ACURIS DATA PROCESSING AGREEMENT

Unless you have entered into a data processing agreement which expressly excludes and replaces these terms and conditions, these terms (Terms) apply to and are incorporated into each contract between you and any member of the Acuris Group (such member, Acuris) under the terms of which Acuris provides you with services (including without limitation subscription access to information products and databases) (each such contract an Original Agreement).
  1. BACKGROUND
    1. The General Data Protection Regulation (EU 2016/679) came into force on 25 May 2018. These Terms explain how Acuris deals with personal data provided to it by Customer under the Original Agreement, and bring the Original Agreement into line with the requirements of the GDPR.
    2. The personal data provided by Customer usually relates to the individual user who Customer wishes to use the Acuris database to which Customer subscribes under the terms of the Original Agreement. Acuris uses the personal data as a processor on Customer’s behalf to provide each user with access to the relevant database, and to send the user updates and alerts.
    3. Acuris also uses the personal data as a controller. It does so to ensure that each subscriber’s use of the Acuris database is protected, and to check that the password provided to the user is not used by any unauthorised party.
  2. DEFINITIONS AND INTERPRETATIONS
    1. In these Terms the following definitions shall apply:
      controller shall have the meaning given in Article 4 of the GDPR.
      Data Subject means an identified or identifiable natural person who is the subject of any Personal Data.
      Data Protection Laws means the General Data Protection Regulation (EU) 2016/679 (GDPR), and the Privacy and Electronic Communications Directive 2002/58/EC (and respective local implementing laws) as amended, replaced or superseded from time to time.
      Personal Data shall have the meaning given in Article 4 of the GDPR.
      processor shall have the meaning given in Article 4 of the GDPR.
      Service means the services provided by Acuris in accordance with the terms of the Original Agreement.
      Sub-processor means a natural or legal person, public authority, agency or any other body contracted by Acuris to process Personal Data.
      Supervisory Authority shall have the meaning given in Article 4 of the GDPR.
    2. In these Terms, reference to a paragraph is to a paragraph of these Terms (save to the extent expressly stated otherwise); the paragraph headings do not affect the interpretation of these Terms; words in the singular include the plural and in the plural include the singular; a reference to a particular law is a reference to it as it is in force for the time being taking account of any amendment, extension, application or re-enactment and includes any subordinate legislation for the time being in force made under it; references to including and include(s) shall be deemed to mean respectively including without limitation and include(s) without limitation.
  3. WHERE A PARTY IS A CONTROLLER
    1. Where either Acuris or Customer acts as controller in relation to any Personal Data in the course of the operation of the Original Agreement, the provisions of this paragraph 3 apply.
    2. Each party undertakes that it will:
      1. comply with Data Protection Laws when processing Personal Data;
      2. rely on a valid legal ground under Data Protection Laws for its processing, including obtaining Data Subjects’ appropriate consent if required or appropriate under Data Protection Laws;
      3. take reasonable steps to ensure that Personal Data is (a) accurate, complete and current and limited to what is necessary in relation to the processing; and (b) kept in a form which permits identification of Data Subjects for no longer than is necessary for the processing (unless a longer retention is required or allowed under applicable law);
      4. implement appropriate technical and organizational measures to ensure, and to be able to demonstrate, that the processing of Personal Data is performed in accordance with Data Protection Laws;
      5. not transfer any Personal Data to any Inadequate Country, unless such party ensures (a) that the transfer is at all times subject to one of the appropriate safeguards permitted by Article 46 of GDPR and (b) that in all other respects the transfer complies with GDPR. Inadequate Country means a country which is (a) outside of the European Economic Area and (b) not a country which has been determined by the European Commission as ensuring an appropriate level of protection for the purposes of Article 45 of GDPR;
      6. respond to Data Subject requests to exercise their rights of (a) access, (b) rectification, (c) erasure, (d) data portability, (e) restriction of Processing, (f) objection to the Processing, and (g) the rights related to automated decision-making and profiling, if and as required under Data Protection Laws; and
      7. cooperate with the other party to fulfil their respective data protection compliance obligations under Data Protection Laws.
  4. WHERE CUSTOMER IS CONTROLLER, AND ACURIS IS PROCESSOR
    1. Where, in relation to any Personal Data, Customer is controller and Acuris is processor under the terms of the Original Agreement, the provisions of paragraphs 4 to 8 apply.
    2. For the purposes of Article 28.3 of GDPR the subject matter of the processing is as follows:
      1. the personal data used in the processing will be the following personal data in relation to each user of Acuris’ database service properly appointed by Customer under the Original Agreement (User): forename(s), surname, email address, password, IP address, database use activity history;
      2. the duration of the processing will be the duration of the Original Agreement (as may be extended from time to time);
      3. the nature and purpose of the processing will be limited to the storing and use of the personal data to allow each User access to the relevant database, to provide a password and password recognition services to the User, and to send User updates, notificatory emails and alerts as part of the provision of access and use of the relevant database.
