Data Protection Addendum

Effective date: 29 May 2024

This Data Protection Addendum (the “Addendum”) to Liveforce General Terms between the Customer (as defined within the General Terms) and Liveforce, together the “Parties” and each a “Party”, sets out the Parties’ respective obligations regarding the Processing of Personal Data.

This Addendum references Data Protection Laws, Model Clauses and the General Terms and, in the event of inconsistencies, the following hierarchy shall apply: (i) Data Protection Laws; (ii) the applicable Model Clauses; (iii) the provisions of this Addendum; and, (iv) the General Terms. Capitalised terms not otherwise defined in this Addendum shall have the meanings given to them in the General Terms.

1. Interpretation and Definitions

In this Addendum:

1.1. Affiliate: means each Party’s ultimate holding company or subsidiaries;

1.2. Controller, Processor, Data Subject, Personal Data, Personal Data Breach, Process and Processing: shall have the respective meanings given to them (and equivalent expressions) in Data Protection Laws;

1.3. Crew Personal Data: means any Personal Data relating to Crew who register a profile on Liveforce Platform and which is controlled or processed by Liveforce;

1.4. Customer Personal Data: means any Personal Data, which is owned, controlled or processed by the Customer through the use of the Services under the General Terms;

1.5. Data Production Request: means any request, communication, notice, order or anything analogous to the foregoing relating to Customer Personal Data (including but not limited to its disclosure) from any Supervisory Authority, law enforcement or other government authority or regulator;

1.6. Data Protection Laws: means: (i) the General Data Protection Regulation (EU) 2016/6879 (the “EU GDPR”); (ii) the UK General Data Protection Regulation (as defined in The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019) (the “UK GDPR”); (iii) the Data Protection Act 2018; and (iv) the Privacy and Electronic Communications (EC Directive) Regulations 2003, in each case, as updated, amended, re-enacted or replaced from time to time;

1.7. Data Subject Request: means any request from a Data Subject to exercise any of its rights under the Data Protection Laws;

1.8. Description of Processing: the description of Processing as set out in Annex 1 of this Addendum;

1.9. Liveforce Personnel: means all personnel who are engaged from time to time by Liveforce to supply the Services and/or perform any obligations under this Addendum or the General Terms including but not limited to employees, staff, other workers, agents, consultants, contractors, and subcontractors of Liveforce;

1.10. Liveforce Privacy Policy: means the Privacy Policy, made available here, and which sets out how Liveforce Processes Personal Data, including Crew Personal Data, as amended from time to time;

1.11. Sub-processor: means a sub-contractor or Liveforce Affiliate engaged by Liveforce that will Process Personal Data in the context of Liveforce’s performance of the Services;

1.12. Supervisory Authority: means the Information Commissioner’s Office or any other supervisory authority that may be applicable under the Data Protection Laws from time to time.

2. Roles of the Parties

2.1. The Parties agree that, in respect of Customer Personal Data, Liveforce is a Processor for the purposes of Processing Customer Personal Data pursuant to this Addendum.

2.2. Liveforce shall only Process Customer Personal Data in accordance with the Customer’s written instructions, or as reasonably required: (a) under or in connection with the General Terms and/or Description of Processing; (b) in order to achieve compliance with legal or regulatory obligations applicable directly to Liveforce; (c) for Liveforce’s establishment, exercise or defense of a legal claim; (d) in order to protect the vital interests of a Data Subject or another natural person; or (e) as specifically authorized in writing by the Customer.

2.3. In respect of Crew Personal Data, Liveforce is a Controller and shall Process Crew Personal Data in accordance with Liveforce Privacy Policy.

2.4. Where the Customer receives Crew Personal Data, such data exchange shall be between independent Controllers. Where the Customer Processes Crew Personal Data, it shall: (a) only Process Crew Personal Data where it has a valid lawful basis; (b) comply with the Data Protection Laws; (c) where required or appropriate, obtain consent from Data Subjects; and, (e) make available a suitable notice to Data Subjects about its Processing activities.

3. General Obligations of the Parties

3.1. Each Party agrees to:

3.1.1. comply with the provisions of this Addendum and Data Protection Laws when Processing Personal Data under or in connection with the General Terms;

3.1.2. immediately notify the other Party if: (a) it is unable, for any reason, to meet its obligations under this Addendum or the Data Protection Laws; or (b) it believes that any instructions received are likely to infringe the Data Protection Laws or any other applicable laws.

