1. THE SERVICE
In consideration of the fees stated in the Details Form (and conditional upon continued receipt of those fees), PCH shall provide Customer with access to and a non-exclusive licence:
- to use the Privacy Compliance Hub (including to stream the PCH Video Content); and
- to use the Customisable Documents;
in accordance with the licence terms contained in this Agreement.
2. DEFINITIONS
“Agreement” means these terms and conditions including Appendix A.
“Customer” means the organisation stated on the Details Form.
“Customisable Documents” means the templates (including any updates to them made generally available by PCH) which can be downloaded from the Privacy Compliance Hub.
“Details Form” means the online details form for subscription to the Privacy Compliance Hub.
“Effective Date” means the later of the dates the Customer receives confirmation of its order and sets up payment such as a direct debit mandate.
“Intellectual Property Rights” means all copyright and rights in the nature of copyright, database rights, design rights, patents and trade marks (including all goodwill in them), applications for any of the above, moral rights, know-how, confidential information, and/or any other intellectual or industrial property rights whether or not registered or capable of registration and whether subsisting in the United Kingdom or any other part of the world.
“Minimum Subscription Period” means twelve calendar months.
“PCH” means The Privacy Compliance Hub Limited, a company registered in England and Wales with company number 10807555 whose registered office is at Camburgh House, 27 New Dover Road, Canterbury, CT1 3DN.
“Privacy Compliance Hub” means the product developed by PCH (including any updates to it made generally available by PCH) which is accessible from www.privacycompliancehub.com (or such URL as replaces it) and which is designed to assist companies to achieve and maintain data protection compliance, including the software, the functionality, the PCH Video Content and all hard-coded content (including the privacy promises, the route map and the glossary). It does not include the Customisable Documents.
“PCH Video Content” means the video content produced and made available by PCH.
“User Account” means each invitation made by Customer which results in a set of login credentials being sent to an individual for the purpose of accessing the Privacy Compliance Hub.
3. FEES & PAYMENT
a. From the Effective Date, PCH shall invoice Customer and Customer shall pay PCH the sum stated on the Details Form monthly in advance (“Monthly Subscription”). Each Monthly Subscription shall be paid monthly in advance by direct debit.
b. If at any time Customer ceases to pay the Monthly Subscription, PCH shall in its discretion either:
(i) suspend Customer’s access to the Privacy Compliance Hub until payment of Monthly Subscriptions is made up to date; or
(ii) give Customer thirty days’ written notice (email shall suffice) of termination of the Agreement.
c. The sums payable in accordance with clause 3(a) above entitle Customer to up to the maximum number of User Accounts for the number of employees stated on the Details Form. If Customer accesses more than this number of User Accounts then the sums payable by Customer shall increase in accordance with PCH’s standard published pricing from the date Customer exceeds the maximum number of User Accounts.
4. DURATION
a. This Agreement shall commence on the Effective Date and shall continue for the period of the Minimum Subscription Period and, if renewed in accordance with this clause 4, for the applicable renewal period, unless terminated earlier in accordance with its terms.
b. Unless at least 30 days’ prior written notice is given by Customer to PCH that this Agreement shall expire at the end of the Minimum Subscription Period or any renewal period, this Agreement shall automatically renew for a period of equal duration to the Minimum Subscription Period, unless terminated earlier in accordance with its terms.
5. INTELLECTUAL PROPERTY RIGHTS
a. The Privacy Compliance Hub (including all Intellectual Property Rights in it) is owned by PCH. PCH grants Customer a non-exclusive, personal licence for the duration of this Agreement to access and use the Privacy Compliance Hub (including to stream the PCH Video Content) for up to the number of User Accounts for the number of employees stated on the Details Form.
b. The Privacy Compliance Hub allows Customer to upload and/or link to content (including video content) created by Customer. This content (and all Intellectual Property Rights in it) is owned by Customer. Customer grants PCH a non-exclusive, personal licence for the duration of the Agreement to use such content solely to the extent necessary for PCH to comply with its obligations under this Agreement.
c. The Customisable Documents and all Intellectual Property Rights in them are owned by PCH. PCH grants Customer a perpetual, non-exclusive, personal licence to use the Customisable Documents for its internal business purposes only.
d. Except to the extent expressly stated otherwise in this Agreement, neither party shall acquire any right, title, or interest in any Intellectual Property Rights belonging to the other party, or the other party’s licensors.