    3. Acuris shall:
      1. process the Personal Data only in accordance with Customer’s documented instructions, including where relevant for transfers of Personal Data outside the European Economic Area (EEA) (unless required to do so by European Union, Member State and/or UK law to which Acuris is subject, in which case Acuris shall inform Customer of that legal requirement before processing unless prohibited by that law);
      2. ensure that persons authorised to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
      3. take all measures required pursuant to Article 32 of the GDPR;
      4. appoint Sub-processors only in accordance with paragraph 6 below;
      5. taking into account the nature of the processing, assist Customer by taking appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of Customer’s obligation to respond to requests for exercising a Data Subject’s rights laid down in Chapter III of the GDPR;
      6. taking into account the nature of the processing and the information available to Acuris, assist Customer in ensuring compliance with Customer’s obligations to:
        1. keep Personal Data secure (Article 32 GDPR);
        2. notify Personal Data breaches to the Supervisory Authority (Article 33 GDPR);
        3. advise Data Subjects when there has been a Personal Data breach (Article 34 GDPR);
        4. carry out data protection impact assessments (Article 35 GDPR); and
        5. consult with the Supervisory Authority where a data protection impact assessment indicates that there is an unmitigated high risk to the processing (Article 36 GDPR);
      7. at the choice of Customer, delete or return all Personal Data to Customer upon termination of the Original Agreement, save to the extent that European Union or EU member state law requires retention of the Personal Data;
      8. make available to Customer all information necessary to demonstrate compliance with the obligations laid down in these Terms and allow for and contribute to audits, including inspections, conducted by Customer or another auditor mandated by Customer as set out in paragraph 5 below;
      9. comply with Article 30 of the GDPR;
      10. co-operate, on request, with the Information Commissioner’s Office (or any successor body thereto) in the performance of its tasks; and
      11. notify the Customer without undue delay after becoming aware of a personal data breach.
  5. AUDIT RIGHTS
    1. Upon Customer’s reasonable request, Acuris agrees to provide Customer with any documentation or records (which may be redacted to remove confidential commercial information not relevant to the requirements of these Terms) which will enable it to verify and monitor Acuris’ compliance with these Terms, within 14 days of receipt of such request.
    2. Where, in the reasonable opinion of Customer, such documentation is not sufficient in order to meet the obligations of Article 28 of the GDPR, Customer will be entitled, upon reasonable prior written notice to Acuris and upon reasonable grounds, to conduct an on-site audit of Acuris’ premises used in connection with the Service, solely to confirm compliance with its data protection and security obligations under these Terms. Any audit carried out by Customer will be conducted in a manner that does not disrupt, delay or interfere with Acuris’ performance of its business. Customer shall ensure that the individuals carrying out the audit are under the same confidentiality obligations as set out in the Original Agreement.
  6. USE OF SUB-PROCESSORS
    1. Customer provides its consent for Acuris to use Sub-processors in the delivery of the Services. Where Acuris uses any other third party Acuris shall:
      1. enter into a legally binding written agreement that places the equivalent data protection obligations as those set out in these Terms to the extent applicable to the nature of the services provided by such Sub-processor, in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of the GDPR;
      2. remain liable for the performance of the Sub-processor; and
      3. inform Customer of any intended changes concerning the addition or replacement of a Sub-processor and give Customer the opportunity to object to such changes.
  7. TRANSFERS OF PERSONAL DATA TO NON-EEA COUNTRIES
    1. Where a transfer to an end user whose organisation is established outside of the EEA is necessary for the purposes of the Original Agreement, the Parties acknowledge and accept that the end user shall either provide adequate safeguards as set out in Article 46 GDPR or rely on one of the derogations for specific situations set out in Article 49 GDPR to transfer Personal Data to a third country or an international organisation.
  8. CUSTOMER OBLIGATIONS
    1. Customer warrants and represents to Acuris that:
      1. all instructions provided to Acuris in relation to the processing of Personal Data are lawful and are provided in accordance with the Data Protection Laws;
      2. it shall only provide instructions to Acuris that are in accordance with the terms of the Original Agreement and these Terms; and
      3. all Personal Data is sourced lawfully and that it is solely responsible for determining the purpose for which Personal Data may be processed by Acuris.
    2. Customer acknowledges and agrees that Acuris is reliant on Customer for direction as to the extent to which Acuris is entitled to use and process Personal Data. Consequently, Acuris shall not be liable for any claim brought by a subject of Personal Data and arising from any breach by Acuris of the Data Protection Laws to the extent that such action or omission resulted from Customer’s instructions.
  9. MISCELLANEOUS
    1. Where applicable, the Parties agree that if, upon review following GDPR coming into force, the provisions of these Terms do not comply with GDPR then both Parties agree to cooperate in good faith to re-negotiate the terms of these Terms to ensure compliance with GDPR.