This data processing agreement (“DPA”) forms part of and is subject to the Agreement entered into by Sky and the Supplier. Terms not otherwise defined in this DPA shall have the same meaning as in the Agreement. In the event of a conflict or inconsistency between this DPA and the remainder of the Agreement, this DPA shall govern to the extent required to resolve such conflict or inconsistency, unless a provision of the Agreement explicitly overrides any provision of the DPA by specific reference to such provision(s).
1. DEFINITIONS AND INTERPRETATION
1.1 The following terms shall have the meanings ascribed to them:
“Applicable Data Protection Law” means all applicable laws relating to privacy and data protection including but not limited to (a) the General Data Protection Regulation (EU 2016/679) (the “GDPR”), (b) the UK GDPR, and (c) the Directive on privacy and electronic communications (2002/58/EC, as amended), as well as all laws implementing each of (a) to (c) above, including the UK Data Protection Act 2018, as amended and updated from time to time. In the event that any such Directive, Regulation or laws are repealed or replaced, the successor legislation to such repealed or replaced Directive, Regulation and/or law shall be deemed to constitute Applicable Data Protection Law.
“Instruction” means a written instruction (including by email) from Sky to the Supplier relating to the Supplier’s processing of personal data as Sky’s processor.
“SCCs” means in respect of personal data to which the: (i) GDPR applies, either: (a) where Sky acts as controller and the Supplier acts as processor, the version of the EU Commission-approved Standard Contractual Clauses titled “Sky’s Standard Contractual Clauses – Controller-Processor”, (b) where both parties act as independent controllers, the version of the EU Commission-approved Standard Contractual Clauses titled “Sky’s Standard Contractual Clauses – Controller-Controller”, or (c) where Sky acts as processor and the Supplier acts as sub-processor, the version of the EU-Commission approved Standard Contractual Clauses titled “Sky’s Standard Contractual Clauses – Processor-Processor”, in each case available at https://www.skygroup.sky/suppliers; (ii) UK GDPR applies, a version of the applicable clauses referenced at (i) above, as amended by the UK Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner under section 119A(1) Data Protection Act 2018 (the “UK Addendum”), and (iii) Swiss Federal Act on Data Protection (“FADP”) applies, a version of the applicable clauses referenced at (i) above that includes all necessary amendments to make them legally effective in Switzerland, including but not limited to the following: references to the GDPR will be deemed to be references to the FADP, references to “personal data” will be deemed to include references to legal entities (until the entry into force of the revised FADP), references to “sensitive data” will be deemed to be references to “sensitive personal data and personality profiles”, and the term “Member State” shall not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence in accordance with Clause 18(c).
“UK GDPR” has the meaning ascribed to it in section 3(10) of the UK Data Protection Act 2018.
“Third Country” means: (i) if the relevant Sky entity is established in the EEA or Switzerland, a jurisdiction outside the EEA or Switzerland that has not been deemed adequate for data protection purposes by the European Commission, or (ii) if the relevant Sky entity is established in the UK, a jurisdiction outside the UK that has not been deemed adequate for data protection purposes under UK law.
1.2 Where defined in Applicable Data Protection Law, the terms “controller”, “data subject”, “data protection impact assessment”, “data protection officer”, “personal data”, “personal data breach”, “prior consultation”, “pseudonymisation”, “processor”, “processing”, “restriction of processing”, “supervisory authority concerned” shall have the same meanings as ascribed to them in Applicable Data Protection Law. Where any such term is not defined in Applicable Data Protection Law, it shall have the meaning ascribed to it in the UK GDPR.
2. ROLES OF THE PARTIES
2.1 Save where clause 2.2 or clause 2.3 applies, Sky, acting as controller, hereby appoints the Supplier for the duration of this Agreement as its processor with respect to the data processing carried out in connection with this Agreement. The details of the personal data processing carried out by the Supplier are set out in the Order(s) and such details shall only apply in respect of the personal data processing carried out under such Order(s).
