Data processing agreement

1.0 Introduction

This Data Processing Agreement (DPA) is made between parties detailed on any Quote, Order Confirmation or incorporating this DPA by reference in any form. This DPA shall be in addition to any obligations set out in any Quote, Order Confirmation or standard Terms and Conditions.

2.0 Definitions

Agreement
as defined in Mediahawk’s Standard Terms and Conditions;

Anonymised Data

means any Personal Data (including “Controller” Data), which has been anonymised such that the Data Subject to whom it relates cannot be identified, directly or indirectly, by Mediahawk or any other party reasonably likely to receive or access that anonymised Personal Data.

Applicable law
means as applicable and binding on the Customer, Mediahawk and/or the Services:
(a) any law, regulation, byelaw or subordinate legislation in force from time to time to which a party is subject and/or in any jurisdiction that the Services are provided to or in respect of, as may be specified in Terms and Conditions;
(b) the common law and laws of equity as applicable to the parties from time to time;
(c) any binding court order, judgment or decree; or
(d) any applicable direction, policy, rule or order that is binding on a party and that is made or given by any regulatory body having jurisdiction over a party or any of that party’s assets, resources or business;

Appropriate safeguards
means such legally enforceable mechanism(s) for transfers of Personal Data as may be permitted under Data Protection Laws from time to time (including, but not limited to, EU/ EAA, Model Contract Clauses or Privacy Shield certification);

Customer
as defined in Mediahawk’s Standard Terms and Conditions;

Data controller
has the meaning given to that term (or to the term ‘controller’) in Data Protection Laws;

Data processor
has the meaning given to that term (or to the term ‘processor’) in Data Protection Laws;

Data protection laws
means as applicable and binding on the Customer, Mediahawk and/or the Services:
(a) in the United Kingdom:
(i) UK GDPR General Data Protection Regulation
(ii) Data Protection Act 2018
(iii) EU GDPR General Data Protection Regulation (EU) (or “GDPR”) and/or any corresponding or equivalent national laws or regulations; and/or
(iiii) the Privacy and Electronic Communications (EC Directive) Regulations 2003 and/or any corresponding or equivalent national laws or regulations.
(b) in member states of the European Union: the Data Protection Directive or the GDPR and all relevant member laws or regulations giving effect to or corresponding with any of them;
(c) specifically in relation to the Customer, all data protection and/or privacy laws in which recipient Data Subjects are contacted through the Services are located;
(d) any Applicable Laws replacing, amending, extending, re-enacting or consolidating any of the above Data Protection Laws from time to time;

Data protection losses
means all liabilities, including all:
(a) costs (including legal costs), claims, demands, actions, settlements, interest, charges, procedures, expenses, losses and damages (including relating to material or non-material damage); and
(b) to the extent permitted by Applicable Law:
(i) administrative fines, penalties, sanctions, liabilities or other remedies imposed by a Supervisory Authority;
(ii) compensation which is ordered by a Supervisory Authority to be paid to a Data Subject; and
(iii) the reasonable costs of compliance with investigations by a Supervisory Authority;

Data subject
has the meaning given to that term in Data Protection Laws;

Data subject request
means a request made by a Data Subject to exercise any rights of Data Subjects under Data Protection Laws;

International organisation
means an organisation and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries;

International recipient
has the meaning given to that term in clause 8;

Personal data
has the meaning given to that term in Data Protection Laws and received from or on behalf of the Customer in connection with the performance of Mediahawk’s obligations under this Agreement;

Personal data breach
means any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, any Personal Data;

Processing
has the meanings given to that term in Data Protection Laws (and related Terms and Conditions such as process have corresponding meanings);

Processing instructions
has the meaning given to that term in clause 5.2.1;

Services
as defined in Mediahawk Standard Terms and Conditions

Quote and order agreement
as defined in “Order” within Mediahawk Standard Terms and Conditions

Sub-processor
means another Data Processor engaged by Mediahawk for carrying out processing activities in respect of the Personal Data on behalf of the Customer

Supervisory authority
means any local, national or multinational agency, department, official, parliament, public or statutory person or any government or professional body, regulatory or supervisory authority, board or other body responsible for administering Data Protection Laws.