3.2. Each Party enters into the General Terms on the basis that it has no reason to believe that Data Protection Laws or any other applicable laws prevent it from fulfilling its obligations under the General Terms.

3.3. Each Party shall immediately notify the other if any change in Data Protection Laws or any other applicable laws is likely to have a substantial adverse effect on their ability to discharge their obligations under this Addendum and the General Terms.

3.4. Customer warrants and represents that it shall not transfer, or cause to be transferred, any Special Category Data (within the meaning of the EU GDPR) to Liveforce.

4. Sub-processing

4.1. Liveforce uses various third-party Sub-processors and Affiliates in connection with its provision of the Services.

4.2. Customer hereby authorizes Liveforce to appoint any of the Sub-processors set out in the List of Sub-processors, made available on Liveforce’s website and as amended from time to time.

4.3. Liveforce maintains appropriate written agreements with each Sub-processor which contain equivalent obligations to those set out in this Addendum.

4.4. Where Liveforce makes a material change to any Sub-processors, it shall notify the Customer via email or via a prominent banner within the Liveforce Platform.

5. Data Security

5.1. Liveforce shall implement and maintain appropriate technical and organisational measures against unauthorised or unlawful processing, access, copying, modification, reproduction, display or distribution of Customer Personal Data, and against accidental or unlawful loss, destruction, alteration, disclosure or damage.

5.2. Liveforce shall maintain appropriate security controls to safeguard Customer data as set out in the Liveforce Security Policy. When considering what technical and organisational measures to implement, Liveforce shall ensure the level of security is appropriate to the risk and shall have due regard to techniques such as: (a) the pseudonymisation and encryption of Personal Data; (b) measures which ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; (c) the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; and (d) a process for regularly testing, assessing and evaluating the effectiveness of the security measures.

5.3. Liveforce shall ensure that all Liveforce Personnel who have access to and/or Process Customer Personal Data are subject to legally binding and enforceable obligations to keep the Personal Data confidential. Liveforce Personnel are properly trained prior to engagement in the provision of the Services.

5.4. Liveforce shall promptly notify the Customer in writing on becoming aware of any Personal Data Breach and, as soon as the full particulars become available, shall provide the Customer with:

5.4.1. a description of the nature of the Personal Data Breach, including the categories and approximate number of Data Subjects concerned and the approximate number of Personal Data records concerned;

5.4.2. the name and contact details of a representative of Liveforce from whom more information can be obtained;

5.4.3. a description of the likely consequences of the Personal Data Breach; and

5.4.4. a description of the measures Liveforce has taken or proposes to take to remedy the Personal Data Breach.

5.5. Liveforce shall provide all necessary assistance to the Customer in its communications with the Supervisory Authority in connection with a Personal Data Breach.

6. Overseas transfers of Personal Data

6.1. Customer acknowledges that the Processing carried out by Liveforce and its Processors shall involve the transfer of Customer Personal Data to a recipient, whether an Affiliate or not, located outside of the European Economic Area (“EEA”) or United Kingdom (“UK”), including in respect of any Sub-processor.

6.2. Customer provides their authorization for Liveforce to transfer Customer Personal Data outside of the EEA or UK, subject to the terms of Annex 2.

7. Data Subject and Third-Party Requests

7.1. Liveforce shall notify the Customer upon Liveforce’s receipt of: (a) a Data Subject Request; (b) any complaint or request relating to the Customer’s obligations under Data Protection Laws; or, (c) an enquiry from the Supervisory Authority or any other government authority which relates to the Processing of Customer Personal Data.

7.2. Unless and to the extent required by Data Protection Laws, Liveforce shall not respond directly to any request on the Customer’s behalf.

7.3. Liveforce shall render reasonable information and assistance to assist the Customer in responding to any request. Liveforce reserves the right to charge a fee where, in its opinion, the level of assistance would place a burden on its operations, including in respect of assisting the Customer on data protection impact assessments, audits and consultations with Supervisory Authorities and/or regulators.

