DATA PROCESSING ANNEX (the “Annex”)
Definitions
In this Annex, the following terms, where not inconsistent with the context, shall have the meanings set out below:
“Data Protection Laws” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (the “GDPR”) and any other applicable data protection legislation;
“Sub-Processor” means any person (including any third party and any affiliate), instructed, engaged, mandated or appointed by or otherwise acting on behalf of the Processor to Process Personal Data in connection with the Agreement;
Any other capitalised terms used in this Annex shall bear their respective meaning given in the GDPR.
Applicability
The purpose of this Annex is to ensure compliance with Data Protection Laws.
The Annex shall apply should the Controller, directly or indirectly, provide or make available Personal Data to the Processor in connection with the Agreement, without limiting any confidentiality provision already agreed upon between the Parties.
Processing of Personal Data
- The Parties shall comply with all applicable Data Protection Laws in the Processing of Personal Data.
- The Controller instructs the Processor (and authorises the Processor to instruct each Sub-Processor) to Process Personal Data as reasonably necessary for the fulfilment of the Agreement.
- The Parties shall not Process Personal Data other than on the Controller’s written instructions unless Processing is required by applicable laws to which the Processor is subject, in which case Processor shall to the extent permitted by applicable laws inform the Controller of that legal requirement before the relevant Processing of that Personal Data.
- Schedule 1 to this Annex sets out certain information regarding the Processing of the Personal Data as required by article 28(3) of the GDPR. The Parties may make reasonable amendments to Schedule 1 by written notice to the other Party from time to time as the Parties reasonably consider necessary to meet those requirements. Nothing in Schedule 1 confers any right or imposes any obligation on any Party.
Processor
The Processor shall take reasonable steps to ensure the reliability of any employee, agent or contractor of the Processor who may have access to the Personal Data, ensuring in each case that access is limited to those individuals who need to know/access the relevant Personal Data for the purposes of the Agreement and to comply with applicable laws in the context of that individual’s duties to the Processor, and ensuring that all such individuals are informed of the confidential nature of the relevant Personal Data, have received appropriate training on their responsibilities and are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.
The Personal Data shall remain at all times the property of the Controller, including any amendments or alterations to such Personal Data made by or on behalf of Processor under or in connection with this Agreement.
Security
The Processor shall, in relation to the Personal Data, implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR.
Sub-Processing
The Processor shall give the Controller notice of the current Sub-Processor or of appointment of any new Sub-Processor. The Processor shall not engage a Sub-Processor without prior specific or general written authorisation of the Controller.
With respect to each Sub-Processor, the Processor shall, before the Sub-Processor first Processes Personal Data, carry out adequate due diligence to ensure that the Sub-Processor is capable of providing the level of protection for Personal Data required for the Agreement, and shall ensure that the Processor/Sub-Processor relationship is governed by a written contract including terms which offer at least the same level of protection for Personal Data as those set out in this Annex and which meet the requirements of article 28(3) of the GDPR.
Transfer of Personal Data outside the European Economic Area (the “EEA”)
The Processor and its Sub-Processors shall not transfer the Personal Data outside the EEA and shall prevent the Personal Data from being accessed from a country which does not belong to the EEA, except for countries which do ensure an adequate level of data protection according to an adequacy decision of the European Commission, which the Processor shall inform the Controller about.
The Processor will be allowed to bring the Personal Data outside the EEA, under the following two cumulative conditions:
- The prior specific written authorisation of the Controller;
- Appropriate safeguards in conformity with the GDPR are in place.
In case of transfer of the Personal Data to the Processor’s Sub-Processor established outside the EEA, the Standard Contractual Clauses of the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021 will be executed between the Controller and the Sub-Processor.
The transfer outside the EEA shall immediately cease from the moment such adequacy decision of the European Commission or such safeguards are no longer valid or the conditions for their application are no longer fulfilled.
Data Subject Rights
Taking into account the nature of the Processing, the Processor shall assist the Controller by implementing appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller’s obligations, to respond to requests to exercise Data Subject rights under the Data Protection Laws.
