ABOUT W3P

Nettl Works makers uses the w3p software platform and is accessed on-line by you (subject to the agreement below).

 

SUPPLY AGREEMENT

THIS AGREEMENT GOVERNS YOUR USE OF THE PLATFORM AND SUPPLY OF GOODS AND SERVICES. IN CONSIDERATION OF US MAKING THE PLATFORM AVAILABLE TO YOU, YOU AGREE TO BE BOUND BY THIS AGREEMENT AND ALL ADDENDUMS TO IT AND REVISIONS THEREOF. YOU ACKNOWLEDGE THAT YOU HAVE READ THIS AGREEMENT. YOU AGREE THAT THIS AGREEMENT IS LIKE ANY WRITTEN NEGOTIATED AGREEMENT SIGNED BY YOU AND THAT YOU HAVE HAD AN OPPORTUNITY TO SEEK INDEPENDENT LEGAL ADVICE PRIOR TO AGREEING TO BE BOUND BY IT. YOU FURTHER AGREE THAT THIS AGREEMENT AND ALL ADDENDUMS TO IT CONSTITUTES THE ENTIRE AGREEMENT BETWEEN US AND SUPERSEDES ANY PROPOSAL OR PREVIOUS AGREEMENT, ORAL OR WRITTEN AND ANY OTHER COMMUNICATION BETWEEN US RELATING TO YOU ACCESSING OR USING THE PLATFORM. FOR THE AVOIDANCE OF ANY DOUBT HOWEVER, THIS CLAUSE DOES NOT SEEK TO EXCLUDE OR LIMIT OUR LIABILITY FOR FRAUDULENT MISREPRESENTATION.

 

Background 

This supply agreement is by and between Grafenia Operations Limited (“GOL”, “us” or “we”) and the supplier (“Supplier” or “you”) detailed in the Supply Agreement Particulars or, where you have applied on-line, the email confirmation sent to you (together the “Supply Agreement Particulars”). It sets forth the terms and conditions of Supplier’s access to the Platform and supply of products and services. As a condition of the Subscription, Supplier must accept this Agreement in its entirety. It is a fairly lengthy agreement and it contains important provisions that govern your rights and obligations. At our sole discretion we may modify the Agreement at any time and such changes will be effective immediately, you herby waive any right you may have to receive notice of such changes and you will be bound by such modifications and the Agreement will remain in full force and effect until terminated in accordance with termination provisions set forth below. If the Agreement is modified we will upload an amended Agreement to the web site located at www.nettl.works/terms (or any alternative or replacement website, together the “Site”). At any particular time, the version of the Agreement that will govern your relationship with us and our rights and obligations with respect to the Platform will be that version of the Agreement appearing on the Site at the time you last accessed the Platform.

 

BACKGROUND 

(A)        The Grafenia Group operates a business which utilises the w3p Platform to facilitate the supply of products and services to networks of graphic designers around the world.

(B)        The Grafenia Group has established substantial reputation and goodwill in the w3p Platform and the Supplier recognises and acknowledges the necessity of conforming to high standards and uniform specifications required by GOL in the supply of products and services. 

(C)        GOL wishes to engage the Supplier and the Supplier wishes to supply GOL with products and services on the terms and conditions of this Agreement for resale by GOL to Licensees and Customers.

 

 

OPERATIVE PROVISIONS

1            Definitions

1.1        In this Agreement (including the background above) the following expressions shall have the following meanings: 

 

Affiliate
a person shall be an affiliate of a person if it:

(a)   Controls (directly or indirectly) the Party in question, or

(b)   is Controlled (directly or indirectly) by the Party in question, or

(c)    is Controlled (directly or indirectly) by a third party which also directly Controls the Party in question where Control in relation to a Party shall mean the beneficial ownership of more than 50% of the issued share capital of that Party or the legal power to direct or cause the direction of the general management of that Party and controls, controlling and controlled shall be construed accordingly.

 

Applicable Laws
all relevant statutes, byelaws, regulations, guidelines, industry codes and requirements of any government or other competent authority in force relating to the Supplier and the conduct of its business and/or the performance of its obligations under this Agreement and/or the Supplier Products (including in relation to the manufacture, labeling, packaging, storage, handling, supply and delivery of the Supplier Products);

 

Authorised User
any individual who is employed or engaged under contract as part of the Supplier’s staff and in respect of whom GOL has set up a User Account;

 

Carrier
any carrier whose services can be ordered by Licensees through the w3p Platform;

 

Change of Control
a change in the person or persons Controlling (including a change in the majority of the members of the board of directors) the Supplier;

 

Confidential Information
the terms of this Agreement and all communications and all information whether written, visual or oral and all other materials including graphic files relating to Jobs supplied to or obtained by the Supplier from GOL in contemplation of or in connection with or during the continuance of this Agreement which shall include Customer Information and any other information from whatever source supplied to or obtained by the Supplier from GOL concerning the trade secrets, Licensees, business associations, financial arrangements, know how (including the w3p Documentation) or commercial affairs of the Grafenia Group;

 

Customer
any customer of the Grafenia Group or an Affiliate of a customer of the Grafenia Group or a customer of a Licensee or an Affiliate of a customer of a Licensee;

 

Customer Information
the Customer’s name, address, contact details and order details and any other information relating to the Customer that is made available pursuant to this Agreement; 

 

Despatch
means to deliver into the physical possession of the Carrier the date of which shall be as evidenced by the Carrier’s delivery manifest;

 

Expected Turnaround Time
the number of Working Days from receipt of a Job within which the Supplier will produce and Despatch the Job to the Carrier, such expected turnaround time to be as agreed and set out on the w3p Platform prior to the date of this Agreement or, in the case of further Supplier Products made available after the date of this Agreement, as agreed between the Parties and subsequently set out on the w3p Platform;

 

Force Majeure
means an event beyond a party’s reasonable control (which could not reasonably have been anticipated and avoided by a party) preventing or delaying it from performing its obligations under this Agreement, including war, terrorism, riot or civil commotion; strikes, lock outs or other industrial action (excluding those of the affected party’s own employees); restrictions imposed by government or public authority; explosion, fire, flood, or natural disaster. Force Majeure does not include non-performance by suppliers or subcontractors of the affected party;

 

Good Industry Practice
the exercise of skill, diligence, prudence and foresight which would reasonably be expected from a skilled and experienced supplier of services similar to the Supplier Products, seeking in good faith to comply with its contractual obligations and all Applicable Laws;

 

Grafenia Group
at any time during the term of this Agreement GOL and its Affiliates;

 

Insolvency Event
means in respect of a party, that it suspends, or threatens to suspend, payment of its debts or is unable to pay its debts as they fall due within the meaning of section 123 of the Insolvency Act 1986, or enters into a composition, compromise or arrangement to reschedule or restructure its debt with or for the benefit of its creditors (except for the purpose of a bona fide reconstruction or amalgamation), or it compulsorily or voluntarily enters into liquidation  or commences negotiations in respect of the same (except for the purpose of a bona fide reconstruction or amalgamation), or it has an administrator, receiver, liquidator or manager appointed over the whole or a substantial part of its assets or any petition or notice is filed or given in respect of the same by any person, or any creditor or encumbrancer attaches or takes possession of or a distress, execution, sequestration or other such process is levied or enforced on or sued against the whole or any part of its assets which is not discharged within 14 days, or it ceases or threatens to cease business or is dissolved, or if any equivalent, analogous or similar event occurs or proceeding is taken, with respect to that company in the Territory or in any jurisdiction to which it is subject;

 

Intellectual Property
any copyright, database, design, patent, trademark, trade name or other intellectual property right whatsoever (whether registered or unregistered and whether existing now or at any time in the future) together with any goodwill and/or know-how relating or attaching to any such intellectual property rights and all extensions and renewals of any such intellectual property rights and the right to apply for any such intellectual property right;

