Causeway Data Protection Schedule
Definitions
Data Protection Legislation: any laws and regulations relating to privacy or the use or processing of data relating to natural persons applicable in the United Kingdom, including: (a) the General Data Protection Regulation ((EU) 2016/679); (b) the Data Protection Act 2018 (the DPA); and (c) the Privacy and Electronic Communications Directive 2002/58/EC (as updated by Directive 2009/136/EC) and the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426) as amended.
DP Regulator: any governmental or regulatory body or authority with responsibility for monitoring or enforcing compliance with the Data Protection Legislation.
Relevant Personal Data: Personal Data other than Causeway-Controlled Data (as defined in paragraph 1.4 below).
1. DATA PROTECTION
1.1 The terms “Data Controller”, “Data Processor”, “Personal Data”, “Data Subject” and “processing” shall have the meanings set out in the Data Protection Legislation.
1.2 Both parties will comply with all applicable requirements of the Data Protection Legislation. This paragraph 1.2 is in addition to, and does not relieve, remove or replace, a party's obligations under the Data Protection Legislation.
1.3 In relation to Relevant Personal Data, the parties acknowledge that for the purposes of the Data Protection Legislation, you are the Data Controller and Causeway is the Data Processor. This processing shall be in respect of the types of Relevant Personal Data, categories of Data Subjects, nature and purposes, and duration, set out in Appendix 1 to this Schedule.
1.4 Causeway Technologies Limited (“Causeway”) is the Data Controller only in respect of:
(a) the login information (comprising a name, corporate email address and password) collected when issuing a user licence/user account at the outset or during the Agreement; and
(b) the details of the Customer support contacts (comprising a name, corporate email address and telephone number);
(together, the “Causeway-Controlled Data”).
Causeway shall only use the Causeway-Controlled Data for the purposes of this Agreement and in compliance with all applicable requirements of the Data Protection Legislation.
1.5 Without prejudice to the generality of paragraph 1.2, you shall:
(a) ensure that any instructions you issue to Causeway shall comply with the Data Protection Legislation; and
(b) have sole responsibility for the accuracy, quality and legality of Relevant Personal Data and the means by which you acquired Relevant Personal Data and shall establish the legal basis for processing under Data Protection Legislation, including providing all notices to, and obtaining all consents from, individuals as may be required under Data Protection Legislation in order for Causeway to process the Relevant Personal Data as otherwise contemplated by this Schedule.
1.6 Without prejudice to the generality of paragraph 1.2, Causeway shall, in relation to any Relevant Personal Data processed in connection with the performance by Causeway of its obligations under this Agreement:
(a) process that Relevant Personal Data only to the extent and in such a manner as is necessary for the purposes of providing the Software, Service, Support Services and other Services under this Agreement and on your lawful written instructions;
(b) ensure that it has in place appropriate technical and organisational measures to protect against unauthorised or unlawful processing of Relevant Personal Data and against accidental loss or destruction of, or damage to, Relevant Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymising and encrypting Relevant Personal Data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to Relevant Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it);
(c) take commercially reasonable steps to ensure that all personnel who have access to and/or process Relevant Personal Data are obliged to keep the Relevant Personal Data confidential; and
(d) not transfer such Relevant Personal Data outside the UK or the European Economic Area without your prior written consent, save that transfers shall be permitted where the transfer:
(i) is based on an adequacy decision (as per GDPR Article 45);
(ii) is subject to appropriate safeguards on condition that enforceable data subject rights and effective legal remedies for data subjects are available (as per GDPR Article 46); or
(iii) fits within one of the derogations for specific situations (as per GDPR Article 49);
(e) take such steps as are reasonably required to assist you in ensuring compliance with your obligations pursuant to GDPR Articles 32 to 36 (inclusive);
(f) notify you without undue delay on becoming aware of a Relevant Personal Data breach;
(g) at your written direction, and except as required by law or in order to defend any actual or possible legal claims, take reasonable steps to delete or return Relevant Personal Data and copies thereof to you on termination or expiry of the Agreement. The Relevant Personal Data will be returned to you in a csv file format unless a different format has been agreed by the parties (in which case you will pay Causeway’s reasonable costs incurred);
(h) maintain records of all processing operations under its responsibility that contain at least the minimum information required by the Data Protection Legislation, and make such information available to you and/or any DP Regulator on request; and
(i) allow for audits by you or your designated representative on reasonable notice, subject to the following requirements:
(i) you may perform such audits no more than once per year or more frequently if required by Data Protection Legislation;
(ii) you may use a third party to perform the audit on your behalf, provided such third party executes a confidentiality agreement acceptable to Causeway before the audit;
