Terms and Conditions

Ipsos Retail Performance Limited Terms and Conditions

1. Definitions

a. Customer – means [INSERT CUSTOMER].

b. Customer Data – means the data inputted by the Customer or generated via the Equipment or Software through use of the Services.

c. Data Protection Legislation – means as per the definition in Schedule 1.

d. Documentation – means the documentation, advice, information or outputs provided to the Customer to support the usage of the Software or the Services.

e. Equipment – means the equipment to be installed at a Customer location defined in a quotation prepared by the Ipsos Service Provider.

f. Fees – means the fee scale defined in an order acknowledgment / quotation prepared by the Ipsos Service Provider. Fees quoted are exclusive of expenses and prevailing government taxes (such as Value Added Tax).

g. Initial Term – means the term defined in the quotation.

h. Ipsos Service Provider/ Service Provider – means Ipsos Retail Performance Limited.

i. Mandatory Policies – means the Ipsos Policies on Public Releases, Privacy and Data Security and such other policies applicable to users of its Channel Performance (a subsidiary within the group of companies which the Ipsos Service Provider is a part of) services from time to time.

j. Services – means the services defined in a quotation prepared by the Ipsos Service Provider.

k. Support Fees – means the support fees set out in the Proposal or (if the Customer is commissioning on the basis of subscription services) free of charge.

l. Deliverables – means the presentations, reports, data or other results of the Services identified in the Proposal and specifically prepared by Supplier for the Client.

m. Confidential Information – shall mean all information relating to the intellectual property and business practices of either party including, without limitation: (i) information relating to research and development, methodologies, processes, know-how, specifications; and (ii) business plans, financial information, products, services, costs, sources of supply, strategic, advertising and marketing plans, customer lists, pricing methods, project and commercial proposals (including the proposal or quotation and any information contained in those documents), personnel, and business relationships.

n. Proposal – shall mean the proposal to which this document is attached, issued by the Service Provider to the Customer for the provision of the Services identified in the proposal or other similar document issued by the Service Provider relating thereto.

2. The Services shall be delivered by the Ipsos Service Provider (and not any other Ipsos company) in accordance with this Agreement and the Mandatory Policies.

3. Wi-Fi Analytics – Ipsos Retail Performance monitors the signals emitted from Wi-Fi enabled devices to perform aggregated data analysis for market research purposes. Each device has a unique ID associated with it, also known as the MAC address. No personal data is stored and all captured information is cleared from our database after four years.
Should you wish to remove your device from any form of Wi-Fi analytics undertaken by Ipsos Retail Performance, please email here.

 

Delivery and Setup

4. Delivery time shall not be of the essence. While reasonable efforts will be made to adhere to proposed delivery dates, such dates are estimates only and the Ipsos Service Provider shall not be liable for any losses, damages, costs or expenses incurred by the Customer as a result of not reaching an estimated delivery date.

5. Fees relating to Equipment are quoted DAP and the Customer shall bear the costs of import duties & taxes.

6. Effecting Delivery
a. The Ipsos Service Provider will notify the Customer if requested in advance when the Equipment is ready for delivery (“Delivery Notice”).
b. If within 7 days of the delivery notice the Customer fails to make suitable arrangements for delivery and installation, delivery will be deemed to have taken place 7 days after service of the Delivery Notice. As a result, risk in the Equipment shall pass to the Customer, and the company shall be entitled to demand payment.
c. The Customer shall indemnify and keep indemnified the Ipsos Service Provider against any storage and handling charges and any other costs and expenses incurred by the Customer in respect of any of the Equipment or products between the date of deemed delivery and the actual date of delivery.
d. The Customer shall ensure that any necessary preparatory work (as advised by the Ipsos Service Provider or required by the laws and codes of the relevant jurisdiction from time to time) is completed in accordance with the Ipsos Service Provider’s stated requirements prior to the agreed delivery date, and shall ensure that reasonable access is provided to install the Equipment.
e. The property and title in respect of the Equipment in any Delivery shall not pass to the Customer until Delivery pursuant to clause 6a and payment in full has been received by the Service Provider.
f. The Service Provider shall be entitled to revoke the Customer’s right to use of the Equipment at any time.
g. The Customer shall not, until the property and title in respect of all Equipment have passed to the Customer, pledge or allow any lien, charge or other interest to arise over any Equipment or their documents of title.
h. Until the property and title in respect of all Equipment in any Delivery have passed to the Customer, the Service Provider shall be entitled to recover and re-distribute/sell the Equipment and enter any premises where the Equipment are situated for that purpose.
i. The retention of title by the Service Provider of any Equipment pursuant to this clause shall not affect the Service Provider’s right to maintain an action for the price of such Equipment.
j. On termination of this Agreement, howsoever caused, the Service Provider’s rights contained in this clause shall remain in effect.
k. The Service Provider will take all reasonable steps to complete collection and delivery as quickly as possible, but the Service Provider will not be deemed to be in breach of timeliness requirements or be subject to penalties for delay under this Agreement for the length of any reasonable delay.

