UK & European Data Processing Schedule

Updated: 20 December 2024

 

1. Definitions

1.1 The definitions in the Agreement and in this Schedule shall apply to this Schedule.

“Customer Personal Data” means any Data which is personal data processed by Atticus in connection with the Subscription Services or Additional Services on behalf of Customer or any of the Instructing Parties as described in clause 1.13 below.

“Data Protection Legislation” means the data protection laws applicable to the processing of personal data in connection with the Subscription Services and Additional Services, including, where applicable, the European General Data Protection Regulation (EU) 2016/679, the UK General Data Protection Regulation (as defined in section 3(10) of the Data Protection Act 2018), California Consumer Privacy Act of 2018, Cal. Civil Code § 1798.100 et seq. (“CCPA”) and other applicable data protection laws of any relevant jurisdiction, in each case as amended or replaced from time to time.

The terms “controller”, “data subject”, “personal data”, “personal data breach”, “processing”, “processor” and “transfer” and their variations and similar terms, shall have the meaning given to them in Data Protection Legislation applicable to either party.

1.2 Customer Personal Data may contain personal data in relation to which the Customer, Authorised User, its group company, contractor or agent (each such party, an “Instructing Party”) is controller or is acting on behalf of the controller. Customer warrants and represents that it is authorised to give instructions on behalf of each of the Instructing Parties. Apart from Customer’s instructions and any instructions given by Authorised Users by using the Subscription Services and Additional Services, no other instructions shall be binding on Atticus. Customer appoints Atticus to process Customer Personal Data on behalf of the Instructing Parties subject to this Schedule as is necessary to provide the Subscription Services and Additional Services or as otherwise agreed in writing.

1.3 Each party agrees that as between the parties:

(i) Customer and each of the Instructing Parties is the controller in relation to Customer Personal Data; and

(ii) Atticus is a processor in relation to Customer Personal Data.

1.4 In relation to its processing of Customer Personal Data during the Subscription Term, save as otherwise provided by law, Atticus agrees to:

(a) process personal data only in accordance with the Customer’s documented lawful instructions, reasonably given in the context of the Subscription Services and Additional Services from time to time, and the Agreement, and inform the Customer if, in Atticus’ opinion, an instruction infringes the Data Protection Legislation. For the avoidance of doubt, Atticus (i) shall only process Customer Personal Data to provide the Subscription Services and Additional Services (i.e. for the “business purpose”, as defined in the CCPA (where applicable), of providing its services to Customer); (ii) acknowledges that it does not receive Customer Personal Data as consideration for its services; (iii) shall not “sell” or “share” (including as each such term is defined in the CCPA) or otherwise make available Customer Personal Data for targeted, cross‐context behavioural or other advertising; and (iv) shall not use any Customer Personal Data to train any artificial intelligence model of Atticus or any third party;

(b) implement appropriate technical and organisational measures to appropriately safeguard Customer Personal Data having regard to the nature of Customer Personal Data which is to be protected and the risk of harm which might result from any personal data breach, subject to clause 6.4 of the Terms;

(c) notify the Customer without undue delay if it becomes aware of a personal data breach. Where practicable, Atticus will provide phased notifications as information becomes available. Atticus will investigate the personal data breach and take reasonable action to identify, prevent and mitigate the effects of any personal data breach caused by Atticus. At the Customer’s expense, Atticus will take such further action as the Customer may reasonably request to comply with Data Protection Legislation;

(d) notify the Customer without undue delay of any data subject request under Data Protection Legislation relating to Customer Personal Data. Atticus may acknowledge each data subject access request. Where agreed between the parties, Atticus may, at Customer’s expense, respond to the subject access request on Customer’s behalf;

(e) notify the Customer without undue delay of any regulatory or law enforcement request relating to Customer Personal Data. Atticus will use reasonable endeavours to redirect such request to Customer and challenge any request reasonably considered unlawful. Where permitted by law, Atticus shall suspend any disclosure of Customer Personal Data to the public body pending a decision on the merits of the challenge by a competent judicial authority;

(f) notify the Customer upon becoming aware of any new law, practice or changes in leadership in public bodies that will likely give rise to a risk of unlawful surveillance by public bodies contrary to the Universal Declaration of Human Rights;

(g) where required under Data Protection Legislation applicable to Customer, Atticus will enter into standard contractual clauses (“SCCs”) or international data transfer agreement (“IDTA”) with the Customer or the relevant Instructing Parties for the international transfer of Customer Personal Data to Atticus. Atticus will not transfer any Customer Personal Data outside the relevant territory (e.g. UK or European Economic Area) without implementing with the recipient appropriate safeguards required under Data Protection Legislation, such as, where applicable, the SCCs or IDTA, except where otherwise required by law or to a Subprocessor (as defined below) appointed in accordance with paragraph 1.5 of this Schedule. Atticus may at any time replace the SCCs or IDTA by notice to Customer with immediate effect with such other instrument which complies with the Data Protection Legislation;

