EUROPEAN ECONOMIC AREA DATA CONTROLLER/PROCESSOR AGREEMENT June 2016

1 GENERAL

1.1 The Controller is the holder of a licence to use Cubiks Products as defined in any agreement (“Licence”) currently in force between the Controller and any member of the Cubiks Group of Companies (“Licensor”). The Cubiks Group of Companies is defined below.

1.2 The Processor is the Licensor with whom the Controller is contracting.

1.3 The Processor may subcontract its obligations under this Agreement to Cubiks Limited, registered number 3840112 whose registered office is at Ranger House, Walnut Tree Close, Guildford, Surrey, GU1 4US, United Kingdom and to the third parties as set out in Appendix 1 below (“Sub-Processors”). The Processor remains fully responsible to the Controller for the compliance of such Sub-Processors with the terms and conditions herein.

1.4 This Agreement is made between the Controller and the Processor and is supplemental to and forms part of any Licence as described in 1.1 above.

1.5 In consideration of the provision by the Licensor of online access to the Cubiks Products and the mutual undertakings set out herein the parties agree as follows.

2. PURPOSE

The purpose of this Agreement is to ensure that the Processing of Personal Data (as these terms are defined below) is carried out in accordance with Articles 6 to 12, and Articles 14 to 17 of the European Union Directive 95/46/EC (“On the protection of individuals with regard to the processing of personal data, and on the free movement of such data”), as set out in the legislation of the Member State in which Controller is established, subject to that legislation being in accordance with the Directive.

These Articles and legislation require a written contract to exist between Controller and Processor, and for Processor to take appropriate technical and organizational measures to protect Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the Processing involves the transmission of data over a network, and against all other unlawful forms of processing.

3. APPENDICES The Appendices to this Agreement shall form an integral part of this Agreement.

4. DEFINITIONS

For the purposes of this Agreement, the following terms shall have the meanings set out below. These are cognisant of the meanings given them in Article 2 of Directive 95/46/EC.

(a) “Controller” shall mean the natural or legal person, public authority, agency or any other body as described in clause 1 above and which alone or jointly with others determines the purposes and means of the Processing of Personal Data;

(b) “Processor”, in relation to Personal Data, shall mean any natural or legal person, public authority, agency or any other body (other than an employee of Controller) who Processes the Personal Data on behalf of Controller;

(c) “Data Subject” shall mean an individual who is the subject of Personal Data;

(d) “Personal Data” shall mean any information relating to an identified or identifiable Data Subject; an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity;

(e) “Processing” shall mean any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction, and “Process” shall be construed accordingly.

In addition:

(f) “Member State” shall mean a state which is a member of the European Economic Area, that is, a member of the European Union or of the European Free Trade Area, but excluding Switzerland;

(g) “Directive” shall mean the Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995, entitled “on the protection of individuals with regard to the Processing of Personal Data and on the free movement of such data” and any modification of such directive or any replacement directive;

(h) “Supervisor” shall mean the Data Protection Supervisory Authority, as defined in Article 28 of Directive, of the Member State in which Controller is established. If Controller is established in more than one Member State, it shall refer to the Data Protection Supervisory Authority for the Member State in which Controller is acting for the purposes of this Agreement;

(i) “Cubiks Group of Companies” shall mean those companies which can be found listed at http://www.cubiks.com/SiteInformation/Pages/CubiksGroupLimited.aspx. The term Cubiks Group of Companies includes a single member of that group.

5. PROCESSING

The details of the Processing of Personal Data covered by this Agreement are specified in Appendix 1.

6. CONTACTS

All contacts between the Parties concerning this Agreement shall be between the persons nominated in Appendix 2, and such other persons as the nominated Contacts may from time to time authorise in writing. Any changes to the contacts nominated in Appendix 2 shall be agreed in writing between the Parties.

7. OWNERSHIP OF THE DATA

All Personal Data stored and Processed under the terms of this Agreement by Processor on behalf of Controller are and shall remain exclusively the property of Controller.

8. OBLIGATIONS OF CONTROLLER

Controller agrees and warrants:

(a) that the Processing of Personal Data by him has been and will continue to be carried out in accordance with all the relevant provisions of Directive 95/46/EC and in accordance with the privacy and data protection notice of the Processor (or such other notice as the parties may agree);

(b) that if the Processing involves any of the special categories of data as defined in paragraph 1 of Article 8 of the Directive 95/46/EC, Controller has collected those data, and is requesting their Processing by Processor, in accordance with paragraph 2 of the said Article;

(c) to respond in a reasonable time, and to the extent reasonably possible, to enquiries from Supervisor on the Processing of the relevant Personal Data by Controller;

(d) to respond in a reasonable time and to the extent reasonably possible to enquiries by a Data Subject concerning the Processing of his Personal Data by Controller, and to give appropriate instructions to Processor in a timely manner.

