Data Protection
1. Definitions
"Data Protection Legislation" means the Data Protection Act 2018, as amended, the Privacy and Electronic Communications (EC Directive) Regulations 2003, the General Data Protection Regulation (GDPR) (EU) 2016/679 and all applicable laws and regulations relating to the processing of personal data and privacy.
“Personal Data” means personal data, personal information, or personally identifiable information as those terms are defined under the Data Protection Legislation.
2. General Principles
In order for Workvivo to provide the Workvivo Services, Workvivo will need to have access to Personal Data. Workvivo agrees to comply with the Data Protection Legislation. The parties agree that in respect of the Personal Data, the Customer is the data controller and Workvivo is the data processor.
3. Workvivo Obligations
Workvivo undertakes that it shall:
i. only process Personal Data as necessary to provide the Workvivo Services and in accordance with the Customer’s reasonably documented instructions that are provided by Customer to Workvivo from time to time;
ii. keep the Personal Data confidential and take all appropriate technical and organisational measures to ensure a level of security for the Personal Data which is appropriate to the risks to individuals that may result from the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to the Personal Data;
iii. provide Customer with a copy of any request from a data subject that is received by Workvivo pursuant to Data Protection Legislation and related to Personal Data within five (5) working days and shall provide all reasonably necessary assistance to the Customer to enable it to deal with the request in accordance with Data Protection Legislation;
iv. provide all reasonably necessary assistance to the Customer to enable it to deal with any communications from any Supervisory Authority relating to the Personal Data within any time frame specified by the Supervisory Authority;
v. provide all reasonably necessary assistance to enable the Customer to comply with its obligations under Articles 32 – 36 (inclusive) of the GDPR;
vi. not transfer any Personal Data outside the EEA except to countries in which Subprocessors authorised in accordance with Section 5 of this Attachment 1 are located (e.g. where Customer chooses to host Personal Data outside the EEA) or with the Customer’s prior written consent;
vii. keep records of all processing of Personal Data which it carries out as the Customer’s data processor, required under Article 30 of the GDPR, for as long as is necessary for the provision of the Services or as required by applicable law, and provide the Customer with a copy of those records upon Customer’s reasonable request;
viii. where required by Data Protection Legislation, designate a data protection officer and promptly provide their contact details to the Customer;
ix. retain Personal Data only for as long as is necessary for the provision of the Workvivo Services or as required by applicable law;
x. not disclose the Personal Data to third parties (except to Subprocessors (as defined in Section 5 below) and employees and contractors as permitted by this Attachment 1) or except as instructed by the Customer from time to time;
xi. ensure that access to the Personal Data is limited to those of its employees and contractors who need access to the Personal Data for the provision of the Services and, in the case of any access by any employee or contractor, such part or parts of the Personal Data as is strictly necessary for performance of their respective duties;
xii. ensure that all employees that may have access to the Personal Data are informed of the confidential nature of the Personal Data and have committed themselves to keeping it confidential by signing binding confidential undertakings in relation to the Personal Data, have undertaken training in the Data Protection Legislation, and are aware of Workvivo’s duties and their personal duties and obligations under the Data Protection Legislation and this Attachment 1;
xiii. take reasonable steps to ensure the reliability of any of Workvivo’s employees who have access to the Personal Data;
xiv. at least annually, conduct an independent third-party review of its security policies, standards, operations, and procedures related to the Workvivo Services and provide the applicable SOC 2 Type II report to Customer upon request, which Customer shall rely on for validation of proper information security practices and Customer shall not have the right to audit, unless such right is granted under applicable law, except in the case of a Security Breach resulting in a material business impact to Customer;
xv. promptly remedy, at its own cost, any non-compliance with this Attachment 1;
xvi. notify the Customer without undue delay, but in no event more than seventy-two (72) hours after becoming aware of a breach of Customer’s Personal Data, and provide all reasonably necessary cooperation and assistance to enable the Customer to investigate the personal data breach, comply with all Workvivo reporting and notification obligations, and take all reasonably necessary and appropriate corrective action to remedy the breach.
4. Customer Obligations
The Customer shall (i) ensure that it is entitled to transfer the Personal Data to Workvivo so that Workvivo may lawfully process the Personal Data in accordance with this Agreement on the Customer’s behalf; (ii) obtain all necessary consents to allow Workvivo to process the Personal Data; (iii) provide clear instructions for the processing of the Personal Data in accordance with Data Protection Legislation; and (iv) be responsible for the handling and administration related to any data subject requests in respect of the Personal Data.
5. Subprocessors
Customer grants Workvivo a general authorisation to use the subprocessors listed at https://www.workvivo.com/subprocessors/ (as that list is updated in accordance with this clause) (“Subprocessor List”) in the processing of Personal Data (included in Customer Data) in the provision of the Services (“Subprocessors”). Customer can subscribe for notice of updates to the Subprocessor List by emailing dpo@workvivo.com (“Subscribed Customers”). Workvivo will enter into a written agreement with Subprocessors and, to the extent that the subprocessor performs the same data processing services provided by Workvivo under this Agreement, Workvivo will impose on the Subprocessor the same data protection obligations in substance that Workvivo has under this Agreement. Workvivo remains responsible for its compliance with the obligations of this Agreement and for any acts or omissions of the Subprocessor that cause Workvivo to breach any of Workvivo’s obligations under this Agreement. At least fourteen days before Workvivo engages a new Subprocessor, Workvivo will notify Subscribed Customers of the update to the Subprocessor List. Customer may reasonably object to Workvivo’s use of a new Subprocessor by notifying Workvivo within 10 days of Workvivo issuing notice to Subscribed Customers of the change. If Customer reasonably objects, Workvivo may use commercially reasonable efforts to make available a change in the Services or recommend a commercially reasonable change to Customer’s configuration or use of the Services to avoid use of the relevant Subprocessor. If Workvivo does not make available such change within 60 days of the Customer’s objection, either party may, by written notice to the other, terminate with immediate effect the Agreement with respect only to those Services provided by Workvivo using the objected-to new Subprocessor. Workvivo will provide Customer a refund for any prepaid fees covering the remainder of the term for the terminated Services.
6. Transfers
Standard contractual clauses (processor to processor module) or other appropriate safeguards (such as binding corporate rules) recognised under Article 45 GDPR will apply for transfers of Personal Data (within Customer Data) to Subprocessors (appointed in accordance with Section 5 of this Attachment 1) located in countries or territories which are not recognised as adequate under Article 45 GDPR (e.g. where Customer chooses to host Personal Data outside the EEA).