Last updated: January 9, 2024

Data protection addendum

1. Interpretation

1.1 Unless the context otherwise requires, definitions used in the Terms and Conditions have the same meaning in this Data Protection Addendum.

1.2 In this Data Protection Addendum,

(a) unless the context requires otherwise, the following terms shall have the following meanings:

"Approved Processor": has the meaning given to it in Paragraph 2.7;

"Controller": has the meaning set out in GDPR;

"Data Subject": has the meaning set out in GDPR;

"Data Protection Laws": in relation to any personal data which is processed in the performance of this Agreement, the Data Protection Act 2018 and GDPR, in each case together with any national implementing laws, regulations, secondary legislation and any other applicable or equivalent data protection or privacy laws, as amended or updated from time to time, in the UK, and any successor legislation to such laws;

"GDPR": the General Data Protection Regulation (EU) 2016/679;

"Personal Data": has the meaning set out in GDPR, and relates only to personal data, or any part of such personal data, of which BLINK is the Controller and in relation to which the Referrer is the Processor;

"Personal Breach": has the meaning set out in GDPR;

"Process/Processing": has the meaning set out in GDPR;

"Processor": has the meaning set out in GDPR; and

"Supervisory Authority": (a) an independent public authority which is established by a Member State pursuant to Article 51 GDPR; and (b) any similar regulatory authority responsible for the enforcement of Data Protection Laws;

and (b) references to "Paragraphs" are to the paragraphs of this Data Protection Addendum.

2. Obligations of the Processor

2.1 The parties acknowledge that, for the purposes of Data Protection Laws, BLINK is the Controller and the Referrer is the Processor of any Personal Data.

2.2 The Referrer must only process Personal Data on BLINK's behalf as is described in, and for the purposes set out in, this Agreement and in any other express written instructions that BLINK provides to the Referrer. The Referrer must not Process any Personal Data for any other purpose without BLINK's prior written consent. If the Referrer needs to access, or identifies that the Referrer needs to Process, any other personal data to provide services to BLINK, the Referrer must notify BLINK and obtain BLINK's prior written consent (which may be withheld or conditional, at BLINK's absolute discretion).

