Terms of business for Kennedys suppliers

Where we instruct experts, barristers and other third parties on client matters we will treat all existing and future engagements as subject to the variation below whereby each of us will act as data controller.

GDPR compliance clauses

Definitions

Appropriate Security Measures means any technical and organisational measures to protect the Personal Data that are necessary to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.

Associates means the officers, employees, agents and contractors of a party.

Data Protection Laws means the GDPR and any other privacy or data protection laws (including any statutes, regulations, by-laws, ordinances, mandatory codes of conduct or rules of common law or equity) which apply to the relevant party.

GDPR means the General Data Protection Regulation (Regulation (EU) 2016/679) and any European Union member state law which modifies the application of the General Data Protection Regulation to the relevant party.

Personal Data means any personal data (as that term is defined in the GDPR) provided to you by Kennedys or accessed or obtained from Kennedys by you under or in connection with this agreement.

Terms used in clause 1 which are not defined in this agreement but which have a defined meaning in the GDPR will have that meaning unless the context otherwise requires.

Any references to legislation under this Agreement include any subordinate legislation under that legislation, and include that legislation and subordinate legislation as modified or replaced.

1   DATA PROTECTION

1.1 Status of parties

The parties acknowledge and agree that Kennedys may provide Personal Data to you under this agreement, and that you will process that Personal Data for your own purposes. As such, the parties acknowledge and agree that Kennedys and you will each be “controllers” of the Personal Data for the purposes of the GDPR.

1.2 Compliance with Data Protection Laws

You must comply with your obligations under any Data Protection Laws in relation to the Personal Data.

1.3 Restrictions on processing Personal Data

You must (and must ensure that your Associates):

(a) take all Appropriate Security Measures to keep that Personal Data secure from accidental or unlawful destruction, loss or alteration or unauthorised disclosure or access; and

(b) immediately notify Kennedys if you become aware of any suspected or actual personal data breach which involves or is suspected to involve the Personal Data.

In all other respects, whenever we engage a third party to supply goods and/or services to us, we will only do so on the terms set out in the variation below, whereby Kennedys acts as data controller and you act as data processor.

Data Protection Addendum

This Data Protection Addendum amends the [name of Principal Agreement] (“Principal Agreement”) between:

KENNEDYS LAW LLP of 25 Fenchurch Ave, London EC3M 5AD, United Kingdom (“Kennedys”) on its own behalf and as agent for each Kennedys Group Firm; and

[COMPANY ENTITY NAME] of [Company entity address] (“#company#”).

In consideration of the mutual obligations set out in this Addendum, the parties hereby agree that the terms and conditions set out below shall be added as an Addendum to the Principal Agreement. Except as modified in this Addendum, the terms of the Principal Agreement shall remain in full force and effect.

Addendum means this document and its annexures.

Appropriate Security Measures means any technical and organisational measures to protect the Personal Data that are necessary to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.

Associates means the officers, employees, agents and contractors of a party.

Contracted Processor means #company# or a Subprocessor.

Data Protection Laws means any privacy or data protection laws (including any statutes, regulations, by-laws, ordinances, mandatory codes of conduct or rules of common law or equity), including the EU Data Protection Laws and the UK Data Protection Laws, which apply to the relevant party.

EU means the European Union.

EU Data Protection Laws means the GDPR, and any EU member state law which modifies the application of the GDPR, as amended, replaced, or superseded from time to time.

GDPR means EU General Data Protection Regulation 2016/679.

Kennedys Group Firms means Kennedys or any firm authorised by Kennedys to use the name “Kennedys”. A full list of Kennedys Group Firms is available at www.kennedyslaw.com/regulatory.

Kennedys Group means Kennedys and the Kennedys Group Firms.

Personal Data means any personal data processed by a Contracted Processor on behalf of a Kennedys Group Firm pursuant to or in connection with the Principal Agreement.

Regulator means any government authority or regulator which is responsible for administering and enforcing a Data Protection Law, and includes a supervisory authority under the GDPR.