 

Job
an order placed with the Supplier by GOL for Supplier Products as identified by a Unique Job Number;

 

Licensee
any business or undertaking that utilises all or any part of the w3p Platform under licence from the Grafenia Group and/or purchases any Supplier Products from the Grafenia Group;

 

Manufacturing Specification
the products characteristic as set out on the w3p Platform and the manufacturing tolerances defined by GOL detailing the allowable extent of the inherent variations, fluctuations, or inconsistencies with the Supplier Products due to the manufacturing processes;

 

Party
a party to this Agreement;

 

P-Flapi
the Application Programme Interface which enables the Supplier Production MIS to interface with the w3p Platform;

 

P-Flapi specifications
the Grafenia Group’s documentation and instructions regarding methods, processes, techniques, systems and schemes devised and compiled by it, and any amendment or variation thereof at any time hereafter made available to the Supplier, to be observed and implemented by the Supplier in using P-Flapi and implementation of P-Flapi with the Supplier Production MIS;

 

Production Price
the price at which the Supplier will sell the Supplier Products to GOL as agreed and set out on the w3p Platform as at the date of this Agreement or, in the case of further Supplier Products made available after the date of this Agreement, the price agreed between the Parties and subsequently set out on the w3p Platform;

 

Supplier Production MIS
the software utilised by the Supplier in the manufacture of Supplier Products;

 

Supplier Products
the products and services to be supplied by the Supplier in accordance with this Agreement;

 

Unique Job Number
the unique identification number generated by the w3p Platform in respect of each Job for Supplier Products;

 

User Account
The password and username supplied to Authorised Users to access the w3p Platform;

 

w3p Documentation
the written specification of the methods, processes, techniques, systems and schemes devised and compiled by the Grafenia Group to be observed and implemented by the Supplier in utilising the w3p Platform and supplying the Supplier Products any amendment or variation to such specification at any time during the term of this Agreement;

 

w3p Platform
the Grafenia Group’s proprietary management information platform to, amongst other things, be utilised by the Grafenia Group and its Licensees to provide products and services, including the Supplier Products, to Customers; 

 

Working Day
any day except a Saturday and Sunday and any Bank and/or public holiday in the United Kingdom.

1.2        In this Agreement:

1.2.1       The headings used are included for convenience only and are not to be used in construing or interpreting this Agreement;  

1.2.2       Any reference to any statute, decree, law, statutory instrument or other regulation having the force of law shall be deemed to include any lawful modifications thereto or re-enactments thereof after the date of signature of this Agreement;

1.2.3       Any reference to the plural shall include the singular and vice versa and any reference to one gender shall include all genders; 

1.2.4       Any reference to a person shall include natural persons, partnerships and other such unincorporated bodies, corporate bodies and all other legal persons of whatever kind or however constituted;

1.2.5       Any reference to a clause or schedule shall (unless otherwise specifically provided) be a reference to a clause or schedule of this Agreement;  

1.2.6       Any obligation by a Party not to do an act or thing shall be deemed to include an obligation not to permit such act or thing to be done by another person;

1.2.7       The words include, includes, including and included shall be construed without limitation; 

1.2.8       Unless expressly stated otherwise the cost and expenses of performing an obligation shall be borne by the Party tasked with performing that obligation; 

1.2.9       Any word which is not defined in this Agreement but which is defined within the w3p Documentation or which has in respect of the operation of the Grafenia Group’s business a customarily accepted meaning by GOL shall have that meaning unless inconsistent with the context;

1.2.10    Where any right can be exercised under this Agreement for the benefit of the Grafenia Group, if so required by GOL, it can be exercised for any specific member or members of the Grafenia Group; 

1.2.11    Where the context so requires a reference to the Grafenia Group shall be construed as a reference to either a specific member or specific members of the Grafenia Group as opposed to the Grafenia Group as a whole.

 

2            Commencement and term 

2.1        This Agreement shall commence on the date set out on the Supply Agreement Particulars and shall continue thereafter until terminated by either Party giving to the other not less than 4 week’s notice.

 

3            Supply of Products  

3.1        The Supplier agrees that it will supply Supplier Products pursuant to each Job placed in accordance with this Agreement.

3.2        The Supplier acknowledges and agrees that it will supply GOL with Supplier Products at the lower of, the Production Price, or the lowest price that it supplies or offers to supply that product (or equivalent products) to anyone else whether through its website, password protected wholesale platform or any other channel (taking into account all discounts, rebates concessions and similar). 

3.3        The Supplier shall not increase the Production Price without GOL’s written consent and subject always to clause 3.2 above.

3.4        The Supplier acknowledges and agrees that it shall be responsible for all costs (including packaging but not the delivery costs) associated with producing and Despatching each Job for delivery to the address specified by GOL via the w3p Platform. For the avoidance of doubt the Supplier shall not be entitled to make any specific charge in respect of such costs, such costs being deemed included in the relevant Production Price. 

3.5        The Supplier shall ensure that all Supplier Products to be supplied under this Agreement shall be packaged in secure packaging which packaging must be labelled in the manor specified in the w3p Documentation and incorporate such GOL logos and/or indicia as required by GOL.

3.6        The Supplier shall use its best endeavours to Despatch each Job within the Expected Turnaround Time. The Supplier acknowledges and agrees that Despatch of each Job shall be deemed to take place on the date (as evidenced by the Carrier’s delivery manifest) that the Licensor passes the goods to the Carrier. 

3.7        If the Expected Turnaround Time has been exceeded the Supplier shall ensure the Job in question is, when completed, Despatched on a same day delivery service at the Supplier’s cost. 

3.8        The Supplier shall audit its performance each month and within 14 days of the end of each calendar month will provide GOL with details, in such form as GOL reasonably requires, of the Supplier’s success rate in meeting its obligations to Despatch jobs within the Expected Turnaround Time.

3.9        Risk of loss of or damage to the Jobs shall only pass to GOL on delivery to the address specified by GOL via the w3p Platform.

3.10     The Supplier shall operate its business and supply the Supplier Products with the highest level of skill, care and diligence in accordance with Good Industry Practice, using appropriately qualified, skilled and experienced personnel.  

3.11     The Supplier will ensure that it has the capability to fulfil each Job having regard to historic and reasonably anticipated demand for Supplier Products merchandised via the w3p Platform.

3.12     The Supplier will ensure that the Supplier Products (and all goods, materials standards and techniques used in providing the Supplier Products) supplied by the Supplier pursuant to this Agreement shall be fit for purpose and of a high quality and be free from defects in workmanship and in accordance with Manufacturing Specification.

3.13     The Supplier acknowledges that all Supplier Products supplied by the Supplier pursuant to each Job are resold by the Grafenia Group to Licensees and that the Grafenia Group provides compensation (as set out in the w3p Documentation) to Licensees in respect of late Despatch and / or failure to supply Jobs that meet the Manufacturing Specification. In the event that the Grafenia Group is liable to pay compensation to any Licensee (or other third party purchaser of the Supplier Products), and notwithstanding that the Supplier is still obliged to fulfil any late Job (and shall not be relieved from such obligation by paying compensation as required by this clause), the Supplier agrees to pay GOL, a sum equal to the sum that the Grafenia Group has compensated the Licensee with.  GOL shall, without prejudice to any other right, be entitled to set-off and deduct such sum from any sum due to the Supplier pursuant to this Agreement.

