This Data Processing Addendum, including the Standard Contractual Clauses where applicable (“DPA”), is entered into between NGENIUS Ltd. (“NGENIUS”) and the entity identified in the Agreement (the “Customer”) (each referred to as a “Party” and collectively as the “Parties”). This DPA is incorporated by reference into the Master Service Agreement governing the use of the Service (the “Agreement”) between the Parties. All capitalized terms used in this DPA but not defined will have the meaning set out in the Agreement. To the extent of any conflict or inconsistency between this DPA, any previously executed data processing agreement, and the remaining terms of the Agreement, this DPA will govern.
1 Definitions
1.1
Capitalized terms in the Agreement have the definitions provided here, or elsewhere in the Agreement:
- Addendum means this Data Processing Addendum.
- Controller, Processor, Data Subject, Personal Data, Personal Data Breach, Processing shall have the meaning as defined in the Data Protection Legislation and the phrase “appropriate technical and organisational measures” shall be interpreted similarly.
- Customer Personal Data means Personal Data that the Customer uploads, transfers, streams, or otherwise inputs into the Platform and which is processed in connection with the provision of the Service under the Agreement by NGENIUS on behalf of the Customer.
- Data Protection Legislation means all applicable privacy and data protection laws, including the EU General Data Protection Regulation (Regulation 2016/679) (the “GDPR”), the Data Protection Act 2018, the UK GDPR, and any applicable national implementing laws, regulations and secondary legislation relating to the processing of personal data pursuant to this Agreement, as amended, replaced or updated from time to time.
- Standard Contractual Clauses means (i) where the GDPR applies, the standard contractual clauses annexed to the European Commission’s Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the European Council (available as of June 2021 https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj), (the “EU SCCs”); (ii) where the UK GDPR applies, the applicable standard data protection clauses adopted pursuant to Article 46(2)(c) or (d) of the UK GDPR including the standard data protection clauses issued by the commissioner under s119A(1) of the UK DPA 2018 as revised from time to time (“UK Addendum”); and (iii) where the Swiss DPA applies, the applicable standard data protection clauses issued, approved or recognized by the Swiss Federal Data Protection and Information Commissioner (the “Swiss SCCs”), in each case as completed as described in Section 9 (Data Transfers) below.
- UK GDPR means the GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018.
2 Relationship of the Parties
2.1 Compliance with the Data Protection Legislation
The Parties hereby agree to comply with all applicable requirements of the Data Protection Legislation. This DPA is in addition to, and does not relieve, remove or replace, a Party’s obligations under the Data Protection Legislation.
2.2 NGENIUS as Processor
The Parties acknowledge and agree that with regard to the Customer Personal Data, the Customer is the controller and NGENIUS a processor of the Personal Data.
2.3 NGENIUS as Subprocessor
In circumstances in which the Customer may be a processor, the Customer appoints NGENIUS as the Customer’s subprocessor, which will not change the obligations of either the Customer or NGENIUS under this DPA.
2.4 Lawful Basis
It is the Customer’s responsibility to ensure that it has all necessary consents or notices in place to enable lawful collection and processing of Personal Data on behalf of the Customer by NGENIUS for the duration and purposes of this Agreement. NGENIUS shall notify the Customer immediately if it considers that any of the Customer’s instructions infringe the Data Protection Legislation.
3 Nature of the Processing
3.1 Limitations of Processing
NGENIUS shall not, under any circumstances except as required by law, process the data, or permit the data to be processed, except according to the following:
- in order to provide the Service in accordance with this Agreement and the Customer’s lawful instructions as set forth under Section 3.2; or
- as necessary to comply with the Data Protection Legislation or as directed by a competent authority; or
- as otherwise instructed by the Customer in writing.
3.2 Customer’s Instruction
NGENIUS shall, in relation to any Personal Data processed in connection with the performance by NGENIUS of its obligations under this Agreement, process that Personal Data according to the Customer’s instruction. The Agreement, including this DPA, along with the Customer’s use and configuration of the Service (as the Customer may be able to modify from time to time), constitutes the Customer’s complete and final instructions to NGENIUS regarding the processing of Customer Personal Data, unless otherwise agreed in writing.
