BSI’S GRANT OF ACCESS TO AND USE OF BSI CONNECT IS GOVERNED BY THESE TERMS AND CONDITIONS (the “TERMS”). THE SUBMISSION OF AN ORDER FORM CREATES A BINDING AGREEMENT BETWEEN THE ORGANISATION NAMED IN THE ORDER FORM AND BSI FOR ACCESS TO AND USE OF BSI CONNECT.
1. DEFINITIONS AND INTERPRETATION
1.1 The following definitions apply to these Terms:
Agreement: the agreement for a Subscription to BSI Connect formed when the Order Form and these Terms are taken together.
Authorised Users: those fixed number of Client employees, agents and independent contractors authorised to use BSI Connect as determined by BSI in its sole discretion from time to time or as specified in the Order Form as part of a Paid Subscription.
BSI: The BSI entity that is specified in the Order Form.
Business Day: a day that is a normal working day for BSI, excluding any locally observed holidays within the Service Location.
Capacity Limit: 10 Giga Byte.
Client: the organisation that completes and submits and Order Form for a Subscription to BSI Connect and agrees to be bound by these Terms.
Client Data: the data provided/transferred to BSI by or on behalf of the Client as part of Client’s use of BSI Connect.
Data Processing Addendum: the additional terms attached as Schedule 1 to these Terms and incorporated by reference.
Documents: means the technical materials provided by BSI to the Client in electronic form describing the use and operation of BSI Connect.
Effective Date: the date BSI acknowledges a Client’s Subscription and provides Client with access to and use of BSI Connect.
Fees: the fees specified in the Order Form for a Paid Subscription to use BSI Connect.
Free Period: an unlimited period of time commencing on the Effective Date during which BSI offers the opportunity to purchase a subscription to BSI Connect within Client’s geographic region.
Free Subscription: the right, free of cost subject to the Capacity Limit, to access and use those features and functions of BSI Connect that BSI may make available from time to time for the duration of the Free Period.
Initial Period: for Paid Subscriptions, the period of 12 months commencing on the Effective Date.
Intellectual Property Rights: any and all present and future, patents, inventions, know- how, trade secrets and other confidential information, trademarks, service marks, logos, emblems, badges, mascots, insignia, identifying music and sounds, get-up, domain names, business names, trade names, moral rights, performance rights, registered designs, copyrights, database rights, design rights and other intellectual property rights of whatever nature, in each case whether registered or unregistered and including applications for registration, and all rights or forms of protection having equivalent or similar effect anywhere in the world.
Order Form: the document made available by BSI, in any medium, for submitting a request for a Subscription to BSI Connect, containing Client specific information including in the case of Paid Subscriptions, Fees, invoicing arrangement, and number of Authorised Users.
Paid Subscription: the right, subject to payment of the Fees, to access and use all the features and functions of BSI Connect for the duration of the Initial or Renewal Period.
Party: BSI or Client.
Subscription: either a Free Subscription or a Paid Subscription to BSI Connect.
Renewal Period: for Paid Subscriptions, each successive period of 12 months following the end of the Initial Period.
Service Location: has the meaning provided in Clause 22.
Subscription Period: The Free Period (in the case of a Free Subscription), or the Initial Period, or a Renewal Period (in the case of a Paid Subscription).
Virus: any code or malware whose purpose is to disable a computer or network or adversely affect its performance such as a computer virus, worm, 'trojan horse', back door or similar item which may impair or otherwise adversely affect the operation of any computer or network, prevent or hinder access to any program or data, impair the operation of any program or the reliability of any data (whether by re-arranging within the computer or any storage medium or device, altering or erasing, the program or data in whole or part or otherwise).
1.2 The clause headings in these Terms are included for convenience only and shall not affect the interpretation of these Terms.
1.3 A person includes a natural person, corporate or unincorporated body (whether or not having separate legal personality) and that person's personal representatives, successors and permitted assigns.
1.4 Unless the context otherwise requires, words in the singular shall include the plural and, in the plural, shall include the singular and a reference to one gender shall include a reference to the other genders.
1.5 A reference to any Party shall include that Party's personal representatives, successors and permitted assigns.
1.6 A reference to a statute or statutory provision is a reference to it as amended or re-enacted. A reference to a statute or statutory provision includes all subordinate legislation made under that statute or statutory provision.
