Data protection addendum
This current consolidated Data Protection Addendum was published on 31 July 2023.
In this Data Protection Addendum defined terms shall have the same meaning, and the same rules of interpretation shall apply as in the remainder of this Agreement. In addition, in this Data Protection Addendum the following definitions have the meanings given below:
has the meaning given to that term in Data Protection Laws;
means as applicable and binding on either party or the Services:
(a) the GDPR;
(b) the Data Protection Act 2018;
(c) any laws which implement or supplement any such laws; and
any laws that replace, extend, re-enact, consolidate or amend any of the foregoing;
has the meaning given to that term in Data Protection Laws;
means a request made by a Data Subject to exercise any rights of Data Subjects under Chapter III of the GDPR;
means the General Data Protection Regulation, Regulation (EU) 2016/679, as it forms part of domestic law in the United Kingdom by virtue of section 3 of the European Union (Withdrawal) Act 2018 (including as further amended or modified by the laws of the United Kingdom or of a part of the United Kingdom from time to time);
means the organisations, bodies, persons and other recipients to which Transfers of the Protected Data are made under paragraph 7.1;
means such legally enforceable mechanism(s) for Transfers of Personal Data as may be permitted under Data Protection Laws from time to time;
means the latest version of the list of Sub-Processors used by Phocas, as Updated from time to time, which as at Order Acceptance is available at https://www.phocassoftware.com/terms/subprocessors
has the meaning given to that term in Data Protection Laws;
means any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, any Protected Data;
has the meaning given to that term in Data Protection Laws (and related terms such as process, processes and processed have corresponding meanings);
has the meaning given to that term in paragraph 3.1.1;
has the meaning given to that term in Data Protection Laws;
means Personal Data in the Customer Data;
means a Processor engaged by Phocas or by any other Sub-Processor for carrying out processing activities in respect of the Protected Data on behalf of the Customer;
means any local, national or multinational agency, department, official, parliament, public or statutory person or any government or professional body, regulatory or supervisory authority, board or other body responsible for administering Data Protection Laws; and
bears the same meaning as the word ‘transfer’ in Article 44 of the GDPR (and related terms such as Transfers, Transferred and Transferring have corresponding meanings).
The parties agree that, for the Protected Data, the Customer shall be the Controller and Phocas shall be the Processor. Nothing in this Agreement relieves the Customer of any responsibilities or liabilities under any Data Protection Laws.
To the extent the Customer is not sole Controller of any Protected Data it warrants that it has full authority and authorisation of all relevant Controllers to instruct Phocas to process the Protected Data in accordance with this Agreement.
Phocas shall process Protected Data in compliance with:
the obligations of Processors under Data Protection Laws in respect of the performance of its obligations under this Agreement; and
the terms of this Agreement.
The Customer shall ensure that it, its Affiliates and each Authorised User shall at all times comply with:
all Data Protection Laws in connection with the processing of Protected Data, the use of the Services (and each part) and the exercise and performance of its respective rights and obligations under this Agreement, including maintaining all relevant regulatory registrations and notifications as required under Data Protection Laws; and
the terms of this Agreement.
The Customer warrants, represents and undertakes, that at all times:
the processing of all Protected Data (if processed in accordance with this Agreement) shall comply in all respects with Data Protection Laws, including in terms of its collection, use and storage;
fair processing and all other appropriate notices have been provided to the Data Subjects of the Protected Data (and all necessary consents from such Data Subjects obtained and at all times maintained) to the extent required by Data Protection Laws in connection with all processing activities in respect of the Protected Data that may be undertaken by Phocas and its Sub-Processors in accordance with this Agreement;
the Protected Data is accurate and up to date;
except to the extent resulting from Transfers to International Recipients made by Phocas or any Sub-Processor, the Protected Data is not subject to the laws of any jurisdiction outside of the United Kingdom;
it shall establish and maintain adequate security measures to safeguard the Protected Data in its possession or control (including from unauthorised or unlawful destruction, corruption, processing or disclosure) and maintain complete and accurate backups of all Protected Data provided to Phocas (or anyone acting on its behalf) so as to be able to immediately recover and reconstitute such Protected Data in the event of loss, damage or corruption of such Protected Data by Phocas or any other person;
all instructions given by it to Phocas in respect of Personal Data shall at all times be in accordance with Data Protection Laws; and
it has undertaken due diligence in relation to Phocas’s processing operations and commitments and it is satisfied (and at all times it continues to use the Services remains satisfied) that:
(a) Phocas’s processing operations are suitable for the purposes for which the Customer proposes to use the Services and engage Phocas to process the Protected Data;
(b) the technical and organisational measures set out in the Information Security Policy and this Agreement (each as Updated from time to time) shall (if Phocas complies with its obligations under such Addendum and this Agreement) ensure a level of security appropriate to the risk in regards to the Protected Data as required by Data Protection Laws; and
(c) Phocas has sufficient expertise, reliability and resources to implement technical and organisational measures that meet the requirements of Data Protection Laws.