2.2 Each party acknowledges that it is an independent controller in respect of the personal data of the other party’s personnel that it receives and processes to maintain its business relationship with the other party in connection with this Agreement. In relation to such personal data, each party shall: (i) comply with Applicable Data Protection Law in its processing of such data, and (ii) only process such personal data for the purposes of the Agreement, to comply with applicable law, or, where permitted by Applicable Data Protection Law, to provide the other party with information about its products and services.
2.3 The parties acknowledge that in certain scenarios Sky and the Supplier may act as processor (acting on the instructions of a separate controller) and sub-processor respectively and this Agreement and references to the Supplier acting as processor should be construed accordingly.
3. DATA PROCESSOR OBLIGATIONS
3.1 The Supplier shall comply with its obligations as processor under Applicable Data Protection Law and the Supplier acknowledges that nothing in this DPA relieves it from its responsibilities and liabilities under Applicable Data Protection Law.
3.2 The Supplier shall only process personal data as Sky’s processor in accordance with Sky’s lawful Instructions, except where required to process personal data to comply with EU, EU Member State, or UK law to which the Supplier is subject, in which case it shall notify Sky of the relevant legal requirement before processing unless it is legally prohibited from doing so. The Supplier will notify Sky immediately in the event it reasonably believes any Instruction given by Sky is contrary to Applicable Data Protection Law. The parties agree that this Agreement comprises Sky’s main set of Instructions and the Supplier acknowledges that Sky may issue supplemental Instructions in relation to personal data the Supplier processes as Sky’s processor, including for the Supplier to:
3.2.1 provide at its cost reasonable assistance to Sky, taking into account the nature of processing and the information available to the Supplier, so that Sky is able to:
(A) access all documents (in full or only in so far as they relate to personal data processed by the Supplier as Sky’s processor) which the Supplier is required to maintain under Applicable Data Protection Law (if any) about such personal data processing;
(B) discuss with the Supplier’s data protection officer (if appointed) the Supplier’s processing of personal data;
(C) manage and respond to the exercise by any data subject of any of the rights afforded to data subjects under Applicable Data Protection Law;
(D) manage and respond to any notices or questions addressed to Sky from the supervisory authority concerned;
(E) evaluate the technical and organisational measures the Supplier is required to implement under clauses 3.3, 3.4 and 3.5;
(F) manage, mitigate and resolve any personal data breach, including the preparation and filing of any notification of any personal data breach to the supervisory authority concerned or relevant data subject(s);
(G) carry out data protection impact assessments (at Sky’s discretion) and prior consultations with the supervisory authority concerned (where required under Applicable Data Protection Law) in relation to the personal data the Supplier processes as Sky’s processor; and
(H) demonstrate its compliance with its obligations under Applicable Data Protection Law; and
3.2.2 allow for and reasonably collaborate with (both at the Supplier’s cost) Sky, an auditor mandated by Sky and/or the supervisory authority concerned carrying out desk-based audits, on-site audits and/or inspections of the Supplier, any of its sub-processors and/or any of the facilities and IT systems used to process personal data on Sky’s behalf from time to time (including before such processing commences) to verify the Supplier’s compliance with its obligations under this DPA and Applicable Data Protection Law.
3.3 The Supplier shall:
3.3.1 subject to clause 4, keep the personal data it processes as Sky’s processor strictly confidential;
3.3.2 ensure that its personnel are bound by appropriate, written and enforceable confidentiality obligations concerning the personal data and that they process such personal data only in accordance with Sky’s Instructions;
3.3.3 subject to clause 4, not allow any third party access to the personal data or otherwise transfer the personal data to any third party; and
3.3.4 subject to clauses 4-5, not transfer the personal data outside of the UK or EEA.