 

Price, Payment and Term

7. The Customer shall pay the Ipsos Service Provider the Fees for the Term. If the Customer is taking a subscription, the Term shall automatically renew for renewal terms of one (1) year unless terminated in accordance with this Agreement.

8. Payment shall be made within 30 (thirty) days of receipt of invoice or (if earlier) such mandatory period for payments required by local laws.

9. In the event of late payment, the Ipsos Service Provider may
a. charge interest at 4% above LIBOR (except where local law prohibits the charging of interest on late payments); and
b. (at its discretion) withhold delivery of Equipment or suspend provision of Services until such time as the Fees have been paid.

10. This agreement shall, unless otherwise terminated as provided in this clause, continue for the Initial Term and, thereafter, this agreement shall be automatically renewed for successive periods of 1 (one) year (each a Renewal Period) unless
a. either party notifies the other party of termination, in writing, at least 90 days before the end of the Initial Term or any Renewal Period, in which case this agreement shall terminate upon the expiry of the applicable Initial Term or Renewal Period; or
b. otherwise terminated in accordance with the provisions of this Agreement.

11. Without affecting any other right or remedy available to it, either party may terminate this agreement with immediate effect by giving written notice to the other party if:
a. the other party fails to pay any amount due under this agreement on the due date for payment and remains in default not less than 30 days after being notified in writing to make such payment;
b. the other party commits a material breach of any other term of this agreement which breach is irremediable or (if such breach is remediable) fails to remedy that breach within a period of 30 days after being notified in writing to do so;
c. the other party repeatedly breaches any of the terms of this agreement in such a manner as to reasonably justify the opinion that its conduct is inconsistent with it having the intention or ability to give effect to the terms of this agreement;
d. the other party suspends, or threatens to suspend, payment of its debts or is unable to pay its debts as they fall due or admits inability to pay its debts;
e. the other party commences negotiations with all or any class of its creditors with a view to rescheduling any of its debts, or makes a proposal for or enters into any compromise or arrangement with its creditors other than for the sole purpose of a scheme for a solvent amalgamation of that other party with one or more other companies or the solvent reconstruction of that other party;
f. a petition is filed, a notice is given, a resolution is passed, or an order is made, for or in connection with the winding up of that other party other than for the sole purpose of a scheme for a solvent amalgamation of that other party with one or more other companies or the solvent reconstruction of that other party;
g. an application is made to court, or an order is made, for the appointment of an administrator, or if a notice of intention to appoint an administrator is given or if an administrator is appointed, over the other party;
h. the holder of a qualifying floating charge over the assets of that other party has become entitled to appoint or has appointed an administrative receiver;
i. a person becomes entitled to appoint a receiver over the assets of the other party or a receiver is appointed over the assets of the other party;
j. a creditor or encumbrancer of the other party attaches or takes possession of, or a distress, execution, sequestration or other such process is levied or enforced on or sued against, the whole or any part of the other party’s assets and such attachment or process is not discharged within 14 days;
k. any event occurs, or proceeding is taken, with respect to the other party in any jurisdiction to which it is subject that has an effect equivalent or similar to any of the events mentioned above;

