Data Processing Terms

In order that you as a service provider and processor (referred to as “Processor” or “you” or “your”) may provide or continue to provide certain services (the “Services”) to us, Phoenix Notary Ltd (the “Notary Business”, “we”, “us” or “our”), you have agreed that these data processing terms (“Terms”) shall apply (notwithstanding any other terms and conditions applicable to the delivery of the Services to the contrary) in order to address the compliance obligations imposed upon the Notary Business and its Clients pursuant to Data Protection Law.

These Terms shall constitute a separate agreement or may be incorporated by reference in the relevant Services agreement, as the case may be.

By accepting any materials from the Notary Business or otherwise commencing the Services (“Effective Date”), you agree that the Processor will process Notary Business Personal Data in accordance with these Terms.

1. Definitions

1.1  In this Agreement:

  • “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with, a party during the Term.

  • “Data Protection Law” means the data privacy laws applicable to the processing in connection with the Services, including the Data Protection Act 2018, the UK and EU GDPR, or any other applicable data protection laws.

  • “Client” means any client of the Notary Business.

  • “Contractual Clauses” means the standard contractual clauses of the European Commission (or equivalent under UK law) for cross-border transfers of personal data, including the UK International Data Transfer Agreement (IDTA) and the UK Addendum to the EU SCCs.

  • “Notary Business Personal Data” means the personal data processed by the Processor in connection with the Services on behalf of the Notary Business, including names and other information in Client materials.

1.2 The terms “Data Subject,” “Personal Data,” “processing,” “Controller” and “Processor” shall have the meanings given under Data Protection Law.

2. Appointment

2.1  The Notary Business is appointed by Clients and Client Affiliates to provide and manage various services, including the Services. Accordingly, Notary Business Personal Data may include data in relation to which Clients are Controllers.

2.2  The Processor is appointed to process Notary Business Personal Data only as necessary to provide the Services or as otherwise agreed in writing.

3. Duration

3.1  The Terms commence on the Effective Date and continue until the Services have ceased and all Notary Business Personal Data in the Processor’s possession or control (including with Subprocessors) has been returned or securely deleted, unless retention is required by law (including anti-money laundering or notarial obligations).

4. Data Protection Compliance

4.1   The Processor agrees to:

4.1.1  Process Notary Business Personal Data only on our documented lawful instructions.

4.1.2  Inform us if an instruction appears to infringe Data Protection Law.

4.1.3  Ensure all authorised personnel are bound by confidentiality obligations.

4.1.4  Implement appropriate technical and organisational measures to safeguard personal data (as set out in the Schedule).

4.1.5  Promptly inform us of any data subject requests or regulatory/law enforcement requests, and not respond directly without our prior written consent.

4.1.6  Provide assistance as reasonably required to ensure compliance with Data Protection Law, including data security, breach notifications, DPIAs, and consultations with regulators.

4.1.7  Delete or return all Notary Business Personal Data upon request or at the end of the Services, subject to clause 3.

4.1.8  Make information available to demonstrate compliance and allow for audits and inspections, on reasonable prior notice and subject to confidentiality obligations.

5. Subprocessors

5.1  The Processor may not engage a subprocessor without our prior written consent.

5.2   If consent is given, the Processor must:
(a) carry out due diligence;
(b) enter into a written contract with terms equivalent to these Terms; and
(c) notify us of any intended changes. If we object on reasonable grounds, the parties shall work in good faith to resolve the objection.

6. Security Incidents

6.1  A “Security Breach” means any accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Notary Business Personal Data.

6.2   The Processor will notify us without undue delay if aware of a Security Breach.

6.3   The Processor will investigate, mitigate, and take reasonable action in response to the Security Breach, and provide further assistance as requested.

6.4   The Processor may not release or publish any communication regarding a Security Breach without our prior written approval.

7. International Data Transfers

7.1   The Processor will not transfer Notary Business Personal Data outside:
(a) the UK;
(b) the EEA; or
(c) any other restricted territory under Data Protection Law,
without prior written consent.

7.2   Where such transfers occur, appropriate safeguards must be in place, including the UK International Data Transfer Agreement (IDTA), the UK Addendum to the EU SCCs, or other lawful transfer mechanisms.

8. Indemnity

8.1  Notwithstanding any provisions of the relevant Services agreement to the contrary, the Processor shall indemnify the Notary Business, its Clients and Affiliates, and their officers, employees, agents and subcontractors (each an “Indemnified Party”) from and against any claims, losses, demands, actions, liabilities, fines, penalties, expenses, damages and settlement amounts (including reasonable legal fees and costs) incurred by any Indemnified Party as a result of any gross negligence or wilful breach by the Processor of these Terms.

9. Miscellaneous

9.1   Headings are for convenience only and do not affect interpretation.

9.2  To the extent of any conflict, these Terms prevail over any Services agreement.

9.3   Nothing in these Terms excludes liability that cannot be excluded by law.

9.4   These Terms constitute the entire agreement on this subject matter.

9.5   Notices must be in writing and are deemed received 48 hours after posting by recorded delivery, or on the same day if sent by email with receipt confirmation.

9.6   If any provision is invalid, the remainder shall remain in force.

9.7   These Terms are governed by English law, and the parties submit to the exclusive jurisdiction of the English courts.

Schedule: Minimum Security Measures

Technical measures:

  • Firewalls, access controls, strong passwords, secure configurations.

  • Regular software updates and decommissioning of old systems.

  • Real-time anti-virus and anti-malware protection.

  • Encryption of portable devices and data in transit.

  • Multi-factor authentication, WPA-secured WiFi, intrusion detection systems.

  • Backups and disaster recovery procedures.

Organisational measures:

  • Vetting of staff and subcontractors.

  • NDAs for all personnel.

  • Regular training on confidentiality and data protection.

  • Principle of least privilege for data access.

  • Physical security (locks, cabinets, CCTV, reception desk).

  • Policies for information security, acceptable use, BYOD.

  • Secure disposal of documents and materials.