Drax Technology

Data Protection

Last updated: June 21st, 2024

1 Definitions

  • 1.1 In this Schedule 2 the following terms have the following meanings.

“Data Controller” has the meaning given to ‘controller’ as appropriate, in the Data Protection Laws.

“Data Processor” has the meaning given to ‘processor’ as appropriate, in the Data Protection Laws.

“Data Protection Laws” means all applicable privacy and data protection laws relating to the processing of Personal Data and the privacy of electronic communications including the EU GDPR, the UK GDPR, the Data Protection Act 2018, the Privacy and Electronic Communications Directive (2002/58/EC) and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2003/2426) and any laws that replace, extend, re-enact, consolidate or amend any of the foregoing.

“EU” means the European Union.

“EU GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing directive 95/46/EC as updated, superseded or repealed from time to time.

“Member State” means a country which is a member state of the EU.

“Personal Data” has the meaning given in the Data Protection Laws.

“Personal Data Breach” has the meaning given in the Data Protection Laws.

“Processing” has the meaning given in the Data Protection Laws and “Process”, “Processes” and “Processed” shall be construed accordingly.

“UK GDPR” has the meaning given to it in section 3(10) (as supplemented by section 205(4)) of the Data Protection Act 2018.

2 General

  • 2.1 The Supplier (“Processor”) shall carry out Processing activities as Data Processor on behalf of the Customer (“Controller”) who shall be the Data Controller.

  • 2.2 The Parties shall each comply with their respective obligations under the Data Protection Laws.

3 Data Processing Obligations

  • 3.1 In respect of any Personal Data to be Processed by the Processor pursuant to this Agreement or a Contract for which the Controller is Data Controller (“Controller Personal Data”), the Processor shall:

    • 3.1.1 taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, implement appropriate technical and organisational measures in such a manner as is designed to ensure a level of security appropriate to the risk, the determination of such appropriate measures to be made solely by the Processor;

    • 3.1.2 ensure that any sub-processor that is engaged to process such Controller Personal Data by the Processor is subject to data protection obligations that are similar to those applicable to the Processor under this Schedule;

    • 3.1.3 process that Controller Personal Data only to perform its obligations under this Schedule and on the documented instructions of the Controller, and for no other purpose, unless required to do so by EU or Member State law and/or UK law, as applicable, to which Processor is subject, in which case, the Processor shall inform the Controller of that legal requirement before processing, unless prohibited from doing so by law;

    • 3.1.4 on termination of this Schedule, at the Controller’s option either return or destroy the Controller Personal Data (including all copies of it) immediately, unless required to continue to store that Controller Personal Data under EU or Member State law and/or UK law, as applicable;

    • 3.1.5 ensure that all persons authorised to access the Controller Personal Data are subject to obligations of confidentiality;

    • 3.1.6 make available to the Controller a statement of all information necessary to demonstrate compliance with the obligations laid out in this Schedule and, subject to paragraph 4.1, allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller; provided that, in respect of this provision the Processor shall immediately inform the Controller if, in its opinion, an instruction infringes Data Protection Laws;

    • 3.1.7 taking into account the nature of the processing, provide assistance to the Controller, insofar as possible, in connection with the fulfilment of the Controller’s obligation to respond to requests for the exercise of data subjects’ rights pursuant to the Data Protection Laws to the extent applicable;

    • 3.1.8 provide the Controller with assistance in ensuring compliance with its obligations concerning security of processing, data breach notification, communication of a Personal Data Breach to the data subject, data protection impact assessments, and prior consultation with supervisory authorities, to the extent applicable to the Controller, taking into account the nature of the processing and the information available to the Processor; and

    • 3.1.9 notify the Controller without undue delay on becoming aware of a Personal Data Breach in respect of Controller Personal Data that it processes on behalf of the Controller.

4 Data Controller Obligations

  • 4.1 In relation to exercising its right of audit, including inspections, set out in paragraph 3.1.6 above, the Controller shall:

    • 4.1.1 only be entitled to carry out such an audit once every year;

    • 4.1.2 provide at least 14 days’ notice of any intended audit;

    • 4.1.3 carry out such an audit only during business hours as set by the Processor;

    • 4.1.4 only carry out such an audit to evaluate a specific suspected deficiency after exhausting all other reasonable means as determined by the Processor;

    • 4.1.5 only audit the business areas and activities of the Processor which relate directly to the processing of Controller Personal Data under this Schedule; and

    • 4.1.6 at the Processor’s request, require that any auditor enters into a confidentiality agreement with the Processor.

  • 4.2 In relation to the exercise of the Processor’s obligations under paragraphs 3.1.6, 3.1.7 and 3.1.8 of this Schedule 2, the Processor shall be entitled to charge, and the Controller shall be bound to pay, a fee to cover the administrative costs incurred by the Processor in carrying out those obligations. Such fee is to be determined by the Processor and payment by the Controller is not to be unreasonably withheld.

  • 4.3 The Controller shall indemnify the Processor in full and on demand against all claims, losses, damages or fines received by or paid by the Processor in respect of any use of the Controller Personal Data by the Processor in accordance with the Controller’s instructions howsoever arising, and the Controller shall ensure that it has and shall maintain at all times appropriate insurance in respect of this obligation.

5 International Data Transfers

  • 5.1 The Processor shall not transfer any Controller Personal Data outside of the area consisting of both the UK and the European Economic Area unless it has in place appropriate safeguards in respect of such transfer, as set out in the Data Protection Laws.

6 Sub-processors

  • 6.1 The Controller agrees that the Processor has general authorisation to appoint sub-processors under this Schedule 2.

  • 6.2 The Processor shall notify the Controller of any intended changes concerning the addition or replacement of other processors, thereby giving the Controller the opportunity to object to such changes.