12. On termination of this agreement for any reason
a. all licences granted under this agreement shall immediately terminate and the Customer shall immediately cease all use of the Services, Equipment and/or the Documentation;
b. each party shall return and make no further use of any Equipment, property, Documentation and other items (and all copies of them) belonging to the other party. The Customer shall not be entitled to charge the Service Provider for any costs associated with return of Equipment, property, Documentation or any goods which the Service Provider requires to be returned following termination of this agreement;
c. the Ipsos Service Provider may destroy or otherwise dispose of any of the Customer Data in its possession except where the Customer has not yet received such Customer Data, (the Customer shall pay all reasonable expenses incurred in returning or disposing of Customer Data);
d. any rights, remedies, obligations or liabilities of the parties that have accrued up to the date of termination, including the right to claim damages in respect of any breach of the agreement which existed at or before the date of termination shall not be affected or prejudiced; and
e. the Customer shall immediately pay to the Service Provider all of the Service Provider’s outstanding unpaid invoices and interest and, in respect of the Services supplied but for which no invoice has been submitted, the Service Provider may submit an invoice, which shall be payable immediately on receipt;

 

Customer obligations

13. Where the Customer takes the Services on a subscription basis, the Customer shall
a. maintain the Equipment in good working order for the duration of the Term (In the event that the Ipsos Service Provider determines that the Equipment has not been appropriately maintained for use elsewhere, the Ipsos Service Provider may invoice the Customer for replacement equipment at full reinstatement cost.)
b. Ensure that the Equipment is identifiable as property of the Ipsos Service Provider and not remove or obscure any labels or other identifying details indicating such Equipment belongs to the Ipsos Service Provider.

14. Where the Customer takes the Services without any Equipment (such as where the Customer has pre-existing hardware it wishes the Ipsos Service Provider to co-ordinate with), the Customer shall
a. ensure that the Customer’s hardware is of a sufficient standard and quality for the provision of services by the Ipsos Service Provider
b. maintain the Customer’s hardware in a good working order for the duration of the Term (acknowledging that the Ipsos Service Provider may be unable to provide Services in the event of a malfunction or failure of any hardware provided by the Customer)
c. the Customer shall not be entitled to withhold or set-off any payments due to the Service Provider for any delay or failure in pre-existing hardware causing the Services to not be performed.

15. The Customer confirms that
a. without affecting its other obligations under this agreement, it shall comply with all applicable laws and regulations with respect to its activities under this Agreement;
b. it shall obtain and shall maintain all necessary licences, consents, and permissions necessary for the Ipsos Service Provider, its contractors and agents to perform their obligations under this agreement, including without limitation the Services;
c. it shall carry out all other Customer responsibilities set out in this Agreement in a timely and efficient manner. In the event of any delays in the Customer’s provision of such assistance as agreed by the parties, the Ipsos Service Provider may adjust any agreed timetable or delivery schedule as reasonably necessary;
d. it shall ensure all authorised users use the Services and the Documentation in accordance with this Agreement and any terms and conditions provided by the Ipsos Service Provider from time to time AND that the Customer shall be responsible for any breaches by authorised users; and
e. it is, to the extent permitted by law and except as otherwise expressly provided in this agreement, solely responsible for procuring, maintaining and securing its network connections and telecommunications links from its systems to the Equipment and the Ipsos Service Provider’s systems. All problems, conditions, delays, delivery failures and all other loss or damage arising from or relating to the Customer’s network connections or telecommunications links or caused by the internet shall be the sole responsibility of the Customer.

16. The Customer shall provide the Ipsos Service Provider with
a. all necessary co-operation in relation to this Agreement;
b. all necessary access to such information as may be required by the Supplier in order to provide the Services, including but not limited to Customer Data, security access information and configuration services; and
c. ensure that its retail locations, network and systems comply with the relevant specifications required for the Services provided and as advised by the Ipsos Service Provider from time to time.
d. Where Personal Data is processed in accordance with Data Protection Legislation for the Services, the Client and Supplier warrant that they will comply with the requirements of the data processor clauses set out in Schedule 1 of this Agreement.

