Data Processing Addendum.

This Data Processing Addendum ("DPA") supplements AnswerConnect's Terms and Conditions of Supply (the "Agreement"). Any definitions used in the Agreement shall apply to this DPA. This DPA shall apply solely to the Processing of Personal Data that is regulated under Data Protection Laws and Regulations (see definitions set forth is Section 1 below).

1. Definitions.

The terms used in this DPA shall have the following meaning:

  • a. Data Protection Laws and Regulations means the UK GDPR as described in section 3(10) (as supplemented by section 205(4)) of the Data Protection Act 2018 as the UK version of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016.

  • b. the terms controller, processor, data subject, personal data, personal data breach and processing shall have the meaning given to them in the Data Protection Laws and Regulations.

2. Processing of Personal Data

  • a. Roles of the Parties. The parties agree that Customer is the controller solely responsible for determining the purposes and means of the processing of personal data, and AnswerConnect is Customer's processor responsible for processing personal data on behalf of the controller. As further discussed in this DPA, AnswerConnect shall only take action pursuant to instructions of Customer with regards to processing personal data. AnswerConnect may engage sub-processors to process personal data pursuant to the requirements set forth in Section 3 "Sub-Processors" below.

  • b. User's Obligations. The Customer is solely responsible for its compliance with the Data Protection Laws and Regulations, including without limitation the lawfulness of any transfer of personal data to AnswerConnect and the processing of personal data by AnswerConnect as set forth in the Agreement. The Customer shall have sole responsibility for (i) the accuracy, quality, and legality of personal data provided to AnswerConnect; (ii) the means by which the Customer acquires personal data, including providing any required notices to, and obtaining any necessary acknowledgements, authorizations or consents from, data subjects; (iii) the legality of transfers of Customer data, including without limitation data from the Customer's affiliates, partners and users of the Services from AnswerConnect. The Customer takes full responsibility to keep the amount of personal data provided to AnswerConnect to the minimum necessary in order for AnswerConnect to provide the Services. The Customer shall be solely responsible for establishing and maintaining any data processing registers or overview (including without limitation any records of processing, any records of consents, or any other required documentation) as may be required by any applicable law, including but not limited to the Data Protection Laws and Regulations.

  • c. User's Right to Issue Instructions. Except as necessary to comply with an applicable law or regulation, court order or other legal process, AnswerConnect shall only process personal data in accordance with Customer's instructions or otherwise as required in order to provide the Services. For the avoidance of doubt, but not by way of limitation, Customer's instructions for the processing of personal data must comply with Data Protection Laws and Regulations. Customer's initial instructions for the processing of personal data are defined by the Agreement including without limitation this DPA, Schedule 1 to this DPA, and any applicable order form, statement of work, or similar agreement regarding the Services. Subject to the terms of this DPA and with mutual agreement of the parties, Customer may issue additional written instructions concerning the type, extent and procedure of processing. Any changes of the subject matter of processing and of procedures shall be agreed upon by the parties in writing prior to becoming effective. The Customer is responsible for ensuring that all individuals who provide written instructions to AnswerConnect are authorised by the Customer to issue instructions to AnswerConnect. AnswerConnect will inform Customer of any instruction that it deems to be in violation of Data Protection Laws and Regulations, and AnswerConnect will not execute such instructions until the instruction has been confirmed or modified by Customer to ensure compliance. If AnswerConnect processes personal data without Customer's instructions, AnswerConnect shall promptly inform Customer to the extent permitted as required by law, regulation, court order or other legal process.

  • d. Details of Processing. Customer acknowledges and consents that certain business operations necessary for the fulfillment of the Services hereunder may be transferred in the future to one or more dedicated AnswerConnect affiliates or contractors. For sake of clarity, AnswerConnect may use Customer's employees' and other personnel's name and work contact information, including without limitation work email, phone, fax or other form of work communication, and other personal data for administrating the contractual relationship, in the capacity of controller, in accordance with AnswerConnect's Privacy Policy, a copy of which can be found here. For performing the Services under the Terms and Conditions of Supply, the initial nature and purpose of the Processing, duration of the Processing, categories of data subjects, and types of personal data are set forth in Schedule 1.

  • e. Data Breach. AnswerConnect shall investigate potential data breaches, and AnswerConnect shall notify Customer without undue delay but no less than seventy two (72) hours after becoming aware of a reportable data breach.AnswerConnect shall use commercially reasonable steps to stop any further data breach once becoming aware of a potential breach. AnswerConnect shall conduct an investigation as to the cause of the incident and shall develop commercially reasonable measures to address the security incident.

  • f. Return or Deletion of User Personal Data. Unless otherwise required by applicable Data Protection Laws and Regulations, AnswerConnect will destroy or return to Customer its personal data at Customer's request and choice upon termination or expiration of the relevant provisions of the Agreement.