4 Destruction of Personal Data
On the termination of the Agreement or the receipt of written instruction from the Customer, and unless otherwise required by the Data Protection Legislation, NGENIUS will delete or return the Personal Data and any copies to the Customer (and for these purposes the term “delete” shall mean to put such data beyond use). The Customer acknowledges that, in the case of CCTV footage, NGENIUS will delete the original footage containing the Personal Data immediately following the anonymization process as described in clause 6.4 and as such, this data will not be returned.
5 Data Transfers and subprocessors
The Customer approves:
- NGENIUS transferring Personal Data outside of the United Kingdom and European Economic Area in accordance with clause 6.3; and
- NGENIUS appointing the subprocessors in accordance with section 8 and as detailed at https://ngenius.ai/legal/subprocessors.html as sub-processors of the Customer Personal Data under this Agreement.
6 Security of Personal Data
6.1 Appropriate security measures
In relation to the processing of Personal Data in accordance with this DPA, NGENIUS shall implement and maintain throughout the term of this Agreement appropriate technical and organisational measures intended to protect Personal Data against accidental, unauthorised or unlawful access, disclosure, alteration, loss, damage or destruction. Such measures may include, but are not limited to, anonymisation, encryption, resilience testing and restoration measures (including backup plans and business continuity arrangements) and organisational measures around personnel access, confidentiality, and training. When considering what measures to put in place, NGENIUS will take into account:
- the nature of the data; and
- the harm that might result from a security breach; and
- technological developments; and
- the cost of implementing any measures.
6.2 Restriction on Personnel
NGENIUS shall ensure that its staff, officers and those of any subcontractor or sub-processor do not process Personal Data other than in accordance with this Agreement, and are obligated to maintain the security and confidentiality of any Personal Data to which they have access.
6.3 Data Transfers
NGENIUS shall not transfer any Personal Data outside of the United Kingdom and European Economic Area unless:
- the Customer or NGENIUS has provided appropriate safeguards in relation to the transfer, including the Standard Contractual Clauses (if required); and
- the Data Subject has enforceable rights and effective legal remedies; and
- NGENIUS complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred; and
- NGENIUS conducts transfer risk assessments as required by the Data Protection Legislation.
6.4 Anonymisation of Video footage
In the case that the Customer Personal Data is comprised of video footage that was recorded in the public realm, NGENIUS shall process the footage to remove the Personal Data by:
- reducing the resolution and/or frame rate (preferably at source if possible) such that individual identification is impossible; and
- deleting the original footage as soon as is practical following the anonymization process.
7 Assistance and Cooperation
7.1 Data Breach Notification and Response
NGENIUS will comply with the Personal Data Breach-related obligations directly applicable to it under Data Protection Legislation. Taking into account the nature of processing and the information available to NGENIUS, NGENIUS will assist the Customer by notifying it of a confirmed Personal Data Breach without undue delay or within the time period required under Data Protection Legislation, and in any event no later than seventy-two (72) hours following such confirmation. To the extent available, this notification will include NGENIUS’s then-current assessment of the following:
- the nature of the Personal Data Breach, including, where possible, the categories and the approximate number of data subjects concerned and the categories and the approximate number of personal data records concerned;
- the likely consequences of the Personal Data Breach; and
- measures taken or proposed to be taken by NGENIUS to address the Personal Data Breach, including, where applicable, measures to mitigate its possible adverse effects.
NGENIUS will provide timely and periodic updates to the Customer as additional information regarding the Personal Data Breach becomes available. The Customer acknowledges that any updates may be based on incomplete information. NGENIUS will not assess the contents of Customer Data for the purpose of determining if such Customer Data is subject to any requirements under Applicable Law. Nothing in this DPA will be construed to require NGENIUS to violate, or delay compliance with, any legal obligation it may have with respect to a Personal Data Breach or other security incidents generally.
