DATA PROCESSING ADDENDUM

 

THIS DATA PROCESSING ADDENDUM (THE “DPA”) FORMS PART OF THE MASTER SERVICES AGREEMENT BETWEEN HALO AND THE CUSTOMER. TERMS USED IN THIS DPA HAVE THE SAME MEANING AS THOSE USED IN THE MASTER SERVICES AGREEMENT, UNLESS SPECIFICALLY PROVIDED OTHERWISE. TO THE EXTENT THAT THERE ARE ANY CONFLICTS OR INCONSISTENCIES BETWEEN THIS DPA AND OTHER PROVISIONS OF THE MASTER SERVICES AGREEMENT, THE PROVISIONS OF THIS DPA SHALL PREVAIL.

THIS DPA SHALL BECOME EFFECTIVE ON THE EFFECTIVE DATE AND SHALL CONTINUE IN FULL FORCE AND EFFECT FOR THE DURATION OF THE MASTER SERVICES AGREEMENT.

1. Interpretation

1.1 Defined Terms: In this DPA:

“Appropriate Security Measures” means appropriate security measures required by Data Protection Law to protect against unauthorised access to, alteration, disclosure or destruction of Data and against its accidental loss or destruction and, in particular, where the processing involves the transmission of Data over a network, it shall mean having regard to the state of technological development and the cost of implementing the measures, and ensuring that the measures provide a level of security appropriate to:

(i) the risks that are presented by the processing;

(ii) the harm that might result from unauthorised or unlawful processing, accidental or unlawful destruction or accidental loss of or damage to the data concerned; and

(iii) the nature of the Data, and shall include the measures set out in Annex 2 to this DPA;

“Commissioner” means the Information Commissioner as defined in Article 4(A3), UK GDPR;

“Data” means the personal data processed by HALO on behalf of the Customer in connection with the Services (whether part of the Customer Data or otherwise);

“Data Protection Acts” means the Data Protection Acts 1988 to 2018 of Ireland, as amended, revised, modified or replaced from time to time and the UK Data Protection Act 2018 as amended, revised, modified or replaced from time to time;

“Data Protection Law” means all legislation and regulations relating to the protection of personal data including (without limitation) the Data Protection Acts, the GDPR, the UK GDPR, the UK Data Protection Act 2018, and all other statutory instruments, industry guidelines (whether statutory or non-statutory) or codes of practice or guidance issued by the Relevant Authority relating to the processing of personal data or privacy or any amendments and re-enactments thereof;

“General Data Protection Regulation” or “GDPR” means Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and the free movement of such data and repealing the Data Protection Directive;

“Permitted Third Party Service Provider” means third party service providers as specified at Annex 3 and required to be engaged by HALO for the purposes of providing the Services;

“Personnel” means, in relation to a person, that person’s servants, officers, employees, agents or contractors, but excludes Affiliates;

“Relevant Authority” means the Commissioner or the Data Protection Commission of Ireland (as applicable);

“SCCs” means the standard contractual clauses approved by the EU Commission by Decision (EU) 2021/914 of 4 June 2021 for the transfer of personal data to third countries; and

“UK GDPR” has the meaning given to it in section 3(10) (as supplemented by section 205(4)) of the UK Data Protection Act 2018.

1.2 Construction: In this DPA, unless the contrary intention is stated, a reference to data controller, data processor, data subject, personal data, sensitive personal data, special categories of personal data, processing and appropriate technical and organisational measures shall have the meanings given to them in the DPA, or, following the coming into force of the GDPR, in the GDPR.

2. DATA PROTECTION

2.1 Data Controller: The parties acknowledge that, in relation to Data, and for the purposes of the Data Protection Law, the Customer is the data controller and HALO is a data processor.


2.2 Data Processor’s Obligations: HALO agrees with the Customer that:

(a) it shall only process:

(i) Data in accordance with the instructions of the Customer, which instructions shall be documented in writing by way of this DPA or such other manner as may be agreed between the Customer and HALO from time to time; and

(b) it shall ensure that any processing of Data by it shall be carried out in compliance with the Data Protection Law;

(c) it shall inform the Customer as soon as practicable if, in its opinion, it receives an instruction from the Customer which infringes Data Protection Law;

(d) it shall disclose Data only to those members of its Personnel to whom such disclosure is necessary for the exercise of its rights, and performance of its obligations, under this DPA, and shall procure that such persons are made aware of, and agree in writing to observe the obligations of confidentiality under this DPA and security in Clause 3;

(e) subject to the other provisions of this DPA, it shall not sell, transfer, disclose or otherwise allow access to any Data to any party other than its Personnel, save where the prior written approval of the Customer has been obtained;

(f) it shall not copy or maintain any Data on any other systems, application or other medium other than required for the provision of the Services;

(g) subject to Clause 9 below, it shall not transfer any Data outside the United Kingdom or European Economic Area without the Customer’s prior written consent;