2.3 The Referrer warrants that it will:
(a) in connection with the Processing of Personal Data, comply with Data Protection Laws and not do (or omit to do) anything which causes (or might reasonably be expected to cause) BLINK to breach any of BLINK's obligations under Data Protection Laws;
(b) notify BLINK immediately in writing if there are any changes to the types of Personal Data that the Referrer will Process or the Referrer's methods of Processing;
(c) Process Personal Data only to the extent, and in such a manner, as is necessary for the Referrer's performance of the Agreement, and not Process the Personal Data for any other purpose;
(d) if the Referrer collects Personal Data for BLINK, only do so with BLINK's prior written consent, and so as to ensure that all necessary fair processing information is provided to Data Subjects in accordance with Data Protection Laws;
(e) if the Referrer collects Personal Data for BLINK, ensure that any and all consents as are required under Data Protection Laws are obtained from Data Subjects, in such a manner as BLINK approves in writing;
(f) Process the Personal Data strictly in accordance with this Agreement, and BLINK's written instructions from time to time, unless otherwise required by Data Protection Laws or any Supervisory Authority (in which case the Referrer must inform BLINK of that legal requirement before Processing, unless prohibited under any applicable law);
(g) ensure that Personal Data is kept separate from the personal data of the Referrer's own business, and from personal data belonging to the Referrer's other customers or clients;
(h) immediately notify BLINK in writing if the Referrer believes, acting reasonably, the Referrer has been provided with any instruction to Process Personal Data in breach of Data Protection Laws;
(i) promptly comply with any request from BLINK requiring the Referrer to amend, transfer or delete Personal Data;
(j) maintain, and on BLINK's request provide to BLINK, full details in writing of the Referrer's Processing activities in respect of Personal Data as BLINK requires to evidence the Referrer's compliance with Data Protection Laws and this Data Protection Addendum, and allow the Referrer's Processing facilities, procedures and documentation which relate to Personal Data to be inspected or audited by BLINK, BLINK's representatives or any Supervisory Authority, and cooperate and assist with such audit or inspection;
(k) if the Referrer becomes aware of any breach or potential breach of this Data Protection Addendum or if the Referrer otherwise has reason to consider that there has been a Personal Data Breach, notify BLINK within twelve hours of becoming so aware, and the Referrer must:
(i) provide BLINK with all details of the breach as BLINK may require;
(ii) fully cooperate with BLINK and take all action as BLINK may deem necessary in respect of any breach or potential breach and all measures to be taken in response to it, including providing such assistance as BLINK may require to allow BLINK to inform a Supervisory Authority or Data Subject of a Personal Data Breach, to conduct any data protection impact assessment (as defined in GDPR), or to consult with any such Supervisory Authority regarding the Processing of Personal Data; and
(iii) not make any announcement or publish or broadcast any notice or information about the breach or potential breach, or authorise or permit the same;
(l) notify BLINK immediately if the Referrer receives:
(i) any request or objection from a Data Subject relating to any Personal Data pursuant to the Data Protection Laws (including requests for access to Personal Data; rectification or erasure of Personal Data; restrictions of Processing Personal Data; and portability of Personal Data); the Referrer must not respond directly to a Data Subject in respect of any such request or objection without BLINK's prior written consent, and must provide such assistance as BLINK may require, and have appropriate technical and organisational measures in place, to allow BLINK to respond to and facilitate any such request or objection; and
(ii) any complaint, notice or communication which relates directly or indirectly to the Processing of any Personal Data or to either party's compliance with Data Protection Laws, including from any Supervisory Authority, and provide full cooperation to BLINK in connection with any such complaint, notice or communication;
(m) not transfer or allow the transfer of Personal Data outside the United Kingdom;
(n) not disclose the Personal Data to any Data Subject or to any other person other than at BLINK's request or as provided for within this Data Protection Addendum;
(o) implement appropriate technical and organisational measures to ensure the security of Personal Data against unauthorised or unlawful processing and accidental loss, destruction, or damage, and a level of security appropriate to the data security risks presented by processing such Personal Data;
(p) taking into account the data protection by design and data protection by default principles under the GDPR, ensure that the Processing of such Personal Data will meet the requirements of Data Protection Laws and protect the rights of Data Subjects; and
(q) regularly review, test, assess, analyse and update the technical and organisational measures implemented pursuant to Paragraph 2.3(o) in order to demonstrate that Processing of Personal Data is performed in accordance with the Data Protection Laws.

2.4 If BLINK authorises the Referrer to transfer any Personal Data outside the United Kingdom, before such transfer the Referrer must put in place:

(a) appropriate safeguards to protect such Personal Data to BLINK's satisfaction, which may include executing with BLINK the European Union's model contract for exporting Personal Data to a Processor or Controller located outside the United Kingdom in the form BLINK require, as such model contract may be amended from time to time; and

(b) enforceable Data Subject rights and effective legal remedies for Data Subjects as required by Data Protection

2.5 The Referrer must ensure that:

(a) access to Personal Data by the Referrer's employees is limited to those employees who need access to the Personal Data to meet the Referrer's obligations under this Agreement, and in the case of any access by any employee, to such parts of the Personal Data as is strictly necessary for performance of that employee's duties;

(b) each such employee has entered into a written confidentiality undertaking covering the Personal Data and has received appropriate and recent training in data protection and security; and

(c) any such access is revoked once no longer required.

2.6 The Referrer must take reasonable steps to ensure the reliability of employees who have access to Personal Data, and ensure such employees comply with the Referrer's obligations under this Data Protection Addendum, and the Referrer shall be liable for any breach of this Data Protection Addendum by any such employee.

2.7 The Referrer must not sub-contract any Processing of Personal Data or appoint any Processors in respect of the Personal Data save where and strictly to the extent that the Referrer has provided BLINK with full details of such Processor and BLINK has expressly consented to such Processor in writing (an "Approved Processor"), and then only for such purposes as BLINK has expressly authorised. Any authorisation shall be subject to:

(a) the Referrer entering a written agreement with each Approved Processor which imposes upon the Approved Processor terms equivalent to those imposed on the Referrer in this Data Protection Addendum;

(b) the Referrer notifying BLINK of any proposed changes to or replacements of such Approved Processors, to which BLINK shall have the opportunity to object; and

(c) the Approved Processor's Processing of Personal Data terminating automatically on termination or expiry of the Referrer's right to Process such Personal Data for any reason.