3.14     The Supplier will provide customer support to Licensees in respect of general product enquiries and late Despatch and quality issues in respect of specific Jobs, by telephone, email, or such other medium and utilising only such infrastructure as GOL reasonable requires from time to time, which shall be made available between the hours of 9am and 5.30pm, Monday to Friday.  GOL will provide all email accounts required in order to provide such support and provide the Supplier with access to them. The Supplier will provide a dedicated telephone number for GOL to redirect customer support enquires which the Supplier’s employees will answer as Works “Location Name” (and shall follow any other reasonable request or script that GOL specifies in relation to the provision of support). The Supplier acknowledges the importance of confidentiality in respect of its provision of customer support as GOL’s agent, it will use its best endeavours to ensure its identity is not transmitted or communicated in the course of providing customer support and acknowledges and agrees that a breach of this clause is an irremediable material breach of this Agreement.

3.15     The Supplier warrants, represents and undertakes that it shall comply with and supply the Supplier Products in accordance with all Applicable Laws. 

3.16     The parties agree to comply with the data protection provisions of the Schedule.

 

4            Payment 

4.1        Unless otherwise stated, all sums payable by GOL to the Supplier under or in connection with this Agreement shall be paid as set out in the Supply Agreement Particulars under the heading Payment Method and Payment Terms to the Supplier’s bank account by the method set out in the Supply Agreement Particulars under the heading Payment Method and Payment Terms or such other method as the GOL may reasonably require, but for the avoidance of doubt GOL shall not be liable to account to the Supplier for any sums in respect of any Jobs which have not been Despatched.

4.2        GOL will self invoice in respect of Jobs and each Monday will produce invoices in respect of Jobs placed with and produced in the preceding week (as determined by the date that a production run is completed, as indicated on the w3p platform) by the Supplier, these invoices shall save for manifest error be final and binding upon the Supplier, the Supplier must notify GOL of any error with 7 days of receipt of the invoice in question.

 

5            P-Flapi

5.1        The Supplier may process orders via w3p platform using a web browser. They may elect to use P-Flapi to automate accept and process Jobs via an API.  

5.2        GOL will provide the Supplier with the P-Flapi Specifications and access to its password controlled on-line test environment in order for the Supplier to test its implementation of P-Flapi with the Supplier Production MIS prior to making it available in a live environment. The Supplier shall treat such P-Flapi Specifications and passwords with the strictest confidence and shall use the same only for the purposes of the said testing and for no other purpose whatsoever, and shall destroy and/or return the same to GOL upon request.

5.3        The Supplier acknowledges that under no circumstances will GOL be providing any services in the nature of software engineering, software development or similar (together “Software Services”) whether in respect of the integration of P-Flapi or otherwise. GOL may in its absolute discretion decide to supply limited support by way of email response to queries that the Supplier may have in respect of the integration of P-Flapi.  If GOL does agree to provide such email support then the Supplier agrees:

5.3.1       to pay the charges that GOL has, prior to GOL providing the support in question, informed the Supplier in writing will be payable in respect of such support; 

5.3.2       that GOL has no knowledge, and is not deemed to have any knowledge, of the Licensee Production MIS;

5.3.3       the support is provided on the basis of GOL’s use of the w3p Platform and not as a Software Services provider and the Supplier relies on such support entirely at its own risk.

5.4        The Supplier will use P-Flapi strictly in accordance with the P-Flapi Specifications. The Supplier acknowledges and agrees that GOL shall have no liability to the Supplier in respect of any matter complained of by the Supplier or otherwise in connection with which the Supplier has failed to adhere to the P-Flapi Specifications. 

5.5        Following any updates, revisions or substitutions of or to the P-Flapi that GOL may make from time to time, the Supplier shall obtain and/or use the same and/or make such changes to its Licensee Production MIS as are necessary to enable the Supplier Production MIS to utilize P-Flapi as envisaged by this Agreement. GOL shall provide any additional P-Flapi specifications as necessary in this regard. 

5.6        The Supplier acknowledges and agrees that notwithstanding any other provision of this Agreement there are no service levels, warranties, representations, guarantees or other commitments made or given by GOL to the Supplier (whether express or implied) in respect of P-Flap, the P-Flap Specifications or any support, assistance, advice, know how and guidance given by GOL pursuant to this clause 4 which is made strictly on the understanding that the Supplier shall be deemed to possess the skill and competence of a person ordinarily engaged in the implementation of software of the type and nature of P-Flapi.

 

6            w3p Documentation

6.1        GOL shall provide the Supplier with password protected access to the w3p Documentation on the w3p Platform. 

6.2        The Supplier shall comply with the policies and procedures of GOL as set out in the w3p Documentation from time to time and shall co-operate with GOL and its Licensees in all matters relating to the Supplier Products and comply with their reasonable instructions.

 

7            Warranties and Liability 

7.1        Each Party warrants that it has the right to enter into this Agreement.

7.2        GOL does not warrant or represent that the w3p Platform will be continuously available and/or comply with any functionality and/or performance specification attributed to it by GOL.

7.3        GOL shall not in any event be liable for any indirect, special or consequential loss, howsoever arising in connection with or out of this Agreement or in respect of the supply function or use of the w3p Platform or P-Flapi and shall not, subject to clause 7.4, be liable for any other loss except as provided in this Agreement. 

7.4        Nothing in this Agreement shall limit or exclude either Party’s liability for death or personal injury caused by its negligence, fraud or fraudulent misrepresentation, or any other liability which cannot be excluded or limited under English law or any other Applicable Law.

 

8            Indemnity by Supplier 

8.1        The Supplier hereby agrees and undertakes fully and effectively to indemnify and keep indemnified GOL and any member of the Grafenia Group as well after as before the expiry or termination of this Agreement from and against all damages, loss, claims, demands, expenses (including legal and professional expenses), costs and liabilities which GOL and/or any member of the Grafenia Group may at any time incur as a result of any and all breaches by the Supplier (directly or through an Affiliate) of any provisions of this Agreement and/or the Supplier’s negligence.

 

9            Confidentiality 

9.1        For the avoidance of any doubt save strictly for the purpose of exercising its rights and/or performing its obligations under this Agreement the Supplier shall not have either during the term of this Agreement or at any time after its termination or expiry any rights whatsoever in the Confidential Information.  

9.2        The Supplier covenants and agrees:  

9.2.1       to hold all Confidential Information in its possession, custody or power in safe custody at its own risk;  

9.2.2       to use the Confidential Information exclusively for the purposes of this Agreement and to procure that no other person shall at any time without the prior written consent of GOL whether before or after termination of this Agreement divulge or use whether directly or indirectly for its own benefit or that of any other person, firm or company any of the Confidential Information;

9.2.3       not to disclose the Confidential Information to any person other than to those of its employees and/or professional advisors to whom and to the extent only that such disclosure is necessary for the purposes of this Agreement (and in such circumstances the Supplier shall be liable for any breach of this clause by such person and will ensure that the person receiving the Confidential Information in question is under a duty, at least as onerous as that set out in this clause, to keep such Confidential Information confidential) or to any person where such disclosure is required by Law, by any governmental or other regulatory authority or by a court or other authority of competent jurisdiction provided that, to the extent it is legally permitted to do so, it gives GOL as much notice of such disclosure as possible and, where notice of disclosure is not prohibited and is given in accordance with this clause, it takes into account GOL’s reasonable requests in relation to the content of such disclosure.

9.3        The obligation of confidentiality and the prohibitions against use hereby undertaken by the Supplier shall cease to apply to any Confidential Information which: 

9.3.1       falls within the public domain through no act or default of the Supplier;

9.3.2       is already known to the Supplier prior to disclosure by GOL (other than where such knowledge is a result of a divulgence of Confidential Information under an obligation of confidentiality) and provided such prior knowledge is evidenced by  written records of the Supplier which pre-date the date of disclosure and such records are produced to GOL within 28 days of disclosure; or 

9.3.3       becomes known to the Supplier as a result of a disclosure by a third party who has lawful right to disclose the Confidential Information. 