References to any Applicable Laws (including to the Data Protection Laws and each of them) and to Terms and Conditions defined in such Applicable Laws shall be replaced with or incorporate (as the case may be) references to any Applicable Laws replacing, amending, extending, re-enacting or consolidating such Applicable Law (including the GDPR and any new Data Protection Laws from time to time) and the equivalent Terms and Conditions defined in such Applicable Laws, once in force and applicable. A reference to a law includes all subordinate legislation made under that law.

3.0 Interaction with the agreement

3.1 This DPA will take effect from either the date on which the Customer accepts the Terms and Conditions of this DPA and shall continue until the end of Mediahawk’s provision of the Services (including data retention period, where relevant)
3.2 Except for the changes made by this DPA, the Agreement remains in full force and effect. To the extent that there is any conflict between this DPA and the Agreement, the clauses of this DPA shall prevail.
3.3 Any claims brought under or in connection with this DPA shall be subject to the Terms and Conditions agreed between the parties, including, but not limited to, the exclusions and limitations set out in the Agreement. In no event shall any party limit its liability with respect to any individual’s data protection rights under this DPA or otherwise. Any penalties issued by a Supervisory Authority and incurred by Mediahawk in relation to Personal Data arising from or in connection with the Customer’s failure to comply with its obligations under this DPA or any applicable Data Protection Laws shall reduce any liability of Mediahawk under the Agreement and be considered a liability to the Customer under the Agreement.

4.0 Data processor and data controller

4.1 The parties agree that, for the Personal Data, the Customer shall be the Data Controller and Mediahawk shall be the Data Processor.
4.2 Mediahawk shall process Personal Data in compliance with:
4.2.1 the obligations of Data Processors under Data Protection Laws in respect of the performance of its obligations under this Agreement; and
4.2.1 the obligations of Data Processors under Data Protection Laws in respect of the performance of its obligations under this Agreement; and
4.3 The Customer shall comply with:
4.3.1 all Data Protection Laws in connection with the processing of Personal Data, the Services and the exercise and performance of its respective rights and obligations under this Agreement, including maintaining all relevant regulatory registrations and notifications as required under Data Protection Laws; and
4.3.2 the Terms and Conditions of this DPA.
4.4 The Customer warrants, represents and undertakes, that:
4.4.1 all data sourced by the Customer for use in connection with the Services shall comply in all respects, including in Terms and Conditions of its collection, storage and processing (which shall include the Customer providing all of the required fair processing information to, and obtaining all necessary consents from, Data Subjects), with Data Protection Laws;
4.4.2 all instructions given by it to Mediahawk in respect of Personal Data shall at all times be in accordance with Data Protection Laws; and
4.5 The Customer shall not unreasonably withhold, delay or condition its agreement to any change or amendment requested by Mediahawk in order to ensure the Services and Mediahawk (and each Sub-Processor) can comply with Data Protection Laws.

5.0 Instructions and details of processing

5.1 By entering into this DPA, Customer instructs Mediahawk to process Customer Personal Data only in accordance with Applicable Law:
5.1.1 To provide the Services;
5.1.2 As further specified by Customer’s use of the Services or the Software;
5.1.3 As documented in the form of the Terms and Conditions and this DPA; and
5.1.4 As further documented in any other written instructions provided by the Customer and acknowledged by Mediahawk as being instructions for the purposes of this DPA.
5.2 Insofar as Mediahawk processes Personal Data on behalf of the Customer, Mediahawk:
5.2.1 unless required to do otherwise by Applicable Law, shall (and shall take steps to ensure each person acting under its authority shall) process the Personal Data only on and in accordance with the Customer’s documented instructions as set out in this clause, as updated from time to time as agreed between the parties (Processing Instructions);
5.2.2 if Applicable Law requires it to process Personal Data other than in accordance with the Processing Instructions, shall notify the Customer of any such requirement before processing the Personal Data (unless Applicable Law prohibits such information on important grounds of public interest); and
5.2.3 shall inform the Customer if Mediahawk becomes aware of a Processing Instruction that, in Mediahawks opinion, infringes Data Protection Laws, provided that:
(a) this shall be without prejudice to clauses 4.3 and 4.4; and
(b) to the maximum extent permitted by mandatory law, Mediahawk shall have no liability howsoever arising (whether in contract, tort (including negligence) or otherwise) for any losses, costs, expenses or liabilities (including any Data Protection Losses) arising from or in connection with any processing in accordance with the Customer’s Processing Instructions following the Customer’s receipt of that information; and
5.3 Customer acknowledges and agrees that Mediahawk shall be freely able to use and disclose Anonymized Data for Mediahawk’s own business purposes without restriction.
5.4 The subject matter and details of the processing of Personal Data to be carried out by Mediahawk under this DPA shall comprise the processing set out in Schedule 1 (Data processing details), as may be updated from time to time as agreed between the parties.