(h) ensure that persons authorised to process Customer Personal Data have committed themselves to confidentiality;

(i) provide such assistance as the Customer may reasonably require in order to ensure the Customer’s compliance with the Data Protection Legislation in relation to data security, data breach notifications, data protection impact assessments, international data transfer impact assessment and prior consultations with the data protection authority;

(j) assist the Customer in complying with its obligations under the Data Protection Legislation by making available to the Customer the information and Customer Personal Data processing records necessary to demonstrate its compliance with the Data Protection Legislation and allowing for and contributing to audits and inspections carried out by an independent third party, as the parties may agree from time to time; and

(k) on the Customer’s instructions, delete or return all Customer Personal Data to the Customer after the end of the provision of Subscription Services and Additional Services. Atticus may delete or destroy any Customer Personal Data that are no longer needed in connection with its provision of the services.

1.5 Atticus may engage subcontractors to process Customer Personal Data (each a “Subprocessor”) subject to paragraph 1.6 of this Schedule.

1.6 When engaging a Subprocessor, Atticus will:

(a) carry out reasonable due diligence;

(b) enter into a contract on terms, as far as practicable, that are substantially similar to those in this Schedule, and which, where required by applicable Data Protection Legislation or contract, may include SCCs or IDTA with respect to the processing and transfers of Customer Personal Data. Where the Subprocessor provides industry standard services (e.g. AWS) and operates on non-negotiable terms, then, notwithstanding anything to the contrary in this Agreement, Atticus may accept such terms. Atticus will on request, subject to its confidentiality obligations, provide a copy of such terms to Customer and both parties agree to comply with such terms. Atticus’ liability to Customer in respect of data protection obligations of such Subprocessor shall not exceed the Subprocessor’s liability under those terms;

(c) remain fully liable for the Subprocessor’s failure to fulfil its data protection obligations under such contract; and

(d) inform the Customer of any intended changes concerning the addition or replacement of a Subprocessor (existing Subprocessors listed here) from time to time. If the Customer objects to any such change on reasonable grounds, then acting in good faith the parties will work together to resolve such objection. If they are unable to resolve the objection, Atticus may terminate the Agreement without liability by notice with immediate effect.

1.7 Customer shall comply and ensure the Instructing Parties’ compliance with this Schedule and Data Protection Legislation. Customer shall promptly provide such assistance as Atticus may reasonably require in order to comply with its data protection and information security obligations.

1.8 Customer warrants and represents on a continuous basis that its instructions under this Schedule will not put Atticus or any Subprocessor in breach of the Law and that it and its agents will not deliberately do or omit to do anything which may put Atticus or any Subprocessor in such breach.

1.9 Save as otherwise required by law, the Customer may not publish any filing, communication, notice, press release, or report concerning any personal data breach involving Atticus without Atticus’ prior written approval; such approval shall not be unreasonably delayed or withheld.

1.10 Any Customer request that, acting reasonably, Atticus believes is disproportionate, taking into account the context of the Subscription Services and the Additional Services and the parties’ obligations under Data Protection Legislation, will be subject to a prior discussion between the parties in good faith and an agreement on the scope of services required and, where applicable, the payment of reasonable charges and expenses payable within 14 days of invoice date.

1.11 Apart from the Customer and Atticus or their successors no other party shall have any rights under this Schedule.

1.12 In addition to any exclusion and limitation of liability under the Agreement, Atticus shall not be liable in connection with this Schedule to the extent any loss or damage is caused or contributed to by an Instructing Party.

1.13 Details of Customer Personal Data:

Types of Customer personal data: Name, role or other personal data content of various documents relating to a corporate transaction, litigation or other Customer client matter uploaded in the Subscription Services and similar Customer Personal Data processed in connection with the Subscription Services and Additional Services.

Categories of data subject: Individuals whose personal data is featured in such documents in the Subscription Services and Additional Services.

Subject matter: The processing that is required in order to provide the Subscription Services and Additional Services described in the Agreement.

Duration of processing: For the duration of the Subscription Term and thereafter until erased in accordance with the data disposal processes of Atticus.

Nature and purposes of the processing: For Atticus to perform its obligations pursuant to the Agreement; and for delivery and provision of the Subscription Services and Additional Services to the Customer.