 

10         Non Solicitation  

10.1     The Supplier acknowledges and agrees that in order to protect the Confidential Information and business connections of GOL and its Licensees it is the intention of this Agreement that it shall ensure during this Agreement and for a period of 12 months following its termination that neither it nor any of its Affiliates nor any person connected with the Supplier (and in this context connected with shall have the meaning ascribed to it in s.252 of Companies Act 2006) shall supply any products or services, equivalent to the Supplier Products, directly to any Customer or Licensee (or solicit or procure orders from Customers or Licensees for such products or services).  Further the Supplier shall ensure its identity is not transmitted or communicated with any Job supplied or otherwise to any Licensee or Customer and acknowledges and agrees that a breach of this clause is an irremediable material breach of this Agreement. 

 

11         Insurance 

11.1     The Supplier shall at its own expense obtain and maintain with a reputable insurance company, public liability, product liability, and such other insurance in such amounts and in respect of such risks as, having regard to the potential liabilities associated with the supply of the Supplier Products (including the supply of defective Supplier Products) it would in all circumstances be prudent to have in place.

11.2     The Supplier shall from time to time furnish to GOL on demand copies of all such insurance policies together evidence that all premiums due have been paid.

 

12         Change of control

12.1     The Supplier will notify GOL in writing immediately upon the occurrence of a change of Control.

12.2     GOL may terminate this Agreement forthwith by written notice if a Change of Control shall occur.

 

13         Force Majeure 

13.1     A party will not be liable if delayed in or prevented from performing its obligations under this Agreement to the extent such delay or non-performance is due to Force Majeure, provided that it promptly notifies the other party of the Force Majeure event and its expected duration, and uses reasonable endeavours to minimise the effects of that event. 

13.2     If, due to Force Majeure, a party is unable to perform a material obligation under this Agreement, or is delayed in or prevented from performing its obligations for a continuous period of more than 30 days, the other party may terminate this Agreement on not less than 10 days’ notice.

 

14         Termination

14.1     Either Party may terminate this Agreement forthwith without liability by giving notice in writing to the other if the other Party

14.1.1    commits an irremediable material breach of its obligations under this Agreement; 

14.1.2    commits a remediable breach which breach is not remedied within 30 days of the date of service of a written notice outlining the breach and requiring its remedy.

14.2     This Agreement shall automatically terminate without notice being given in the event that either Party is subject to an Insolvency Event. 

14.3     GOL may terminate this Agreement forthwith by giving notice in writing to the Supplier if the Supplier:

14.3.1    shall purport to effect any assignment of any of the rights or licences herein granted other than in accordance with the terms hereof; 

14.3.2    fails to obtain any prior written approval or consent of GOL where expressly required by this Agreement;

14.3.3    discloses or permits or suffers the disclosure of any Confidential Information contrary to the terms hereof; 

14.3.4    or any officer, director or employee of the Supplier knowingly (and, in this context knowingly, shall be taken to include circumstances in which such person ought reasonably to have  known) gives to GOL any false or misleading information or makes any misrepresentation in connection with obtaining this Agreement or at any time during the continuance of this Agreement;

14.3.5    repeatedly or persistently breaches this Agreement; 

14.3.6    is, in the reasonable opinion of GOL, negligent or incompetent in the Supply of the Supplier Products. 

 

15         Consequences of termination

15.1     The Supplier agrees that upon the termination or expiration of this Agreement for any reason it shall:

15.1.1    immediately cease to use in any way whatsoever any and all Intellectual Property of the Grafenia Group;  

15.1.2    return all Confidential Information and/or anything that incorporates and/or features any part of the Confidential Information to GOL or if directed by GOL destroy any and all copies of the same, including permanently erasing it from the Supplier’s computers systems to the extent technically practicable;

15.1.3    do all such acts and things and execute all such documents as GOL shall reasonably require in connection with such termination including transferring any telephone number utilised in the provision of customer support.

15.2     The rights liabilities and obligations of the parties shall cease on termination or expiration of this Agreement save in respect of any accrued rights or liabilities and the coming into force or the continuance in force of any provision of this Agreement which is expressly or by implication intended to come into force or continue in force on or after such termination or expiration. 

15.3     The provisions of this clause 15 shall survive termination or expiration of this Agreement.

 

16         Notices

16.1     Any demand, notice or other communication given or made under or in connection with this Agreement shall be in writing and shall  be given to GOL or to, as the case may be, the Supplier, either personally, by post pre-paid first class, to the address set out on the Supply Agreement Particulars for the Party concerned or e-mail appropriately addressed to the email address set out on the Supply Agreement Particulars in the case of the Supplier and ceo@grafenia.com in the case of GOL or to such other address, facsimile, e-mail or name as either Party may from time to time designate by written notice to the other.

16.2     Notices and communications so designated, shall be deemed to have been duly given or made:

16.2.1    if delivered by hand, upon delivery at the address of the relevant Party;  

16.2.2    if sent by prepaid first class post, two (2) Working Days after posting; or

16.2.3    if sent by e-mail, upon receipt by the sender of confirmation of error free and complete transmission; 

16.2.4    where in accordance with the above provisions any notice or communication would otherwise be deemed to be given or made on a day which is not a Working Day or after 4.00pm on a Working Day, such notice or other communication shall be deemed to be given or made at 9.00am on the next Working Day.

 

17         Dispute Resolution Procedure 

17.1     Each Party  will use reasonable endeavours to resolve or settle any claim or dispute between the Parties and shall ensure that a meeting or conference call is held between respective board members of each Party (or equivalent) within 7 days of the dispute arising or upon request of either Party. 

17.2     In the event that the Parties are unable to resolve or settle any claim or dispute within twenty eight (28) days of either party receiving notice of such claim or dispute from the other then the Parties agree to settle such claim or dispute by mediation in accordance with the Centre for Effective Dispute Resolution (CEDR) Model Mediation Procedure.

17.3     The forum for any mediation held in accordance with this clause shall be in Manchester, England, at such venue as GOL, acting reasonably, selects. The language of the mediation will be English. 

17.4     The mediation will start, unless otherwise agreed between the Parties, within fifty six (56) days of one party issuing a request to mediate to the other.

17.5     Unless otherwise agreed between the Parties, the mediator will be nominated by CEDR.  

17.6     The existence, construction, performance, validity and all aspects of this agreement shall be construed, interpreted, and enforced according to the laws of England and Wales.

17.7     If the dispute is not settled by mediation within 28 days of commencement of the mediation or within such further period as the parties may agree in writing, the dispute shall be referred to and finally resolved by arbitration. CEDR shall be the appointing body and administer the arbitration. CEDR shall apply the UNCITRAL rules in force at the time the arbitration is initiated. In any arbitration commenced pursuant to this clause, the number of arbitrators shall be one and the seat or legal place of arbitration shall be Manchester, England.

 

18         General

18.1     The Supplier acknowledges and agrees that it is responsible for ensuring its Authorised Users keep all User Accounts confidential and do not allow unauthorised persons to access User Accounts. Furthermore the Supplier acknowledges and agrees that it shall be liable for all activities that occur under all User Accounts and in this regard, shall indemnify and keep GOL and any member of the Group, its directors, officers, employees indemnified against all claims, demands, actions, costs, expenses (including, but not limited, to legal costs and disbursements), losses, damages and any other liability whatsoever arising from or suffered or incurred by reason of any use or alleged use of the User Accounts by any person whether or not unauthorised by the Supplier. Furthermore the Supplier agrees to immediately notify GOL of any unauthorised use of any User Accounts. The Supplier accepts and agrees that GOL shall not be liable for any loss or damage arising from the Supplier’s failure to adhere to the forgoing.