Restricted Transfer means a cross-border transfer of Personal Data:

(a) from a Kennedys Group Firm to a Contracted Processor; or

(b) from one Contracted Processor to another Contracted Processor or between two establishments of a Contracted Processor,

where such transfer would be prohibited by a Data Protection Law unless the parties to that transfer agree to the Standard Contractual Clauses.

Standard Contractual Clauses means the standard contractual clauses (controller to processor) approved by EC Decision 2010/87/EU, as amended, replaced, or superseded from time to time, including by an equivalent decision under the GDPR or the UK GDPR (as applicable).

Subprocessor means any person appointed by #company# to process the Personal Data on behalf of a Kennedys Group Firm (including any third party or any related company of #company# but excluding employees or individual contractors of #company#).

UK Data Protection Laws means the UK GDPR, and any UK law which modifies the application of the UK GDPR, as amended, replaced, or superseded from time to time.

UK GDPR means the GDPR as incorporated into the law of the United Kingdom by the European Union (Withdrawal) Bill 2018 (UK) and as amended, replaced, or superseded from time to time.

(a) Capitalised terms used in this Addendum which are not defined in this Addendum but which have a defined meaning in the Principal Agreement will have that meaning unless the context otherwise requires.

(b) Terms used in this Addendum which are not defined in this Addendum or the Principal Agreement but which have a defined meaning in the GDPR will have that meaning unless the context otherwise requires.

(c) Any references to legislation under this Agreement include any subordinate legislation under that legislation, and include that legislation and subordinate legislation as modified or replaced.

(d) Except where the context requires otherwise, references in this Addendum to the Principal Agreement are to the Principal Agreement as amended by, and including, this Addendum.

Data protection 

The parties acknowledge and agree that a Kennedys Group Firm may provide Personal Data to #company# under this agreement, and that #company# will process that Personal Data on behalf of that Kennedys Group Firm. As such, the parties acknowledge and agree that the relevant Kennedys Group Firm will be the “controller” and #company# will be the “processor” of the Personal Data for the purposes of the GDPR and the UK GDPR (as applicable).

#company# must comply with its obligations under any Data Protection Laws in relation to the processing of the Personal Data.

(a) Subject to clause 2.4, #company# must (and must ensure that its Associates do):

(i) process the Personal Data only in accordance with documented instructions from Kennedys Group;

(ii) ensure that the Personal Data is only accessed and processed by those of its Associates who require access to the Personal Data for the purpose of performing its obligations under the Principal Agreement and ensure those Associates are subject to an appropriate contractual, professional or statutory obligation of confidentiality; and

(iii) not transfer the Personal Data to any other country, except in accordance with documented instructions from Kennedys Group.

(b) Kennedys Group hereby instructs #company# (and authorises #company# to instruct each Subprocessor) to process the Personal Data, and transfer the Personal Data to any place, as reasonably necessary to perform #company#’s obligations under the Principal Agreement.

(a) #company# must not:

(i) engage a Subprocessor for any part of the processing of the Personal Data; or

(ii) replace an existing Subprocessor,

unless Kennedys Group has given its prior written authorisation to the proposed Subprocessor and the proposed processing to be performed by the Subprocessor.

(b) Before engaging a Subprocessor, #company# must carry out adequate due diligence to ensure that the Subprocessor is capable of providing the level of protection for the Personal Data required by the Principal Agreement and this Addendum.

(c) If Kennedys Group authorises #company# to engage or replace a Subprocessor, before the Subprocessor first processes Personal Data, #company# must ensure that the agreement between that Subprocessor and the #company# (or the relevant intermediate Subprocessor) complies with article 28(3) of the GDPR or the UK GDPR (as applicable).