1.7 Any words following the terms including, include, in particular, for example or any similar expression shall be construed as illustrative and shall not limit the sense of the words, description, definition, phrase or term preceding those terms.
2. TERMS OF SERVICE
2.1 BSI will perform the services described and in accordance with the Proposal and these terms of service (Contract).
2.2 These terms of service, together with any terms set out in the Proposal, are the only terms that will govern the Contract. Any terms contained in or incorporated by reference in any acknowledgements, confirmations, standard forms, purchase orders or any other documents issued by either party, or implied by trade custom, practice or course of dealing, other than those permitted within these terms of service, will not apply.
2.3 If there is an inconsistency between any of the provisions of the Contract and any master services agreement, purchase proposal, Client’s standard conditions of purchase or any other document stated to be relating to BSI’s services or the Contract, the provisions of the Contract will prevail.
2.4 Notwithstanding clause 2.2, BSI may amend these terms from time to time, and will notify the Client of material changes taking place. Client may reject the amendment and terminate the Contract by notifying BSI of its intention to do so on 30 days’ written notice. If Client provides no notice, Client is deemed to have accepted the amended terms.
3. PROVISION OF BSI CONNECT
3.1 Where Client has been provided a Free Subscription:
3.1.1 in consideration of Client’s continued compliance with these Terms, BSI hereby grants to the Client a non-exclusive, revocable, non-transferable, non-sublicensable right for the Subscription Period to permit Authorised Users, solely for the Client's internal business operations, to: (i) access and use those limited features and functions of BSI Connect that may be made available by BSI in its sole and absolute discretion from time to time; and (ii) use the Documents which shall include but is not limited to making sufficient copies as are necessary for Client; and
3.1.2 the availability of data storage beyond the Capacity Limit for the storage of Client Data in BSI Connect may require the purchase of additional storage space at BSI’s then published rates for such storage or as otherwise determined by BSI.
3.2 Where Client has been provided a Paid Subscription, in consideration of the Fees paid by Client to BSI and Client’s continued compliance with these Terms, BSI hereby grants to the Client a non-exclusive, revocable, non-transferable, non-sublicensable right for the Subscription Period to permit Authorised Users, solely for the Client's internal business operations, to:(i) access and use BSI Connect; and (ii) use the Documents which shall include but is not limited to making sufficient copies as are necessary for Client.
3.3 All rights not expressly granted by BSI to the Client to use BSI Connect are reserved to BSI. Client shall not have the right to modify, translate, reverse engineer, disassemble or decompile any portion of BSI Connect. The Client shall not have the right to (i) license, sublicense, sell, resell, transfer, assign, distribute or otherwise commercially exploit or make available BSI Connect to any third party in any way; and (ii) “frame” or “mirror” any content from BSI Connect on any server or wireless or internet-based device. BSI reserves the right to make changes to any part of BSI Connect that it deems necessary or useful and notify the Client five (5) Business Days ahead of material changes taking place.
3.4 Client grants to BSI a worldwide, perpetual, irrevocable, royalty-free license to use and incorporate into BSI Connect any suggestion, enhancement request, recommendation, correction or other feedback provided by Client or its Authorised Users relating to the operation of BSI Connect.
4. ACCESS AND AUTHORISED USERS
4.1 BSI Connect shall be accessible from the online location or such other hosted location notified to the Client. Client will ensure that all Authorised Users are made aware of and comply with any additional terms of use or applicable privacy policy that may be posted at a user’s point of access.
4.2 BSI shall use reasonable endeavours to make BSI Connect accessible to Authorised Users 24 hours a day, seven days a week, except for planned and emergency maintenance
4.3 The Client undertakes that:
4.3.1 the maximum number of Authorised Users that it permits to access and use BSI Connect and the Documents shall not exceed the number of users specified in the Order Form or by BSI as applicable; and
4.3.2 it shall permit BSI or BSI's designated auditor to audit the Client’s use of BSI Connect in order to confirm compliance with these Terms. Each such audit may be conducted no more than once per quarter, at BSI's expense, and this right shall be exercised with reasonable prior notice, in such a manner as not to substantially interfere with the Client's normal conduct of business.