 

Intellectual Property, Ownership and Publicity

17. Customer shall own the Deliverables (including copyright or other intellectual property rights) upon payment of the relevant price. Service Provider retains full ownership and intellectual property rights in all techniques, models, processes, tools, methodologies and know-how (including without limitation all databases, computer programs and software, processes, formulae, tools, models, algorithms and products, proposals, survey questionnaires, data files and other forms used in the fieldwork) that are used, created or developed in connection with the Services (“Supplier IP”).

18. Under no circumstances will the Service Provider disclose information regarding respondents that will make them personally identifiable except as permitted by and in accordance with applicable law and professional codes of conduct.

19. Notwithstanding the foregoing, to the extent that the Agreement specifies that the Services include normative data to assist the Customer with the interpretation of the Services, syndicated research services and/or any Deliverables will be comprised of syndicated research reports (“Syndicated Deliverables”): (i) the Service Provider shall at all times retain sole and exclusive ownership rights in the Syndicated Deliverables as well as all Supplier IP; (ii) Customer may not sell, distribute, copy or reproduce in full or in part any of the Syndicated Deliverables, without authorisation from the Service Provider, which the Service Provider may withhold in its sole discretion; and (iii) this Agreement constitutes a revocable, non-exclusive license from the Service Provider to the Customer to use the Syndicated Deliverables solely for internal purposes, subject at all times to the ownership rights of the Service Provider set forth herein.

20. Neither the Customer nor Service Provider shall have the right to use the other’s trademarks without prior written consent, except for the purposes of the Service Provider’s marketing purposes or promotional materials, including on the Service Provider’s website.

 

Warranties and Liability

21. The Customer acknowledges that the provision of the Services is based upon samples and statistical treatment of information, therefore the Ipsos Service Provider cannot warrant total accuracy or predict or assure any particular substantive results of its research in advance.

22. The Ipsos Service Provider warrants that the Equipment will be fit for purpose relating to the Services for the Term, fair wear and tear excepted. This warranty shall not apply to any defect or malfunction of the products which is wholly or partly caused by (i) any maintenance or repair work to the products carried out by any person other than the Ipsos Service Provider or its authorised suppliers; (ii) tampering or interference with the products or any physical damage caused to the products by the Customer’s staff or customers or other third parties; (iii) failure due to defects or lack of repair at the Customer’s premises including entrance(s) doors, or any other feature of the design of use of the premises which interferes with the Equipment’s sight-lines; (iv) any interruption or fluctuation in power supplies to the products; (v) any interruption or degradation in the network connectivity out of the Ipsos Service Provider’s control.

23. The warranty at clause 22 states the Ipsos Service Provider’s entire responsibility in relation to the Equipment and is in substitution for all other warranties and representations, express or implied, statutory or otherwise which are hereby expressly excluded. If the Ipsos Service Provider is in breach of the warranty set out above, it agrees to rectify the defect at its own expense or, at its option, to replace the Equipment.

24. The Services rely upon embedded software including software to enable the products to interface with the customer’s management information systems. The Ipsos Service Provider warrants and confirms that it has carried out reasonable testing to ensure that the Services are capable of delivering accurately to the operating system used by the Customer, but Ipsos cannot accept any liability for any failures as a result of issues caused by Customer system configurations or other applications operated by the Customer.

25. Except as expressly and specifically provided in this Agreement:
a. the Customer confirms and understands that the Services and Documentation are provided for general information only and not as support to any particular action (or inaction) on the part of the Customer.
b. The Customer assumes sole responsibility for results obtained from the use of the Services and the Documentation by the Customer, and for conclusions drawn from such use. Ipsos Group shall have no liability for any damage caused by errors or omissions in any information, instructions or materials provided to the Customer in connection with the Services, or any actions taken by the Customer based on Customer Data or Services or Documentation provided by the Ipsos Service Provider;
c. all warranties, representations, conditions and all other terms of any kind whatsoever implied by legislation or common law are, to the fullest extent permitted by applicable law, excluded from this Agreement (including but not limited to any implied warranties relating to fitness for purpose); and
d. the Services and the Documentation are provided to the Customer on an “as is” basis.