3.4 For the duration the Supplier acts as Sky’s processor under this Agreement, the Supplier shall:
3.4.1 implement and document appropriate technical and organisational measures to ensure a level of security appropriate to the risk to the rights and freedoms of the data subjects presented by the Supplier processing personal data as Sky’s processor, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of such processing as well as the varying likelihood and severity of such risk, including measures to:
(A) guard against unauthorised or unlawful processing and personal data breaches;
(B) as appropriate, apply pseudonymisation and encryption to the personal data;
(C) ensure the ongoing confidentiality, integrity, availability and resilience of the Supplier’s and any sub-processor’s processing systems and services;
(D) restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and
(E) regularly test, assess and evaluate the effectiveness of such technical and organisational measures;
3.4.2 without prejudice to the generality of clause 3.4.1, comply with the Sky Supplier Security Standard; and
3.4.3 annually certify its compliance with clauses 3.4.1 and 3.4.2 to Sky in writing.
3.5 For the duration the Supplier acts as Sky’s processor under this Agreement, the Supplier shall implement and document appropriate technical and organisational measures in relation to the personal data it processes as Sky’s processor to ensure that it is able to promptly:
3.5.1 provide to Sky any such personal data in a commonly used electronic format, implement the restriction of processing of any such personal data, delete any such personal data and/or modify any such personal data if it receives an Instruction to do so by Sky; and
3.5.2 identify any data subject requests to exercise any of the rights afforded to data subjects under Applicable Data Protection Law in relation to such personal data.
3.6 The Supplier shall notify Sky:
3.6.1 promptly if it receives any notice, request, query, consultation or complaint from the supervisory authority concerned or any data subject relating to the personal data the Supplier (or any sub-processor) processes as Sky’s data (sub)processor (including the requests and/or notices referred to in clauses 3.2.1(C) and 3.2.1(D)) or that otherwise concerns Sky’s and/or the Supplier’s compliance with Applicable Data Protection Law;
3.6.2 without undue delay (and, in any event, within 24 hours) via email to dp.department@sky.uk, if it becomes aware of any personal data breach or breach of this DPA or the SCCs (where applicable) or reasonably suspects that a personal data breach or breach of this DPA or the SCCs (where applicable) has occurred, providing, to the extent reasonably possible, the information Sky is required under Applicable Data Protection Law to provide to the supervisory authority concerned.
3.7 Subject to the Supplier’s requirements under Law, if the Supplier becomes aware of any personal data breach and without prejudice to clauses 3.2.1(F) and 3.6.2, Sky is exclusively responsible for preparing and managing any notification of and/or correspondence with the supervisory authority concerned, any data subject and/or other third party relating to such personal data breach. Subject to the preceding sentence and any Instruction under clause 3.2.1(F), the Supplier shall take all reasonable steps at its cost to investigate, mitigate and resolve such personal data breach.
3.8 Upon the Agreement’s or relevant Order’s (as applicable) termination or expiry (whichever is sooner) and subject to any Instruction to the contrary as well as the Supplier’s obligations under Law, the Supplier shall return to Sky in a reasonably commonly used digital format the personal data it processes as Sky’s processor under the Agreement or the relevant Order (as applicable) and then promptly delete and cease processing all such personal data. The Supplier shall ensure that all of its sub-processors (if any) comply with this clause 3.8 and certify its and such sub-processors’ compliance to Sky in writing.
4. SUB-PROCESSING AND DISCLOSURES
4.1 Subject to clause 4.2 below, Sky hereby consents to the Supplier appointing sub-processors to assist the Supplier with the processing of personal data under the Agreement. Where the Supplier wishes to add or replace a sub-processor or change the data protection terms applicable to a sub-processor’s appointment, the Supplier shall notify Sky providing reasonable details and Sky shall have 14 days to object to such change. Where Sky objects to a change and the Supplier is unable to resolve Sky’s objection, the Supplier will not proceed with the relevant change. If Sky fails to respond within 14 days, it shall be deemed to have consented to the appointment.
