Data Processing Agreement

THIS AGREEMENT is made as of the 29th day of May, 2018.

  1. Data Protection
    1. Definitions: In this agreement (the "Agreement"), the following terms shall have the following meanings:
      (a) "controller", "processor", "data subject", "personal data", "processing" (and "process") and "special categories of personal data" shall have the meanings given in Applicable Data Protection Law; and
      (b) "Applicable Data Protection Law" shall mean: (i) prior to 25 May 2018, the EU Data Protection Directive (Directive 95/46/EC); (ii) on and after 25 May 2018, the EU General Data Protection Regulation (Regulation 2016/679); and (iii) in the case of both (i) and (ii) together with any transposing, implementing or supplemental legislation.
    2. Relationship of the parties: Party listed below, the controller, (the "Counterparty") appoints Digital Trip Limited ("Digital Trip") as a processor to process the personal data (the "Data") described in the Agreement between the parties (the "Master Services Agreement") for the purposes described in the Master Services Agreement or as otherwise agreed in writing by the parties (the "Permitted Purpose"). Each party shall comply with the obligations that apply to it under Applicable Data Protection Law.
    3. International transfers: Counterparty understands that Digital Trip is part of a global corporation, and as such, may need to transfer the Data outside of the European Economic Area ("EEA"). Counterparty agrees to such transfers by Digital Trip provided Digital Trip has taken such measures as are necessary to ensure the transfer will be in accordance with the Applicable Data Protection Law.
    4. Confidentiality of processing: Digital Trip shall ensure that any person, including its employees, agents, consultants, and subcontractors, that it authorises to process the Data (an "Authorised Person") shall protect the Data in accordance with Digital Trip's confidentiality obligations under the Master Services Agreement.
    5. Security: Digital Trip shall implement such technical and organisational measures, as set out in the Annex, to protect the Data (i) from accidental or unlawful destruction, and (ii) loss, alteration, unauthorised disclosure of, or access to the Data (a "Security Incident").
    6. Subcontracting: Counterparty consents to Digital Trip engaging third party subprocessors to process the Data for the Permitted Purpose provided that: (i) Digital Trip maintains an up-to-date list of its subprocessors at https://secure.digital-trip.co.uk/GDPR/SubProcessors.pdf, which it shall update with details of any change in subprocessors at least 10 days' prior to any such change; (ii) Digital Trip imposes data protection terms on any subprocessor it appoints that require it to protect the Data to the standard required by Applicable Data Protection Law; and (iii) Digital Trip remains liable for any breach of this Clause that is caused by an act, error or omission of its subprocessor. Counterparty may object to Digital Trip's appointment or replacement of a subprocessor prior to its appointment or replacement, provided such objection is based on reasonable grounds relating to data protection. In such event, Digital Trip will either not appoint or replace the subprocessor or, if this is not possible, Counterparty may suspend or terminate the Master Services Agreement. This section shall not apply to the extent Digital Trip engages a subprocessor with whom Counterparty has its own contract terms relating to the services of the Master Services Agreement.
    7. Cooperation and data subjects' rights: Digital Trip shall provide reasonable and timely assistance to Counterparty, at Counterparty expense, to enable Counterparty to respond to: (i) any request from a data subject to exercise any of its rights under Applicable Data Protection Law (including its rights of access, correction, objection, erasure and data portability, as applicable); and (ii) any other correspondence, enquiry or complaint received from a data subject, regulator or other third party in connection with the processing of the Data. In the event that any such request, correspondence, enquiry or complaint is made directly to Digital Trip, Digital Trip shall promptly inform Counterparty providing full details of the same.
    8. Data Protection Impact Assessment: If Digital Trip believes or becomes aware that its processing of the Data is likely to result in a high risk to the data protection rights and freedoms of data subjects, it shall inform Counterparty and provide reasonable cooperation to Counterparty, at Counterparty's expense, in connection with any data protection impact assessment that may be required under Applicable Data Protection Law.
    9. Security incidents: If it becomes aware of a confirmed Security Incident, Digital Trip shall inform Counterparty without undue delay and shall provide reasonable information and cooperation to Counterparty so that Counterparty can fulfil any data breach reporting obligations it may have under Applicable Data Protection Law. Digital Trip shall further take such any reasonably necessary measures and actions to remedy or mitigate the effects of the Security Incident and shall keep Counterparty informed of all material developments in connection with the Security Incident.
    10. Deletion or return of Data: Upon termination or expiry of the Master Services Agreement, Digital Trip shall, at Counterparty 's election, destroy or return to Counterparty all Data in its possession or control. This requirement shall not apply to the extent that Digital Trip is required by applicable law to retain some or all of the Data, or to Data it has archived on back-up systems, which Data Digital Trip shall securely isolate and protect from any further processing except to the extent required by such law until deletion is possible.
    11. Audit: Digital Trip shall, at the reasonable request of Counterparty, provide the Counterparty with summaries of Digital Trip's annual audit report(s) and co-operate with the Counterparty in any reasonable written enquiries (to be made not more than once a year following receipt of such summary) as to Digital Trip's technical and organizational measures in relation to the protection of the Data for which cooperation the Counterparty will pay Digital Trip's reasonable fees.
    12. Aggregated, anonymized data: Digital Trip may aggregate anonymized data and information collected through the technology provided by Digital Trip, and Counterparty hereby grants Digital Trip the perpetual and irrevocable right to use, collect and aggregate such anonymized data and information for the purpose of performing analyses, providing benchmarking performance data and insights, preparing industry studies, and preparing and distributing products and services with anonymized aggregate data and information, provided that at all times Digital Trip complies with its obligations under Applicable Data Protection Law.
    13. Further assurances: For greater certainty, all other terms and conditions of the Master Services Agreement shall remain in full force and effect, but to the extent there is any conflict or inconsistency between the terms of the Master Services Agreement and this Agreement, the terms of this Agreement shall prevail. This Agreement shall be governed and interpreted in accordance with the jurisdiction as set out in the Master Services Agreement.
    14. Execution: This Agreement may be executed in one or more counterparts by original or electronic signature (via PDF), all of which shall be treated as original documents and shall be equally valid and binding on the parties and their respective affiliates.
    15. Continued use: For the avoidance of doubt, if this Agreement is not executed by 25 May 2018, Counterparty's continued use of the services pursuant to the Master Services Agreement will be deemed acceptance of this Agreement.

IN WITNESS WHEREOF the parties hereto have executed this Agreement on the day and year first written above.

Digital Trip Ltd

Full name: Andrew Speight

Position: Managing Director

Electronic Signature: 29-May-2018 10:41

na

Full name: na

Position: na

Electronic Signature: 29-May-2018 10:41 / 92.17.83.156


Annex

Security Measures

  1. Encryption of data where necessary;
  2. Preventing unauthorized access to data processing systems and information;
  3. Ensuring the confidentiality, integrity, availability and stability of processing systems and services;
  4. Backing-up relevant data as necessary;
  5. Implementation of a data recovery plan; and
  6. Conducting systematic testing and evaluations of the effectiveness of the aforementioned technical and organisational measures.