Data Protection Addendum

This Data Protection Addendum (“DPA”) shall be deemed incorporated into each Reseller Agreement
for Cloud Services (“RACS”) between Westcoast and the relevant reseller in which a link to this DPA
is included.

1. DEFINITIONS

1.1 In this DPA, the following expressions shall have the following meanings (and all other
capitalised expressions shall be as defined in the RACS):

“Controller”, “Processor”, “Data Subject”, “Personal Data”, “Personal Data Breach”, “Process” and “Processing” shall have the respective meanings given to them (and terms used for similar concepts) in Data Protection Laws, and “End User Personal Data” means the Personal Data set out in the Description of Processing where such data is Processed by Westcoast as a Processor;

“Data Protection Laws” means any applicable legislation in force from time to time relating to the protection of personal data of individuals; and

“Description of Processing” means the information set out in the Annex to this DPA.

2. DATA PROTECTION

2.1 You acknowledge and agree that:

2.1.1 as between the parties, the Reseller is a Processor and that Westcoast is a
sub-Processor for the purposes of Processing End User Personal Data; and
2.1.2 Westcoast is a Controller in relation to any Processing described in its privacy notices
located at www.westcoast.co.uk/admin/downloads/westcoast-privacy-notice.pdf

2.2 In respect of any End User Personal Data Processed by Westcoast, it shall:

2.2.1 only Process End User Personal Data in accordance with the documented
instructions of the Controller of that data, as communicated by the Reseller to
Westcoast in writing from time to time unless Westcoast is required by Legislation to
Process that data otherwise than in accordance with those instructions (in which case
it shall notify the Reseller unless the law prohibits it from doing so on public interest
grounds). The Reseller shall ensure that it communicates all instructions from the
relevant Controller to Westcoast promptly, accurately and without any omissions;
2.2.2 ensure that those of Westcoast’s staff who have access to and/or Process End User
Personal Data are committed to keeping End User Personal Data confidential;
2.2.3 implement appropriate technical and organisational measures to protect against
accidental, unlawful or unauthorised destruction, loss, alteration or disclosure of, or
access to, End User Personal Data in accordance with Westcoast’s obligations under
Data Protection Laws;
2.2.4 with the Reseller’s general authorisation (which it hereby provides) engage other
Processors to Process the End User Personal Data (“Sub-Processor”). Westcoast
shall ensure that it enters into a written agreement with each Sub-Processor with
provisions similar in effect to those in this DPA to the extent required by Data
Protection Laws. Westcoast shall notify the Reseller of any intended changes
concerning the addition or replacement of Sub-Processor(s) and shall provide the
Reseller with the opportunity to object to such changes. Any objections must be notified to Westcoast in writing within 14 days of the date of its notice to the Reseller. If Westcoast does not receive an objection from the Reseller within such period, it shall be deemed to have given authorisation to Westcoast to use such Sub-Processor. If the Reseller objects within such period, then the parties, acting in good faith, shall discuss and use their reasonable (but commercially prudent) endeavours to resolve the objections. If Westcoast is unable to resolve the objections within fourteen (14) days of the date of the Reseller’s objection, either Party may terminate the relevant Services without liability on giving seven (7) days’ written notice to the other Party;
2.2.5 not transfer any End User Personal Data outside of the United Kingdom and European Economic Area (“EEA”) if such transfer would directly cause the Controller to breach its obligations under Data Protection Laws. Subject to the foregoing provisions of this paragraph 2.2.5, the Reseller hereby consents to any Sub-Processors transferring End User Personal Data outside the UK and EEA. The Reseller shall promptly enter into any standard contractual clauses issued by a competent body as Westcoast reasonably requires for either Party and/or any relevant Controller of the End User Personal Data to comply with this DPA and/or Data Protection Laws;
2.2.6 provide such assistance to the Reseller as it reasonably requires (at the Reseller’s sole cost) to comply with any request from a Data Subject validly exercising its rights under Data Protection Laws or with the Reseller’s obligations under Data Protection Laws with respect to security, breach notifications, impact assessments and consultations with any data protection regulators;
2.2.7 for the sole purpose of demonstrating its compliance with this DPA, provide such information as the Reseller reasonably requires, or where, in Westcoast’s reasonable opinion, the provision of information alone is not reasonably sufficient for that purpose, allow for and contribute to an audit (including inspection) of the relevant parts of Westcoast’s business by up to two (2) of the Reseller’s representatives (in each case, at the Reseller’s sole cost, including any auditors’ or administrative fees). The Reseller shall give not less than one (1) month’s prior written notice prior to the date it wishes to conduct the audit and shall conduct any such audit no more than once per calendar year at such time and date that is convenient to Westcoast (except where required otherwise by a data protection regulator with competent jurisdiction). The Reseller shall promptly notify Westcoast in writing of any non-compliance discovered by such audit. The Reseller shall not disclose to any third party (other than, where applicable, the relevant Controller and/or the external auditor performing the audit) any information or reports obtained or produced in connection with any such audit and shall use such information and reports solely for the purposes of meeting its regulatory audit requirements and/or confirming our compliance with the requirements of this DPA. The Reseller shall ensure that it takes reasonable steps and any steps Westcoast requests to minimise any interruption to Westcoast’s business when exercising its rights under this paragraph 2.2.7. If a third party conducts the audit, Westcoast may object to the auditor if the auditor is, in its reasonable opinion, not suitably qualified or independent, Westcoast’s competitor or a competitor of its shareholders, or otherwise manifestly unsuitable. If Westcoast does object, it may require the Reseller to appoint another auditor; and
2.2.8 notify the Reseller or the relevant Controller without undue delay after becoming aware of any Personal Data Breach affecting the End User Personal Data and provide relevant information about such breach to the Reseller or Controller. Any notification by Westcoast under this paragraph 2.2.8 shall be made without any admission of liability.