26. Nothing in this agreement excludes the liability of the Supplier:
a. for death or personal injury caused by the Supplier’s negligence;
b. for breach of applicable Data Protection Legislation; or
c. for fraud or fraudulent misrepresentation.

27. Subject to clause 26:
a. the Ipsos Service Provider shall not be liable whether in tort (including for negligence or breach of statutory duty), contract, misrepresentation, restitution or otherwise for any loss of profits, loss of business, depletion of goodwill and/or similar losses or loss or corruption of data or information, or pure economic loss, or for any special, indirect or consequential loss, costs, damages, charges or expenses however arising under this agreement; and
b. the Ipsos Service Provider’s total aggregate liability (including negligence or breach of statutory duty), misrepresentation, restitution or otherwise, arising in connection with the performance or contemplated performance of this agreement shall be limited to 125% of the Fees paid to the Ipsos Service Provider during the 12 months immediately preceding the date on which the claim arose.

 

Support and Maintenance Services

28. The Ipsos Service Provider will provide support and maintenance services in return for the Support Fee during normal business hours in accordance with the Ipsos Support Services Policy in effect at the time that the Services are provided. The Supplier may amend the Support Services Policy in its sole and absolute discretion from time to time. The Customer may purchase enhanced support services separately at the Supplier’s then current rates.

29. Where the Ipsos Service Provider is providing maintenance and support, the Customer shall provide all reasonable access and assistance to permit the relevant Ipsos Service Provider (or its designated supplier) to investigate or resolve relevant issues.

 

Confidentiality

30. Each party may be given access to confidential information from the other party in order to perform its obligations under this agreement. A party’s confidential information shall not be deemed to include information that
a. is or becomes publicly known other than through any act or omission of the receiving party;
b. was in the other party’s lawful possession before the disclosure;
c. is lawfully disclosed to the receiving party by a third party without restriction on disclosure; or is independently developed by the receiving party, which independent development can be shown by written evidence.

31. Each party shall
a. hold the other party’s confidential information in confidence and not make the other’s confidential information available to any third party, or use the other’s confidential information for any purpose other than the implementation of this agreement; and
b. take all reasonable steps to ensure that the other’s confidential information to which it has access is not disclosed or distributed by its employees or agents in violation of the terms of this agreement.

32. A party may disclose Confidential Information to the extent such confidential information is required to be disclosed by law, by any governmental or other regulatory authority or by a court or other authority of competent jurisdiction, provided that, to the extent it is legally permitted to do so, it gives the other party as much notice of such disclosure as possible and, where notice of disclosure is not prohibited and is given in accordance with this clause it takes into account the reasonable requests of the other party in relation to the content of such disclosure.

33. No party shall make, or permit any person to make, any public announcement concerning this agreement without the prior written consent of the other parties (such consent not to be unreasonably withheld or delayed), except as required by law, any governmental or regulatory authority (including, without limitation, any relevant securities exchange), any court or other authority of competent jurisdiction.

34. Notwithstanding the foregoing, the Customer acknowledges and agrees that certain Services that the Customer may request may require the Ipsos Service Provider to expose, reveal, disclose or describe the Customer’s Confidential Information, including, without limitation, new concepts, products, services, advertising campaigns or designs as part of the Services. The Customer hereby waives and releases the Ipsos Service Provider from and against any and all claims resulting from or related to the Ipsos Service Provider’s authorised disclosure of the Customer’s Confidential Information as part of the Services.

 

General

35. Both parties will comply with all applicable requirements of the Data Protection Legislation. This is in addition to, and does not relieve, remove or replace, a party’s obligations or rights under the Data Protection Legislation.