Insofar as Phocas processes Protected Data on behalf of the Customer, Phocas:
unless required to do otherwise by applicable law, shall (and shall take steps to ensure each person acting under its authority shall) process the Protected Data only on and in accordance with the Customer’s documented instructions as set out in this Agreement (including with regard to Transfers of Protected Data to any International Recipient), as Updated from time to time (Processing Instructions);
if applicable law requires it to process Protected Data other than in accordance with the Processing Instructions, shall notify the Customer of any such requirement before processing the Protected Data (unless applicable law prohibits such information on important grounds of public interest); and
shall promptly inform the Customer if Phocas becomes aware of a Processing Instruction that, in Phocas’s opinion, infringes Data Protection Laws, provided that:
(a) this shall be without prejudice to paragraphs 2.4 and 2.5; and
(b) to the maximum extent permitted by applicable law, Phocas shall have no liability howsoever arising (whether in contract, tort (including negligence) or otherwise) for any losses, costs, expenses or liabilities (including any Data Protection Losses) arising from or in connection with any processing in accordance with the Processing Instructions following the Customer’s receipt of the information required by this paragraph 3.1.3.
The Customer shall be responsible for ensuring all Authorised Affiliates and Authorised Users read and understand the Privacy Policy (as Updated from time to time).
The Customer acknowledges and agrees that the execution of any computer command to process (including deletion of) any Protected Data made in the use of any of the Subscribed Services by an Authorised User will be a Processing Instruction (other than to the extent such command is not fulfilled due to technical, operational or other reasons, including as set out in the User Manual). The Customer shall ensure that Authorised Users do not execute any such command unless authorised by the Customer (and by all other relevant Controller(s)) and acknowledges and accepts that if any Protected Data is deleted pursuant to any such command Phocas is under no obligation to seek to restore it.
Subject to applicable Subscribed Service Specific Terms or the Order Form the processing of the Protected Data by Phocas under this Agreement shall be for the subject-matter, duration, nature and purposes and involve the types of Personal Data and categories of Data Subjects set out in the schedule.
Phocas will maintain technical and organisational measures as set out in Annexure A.
During the period in which Phocas processes any Protected Data, the Customer shall regularly undertake a documented assessment of whether the security measures set out in Annexure A are sufficient to protect the Protected Data against accidental, unauthorised or unlawful destruction, loss, alteration, disclosure or access to the extent required by Data Protection Laws in the circumstances. The Customer shall promptly notify Phocas of full details of any additional measures the Customer believes are required as a result of the assessment. The Customer acknowledges that Phocas provides a one-to-many service from a single common platform and the needs or assessments of other customers may differ. Phocas shall not be obliged to implement any further or alternative security measures, but this is without prejudice to the Customer ’s right to terminate this Agreement for convenience in accordance with the express provisions of this Agreement if it concludes the measures adopted by Phocas are no longer sufficient for its needs.
Subject to paragraph 5.2, Phocas shall not engage (nor permit any other Sub-Processor to engage) any Sub-Processor for carrying out any processing activities in respect of the Protected Data in connection with this Agreement without the Customer’s prior written authorisation. The Customer shall not unreasonably object to any new Sub-Processor (or any change to any of the Sub-Processors).
The Customer:
authorises the appointment of each of the Sub-Processors identified on the List of Sub-Processors as at Order Acceptance; and
authorises the appointment of each Sub-Processor (or any change to any of the Sub- Processors) identified on the List of Sub-Processors as Updated from time to time. Phocas shall notify the Customer of any additions to its List of Sub-Processors. The Customer shall be given the opportunity to make a reasonable objection to any new Sub-Processor and state its grounds for doing so. The Customer acknowledges that Sub-Processors are essential in order for Phocas to provide the Services and that objecting to the use of a Sub-Processor may prevent Phocas from continuing to provide the Services to the Customer. In the event that Phocas is unable to adequately address those objections, either party may terminate the Agreement upon notice. In such circumstances Phocas shall not be obliged to refund any Subscription Fees paid by the Customer, and the Customer shall prior to termination pay to Phocas the remainder of any Subscription Fees in respect of the Subscribed Service Period.
Phocas shall:
prior to the relevant Sub-Processor carrying out any processing activities in respect of the Protected Data, ensure each Sub-Processor is appointed under a written contract containing materially similar obligations as under paragraphs 2 to 11 (inclusive) (including those obligations relating to sufficient guarantees to implement appropriate technical and organisational measures);
remain fully liable for all the acts and omissions of each Sub-Processor as if they were its own.