2.3 The Reseller shall:

2.3.1 ensure that all documented instructions it issues to Westcoast comply with Data Protection Laws;
2.3.2 be solely responsible for the content of the Description of Processing; and
2.3.3 not seek Westcoast’s assistance in respect of any activities or tasks that can be performed by the Reseller or a third party. The Reseller shall immediately notify Westcoast in writing if the Description of Processing is inaccurate or incomplete at any time together with full details of the relevant updates.

2.4 To the extent permitted by Legislation, Westcoast shall not be liable for any inaccurate data (including Personal Data) provided to the Reseller or relevant Controller as part of the Services to the extent that such inaccuracy arises from inaccurate or otherwise incorrect data received by Westcoast.

2.5 Westcoast shall notify the Reseller or the relevant Controller if, in its opinion, any documented instructions the Reseller provides to Westcoast breach Data Protection Laws. The Reseller shall not (and shall procure that the relevant Controller shall not) rely on such notice, which it acknowledges and agrees does not constitute legal advice.

2.6 Following expiry or termination of the Agreement (at the Reseller’s option and sole cost) Westcoast shall either return to the Reseller and/or delete any End User Personal Data Processed by Westcoast solely as a Processor, in each case, in accordance with the Agreement, except where Westcoast is required to store it pursuant to Legislation.

2.7 All data-protection related terms and expressions used herein shall have the meanings given to them in applicable data protection legislation.

2.8 In respect of any Personal Data that the Reseller (or its End Users) Processes as a Controller, including any Personal Data provided to Westcoast as a Controller, the Reseller shall (and shall procure that its End Users) ensure that it shall and shall procure that its employees, agents and sub-contractors shall at all times comply with all Data Protection Laws.

2.9 The Reseller shall ensure that if the End User intends to save or in any way process personal data via the Cloud Services, then the End User shall acknowledge and accept all risks associated with usage of such services and the Reseller shall ensure that it (or the End User) as the Controller obtains and maintains all appropriate consents and permissions (where relevant) from Data Subjects in relation to any Processing of their Personal Data as may be necessary for the use of the Cloud Services.

Annex: Description of Processing

Processing of Personal Data

Subject matter: Processing in connection with the provision of the Support Services.

Nature: Collection, communication, transmission, storage, retrieval, alteration, deletion and destruction.

Duration: The duration for which Support Services are provided to the relevant End User by Westcoast.

Purposes of the Processing

The Processing is necessary for the following purposes: 

To provide Support Services to End Users.

Data Subjects

The Personal Data relates to the following categories of data subjects: 

Users (that are natural persons) authorised by the End User.

Categories of Personal Data

The Personal Data processed falls within the following categories:
Contact details, user account information and any Personal Data contained in messages relating to support requests or resolution or attempted resolution of the same.

Special categories of Personal Data and/or criminal offence/conviction data

The Personal Data Processed falls within the following special categories of Personal Data/criminal offence/conviction data:
None.

Rights and obligations of the Controller

The rights and obligations of the Controller of the End User Personal Data are as set out in this DPA and Data Protection Laws.