(h) without prejudice to Clause 7 of this DPA, it shall not sub-contract or delegate or purport to transfer any of its obligations to the Customer from time to time to any third party without the prior written consent of the Customer, and any consent, if given by the Customer, shall be subject to the pre-condition that HALO shall have in place a contract with the proposed third party providing the same or a higher level of protection of Data as is set out in this DPA;

(i) it shall not perform the Services in such a way as to cause the Customer to breach any of its obligations under Data Protection Law;

(j) it shall, at the Customer’s cost, make available to the Customer all information necessary to demonstrate its compliance with the obligations set out in Data Protection Law and shall allow for and contribute to audits, including inspections, conducted by the Customer or another auditor mandated by the Customer to the extent necessary to enable it to verify HALO’s compliance with Data Protection Law and its obligations under this DPA;

(k) at the Customer’s cost, promptly assist the Customer in complying with its obligations under Articles 32 to 36 of the GDPR; and

(l) without prejudice to Clauses 2.2(g) and 7, with respect to any transfer of Data pursuant to the SCCs it shall:

(i) notify the Customer promptly if, during the Term, it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under paragraph 14(a) of the SCCs, including following a change in the laws of the third country or a measure (such as a disclosure request) indicating an application of such laws in practice that is not in line with the requirements in that paragraph 14(a);

(ii) notify the Customer if it:

(A) receives a legally binding request from a public authority, including judicial authorities, under the laws of a country of destination for the disclosure of Data transferred pursuant to the SCCs; such notification shall include information about the Data requested, the requesting authority, the legal basis for the request and the response provided; or

(B) becomes aware of any direct access by public authorities to Data transferred pursuant to the SCCs in accordance with the laws of the country of destination; such notification shall include all information available to HALO;

(iii) where permissible under the laws of a country of destination, provide the Customer, at regular intervals for the Term, with as much relevant information as possible on the requests received (in particular, number of requests, type of data requested, requesting authority/ies, whether requests have been challenged and the outcome of such challenges, etc.);

(iv) document its legal assessment and any challenge to the request for disclosure and, to the extent permissible under the laws of a country of destination, make the documentation available to the Customer and to the Relevant Authority on request;

(v) inform any public authority ordering disclosure of Data of the incompatibility of the order with the safeguards contained in the SCCs and the resulting conflict of obligations for HALO;

(vi) simultaneously and as soon as possible, insofar as possible under the order referred to at (v) above, notify HALO and/or the Relevant Authority;

(vii) to the extent possible, assist any data subject whose personal data forms part of the Data in exercising his or her rights in the third country jurisdiction; and

(viii) ensure that responsibility for handling formal or informal requests from public authorities to access the Data shall be assigned to identified individuals within HALO.

2.3 Processing Details: Each of the parties acknowledges and agrees that Annex 1 is an accurate description of the Data.

 
3. SECURITY

HALO shall implement Appropriate Security Measures to prevent accidental or unauthorised, loss, destruction, damage, alteration, disclosure or unlawful or unauthorised access to any Data in the custody of HALO, and HALO shall ensure that its Personnel are aware of and comply with those measures.

 
4. DATA BREACH

4.1 Notification: HALO shall, without undue delay upon becoming aware of it, notify the Customer of any unauthorised access to, or unauthorised use, alteration, disclosure, accidental loss or destruction of, any Data in the custody of HALO (each a “data breach”).

4.2 Actions: In the event of any data breach, HALO shall:

(a) take action to mitigate any potential damage and remedy the cause of the data breach;

(b) take action to investigate said data breach and, upon the Customer’s request, share the results of such investigation and its remediation plan with the Customer; and

(c) upon the Customer’s request, provide the Customer with all information required to fulfil its obligations, as data controller, under all Data Protection Law.

 
5. DATA SUBJECT REQUESTS AND COMPLAINTS

5.1 Notification: HALO shall notify the Customer of any request from a data subject to exercise any of his or her rights under Data Protection Law or any complaint from any data subject.

5.2 Accession: HALO shall not accede to any such request or deal with any complaint except on the written instructions of the Customer.

5.3 Assistance: HALO shall, on request of the Customer and at the Customer’s expense, taking into account the nature of the processing, assist the Customer by appropriate technical and organisational measures in the fulfilment of the Customer’s obligation to respond to requests for exercising the data subject’s rights under Data Protection Law.

 
6. INDEMNITY

The Customer shall indemnify and keep indemnified HALO and its Affiliates, and their respective agents, members, shareholders, officers, directors, employees, and contractors (the “Indemnified Party”) from time to time on demand from and against any and all third party actions, suits, proceedings, claims, demands, orders, damages, dues, penalties, fines, costs, liabilities, obligations, losses, expenses and fees (including, without limitation, reasonable attorneys’ fees and costs) directly or indirectly suffered, incurred or payable by the Indemnified Party arising out of or in connection with any of the following events:

(a) any breach by the Customer of its obligations under this DPA;

(b) all claims, proceedings or actions brought by a competent public authority or a data subject against the Customer with respect to the processing of Protected Data by the Customer; and/or

(c) the Customer’s failure to comply with Data Protection Law.