18.2     The Supplier acknowledges and agrees that if in the GOL’s sole but reasonable opinion the Supplier has or is likely to breach any provision of this Agreement GOL may without notice to the Supplier deactivate or suspend all or any part of the Supplier’s User Accounts made available to the Supplier pursuant to this Agreement; 

18.3     Each of the restrictions and provisions contained in this Agreement and in each clause and sub‑clause hereof shall be construed as independent of every other such restriction and provision to the effect that if any provision of this Agreement or the application of any provision to any person, firm or company or to any circumstances shall be determined to be invalid and unenforceable by a court of competent Jurisdiction then such determination shall not affect any other provision of the Agreement or the application of such provision to any person, firm, company or circumstance all of which other provisions shall remain in full force and effect.

18.4     No failure of GOL to exercise any power given to it hereunder or to insist upon strict compliance by the Supplier with any obligation or condition hereof and no custom or practice of the Parties at variance with the terms hereof shall constitute a waiver of any of GOL’s rights hereunder.

18.5     No waiver by GOL of any particular default by the Supplier shall affect or impair GOL’s rights in respect of any subsequent default of any kind by the Supplier, nor shall any delay or omission of GOL to exercise any rights arising from any default affect or impair GOL’s rights in respect of the said default or any other default of the Supplier hereunder. Subsequent acceptance by GOL of any payments by the Supplier shall not be deemed a waiver of any preceding breach by the Supplier of any of the terms covenants or conditions of this Agreement.  

18.6     The Supplier shall not, without the prior written consent of GOL, assign, transfer, charge, sub-contract or deal in any other manner with all or any of its rights or obligations under this Agreement. GOL may at any time assign, transfer, charge, sub-contract or deal in any other manner with all or any of its rights or obligations under this Agreement. 

18.7     All rights and licences not specifically and expressly granted to and conferred upon the Supplier by this Agreement are for all purposes reserved to GOL.

18.8     This Agreement constitutes the entire agreement between the Parties, and supersedes any previous agreement between the Parties relating to the subject matter of this Agreement.  The Supplier acknowledges that it has not relied on or been induced to enter this Agreement by any representation, promise, undertaking or statement other than those expressly set out in this Agreement.  GOL is not liable to the Supplier for a representation that is not set out in this Agreement.  This clause 18.6 does not limit GOL’s liability in respect of a fraudulent misrepresentation. 

18.9     The Parties agree that a person who is not a party to this agreement shall have no rights under the Contract (Rights of Third Parties) Act 1999 to rely upon or enforce any term of this Agreement.

18.10  Nothing in this Agreement is intended to or shall operate to create a partnership between the parties, or authorise either party to act as agent for the other, and neither party shall have the authority to act in the name or on behalf of or otherwise to bind the other in any way. 

18.11  No variation of this Agreement shall be binding unless in writing and signed by a duly authorised director or employee of each of GOL and the Supplier.

19         Counterparts

19.1     This Agreement may be signed in any number of counterparts and by the parties on separate counterparts, each of which when signed and dated shall be an original, and such counterparts taken together shall constitute one and the same agreement. This Agreement shall not be effective until each party has signed one counterpart.

 

Schedule (Data Protection)

1)     General 

(a)   In this Schedule:

(i)     the definitions and rules of interpretation set out in clause 1 of the Agreement shall apply, except as to where they are inconsistent with provisions set out in this Schedule in which case the latter shall prevail;

(ii)    the following definitions shall apply:

GOL Personal Data shall mean any Personal Data that is provided to or received by the Supplier or Contracted Processor and is processed by the Supplier or Contracted Processor on behalf of GOL: pursuant to this Agreement; 

Contracted Processor means Supplier or a Sub-processor;

Data Protection Legislation: means all applicable data protection and privacy legislation, laws and regulations in force from time to time in the UK including GDPR and  the Data Protection Act 2018 and (to the extent applicable to the processing of GOL Personal Data under this Agreement) in any Member State of the European Union as amended, updated or succeeded from time to time;

Data Controller, Data Processor, Personal Data Breach, Data Subject and Personal Data have the meanings as defined in the Data Protection Legislation; 

EEA means the European Economic Area;

International Organisation shall have the meanings as defined in the Data Protection Legislation;

GDPR means the General Data Protection Regulation ((EU) 2016/679);

Supplier Group Company means Supplier and its Affiliates;

Standard Contractual Clauses means the contractual clauses set out in Annex B, amended as indicated (in square brackets and italics) in that Annex and under paragraph 5;

Restricted International Transfer means: 

(i)             a transfer of GOL Personal Data from any Grafenia Group company to a Contracted Processor; or 

(ii)            an onward transfer of GOL Personal Data from a Contracted Processor to a Contracted Processor, or between two establishments of a Contracted Processor, 

in each case, where such transfer would be prohibited by Data Protection Legislation in the absence of the Standard Contractual Clauses to be established under clauses 3 (e) and 4 below;

For the avoidance of doubt: (a) without limitation to the generality of the foregoing, the Parties intend that transfers of Personal Data from the UK to the EEA or from the EEA to the UK, following any exit by the UK from the EuropeanUnion shall be Restricted Transfers for such time and to such extent that such transfers would be prohibited by Data Protection Legislation of the UK or EU Data Protection Legislation (as the case may be) in the absence of theStandard Contractual Clauses to be established under clauses clauses 3 (e) and 4 below ; and (b) where a transfer of Personal Data is of a type authorised by Data Protection Legislation in the exporting country, for example in thecase of transfers from within the European Union to a country (such as Switzerland) or scheme (such as the US Privacy Shield) which is approved by the Commission as ensuring an adequate level of protection or any transfer whichfalls within a permitted derogation, such transfer shall not be a Restricted International Transfer;

Sub-processor means any person (including any third party and any Supplier Group Company, but excluding an employee of the Supplier or any of its sub-contractors) appointed by or on behalf of the Supplier or any Supplier Group Company in accordance with this Schedule to process GOL Personal Data on behalf of GOL or any Grafenia Group company in connection with this Agreement;

Supplier Personnel means all staff, contractors, employees, agents, subcontractors and sub-processors of the Supplier.

(b)   The Annexes form part of this Schedule and shall have effect as if set out in full in the body of this Schedule. Any reference to this Schedule includes any Annex.

 

2)     Data Protection Changes 

(a)   In the event of any conflict between any term of the main body of this Agreement and this Schedule, the latter shall take priority.  In the event of any conflict between the terms of the main body of this Schedule and Standard Contractual Clauses (in Annex B), the Standard Contractual Clauses shall prevail.

(b)   The Parties acknowledge that for the purposes of the Data Protection Legislation, GOL (and any relevant Grafenia Group company) is the Data Controller and the Supplier is the Data Processor in respect of GOL Personal Data. Annex A sets out the scope, nature and purpose of processing by the Supplier, the duration of the processing and the types of GOL Personal Data and categories of Data Subject.

(c)    Details of GOL Personal Data being Processed by the Supplier in the provision of services under this Agreement are set out in Annex A.