6. DATA PROCESSING
PCH shall comply with the data processing obligations contained in Appendix A to this Agreement.
7. CONFIDENTIAL INFORMATION
During the course of the Agreement, one party (the “discloser”) may disclose Confidential Information to the other party (the “recipient”). “Confidential Information” means information that is marked as confidential or, from its nature, content or the circumstances in which it is disclosed, might reasonably be supposed to be confidential. It does not include information that: (a) the recipient already knew; (b) becomes public through no fault of the recipient; (c) the recipient independently developed; or (d) was lawfully given to the recipient by a third party. It includes (without limitation): (i) trade secrets; (ii) product prototypes, methodologies and other technical and design information; and (iii) business information including plans, customers and products. Neither party shall disclose Confidential Information to any third party unless authorised in writing by the discloser. On termination or expiry of this Agreement, each party shall promptly return all Confidential Information belonging to the other, or certify in writing that all such Confidential Information has been destroyed.
8. RESTRICTIONS
Customer shall not, and shall not attempt to, copy, reproduce, alter, modify, reverse engineer, disassemble, decompile, translate, or attempt to discover any prototypes, software, algorithms, or underlying ideas which embody the Privacy Compliance Hub (except to the extent allowed by law). Customer shall not rent, lease, sub-license, loan, translate, merge, adapt, vary or modify the Privacy Compliance Hub. Customer shall not copy any ideas, features, functions or graphics which are proprietary to PCH. Customer shall not use the Privacy Compliance Hub in a way that could damage, disable, overburden, impair or compromise PCH’s systems or security or interfere with other users.
9. ATTRIBUTION
PCH shall be entitled to use Customer’s name and logo in its sales, marketing and PR material (including its website) and Customer grants PCH a non-exclusive licence solely for this purpose. This licence may be terminated immediately upon notice by Customer at any time.
10. TERMINATION RIGHTS
a. Either party may, on giving written notice to the other, terminate this Agreement with immediate effect if: (i) the other party is in material breach of the Agreement and such breach is incapable of remedy; (ii) the other party is in breach of the Agreement and, where such breach is capable of remedy, fails to remedy such breach within 30 days of being so requested; (iii) regardless of whether the breach could be regarded as material or is capable of remedy, the other party is in breach of clause 7 or 8; or (iv) any force majeure event continues for a period of 30 consecutive days or more.
b. Either party shall be entitled, on giving written notice to the other, to terminate this Agreement with immediate effect if the other party ceases, or threatens to cease to carry on business, or is or becomes unable to pay its debts as they fall due.
c. Prior to termination or expiry of this Agreement, Customer may at any time download any Customisable Documents hosted within the Privacy Compliance Hub (and any other content uploaded into the Privacy Compliance Hub by Customer). After the date of termination or expiry, PCH shall have no obligations in relation to the Customisable Documents or any other content uploaded into the Privacy Compliance Hub by Customer (other than as required by applicable law).
d. On termination of this Agreement the accrued rights and liabilities of the parties as at termination and the continuation of any provision expressly stated to survive or implicitly surviving termination, shall not be affected.
