the relevant provisions of the applicable data protection law (and, where applicable, has been notified to the relevant authorities of the Member State where the Data Exporter is established) and does not violate the relevant provisions of that State
(b) that it has instructed and throughout the duration of the personal data processing services will instruct the data importer to process the personal data transferred only on the Data Exporter’s behalf and in accordance with the applicable data protection law and the Clauses;
(c) that the data importer will provide sufficient guarantees in respect of the technical and organisational security measures specified in Appendix 2 to this contract;
(d) that after assessment of the requirements of the applicable data protection law, the security measures are appropriate to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation.
(e) that it will ensure compliance with the security measures;
(f) that, if the transfer involves special categories of data, the Data Subject has been informed or will be informed before, or as soon as possible after, the transfer that its data could be transmitted to a third country not providing adequate protection within the meaning of Directive 95/46/EC;
(g) to forward any notification received from the data importer or any Subprocessor pursuant to Clause 5(b) and Clause 8(3) to the data protection supervisory authority if the Data Exporter decides to continue the transfer or to lift the suspension;
(h) to make available to the Data Subjects upon request a copy of the Clauses, with the exception of Appendix 2, and a summary description of the security measures, as well as a copy of any contract for sub-processing services which has to be made in accordance with the Clauses, unless the Clauses or the contract contain commercial information, in which case it may remove such commercial information;
(i) that, in the event of sub-processing, the processing activity is carried out in accordance with Clause 11 by a Subprocessor providing at least the same level of protection for the personal data and the rights of Data Subject as the Data Importer under the Clauses; and
(j) that it will ensure compliance with Clause 4(a) to (i).
Obligations of the Data Importer
The Data Importer agrees and warrants:
(a) to process the personal data only on behalf of the Data Exporter and in compliance with its instructions and the Clauses; if it cannot provide such compliance for whatever reasons, it agrees to inform promptly the Data Exporter of its inability to comply, in which case the Data Exporter is entitled to suspend the transfer of data and/or terminate the contract;
(b) that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the Data Exporter and its obligations under the contract and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Clauses, it will promptly notify the change to the Data Exporter as soon as it is aware, in which case the Data Exporter is entitled to suspend the transfer of data and/or terminate the contract;
(c) that it has implemented the technical and organisational security measures specified in Appendix 2 before processing the personal data transferred;
(d) that it will promptly notify the Data Exporter about:
(i) any legally binding request for disclosure of the personal data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation;
(ii) any accidental or unauthorised access; and
(iii) any request received directly from the Data Subjects without responding to that request, unless it has been otherwise authorised to do so;
(e) to deal promptly and properly with all inquiries from the Data Exporter relating to its processing of the personal Data Subject to the transfer and to abide by the advice of the supervisory authority with regard to the processing of the data transferred;
(f) at the request of the Data Exporter to submit its data-processing facilities for audit of the processing activities covered by the Clauses which shall be carried out by the Data Exporter or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality, selected by the Data Exporter, where applicable, in agreement with the supervisory authority;
(g) to make available to the Data Subject upon request a copy of the Clauses, or any existing contract for sub-processing, unless the Clauses or contract contain commercial information, in which case it may remove such commercial information, with the exception of Appendix 2 which shall be replaced by a summary description of the security measures in those cases where the Data Subject is unable to obtain a copy from the Data Exporter;
(h) that, in the event of sub-processing, it has previously informed the Data Exporter and obtained its prior written consent;
(i) that the processing services by the Subprocessor will be carried out in accordance with Clause 11;
(j) to send promptly a copy of any Subprocessor agreement it concludes under the Clauses to the Data Exporter.
Liability
1. The parties agree that any Data Subject, who has suffered damage as a result of any breach of the obligations referred to in Clause 3 or in Clause 11 by any party or Subprocessor is entitled to receive compensation from the Data Exporter for the damage suffered.
2. If a Data Subject is not able to bring a claim for compensation in accordance with paragraph 1 against the Data Exporter, arising out of a breach by the Data Importer or his Subprocessor of any of their obligations referred to in Clause 3 or in Clause 11, because the Data Exporter has factually disappeared or ceased to exist in law or has become insolvent, the Data Importer agrees that the Data Subject may issue a claim against the Data Importer as if it were the Data Exporter, unless any successor entity has assumed the entire legal obligations of the Data Exporter by contract or by operation of law, in which case the Data Subject can enforce its rights against such entity.The Data Importer may not rely on a breach by a Subprocessor of its obligations in order to avoid its own liabilities.
3. If a Data Subject is not able to bring a claim against the Data Exporter or the Data Importer referred to in paragraphs 1 and 2, arising out of a breach by the Subprocessor of any of their obligations referred to in Clause 3 or in Clause 11 because both the Data Exporter and the Data Importer have factually disappeared or ceased to exist in law or have become insolvent, the Subprocessor agrees that the Data Subject may issue a claim against the data Subprocessor with regard to its own processing operations under the Clauses as if it were the Data Exporter or the Data Importer, unless any successor entity has assumed the entire legal obligations of the Data Exporter or Data Importer by contract or by operation of law, in which case the Data Subject can enforce its rights against such entity. The liability of the Subprocessor shall be limited to its own processing operations under the Clauses.