Phocas shall ensure that all natural persons authorised by it (or by any Sub-Processor) to process Protected Data are subject to a binding written contractual obligation to keep the Protected Data confidential (except where disclosure is required in accordance with applicable law, in which case Phocas shall, where practicable and not prohibited by applicable law, notify the Customer of any such requirement before such disclosure).
Phocas shall refer all Data Subject Requests it receives to the Customer without undue delay.
Phocas shall provide such assistance as the Customer reasonably requires (taking into account the nature of processing and the information available to Phocas) to the Customer in ensuring compliance with the Customer’s obligations under Data Protection Laws with respect to:
security of processing;
data protection impact assessments (as such term is defined in Data Protection Laws);
prior consultation with a Supervisory Authority regarding high risk processing; and
notifications to the Supervisory Authority and/or communications to Data Subjects by the Customer in response to any Personal Data Breach,
provided the Customer shall pay Phocas for all work, time, costs and expenses incurred Phocas or any Sub-Processor(s) in connection with providing the assistance in this paragraph 6.2, calculated on a time and materials basis at Phocas’s rates set out in Phocas’s Standard Pricing Terms.
Subject to paragraphs 7.2 and 7.3, Phocas shall not Transfer any Protected Data:
to any country or territory outside the United Kingdom; and/or
to an organisation and/or its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries,
without the Customer’s prior written authorisation except where required by applicable law (in which case the provisions of paragraph 3.1 shall apply).
The Customer hereby authorises Phocas (or any Sub-Processor) to Transfer any Protected Data to any International Recipient(s), provided all Transfers of Protected Data by Phocas (or any Sub-Processor) to an International Recipient shall (to the extent required under Data Protection Laws) be effected by way of Lawful Safeguards and in accordance with Data Protection Laws and this Agreement. The provisions of this Agreement (including this Data Protection Addendum) shall constitute the Customer’s instructions with respect to Transfers in accordance with paragraph 3.1.1.
The Customer acknowledges that due to the nature of cloud services, the Protected Data may be Transferred to other geographical locations in connection with use of the Services further to access and/or computerised instructions initiated by Authorised Users. The Customer acknowledges that Phocas does not control such processing and the Customer shall ensure that Authorised Users (and all others acting on its behalf) only initiate the Transfer of Protected Data to other geographical locations if Lawful Safeguards are in place and that such Transfer is in compliance with all applicable laws.
Phocas shall maintain, in accordance with Data Protection Laws binding on Phocas, written records of all categories of processing activities carried out on behalf of the Customer.
On request, Phocas shall provide the Customer (or auditors mandated by the Customer) with a copy of the third party certifications and audits to the extent made generally available to its customers. Such information shall be confidential to Phocas and shall be Phocas’ Confidential Information as defined in this Agreement, and shall be treated in accordance with applicable terms.
The Customer acknowledges and accepts that relevant contractual terms agreed with Sub- Processor(s) may mean that Phocas or Customer may not be able to undertake or facilitate an information request or audit or inspection of any or all Sub-Processors and the Customer’s rights under paragraph 8 shall not apply to the extent inconsistent with relevant contractual terms agreed with Sub-Processor(s). Paragraph 5.3.1 shall be construed accordingly.
In respect of any Personal Data Breach, Phocas shall, without undue delay (and in any event within 72 hours):
notify the Customer of the Personal Data Breach; and
provide the Customer with details of the Personal Data Breach.
Following the end of the provision of the Services (or any part) relating to the processing of Protected Data, unless otherwise requested not to by the Customer, Phocas shall dispose of Protected Data in accordance with its obligations under this Agreement. Phocas shall have no liability (howsoever arising, including in negligence) for any deletion or destruction of any such Protected Data undertaken in accordance with this Agreement.
This Data Protection Addendum (as Updated from time to time) shall survive termination (for any reason) or expiry of this Agreement and continue until no Protected Data remains in the possession or control of Phocas or any Sub-Processor, except that paragraphs 10 to 11 (inclusive) shall continue indefinitely.
The Schedule - Data Processing Details
Subject-matter of processing:
Services provided by Phocas to the Customer pursuant to this Agreement.
Duration of the processing:
Phocas will process the Customer Personal Data until the earlier of final termination or final expiry of this Agreement, except as otherwise expressly stated in this Agreement.
Nature and purpose of the processing:
Phocas will process the Customer Personal Data as necessary to provide the Subscribed Services pursuant to this Agreement and in accordance with the documented instructions of the Customer from tie to tie in its use of the Services (including those in this Agreement).
The processing activities will consist of access, collection, recording, organisation, storage, hosting, making available to Users, consultation and use of Customer Personal Data.
The purposes will consist of the provision of the Subscribed Services together with compliance with support and security obligations under this Agreement.
