Data Processing Agreement (as the processor)

THIS AGREEMENT is BETWEEN the company set out in the Pricing Agreement and Terms & Conditions (hereinafter referred to as the “Company“);

AND Speakserve Limited trading as babl, a company incorporated in England with registered number 07640707, whose registered office is at 85 Fleet Street, London, EC4Y 1AE (hereinafter referred to as “babl“),

the Company and babl jointly referred to as the “Parties”.

WHEREAS:

Now, therefore, the Parties agree as follows:

1. Definitions

1.1.   In this DPA, the following terms shall have the meanings set out below:

1.2    The terms, “Data Controller”, “Data Processor”, “Data Subject”, “Personal Data”, “Personal Data Breach”, “Supervisory Authority” and “processing” shall have the same meanings as in Data Protection Laws, and “process” shall be construed in accordance with the definition of processing.

2. Subject Matter

2.1. babl agrees to be appointed as a Data Processor, according to Section 28 of the GDPR and agrees to act on behalf of Company in the Processing of the Relevant Personal Data.

2.2. The following Relevant Personal Data may be processed under this DPA:

2.3. babl shall:

2.4. Company shall provide instructions in accordance with all applicable laws, duly informing babl about any relevant information or issue concerning the processing by babl under this DPA (e.g. data retention periods).

3. Security Measures

3.1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, babl shall, in relation to its obligation to process the Relevant Personal Data under the Principal Agreement, implement appropriate technical and organisational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Section 32(1) of the GDPR. The above obligations are without prejudice to Company’s overarching data security obligations pursuant to the GDPR.

4. Sub-processing

4.1. Company authorises babl to appoint (and permit each Sub-processor to appoint) Sub-processors in accordance with this Clause 4 and without prejudice to any restrictions in the Principal Agreement.

4.2. babl may continue to use those Sub-processors already engaged by babl as at the date of this DPA, provided that in each case babl, as soon as practicable, meets the obligations set out in Clause 4.3.

4.3 With respect to each Sub-processor, babl shall:

4.4 The Company acknowledges and agrees that the Sub-processor shall be directly responsible towards the Company for its breach of this DPA or of the Data Protection Laws.

4.5 In case a Sub-processor is established in a country outside EEA which has not received an adequacy decision in terms of data protection safeguards by the European Commission, Company expressly authorises babl, who accepts, to conclude a data transfer agreement with such Sub-processors containing Binding Corporate Rules or the Standard Contractual Clauses (as may be amended) adopted by the European Commission

5. Data Subject Rights

5.1. Taking into account the nature of the processing, babl shall assist Company by implementing appropriate technical and organisational measures for the fulfilment of Company’s obligations to respond to requests to exercise Data Subject rights under the Data Protection Laws.

6. Personal Data Breach

6.1  babl shall notify Company without undue delay upon becoming aware of a Personal Data Breach affecting Relevant Personal Data, in accordance with Section 33 of the GDPR.

6.2   babl shall cooperate with Company and take such reasonable commercial steps as are directed by Company to assist in the investigation, mitigation and remediation of any such Personal Data Breach. Such activities shall be carried out at Company’s cost, unless the Personal Data Breach is due to babl breach of this DPA.

7. Data Protection Impact Assessment and Prior Consultation

7.1 babl shall provide reasonable assistance to Company with the performance of data protection impact assessments, and prior consultations with Supervising Authorities or other competent data privacy authorities, that are necessary for Company to comply with Section 35 or 36 of the GDPR, in each case solely in relation to the processing of Relevant Personal Data by babl, and taking into account the nature of the Processing and information available to babl.

8. Duration and Deletion or Return of Relevant Personal Data

8.1 This DPA shall become effective upon execution of the Principal Agreement and shall apply as long as babl processes Relevant Personal Data on behalf of Company and the Principal Agreement has neither been terminated nor expired.

8.2  Except in case of different written instructions from Company, upon termination or expiration of the Principal Agreement (and consequently this DPA) babl shall stop processing Relevant Personal Data and shall destroy or return to Company, according to its instruction, the Relevant Personal Data. This provision shall not affect babl statutory duties to preserve records as may be required by applicable law or relevant authorities.

9. Audit Rights

9.1 babl shall make available to Company all information reasonably requested by Company which is necessary to demonstrate compliance with this DPA. babl shall allow for and contribute to audits, including inspections, by Company or an auditor mandated by Company (provided that such auditor does not provide services in direct competition with babl and/or a Sub-processor) in relation to the Processing of the Relevant Personal Data by babl, provided that (i) babl is given reasonable notice of any audit or inspection to be conducted under this Clause 9.1, identifying in writing its concerns, relevant requirements and legal basis; and (ii) Company shall (and shall ensure that each of its mandated auditors shall) avoid causing (or, if it cannot avoid, minimise) any damage, injury or disruption to babl activities, premises, equipment, personnel and business. babl needs not to give access to its premises for the purposes of such an audit or inspection:

10. Company’s Responsibilities

10.1 Company represents, undertakes and warrants that the Relevant Personal Data:

10.2  Company remains responsible for the data processing method implemented by means of applicative procedures developed according to its specifications and/or through its electronic instruments or telecommunications.

11. General Terms

11.1  The Parties hereby submit to the choice of jurisdiction stipulated in the Principal Agreement with respect to any disputes or claims howsoever arising under this DPA, including disputes regarding its existence, validity or termination or the consequences of its nullity.

11.2 In case of conflict between this DPA and the Principal Agreement, the former should prevail with regard to any issue relating to Personal Data Processing.

11.3  Should any provision of this DPA be invalid or unenforceable, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability while preserving the Parties’ intentions as closely as possible or, if this is not possible, or (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.

11.4  Unless otherwise established in the Principal Agreement, the transmission of any communication between Company should be performed by certified E-mail using the following addresses:

Company (Data Controller): As set out in the Principal Agreement

babl (Data Processor):

To the attention of Jonathan Grant, CEO and Data Protection Officer

Certified E-mail: jonathan.grant@bablglobal.com