Last Updated: March 2022
If OpusXenta processes personal data on behalf of a Client that qualifies as a controller with respect to that personal data under the EU General Data Protection Regulation (Regulation 2016/679), then this Addendum will form a part of the Purchase and Services Agreement.
Definitions: In this Addendum, the following terms shall have the following meanings:
- “controller“, “processor“, “data subject“, “personal data“, “processing” (and “process“) and “special categories of personal data” shall have the meanings given in Applicable Data Protection Law; and
- “Applicable Data Protection Law” shall mean: (i) prior to 25 May 2018, the EU Data Protection Directive (Directive 95/46/EC); and (ii) on and after 25 May 2018, the EU General Data Protection Regulation (Regulation 2016/679)
Relationship of the parties: Client (the controller) appoints OpusXenta as a processor to process the Client Data described in the Purchase and Services Agreement (the “Data“) for the purposes described, and the terms set out, in the Purchase and Services Agreement, including, for the avoidance of doubt, to provide you with, and update and improve, our services (or as otherwise agreed in writing by the parties) (the “Permitted Purpose“). Each Party shall comply with the obligations that apply to it under Applicable Data Protection Law.
Prohibited data: Unless explicitly requested by OpusXenta to do so, Client shall not disclose (and shall not permit any data subject to disclose) any special categories of personal data to OpusXenta for processing.
International transfers: OpusXenta shall not transfer the Data outside of the European Economic Area (“EEA“) unless it has taken such measures as are necessary to ensure the transfer is in compliance with Applicable Data Protection Law. Such measures may include (without limitation) transferring the Data to a recipient in a country that the European Commission has decided provides adequate protection for personal data (e.g., New Zealand), to a recipient in the United States that has certified its compliance with the EU-US Privacy Shield, or to a recipient that has executed standard contractual clauses adopted or approved by the European Commission.
Confidentiality of processing: OpusXenta shall ensure that any person it authorises to process the Data (an “Authorised Person“) shall protect the Data in accordance with OpusXenta’s confidentiality obligations under the Purchase and Services Agreement.
Security: OpusXenta shall implement technical and organisational measures, as set out in the Purchase and Services Agreement, which may be amended and updated from time to time, to protect the Data (i) from accidental or unlawful destruction, and (ii) Loss, alteration, unauthorised disclosure of, or access to the Data (a “Security Incident“).
Subcontracting: Client consents to OpusXenta engaging third Party sub-processors to process the Data for the Permitted Purpose provided that: (i) OpusXenta maintains an up-to-date list of its sub-processors, which shall be available on its website, which it shall update with details of any change in sub-processors at least 30 days prior to the change; (ii) OpusXenta imposes data protection terms on any sub-processor it appoints that require it to protect the Data to the standard required by Applicable Data Protection Law; and (iii) OpusXenta remains liable for any breach of this Addendum that is caused by an act, error or omission of its sub-processor. Client may object to OpusXenta’s appointment or replacement of a sub-processor prior to its appointment or replacement, provided such objection is based on reasonable grounds relating to data protection. In such event, OpusXenta will either not appoint or replace the sub-processor or, if this is not reasonably possible, in OpusXenta’s sole discretion, Client may suspend or terminate the Purchase and Services Agreement without penalty (without prejudice to any fees incurred by Client up to and including the date of suspension or termination).
Cooperation and data subjects’ rights: OpusXenta shall provide reasonable and timely assistance to Client (at Client’s expense) to enable Client to respond to: (i) any request from a data subject to exercise any of its rights under Applicable Data Protection Law; and (ii) any other correspondence, enquiry or complaint received from a data subject, regulator or other third Party in connection with the processing of the Data. In the event that any such request, correspondence, enquiry or complaint is made directly to OpusXenta, OpusXenta shall promptly inform Client providing full details of the same.
Data Protection Impact Assessment: If OpusXenta believes or becomes aware that its processing of the Data is likely to result in a high risk to the data protection rights and freedoms of data subjects, it shall inform Client and provide reasonable cooperation to Client in connection with any data protection impact assessment that may be required under Applicable Data Protection Law.
Security incidents: If it becomes aware of a confirmed Security Incident, OpusXenta shall inform Client without undue delay and shall provide reasonable information and cooperation to Client so that Client can fulfil any data breach reporting obligations it may have under (and in accordance with the timescales required by) Applicable Data Protection Law. OpusXenta shall further take reasonably necessary measures and actions to remedy or mitigate the effects of the Security Incident and keep Client informed of all material developments in connection with the Security Incident
Deletion or return of Data: Upon termination or expiry of the Purchase and Services Agreement, OpusXenta will, on Client’s explicit request, delete or return the Data in its possession or control (in a manner and form decided by OpusXenta, acting reasonably). This requirement shall not apply to the extent that OpusXenta is required by applicable law to retain some or all of the Data, or to Data it has archived on back-up systems, which Data OpusXenta shall securely isolate and protect from any further processing.
Sub-Processors: The following is a list of the OpusXenta sub-processors: