GDPR provisions

General data protection regulation provisions 

Unless otherwise defined, capitalised words and expressions have the same meaning as set out in the Agreement.

1       Definitions

1.1    “Controller” means the entity that alone or jointly with others determines the purposes and means of the processing of Personal Data.

1.2    “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed by HighQ.

1.3    “Data Protection Laws” means all applicable laws, rules, regulations, directives and governmental requirements relating in any way to the privacy, confidentiality, security, integrity and protection of Personal Data, including without limitation, the General Data Protection Regulation (EU) 2016/679 (“GDPR”), as amended or superseded from time to time, and any national implementing legislation.

1.4    “Data Subject” means the identified or identifiable natural person to whom Personal Data relates.

1.5   “Personal Data” means any information provided to HighQ relating to an identified or identifiable natural person and in relation to which HighQ is providing the Services under the Agreement; an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

1.6    “Processor” means the entity that processes Personal Data on behalf of the Controller.

1.7    “Subprocessor” means any Processor engaged by HighQ or any member of the HighQ group company.

1.8  “Supervisory Authority” means any regulatory, supervisory, governmental or other competent authority with jurisdiction or oversight over the Data Protection Laws.

2       Description of Processing

2.1     Personal Data shall be processed under the Agreement as set out below:

(a)     Subject-matter and duration of the processing:

The subject matter is the provision of the services and related technical support by HighQ to Licensee under the Agreement. The duration will be for the Term and following the termination or the expiry of the Term until all Licensee Data is deleted by HighQ.

(b)      Nature and purpose of the data processing:

HighQ will process Personal Data submitted, stored, sent or received by Licensee, its Affiliates, Authorised Users or Designated External Users via the services for the purposes of providing the services and related technical support to Licensee in accordance with the Agreement.

(c)      Type of personal data:

Personal data submitted, stored, sent or received by Licensee, its Affiliates, Authorised Users or Designated External Users via the services may include the following categories of data: user IDs, email, documents, presentations, images, calendar entries, tasks and other data.

(d)       Categories of Data Subjects:

Personal data submitted, stored, sent or received via the Services may concern the following categories of Data Subjects: (i) Authorised Users and Designated End Users including Licensee’s employees and contractors, (ii) the personnel of Licensee’s customers, suppliers and subcontractors, and (iii) any other person who transmits data via the Services, including individuals collaborating and communicating with Authorised Users and Designated End Users.

3       General Processing Obligations of HighQ

3.1   The parties acknowledge and agree that Licensee is the Controller and HighQ is the Processor with regard to the processing of Personal Data.

3.2   HighQ shall process Personal Data only on documented instructions of Licensee as set out in this Agreement, and not for any other purpose, or in any other manner, unless specifically instructed by Licensee in writing to do so, or as required by the Data Protection Laws. In the event that HighQ is required by the Data Protection Laws to process Personal Data for any other purpose or in any other manner, HighQ shall inform Licensee of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.

3.3   HighQ shall ensure that its employees, agents and/or Subprocessors authorised to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

4       Data Security

HighQ shall implement appropriate technical and organisational measures to safeguard Personal Data, which shall meet the requirements of the GDPR (Article 32). Licensee acknowledges and agrees that it has knowledge of and has reviewed these measures and is responsible for ensuring that they provide an appropriate level of protection to the risks of Personal Data to be processed. HighQ may update or modify these measures from time to time provided that such updates or modifications do not result in any material degradation of the security of Personal Data.

5       Subprocessing

General consent

HighQ shall be permitted to appoint a Subprocessor to process Personal Data provided that:

i.      HighQ enters into a written contract with the Subprocessor on the same terms as those set out in these GDPR Provisions;

ii.   HighQ shall inform Licensee of any intended changes concerning the addition or replacement of any Subprocessor and give Licensee the opportunity to object to such changes; and

iii.     where a Subprocessor fails to fulfil its data protection obligations, HighQ shall remain fully liable to Licensee for the performance of the Subprocessor’s obligations.

6       Data Subject Requests

Taking into account the nature of the processing, HighQ shall provide commercially reasonable assistance to Licensee by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of Licensee’s obligation to respond to a request from a Data Subject to exercise the Data Subject’s right of access, right to rectification, restriction of processing, erasure, data portability, right to object to the processing or his/her right not to be subject to automated individual decision-making. To the extent legally permitted, Licensee shall be responsible for any costs arising from HighQ’s provision of such assistance.

7      Personal Data Breach

7.1    HighQ shall notify Licensee without undue delay after becoming aware of a Personal Data Breach and provide commercially reasonable assistance to Licensee in connection with its third party notification and communication obligations under the GDPR, taking into account the nature of the Personal Data processing and the information available to HighQ. To the extent legally permitted, Licensee shall be responsible for any costs arising from HighQ’s provision of such assistance.

7.2   Licensee acknowledges and agrees that it is solely responsible for the fulfilment of any third party notification and communication obligations under the GDPR.

8       Data Protection Impact Assessments

HighQ shall provide commercially reasonable assistance to Licensee in connection with its obligations under the GDPR to carry out a data protection impact assessment (and, where required by the Data Protection Laws, consulting with the relevant Supervisory Authority in respect of any such data protection impact assessment). To the extent legally permitted, Licensee shall be responsible for any costs arising from HighQ’s provision of such assistance.

9        Audit

9.1    Upon Licensee’s written request, HighQ shall make available to Licensee the information necessary to demonstrate compliance with the obligations set out in these GDPR Provisions.

9.2   Upon reasonable written notice to HighQ, Licensee may request an audit or an inspection to verify HighQ’s compliance with the obligations set out in these GDPR Provisions. HighQ agrees to facilitate and contribute to (and by doing so the parties acknowledge that it shall not breach HighQ’s obligations of confidentiality to any other third party) such audit or inspection, which may be carried out by Licensee or a third party auditor, at the selection and expense of Licensee. Licensee agrees that any audit or inspection shall be carried out (i) during normal working hours; (ii) in a manner that avoids or minimises any disruption to HighQ’s business; and (iii) in each case no more frequently than once per calendar year, unless mandated by a Supervisory Authority. The Licensee’s or third party auditor’s report shall be provided to HighQ upon HighQ’s written request and any such report shall be bound by the Confidentiality provisions in the Agreement.

9.3    HighQ shall immediately notify Licensee if, in its opinion, an instruction from Licensee on the processing of Personal Data infringes the Data Protection Laws. HighQ shall not, however, be obliged to actively monitor such instructions for infringements of the Data Protection Laws.

10      Data Transfers

10.1   Except where HighQ is required to do so in accordance with the Data Protection Laws, HighQ shall not transfer any Personal Data out of the European Economic Area to any country that has not been identified by the European Commission or a Supervisory Authority under the Data Protection Laws as a country that provides an adequate level of data protection except:

(a)     on Licensee’s prior written approval, and
(b)    where HighQ has ensured adequate protection for such Personal Data, as required by the Data Protection Laws, such as by ensuring that any such transfer of Personal Data is governed by the EU Standard Contractual Clauses.

10.2  Where HighQ is required to transfer Personal Data out of the European Economic Area to any country that has not been identified by the European Commission or a Supervisory Authority under the Data Protection Laws as a country that provides an adequate level of data protection, HighQ shall inform Licensee of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.

11     Return or Deletion of Personal Data

At the choice of Licensee, HighQ shall delete or return all Personal Data to Licensee after the end of the provision of Services relating to Personal Data, and delete existing copies of Personal Data unless the Data Protection Laws require storage of Personal Data by HighQ.

Last Updated 22 November 2017