6.0 Technical and organisational measures

6.1 Mediahawk shall implement and maintain, at its cost and expense and in relation to the processing of Personal Data by Mediahawk, technical and organisational measures taking into account the nature of the processing, to assist the Customer insofar as is possible in the fulfilment of the Customer’s obligations to respond to Data Subject Requests relating to Personal Data.

7.0 Using sub-processors

7.1 Subject to the below, the Customer authorises Mediahawk to appoint Sub-Processors such as, data centres, telecommunications providers, cloud-based systems and storage to carry out any processing activities in respect of the Personal Data without the Customer’s written authorisation.
7.2 Mediahawk shall ensure:
7.2.1 via a written contract that the Sub-Processor only accesses and processes Personal Data to perform the obligations subcontracted to it and does so in accordance with the measures contained in this DPA that is enforceable by Mediahawk; and
7.2.2 remain fully liable for all the acts and omissions of each Sub-Processor as if they were its own.
7.3 details of which Sub-Processor are being used are available on request to a Customer. The Customer acknowledges that such information is strictly confidential.
7.4 Mediahawk will notify the Customer of any intended changes or replacements to any of the Sub-Processors, the Customer may object (on reasonable grounds and only relating to data protection) to any Sub-Processor within 30 days of this notification. If the Customer has not objected to any such changes within the 30 days of notification of the change, the Customer shall be deemed to have accepted the changes.
If the Customer notifies Mediahawk in writing of any objections to the appointment:
7.4.1 Mediahawk shall work with Customer in good faith to make available a commercially reasonable change in the provision of the Services which avoids the use of that proposed Sub-processor; and
7.4.2 where such a change cannot be made Customer may by written notice to Mediahawk with immediate effect terminate the Service Agreement to the extent that it relates to the Services which require the use of the proposed Sub-processor. This termination right is Customer’s sole and exclusive remedy to Customer’s objection of any Sub-Processor appointed by Mediahawk during the Term.

8.0 International data transfers

8.1 The Customer agrees that Mediahawk may transfer any Personal Data to countries outside the UK, including the European Economic Area (EEA) or to any International Organisation(s) (an International Recipient), provided all transfers by Mediahawk of Personal Data to an International Recipient shall (to the extent required under Data Protection Laws) be affected by way of Appropriate Safeguards and in accordance with Data Protection Laws. The provisions of this Agreement shall constitute the Customer’s instructions with respect to transfers in accordance with clause 5.1.

9.0 Staff

9.1 Mediahawk shall ensure that all persons authorised by it (or by any Sub-Processor) to process Personal Data are subject to a binding written contractual obligation to keep the Personal Data confidential (except where disclosure is required in accordance with Applicable Law, in which case Mediahawk shall, where practicable and not prohibited by Applicable Law, notify the Customer of any such requirement before such disclosure).

10.0 Assistance with the customer’s compliance and data subject rights

10.1 Mediahawk shall refer all Data Subject Requests it receives to the Customer within three Business Days of receipt of the request.
10.2 Further to the above and notwithstanding anything to the contrary in the Terms and Conditions, Mediahawk reserves the right to disclose the identity of the Customer to any relevant Data Subject following any such request from a Data Subject.
10.3 Mediahawk shall provide such reasonable assistance as the Customer reasonably requires (taking into account the nature of processing and the information available to Mediahawk) to the Customer in ensuring compliance with the Customer’s obligations under Data Protection Laws with respect to:
10.3.1 security of processing;
10.3.2 data protection impact assessments (as such term is defined in Data Protection Laws);
10.3.3 prior consultation with a Supervisory Authority regarding high risk processing; and
10.3.4 notifications to the Supervisory Authority and/or communications to Data Subjects by the Customer in response to any Personal Data Breach.

