
DATA PROCESSING ADDENDUM


This Data Processing Addendum (the “Agreement”) sets out the terms on which Folio will collect and process personal
data on the Client’s behalf in the course of providing its products and services to the Client pursuant to the Main
Agreement (as defined below). This Agreement contains the mandatory clauses required by Article 28(3) of the General
Data Protection Regulation ((EU) 2016/679) for contracts between controllers and processors.

DESCRIPTION OF DATA PROCESSING

The subject-matter, nature and purpose, duration of the processing, the type(s) of personal data being processed, and
the categories of data subjects, as required by Article 28(3) of the General Data Protection Regulation ((EU) 2016/679)
are set out in the Order Form between the parties.

DEFINITIONS

“Applicable Laws”: the law of the European Union (for so long as and to the extent that they apply to the Data
Processor), the law of any member state of the European Union and/or the UK Data Protection Legislation and any
other law that applies in the UK.

“controller”, “processor”, “data subject”, “personal data”, “personal data breach”, “processing” and
“appropriate technical and organisational measures”: as defined in the Data Protection Legislation.

“Data Protection Legislation”: the UK Data Protection Legislation and any other European Union legislation relating
to personal data and all other legislation and regulatory requirements in force from time to time which apply to a party
relating to the use of personal data (including, without limitation, the privacy of electronic communications); and the
guidance and codes of practice issued by the relevant data protection or supervisory authority and applicable to a party.

“Main Agreement”: the agreement entered into between Folio and the Client under which Folio has agreed to provide
products and/or services to the Client.

“UK Data Protection Legislation”: all applicable data protection and privacy legislation in force from time to time
in the UK including the General Data Protection Regulation ((EU) 2016/679); the Data Protection Act 2018; the Privacy
and Electronic Communications Directive 2002/58/EC (as updated by Directive 2009/136/EC) and the Privacy and
Electronic Communications Regulations 2003 (SI 2003/2426) as amended.

For the purposes of this Agreement, the Client will be referred to as the “Data Controller”, and Folio will be referred
to as the “Data Processor”.

1. Compliance with Data Protection Legislation

1.1. This Agreement is intended to ensure that the Data Controller’s appointment of the Data Processor is compliant
with Data Protection Legislation, and the Data Processor may, at any time on not less than 30 days’ notice to
the Data Controller, revise this Agreement by replacing it with any applicable controller to processor standard
clauses or similar terms approved by the relevant supervisory authority forming part of an applicable
certification scheme to which the Data Processor is subject. If the Data Controller does not agree to such review
terms, it may terminate the agreement by providing notice to the Data Processor.

1.2. Both parties will comply with all applicable requirements of the Data Protection Legislation. This clause 1.2 is
in addition to, and does not relieve, remove or replace, a party’s obligations or rights under the Data Protection
Legislation.

2. Roles of the parties

The parties acknowledge that for the purposes of the Data Protection Legislation, the Data Controller is the
controller and the Data Processor is the processor.

3. Data Controller’s Responsibilities

Without prejudice to the generality of clause 1.2, the Data Controller will ensure that it has all necessary appropriate
consents and notices in place to enable lawful transfer of the personal data to the Data Processor and/or lawful
collection of the personal data by the Data Processor on behalf of the Data Controller for the duration and purposes
of this Agreement.

4. Data Processor’s Responsibilities

Without prejudice to the generality of clause 1.2, the Data Processor shall, in relation to any personal data processed
in connection with the performance by the Data Processor of its obligations under this Agreement:

4.1. process that personal data only on the documented written instructions of the Data Controller unless the Data
Processor is required by Applicable Laws to otherwise process that personal data. Where the Data Processor is
relying on Applicable Laws as the basis for processing personal data, the Data Processor shall promptly notify
the Data Controller of this before performing the processing required by the Applicable Laws unless those
Applicable Laws prohibit the Data Processor from so notifying the Data Controller;

4.2. ensure that it has in place appropriate technical and organisational measures, to protect against: (i) unauthorised
or unlawful processing of personal data; and (ii) accidental loss or destruction of, or damage to, personal data,
appropriate to: the harm that might result from the unauthorised or unlawful processing or accidental loss,
destruction or damage of the data; and the nature of the data to be protected, in all cases having regard to the
state of technological development and the cost of implementing any measures (those measures may include,
where appropriate, pseudonymising and encrypting personal data, ensuring confidentiality, integrity, availability
and resilience of its systems and services, ensuring that availability of and access to personal data can be restored
in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical
and organisational measures adopted by it);

4.3. ensure that all personnel who have access to and/or process personal data are obliged to keep the personal data
confidential;

4.4. ensure that it makes its internal practices, books and records, including policies and procedures relating to the
use and disclosure of personal information received from, or created or received by Data Processor, on behalf
of Data Controller, available to the Data Controller;


4.5. agree to mitigate, to the extent practicable, any harmful effect that is known to Data Processor of a use or
disclosure of personal data by Data Processor or its employees, officers or agents in violation of the
requirements of this Agreement. Data Processor agrees to reasonably cooperate and coordinate with Data
Controller in the investigation of any violation of the requirements of this Agreement. Data Processor shall also
reasonably cooperate and coordinate with the Data Controller in the preparation of any notices or reports to
an individual, a regulatory body or any third party required to be made under applicable laws.