11. WARRANTIES
a. Each party warrants to the other that it has the power to enter into this Agreement and perform its respective obligations under this Agreement.
b. The Privacy Compliance Hub is made available for use “as is”. No condition, warranty or other term is given or entered into to the effect that the Privacy Compliance Hub shall be of satisfactory (or any other) quality or that the Privacy Compliance Hub shall be fit for any particular purpose. All other warranties, conditions or terms implied by law, or by custom are excluded.
c. Customer acknowledges and agrees that the Privacy Compliance Hub is designed to assist Customer with its data protection compliance obligations. It is no guarantee of data protection compliance. PCH accepts no responsibility for Customer’s actual compliance with its data protection obligations. Customer assumes sole responsibility and entire risk for any decisions made or actions taken based on the information contained in or generated by the Privacy Compliance Hub. Customer is solely responsible for the finalised documents prepared by it and uploaded or linked to the Privacy Compliance Hub, whether or not based upon the Customisable Documents. Customer further understands and agrees that:
(i) Statements made by PCH and all recommendations and opinions within the Privacy Compliance Hub are made in good faith on the basis of information available at the time they are given. They are not a representation, undertaking or warranty as to outcome, achievable results or compliance.
(ii) PCH may, within the Privacy Compliance Hub, make statements about or recommendations of third party software, equipment or services (including consultants’ services). No warranty shall be attributable to PCH with respect to such software, equipment or services and Customer shall rely solely upon any contract with such a third party.
12. INDEMNITY
PCH shall indemnify Customer from and against any losses, liability, damages, and expenses (including all reasonable legal fees) that Customer incurs or are awarded against Customer as a result of any claim against Customer by a third party that its use of the Privacy Compliance Hub and/or the Customisable Documents infringes that third party’s Intellectual Property Rights provided that:
(a) PCH is given prompt notice of such claim;
(b) PCH is given sole authority to defend or settle the claim; and
(c) Customer provides reasonable co-operation to PCH in the defence and settlement of such claim, at PCH’s expense.
13. LIABILITY
a. Nothing in this Agreement shall exclude or limit either party’s liability for: (i) death or personal injury resulting from its negligence or the negligence of its agents or employees; (ii) fraud or fraudulent misrepresentation; (iii) breach of clauses 7 or 8; or (iv) any other liability which cannot be excluded by law.
b. PCH shall not be liable (whether in contract, tort or otherwise) for any loss suffered by Customer which arises as a result of the failure by Customer to keep its password for the Privacy Compliance Hub secure.
c. Subject to clause 13(a), neither party shall be liable (whether in contract, tort or otherwise) for any special, indirect or consequential loss, or for loss of profits, or loss of goodwill (whether or not such losses were within the contemplation of the parties at the date of this Agreement) suffered or incurred by the other party.
d. Subject to clauses 13(a) and 13(b), each party’s total aggregate liability to the other arising from or in connection with this Agreement (whether in contract, tort or otherwise) shall be limited to 125% of the total amounts paid by Customer to PCH under this Agreement.
14. GENERAL
a. This Agreement does not create any agency or partnership relationship between PCH and Customer.
b. Neither party can assign or transfer this Agreement without the prior written consent of the other party (which consent shall not be unreasonably withheld or denied) except that either party shall be entitled to assign or transfer this Agreement to a purchaser of all or a substantial part of its assets without such consent.
c. This Agreement sets out all the terms between PCH and Customer with respect to its subject matter, and supersedes any prior oral or written agreements.
d. Nothing in this Agreement shall create or confer any rights or other benefits in favour of any person other than the parties to this Agreement.
e. If any provision of this Agreement is found by any court or other authority of competent jurisdiction to be invalid, illegal or unenforceable, that provision or part-provision shall, to the extent required, be deemed not to form part of the Agreement and (a) the parties shall immediately commence good faith negotiations to remedy such invalidity; and (b) the validity and enforceability of the other provisions of the Agreement shall not be affected.
f. This Agreement shall be governed by and construed in accordance with English law. The parties agree that any dispute or claim arising out of or in connection with this Agreement shall be brought exclusively in the courts of England and Wales.