11.0 Records, information and audit

11.1 Mediahawk shall maintain, in accordance with Data Protection Laws binding on Mediahawk, written records of all categories of processing activities carried out on behalf of the Customer.
11.2 Mediahawk shall, in accordance with Data Protection Laws, make available to the Customer such information as is reasonably necessary to demonstrate Mediahawk’s compliance with the obligations of Data Processors under Data Protection Laws, and allow for and contribute to audits, including inspections, by the Customer (or another auditor mandated by the Customer) for this purpose, subject to the Customer:
11.2.1 giving Mediahawk reasonable prior notice of such information request, audit and/or inspection being required by the Customer;
11.2.2 ensuring that all information obtained or generated by the Customer or its auditor(s) in connection with such information requests, inspections and audits is kept strictly confidential (save for disclosure to the Supervisory Authority or as otherwise required by Applicable Law);
11.2.3 ensuring that such audit or inspection is undertaken during normal business hours, with minimal disruption to Mediahawk’s business and the business of other Customers of Mediahawk; and
11.2.4 paying Mediahawk’s reasonable costs for assisting with the provision of information and allowing for and contributing to inspections and audits.

12.0 Data retention

12.1 The Customer agrees that Mediahawk shall retain Customer Personal Data for the following “Data Retention Period”:
12.1.1 for a maximum of 5 (five) years for an active Customer;
12.1.2 for a maximum of 180 days after the termination of the Agreement.
12.2 Mediahawk shall, in accordance with Data Protection Laws, allow deletion of data upon receipt of request (including when responding to a request for the Data Subject to be “forgotten”)
12.3 Customers may request amendments to the Data Retention Period for their account at any time during their Agreement.
12.3 Personal Data may be stored for longer periods insofar as the data will be processed solely for archiving purposes in the public interest, financial, regulatory requirements, scientific and historical research purposes or statistical purposes in accordance with Article 89(1) of GDPR.

13.0 Breach notification

13.1 In respect of any Personal Data Breach involving Personal Data, Mediahawk shall, without undue delay (but in any event within 72 hours) from when Mediahawk becomes aware of the same:
13.1.1 notify the Customer of the Personal Data Breach; and
13.1.2 provide the Customer, where possible, with details of the Personal Data Breach.
13.2 Notice of a Personal Data Breach as contemplated under 13.1.1 above shall include:
13.2.1 the nature of the Personal Data Breach (including, where possible, the categories and approximate number of data subjects and data records concerned);
13.2.2 the likely consequences of the Personal Data Breach; and
13.2.3 the measures taken or proposed to be taken to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.

14.0 Deletion or return of personal data and copies

14.1 Mediahawk shall, at the Customer’s written request, or provide facilities for the Customer to either delete or return all the Personal Data to the Customer in such form as the Customer reasonably requests within a reasonable time after the earlier of:
14.1.1 the end of the provision of the relevant Services related to processing; or
14.1.2 once processing by Mediahawk of any Personal Data is no longer required for the purpose of Mediahawk’s performance of its relevant obligations under this Agreement and delete existing copies (unless storage of any data is required by for commercial reasons or Applicable Law and, if so, Mediahawk shall inform the Customer of any such requirement).

15.0 Cooperation

15.1 If a party receives a compensation claim from a person relating to processing of Personal Data, it shall promptly provide the other party with notice and full details of such claim. The party with conduct of the action shall:
15.1.1 make no admission of liability nor agree to any settlement or compromise of the relevant claim without the prior written consent of the other party (which shall not be unreasonably withheld or delayed); and
15.1.2 consult fully with the other party in relation to any such action.

SCHEDULE 1

DATA PROCESSING DETAILS

    1. Subject-matter of processing:

Mediahawk’s provision of the Services to the Customer.

    1. Duration of the processing:

The term as advised on any relevant Quote or Order Confirmation until deletion of all Personal Data by Mediahawk in accordance with the Data Retention (Section 12)

    1. Nature and purpose of the processing:

Mediahawk will process Personal Data for the purposes of providing the Services to the Customer in accordance with the DPA and the Mediahawk standard Terms and Conditions.

    1. Type of personal data:

Data relating to individuals provided to Mediahawk via the provision of the Services by or at the direction of the Customer or end-users of the Customer.

    1. Categories of data subjects:

Data Subjects include the individuals about whom data is provided to Mediahawk via the Services by or at the direction of the Customer or end-users of the Customer.