Data Processing Addendum Controller (Client) / Processor (RFA)

The purpose of this Agreement is for the sharing and processing of personal data, the terms and conditions of such are set out at Agreement below that shall apply to processing.


Data Subjectan individual who is the subject of Personal Data;

Force Majeure Eventmeans any circumstance not within a party’s reasonable control including, without limitation: (a) acts of God, flood, drought, earthquake or other natural disaster; (b) epidemic or pandemic; (c ) terrorist attack, civil war, civil commotion or riots, war, threat of or preparation for war, armed conflict, imposition of sanctions, embargo, or breaking off of diplomatic relations; (d) nuclear, chemical or biological contamination or sonic boom; (e) any law or any action taken by a government or public authority, including without limitation imposing an export or import restriction, quota or prohibition, or failing to grant a necessary licence or consent; (f) collapse of buildings, fire, explosion or accident; and (g) any labour or trade dispute, strikes, industrial action or lockouts (other than in each case by the party seeking to rely on this clause, or companies in the same group as that party); (h) non- performance by suppliers or subcontractors (other than by companies in the same group as the party seeking to rely on this clause) and; Page 2 of 14 (i) interruption or failure of utility service;

Shared Personal Datathe personal data to be shared between the parties to be set out in writing between the parties;

Standard Contractual Clauses” (“SCC”) Standard Contractual Clauses for the transfer of Personal Data from the UK to controllers and processors established in third countries and countries that are not subject to an approved adequacy regulation by the Secretary of State, Commissioner such SCCs as approved by the Information Commissioner’s Office (“ICO”) (international data transfers), as set out on the ICO website at;

UK Data Protection Legislationall applicable data protection and privacy legislation in force from time to time in the UK including without limitation the retained EU law version of the General Data Protection Regulation (“UK GDPR”); the Data Protection Act 2018 (and regulations made thereunder) (“DPA 2018”); the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426) as amended; and the guidance and codes of practice issued by the Commissioner and which are applicable to a party;

Transfers from a Data Controller to a Data Processor, for the Processing of Personal Data as shall be set out below:


1.1  Both parties will comply with all applicable requirements of the UK Data Protection Legislation.

1.2  The parties acknowledge that for the purposes of the UK Data Protection Legislation, the Customer is the data controller and RFA as the Provider is the data processor (where “Data Controller” and “Data Processor” have the meanings as defined in the UK Data Protection Legislation). The schedule hereto below sets out the scope, nature and purpose of processing by the Provider, the duration of the processing and the types of Personal Data (as defined in the UK Data Protection Legislation, “Personal Data”) and categories of Data Subject.

1.3  The Customer is you and the Provider is Red Flag Alert Technology Group.

1.4  Without prejudice to the generality of clause 1.1, the Customer will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the Personal Data to the Provider for the duration and purposes of this Agreement.

1.5  Without prejudice to the generality of clause 1.1, the Provider shall, in relation to any Personal Data processed in connection with the performance by the Provider of its obligations under this Agreement, shall warrant that it shall:

(a) process that Personal Data only on the written instructions of the Customer unless the Provider is required by the laws of the UK or European Union that are applicable to the Provider to process Personal Data (“Applicable Laws”). Where the Provider is relying on the Applicable Laws as the basis for processing Personal Data, the Provider shall promptly notify the Customer of this before performing the processing required by the Applicable Laws unless those Applicable Laws prohibit the Provider from so notifying the Customer;

(b) ensure that it has in place appropriate technical and organisational measures, reviewed and approved by the Customer, to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymising and encrypting Personal Data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it);

( c ) ensure that all personnel who have access to and/or process Personal Data are obliged to keep the Personal Data confidential;

(d) only transfer Personal Data outside the UK if one of the following conditions applies:

(i) the Secretary of State has issued an adequacy regulation confirming that the country to which we transfer the Personal Data ensures an adequate level of protection for the Data Subjects’ rights and freedoms; or

(ii) appropriate safeguards are in place such as binding corporate rules (BCR), standard contractual clauses approved by the Secretary of State, an approved code of conduct or a certification mechanism;

(iii) the Data Subject has provided explicit consent to the proposed transfer after being informed of any potential risks in limited circumstances and as a one off transfer; or

(iv) the transfer is necessary for one of the other reasons set out in the UK GDPR or DPA 2018 as an exemption, including the performance of a contract, reasons of public interest, to establish, exercise or defend legal claims or to protect the vital interests of the Data Subject where the Data Subject is physically or legally incapable of giving consent and, in some limited cases, for legitimate interest;

(e) assist the Customer in responding to any request from a Data Subject and in ensuring compliance with its obligations under the UK Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with the UK’s ICO;

(f) notify the Customer without undue delay on becoming aware of a Personal Data Breach;

(g) at the written direction of the Customer, securely use commercially reasonable endeavours to delete or return Personal Data and copies thereof to the Customer on termination of the agreement unless required by Applicable Laws to store the Personal Data; and