5. SUPPORT SERVICES
5.1 For Paid Subscriptions only, BSI shall provide: (i) an e-mail address to raise any problems encountered during the use of BSI Connect and (ii) access to self-learning material. BSI shall use reasonable endeavours to diagnose and fix reported issues or answer any questions related to BSI Connect that are presented to the help desk but does not guarantee that the Client will receive a particular outcome.
5.2 Client acknowledges that the provision of BSI Connect is dependent on access to various third party services (including third party hosting providers such as AWS) and the Client agrees that BSI is not responsible for the non-availability, delays, failures or interruption affecting BSI Connect or the performance of BSI Connect caused by any such third party services, errors, anomalies or bugs in software, hardware or the Internet on which BSI Connect relies as BSI does not control such third party services and such errors or bugs are inherent in the use of such software, hardware and the Internet. Accordingly, any non-availability, delays, failures or interruption affecting BSI Connect as a result of the foregoing shall not constitute a breach by BSI of its warranties in this Agreement and shall not where the Client has a Paid Subscription entitle the Client to terminate the Agreement under clause 9.2.
6. WARRANTIES, REPRESENTATIONS AND EXCLUSIVE REMEDIES
6.1 BSI warrants that:
6.1.1 BSI Connect shall comply with all applicable governing laws and regulations; and
6.1.2 BSI Connect shall perform materially in accordance with the Documentation.
6.2 Where Client has a Paid Subscription, if a breach of the above warranties substantially interferes with the Client’s use of BSI Connect and Client notifies BSI with reference specifically to such warranties, BSI will offer, and Client shall have the option of either (i) extending the Subscription Period for the length of the affected period from BSI’s receipt of such notice at no additional cost or expense to the Client or (ii) terminating the subscription and requesting a refund of a pro-rata portion of the Fee relating to the affected period from BSI’s receipt of such notice and the unexpired Subscription Period.
6.3 Each Party represents that it has the right to enter into the Agreement and carry out its obligations under the Agreement.
6.4 The Client assumes sole responsibility for results obtained from the use of BSI Connect and for conclusions drawn or decisions taken from such use and any reliance on the results obtained from the use of BSI Connect is at Client’s own risk.
6.5 Except for the express warranties provided in this Agreement, BSI Connect is provided and made available “as is” and the warranties contained in the Agreement are in lieu of all other warranties, representations or conditions, express, implied, statutory or otherwise, including but not limited to, those implied warranties of merchantability and fitness for a particular purpose, all of which are expressly disclaimed. BSI does not represent that BSI Connect will be uninterrupted or error free or meet the Client’s specific requirements.
7. PROPRIETARY RIGHTS
7.1 All Intellectual Property Rights belonging to a Party prior to entering into the Agreement shall remain vested and remain the property of that Party. The Client Data hosted by BSI as part of BSI Connect, and all worldwide Intellectual Property Rights in it, is the exclusive property of the Client. All rights in and to the Client Data not expressly granted to BSI in this Agreement remain with the Client.
7.2 Except as expressly set forth herein, no express or implied license or right of any kind is granted to the Client regarding BSI Connect or any part thereof, including any right to obtain possession of any source code, data or other technical material relating to BSI Connect.
7.3 Client grants BSI a non-exclusive, worldwide, royalty-free and fully paid license (a) to use the Client Data as necessary for purposes of providing BSI Connect and (b) to use the Client Data (i) to provide BSI Connect and to perform its obligations under the Agreement and (ii) for research and development purposes, including but not limited to measuring and improving the effectiveness of BSI’s products and services.
8. CHARGES AND PAYMENT APPLICABLE TO PAID SUBSCRIPTIONS
8.1 For Paid Subscriptions, BSI shall invoice the Client for the Fees as set out in the Order Form, and the Client shall pay the Fees within 30 days from the date of an invoice which is not the subject of a genuine dispute.
8.2 If BSI has not received payment within 30 days of the due date, without prejudice to any other rights and remedies:
8.2.1 BSI may, without liability to the Client, suspend the Client's access to BSI Connect while the amounts due remain unpaid; and
8.2.2 interest shall accrue on a daily basis on such due amounts at an annual rate equal to 3% over the then current base lending rate of Barclays Bank plc (or its successor) from time to time, commencing on the due date and continuing until fully paid, whether before or after judgment.
