DATA PROCESSING

Personal Data

Data Processing Agreement

1. INTRODUCTION

1.1 Port-P Limited (registered in England and Wales with company number 02959142)

1.2 In the course of providing IT services, Port-P may process personal data on behalf of its Customer (a person who has placed an order for IT services with Port-P which has been accepted by Port-P).

1.3 Port-P takes the protection of personal data very seriously. To ensure the protection of any personal data which it processes on behalf of the Customer, and to ensure compliance with Port-P’s and the Customer’s respective legal obligations, Port-P has prepared this data processing agreement.

1.4 This data processing agreement forms part of the legal agreement between Port-P and the Customer, and should be read in conjunction with Port-P’s general terms and conditions or hosting terms and conditions (as applicable).

2. EFFECT OF THIS DATA PROCESSING AGREEMENT

2.1 This data processing agreement comes into effect if at any time Port-P starts processing personal data on behalf of the Customer, and remains in effect until the later of:

2.1.1 the date on which the relevant services are completed or terminated; and

2.1.2 the date on which Port-P ceases to have in its possession or control or otherwise to have access to any of the Customer’s personal data.

2.2 This data processing agreement supplements Cloud-P’s terms and conditions. It does not replace any provisions contained in the terms and conditions, but if there is any conflict between the two documents this data processing agreement will have priority.

2.3 This data processing agreement is subject to all of the terms set out in the terms and conditions, as if it formed part of those terms, including as to termination, liability, contractual notices and general contractual provisions.

3. COMPLIANCE WITH DATA PROTECTION LEGISLATION

3.1 Each party agrees that, in the performance of its respective obligations under the terms, it will comply all law applicable to the protection of personal data in effect from time to time (Data Protection Legislation) to the extent it applies to each of them, including:

3.1.1 the UK General Data Protection Regulation and, where applicable, the EU General Data Protection Regulation (together, the GDPR); and

3.1.2 the Data Protection Act 2018.

3.2 Where used in this data processing agreement, the expressions data subject, personal data, personal data breach, and process will have the meaning given to them in Data Protection Legislation.

3.3 For the avoidance of doubt, nothing in this data processing agreement or the terms and conditions relieves either party of its own direct responsibilities and liabilities under Data Protection Legislation.

4. DESCRIPTION OF PROCESSING

4.1 The nature of the personal data processing which Port-P may perform will vary depending on the services being provided:

4.1.1 Where Port-P provides hosting services, the Customer may choose to store personal data on Port-P’s servers, and Port-P may also incidentally access this personal data in the course of managing the servers and providing support.

4.1.2 In any other case, any access to personal data is likely to be incidental to the provision of the services, for example, Port-P’s employees gaining access to personal data held on the Customer’s systems when providing implementation or support services.

4.2 Port-P will process personal data on the Customer’s behalf solely for the purposes of providing the services and will not use that personal data for any other purposes.

4.3 The type of personal data processed and the nature of the individuals to whom that personal data relates will vary depending on the nature of the services and the nature of the personal data which the Customer holds and makes available to Port-P:

4.3.1 Where Port-P provides hosting services, it will depend on the nature of the information which the Customer chooses to store on Port-P’s servers, and could include any type of personal data relating to any type of individual.

4.3.2 In any other case, it will depend on the nature of the information which the Customer stores on systems which it grants Port-P access to, and is likely to include personal data relating to the Customer’s employees, customers and other contacts and may include details such as names, email addresses, job titles and customer records.

5. CONDITIONS OF PROCESSING

5.1 Where Port-P is processing personal data on the Customer’s behalf in connection with the provision of services to the Customer, it will do so only in accordance with the terms and conditions, this data processing agreement, and the Customer’s documented instructions (unless otherwise required by law, in which case Port-P will, where permitted, inform the Customer of that legal requirement before processing).

5.2 By appointing Port-P to provide services, the Customer has authorized Port-P to engage sub-processors from time to time, provided that Port-P must:

5.2.1 notify the Customer of any intended changes concerning the addition or replacement of other sub-processors;

5.2.2 impose upon any sub-processor (and ensure any sub-processor’s compliance with) the terms of this data processing agreement as if the processing being carried out by the sub-processor was being carried out by Port-P; and

5.2.3 remain liable for the acts and omissions of its sub-processors as if they were Port-P’s own acts and omissions.

6. CUSTOMER RESPONSIBILITIES

6.1 The Customer must:

6.1.1 only provide (or allow the provision of) personal data to Port-P where that personal data has been lawfully obtained and where the Customer is lawfully entitled to provide (or allow the provision of) that personal data to Port-P for the intended purpose and means of processing; and

6.1.2 ensure that any instructions given to Port-P in connection with the processing are compliant with applicable Data Protection Legislation, within the scope of Port-P’s obligations under the terms and conditions and will not (if properly performed) place either Port-P or Customer in breach of their respective obligations under Data Protection Legislation.

6.2 The Customer must indemnify, keep indemnified and hold Port-P harmless against all claims, demands, penalties, fines, actions, costs, expenses, losses and damages suffered or incurred by or awarded against Port-P arising from or in connection with any breach by the Customer of the above warranty.

7. CLOUD-P RESPONSIBILITIES

7.1 Where Port-P processes any personal data on the Customer’s behalf in connection with the provision of services to the Customer it must:

7.1.1 not transfer or allow the transfer of that personal data outside the United Kingdom or European Economic Area without the Customer’s written consent (except as permitted by Chapter V of the GDPR);

7.1.2 ensure that any persons authorised to process the personal data are subject to a duty of confidence in respect of that processing;

7.1.3 implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, in compliance with the obligations imposed on Port-P by article 32 of the GDPR;

7.1.4 notify the Customer without undue delay on becoming aware of a personal data breach and cooperate with the Customer to resolve such issue; and

7.1.5 at the Customer’s expense, provide such assistance as the Customer may reasonably require to assist it to comply with its obligations to keep that personal data secure, allow it to inform a regulatory authority or data subject of a personal data breach, conduct a data protection impact assessment, consult with a supervisory authority regarding the relevant processing activities and/or respond to requests made by data subjects pursuant to Data Protection Legislation.

7.2 At any time whilst this data processing agreement remains in effect, the Customer may require Port-P to:

7.2.1 provide details in writing of its data processing activities carried out on the Customer’s behalf; and

7.2.2 on reasonable notice allow the Customer (or its appointed auditor) to audit its compliance with the terms of this data processing agreement, subject to any reasonable requirements or restrictions that Port-P may impose to safeguard the personal data it holds on behalf of other customers and/or avoid unreasonable disruption to Port-P’s business.

7.3 Port-P will process personal data on the Customer’s behalf only whilst providing the services to the Customer (except where it is necessary to process the personal data to perform any post-completion or post-termination obligations, in which case it may process the personal data to the extent required to perform those obligations).

7.4 On completion or termination of the services (and any applicable post-termination or post-completion obligations), Port-P will either delete or return all personal data processed on the Customer’s behalf in connection with the applicable services, and will delete any copies (except to the extent retention is required by law or for record-keeping purposes).