(h) maintain complete and accurate records and information to demonstrate its compliance with this clause and allow for audits by the Customer or the Customer’s designated auditor;

(i) comply with reasonable instructions notified to it in advance by the Customer with respect to the processing of the Personal Data in accordance with the UK GDPR and the EU GDPR (if applicable);

(j) ensure that the Secretary of State has made an adequacy regulation in accordance with sections 17A to 17C of the DPA 2018 for the transfer to occur; and

(k) if the Processing involves a transfer of Personal Data outside of the UK, the parties agree to use commercially reasonable endeavours to enter into the standard contractual clauses promptly, in the event that, the EU Commission has not adopted an adequacy decision for the UK following the transitional period in accordance with the EU Future Relationship Act 2020 or that an adequacy regulation ceases to be made in the future for the UK or any superseding legislation that is in place from time to time.

1.6  The Customer does not consent to the Provider appointing any third party processor of Personal Data under this Agreement unless and until the Customer has provided specific written permission for a particular third party processor to be appointed. Should such permission be given, the Provider shall enter into a written agreement with the third party processor incorporating terms which are to be the same or substantially similar to those in this Agreement. As between the Customer and the Provider, the Provider shall remain fully liable for all acts or omissions of it and of any third party processor appointed by it at all times and for all purposes.

1.7  The parties may at any time agree to revise relevant clauses in this Agreement by replacing them with any applicable controller to processor standard clauses or similar terms (i) forming part of an applicable certification scheme or (ii) issued by or on behalf of the Information Commissioner’s Office (which shall apply when replaced by attachment to this Agreement).


2.1 The Provider shall indemnify the Customer against all liabilities, costs, expenses, damages and losses (including but not limited to any direct, indirect or consequential losses, loss of profit, loss of reputation and all interest, penalties and legal costs (calculated on a full indemnity basis) and all other reasonable professional costs and expenses) suffered or incurred by the Customer arising out of or in connection with the breach of the UK Data Protection Legislation by the Provider, its employees or agents, provided that the Customer gives to the Provider prompt notice of such claim, full information about the circumstances giving rise to it, reasonable assistance in dealing with the claim and authority to manage, defend and/or settle it.


3.1  This Agreement and any dispute relating to it shall be governed exclusively by the laws of England and Wales, whose courts shall have exclusive jurisdiction.

3.2  No part of this Agreement shall create any rights pursuant to the Contracts (Rights of Third Parties) Act 1999.

3.3  Neither party may assign, novate or otherwise transfer any right or obligation under this Agreement without first obtaining unequivocal consent in writing from the other party.

3.4  In the event of any conflict between the terms and conditions in this Agreement and the terms and conditions in any prior or existing agreement between the parties, the terms and conditions in this Agreement shall take precedence.

3.5  Should any part of this Agreement be found to be unlawful or unenforceable, the offending part is to be deemed omitted without affecting the legality or enforceability of any other parts of the agreement.


4.1 This Agreement will remain in full force and effect so long as:

(a) this Agreement remains in effect; or

(b) the Provider, Controller retains any Personal Data related to this Agreement in its possession or control (“Term”).

4.2 Any provision of this Agreement that expressly or by implication should come into or continue in force on or after termination in order to protect Personal Data will remain in full force and effect.

4.3 The Provider’s or Controller’s failure to comply with the terms of this Agreement is a material breach of this Agreement.

4.4 If a change in any UK Data Protection Legislation prevents either party from fulfilling all or part of its obligations, the parties will suspend the processing of Personal Data in accordance with this Agreement until that processing or sharing complies with the new requirements. If the parties are unable to bring the Personal Data processing or sharing into compliance with the UK Data Protection Legislation within 30 day, they may terminate this Agreement on written notice to the other party of no less than 90 days.


5.1 No party shall be in breach of this Agreement nor liable for delay in performing, or failure to perform, any of its obligations under this Agreement if such delay or failure result from events, circumstances or causes beyond its reasonable control. In such circumstances the time for performance shall be extended by a period equivalent to the period during which performance obligation has been delayed or failed to be performed.

5.2 Purpose of Processing. The Provider shall process the Personal Data provided by the Customer strictly only in accordance with clause 1.5(a) above and/or to the extent that such processing enables it to properly fulfil its obligations under the Contract and any renewal or extension thereof.

5.3 Duration of Processing. The Provider’s entitlement to process Personal Data shall continue strictly only for the duration of the Contract and any renewal or extension thereof, following which clause 1.5(g) above will apply.

5.4 Categories of Data Subject. The categories of Data Subject shall be determined exclusively by the nature and purpose of the Contract and any renewal or extension thereof and comprise (i) clients, prospective clients and former clients of the Customer, (ii) permanent, temporary, prospective and former employees, agents, contractors and other personnel of the Customer, (iii) individuals with a direct interest in general business aspects of the Customer’s operations, (iv) individuals with a direct interest in client, prospective client and former client matters transacted by the Customer and (v) visitors to the Customer’s website. Certain Data Subjects will belong to more than one category.