1.2 The Annexes form part of this Data Protection Addendum and will have effect as if set out in full in the body of this Data Protection Addendum. Any reference to this Data Protection Addendum includes the Annexes.
1.3 In the case of conflict or ambiguity between:
1.3.1 any provision contained in the body of this Data Protection Addendum and any provision contained in the Annexes, the provision in the body of this Data Protection Addendum will prevail;
1.3.2 the terms of any accompanying documents annexed to this Data Protection Addendum and any provision contained in the Annexes, the provision contained in the Annexes will prevail; and
1.3.3 any of the provisions of this Data Protection Addendum and the provisions of the Contract, the provisions of this Data Protection Addendum will prevail.
2. Processor and Controller
2.1 The parties agree that, for the Protected Data, you shall be the Controller and Orlo shall be the Processor. Nothing in our Contract relieves you of any responsibilities or liabilities under any Data Protection Legislation.
2.2 To the extent that you are not sole Controller of any Protected Data you warrant that you have full authority and authorisation of all relevant Controllers to instruct Orlo to process the Protected Data in accordance with our Contract.
2.3 You shall ensure (and are exclusively responsible for) the accuracy, quality, integrity and legality of Your Data and that its use (including use in connection with the Services) complies with all Data Protection Legislation and intellectual property rights.
2.4 Orlo shall process the Protected Data in compliance with:
2.4.1 the obligations of Processors under Data Protection Legislation in respect of the performance of its and their obligations under our Contract; and
2.4.2 the terms of our Contract.
2.5 You shall ensure that your employees and other permitted third parties (as applicable), shall at all times comply with:
2.5.1 all Data Protection Legislation in connection with the processing of Protected Data, the use of the Services (and each part) and the exercise and performance of your respective rights and obligations under our Contract, including maintaining all relevant regulatory registrations and notifications as required under Data Protection Legislation; and
2.5.2 the terms of our Contract.
2.6 You warrant, represent and undertake, that at all times:
2.6.1 all Protected Data (if processed in accordance with our Contract) shall comply in all respects, including in terms of its collection, storage and processing, with Data Protection Legislation;
2.6.2 fair processing and all other appropriate notices have been provided to the Data Subjects of the Protected Data (and all necessary consents from such Data Subjects obtained and at all times maintained) to the extent required by Data Protection Legislation in connection with all processing activities in respect of the Protected Data which may be undertaken by Orlo and our Sub-Processors in accordance with our Contract;
2.6.3 the Protected Data is accurate and up to date;
2.6.4 you shall establish and maintain adequate security measures to safeguard the Protected Data in your possession or control (including from unauthorised or unlawful destruction, corruption, processing or disclosure); and
2.6.5 all instructions given by you to Orlo in respect of Personal Data shall at all times be in accordance with Data Protection Legislation.
3. Instructions and details of processing
3.1 Insofar as Orlo processes Protected Data on your behalf, Orlo:
3.1.1 unless required to do otherwise by Data Protection Legislation, shall (and shall take steps to ensure each person acting under our authority shall) process the Protected Data only on and in accordance with your documented instructions as set out in this paragraph 3.1 and paragraph 3.3 (including when making a Transfer of Protected Data to any International Recipient), as updated from time to time (Processing Instructions); and
3.1.2 if Data Protection Legislation requires us to process Protected Data other than in accordance with the Processing Instructions, we shall notify you of any such requirement before processing the Protected Data (unless Data Protection Legislation prohibits such information on important grounds of public interest).
3.3 Subject to the order form, the processing of the Protected Data by Orlo under our Contract shall be for the subject-matter, duration, nature and purposes and involve the types of Personal Data and categories of Data Subjects set out in Annex 1.
4. Technical and organisational measures
4.1 Taking into account the nature of the processing, Orlo shall implement and maintain technical and organisational measures:
4.1.1 in relation to the processing of Protected Data by Orlo, as set out in Annex 2 (Data Security Measures); and
4.1.2 subject to paragraph 6.1, to assist you insofar as is possible (taking into account the nature of the processing) in the fulfilment of your obligations to respond to Data Subject Requests relating to Protected Data. We reserve the right to charge you for reasonable costs incurred by us in the event the request for assistance will involve disproportionate effort by us.
5. Using staff and other Processors
5.1 Orlo shall not engage any Sub-Processor for carrying out any processing activities in respect of the Protected Data (except in accordance with our Contract) without notifying you prior to the Sub-Processor's appointment.
5.2 You authorise the appointment of each of the Sub-Processors identified on the List of Sub-Processors as updated from time to time.
5.3 Orlo shall:
5.3.1 prior to the relevant Sub-Processor carrying out any processing activities in respect of the Protected Data, appoint each Sub-Processor under a written contract that complies with Data Protection Legislation; and
5.3.1 remain fully liable for all the acts and omissions of each Sub-Processor as if they were Orlo’s own.