4.2 The Supplier shall only allow a sub-processor to process the personal data the Supplier processes under this Agreement as Sky’s processor if:
4.2.1 the Supplier has carried out adequate due diligence and is satisfied that the sub-processor is capable of providing the level of protection for personal data that is required under this DPA and, if applicable, the SCCs;
4.2.2 such sub-processor’s processing of such personal data is: (i) carried out exclusively from a territory that is deemed to provide an adequate level of protection under Applicable Data Protection Law, (ii) subject to an appropriate data transfer mechanism permitted under Applicable Data Protection Law (which may include SCCs executed by the Supplier on Sky’s behalf with the sub-processor pursuant to clause 5.2), or (iii) otherwise deemed under Applicable Data Protection Law to be subject to adequate levels of protection;
4.2.3 it notifies Sky, providing details of the identity and location of the proposed sub-processor, a description of the intended processing to be carried out by the sub-processor and confirmation that adequate due diligence has been conducted as required under clause 4.2.1;
4.2.4 the written contract under which such sub-processor processes such personal data is not less onerous than this DPA.
For the avoidance of doubt, the requirements of this clause 4.2 also apply in the event the Supplier wishes to change the contract referred to in clause 4.2.4 and, in any case, the Supplier shall remain fully liable to Sky for the acts and omissions of the Supplier’s sub-processors.
4.3 If the Supplier is required by Law to grant access to or otherwise transfer the personal data to a third party (whether nationally or internationally), it shall:
4.3.1 if permitted by Law, give Sky as much prior notice as is reasonably possible (including reasonable information concerning such access or transfer and the relevant requirement(s) under Law);
4.3.2 limit such access or transfer to the minimum reasonably possible; and
4.3.3 provide Sky at the Supplier’s cost with all reasonable assistance should Sky choose to challenge such access or transfer.
5. INTERNATIONAL DATA TRANSFERS
5.1 If the Supplier processes personal data at or from its facilities in a Third Country as Sky’s processor, or this Agreement otherwise involves an international transfer of personal data between Sky and the Supplier for which Applicable Data Protection Law requires a party or the parties to adduce an adequate level of protection, the SCCs shall be incorporated by reference into this Agreement. The parties agree that the Supplier is the Data Importer and the relevant Sky Group entity is the Data Exporter. The Supplier represents and warrants that it has fully and accurately completed a data transfer impact assessment (provided to it by Sky) in relation to such processing. Where this clause 5.1 applies and unless otherwise agreed by the parties:
5.1.1 the sections of the Order identified as covering the information required for Appendices 1 and 2 of this Agreement shall be deemed to be Annexes 1 and 2 of the SCCs and Tables 1 and 3 of the UK Addendum (as applicable);
5.1.2 the governing law with respect to a particular transfer will be that of the country in which the Data Exporter is established; and
5.1.3 for the purposes of Section 19 of the UK Addendum, neither party shall have the right to end the UK Addendum when a revised version is issued by the ICO.
Nothing in this Agreement shall be construed to prevail over any conflicting clause of the SCCs. Each party acknowledges that it has had the opportunity to review the SCCs.
5.2 If the Supplier engages a sub-processor in a Third Country to process personal data and the processing is not otherwise deemed under Applicable Data Protection Law to be subject to adequate levels of protection and the Supplier is unable to rely on an alternative data transfer mechanism permitted under Applicable Data Protection Law, the Supplier will assist Sky to adduce an adequate level of protection for such personal data by executing SCCs with that sub-processor on Sky’s behalf. Sky hereby appoints the Supplier as its agent for the sole purpose of entering into such SCCs on Sky’s behalf. The Supplier shall provide Sky with a copy of any SCCs entered into pursuant to this section promptly on request.
5.3 If, for whatever reason, any transfer of personal data under the SCCs referred to in clauses 5.1 and 5.2 ceases to be lawful, Sky may, at its discretion:
5.3.1 require the Supplier to cease transfers of personal data to, or access to such personal data from, the relevant jurisdictions, or
5.3.2 require the Supplier to promptly cooperate with Sky to facilitate Sky’s use of an alternative lawful data transfer mechanism to enable the transfer of such personal data.
If Sky and the Supplier are unable to promptly enter into such an alternative data transfer mechanism, then Sky may (at its option) terminate the Agreement, or reduce its scope to exclude personal data, at no additional cost to Sky.