Privacy Policy

Data Protection Addendum

This Data Protection Addendum forms part of the Agreement for Services provided by Eckoh and sets out the details of the processing of Personal Data

1. Eckoh shall:

1.1 process the Personal Data only to the extent, and in such a manner, as is necessary for the provision of Services under this Agreement and shall not Process the Personal Data for any other purpose;

1.2 comply with Data Protection Legislation when Processing the Personal Data;

1.3 ensure that it has appropriate technical and organizational measures in place to protect against unauthorized or unlawful Processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data held or Processed;

1.4 comply with, and ensure that its employees, representatives, agents or sub-contractors comply with, Eckoh’s obligations under this clause and otherwise comply with reasonable requests of the Customer with regard to the security and Processing of the Personal Data;

1.5 restrict access to the Personal Data to those individuals with a need to access for their role (and in the case of any access by any employee, ensure that access to the Personal Data is limited to such part or parts of the Personal Data as is strictly necessary for the performance of that employee's duties);

1.6 ensure that all Eckoh employees have undertaken training in the laws relating to handling personal data and are aware both of Eckoh's duties and their personal duties and obligations under such laws;

1.7 take reasonable steps to ensure the reliability of all individuals who have access to the Personal Data;

1.8 ensure that any copies of Personal Data in the possession or under the control of Eckoh are permanently destroyed when they are no longer required for the performance of the Services;

1.9 notify the Customer within 48 hours of any unauthorized, unlawful or accidental Processing, disclosure, loss of, damage to, access to or destruction of the Personal Data or if the Personal Data is or becomes corrupted or unusable, and given to the Customer assistance as reasonably required by the Customer in such respect;

1.10 except as necessary to comply with an overriding contractual, regulatory or legal obligation as permitted under the Data Protection Legislation, promptly amend, transfer, vary and/or delete any Personal Data held by or on behalf of Eckoh upon request from the Customer;

1.11 promptly notify the Customer of any request for disclosure of the Personal Data by a law enforcement authority unless otherwise prohibited;

1.12 promptly notify the Customer of any request of a Regulatory Body in relation to the Personal Data and co-operate and comply with the directions or decisions of any Regulatory Body in relation to the Personal Data, and in each case within such timescale as would enable the Customer to meet any time limit imposed by any Regulatory Body (as applicable);

1.13 promptly notify the Customer of any request from a Data Subject for access to that person's Personal Data and provide the Customer with reasonable co-operation and assistance in complying with any such request; and

1.14 promptly on request, provide to the Customer a copy of all Personal Data held or controlled by it in the format and on the media deemed reasonable by Eckoh.

1.15 Eckoh will abide by the data protection laws of the United Kingdom and United States. To ensure that Personal Data can be transferred from the UK or EEA in the provision of Services, Eckoh shall, where necessary, reasonably agree to sign standard contractual clauses for the transfer of Personal Data to processors in a third country as set out in a decision of the ICO or European Commission, as applicable.

2. If Eckoh receives any complaint, notice or communication which relates to the Processing of the Personal Data or to either party's compliance with the Data Protection Legislation, it will immediately notify the Customer and it shall provide the Customer with reasonable cooperation and assistance in relation to any such complaint, notice or communication.

3. The Customer undertakes to Eckoh that it shall:

3.1 comply with the Data Protection Legislation;

3.2 not knowingly do or omit to do, permit anything to be done, or instruct Eckoh to do, anything which causes Eckoh to breach the Data Protection Legislation or any relevant enactments, regulations, orders, standards and other similar instruments;

3.3 for any Personal Data transferred to Eckoh, have sole responsibility for the accuracy, quality and legality of Personal Data, and the means by which the Customer acquired Personal Data and shall ensure that it has recorded the necessary legal basis for Eckoh to lawfully and fairly Process Personal Data in connection with the provision of the Services and as otherwise contemplated by this Agreement;

3.4 notify Eckoh upon becoming aware that Personal Data has become inaccurate or out of date;

3.5 be responsible for the security of any systems provided by the Customer to Eckoh, or requested by the Customer to be used for the provision of Services by Eckoh; and

3.6 only provide to Eckoh, or request Eckoh to obtain, Personal Data limited to that which is necessary for Eckoh to fulfill its obligations under this Agreement.

4. Customer consents to Eckoh engaging third parties to process Customer Personal Data provided that Eckoh:

4.1 gives notice of any change in sub-processors at least thirty (30) days prior to any such change;

4.2 imposes data protection obligations on any sub-processor to a standard no less stringent than as required by this Agreement; and

4.3 remains liable for any breach of this Agreement that is caused by its sub-processor, subject to the limitations of liability set out in the Agreement.

5. Customer may object to the appointment or replacement of a sub-processor prior to its appointment or replacement within 14 days of receipt of the notice from Eckoh. In such an event, the parties shall discuss commercially reasonable alternative solutions in good faith. If the parties cannot reach a resolution, Eckoh will either not appoint or replace the sub-processor or, if this is not possible, Customer may suspend or terminate the Agreement without cause.

6. Where Personal Data is transferred outside of the UK by Eckoh, Eckoh will, at its sole discretion, ensure that such transfer is carried out on the basis of an adequacy decision by the Data Protection Legislation.

7. Definitions

7.1 ‘Agreement’ means the Order Form signed by the Customer incorporating the Standard Terms and Conditions and this Data Protection Addendum;

7.2 ‘Customer’ means the entity who has agreed to receive Services from Eckoh under an Order Form;

7.3 ‘Data Protection Legislation’ means

7.4 ‘Personal Data’ shall have the meaning as defined in the Data Protection Legislation;

7.5 ‘Process’ shall have the meaning as defined in the Data Protection Legislation;

7.6 ‘Regulatory Body’ means the Information Commissioner’s Office in the UK;

7.7 ‘Services’ means the Services provided to the Customer in accordance with the Agreement.