DATA PROCESSING ADDENDUM
THIS DATA PROCESSING AGREEMENT (“DPA”) is made on the date of the agreement between HALO and the Customer.
- HALO provides the Services to the Customer.
- In the course of providing services to the Customer, HALO shall or may have access to or process personal data on behalf of the Customer.
- The parties are entering into this DPA in order to meet their obligations under Data Protection Law regarding the sharing and international transfer of personal data as part of the provision of the Services.
NOW IT IS AGREED as follows by HALO (in consideration of the agreement of the Customer to provide HALO with access to its information, and for other good and valuable consideration, the receipt and sufficiency of all of which is acknowledged by HALO):
- Defined Terms: In this Agreement (the “DPA”):
“Affiliate” means in relation to a person, any other person which controls, is controlled by or is under common control with that first person; and for this purpose “control” means possession of the power to direct or cause the direction of the management and policies of a person whether by membership, ownership, contract or otherwise;
“Appropriate Security Measures” means appropriate security measures required by Data Protection Law to protect against unauthorised access to, alteration, disclosure or destruction of Data and against its accidental loss or destruction and, in particular, where the processing involves the transmission of Data over a network, it shall mean having regard to the state of technological development and the cost of implementing the measures, and ensuring that the measures provide a level of security appropriate to:
- (i) the risks that are presented by the processing;
- (ii) the harm that might result from unauthorised or unlawful processing, accidental or unlawful destruction or accidental loss of or damage to the data concerned, and
- (iii) the nature of the Data, and shall include the measures set out in Annex 2 to this DPA;
“Commissioner” means the Information Commissioner as defined in Article 4(A3), UK GDPR;
“Data” means the personal data processed by HALO on behalf of the Customer in connection with the Services (whether part of the Customer Data or otherwise);
“Data Protection Acts” means the Data Protection Acts 1988 to 2018 of Ireland, as amended, revised, modified or replaced from time to time and the UK Data Protection Act 2018 as amended, revised, modified or replaced from time to time;
“Data Protection Law” means all legislation and regulations relating to the protection of personal data including (without limitation) the Data Protection Acts, the GDPR, the UK GDPR, the UK Data Protection Act 2018, and all other statutory instruments, industry guidelines (whether statutory or non-statutory) or codes of practice or guidance issued by the Relevant Authority relating to the processing of personal data or privacy or any amendments and re-enactments thereof;
“General Data Protection Regulation” or “GDPR” means Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and the free movement of such data and repealing the Data Protection Directive;
“Permitted Third Party Service Provider” means third party service providers as specified at Annex 3 and required to be engaged by HALO for the purposes of providing the Services;
“Personnel” means, in relation to a person, that person’s servants, officers, employees, agents or contractors, but excludes Affiliates; and
“Relevant Authority” means the Commissioner or the Data Protection Commission of Ireland (as applicable);
“SCCs” means the standard contractual clauses approved by the EU Commission by Decision (EU) 2021/914 of 4 June 2021 for the transfer of personal data to third countries; and
“UK GDPR” has the meaning given to it in section 3(10) (as supplemented by section 205(4)) of the UK Data Protection Act 2018.
- Construction: In this DPA, unless the contrary intention is stated, a reference to data controller, data processor, data subject, personal data, sensitive personal data, special categories of personal data, processing and appropriate technical and organisational measures shall have the meanings given to them in the DPA, or, following the coming into force of the GDPR, in the GDPR.
- DATA PROTECTION
- Data Controller: The parties acknowledge that, in relation to Data, and for the purposes of the Data Protection Law, the Customer is the data controller and HALO is a data processor.