 

3)     Supplier GDPR obligations

(a)   The Supplier undertakes to GOL and any Grafenia Group company on whose behalf  it processes GOL Personal Data, that it shall, with effect from the date of this Agreement in relation to any GOL Personal Data processed in connection with the performance by the Supplier of its obligations under this Agreement: 

(i)     Comply with Data Protection Legislation;

(ii)   process that Personal Data only on the written instructions of GOL or relevant Grafenia Group company unless the Supplier is required by the laws of any member of the European Union or by the laws of the European Union applicable to the Supplier to process Personal Data (Applicable Laws). Where the Supplier is relying on laws of a member of the European Union or European Union law as the basis for processing Personal Data, the Supplier shall promptly notify GOL and any relevant Grafenia Group company of this before performing the processing required by the Applicable Laws unless those Applicable Laws prohibit the Supplier from so notifying GOL and any relevant Grafenia Group Company; 

(iii)  ensure that it has in place appropriate technical and organisational measures to protect against unauthorised or unlawful processing of GOL Personal Data and against accidental loss or destruction of, or damage to, GOL Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymising and encrypting GOL Personal Data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to GOL Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it);

(iv)  ensure that all Supplier Personnel who have access to and/or process GOL Personal Data are obliged and have signed contractual undertakings to keep GOL Personal Data confidential; and 

(v)   not transfer any GOL Personal Data outside of the European Economic Area or to an International Organisation unless the prior written consent of GOL and any relevant Grafenia Group company has been obtained and the following conditions are fulfilled: 

(a)            GOL and any relevant Grafenia Group company or the Supplier has provided appropriate safeguards in relation to the transfer (and the data subject has enforceable rights and effective legal remedies) which the Parties agree can be provided by adoption of the Standard Contractual Clauses in accordance with paragraph 3 (e) and paragraph 4 below; or

(b)            The country or territory or international organisation (as applicable) to which the GOL Personal Data is transferred is the subject of a positive decision of adequacy pursuant to Article 45 of GDPR (that is, the European Commission has determined that it ensures an adequate level of protection),

and in all cases the Supplier complies with reasonable instructions notified to it in advance by GOL and any relevant Grafenia Group company with respect to the processing of GOL Personal Data;

(vi)  assist GOL and any relevant Grafenia Group company in responding to any request from a Data Subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators;

(vii) notify GOL and any relevant Grafenia Group company without undue delay and in any event within 8 business hours on becoming aware of a Personal Data breach relating to GOL Personal Data;

(viii)     at the written direction of GOL and any relevant Grafenia Group company, delete or return GOL Personal Data and copies thereof to GOL or the relevant Grafenia Group company on termination of the agreement unless required by Applicable Law to store the Personal Data; and 

(ix)  maintain complete and accurate records and information to demonstrate its compliance with this paragraph 3 and allow for audits by GOL or GOL’s designated auditor.

(b)   Any appointment of a Sub-processor by the Supplier is subject to the prior written consent of GOL and each relevant Grafenia Group company and provided in any event that the Supplier has entered into an agreement with the relevant Sub-processor imposing the same data protection obligations on the Sub-processor as set out in this paragraph 3 and this Schedule and as required by Data Protection Legislation. 

(c)    The Supplier shall remain fully liable for all acts or omissions of any Sub-processor appointed by it pursuant to this paragraph 3. 

(d)   If any arrangement in paragraph 3(b) or paragraph 3 (c) involves a Restricted International Transfer, the Supplier shall before the Sub-processor first processes GOL Personal Data procure that the Sub-Processor enters into an agreement incorporating the Standard Contractual Clauses with the relevant Grafenia Group company (and GOL shall procure that the relevant Grafenia Group company who is party to any such Standard Contractual Clauses co-operate with their population and execution).

 

4)     International Transfers

a)     Subject to paragraph 3 (b) and 3 (c):

i)      GOL and, where appropriate, each other relevant Grafenia Group company (as “data exporter”) and each Contracted Processor, as appropriate, (as “data importer”) hereby  enter into the Standard Contractual Clauses in respect of and prior to any Restricted International Transfer from that Grafenia Group company to that Contracted Processor. 

ii)     If any transfer of GOL Personal Data from any Supplier Group Company to any Contracted Processor involves a Restricted International Transfer, the Parties shall procure that GOL, or relevant Grafenia Group Company, as appropriate (as “data exporter”) and such Contracted Processor (as “data importer”) shall enter into the Standard Contractual Clauses in respect of and prior to any Restricted International Transfer from that Supplier Group Company to that Contracted Processor.

iii)    GOL may enter into Standard Contractual Clauses pursuant to clauses 4 (a) (i) and (ii) on behalf of another Grafenia Group company, where appropriate.  All Parties acknowledge and agree that where this Agreement is amended and updated to reflect the addition of a new Grafenia Group company as a data exporter, then only that Grafenia Group company need sign the amended Annex A for it to be binding on all parties.

 

5)     Changes in Data Protection Legislation

a)     GOL may: 

i)      by at least 30 (thirty) calendar days’ written notice to the Supplier from time to time make any variations to the Standard Contractual Clauses (including any Standard Contractual Clauses entered into under paragraph 4, as they apply to Restricted International Transfers which are subject to a particular Data Protection Law, which are required, as a result of any change in, or decision of a competent authority under, that Data Protection Legislation, to allow those Restricted International Transfers to be made (or continue to be made) without breach of that Data Protection Legislation; and 

ii)     propose any other variations to this Schedule which GOL reasonably considers to be necessary to address the requirements of any Data Protection Legislation.

b)     If GOL gives notice under paragraph 5 a) (i) Supplier and each relevant Supplier Group Company shall promptly co-operate (and ensure that any affected Sub-processors promptly co-operate) to ensure that equivalent variations are made to any agreement put in place under paragraph 3 (d). 

c)     If GOL gives notice under paragraph 5 a) (ii) the Parties shall promptly discuss the proposed variations and negotiate in good faith with a view to agreeing and implementing those or alternative variations designed to address the requirements identified in GOL’s notice as soon as is reasonably practicable.

 

ANNEX A

 

DATA PROCESSING

 

  1. Subject matter of Processing – The GOL Personal Data to be processed by the Supplier pursuant to this Agreement concerns the services as set out in this Agreement.

 

  1. Duration of the Processing – The GOL Personal Data to be processed under this Agreement shall be processed for the duration of this Agreement.

 

  1. Nature and purposes of the Processing – The GOL Personal Data to be processed under this Agreement shall be processed for the following nature and purpose: for any related reasons under the direction of GOL as relevant to provide the services supplied under this Agreement.

 

  1. Type of Personal Data – The Personal Data to be Processed by the Service Supplier pursuant to this Agreement concerns the following type of Personal Data:

Full names

Addresses 

Email Addresses

Phone numbers 

Other Identity Data 

Financial Data

 

  1. Categories of Data Subjects – The Personal Data to be Processed under this Updated Agreement concern the following categories of Data Subjects:

Customers and Licensees and employees and personnel of Customers and Licensees (including temporary or casual workers, volunteers, assignees, trainees, retirees, pre-hires and applicants).

End user customers of Licensees and Customers and their employees and personnel (including temporary or casual workers, volunteers, assignees, trainees, retirees, pre-hires and applicants).

 

ANNEX B : Standard Contractual Clauses (processors)

For the purposes of Article 26(2) of Directive 95/46/EC for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection. 

Name of the data exporting organisations: 

GRAFENIA OPERATIONS LIMITED 

Tel: 0161 848 5700 

Fax: 0161 848 5719

Email: ceo@grafenia.com

 (the data exporter)

And 

Name of the data importing organisation:

The Supplier whose details are set out on the Supply Agreement Particulars.

 (the data importer)

each a “party”; together “the parties”, 

HAVE AGREED on the following Contractual Clauses (the Clauses) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the data exporter to the data importer of the personal data specified in Appendix 1. 

 

Background 

The data exporter has entered into a data processing Schedule (“DPA”) with the data importer. Pursuant to the terms of the DPA, it is contemplated that services provided by the data importer will involve the transfer of personal data to data importer. Data importer is located in a country not ensuring an adequate level of data protection. To ensure compliance with Directive 95/46/EC and applicable data protection law, the controller agrees to the provision of such Services, including the processing of personal data incidental thereto, subject to the data importer’s execution of, and compliance with, the terms of these Clauses.