4.6. not transfer any personal data outside the European Economic Area and the United Kingdom unless either:
the Commission has decided, in accordance with Article 45 of the General Data Protection Regulation ((EU)
2016/679), that the third country, a territory or one or more specified sectors within that third country, or the
international organisation to which personal data is to be transferred, ensures an adequate level of protection;
or, the following conditions are fulfilled:

4.6.1. the Data Controller or the Data Processor has provided appropriate safeguards in relation to the transfer

4.6.2. the data subject has enforceable rights and effective legal remedies,
where, in all cases, the Data Processor complies with reasonable instructions notified to it in advance by the
Data Controller with respect to the processing of the personal data;


4.7. assist the Data Controller, at the Data Controller’s cost, in responding to any request from a data subject and
in ensuring compliance with its obligations under the Data Protection Legislation with respect to security,
breach notifications, impact assessments and consultations with supervisory authorities or regulators;

4.8. notify the Data Controller without undue delay, and where practicable, within 48 hours, on becoming aware of
a personal data breach affecting Data Controller personal data, providing Data Controller with sufficient
information to allow the Data Controller to meet any obligations to report or inform Data Subjects of the
personal data breach under the Data Protection Laws.

4.9. Data Processor shall co-operate with the Data Controller and take reasonable commercial steps as are directed
by Data Controller to assist in the investigation, mitigation and remediation of each such personal data breach.

4.10. at the written direction of the Data Controller, and without cost to the Data Controller, delete or return
personal data and copies thereof to the Data Controller promptly and in any event within 10 business days of
the date of cessation of any Services involving the processing of Data Controller personal data (the “Cessation
Date”) unless required by Applicable Law to store the personal data; and

4.11. maintain complete and accurate records and information to demonstrate its compliance with this clause
4 and allow for audits by the Data Controller or the Data Controller’s designated auditor, only so far as is
necessary in order to demonstrate compliance, provided that the Data Controller: provides the Data Processor
with no less than 30 days’ notice of such audit or inspection; and the parties agree the scope, duration, and
purpose of such audit or inspection in advance. If the Data Controller becomes privy to any confidential
information of the Data Processor as a result of this clause 4.8, the Data Controller shall hold such confidential
information in confidence and, unless required by law, not make the confidential information available to any
third party, or use it for any other purpose. The Data Controller acknowledges that the Data Processor shall
only be required to use reasonable endeavours to assist the Data Controller in procuring access to any third
party assets, records or information as part of any audit.

4.12. promptly notify Data Controller if it receives a request from a Data Subject under any Data Protection
Law in respect of personal data; and

4.13. ensure that it does not respond to that request except on the documented instructions of Data
Controller or as required by Applicable Laws to which the Data Processor is subject, in which case Data
Processor shall to the extent permitted by Applicable Laws inform Data Controller of that legal requirement
before the Contracted Processor responds to the request.

5. Third party processors

5.1. The Data Controller acknowledges and consents generally to the appointment by the Data Processor of third
parties as sub-processors of the personal data being processed under this Agreement.

5.2. The Data Processor confirms that:

5.2.1. it shall impose on all sub-processors the same data protection obligations as set out in clauses 1, 4, and 5; and


5.2.2. the Data Processor shall remain fully liable for the actions of its sub-processors at all times.


5.3. The Data Processor shall give the Data Controller prior notice of the appointment of any new sub-processors
and provide the Data Controller with full details of the processing to be undertaken by the sub-processor,
thereby giving the Data Controller the opportunity to object to such appointment. If the Data Processor so
notifies the Data Controller of any changes to sub-processors and the Data Controller objects to such changes,
the Data Controller will be entitled to terminate this Agreement (without liability for either party, and such
termination will be deemed to be a no-fault termination) if the Data Controller has reasonable grounds for
objecting to such changes by reason of the changes causing or being likely to cause the Data Controller to be
in breach of the Data Protection Legislation.

6. Audit rights

6.1. Subject to this section 6, Data Processor shall, subject to the Data Controller giving the Data Processor no less
than 30 days’ advance notice, and on no more than 2 occasions in any contract year (except in the case of any
emergency or data breach when such notice shall not be required), make available to the Data Controller on
request all information necessary to demonstrate compliance with this Agreement, and shall allow for and
contribute to audits, including inspections, by the Data Controller or an auditor mandated by the Company in
relation to the Processing of the Company Personal Data by the Contracted Processors.

6.2. Information and audit rights of the Data Controller only arise under section 6.1 to the extent that the Agreement
does not otherwise give them information and audit rights meeting the relevant requirements of Data Protection
Law.

7. General

7.1. Subject to the provisions regarding liability under the Main Agreement, and the Data Controller taking all
reasonable steps to mitigate against the same, Data Processor shall, to the fullest extent permitted by law,
protect, defend and indemnify Data Controller and its respective employees, directors, and agents from and
against any and all losses, costs, claims, penalties, fines, demands, liabilities, legal actions, judgments, and
expenses of every kind (including reasonable attorney’s fees, including at trial and on appeal) asserted or
imposed against the Data Controller arising out of a data breach directly caused by the acts or omissions of
Data Processor or any of its employees, directors, or agents.


7.2. This Agreement is subject to the terms of the Main Agreement and is incorporated into the Main Agreement.
Except where otherwise stated herein, interpretations and defined terms set forth in the Main Agreement apply
to the interpretation of this Agreement. In the case of conflict or ambiguity between any of the provisions of
this Agreement and the provisions of the Main Agreement, the provisions of this Agreement will prevail. Any
limitation of liability set forth in the Main Agreement will apply to this Agreement.

7.3. This Agreement and any dispute or claim (including non-contractual disputes or claims) arising out of or in
connection with it or its subject matter or formation shall be governed by and construed in accordance with the
law of England and Wales.

7.4. Each party irrevocably agrees that the courts of England and Wales shall have exclusive jurisdiction to settle
any dispute or claim (including non-contractual disputes or claims), arising out of or in connection with this
Agreement or its subject matter or formation.