3. Sub-Processors

  • a. Use of Sub-processors. Customer agrees that AnswerConnect may engage sub-processors who in turn may engage sub-processors to process personal data in accordance with this DPA. A list of sub-processors including their addresses is available upon request. When engaging sub-processors, AnswerConnect shall enter into agreements with the sub-processors to bind them to obligations which are substantially similar or more stringent than those set out in this DPA. To the extent required, Customer explicitly mandates AnswerConnect to sign such agreements directly with the sub-processors. Customer will not directly communicate with AnswerConnect's sub-processors about the Services, unless agreed to by AnswerConnect in AnswerConnect's sole discretion.

  • b. AnswerConnect Sub-processors Added After Effective Date. AnswerConnect will notify Customer in advance of any changes to sub-processors. If Customer reasonably objects to the addition of a new sub-processors (e.g., such change causes Customer to be noncompliant with applicable with Data Protection Laws and Regulations), Customer shall notify AnswerConnect in writing of its specific objections within ten (10) days of receiving such notification. If Customer does not object within such period, the addition of the new sub-processor and, if applicable, the accession to this DPA shall be considered accepted.

4. Representations and Warranties.

Customer represents, warrants, and covenants the following:

  • a. The personal data has been collected and transferred to AnswerConnect in accordance with the Data Protection Laws and Regulations, and Customer has documented its lawful basis in its public notification to data subjects for processing of personal data, including without limitation AnswerConnect's affiliate's and partner's processing of personal data in accordance with the Agreement.

  • b. Customer will respond to inquiries from data subjects and from applicable regulatory authorities concerning the processing of the personal data in accordance with Data Protection Laws and Regulations, and will promptly alert AnswerConnect of any inquiries from data subjects or from applicable regulatory authorities that relate to AnswerConnect's processing of the personal data.

  • c. Customer will make available a copy of this DPA to any data subject or regulatory authorities as required by the Data Protection Laws and Regulations.

  • d. Customer shall be solely responsible and liable for its compliance with the Data Protection Laws and Regulations.

5. Rights of Data Subjects.

AnswerConnect shall, to the extent legally permitted, promptly notify Customer if it receives a request from a data subject for access to, correction, amendment or deletion of such data subject's personal data and, to the extent applicable, AnswerConnect shall provide Customer with commercially reasonable cooperation and assistance in relation to any complaint, notice, or communication from a data subject. Customer shall respond to and resolve promptly all requests from data subjects which AnswerConnect provides to Customer. If Data Protection Laws and Regulations require AnswerConnect to comply with the rights of data subjects or otherwise take any corrective actions without the involvement of Customer, AnswerConnect shall take such corrective actions and inform Customer. To the extent legally permitted, Customer shall be responsible for any costs arising from AnswerConnect's provision of such assistance.

6. AnswerConnect Personnel.

  • a. Confidentiality. AnswerConnect shall train personnel engaged in the processing of personal data of the confidential nature of the personal data and provide appropriate training based on their responsibilities. AnswerConnect shall execute written agreements with its personnel to maintain the confidentiality of personal data.

  • b. Limitation of Access. AnswerConnect shall use commercially reasonable efforts to limit access to personal data to personnel who require such access to perform the Agreement.

  • c. Data Protection Officer. If required by Data Protection Laws and Regulations, AnswerConnect shall appoint a data protection officer. Upon request, AnswerConnect will provide the contact details of the appointed person.

7. Security.

AnswerConnect will implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk posed by the processing of personal data, taking into account the costs of implementation; the nature, scope, context, and purposes of the processing; and the risk of varying likelihood and severity of harm to the data subjects. In assessing the appropriate level of security, AnswerConnect shall weigh the risks presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored or otherwise processed.

8. Audit Rights

  • a. Audit Requests. Subject to Section 8.c, upon Customer's written request, AnswerConnect will provide Customer with the most recent summary audit report(s) concerning the compliance and undertakings in this Agreement. AnswerConnect's policy is to share methodology, and executive summary information, but not raw data or private information, other individuals personal data or information not applicable to the Services provided pursuant to the Agreement. AnswerConnect will reasonably cooperate with Customer by providing available additional information to help Customer better understand such compliance and undertakings. To the extent it is not possible to otherwise satisfy an audit obligation mandated by applicable Data Protection Laws and Regulations and subject to Section 8.c only the legally mandated entity (such as a governmental regulatory agency having oversight of Customer's operations),a third party auditor mutually agreed to by the parties (as well as a sub-processor subject to a confidentiality agreement, if applicable to the information or facilities being audited), or legally mandated functions within Customer (such as the internal controls function), also subject to a confidentiality agreement, may conduct an onsite visit of the facilities used to deliver the Services. Unless mandated by Data Protection Laws and Regulations or otherwise mandated by law or court order, no audits are allowed within a data centre for security and compliance reasons. After conducting an audit under this Section 8 or after receiving a AnswerConnect report under this Section 8, Customer must notify AnswerConnect of the specific manner, if any, in which AnswerConnect does not comply with any of the security, confidentiality, or data protection obligations in this DPA, if applicable. Any such information will be deemed confidential information of AnswerConnect. AnswerConnect shall in no circumstances provide Customer with the ability to audit any portion of the Services which would be reasonably expected to compromise the confidentiality of the information or personal data AnswerConnect processes for its other customers.