36. Under no circumstance shall the Ipsos Service Provider be responsible to Customer for failure to provide the services or for its delay in performance in accordance with this Agreement due to any event or condition, not existing as of the date of signature of this Agreement, not reasonably within the control of Ipsos as of such date, which prevents in whole or in material part the performance by Ipsos of its obligations hereunder (“Force Majeure”). Without limiting the foregoing, the following shall constitute events or conditions of Force Majeure: acts of State or governmental action, terrorism, riots, disturbances, war, strikes, lockouts, slowdowns, prolonged shortage of energy supplies, epidemics, pandemics, fire, flood, hurricane, typhoon, earthquake, lightning and explosion or any other cause beyond Ipsos’ reasonable control. Should an event of Force Majeure last for more than thirty (30) days, then Ipsos shall have the right to terminate this Agreement without liability to Customer. Unless this Agreement has been terminated as set forth herein, both parties’ obligations hereunder shall resume upon the cessation of the event of Force Majeure.

37. No failure or delay by a party to exercise any right or remedy provided under this agreement or by law shall constitute a waiver of that or any other right or remedy, nor shall it prevent or restrict the further exercise of that or any other right or remedy. No single or partial exercise of such right or remedy shall prevent or restrict the further exercise of that or any other right or remedy.

38. Except as expressly provided in this agreement, the rights and remedies provided under this agreement are in addition to, and not exclusive of, any rights or remedies provided by law.

39. This agreement and any other documents otherwise referred to herein contain the whole agreement between the parties relating to the subject matter hereof and supersede all prior agreements, arrangements and understandings between the parties relating to that subject matter.

40. Each party acknowledges that, in entering into this Agreement and the documents referred to in it OR annexed to it, it does not rely on any statement, representation, assurance or warranty (whether it was made negligently or innocently) of any person (whether a party to this licence or not) other than as expressly set out in this licence or those documents. Each party agrees that the only rights and remedies available to it arising out of or in connection with such statements, representations, assurances or warranties shall be for breach of contract. Nothing in this clause shall limit or exclude any liability for fraud.

41. No variation of this agreement shall be effective unless it is in writing and signed by the parties (or their authorised representatives).

42. If any provision or part-provision of this agreement is or becomes invalid, illegal or unenforceable, it shall be deemed deleted, but that shall not affect the validity and enforceability of the rest of this agreement. If any provision or part-provision of this agreement is deemed deleted the parties shall negotiate in good faith to agree a replacement provision that, to the greatest extent possible, achieves the intended commercial result of the original provision.

43. No party other than the Customer and the Ipsos Service Provider shall have any rights to enforce any part of these terms.

44. Nothing in this agreement is intended to, or shall be deemed to, establish any partnership or joint venture between any of the parties, constitute any party the agent of another party, or authorise any party to make or enter into any commitments for or on behalf of any other party.

45. Neither party shall be in breach of this agreement nor liable for delay in performing, or failure to perform, any of its obligations under this agreement if such delay or failure result from events, circumstances or causes beyond its reasonable control. In such circumstances the time for performance shall be extended by a period equivalent to the period during which performance of the obligation has been delayed or failed to be performed.

46. This agreement and any dispute or claim including non-contractual disputes or claims arising out of or in connection with it or its subject matter or formation shall be governed by and construed in accordance with the law of the state or country of the Ipsos Service Provider.

47. If the Customer is located in a different country to the Ipsos Service Provider, the Customer shall appoint an agent for service of legal notices in the relevant country and promptly provide details of such agent to Ipsos Service Provider.

 

 

SCHEDULE ONE
Data processing Clauses

1. DEFINITIONS AND INTERPRETATION
Following meanings except where the context otherwise requires:
“Data Controller”, “Data Processor”, “Data Subject”, “Personal Data”, “Processing”, “Supervisory Authority” and “Third Party” shall have the same meaning as set out in Data Protection Legislation
“Data Protection Legislation” – means (i) the Privacy and Electronic Communications (EC Directive) Regulations 2003 and the General Data Protection Regulation ((EU) 2016/679 for so long as it is directly applicable in the United Kingdom) and any applicable national implementing laws as amended from time to time; (ii) the Data Protection Act 2018; (iii) any laws substituting, re-enacting or replacing any of (i) or (ii) from time to time.
“EU Model Clauses” means the standard contractual clauses set out in the Commission Decision of 5 February 2010 on standard contractual clauses for the transfer of personal data to Data Processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council (notified under document C(2010) 593)
“Subject Access Request” means the right of access by a data subject for a Data Controller to provide a copy of the Personal Data undergoing Processing to the data subject.