(iii) audits must be conducted during regular business hours, subject to Causeway’s policies, and may not unreasonably interfere with Causeway’s business activities;
(iv) you must provide Causeway with any audit reports generated in connection with any audit at no charge unless prohibited by applicable law. You may use the audit reports only for the purposes of meeting your audit requirements under Data Protection Legislation and/or confirming compliance with the requirements of this Schedule. The audit reports shall be confidential;
(v) to request an audit, you must first submit a detailed audit plan to Causeway at least 4 (four) weeks (or as otherwise agreed between us) in advance of the proposed audit date. The audit must describe the proposed scope, duration and start date of the audit. Causeway will review the audit plan and inform you of any concerns or questions (for example, any request for information that could compromise Causeway’s confidentiality obligations or its security, privacy, employment or other relevant policies). Causeway will work cooperatively with you to agree a final audit plan;
(vi) nothing in this paragraph 1.6 shall require Causeway to breach any duties of confidentiality owed to any of its clients, employees or third party providers; and
(vii) all audits are at your sole cost and expense;
(j) notify you as soon as reasonably practicable if Causeway receives a request from a Data Subject to exercise its rights under the Data Protection Legislation in relation to that person's Relevant Personal Data; and
(k) provide you with reasonable co-operation and assistance in relation to any request made by a Data Subject to exercise its rights under the Data Protection Legislation in relation to that person's Relevant Personal Data provided that you shall be responsible for Causeway’s reasonable costs and expenses arising from such co-operation and assistance.
1.7 In relation to the appointment of sub-processors:
(a) you generally agree that Causeway may engage a third party including any advisers, contractors, or auditors (such third party referred to as a Sub-Processor) to process Relevant Personal Data;
(b) you agree that Causeway may appoint the Sub-Processors listed at https://www.causeway.com/subprocessors;
(c) if Causeway engages a new Sub-Processor (New Sub-Processor), Causeway shall inform you of the engagement by sending an email notification to you and you may object to the engagement of such New Sub-Processor by notifying Causeway within 3 business days of Causeway’s email, provided that such objection must be on reasonable, substantial grounds, directly related to such New Sub-Processor's ability to comply with substantially similar obligations to those set out in this Schedule. If you do not so object, the engagement of the New Sub-Processor shall be deemed accepted by you;
(d) Causeway shall ensure that its contract with each New Sub-Processor shall impose obligations on the New Sub-Processor that are materially equivalent to the obligations to which Causeway is subject under this Schedule; and
(e) any sub-contracting by Causeway to Sub-Processors pursuant to this paragraph 1.7 shall not relieve Causeway of any of its liabilities, responsibilities and obligations to you under this Schedule, and Causeway shall remain liable for the acts and omissions of its Sub-Processors.
1.8 If either party receives any complaint, notice or communication which relates directly or indirectly to the processing of Relevant Personal Data by the other party or to either party's compliance with the Data Protection Legislation, it shall as soon as reasonably practicable notify the other party and it shall provide the other party with commercially reasonable co-operation and assistance in relation to any such complaint, notice or communication.
Appendix 1 to Schedule (Data Protection)
The Relevant Personal Data processing activities carried out by Causeway under this Agreement may be described as follows:
1. Subject matter of processing
Causeway shall process the Relevant Personal Data supplied by you for the purposes of the provision of the Service or Software as described in the Order Form.
2. Nature and purpose of processing
(a) The Service (hosted)
Where Causeway provides a hosted environment to deliver the Service, you as Data Controller are responsible for deployment of Relevant Personal Data within the Service. Causeway will act as a Data Processor as set out in this Schedule where you provide any Relevant Personal Data to Causeway as part of:
i. Your deployment of Relevant Personal Data within the Service; and/or
ii. Causeway’s Support Services or other Services such as consultancy and training.
(b) The Software (on-premise)
Where Causeway licenses Software which you are responsible for hosting, you as Data Controller are responsible for deployment, security and confidentiality of Relevant Personal Data within the Software. Causeway will only act as a Data Processor as set out in this Schedule where you provide any Relevant Personal Data to Causeway as part of Causeway’s Support Services or other Services such as consultancy and training.
In both situations, Causeway may also use Relevant Personal Data to generate anonymous statistical data for general commercial use by Causeway.
3. Categories of Relevant Personal Data
[Customer to specify categories of Relevant Personal Data (e.g. name, telephone number, email address) based on what information Customer intends to provide]
4. Categories of Data Subjects
[Customer to specify categories of Data Subjects (e.g. Customer’s employees, Customer’s suppliers, Customer’s clients) based on what information Customer intends to provide]
5. Duration
The Relevant Personal Data will be processed for the duration of this Agreement.