8.3 The Fees do not include, and the Client is solely responsible for, all applicable taxes including value added tax and other sales taxes.
8.4 BSI shall be entitled to increase the Fees at the start of each Renewal Term (i) in line with the annual increase in the UK Retail Prices Index without notice; and (ii) upon 60 days' prior notice to the Client where the increase exceeds the annual increase in the UK Retail Prices Index, and the Order Form shall be deemed to have been amended accordingly.
8.5 The number of Authorised Users may be increased during a Subscription Period subject to Client’s payment of the additional fees assessed by BSI for each additional user.
9. TERM AND TERMINATION
Clauses 9.1 and 9.2 shall apply to Paid Subscriptions only
9.1 The Agreement shall, unless otherwise terminated as provided in this clause 9, commence on the Effective Date and continue for the duration of each Subscription Period unless either Party notifies the other Party of termination, in writing, at least 30 days before the end of a Subscription Period, in which case the Agreement shall terminate upon the expiry of the applicable Subscription Period.
9.2 Either Party may terminate the Agreement at any time on written notice to the other if the other: (i) is in material or persistent breach of any of these Terms and either that breach is incapable of remedy, or the other Party fails to remedy that breach within 30 days after receiving written notice requiring it to remedy that breach; or (ii) becomes insolvent, or is subject to an order or a resolution for its liquidation, administration, winding-up or dissolution (otherwise than for the purposes of a solvent amalgamation or reconstruction), or has an administrative or other receiver, manager, trustee, liquidator, administrator or similar officer appointed over all or any substantial part of its assets, or enters into or proposes any composition or arrangement with its creditors generally, or is subject to any analogous event or proceeding in any applicable jurisdiction.
9.3 For Free Subscriptions, BSI may terminate the Agreement at any time with or without cause upon 30 days written notice to the Client.
9.4 On termination of the Agreement:
9.4.1 all licences granted under these Terms shall immediately terminate and the Client shall immediately cease all use of BSI Connect and/or the Documents;
9.4.2 BSI may destroy or otherwise dispose of any of the Client Data in its possession; and
9.4.3 any provision of these Terms that expressly or by implication is intended to come into or continue in force on or after termination of the Agreement shall remain in full force and effect.
9.5 Termination of the Agreement shall not affect any of the rights, remedies, obligations or liabilities of the Parties that have accrued up to the date of termination, including the right to claim damages in respect of any breach of the Terms which existed at or before the date of termination.
9.6 If BSI terminates the Agreement for the Client's breach under clause 9.2 above, then, in addition to any other remedies BSI may have at law or in equity, the Client must pay to BSI within 30 days of termination, the Fees for the remainder of the Subscription Period.
10. CONFIDENTIALITY
10.1 Each Party may be given access to confidential information from the other Party in order to perform its obligations under these Terms. A Party's confidential information shall not be deemed to include information that:
10.1.1 is or becomes publicly known other than through any act or omission of the receiving Party;
10.1.2 was in the other Party's lawful possession before the disclosure;
10.1.3 is lawfully disclosed to the receiving Party by a third Party without restriction on disclosure; or
10.1.4 is independently developed by the other Party, and such independent development can be shown by written evidence.
10.2 Subject to clause 10.3, each Party shall hold the other's confidential information in confidence and not make the other's confidential information available to any third party, or use the other's confidential information for any purpose other than the implementation of these Terms.
10.3 A Party may disclose confidential information to the extent such confidential information is required to be disclosed by law, by any governmental or other regulatory authority or by a court or other authority of competent jurisdiction, provided that, to the extent it is legally permitted to do so, it gives the other Party as much notice of such disclosure as possible and, where notice of disclosure is not prohibited and is given in accordance with this clause 10.3, it takes into account the reasonable requests of the other Party in relation to the content of such disclosure.
10.4 The provisions of this clause 10 shall survive termination of the Agreement, however arising.
11. LIMITATION OF LIABILITY
11.1 Nothing in these Terms limit any liability which cannot legally be limited, including, but not limited to, liability for: (i) death or personal injury caused by negligence; (ii)fraud or fraudulent misrepresentation; or (iii) any liabilities which cannot be excluded by statute.