Issue Date: June 2022
APPENDIX A
DATA PROCESSING
1. DETAILS OF PROCESSING OF PERSONAL DATA
CONTROLLER | Customer |
PROCESSOR | PCH |
SUBJECT MATTER OF THE PROCESSING | Compliance documentation |
DURATION OF THE PROCESSING | For the duration of the Agreement and for no more than three months after its expiry or termination |
NATURE OF THE PROCESSING | Hosting of content which may include personal data |
PURPOSE OF THE PROCESSING | To assist Controller in compliance with its obligations under the GDPR |
TYPE OF PERSONAL DATA | Digital |
CATEGORIES OF DATA SUBJECTS | Employees and, possibly, some customers |
2. INTERPRETATION
2.1. The following definitions and meanings apply to the Agreement:
“Applicable Law” means the law of the European Union, the applicable law of a member state of the European Union or (if the UK is outside the European Union), the applicable law of England and Wales, Scotland or Northern Ireland.
“Data Subject”, “Personal Data” and “Processing” shall have the meanings set out in the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“General Data Protection Regulation” or “GDPR”).
“Privacy Laws” means the GDPR, Directive 95/46/EC, the Data Protection Act 1998 and the Electronic Communications (EC Directive) Regulations 2003, as applicable.
3. RIGHTS AND OBLIGATIONS
3.1. Controller and Processor shall each comply with the Privacy Laws.
3.2. Processor shall process Personal Data only on documented instructions from Controller, unless required to do so by Applicable Law.
3.3. Processor shall ensure that persons authorised by it to process the Personal Data are bound by enforceable confidentiality obligations not to disclose it.
3.4. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of the Data Subjects, Processor shall implement appropriate technical and organisational measures (to ensure a level of security appropriate to the risk) in such a manner that the Processing of Personal Data will meet the requirements of the Privacy Laws and ensure the protection of the rights of each Data Subject. Such measures shall include, if appropriate:
3.4.1. the pseudonymisation and encryption of Personal Data;
3.4.2. the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
3.4.3. the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; and/or
3.4.4. a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the Processing.
3.5. Processor shall take account of the risks that are presented by Processing the Personal Data in assessing the level of security required for Personal Data.
3.6. Processor shall ensure that any natural person acting under the authority of the Processor who has access to the Personal Data does not process them except on instructions from the Controller (unless required by Applicable Law).
3.7. If Processor engages another processor for carrying out specific Processing activities on behalf of Controller, Processor shall procure (including by entering into a binding contract with that other processor) that the other processor complies with the same obligations as Processor assumes under this Appendix.
3.8. Processor shall, taking into account the nature of the Processing, assist Controller by appropriate technical and organisational measures (insofar as this is possible) in Controller’s compliance with its obligations to respond to requests from Data Subjects under the Privacy Laws.
3.9. Processor shall (taking into account the nature of processing and the information available to the Processor) assist Controller in ensuring compliance with Controller’s obligations under Privacy Laws in respect of security of Processing, notification of Personal Data breaches, data protection impact assessments and prior consultation with supervisory authorities.
3.10. Processor shall upon termination or expiry of the Agreement (at the choice of Controller) delete or return to Controller all Personal Data processed under the Agreement (including any copies of it) unless required to retain it under Applicable Law.
3.11. Processor shall make available to Controller all information necessary to demonstrate compliance with this Appendix and shall allow for and contribute to audits, including inspections, conducted by Controller, or another auditor mandated by Controller.
3.12. Processor shall immediately inform Controller if, in its opinion, an instruction from Controller infringes Privacy Laws.
3.13. If Processor engages another processor for carrying out specific processing activities on behalf of Controller, the same data protection obligations as set out in this Appendix shall be imposed on that other processor in a contract which, in particular, provides sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of Privacy Laws. Where that other processor fails to fulfil its data protection obligations, Processor shall remain fully liable to Controller for the performance of that other processor’s obligations.
Issue date: June 2022