2.8 The Referrer must procure the Approved Processor's compliance with such agreement, shall enforce the terms of such agreement against the Approved Processor, and shall be liable for the acts and omissions of such Approved Processors (including any breach of this Data Protection Addendum) as if they were the Referrer's acts and omissions.

2.9 The Personal Data and all rights subsisting therein shall be owned by BLINK or BLINK's licensors. The Referrer must, on termination or expiry of the Agreement, and at any time upon BLINK's request and within 12 hours of such request, provide to BLINK (or any third party notified to the Referrer by BLINK in writing) a copy of any or all Personal Data held by the Referrer in the format and media BLINK request.

2.10 The Referrer must only Process the Personal Data for so long as such Processing is required under the Agreement. Upon termination of the Agreement, the Referrer warrants that the Referrer shall return all Personal Data Processed under the Agreement to BLINK (or, at BLINK's discretion, delete such Personal Data, after having provided a copy of the Personal Data to BLINK to BLINK's satisfaction), and save to the extent retention is required by applicable law or is required in order for the Referrer to comply with the Referrer's continuing obligations under the Agreement.

2.11 The Referrer must comply with the Referrer's obligations under this Data Protection Addendum and under Data Protection Laws at no additional charge or cost to BLINK.

3. Indemnity

3.1 The Referrer agrees to indemnify and keep indemnified, and defend at the Referrer's own expense, BLINK, against all costs, claims, damages, losses, liabilities, fines, penalties, or expenses (including legal fees and expenses) howsoever arising that BLINK incur, or for which BLINK may become liable, arising from:

(a) the loss, destruction or unauthorised disclosure of, or unauthorised access to, or Processing of, Personal Data Processed by the Referrer or any of the Referrer's employees or Processors; and/or

(b) as a result of any failure by the Referrer or the Referrer's employees or Approved Processors to comply with any of the Referrer's obligations under this Data Protection Addendum or Data Protection Laws;

including any claim made or brought by a third party in respect of the same, and any loss, damage or distress caused to a third party as a result of the same. This indemnity shall survive termination of the Agreement.

3.2 Notwithstanding anything contained in the Agreement or any amendment to it, the parties agree that no limitations or exclusions of liability set out in the Agreement shall apply to the Referrer's liability under this Data Protection Addendum.

4. Change of law

4.1 If there are any changes to any applicable law (including Data Protection Laws) or updates in applicable guidance or codes of practice, after the date of this Agreement which require:

(a) any additional or alternative documentation or safeguards to be put in place regarding the transfer of Personal Data outside the United Kingdom, then the parties shall promptly put such documentation or safeguards in place; or

(b) make it desirable for any other changes to be made to this Data Protection Addendum, then the parties shall discuss such changes in good faith and document any agreed changes in writing.

4.2 Each party shall bear its own costs in respect of any changes made in accordance with this Clause 4, including the costs of complying with any additional or alternative obligations.

5. General

5.1 In the event of any conflict between a provision of this Data Protection Addendum and a provision of the rest of this Agreement, the provision of this Data Protection Addendum shall prevail.

6. Scope of Processing

6.1 For the purposes of Article 28(3) of the GDPR, the subject-matter and duration of the Processing, the nature and purpose of the Processing, the type of Personal Data and categories of Data Subjects are as follows:

Scope of Processing of Personal Data by the Referrer:
The referral of potential clients by the Referrer to BLINK and the management of those clients by the Referrer once the clients are contracted to BLINK.

Nature of Processing of Personal Data by the Referrer:
Communicating with potential and existing clients, and managing appropriate databases.

Purpose of Processing of Personal Data by the Referrer:
The provision of the services by the Referrer to BLINK under this Agreement.

Duration of Processing of Personal Data by the Referrer:
The duration of this Agreement.

Types of Personal Data being Processed by the Referrer:
Name, Email Address, Phone Number and Other contact information

Categories of Data Subject in respect of whom Personal Data is being Processed by the Referrer:
Clients and their employees