11.2 Subject to clauses 11.1:
11.2.1 BSI shall not be liable whether in tort (including for negligence or breach of statutory duty), contract, misrepresentation, restitution or otherwise for any loss of profits, loss of business, depletion of goodwill and/or similar losses or loss or corruption of data or information, or pure economic loss, or for any special, indirect or consequential loss, costs, damages, charges or expenses however arising; and
11.2.2 BSI's total aggregate liability in contract, tort (including negligence or breach of statutory duty), misrepresentation, restitution, indemnity, or otherwise, arising in connection with these Terms and whether for a Paid or Free Subscriptions shall be limited to the total Fees paid or payable by Client for BSI Connect for the Subscription Period.
11.3 This clause 11 shall survive termination of the Agreement.
12. DATA PROTECTION
To the extent Client Data includes Personal Data, the Data Processing Addendum shall apply, and the Parties shall comply with the provisions therein.
13. FORCE MAJEURE
BSI shall have no liability to the Client under these Terms if it is prevented from or delayed in performing its obligations under these Terms, or from carrying on its business, by acts, events, omissions or accidents beyond its reasonable control, including, without limitation, strikes, lock-outs or other industrial disputes (whether involving the workforce of BSI or any other party), failure of a utility service or transport or telecommunications network, act of God, war, riot, civil commotion, malicious damage, compliance with any law or governmental order, rule, regulation or direction, accident, breakdown of plant or machinery, fire, flood, storm or default of BSI's sub-contractors, provided that the Client is notified of such an event and its expected duration.
14. VARIATION
No variation of the Agreement shall be effective unless mutually agreed by both Parties.
15. WAIVER
No failure or delay by a Party to exercise any right or remedy provided under these Terms or by law shall constitute a waiver of that or any other right or remedy, nor shall it prevent or restrict the further exercise of that or any other right or remedy. No single or partial exercise of such right or remedy shall prevent or restrict the further exercise of that or any other right or remedy.
16. SEVERANCE
If any provision or part-provision of these Terms is or becomes invalid, illegal or unenforceable, it shall be deemed deleted, but that shall not affect the validity and enforceability of the rest of these Terms.
17. ENTIRE AGREEMENT
17.1 The Agreement constitutes the entire agreement between the Parties and supersedes and extinguishes all previous agreements, promises, assurances, warranties, representations and understandings between them, whether written or oral, relating to its subject matter.
17.2 Each Party acknowledges that in entering into the Agreement it does not rely on, and shall have no remedies in respect of, any statement, representation, assurance or warranty (whether made innocently or negligently) that is not set out in the Agreement.
18. ASSIGNMENT
18.1 The Client shall not, without the prior written consent of BSI, assign, transfer, charge, sub-contract or deal in any other manner (including a grant to affiliates, subsidiaries or successors-in-interest of a right to use BSI Connect) with all or any of its rights or obligations under these Terms, such consent may be withheld in BSI's sole discretion and subject to any necessary recalculation of the Fees in the case of a Paid Subscription.
18.2 BSI may at any time assign, transfer, charge, sub-contract or deal in any other manner with all or any of its rights or obligations under the Agreement.
19. NO PARTNERSHIP OR AGENCY
Nothing in these Terms is intended to or shall operate to create a partnership between the Parties, or authorise either Party to act as agent for the other, and neither Party shall have the authority to act in the name or on behalf of or otherwise to bind the other in any way (including, but not limited to, the making of any representation or warranty, the assumption of any obligation or liability and the exercise of any right or power).
20. THIRD PARTY RIGHTS
These Terms do not confer any rights on any person or party, other than the Parties to the Agreement and, where applicable, their successors and permitted assigns.
21. NOTICES
21.1 Any notice required to be given under these Terms shall be in writing and shall be delivered by hand or sent by post or email to the other Party at its address specified in the Order Form, or such other address as may have been notified by that Party for such purposes during the Subscription Period.