- Data Processor’s Obligations: HALO agrees with the Customer that:
- it shall only process:
- Data in accordance with the instructions of the Customer, which instructions shall be documented in writing by way of this DPA or such other manner as may be agreed between the Customer and HALO from time to time; and
- it shall ensure that any processing of Data by it shall be carried out in compliance with the Data Protection Law;
- it shall inform the Customer as soon as practicable if, in its opinion, it receives an instruction from the Customer which infringes Data Protection Law;
- it shall disclose Data only to those members of its Personnel to whom such disclosure is necessary for the exercise of its rights, and performance of its obligations, under this DPA, and shall procure that such persons are made aware of, and agree in writing to observe the obligations of confidentiality under this DPA and security in Clause 3;
- subject to the other provisions of this DPA, it shall not sell, transfer, disclose or otherwise allow access to any Data to any party other than its Personnel, save where the prior written approval of the Customer has been obtained;
- it shall not copy or maintain any Data on any system, application or other medium other than as required for the provision of the Services;
- subject to Clause 9 below, it shall not transfer any Data outside the United Kingdom or European Economic Area without the Customer’s prior written consent;
- without prejudice to Clause 7 of this DPA, it shall not sub-contract or delegate or purport to transfer any of its obligations to the Customer from time to time to any third party without the prior written consent of the Customer, and any consent, if given by the Customer, shall be subject to the pre-condition that HALO shall have in place a contract with the proposed third party providing the same or a higher level of protection of Data as is set out in this DPA;
- it shall not perform the Services in such a way as to cause the Customer to breach any of its obligations under Data Protection Law;
- it shall, at the Customer’s cost, make available to the Customer all information necessary to demonstrate its compliance with the obligations set out in Data Protection Law and shall allow for and contribute to audits, including inspections, conducted by the Customer or another auditor mandated by the Customer to the extent necessary to enable it to verify HALO’s compliance with Data Protection Law and its obligations under this DPA; and
- at the Customer’s cost, promptly assist the Customer in complying with its obligations under Articles 32 to 36 of the GDPR;
- without prejudice to Clauses 2.2(g) and 7, with respect to any transfer of Data pursuant to the SCCs it shall:
- notify the Customer promptly if, during the Term, it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under paragraph 14(a) of the SCCs, including following a change in the laws of the third country or a measure (such as a disclosure request) indicating an application of such laws in practice that is not in line with the requirements in that paragraph 14(a);
- notify the Customer if it:
- receives a legally binding request from a public authority, including judicial authorities, under the laws of a country of destination for the disclosure of Data transferred pursuant to the SCCs; such notification shall include information about the Data requested, the requesting authority, the legal basis for the request and the response provided; or
- becomes aware of any direct access by public authorities to Data transferred pursuant to the SCCs in accordance with the laws of the country of destination; such notification shall include all information available to HALO;
- where permissible under the laws of a country of destination, provide the Customer, at regular intervals for the Term, with as much relevant information as possible on the requests received (in particular, number of requests, type of data requested, requesting authority/ies, whether requests have been challenged and the outcome of such challenges, etc.);
- document its legal assessment and any challenge to the request for disclosure and, to the extent permissible under the laws of a country of destination, make the documentation available to the Customer and to the Relevant Authority on request;
- inform any public authority ordering disclosure of Data of the incompatibility of the order with the safeguards contained in the SCCs and the resulting conflict of obligations for HALO;
- notify simultaneously and as soon as possible HALO and/or the Relevant Authority insofar as possible under the order referred to at (v) above;
- to the extent possible, assist any data subject whose personal data forms part of the Data in exercising his or her rights in the third country jurisdiction; and
- ensure that responsibility for handling formal or informal requests from public authorities to access the Data shall be assigned to identified individuals within HALO.
- Processing Details: Each of the parties acknowledges and agrees that Annex 1 is an accurate description of the Data.
HALO shall implement Appropriate Security Measures to prevent accidental or unauthorised loss, destruction, damage, alteration or disclosure of, or unlawful or unauthorised access to, any Data in the custody of HALO, and HALO shall ensure that its Personnel are aware of and comply with those measures.
- DATA BREACH
- Notification: HALO shall, without undue delay upon becoming aware of it, notify the Customer of any unauthorised access to, or unauthorised use, alteration, disclosure, accidental loss or destruction of, any Data in the custody of HALO (each a “data breach”).
- Actions: In the event of any data breach, HALO shall:
- take action to mitigate any potential damage and remedy the cause of the data breach;
- take action to investigate said data breach and, upon the Customer’s request, share the results of such investigation and its remediation plan with the Customer; and
- upon the Customer’s request, provide the Customer with all information required to fulfil its obligations, as data controller, under all Data Protection Law.