7.4. Where Liveforce receives a Data Production Request, it shall not disclose Customer Personal Data in response to that Data Production Request unless either (i) it is under a compelling legal obligation to make such disclosure; or (ii) taking into account the circumstances and the privacy rights of any affected individuals, there is an imminent risk of serious harm that merits disclosure in any event (for example, in order to protect individuals’ vital interests).

8. Consequences of Expiry or Termination of the Addendum or Services

8.1. On the termination or expiry of this Addendum or the Services, Liveforce shall make available a copy of the Customer’s Personal Data via the Liveforce Platform.

8.2. Liveforce shall delete (so that it is not recoverable) the Customer Personal Data and copies of that data at the end of the Services, unless Liveforce is required to retain the Customer Personal Data under Data Protection Laws.

8.3. Termination of this Addendum for any reason shall not exclude the Customer’s responsibility to pay for the Services pursuant to the General Terms.

9. General

9.1. Each Party’s liability arising out of, or in connection with, this Addendum shall be as set out in Clause 16 (LIMITATION OF LIABILITY) of the General Terms.

9.2. No one other than a Party to this Addendum, their successors and permitted assignees, shall have any right to enforce any of its terms.

9.3. This Addendum and any dispute or claim arising out of or in connection with it or its subject matter or formation (including non-contractual disputes or claims) shall be governed by and construed in accordance with the laws of England. Each Party irrevocably agrees that the courts of England and Wales shall have exclusive jurisdiction to settle any dispute or claim arising out of or in connection with this Addendum or its subject matter or formation (including non-contractual disputes or claims).

ANNEX 1: DESCRIPTION OF PROCESSING

Name of Entity / Data exporter(s) (if applicable):
Name: Liveforce Limited
Address: Belgrave House, 39-43 Monument Hill, Weybridge, Surrey, United Kingdom, KT13 8RN
Contact details: [email protected]
Role: Processor for Customer Personal Data, Controller for Crew Personal Data

Categories of Data Subjects:
• Customer’s Employees
• Crew

Categories of Personal Data:
• Identity & Contact: Biographical: first name, last name, email address, telephone, address, date of birth, and gender.
• Crew Profile Data: includes email address and password, details of your Liveforce account, linked company names, and role types.
• Service communications: any record of communications with an individual, including support tickets and numbers, technical support notes, call recordings and voicemail, comments/feedback, complaints, incident information.
• Behavioural: usage history (incl. transactions, dialled numbers, website/store visits, connection information, promotion participation), expenses related activities, calendar information, interview transcripts, and complaints information.
• Geo-location: any data which contain or provide a device’s location, including IP address, MAC address, RFID, Device ID (e.g. IDFA, GAID), GPS co-ordinates, SIM number, IMEI.
• Financial, Billing & Transactional: bank details (bank/building society/mortgage account name, number and sort code), billing information (incl. bank statements and personal bills) and any data used to send/receive funds to/from individuals (excludes PCI DSS Data).

Sensitive or Special categories of data: n/a

Frequency: Continuous

Purpose of Processing: In order to provide the Services to the Customer and more specifically to facilitate the appointment of freelance and temporary workforce by the Customer.

Authorised Sub-Processors: As set out in the List of Sub-Processors

Security Measures: As set out in the Security Policy

ANNEX 2: OVERSEAS TRANSFERS

1. Definitions

In this Annex 2:

1.1. “C2C SCCs” means the standard contractual clauses annexed to Commission Implementing Decision (EU) (2021/914) for the transfer of Personal Data to third countries including the text from module one of such clauses and incorporating/excluding the optional and selectable clauses set out in this Annex 2;

1.2. “C2P SCCs” means the standard contractual clauses annexed to Commission Implementing Decision (EU) (2021/914) for the transfer of Personal Data to third countries including the text from module two of such clauses and incorporating/excluding the optional and selectable clauses set out in this Annex 2;

1.3. “Data Exporter” means a Party that transfers, or otherwise makes available, Personal Data to a Data Importer;

1.4. “Data Importer” means a Party that receives, or otherwise accesses, Personal Data from a Data Exporter;

1.5. “Model Clauses” or “SCCs” means, depending on the context, one or both of the following: the C2C SCCs and C2P SCCs;

1.6. “Receiving Territory” means a country that receives Customer Personal Data from a third country;

1.7. “Restricted Transfer” means a transfer of Customer Personal Data which, absent the provisions set out in this Annex 2, would be unlawful under Chapter V of the EU GDPR or UK GDPR; and,

1.8. “UK Addendum” means SCCs in conjunction with the UK’s International Data Transfer Addendum available at https://ico.org.uk/media/for-organisations/documents/4019535/addendum-international-data-transfer.docx.