(d) If Kennedys Group authorises #company# to engage or replace a Subprocessor, and that arrangement involves a Restricted Transfer, then before the Subprocessor first processes Personal Data, #company# must:

(i) ensure that the agreement between that Subprocessor and the #company# (or the relevant intermediate Subprocessor) incorporates the Standard Contractual Clauses; or

(ii) procure that the Subprocessor enter into an agreement with a Kennedys Group Firm incorporating the Standard Contractual Clauses.

(e) On request by Kennedys Group, #company# must provide Kennedys Group with a copy of any agreement between a Subprocessor and the #company# (or the relevant intermediate Subprocessor). This copy may be redacted to remove any information not relevant to the requirements of this Addendum.

(f) #company# will not be relieved of any of its liabilities or obligations under this Agreement by virtue of any subcontract, or any authorisation to a Subprocessor given by Kennedys Group, and #company# acknowledges that it will be liable to Kennedys Group for all acts and omissions of a Subprocessor, or any employee or agent of a Subprocessor, as fully as if they were the acts or omissions of #company#.

(a) Subject to clause 2.6(b), if any transfer of Personal Data from a Kennedys Group Firm to a Contracted Processor is a Restricted Transfer, the relevant Kennedys Group Firm (as “data exporter”) and the relevant Contracted Processor (as “data importer”) hereby enter into the Standard Contractual Clauses in respect of that Restricted Transfer. The Standard Contractual Clauses shall come into effect on the later of:

(i) the data exporter becoming a party to them;

(ii) the data importer becoming a party to them; and

(iii) commencement of the relevant Restricted Transfer.

(b) Clause 2.6(a) shall not apply to a Restricted Transfer unless its effect, together with other reasonably practicable compliance steps (which, to avoid doubt, do not include obtaining consents from data subjects), is to allow the relevant Restricted Transfer to take place without breach of applicable Data Protection Laws.

#company# must (and must ensure that its Associates do):

(a) take all Appropriate Security Measures to keep that Personal Data secure from accidental or unlawful destruction, loss or alteration or unauthorised disclosure or access;

(b) provide reasonable assistance to Kennedys Group to take all Appropriate Security Measures to keep that Personal Data secure from accidental or unlawful destruction, loss or alteration or unauthorised disclosure or access; and

(c) when it no longer requires the Personal Data for the purpose of performing its obligations under the Principal Agreement, promptly delete or destroy all copies of the Personal Data in its possession or control, so that the Personal Data cannot be recovered or reconstructed, and certify such deletion or destruction to Kennedys Group.

#company# must:

(a) provide (and must ensure that its Associates provide) reasonable assistance to Kennedys Group to:

(i) conduct any data protection impact assessment;

(ii) consult the supervisory authority in relation to any high risk data processing activity; and

(iii) participate in any investigation conducted by any Regulator regarding the Personal Data,

in accordance with Kennedys Group’s obligations under Data Protection Laws and otherwise as Kennedys Group sees fit; and

(b) on request by Kennedys Group, provide a complete copy of the Personal Data to Kennedys Group by secure file transfer in a format reasonably requested by Kennedys Group.

#company# must:

(a) immediately pass on to Kennedys Group any notice or communication it receives from a data subject or a Regulator regarding the Personal Data;

(b) not respond to any notice or communication it receives from a data subject or a Regulator regarding the Personal Data, except:

(i) in accordance with Kennedys Group’s documented instructions; or

(ii) as required by applicable law; provided that #company# must notify Kennedys Group of the legal requirement prior to such processing, unless the legal requirement prohibits #company# from providing such notice;

(c) provide (and must ensure that its Associates provide) reasonable assistance to Kennedys to respond to any request made by a data subject under the GDPR received by Kennedys or #company# or any other enquiry or complaint received by Kennedys or #company# from a data subject; and

(d) provide (and must ensure that its Associates provide) reasonable assistance to Kennedys to respond to any notice or communication received by Kennedys or #company# from any Regulator regarding the Personal Data.