6 Assistance with compliance and Data Subject rights
6.1 Orlo shall refer all Data Subject Requests we receive to you without undue delay.
6.2 Orlo shall provide such assistance as you reasonably require (taking into account the nature of processing and the information available to us) to you in ensuring compliance with your obligations under Data Protection Laws with respect to:
6.2.1 security of processing;
6.2.2 data protection impact assessments (as such term is defined in Data Protection Legislation);
6.2.3 prior consultation with a Supervisory Authority regarding high risk processing; and
6.2.4 notifications to the Supervisory Authority and/or communications to Data Subjects by the Customer in response to any Personal Data Breach.
6.3 We reserve the right to charge you for reasonable costs incurred by us in the event the request for assistance will involve disproportionate effort by us.
7 International data Transfers
7.1 Subject to paragraphs 7.2 and 7.4, Orlo shall not Transfer any Protected Data:
7.1.1 from any country to any other country; and/or
7.1.2 to an organisation and/or its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries,
without your prior written authorisation except where we are required to Transfer the Protected Data by the Data Protection Legislation (and shall inform you of that legal requirement before the Transfer, unless those laws prevent it doing so).
7.2 You hereby authorise us to Transfer any Protected Data to any International Recipient(s), provided all Transfers by us of Protected Data to an International Recipient (and any Onward Transfer) shall be (to the extent required under Data Protection Laws) effected by way of Appropriate Safeguards and in accordance with Data Protection Laws. The provisions of this Data Protection Addendum shall constitute your instructions with respect to Transfers in accordance with paragraph 3.1.1.
7.3 You acknowledge and accept that access and use of the Services by your authorised users may occur outside the EEA and, in such circumstances, the Protected Data may be viewed outside the EEA by the relevant user. Orlo will not be in breach of paragraph 7.1 and paragraph 7.2 in such circumstances.
8 Information and audit
8.1 Orlo shall maintain, in accordance with Data Protection Legislation, written records of all categories of processing activities carried out on your behalf.
8.2 On request, Orlo shall provide you (or auditors mandated by you) with a copy of the third party certifications and audits to the extent made generally available to our customers. Such information shall be confidential to us and you shall maintain the confidentiality of such information and shall not, without our prior written consent, disclose, copy or modify the information (or permit others to do so) other than as necessary for the performance of your express rights and obligations under our Contract.
9 Breach notification
9.1 In respect of any Personal Data Breach involving Protected Data, Orlo shall, without undue delay (and in any event within 72 hours):
9.1.1 notify you of the Personal Data Breach; and
9.1.2 provide you with details of the Personal Data Breach.
10 Deletion of Protected Data and copies
10.1 Following the end of the provision of the Services (or any part) relating to the processing of Protected Data, Orlo will delete Your Data (normally within one month) but will retain the shortened links you have created using our code so that your users are redirected to the correct location.
11 Compensation and claims
11.1 Orlo shall be liable for Data Protection Losses (howsoever arising, whether in contract, tort (including negligence) or otherwise) under or in connection with our Contract:
11.1.1 only to the extent caused by the processing of Protected Data under our Contract and directly resulting from our breach of our Contract;
11.1.2 in no circumstances to the extent that any Data Protection Losses (or the circumstances giving rise to them) are contributed to or caused by any breach of our Contract by you (including in accordance with paragraph 3.1.3 (b)); and
11.1.3 any liability under this paragraph 11 (Compensation and claims) shall be subject to the limits of liability set out in the Contract (Clause I Disclaimer and Limitation of Liability).
11.2 If a party receives a compensation claim from a person relating to processing of Protected Data in connection with our Contract or the Services, it shall promptly provide the other party with notice and full details of such claim. The party with conduct of the action shall:
11.2.1 make no admission of liability nor agree to any settlement or compromise of the relevant claim without the prior written consent of the other party (which shall not be unreasonably withheld or delayed); and
11.2.2 consult fully with the other party in relation to any such action but the terms of any settlement or compromise of the claim will be exclusively the decision of the party that is responsible under our Contract for paying the compensation.
11.3 The parties agree that you shall not be entitled to claim back from us any part of any compensation paid by you in respect of such damage to the extent that you are liable to indemnify or otherwise compensate us in accordance with our Contract.
11.4 This paragraph 11 is intended to apply to the allocation of liability for Data Protection Losses as between the parties, including with respect to compensation to Data Subjects, notwithstanding any provisions under Data Protection Legislation to the contrary, except:
11.4.1 to the extent not permitted by Data Protection Legislation; and
11.4.2 that it does not affect the liability of either party to any Data Subject.