For the purposes of this Schedule One, “T&Cs” shall mean the main Ipsos Retail Performance Limited Terms and Conditions to which this Schedule One is annexed.

1.1 Each Party shall comply with Data Protection Legislation and shall under no circumstances cause the other Party to be in breach of Data Protection Legislation.
1.2 The Customer and Service Party acknowledge that for the purposes of the Data Protection Legislation, a Party may act as an “independent Data Controller”, a “Joint Data Controller”, or a “Data Processor”.

2. OBLIGATIONS OF THE DATA CONTROLLER/JOINT DATA CONTROLLER
2.1 Each Party, where it is an Independent Data Controller, shall be responsible for its own compliance with all its obligations under the Data Protection Legislation.
2.2 Each Party, where they act as Joint Data Controllers, shall comply with its obligations under the Data Protection Legislation and will agree respective duties of each party in compliance with Article 26 of the GDPR.
2.3 The parties each agree to provide such assistance as may reasonably be required to enable the other party to comply with requests from Data Subjects to exercise their rights under the Data Protection Legislation within the time limits imposed by the Data Protection Legislation.
2.3.1 The Parties agree that the responsibility for complying with a Subject Access Request falls to the Party deemed Controller in respect of the Subject Access Request for Personal Data held by that party.
2.3.2 If one of the Data Controllers receives a request or inquiry from a data subject regarding matters covered by another Data Controller’s responsibilities, the request shall be forwarded to such Data Controller without undue delay.
2.3.3 The parties shall each comply with its obligation to report a Personal Data Breach to the appropriate Supervisory Authority and (where applicable) data subjects under Article 33 of the GDPR and where deemed Joint Data Controllers shall each inform the other party without undue delay of any Personal Data Breach irrespective of whether there is a requirement to notify any Supervisory Authority or data subject(s). The parties agree to provide reasonable assistance as is necessary to each other to facilitate the handling of any Personal Data Breach in an expeditious and compliant manner.

3. OBLIGATIONS OF THE DATA PROCESSOR
3.1 Where the parties agree that a Party acts as a Data Processor in relation to Personal Data where the other Party is a Data Controller, the first Party shall comply and shall procure that any sub-processor complies with the Data Processor’s obligations.
3.2 Data Processor will keep and maintain a record of processing activities as required under Article 30 (2) of GDPR.
3.3 Data Processor will ensure that access to the Personal Data is limited to only those employees who require access to it for the purpose of providing the Services and complying with these T&Cs. Data Processor will ensure that all such employees have undergone training in the law of data protection, their duty of confidentiality and in the care and handling of Personal Data.
3.4 Data Processor agrees to assist the Data Controller promptly with all subject information requests which may be received from Data Subjects relating to the Personal Data.
3.5 Other than as set out herein, Data Processor will not disclose the Personal Data to a third party in any circumstances other than at the specific written request of the Data Controller, unless the disclosure is required by law.
3.6 Data Processor will not keep the Personal Data on any laptop or other removable drive or device unless that device is protected by being fully encrypted, and the use of the device or laptop is necessary for the provision of the Services under these T&Cs. Where this is necessary, Processor will keep an audit trail of which laptops/drives/devices the Personal Data are held on.
3.9 Data Processor will notify the Data Controller of any information security incident that may impact the processing of the Personal Data covered by these T&Cs within twenty-four hours of discovering or becoming aware of any such incident.
3.10 Data Processor will ensure that any affiliates or sub-contractors it uses to process the Personal Data comply with the terms of these T&Cs.
3.11 In the event that the Data Processor transfers the Personal Data outside of the European Economic Area (including to another company within Supplier’s worldwide group of companies) in order to provide the Services and the location of that party is not subject to an adequacy finding by the European Commission, then such transfer shall only occur on the basis of a contract containing the EU Model Clauses. The Data Processor shall provide the Data Controller with a list of such contracts, or copies of the signed contracts on request.
3.12 The parties acknowledge and agree that each party shall maintain appropriate technical and organisational measures including but not limited to the provisions of Article 32 of the GDPR.