7.2 Responding to Individual Rights
To the extent legally permitted, NGENIUS will promptly notify the Customer, or refer the individual back to the Customer, if NGENIUS receives any requests from an individual seeking to exercise any rights afforded to them under Applicable Law regarding their personal data, which may include: access, rectification, restriction of processing, erasure (“right to be forgotten”), data portability, objection to the processing, or not to be subject to automated individual decision-making (each, a “Data Subject Request”). In the event that the Customer is unable to address a Data Subject Request in its use of the Service, NGENIUS will, upon the Customer’s request, provide commercially reasonable efforts to assist the Customer in responding to such Data Subject Request, to the extent NGENIUS is legally permitted to do so and the response to such Data Subject Request is required under the Data Protection Legislation. To the extent legally permitted, the Customer will be responsible for any costs arising from NGENIUS’s provision of additional functionality to assist with a Data Subject Request.
7.3 Demonstrating Compliance
NGENIUS shall maintain and make available to the Customer all information and records that are reasonably necessary to demonstrate its compliance with this DPA and with the Data Protection Legislation, and to permit and assist the Customer on reasonable prior notice to inspect and audit the facilities and systems used by NGENIUS to Process the Personal Data, the technical and organizational measures used by NGENIUS to ensure the security of the Personal Data and any and all records maintained by NGENIUS relating to that Processing. The Customer may only exercise the right to audit as set out in this clause once per calendar year and all costs shall be borne by the Customer. The Customer and NGENIUS will discuss and agree in advance on the reasonable start date, scope and duration of, and security and confidentiality controls applicable to, any audit and the Customer shall take all necessary steps to minimize the disruption to NGENIUS’s business. NGENIUS may elect to provide the Customer with documents and records demonstrating its compliance with the obligations of this DPA and the Customer shall refrain from exercising its audit right if the records are sufficient to demonstrate compliance. The Customer acknowledges that in cases where NGENIUS does not have on-premise audit rights with its sub-processors, then NGENIUS using its reasonable endeavors to exercise its contractual audit rights with its sub-processors shall be sufficient for NGENIUS to comply with its sub-processor auditing obligations under this clause.
8 Subprocessing
8.1 Subprocessors
The Customer acknowledges and agrees that NGENIUS’s Affiliates and certain third parties may be retained as subprocessors (“Subprocessors”) to process Customer Personal Data on NGENIUS’s behalf in order to provide the Service. NGENIUS’s Subprocessors are listed at https://ngenius.ai/legal/subprocessors.html. NGENIUS will impose contractual obligations on any Subprocessor NGENIUS appoints requiring it to protect Customer Personal Data to standards that are no less protective than those set forth under this DPA. NGENIUS remains liable for its Subprocessors’ performance under this DPA to the same extent NGENIUS is liable for its own performance.
8.2 Notice of changes to NGENIUS Subprocessors
NGENIUS shall inform the Customer of any subprocessors it wishes to allow to process the Customer Personal Data when acting as a Processor in accordance with this Addendum, and any intended changes concerning the addition or replacement of current sub-processors not less than ten (10) business days before NGENIUS authorises such Subprocessor to process the Personal Data.
8.3 Right to Object
Customer may reasonably object to NGENIUS’s use of a new Subprocessor by notifying NGENIUS promptly in writing at dpa@ngenius.ai (with its reasonable grounds for objection) within ten (10) business days after receipt of notice as described in clause 8.2. In the event that the Customer objects to a new Subprocessor, NGENIUS will use commercially reasonable efforts to make available to Customer a change in the Service or Customer’s configuration or use of the Service to avoid processing of Customer Personal Data by the objected-to new Subprocessor. If NGENIUS is unable to make available such change within a reasonable period of time, which will not exceed thirty (30) days, either Party may upon written notice terminate without penalty the applicable Order Form(s) or this Agreement.
9 General
9.1 Amendments
The Parties agree to negotiate in good faith any reasonable amendments to the Agreement or this Addendum which are required as a result of any change in, or decision of a competent authority under, any applicable law, or to allow NGENIUS’s processing of the Customer Footage under this Agreement to be made (or continue to be made) without breach of Data Protection Legislation.