21.2 A correctly addressed notice sent by pre-paid first-class post or recorded delivery post shall be deemed to have been received at the time at which it would have been delivered in the normal course of post. A notice sent by email shall be deemed to have been received at the time of transmission (as shown by the time sent in respect of an email).
22. GOVERNING LAW
The Agreement and any dispute or claim arising out of or in connection with it or its subject matter or formation (including non-contractual disputes or claims) shall be governed by and construed in accordance with the laws of the jurisdiction in which the BSI entity specified in the Order Form is incorporated (the “Service Location”).
23. JURISDICTION
Each Party irrevocably agrees that the courts of the Service Location shall have exclusive jurisdiction to settle any dispute or claim arising out of or in connection with these Terms or its subject matter or formation (including non-contractual disputes or claims).
DATA PROCESSING ADDENDUM
1. DEFINITIONS
In this Data Processing Addendum, terms used but not defined shall have the meaning given in the Agreement. The following definitions shall apply in this addendum:
"Controller", "Processor", “Supervisory Authority”, and "Data Subject"
shall have the meaning given to those terms in the applicable Data Protection Laws;
"Data Protection Laws"
means (a) any law, statute, declaration, decree, directive, legislative enactment, order, ordinance, regulation, rule or other binding restriction (as amended, consolidated or re-enacted from time to time) which relates to the protection of individuals with regards to the Processing of Personal Data to which a Party is subject, including (where applicable) the GDPR; and (b) any code of practice or guidance published by a relevant Supervisory Authority from time to time;
"GDPR"
means Regulation (EU) 2016/679 of the European Parliament in relation to the processing of the personal data of natural persons;
"Losses"
means all losses, fines, penalties, liabilities, damages, costs, charges, claims, amounts paid in settlement and expenses (including legal fees (on a solicitor/client basis), disbursements, costs of investigation (including forensic investigation), litigation, settlement (including ex gratia payments), judgment, interest and penalties), other professional charges and expenses, disbursements, cost of breach notification including notifications to the data subject, cost of complaints handling (including providing Data Subjects with credit reference checks, setting up contact centres (e.g. call centres) and making ex gratia payments), all whether arising in contract, tort (including negligence), breach of statutory duty or otherwise;
"Permitted Purpose"
means the purpose of the Processing as set out in more detail in the Data Protection Particulars;
"Personal Data"
means any personal data (as defined in the Data Protection Laws) Processed by either Party in connection with the Services, and for the purposes of this Data Processing Addendum includes Sensitive Personal Data;
"Personal Data Breach"
has the meaning set out in the Data Protection Laws;
"Personnel"
means all persons engaged or employed from time to time by BSI in connection with the Services, including employees, consultants, contractors and permitted agents;
"Processing"
has the meaning set out in the Data Protection Laws (and "Process" and "Processed" shall be construed accordingly);
"Restricted Country"
means a country, territory or jurisdiction outside of the European Economic Area which the EU Commission has not deemed to provide adequate protection in accordance with Article 45(1) of the GDPR (as applicable);
"Sensitive Personal Data"
means Personal Data that reveals such special categories of data as are listed in Article 9(1) of the GDPR;
"Services"
means BSI’s provision to Client of the use of or access to the product identified in the Order Form pursuant to the Agreement; and
"Third Party Request"
means a written request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by law or regulation.
2. DATA PROTECTION
2.1 Arrangement between the Parties
2.1.1 The Parties acknowledge that their classification under the Data Protection Laws is based on the factual arrangement between them.
2.1.2 In respect of the Services, the Parties hereby agree that Client shall act as a Controller and BSI shall act as a Processor where BSI is Processing the Personal Data on behalf of Client in relation to the Permitted Purpose in connection with the performance of its obligations under this Data Processing Addendum.
2.1.3 Each Party shall in performing its obligations under this Data Processing Addendum, comply with the obligations imposed upon it under the Data Protection Laws.