 

  1. Clause 1 – Definitions 

For the purposes of the Clauses:

personal data, special categories of data, process/processing, controller, processor, data subject and supervisory authority shall have the same meaning as in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data;  

the data exporter means the controller who transfers the personal data 

the data importer means the processor who agrees to receive from the data exporter personal data intended for processing on his behalf after the transfer in accordance with his instructions and the terms of the Clauses and who is not subject to a third country’s system ensuring adequate protection within the meaning of Article 25(1) of Directive 95/46/EC;

the subprocessor means any processor engaged by the data importer or by any other subprocessor of the data importer who agrees to receive from the data importer or from any other subprocessor of the data importer personal data exclusively intended for processing activities to be carried out on behalf of the data exporter after the transfer in accordance with his instructions, the terms of the Clauses and the terms of the written subcontract; 

the applicable data protection law means the legislation protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of personal data applicable to a data controller in the Member State in which the data exporter is established;

technical and organisational security measures means those measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.

 

  1. Clause 2 – Details of the transfer 

The details of the transfer and in particular the special categories of personal data where applicable are specified in Appendix 1 which forms an integral part of the Clauses.

 

  1. Clause 3 – Third-party beneficiary clause
  1. The data subject can enforce against the data exporter this Clause, Clause 4(b) to (i), Clause 5(a) to (e), and (g) to (j), Clause 6(1) and (2), Clause 7, Clause 8(2), and Clauses 9 to 12 as third-party beneficiary. 
  1. The data subject can enforce against the data importer this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where the data exporter has factually disappeared or has ceased to exist in law unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity.
  1. The data subject can enforce against the subprocessor this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity. Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses. 
  1. The parties do not object to a data subject being represented by an association or other body if the data subject so expressly wishes and if permitted by national law. 

 

  1. Clause 4 – Obligations of the data exporter

The data exporter agrees and warrants:

(a)  that the processing, including the transfer itself, of the personal data has been and will continue to be carried out in accordance with the relevant provisions of the applicable data protection law (and, where applicable, has been notified to the relevant authorities of the Member State where the data exporter is established) and does not violate the relevant provisions of that State;

(b)  that it has instructed and throughout the duration of the personal data processing services will instruct the data importer to process the personal data transferred only on the data exporter’s behalf and in accordance with the applicable data protection law and the Clauses; 

(c)  that the data importer will provide sufficient guarantees in respect of the technical and organisational security measures specified in Appendix 2 to this contract;

(d)  that after assessment of the requirements of the applicable data protection law, the security measures are appropriate to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation;

(e)  that it will ensure compliance with the security measures;

(f)   that, if the transfer involves special categories of data, the data subject has been informed or will be informed before, or as soon as possible after, the transfer that its data could be transmitted to a third country not providing adequate protection within the meaning of Directive 95/46/EC; 

(g)  to forward any notification received from the data importer or any subprocessor pursuant to Clause 5(b) and Clause 8(3) to the data protection supervisory authority if the data exporter decides to continue the transfer or to lift the suspension;

(h)  to make available to the data subjects upon request a copy of the Clauses, with the exception of Appendix 2, and a summary description of the security measures, as well as a copy of any contract for subprocessing services which has to be made in accordance with the Clauses, unless the Clauses or the contract contain commercial information, in which case it may remove such commercial information;

(i)   that, in the event of subprocessing, the processing activity is carried out in accordance with Clause 11 by a subprocessor providing at least the same level of protection for the personal data and the rights of data subject as the data importer under the Clauses; and

(j)   that it will ensure compliance with Clause 4(a) to (i).

 

 

  1. Clause 5 – Obligations of the data importer

The data importer agrees and warrants:

(a)  to process the personal data only on behalf of the data exporter and in compliance with its instructions and the Clauses; if it cannot provide such compliance for whatever reasons, it agrees to inform promptly the data exporter of its inability to comply, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract; 

(b)  that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Clauses, it will promptly notify the change to the data exporter as soon as it is aware, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;

(c)  that it has implemented the technical and organisational security measures specified in Appendix 2 before processing the personal data transferred;

(d)  that it will promptly notify the data exporter about:

(i)         any legally binding request for disclosure of the personal data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation,

(ii)        any accidental or unauthorised access, and 

(iii)       any request received directly from the data subjects without responding to that request, unless it has been otherwise authorised to do so;

(e)  to deal promptly and properly with all inquiries from the data exporter relating to its processing of the personal data subject to the transfer and to abide by the advice of the supervisory authority with regard to the processing of the data transferred; 

(f)   at the request of the data exporter to submit its data processing facilities for audit of the processing activities covered by the Clauses which shall be carried out by the data exporter or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality, selected by the data exporter, where applicable, in agreement with the supervisory authority;

(g)  to make available to the data subject upon request a copy of the Clauses, or any existing contract for subprocessing, unless the Clauses or contract contain commercial information, in which case it may remove such commercial information, with the exception of Appendix 2 which shall be replaced by a summary description of the security measures in those cases where the data subject is unable to obtain a copy from the data exporter;

(h)  that, in the event of subprocessing, it has previously informed the data exporter and obtained its prior written consent;

(i)   that the processing services by the subprocessor will be carried out in accordance with Clause 11; 

(j)   to send promptly a copy of any subprocessor agreement it concludes under the Clauses to the data exporter.

 

  1. Clause 6 – Liability
  1. The parties agree that any data subject, who has suffered damage as a result of any breach of the obligations referred to in Clause 3 or in Clause 11 by any party or subprocessor is entitled to receive compensation from the data exporter for the damage suffered. 
  1. If a data subject is not able to bring a claim for compensation in accordance with paragraph 1 against the data exporter, arising out of a breach by the data importer or his subprocessor of any of their obligations referred to in Clause 3 or in Clause 11, because the data exporter has factually disappeared or ceased to exist in law or has become insolvent, the data importer agrees that the data subject may issue a claim against the data importer as if it were the data exporter, unless any successor entity has assumed the entire legal obligations of the data exporter by contract of by operation of law, in which case the data subject can enforce its rights against such entity.
  1. The data importer may not rely on a breach by a subprocessor of its obligations in order to avoid its own liabilities. 
  1. If a data subject is not able to bring a claim against the data exporter or the data importer referred to in paragraphs 1 and 2, arising out of a breach by the subprocessor of any of their obligations referred to in Clause 3 or in Clause 11 because both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, the subprocessor agrees that the data subject may issue a claim against the data subprocessor with regard to its own processing operations under the Clauses as if it were the data exporter or the data importer, unless any successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law, in which case the data subject can enforce its rights against such entity. The liability of the subprocessor shall be limited to its own processing operations under the Clauses.

 

  1. Clause 7 – Mediation and jurisdiction
  1. The data importer agrees that if the data subject invokes against it third-party beneficiary rights and/or claims compensation for damages under the Clauses, the data importer will accept the decision of the data subject: 

(a)        to refer the dispute to mediation, by an independent person or, where applicable, by the supervisory authority;

(b)        to refer the dispute to the courts in the Member State in which the data exporter is established.

  1. The parties agree that the choice made by the data subject will not prejudice its substantive or procedural rights to seek remedies in accordance with other provisions of national or international law.

 

  1. Clause 8 Cooperation with supervisory authorities 
  1. The data exporter agrees to deposit a copy of this contract with the supervisory authority if it so requests or if such deposit is required under the applicable data protection law.
  1. The parties agree that the supervisory authority has the right to conduct an audit of the data importer, and of any subprocessor, which has the same scope and is subject to the same conditions as would apply to an audit of the data exporter under the applicable data protection law.
  1. The data importer shall promptly inform the data exporter about the existence of legislation applicable to it or any subprocessor preventing the conduct of an audit of the data importer, or any subprocessor, pursuant to paragraph 2. In such a case the data exporter shall be entitled to take the measures foreseen in Clause 5 (b).

 

  1. Clause 9 – Governing Law

The Clauses shall be governed by the law of the Member State in which the data exporter is established.