If #company# becomes aware of any suspected or actual personal data breach which involves or is suspected to involve the Personal Data, #company# must:

(a) immediately notify Kennedys Group of the details of the personal data breach;

(b) provide Kennedys Group with regular updates on its progress in investigating and remedying the personal data breach;

(c) permit Kennedys Group technical personnel to assist #company# in investigating and remedying the personal data breach;

(d) provide reasonable assistance to Kennedys Group to notify any personal data breach to Regulators and to affected data subjects; and

(e) reimburse Kennedys Group for any reasonable costs it incurs in notifying the personal data breach to Regulators and to affected data subjects.

(a) #company# must:

(i) make available to Kennedys Group all information; and

(ii) permit Kennedys Group and its authorised agents to conduct an audit or inspection of its premises, records and information systems,

as reasonably necessary to demonstrate compliance with its obligations under this clause 2 in accordance with this clause 2.11.

(b) #company# must provide reasonable access and assistance to Kennedys and its authorised agents to assist it in carrying out an audit or inspection under this clause 2.11. #company# may require that Kennedys Group limit such access to normal business hours and Kennedys Group must use reasonable care to ensure an audit or inspection does not interfere with #company#’s business operations.

(c) Kennedys Group will bear its own costs of any audit or inspection carried out under this clause 2.11. #company# will not be entitled to any reimbursement by Kennedys Group for any costs or expenses incurred as a result of compliance with this clause 2.11.

(a) Kennedys Group may:

(i) by at least 30 days’ written notice to #company#, make any variations to the Standard Contractual Clauses (including any Standard Contractual Clauses entered into under clause 2.6), as they apply to Restricted Transfers which are subject to a particular Data Protection Law, which are required, as a result of any change in, or decision of a Regulator under, that Data Protection Law, to allow those Restricted Transfers to be made (or continue to be made) without breach of that Data Protection Law; and

(ii) propose any other variations to this Addendum which Kennedys Group reasonably considers to be necessary to address the requirements of any Data Protection Law.

(b) If Kennedys Group gives notice under clause 2.12(a)(i):

(i) #company# must promptly co-operate (and ensure that any affected Subprocessors promptly co-operate) to ensure that equivalent variations are made to any agreement put in place under clause 2.5(d); and

(ii) Kennedys Group will not unreasonably withhold or delay agreement to any consequential variations to this Addendum proposed by #company# to protect the Contracted Processors against additional risks associated with the variations made under clauses 2.12(a)(i) or 2.12(b)(i).

(c) If Kennedys Group gives notice under clause 2.12(a)(ii), the parties shall promptly discuss the proposed variations and negotiate in good faith with a view to agreeing and implementing those or alternative variations designed to address the requirements identified in Kennedys Group’s notice as soon as is reasonably practicable.

Without prejudice to clauses 7 and 9 of the Standard Contractual Clauses:

(a) this Addendum is governed by and is to be construed in accordance with the laws of the place specified for this purpose in the Principal Agreement;

(b) the parties irrevocably and unconditionally submit to the non-exclusive jurisdiction of the courts exercising jurisdiction in the place specified for this purpose in the Principal Agreement and waive any right to object to any proceedings being brought in those courts.

(a) Nothing in this Addendum reduces #company#’s obligations under the Principal Agreement in relation to the protection of Personal Data or permits #company# to process (or permit the processing of) Personal Data in a manner which is prohibited by the Principal Agreement.

(b) Subject to clause 2.14(a), with regard to the subject matter of this Addendum, in the event of inconsistencies between the provisions of this Addendum and any other agreements between the parties, including the Principal Agreement and including (except where explicitly agreed otherwise in writing, signed on behalf of the parties) agreements entered into or purported to be entered into after the date of this Addendum, the provisions of this Addendum shall prevail.

(c) In the event of any conflict or inconsistency between this Addendum and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.

If any provision of this Addendum is held to be invalid or unenforceable, then the remainder of this Addendum shall remain valid and in force. The invalid or unenforceable provision shall be either: (a) amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible; or, if this is not possible, (b) construed in a manner as if the invalid or unenforceable part had never been contained therein.