2.1.4 Each Party acknowledges and agrees that the type of Personal Data Processed pursuant to this Data Processing Addendum and the subject matter, duration, nature and purpose of the Processing, and the categories of Data Subjects, are as described in the table below.
| Subject matter and duration of Processing | Delivery of the Service during the term of the Agreement for use by, and access by, the Client and its Authorised Users. |
| Nature and purpose of Processing | BSI’s processing activities will be limited to the storing of Personal Data that may form part of the Client Data that is uploaded to BSI’s systems as part of Client’s access to the Services and making such Client Data available for Client’s retrieval again via Client’s own access to the Services. BSI will have no right to use any such Personal Data for its own purposes or at its own command. |
| Type of Personal Data being Processed | - Names and email addresses - Narratives and incident descriptions about Data Subjects included within Client Data |
| Categories of Data Subjects | - Client’s employees, agents and advisors; Client’s customers; vendors and subcontractors of Client (who are natural persons); Authorised Users. |
2.2 Data Controller Obligations
2.2.1 Without limiting the generality of the obligations set out in paragraph 2.1 above, the Client shall:
(a) ensure that it is not subject to any prohibition or restriction which would: (i) prevent or restrict it from disclosing or transferring Personal Data to BSI; (ii) prevent or restrict it from granting BSI access to Personal Data; and/or (iii) prevent or restrict BSI from Processing Personal Data, in each case as required for BSI to perform the Services in accordance with this Data Processing Addendum;
(b) ensure that all privacy notices have been given (and/or, as applicable, consents obtained) and are sufficient in scope to allow BSI to Process Personal Data as required in connection with the provision of the Services under this Data Processing Addendum and in accordance with the Data Protection Laws;
(c) ensure that all Personal Data disclosed or transferred to, or accessed by, BSI is accurate, up-to-date, adequate, relevant and not excessive to enable BSI to process Personal Data as required for BSI to perform the Services in accordance with this Data Processing Addendum;
(d) maintain technical and organisational security measures sufficient to comply with the obligations imposed on the Controller by Data Protection Laws; and
(e) not do anything which shall damage BSI’s reputation.
2.2.2 For the avoidance of doubt, the Client shall make all required notification(s) to the relevant Supervisory Authority in relation to its processing of Personal Data related to the Services.
2.3 Data Processor Obligations
2.3.1 In relation to the Services, to the extent that BSI Processes any Personal Data as a Processor on behalf of Client for the purpose of performing the Services under this Data Processing Addendum, BSI undertakes to the Client that BSI shall, per GDPR Art. 28:
(a) only Process Personal Data for and on behalf of Client for the purposes of performing its obligations under this Data Processing Agreement and only in accordance with Client's instructions from time to time, unless otherwise required by law;
(b) inform the Client immediately if it considers any of the Client's instructions infringes Data Protection Laws;
(c) implement and maintain appropriate technical and organisational security measures to safeguard against any unauthorised or unlawful Processing of Personal Data;
(d) take all reasonable steps to ensure the reliability and integrity of any of its Personnel who have access to Personal Data and ensure that only Personnel who are required to assist in performing the Services have access to such Personal Data;
(e) ensure that any of its staff and/or contractors who have access to Personal Data have entered into appropriate contractually binding confidentiality undertakings;
(f) not disclose Personal Data to a third party unless the third party agrees to terms which are substantially the same as the terms set out in this Data Processing Addendum or in response to Third Party Requests where BSI is prohibited by law or regulation from notifying Client;
(g) at Client’s direction, arrange for the prompt and safe return and/or secure permanent destruction of all Personal Data, together with all copies in its possession or control (if any) within twenty eight (28) days of such direction, except where BSI is required by applicable law to retain any of such Personal Data;
(h) not transfer any Personal Data to a Restricted Country unless such transfer is made in compliance with the Data Protection Laws;
(i) at Client’s request use reasonable endeavours to assist Client to comply with the obligations imposed on Client by or in relation to:
(i) the rights of Data Subjects;
(ii) assistance to the relevant Supervisory Authority; and/or
(iii) data protection impact assessments
provided that any such assistance shall be provided to Client subject to a fee payable to BSI to be agreed between the Parties; and
(j) notify Client promptly upon becoming aware of any Personal Data Breach, and:
(i) implement any measures necessary to restore the security of compromised Personal Data; and
(ii) assist Client to make any notifications to the relevant Supervisory Authority and affected Data Subjects.
2.3.2 This Data Processing Addendum shall not affect any services (or the obligations owed in respect of them) under the Agreement that are not related to the Processing of Personal Data.