 

  1. Clause 10 – Variation of the contract 

The parties undertake not to vary or modify the Clauses. This does not preclude the parties from adding clauses on business related issues where required as long as they do not contradict the Clause. 

 

  1. Clause 11 – Subprocessing
  1. The data importer shall not subcontract any of its processing operations performed on behalf of the data exporter under the Clauses without the prior written consent of the data exporter. Where the data importer subcontracts its obligations under the Clauses, with the consent of the data exporter, it shall do so only by way of a written agreement with the subprocessor which imposes the same obligations on the subprocessor as are imposed on the data importer under the Clauses. Where the subprocessor fails to fulfil its data protection obligations under such written agreement the data importer shall remain fully liable to the data exporter for the performance of the subprocessor’sobligations under such agreement.
  1. The prior written contract between the data importer and the subprocessor shall also provide for a third-party beneficiary clause as laid down in Clause 3 for cases where the data subject is not able to bring the claim for compensation referred to in paragraph 1 of Clause 6 against the data exporter or the data importer because they have factually disappeared or have ceased to exist in law or have become insolvent and no successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law. Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses.
  1. The provisions relating to data protection aspects for subprocessing of the contract referred to in paragraph 1 shall be governed by the law of the Member State in which the data exporter is established.
  1. The data exporter shall keep a list of subprocessing agreements concluded under the Clauses and notified by the data importer pursuant to Clause 5 (j), which shall be updated at least once a year. The list shall be available to the data exporter’s data protection supervisory authority.

 

  1. Clause 12 – Obligation after the termination of personal data processing services
  1. The parties agree that on the termination of the provision of data processing services, the data importer and the subprocessor shall, at the choice of the data exporter, return all the personal data transferred and the copies thereof to the data exporter or shall destroy all the personal data and certify to the data exporter that it has done so, unless legislation imposed upon the data importer prevents it from returning or destroying all or part of the personal data transferred. In that case, the data importer warrants that it will guarantee the confidentiality of the personal data transferred and will not actively process the personal data transferred anymore.
  1. The data importer and the subprocessor warrant that upon request of the data exporter and/or of the supervisory authority, it will submit its data processing facilities for an audit of the measures referred to in paragraph 1.

 

APPENDIX 1 TO ANNEX B (THE STANDARD CONTRACTUAL CLAUSES)

This Appendix forms part of the Clauses.

The Member States may complete or specify, according to their national procedures, any additional necessary information to be contained in this Appendix. 

Data exporter

The data exporter is:

GRAFENIA OPERATIONS LIMITED

Tel: 0161 848 5700

Fax: 0161 848 5719

Email: ceo@grafenia.com

 

Data importer

The data importer is:

The Supplier whose details are set out on the Supply Agreement Particulars.

 

Data subjects

The personal data transferred concern the following categories of data subjects:

Full names 

Addresses 

Email Addresses

Phone numbers

Other Identity Data

Financial Data

 

 

Categories of data 

The personal data transferred concern the following categories of data:

Customers and Licensees and employees and personnel of Customers and Licensees (including temporary or casual workers, volunteers, assignees, trainees, retirees, pre-hires and applicants).

End user customers of Licensees and Customers and their employees and personnel (including temporary or casual workers, volunteers, assignees, trainees, retirees, pre-hires and applicants).

 

Special categories of data (if appropriate) 

The personal data transferred concern no special categories of data.

 

Processing operations

The personal data transferred will be subject to the following basic processing activities:

Access and administrative operations relating to the processing of print jobs and manufacturing of printed items.

 

APPENDIX 2 TO ANNEX B (THE STANDARD CONTRACTUAL CLAUSES)

This Appendix forms part of the Clauses. 

Description of the technical and organisational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c):

Data Importer ensures that it has in place appropriate technical and organisational measures to protect against unauthorised or unlawful processing of GOL Personal Data and against accidental loss or destruction of, or damage to, GOL Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymising and encrypting GOL Personal Data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to GOL Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it);

Further security measures:

 

1.     Please describe the access control (physical) measures in your company to prevent unauthorized persons from gaining access to data processing systems within which personal data are processed or used (If your company has several subsidiaries or branches please distinguish the differences between the locations).  

Examples:

  • Access control system, card reader (magnetic card or chip card)
  • Management of keys / documentation of key holders
  • Door protection (electronic door openers, combination lock, etc.)
  • Security fences
  • Safety doors and/or safety windows
  • Burglar bars at windows and doors
  • Security service, front desk
  • Burglar alarm system
  • CCTV
  • Specific measures to protect the server room

 

2.     Please describe the admission control measures taken in your company to prevent data processing systems from being used without authorization.

Examples:

  • Personal and individual user log-in when entering the system and / or the corporate network
  • Password procedures (definition of password parameters regarding complexity and updating intervals)
  • BIOS passwords
  • Additional system log-in for special applications
  • Automatic blocking of computer after a certain period of time without user activity (also password-protected (screensavers or automatic pause function)
  • All passwords are electronically documented and protected against unauthorized access through encryption

 

  1. Please describe the access control (virtual) measures taken in your company To ensure that persons entitled to use a data processing system have access only to the data to which they have a right of access, and that personal data cannot be read, copied, modified or removed without authorizations in the course of processing or use and after storage. 

Examples:

  • Authorization management
  • Differentiated authorizations
  • Profiles
  • Roles
  • Authorization documentation
  • Authorization routines
  • Reports / data logs
  • Reviews / audits (for example in the context of ISO certifications, SOX compliance)
  • Encryption of CD/DVD-ROMs, external hard drives and/or laptop computers (e.g. using TrueCrypt, SafeGuard Easy, WinZip etc.)

 

  1. Describe the transmission control measures taken in your company to ensure that personal data cannot be read, copied, modified or removed without authorization during electronic transmission or transport, and that it is possible to check and establish to which bodies the transfer of personal data by means of data transmission facilities is envisaged.

Examples:

  • E-mail encryption
  • Encryption of CD/DVD-ROM, external hard drives and / or laptop computers (e.g. using TrueCrypt, SafeGuard Easy, WinZip)
  • Secure data networks (VPN = Virtual Private Network)
  • Logging
  • Protection of data storage media and containers during physical transport
  • Secured WLAN
  • SSL encryption in case of web access

 

  1. Describe the measures of input control to ensure that it is possible to check and establish whether and by whom personal data have been input into data processing systems, modified or removed. 

Examples: 

  • Access rights (see No. 6)
  • System logs
  • Security/logging software
  • Functional responsibilities

 

  1. Describe the assignment control measures in your company to ensure that, in the case of commissioned processing of personal data, the data are processed strictly in accordance with the instructions of the principal. 

Examples: 

  • Written agreement on data processing in accordance section 11 of the BDSG describing the rights and obligations of the Agent and the Principal
  • Training of all employees who enjoy access rights. Follow-up training at regular intervals
  • Data secrecy agreements with all employees in accordance with section 5 BDSG
  • Regular data protection audits conducted by the corporate data protection officer
  • Appointment of contact partners and project managers in charge of the agreement on data processing

 

  1. Describe the availability control measures your company takes to ensure that personal data are protected from accidental destruction or loss.

Examples: 

  • Back-up processes
  • Mirroring of hard drives
  • Uninterruptible power supply (UPS)
  • Retention of back-ups (safe, separate fire section, etc.)
  • Virus protection /firewall
  • Contingency plans
  • Air conditioning
  • Fire protection and protection against fire-fighting water
  • Alarm system
  • Suitable archiving facilities

 

  1. Describe the separation control measures your company has taken to ensure that data collected for different purposes can be processed separately. 

Examples:

  • Separation of systems
  • Separation of databases
  • Logical separation of different clients’
  • databases
  • Securing multi-client capability (auditing acceptability)
  • Separation of development, GOL and productive data.