Data Processing Agreement
Updated: 1 June 2019
This Data Processing Agreement applies to: (i) KLDiscovery Ontrack Limited (company number 02669766) having its registered office address at Global House, 1 Ashley Avenue, Epsom Surrey, KT18 5AD (“Ontrack”); and (ii) the applicable Customer placing an order for Ontrack’s services pursuant to the applicable service terms of business (“Terms”).
The Parties have agreed that the terms of this Data Processing Agreement shall apply to the Processing of Personal Data (as defined below) that is required to enable Ontrack to provide the services to the applicable Customer.
In this Data Processing Agreement:
|Protected Data||means all Personal Data provided to Ontrack by the Customer;|
|Data Controller||has the meaning given to that term (or to the term ‘controller’) in Data Protection Laws;|
|Data Processor||has the meaning given to that term (or to the term ‘processor’) in Data Protection Laws;|
|Data Protection Laws||means all applicable data protection law binding on the Customer, Ontrack and/or in relation to the services including: (i) the GDPR and/or any corresponding or equivalent national laws or regulations; and (ii) in member states of the European Union, all relevant laws or regulations giving effect to or corresponding with the GDPR.|
|Data Subject||has the meaning given to that term in Data Protection Laws;|
|Data Subject Request||means a request made by a Data Subject to exercise any rights of Data Subjects under Data Protection Laws;|
|GDPR||means the General Data Protection Regulation (EU) 2016/679;|
|Personal Data||has the meaning given to that term in Data Protection Laws;|
|Personal Data Breach||means any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, any Personal Data;|
|Personnel||means any current, former or prospective employee, consultant, temporary worker, agency worker, intern, other non-permanent employee, contractor, secondee or other personnel;|
|Processing||has the meaning given to that term in Data Protection Laws (and related terms such as process have corresponding meanings);|
|Sub-Processor||means another Data Processor engaged by Ontrack on behalf of the Client for carrying out Processing activities in respect of the Protected Data; and|
|Supervisory Authority||means any local, national or multinational agency, department, official, parliament, public or statutory person or any government or professional body, regulatory or supervisory authority, board or other body responsible for administering Data Protection Laws.|
Data Processing provisions
- Data Processor and Data Controller
- The Parties agree that, in respect of Protected Data, the Customer shall be the Data Controller and Ontrack shall be the Data Processor. It is acknowledged that the Customer shall have sole responsibility for the accuracy, quality, integrity and reliability of any Protected Data and of the means by which it acquired such Protected Data.
- The Customer warrants, represents and undertakes, that: (i) all Protected Data used in connection with the services pursuant to the Terms shall comply in all respects with Data Protection Laws; (ii) all instructions given by it to Ontrack in respect of Protected Data shall at all times be in accordance with Data Protection Laws; (iii) it has obtained all necessary consents from any Data Subject whose Personal Data is included within the Protected Data or otherwise has the appropriate legal permission to provide the Protected Data to Ontrack; and (iv) it will comply with the terms of this Data Processing Agreement.
- Ontrack warrants, represents and undertakes, that it shall: (i) process the Protected Data only to the extent necessary in connection with the Terms; and (ii) process the Protected Data in accordance with the Customer’s documented instructions and the requirements of Data Protection Laws; (iii) promptly inform the Customer if Ontrack considers that the Customer’s instructions infringe Data Protection Laws, or if Ontrack becomes unable to comply with Customer's instructions regarding the Processing of Protected Data (whether as a result of a change in applicable law, or a change in Customer’s instructions); and (iv) comply with the terms of this Data Processing Agreement.
- Instructions and details of Processing
- The Processing of Protected Data to be carried out by Ontrack under this Data Processing Agreement shall comprise the Processing as required for Ontrack to provide the services.
- Technical and organisational measures
- Ontrack shall implement and maintain, at its cost and expense, appropriate technical and organisational measures in relation to the Processing and security of Protected Data in accordance with Data Protection Laws and in accordance with Articles 32-34 of the GDPR in particular. Ontrack shall ensure that such technical and organisational measures are appropriate to the particular risks that are presented by its Processing activities, in particular to protect Protected Data from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access.
- Using Personnel and Sub-Processors
- Save as set out in clause 4.2, Ontrack shall not engage any sub-processor for carrying out any processing activities in respect of the Client Data without the Client’s prior written authorisation. In the event that authorisation is provided, prior to making any disclosure to any approved sub-processor, Ontrack shall put in place written terms with the sub-processor which are equivalent to those set out in this Data Processing Agreement. It is acknowledged and accepted that, notwithstanding anything to the contrary in this Agreement, Ontrack shall remain fully liable to the Client for the performance of each sub-processor’s obligations. Ontrack shall inform the Client of any intended changes concerning the addition or replacement of such sub-processors and allow Client a reasonable opportunity to object, on reasonable grounds, to any such changes or replacements.
- Approved sub-processors at the date of this Data Processing Agreement are set out at Annex 1.