- DATA SUBJECT REQUESTS AND COMPLAINTS
- Notification: HALO shall notify the Customer of any request from a data subject to exercise any of his or her rights under Data Protection Law or any complaint from any data subject.
- Accession: HALO shall not accede to any such request or deal with any complaint except on the written instructions of the Customer.
- Assistance: HALO shall, on request of the Customer and at the Customer’s cost, taking into account the nature of the processing, assist the Customer by appropriate technical and organisational measures in the fulfilment of the Customer’s obligation to respond to requests for exercising the data subject’s rights under Data Protection Law.
The Customer shall indemnify and keep indemnified HALO and its Affiliates, and their respective agents, members, shareholders, officers, directors, employees, and contractors (the “Indemnified Party”) from time to time on demand from and against any and all third party actions, suits, proceedings, claims, demands, orders, damages, dues, penalties, fines, costs, liabilities, obligations, losses, expenses and fees (including, without limitation, reasonable attorneys’ fees and costs) directly or indirectly suffered, incurred or payable by the Indemnified Party arising out of or in connection with any of the following events:
- any breach by the Customer of its obligations under this DPA;
- all claims, proceedings or actions brought by a competent public authority or a data subject against the Customer with respect to the processing of Protected Data by the Customer; and/or
- the Customer’s failure to comply with Data Protection Law.
- DESTRUCTION AND DELIVERY OF DATA
- At any time during the course of the provision of the Services, or upon termination of this DPA, HALO shall, upon the request of the Customer, immediately securely deliver to the Customer or destroy all Data in its possession or control, as may be requested by the Customer, shall certify such destruction or delivery in writing to the Customer on request from time to time, and shall instruct each Permitted Third Party Service Provider to destroy all Data in their possession or control.
HALO shall only be permitted to transfer Data outside the United Kingdom and the European Economic Area in accordance with European or national law to which it is subject and with Customer’s prior written consent. Any such transfer shall be made in accordance with the requirements of Data Protection Law, in particular with respect to the requirements of Chapter V of the GDPR regarding transfers of personal data to third countries, and any decisions, guidance or recommendations issued by the European Commission, Relevant Authority and/or supervisory authority.
- PERMITTED THIRD PARTY SERVICE PROVIDER
- Consent: Without prejudice to the generality of the pre-conditions specified in Clause 2.2(g) and Clause 8 of this DPA, HALO shall be permitted to sub-contract processing of Personal Data to a Permitted Third Party Service Provider provided that:
- the same data protection obligations as set out in this DPA shall be imposed on that Permitted Third Party Service Provider by way of a data sub-processing agreement, in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of the GDPR; and
- HALO shall remain responsible for all acts and omissions of Permitted Third Party Service Provider and the acts and omissions of those employed or engaged by the Permitted Third Party Service Provider as if they were its own. An obligation on HALO to do, or to refrain from doing, any act or thing shall include an obligation on HALO to procure that its Personnel and the Personnel of each Permitted Third Party Service Provider also do, or refrain from doing, such act or thing.
- Consent to Transfer to Third Countries: Further to Clauses 2.2(g) and 8 above, the Customer hereby consents to the transfer of Data to such Permitted Third Party Service Provider as may be located outside of the European Economic Area.
- TERM AND TERMINATION
- Retrospective Effect: It is agreed, notwithstanding the date of execution of this DPA, that the relationship between the parties regarding the processing of personal data shall be deemed to have been governed by this DPA since the earlier of (i) the entry into force of the GDPR or (ii) the start date of the provision of services by HALO to the Customer, as if this Agreement had been executed on or before, and had come into force on, that date.
- Term & Termination: This DPA shall continue in full force and effect until the termination or expiry of the services agreement, whereupon HALO’s authority to process Data in accordance with this DPA shall terminate automatically, unless otherwise agreed between the parties in writing.
The Client represents and warrants to HALO, on a continuing basis for the duration of the Agreement that:
- all consents, if required, for the processing of all the Data by HALO in the manner contemplated by this DPA have been validly obtained and are in full force and effect; and
- the Customer has complied with all of its obligations (however arising) in respect of all the Data.