The Processor shall:
- promptly notify the Controller if the Processor receives a request from a Data Subject under any Data Protection Law in respect of the Personal Data; and
- ensure that the Processor does not respond to that request except on the written instruction of the Controller or as required by applicable laws to which the Processor is subject, in which case the Processor shall to the extent permitted by applicable laws inform the Controller of that legal requirement before the Processor responds to the request.
Personal Data Breach
The Processor shall notify the Controller without undue delay upon the Processor or any Sub-Processor becoming aware of a Personal Data Breach affecting Personal Data, providing the Controller with sufficient information to allow the Controller to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Data Protection Laws.
The Processor shall co-operate with the Controller and take such reasonable commercial steps as are directed by the Controller to assist in the investigation, mitigation and remediation of each such Personal Data Breach.
Data Protection Impact Assessment and Prior Consultation
The Processor shall provide reasonable assistance to the Controller with any data protection impact assessments, and prior consultations with Supervisory Authorities or other competent data privacy authorities, which the Controller reasonably considers to be required by article 35 or 36 of the GDPR or equivalent provisions of any other Data Protection Law, in each case solely in relation to Processing of Personal Data by, and taking into account the nature of the Processing and information available to, the Processor.
Deletion or Return of Personal Data
Subject to this section, the Processor shall, within a reasonable time period from the date of termination of the Agreement involving the Processing of Personal Data (the “Termination Date”), return or delete, and procure the return or deletion of, all copies of those Personal Data as may be instructed by the Controller.
The Processor may retain Personal Data to the extent required by applicable laws and only to the extent and for such period as required by applicable laws, always provided that the Processor shall ensure the confidentiality of all such Personal Data and shall ensure that such Personal Data is only Processed as necessary for the purpose(s) specified in the applicable laws requiring its storage and for no other purpose.
Audit Rights
The Processor shall make available to the Controller information necessary to demonstrate compliance with this Annex, and shall allow for and contribute to audits, including inspections, by the Controller or an auditor mandated by the Controller in relation to the Processing of the Personal Data by the Processor.
Information and audit rights of the Controller under the preceding clause only arise to the extent that the Agreement does not otherwise give the Controller information and audit rights meeting the relevant requirements of Data Protection Law (including, where applicable, article 28(3)(h) of the GDPR).
Schedule 1: Details of Processing of Personal Data
This Schedule 1 includes certain details of the Processing of Personal Data as required by Article 28(3) GDPR.
Subject matter and duration of the Processing of Company Personal Data
The subject matter and duration of the Processing of the Personal Data are set out in the Agreement and this Annex.
The nature and purpose of the Processing of Personal Data
In line with the Services provided, it may be possible that the Archive Boxes contain Personal Data. In this case, ‘storage’ is the nature of the Processing. This applies together with the Processing of the Personal Data of the Designated Persons.
The types of Personal Data to be Processed
Personal Data belonging to the Designated Persons.
Personal Data contained within the Archive Boxes, although Rentastore does not have access to the contents of the Archive Boxes, except as outlined in the T&Cs.
The categories of Data Subject to whom the Personal Data relates
Personal Data belonging to the Designated Persons.
Personal Data contained within the Archive Boxes, although Rentastore does not have access to the contents of the Archive Boxes, except as outlined in the T&Cs.
The Processor’s contacts for Processing Personal Data
Sales and Operations Manager
The obligations and rights of Company and its Affiliates
The obligations and rights of Company and its Affiliates are set out in the Agreement and this Annex.
Processor Technical and Organisational Security Measures
The Processor Technical and Organisational Security Measures are set out in the Agreement and this Annex.
Approved Sub-Processors
The following Sub-Processors shall be considered approved by the Controller at the time of entering into this Annex:
n/a
New Sub-Processors
The following Sub-Processors have been added and communicated to the Controller prior to the relevant Sub-Processing:
n/a