Mediation and jurisdiction
1. The Data Importer agrees that if the Data Subject invokes against it third-party beneficiary rights and/or claims compensation for damages under the Clauses, the Data Importer will accept the decision of the Data Subject;
(a) to refer the dispute to mediation, by an independent person or, where applicable, by the supervisory authority;
(b) to refer the dispute to the courts in the Member State in which the Data Exporter is established.
2. The parties agree that the choice made by the Data Subject will not prejudice its substantive or procedural rights to seek remedies in accordance with other provisions of national or international law.
Cooperation with supervisory authorities
1. The Data Exporter agrees to deposit a copy of this contract with the supervisory authority if it so requests or if such deposit is required under the applicable data protection law.
2. The parties agree that the supervisory authority has the right to conduct an audit of the Data Importer, and of any Subprocessor, which has the same scope and is subject to the same conditions as would apply to an audit of the Data Exporter under the applicable data protection law.
3. The Data Importer shall promptly inform the Data Exporter about the existence of legislation applicable to it or any Subprocessor preventing the conduct of an audit of the Data Importer, or any Subprocessor, pursuant to paragraph 2. In such a case the Data Exporter shall be entitled to take the measures foreseen in Clause 5(b).
Governing Law
The Clauses shall be governed by the law of the Member State in which the Data Exporter is established.
Variation of the contract
The parties undertake not to vary or modify the Clauses. This does not preclude the parties from adding clauses on business related issues where required as long as they do not contradict the Clause.
Sub-Processing
1. The Data Importer shall not subcontract any of its processing operations performed on behalf of the Data Exporter under the Clauses without the prior written consent of the Data Exporter. Where the Data Importer subcontracts its obligations under the Clauses, with the consent of the Data Exporter, it shall do so only by way of a written agreement with the Subprocessor which imposes the same obligations on the Subprocessor as are imposed on the Data Importer under the Clauses. Where the Subprocessor fails to fulfil its data protection obligations under such written agreement the Data Importer shall remain fully liable to the Data Exporter for the performance of the Subprocessor’s obligations under such agreement.
2. The prior written contract between the Data Importer and the Subprocessor shall also provide for a third-party beneficiary clause as laid down in Clause 3 for cases where the Data Subject is not able to bring the claim for compensation referred to in paragraph 1 of Clause 6 against the Data Exporter or the Data Importer because they have factually disappeared or have ceased to exist in law or have become insolvent and no successor entity has assumed the entire legal obligations of the Data Exporter or Data Importer by contract or by operation of law. Such third-party liability of the Subprocessor shall be limited to its own processing operations under the Clauses.
3. The provisions relating to data protection aspects for sub-processing of the contract referred to in paragraph 1 shall be governed by the law of the Member State in which the Data Exporter is established.
4. The Data Exporter shall keep a list of sub-processing agreements concluded under the Clauses and notified by the Data Importer pursuant to Clause 5(j), which shall be updated at least once a year. The list shall be available to the Data Exporter’s data protection supervisory authority.
Obligation after the termination of personal data processing services
1. The parties agree that on the termination of the provision of data processing services, the Data Importer and the Subprocessor shall, at the choice of the Data Exporter, return all the personal data transferred and the copies thereof to the Data Exporter or shall destroy all the personal data and certify to the Data Exporter that it has done so, unless legislation imposed upon the Data Importer prevents it from returning or destroying all or part of the personal data transferred. In that case, the Data Importer warrants that it will guarantee the confidentiality of the personal data transferred and will not actively process the personal data transferred anymore.
2. The Data Importer and the Subprocessor warrant that upon request of the Data Exporter and/or of the supervisory authority, it will submit its data processing facilities for an audit of the measures referred to in paragraph 1.
This Appendix forms part of the Clauses
Terms used in this Appendix 1 to the EU Standard Contractual Clauses have the meaning given to them in the DPA (and Customer Terms) to which these Standard Contractual Clauses have been attached.
The “Data Exporter” is the entity identified as the Customer in the Customer Terms.
The “Data Importer” is Brightbox Systems Ltd, a company registered in England and Wales, whose company registration number is 6359729.
“Data Subjects”, “Categories of data”, and “Processing operations” are as set out in section 3 (“Data Processing General”) of the DPA.
This Appendix forms part of the Clauses
Description of the technical and organisational security measures implemented by the Data Importer in accordance with Clauses 4(c) and 5(c) (or document/legislation attached):
Brightbox shall implement security measures at least equivalent to those described in Appendix 1 of the DPA “Brightbox Security Measures”.
Last updated: 26 Apr 2021 at 16:58 UTC