2. General Provisions on International Transfers

2.1. Prior to undertaking a Restricted Transfer, Liveforce, in assessing the specific circumstances of the Receiving Territory, shall have due regard to the laws and practices of the Receiving Territory relevant to the Processing activities contemplated, in particular, whether such laws and practices may undermine the protections afforded by the SCCs and/or UK Addendum (as applicable).

2.2. Where the provisions of this Addendum are not sufficient to achieve compliance with applicable Data Protection Laws, the Parties shall fully cooperate in good faith to implement any supplementary terms necessary for such international transfers to continue.

2.3. In the event that any updated or alternative international transfer mechanism is implemented into UK or EEA law, the Parties shall discuss in good faith any required variations to this Annex 2 to incorporate the updated or alternative international transfer provisions. If the Parties fail to agree the required changes (both acting reasonably), either Party may terminate this Agreement by providing not less than thirty (30) days’ notice (in writing) to the other.

3. Permitted Territories

Liveforce shall only undertake transfers of Customer Personal Data overseas as follows:
– To any EEA Member State and Switzerland;

4. EEA Restricted Transfers

4.1. Where there is a Restricted Transfer between the Parties and the Processing of Personal Data is subject to Chapter V of the EU GDPR, the following provisions of this Clause 4 shall apply.

4.2. Where there is a Restricted Transfer between the Parties and the Processing of Personal Data is subject to Chapter V of the EU GDPR, the Data Exporter and Data Importer agree to be bound by and comply with the: (a) C2C SCCs where both the Data Exporter and Data Importer act as Controllers of the transferred Personal Data; and (b) C2P SCCs where the Data Exporter, acting as the Controller of the Data Importer, transfers Personal Data to the Data Importer, acting as the Data Exporter’s Processor.

4.3. The information required by Annex I and II to the SCCs is set out in Annex 1 of this Addendum.

4.4. Clause 7 (docking clause) of the SCCs is not included.

4.5. For the purposes of Clause 9(a) of the C2P SCCs, option 2 (general authorisation) is selected. 60 days shall be the specified time period for notifying any changes to the agreed list of Sub-Processors. A list of Suppliers’ Sub-Processors, current as of the Effective Date, is found in the List of Sub-processors.

4.6. Where the Restricted Transfer concerns those categories of sensitive or special category data as indicated in Schedule 3, then the specific written authorization within the meaning of clause 9(a) of the C2P SCCs shall be required.

4.7. For the information required by Clause 17 of the SCCs, the SCCs shall be governed by the laws of the Member State of the Data Subject.

4.8. For the information required by Clause 18 of the SCCs, the courts of the Member State in which the Data Subject is located shall have jurisdiction.

4.9. In agreeing to be bound by the SCCs, the Data Exporter and Data Importer agree to be bound by the SCCs completed as set out in this Schedule, as though they were written out in full in this Schedule and agree that the execution of the General Terms shall be deemed to constitute all required signatures and dates for the SCCs.

5. UK Restricted Transfers

5.1. Where there is a Restricted Transfer between the Parties and the Processing of Personal Data is subject to Chapter V of UK GDPR, the Data Exporter and Data Importer shall be subject to the UK Addendum which is hereby incorporated with the following clarifications:

5.1.1. The terms agreed for the SCCs as set out above are agreed for the UK Addendum and deemed to be prepopulated into the UK Addendum;

5.1.2. The information required by Table 1 and 3 of the UK Addendum is as set out in this Addendum and Annex 1. For the purpose of Table 2 of the UK Addendum, the UK Addendum shall be appended to the relevant SCCs;

5.1.3. The UK Addendum shall be governed by the laws of England and Wales; and,

5.1.4. The mandatory clauses of the UK Addendum shall automatically be incorporated into this Addendum.