 

7. DESTRUCTION AND DELIVERY OF DATA

At any time during the course of the provision of the Services, or upon termination of this DPA, HALO shall, upon the request of the Customer, immediately securely deliver to the Customer or destroy all Data in its possession or control, as may be requested by the Customer and shall certify such destruction or delivery in writing to the Customer on request from time to time and, shall instruct each Permitted Third Party Service Provider to destroy all Data in their possession or control.

 

8. INTERNATIONAL TRANSFERS

HALO shall only be permitted to transfer Data outside the United Kingdom and the European Economic Area in accordance with European or national law to which it is subject and with the Customer’s prior written consent. Any such transfer shall be made in accordance with the requirements of Data Protection Law, in particular with respect to the requirements of Chapter V of the GDPR regarding transfers of personal data to third countries, and any decisions, guidance or recommendations issued by the European Commission, Relevant Authority and/or supervisory authority.

 
9. PERMITTED THIRD PARTY SERVICE PROVIDER

9.1 Consent: Without prejudice to the generality of the pre-conditions specified in Clause 2.2(g) and Clause 8 of this DPA, HALO shall be permitted to sub-contract processing of Personal Data to a Permitted Third Party Service Provider provided that:

(a) equivalent data protection obligations as set out in this DPA shall apply to that Permitted Third Party Service Provider in such a manner that the processing will meet the requirements of the GDPR; and

(b) HALO shall remain responsible for all acts and omissions of Permitted Third Party Service Provider and the acts and omissions of those employed or engaged by the Permitted Third Party Service Provider as if they were its own. An obligation on HALO to do, or to refrain from doing, any act or thing shall include an obligation on HALO to procure that its Personnel and the Personnel of each Permitted Third Party Service Provider also do, or refrain from doing, such act or thing.

9.2 Consent to Transfer to Third Countries: Further to Clauses 2.2(g) and 8 above, the Customer hereby consents to the transfer of Data to such Permitted Third Party Service Provider as may be located outside of the European Economic Area.


10. CLIENT CONFIRMATIONS

The Client represents and warrants to HALO, on a continuing basis for the duration of the Agreement that:

(a) all consents, if required, for the processing of all the Data by HALO in the manner contemplated by this DPA have been validly obtained and are in full force and effect; and

(b) the Customer has complied with all of its obligations (however arising) in respect of all the Data.

 

ANNEX 1 - PERSONAL DATA

Types of personal data to be processed: (i) audio and video recording data.

Categories of data subjects: (i) site visitors; (ii) customers; (iii) employees.

Nature of the processing: any operation or set of operations which may be performed on personal data or sets of personal data, whether or not by automated means, to include collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Purpose of the processing: provision of the Services under the MSA.

 

ANNEX 2 – SECURITY MEASURES

At HALO, security is an ongoing process, not a one-time task. We regularly reassess our security measures to adapt to evolving threats and technology changes. We have recently achieved ISO 27001 certification, which demonstrates our commitment to securing our customers’ data. We have an Information Security Policy and a set of other policies which outline our approach to information security. Protecting customer information is crucial, and we have implemented a range of security controls to achieve this:

1. Data Encryption & Backups

Sensitive customer data is encrypted, both in transit and at rest. This ensures that even if unauthorised access occurs, the data remains unreadable without the proper decryption keys. Regular backups of customer data are taken and these backups are kept secure. This helps in the event of data loss due to system failures, cyber attacks, or other emergencies.

2. Access Controls

Access to customer information is on a need-to-know basis. Strong authentication methods are used, like multi-factor authentication, to ensure only authorised personnel can access sensitive data.

3. Regular Software Updates

Software is kept updated, including security software, to patch vulnerabilities. Systems are regularly updated and patched to protect against known exploits.

4. Physical Security

We have secure physical access in place for our offices. This includes access controls and environmental controls to protect against physical theft or damage.

5. Data Privacy

We clearly communicate our privacy policies to customers. We are transparent about how their information is collected, stored, and used. We obtain explicit consent for collecting and processing personal data.

6. BCP & Incident Response

We have a comprehensive Business Continuity Plan in place which has been approved by all areas of our business and is tested regularly.

An incident response plan has been developed and is maintained to quickly and effectively address security incidents. This includes steps for identifying, containing, eradicating and recovering from security breaches, and for capturing lessons learned.

7. Security Training

Staff receive regular training on security best practices. This ensures they understand the importance of safeguarding customer information and are educated on how to recognise and respond to security threats.

8. Auditing & Penetration Testing

Regular security audits and reviews are conducted to identify and address potential vulnerabilities. This includes reviewing access logs, monitoring for unusual activity, and ensuring compliance with security policies.

Our Halo Vault is tested annually, and any high- or medium-risk findings are investigated and resolved.

 

ANNEX 3 - PERMITTED THIRD PARTY SERVICE PROVIDERS