Type of Personal Data:
The Personal Data includes:
In respect of Customer customers who are individual named persons and the personnel of any Customer’s customers: Customer Name, Delivery Address (including post code), Main Address (including post code), Phone, Contact Name, VAT Code, VAT, Customer Number, Customer ID, Value, Quantity, Delivered quantities and pieces, Discount, Whether the customer paid account or cash, Volume, Average costs, Costs, Extended cost of sale, Margin cost price, Payment Type, Rebate, Credit Limits, Parent/Host Accounts, Landlord (home) branch, Invoice Numbers, Order Numbers, Transaction Site Postcode, marketing preferences, any other personal data input by the Customer into the Services.
In respect of personnel of Customer: User ID, name, email address, password, phone (landline and mobile), language and time zone preferences and any usage statistics in respect of User’s account.
Categories of Data Subjects:
The data subjects are:
- Personnel of Customer
- Customers of Customer and such customers’ personnel
Phocas Internal Technical and Organisational Measures (TOMs)
These Internal TOMs describe the measures that Phocas Group Pty Ltd has put in place to ensure the security of data.
Phocas has appointed a Privacy Manager and an IT Security Officer who are responsible for coordinating Phocas’ security policies and procedures.
Phocas personnel who have access to data are subject to confidentiality obligations.
Phocas maintains and follows IT security policies and practices that are integral to Phocas’ business and mandatory for all Phocas employees, including supplemental personnel. IT security policies are reviewed periodically and a required to maintain protection of services and content.
Within the Phocas' IT Security department, there are suitably qualified personnel. These personnel will coordinate the implementation of IT security for Phocas data
Phocas segregates duties, roles and responsibilities. This prevents misuse or unauthorised/unintentional changes of data.
Phocas promotes a culture of privacy in all activities relating to data.
Phocas informs and trains all its personnel about relevant security procedures.
Phocas informs all personal on disciplinary actions for those who have violated security policies and standards.
Phocas has an inventory of all media on which data is stored. Access to the inventories of such media is restricted to Phocas personnel authorised to have such access.
All Phocas data is classified, labelled and handling rules specified.
No personal data is stored on portal devices (e.g. USB Memory sticks, external hard drives.
Phocas maintains a record of security privileges of individuals having both physical and logical access to data. This record is maintained and is up to date.
Phocas uses Multifactor identification to access data.
Phocas logs all access to data.
Phocas implements a least privilege rule to all data access.
Phocas does not use shared user accounts.
Phocas audits all users and their privileges to data quarterly.
Only anonymised data is used on test and development systems.
Data in transit to third parties will be encrypted.
Personal data on the Phocas’ premises is encrypted.
Phocas backup data stored on-site or off site is encrypted.
Phocas has a policy on the usage of cryptographic controls in order to create, manage, distribute, use, store and revoke of digital certificates and keys.
Only authorised users have access to Phocas’ facilities where information systems that process data are located.
Phocas implements a clear screen policy (lock and log-off when away from desk) for areas where data is processed.
Phocas protects against loss of data due to power supply failure or power surges.
Prior to any physical electronic disposal, [Client] ensures all data is deleted.
Phocas maintains policies and procedures describing its security measures and responsibilities of its personnel who have access to data.
Phocas maintains multiple copies of data, ensuring data can be recovered.
Phocas uses off-site storage for copies of data and has procedures for recovery of data.
Phocas has controls to help avoid malicious software gaining unauthorised access to data.
Phocas logs access and use of information systems containing data. This log includes data and time of day, access granted or denied, and activity.
Phocas has implemented network security to protect information systems containing data.
Phocas has implemented network security safeguards including: network segregation, intrusion detection, and perimeter protection.
Phocas will maintain appropriate security during software lifecycles.
Phocas will identify and evaluate technical vulnerabilities and threats. Phocas will implement an effective patch and vulnerability management policy to mitigate any threat to information systems that process data.
Any third party that Phocas uses to process data will have contracts that as a minimum will include General Terms and Agreements, Data Sharing Agreement, Data Sharing Schedule, and a TOM. This TOM as a minimum will be equivalent to this ToM.
Third Parties that use sub processors will agree with [Client] the content of these contracts prior to any signature.
Third Parties will not share any data (including with sub-contractors) without clear and unambiguous consent of Phocas.
Phocas maintains a record of all security breaches.
Phocas has an incident response procedure for IT security incidents.
Phocas has a business continuity and disaster recovery plan for all information systems that process data.
Phocas tests its business continuity and disaster recovery plan once a year.
Phocas complies with security requirements and policies, applicable laws and regulatory requirements.
No notice internal audits can be given by the Phocas Privacy Manager to Business Process Owners.
Phocas undertakes a GDPR external audit once a year.