  • b. Sub-Processors. Customer may not audit AnswerConnect's sub-processors unless required by Data Protection Laws and Regulations. If an audit is required, Customer agrees its requests to audit sub-processors may be satisfied by AnswerConnect or AnswerConnect's sub-processors presenting up-to-date attestations, reports or extracts from independent bodies, including without limitation external or internal auditors, AnswerConnect's data protection officer, the IT security department, data protection or quality auditors or other mutually agreed to third parties, or certification by way of an IT security or data protection audit.

  • c. Audit Process. Unless required by Data Protection Laws and Regulations, Customer may request a summary audit report(s) or audit AnswerConnect no more than once annually. Customer must provide at least fourteen (14) days prior written notice to AnswerConnect of a request for summary audit report(s) or request to audit. The scope of any audit will be limited to AnswerConnect's policies, procedures and controls relevant to the protection of Customer's Personal Data as defined in Schedule 1 of this Agreement. Any audit performed under this DPA will be conducted during normal business hours, at AnswerConnect's principal place of business or other AnswerConnect location(s) where Personal Data is accessed, processed or administered, and will not unreasonably interfere with AnswerConnect's day-to-day operations. An audit will be conducted at Customer's sole cost and by a mutually agreed upon third party, and such party must enter into a non-disclosure agreement containing confidentiality provisions substantially similar to those set forth in the Agreement, obligating it to maintain the confidentiality of all AnswerConnect's confidential information and all audit findings. Before the commencement of any such on-site audit, AnswerConnect and Customer shall mutually agree upon the timing, and duration of the audit.. Customer shall, at no charge, provide to AnswerConnect a full copy of all findings of the audit.

9. Transfers of Personal Data.

Customer acknowledges and agrees that AnswerConnect may transfer Customer personal data outside of the UK as reasonably required (at the sole discretion of AnswerConnect) in order to provide the Services, provided that AnswerConnect shall ensure that all such transfers are effected in accordance with the applicable Data Protection Laws and Regulations. The relevant Standard Contractual Clauses will apply to Customer personal data that is transferred outside United Kingdom, either directly or via onward transfer, to any country not recognised by the United Kingdom as providing an adequate level of protection for personal data. Notwithstanding the foregoing, the Standard Contractual Clauses (or obligations the same as those under the Standard Contractual Clauses) will not apply if AnswerConnect has adopted Binding Corporate Rules for Processors or an alternative recognised compliance standard for the lawful transfer of personal data outside the United Kingdom.

10. Limitation of Liability; Third Party Beneficiaries.

Each party's and all of its affiliate's liability, taken together in the aggregate, arising out of or related to this DPA, whether in contract, tort or under any other theory of liability, is subject to the "Limitation of Liability" section of the Agreement, and any reference in such section to the liability of a party means the aggregate liability of that party and all of its affiliates under the Agreement and this DPA. For the avoidance of doubt, AnswerConnect's and its affiliate's total liability for all claims from the Customer arising out of or related to the Agreement and each DPA shall apply in the aggregate for all claims under both the Agreement and this DPA. Subject to Section 9, affiliates, partners and users of Customer are not third party beneficiaries under this Agreement.

11. Data Protection Impact Assessment and Prior Consultation.

AnswerConnect shall provide commercially reasonable assistance about its Processing of Personal Data to Customer as necessary for Customer to comply under the Data Protection Laws and Regulations with conducting any data protection impact assessments or engaging in required prior consultations with Supervising Authorities (as such term is defined in GDPR).

12. Governing Law.

The governing law of this DPA, and the forum for all disputes in respect of this DPA, shall be the same as set out in the Agreement, unless otherwise required by applicable Data Protection Laws and Regulations.

Schedule 1 to AnswerConnect Data Processing Addendum

Processing Details

Nature and Purpose of Processing

AnswerConnect will process personal data as necessary to perform under the Agreement as amended by the DPA and as further instructed by Customer.

Duration of Processing

AnswerConnect will process personal data for the duration of the Agreement, unless otherwise agreed upon in writing. AnswerConnect will retain personal data as set forth in the Agreement and AnswerConnect's Privacy Policy.

Categories of Data Subjects

May include, but is not limited to, personal data relating to the following categories of data subjects: the Customer's representatives and end-users including employees, contractors, business partners, collaborators, and customers of the Customer.

Types of Personal Data

May include, but is not limited to, the following categories of personal data: First and last name; Title; Position; Employer; Personal Contact information (email, phone, physical address); login credentials; Connection data; Localization data; profile images, call recordings and voicemails, bank card details and other data in an electronic form used by Customer in the context of the services. Furthermore, AnswerConnect may process sensitive personal data in respect of customers of the Customer, particularly where AnswerConnect is providing services to healthcare clients under the Agreement. This includes medical history.