- Agreement: This DPA forms part of the services agreement between the Customer and HALO. In the event of any conflict between this DPA and any other term of the services agreement relating to data protection or Data Protection Law, the terms of this DPA shall prevail.
- Severability: If the whole or any part of a provision of this DPA is or becomes illegal, invalid or unenforceable, that will not affect the legality, validity or enforceability of the remainder of the provision in question or any other provision of this DPA.
- Binding on Successors: This DPA and all of its provisions shall be binding upon and inure to the benefit of the parties and their respective heirs, executors, administrators, successors and permitted assigns.
- Survival of Obligations: The provisions of this DPA shall, as necessary, survive the termination of the provision of Services by HALO however it arises, and shall continue to bind the parties or the relevant party (as applicable) without limit in time.
- Electronic Signatures: The parties consent to the execution of this DPA by or on behalf of each other party by electronic signature, provided that such manner of execution is permitted by law. The parties:
- (a) agree that an executed copy of this Agreement may be retained in electronic form; and
- (b) acknowledge that such electronic form shall constitute an original of this Agreement and may be relied upon as evidence of this Agreement.
- Counterparts: This Agreement may be executed in two or more counterparts, each of which shall be deemed to be an original, but all of which together shall constitute one and the same instrument. The expression “counterpart” shall include electronic counterparts and any executed copy of this Agreement transmitted electronically in Portable Document Format (PDF) or equivalent. Transmission of an executed counterpart of this Agreement (or of the executed signature page of a counterpart of this Agreement), whether executed by wet ink or electronic signature, by physical delivery or email, constitutes effective delivery of this Agreement for all purposes.
- Amazon Web Services
- Affiliates of HALO (for purposes of implementation, support and maintenance of the Services)
Types of personal data to be processed
(i) audio and video recording data.
Categories of data subjects
(i) site visitors;
Nature of the processing
Any operation or set of operations which may be performed on personal data or sets of personal data, whether or not by automated means, including collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Purpose of the processing
Provision of the Services under the MSA
ANNEX 2 – SECURITY MEASURES
At Halo, security is an ongoing process, not a one-time task. We regularly reassess our security measures to adapt to evolving threats and technology changes. We have recently achieved ISO 27001 certification, which demonstrates our commitment to securing our customers’ data. We have an Information Security Policy and a set of other policies which outline our approach to information security. Protecting customer information is crucial, and we have implemented a range of security controls to achieve this:
Data Encryption & Backups
Sensitive customer data is encrypted, both in transit and at rest. This ensures that even if unauthorised access occurs, the data remains unreadable without the proper decryption keys. Regular backups of customer data are taken and these backups are kept secure. This helps in the event of data loss due to system failures, cyber attacks, or other emergencies.
Access Control
Access to customer information is on a need-to-know basis. Strong authentication methods are used, like multi-factor authentication, to ensure only authorised personnel can access sensitive data.
Regular Software Updates
Software is kept updated, including security software, to patch vulnerabilities. Systems are regularly updated and patched to protect against known exploits.
Physical Security
We have secure physical access in place for our offices. This includes access controls and environmental controls to protect against physical theft or damage.
Privacy & Transparency
We clearly communicate our privacy policies to customers. We are transparent about how their information is collected, stored, and used. We obtain explicit consent for collecting and processing personal data.
BCP & Incident Response
We have a comprehensive Business Continuity Plan in place which has been approved by all areas of our business and is tested regularly.
An incident response plan has been developed and maintained to quickly and effectively address security incidents. This includes steps for identifying, containing, eradicating and recovering from security breaches, and for capturing lessons learned.
Staff Training
Staff receive regular training on security best practices. This ensures they understand the importance of safeguarding customer information and are educated on how to recognise and respond to security threats.
Auditing & Penetration Testing
Regular security audits and reviews are conducted to identify and address potential vulnerabilities. This includes reviewing access logs, monitoring for unusual activity, and ensuring compliance with security policies.
Our Halo Vault is tested on an annual basis and any high or medium risk findings are investigated and resolved.
ANNEX 3 - PERMITTED THIRD PARTY SERVICE PROVIDERS