- Ontrack shall ensure the reliability of its Personnel who have access to Protected Data and ensure that they process it only where strictly necessary for the services, ensure that they are fully aware of the measures to be put in place and the steps to be taken when Processing the Protected Data having regard to Data Protection Laws, and ensure that they have committed themselves to protect the confidentiality of the Protected Data including by way of an appropriate obligation of confidentiality (whether by written contract or otherwise) in respect of the Protected Data.
- Assistance with the Customer’s compliance and Data Subject rights
- Ontrack shall promptly refer all Data Subject Requests it receives to the Customer. Ontrack shall provide such reasonable assistance as the Customer reasonably requires (taking into account the nature of Processing and the information available to Ontrack) to the Customer in ensuring compliance with the Customer’s obligations under Data Protection Laws with respect to: (i) the security of Processing; (ii) data protection impact assessments (as such term is defined in Data Protection Laws); (iii) prior consultation with a Supervisory Authority regarding high risk Processing; and (iv) notifications to the Supervisory Authority and/or communications to Data Subjects by the Customer in response to any Personal Data Breach, provided that, in the event that such assistance is disproportionate in time and resources to Ontrack, Customer shall pay Ontrack’s fees for providing such assistance.
- International data transfers
- In general, Protected Data is hosted and processed by Ontrack within the European Economic Area (“EEA”). Notwithstanding this, Ontrack is part of a corporate group that has been accredited by the US Chamber of Commerce under the EU-US and Swiss-US Privacy Shield frameworks. Accordingly, from time to time, Ontrack may require the transfer of Protected Data outside the EEA in order for Ontrack to effectively provide the services, for example if a specialised service is required. Such transfers shall be performed in accordance with the requirements of all applicable laws and regulations. Customer acknowledges and agrees to such transfers.
- Records, information and audit
- Ontrack shall: (i) create; (ii) keep up-to-date; and (ii) maintain, full and accurate records relating to all Processing of Protected Data.
- Ontrack shall grant to Customer the right of audit, no more than once per calendar year and on a minimum of 30 (thirty) days written notice, during normal business hours and subject to reasonable confidentiality undertakings being given, to access and take copies of such records relating to Processing of Protected Data and shall provide all reasonable assistance to Customer in exercising its audit rights. This audit right shall not extend to any third party data centre or other third party facility housing any server equipment where only visual and accompanied inspection is permitted.
- Ontrack shall at Customer’s request and expense promptly provide Customer with all information necessary to enable Customer to demonstrate compliance with its obligations under the GDPR, to the extent that Ontrack is able to provide such information.
- Breach notification
- In respect of any Personal Data Breach involving Protected Data , Ontrack shall, without undue delay: (i) notify the Customer of the Personal Data Breach; and (ii) provide the Customer with details of the Personal Data Breach.
- Deletion or return of Personal Data and copies
- Ontrack shall, at the Customer’s written request, either delete or return all the Protected Data to the Customer in such form as the Customer reasonably requests within a reasonable time after the earlier of: (i) the end of the provision of the relevant data recovery services pursuant to the Terms related to Processing; or (ii) once Processing by Ontrack of any Protected Data is no longer required for the purpose of Ontrack’s performance of its relevant obligations under this Data Processing Agreement, and delete existing copies (unless storage of any Protected Data is required by applicable law and, if so, Ontrack shall inform the Customer of any such requirement). Ontrack shall procure that its Sub-Processors shall undertake the same actions with regard to Protected Data.
- In the event that Protected Data remains within Ontrack’s possession or control for any period longer than 12 (twelve) months without any active instructions from the Customer, Ontrack shall delete such Protected Data.
- Each Party (the “Indemnifying Party”) shall indemnify and keep indemnified the other Party (the “Indemnified Party”) in respect of all claims, demands, actions, settlements, interest, charges, procedures, expenses, losses and damages suffered or incurred by, awarded against or agreed to be paid by, the Indemnified Party arising from or in connection with the Indemnifying Party’s non-compliance with this Data Processing Agreement and/or breach of Data Protection Laws.
- The total liabilities of either Party under this Data Processing Agreement shall in no event exceed the contractual limits set out and agreed in the Terms.
- Term and Termination
- Unless terminated by agreement of the Parties, this Data Processing Agreement shall commence on the date an order is placed for services pursuant to the Terms and continue in force for so long as Ontrack continues to process Protected Data.
- Choice of Law
- This Data Processing Agreement shall be subject to the terms of the choice of law provision set out in the Terms.
Date: 1 June 2019
Annex 1 – Sub-Processors and Transfers
|Ontrack Product/Business System||Mandatory use of Sub-processor||Name of Sub-Processor||Location of Sub-Processor||Transfers outside EEA||Data|
|Courier services||No||DHL||UK||No||Original client media, encrypted hard-drive for data return|
|Courier services||No||Guardian||UK||No||Original client media, encrypted hard-drive for data return|
|Customer Management systems (internal)||Yes||Nobile (support VISMA system)||Norway||No||Client contact data and work history|
|Out of hours calls||No||Message Direct||UK||No||Customer name, contact details, data recovery requirements|
|Call tracking||Yes||Infinity||UK||No||Customer IP address, name, user statistics|