DATA PROCESSING ADDENDUM

Last updated 26 June 2020

This Data Processing Addendum (“Addendum”), the addendum referred to in Part A of the Terms and Conditions, should be read as incorporated into those Terms and Conditions. This Addendum reflects the parties’ agreement with regard to the Processing of Personal Data in accordance with the requirements of Applicable Data Protection Laws (as defined below). Capitalised terms contained herein but not defined shall have the meaning set out in the Terms and Conditions.

Definitions. In this Addendum, the following definitions apply.

  1. Applicable Data Protection Laws: (i) all applicable data protection and privacy legislation in force from time to time in the UK including the UK Data Protection Act 2018, the General Data Protection Regulation ((EU) 2016/679) as revised and superseded from time to time; (iii) Directive 2002/58/EC as updated by Directive 2009/136/EC, and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2003/2426); and (iv) any other laws and regulations relating to the processing of Personal Data and privacy which apply to a party and, if applicable, the guidance and codes of practice issued by the relevant government department or data protection or supervisory authority.

    Controller, Processor, Data Subject, Data Subject Request, Personal Data, Personal Data Breach, Special Categories of Personal Data, Processing and "appropriate technical and organisational measures" shall have the meanings given to them in the Applicable Data Protection Laws.

  2. General. The Processor agrees that the only types of Personal Data and categories of Data Subject specified in Schedule 1 of this Addendum will be Processed for the purpose of providing services as defined in the Terms and Conditions. Both parties agree to comply with all Applicable Data Protection Laws. Where Processor Processes Personal Data controlled by the Controller, Processor shall process such Personal Data only in accordance with the Controller’s documented instructions (save to the extent such instructions infringe the Applicable Data Protection Laws). The Processor shall not apply or use such Personal Data for purposes other than those specified in the Terms and Conditions. The Processor shall not share any Personal Data with any third party except for sub-processors and only inasmuch as necessary for the purposes of the Terms and Conditions and in compliance with this Addendum. The Processor shall maintain a record of its Processing activities.

  3. Data Protection. In accordance with Applicable Data Protection Laws, the Processor shall implement appropriate technical and organisational measures to protect Personal Data against actual or suspected accidental or unlawful destruction or accidental loss, and against unauthorised alteration, disclosure, acquisition or access, and against all other unlawful forms of Processing of Personal Data. Upon termination of the Supplier’s business relationship with Materials Market, Materials Market shall, at the choice of the Supplier, delete or return all Personal Data it has been processing on its behalf.

  4. Data Subject Requests. The Processor shall, to the extent permitted by law, notify the Controller upon receipt of a Data Subject Request and shall not respond to any such request without the Controller’s prior written instructions, save for instances where (a) the request is provided by a Data Subject who has a direct relationship with the Processor and the Processor is a Controller of that Personal Data, or (b) where failure to promptly respond will cause the Processor to breach their obligations under any Applicable Data Protection Laws. The Processor shall use reasonable endeavours to provide assistance and take such action as the Controller may reasonably request to allow the Controller to fulfil its obligations to Data Subjects or under Applicable Data Protection Laws in respect of Data Subject Requests, including, without limitation, meeting any deadlines imposed by such obligations.

  5. Processor's Personnel. The Processor shall ensure that its personnel engaged in Processing of Personal Data have received appropriate training on their responsibilities and have executed written confidentiality agreements in respect of such data.

  6. Sub-processing. The Processor shall ensure that any subcontract entered into with a subcontractor must be in writing and must impose on the subcontractor the same obligations as those to which the Processor is subjected under this Addendum. Upon reasonable request made by the Controller, the Processor shall provide the Controller with a current list of the names and contact information of sub-processors Processing Personal Data of the Controller.

  7. Liability. The Processor shall not be liable for any indirect losses, damages, costs or expenses and other liabilities (including legal fees) incurred by the Controller and its affiliates arising out of or in connection with any breach of the Processor's obligations under this Addendum. This clause 7 does not exclude any liability that cannot be otherwise legally excluded.

  8. Personal Data Breaches and Incidents. The Processor shall notify the Controller of any Personal Data Breaches or other incidents that have resulted in any accidental, unauthorised or unlawful destruction, loss, alteration, disclosure of, access to or encryption of Personal Data.

  9. Audits. Where requested by the Controller, subject to reasonable and appropriate confidentiality undertakings, the Processor shall permit the Controller (or its authorised representative) to inspect and audit its Processing activities upon reasonable notice and at a mutually agreed time to verify and/or procure that the Processor is in full compliance with its data protection obligations under this Addendum. Unless such audit indicates material non-compliance with this Addendum, all the Processor’s reasonable costs associated with the audit will be covered by the Controller.

  10. Headings. The headings herein are for convenience of reference only and do not constitute part of this Addendum or affect the interpretation hereof.

SCHEDULE 1

Data Subjects

The Personal Data Processed concerns the following categories of Data Subjects: Customers.

Categories of Data

The Personal Data Processed concerns the following categories of Data: name, email, postal address, telephone number.

Special Categories of Data

The Personal Data Processed concerns the following special categories of Data: none.