9. OBLIGATIONS OF PROCESSOR

Processor agrees and warrants:

(a) to Process Personal Data on behalf of Controller, in accordance with the instructions of Controller (i) to ensure compliance with paragraph (b) below and (ii) subject to such instructions being consistent with the established functionalities and established capabilities of the Cubiks Products which are the subject of the Licence. Processor further agrees not to carry out any Processing of Personal Data supplied by Controller without the explicit instructions of Controller;

(b) to process Controller’s Personal Data in accordance with Article 17 of the Directive;

(c) to ensure that all Processor’s staff and management are fully aware of their responsibilities to protect Personal Data in accordance with this Agreement;

(d) that he has no reason to believe that any legislation, rule of law or order of a court applicable to him prevents him from fulfilling his obligations under this Agreement and that, in the event of his becoming so aware, he will notify Controller as soon as reasonably possible;

(e) to deal promptly, fully and properly with all reasonable enquiries from Controller relating to his Processing of the Personal Data and to cooperate with the Supervisor in the course of any of its enquiries and to abide by the advice of the Supervisor with regard to the Processing of the Personal Data;

(f) to deal promptly, fully and properly with all enquiries from Controller relating to subject access requests from Data Subjects received by Controller and passed to Processor for Processing, ensuring such requests are dealt with in the manner and within the time limits specified by Article 12 of the Directive, and as interpreted by the data protection law of the Member State in which the Controller is acting for the purposes of this Agreement;

(g) to return to Controller in good time for transmission to the Data Subject all material produced in response to a subject access request;

(h) at the request of Controller to submit its data processing facilities for audit which shall be carried out by Controller, or by an inspection body composed of independent members and in possession of the required professional qualifications, selected by Controller, or by the Supervisor and, where applicable, in agreement with the Supervisor.

10. DISCLOSURE

Processor will only disclose Personal Data in accordance with instructions from Controller, and will take appropriate security measures, in accordance with Article 17 of the Directive, to ensure that no unauthorised disclosure occurs.

11. LIABILITY

(a) It is noted that, under Article 23 of the Directive, an individual who suffers damage by reason of any contravention of the data protection law is entitled to compensation from Controller for that damage and, in certain circumstances, for damage and consequential distress.

(b) The Parties agree that if Controller is held liable for a violation referred to in subparagraph (a) above, Processor will, in proportion to the extent to which it is liable, indemnify Controller for any cost, charge, damages, expenses or loss Controller has incurred provided that the maximum aggregate liability of Processor and any Sub-Processor under this Data Agreement and the Licence shall be limited to 110% of the Annual Service Fee actually paid by the Controller to Cubiks in accordance with the Licence during the Contract Year when liability arises (or during the Term of the Licence if shorter). If not otherwise defined in this Agreement, capitalised terms in this clause 11 shall have the meanings given to them in the Licence.

12. MEDIATION AND JURISDICTION

(a) The Parties agree that if there is a dispute between a Data Subject and Controller and that dispute is not amicably resolved, they will cooperate to offer the Data Subject the opportunity to refer the dispute to mediation by an independent person or, where applicable, by the Supervisor.

(b) Paragraph (a) shall apply without prejudice to the Data Subject’s rights to seek remedies in a court in accordance with the data protection law.

13. TERMINATION OF THE AGREEMENT

(a) The Parties agree that the termination of the Agreement at any time, in any circumstances and for whatever reason does not exempt them from the obligations and/or conditions under the Agreement as regards the Processing of Personal Data.

(b) Subject to a reasonable time interval to ensure that Controller has made alternative arrangements for Processing his Personal Data, and subject to these arrangements working satisfactorily, Processor shall, insofar as it is practicable, delete or render anonymous all copies of Controller’s Personal Data held and processed by Processor.

(c) If Controller’s Personal Data, for reasons of practicality, cannot be so deleted or render anonymous, Processor shall take appropriate action to ensure that those Personal Data will not be further processed, disclosed, or in any way used, other than their later deletion should that become possible.

14. VARIATION OF THIS AGREEMENT

The Parties undertake not to vary or modify the terms of this Agreement, other than:

(a) to correct such deficiencies as may become apparent in this Agreement in relation to the application to the Processing of the Directive or its interpretation by the Member State in which the Controller resides; or

(b) any variation necessitated by any relevant subsidiary legislation, or by any amendment to the Directive or other relevant data protection law; or

(c) any variation to the Processing requirements of Controller; or

(d) any other change necessitated by law.

15. GOVERNING LAW

This Agreement shall be governed by the laws of England.

APPENDIX 1

By contributing to any of these assessments, Data Subject agrees to information provided by him/her being used by for the following purposes:

  • Cubiks may use Data Subject's Personal Data for monitoring, validation, statistical, research, benchmarking, product development and management purposes which will include ensuring that employers’ decisions are based on fair, objective and scientifically derived information. This may involve matching the Data Subject’s Personal Data with data from other sources. The results will not be used in relation to the Data Subject and will be anonymised as soon as possible.
  • Cubiks may use the Data Subject's Personal Data to assist Licence Holder in the use and understanding of any Cubiks Product and, if necessary, in IT system fault finding.
  • Cubiks, if acting on behalf of Licence Holder, may use Data Subject's Personal Data for human resources purposes and to provide human resources services to the Licence Holder.
  • Cubiks’ agents, associates, integration partners, suppliers and other trusted third parties may be involved in the processing of Data Subject's Personal Data, through necessity and/or convenience
  • Licence Holder and any member of the Licence Holder’s group (meaning a company which controls the Licence Holder, is controlled by the Licence Holder or is controlled by the company that controls the Licence Holder) may use the data subject’s Personal Data for human resources purposes.
  • Integration partners, suppliers and other trusted third parties may be involved in the processing of Data Subject's Personal Data, through necessity and/or convenience on behalf of the Licence Holder and members of the Licence Holder’s Group.
  • If the Licence Holder or Group Member Company of Licence Holder is carrying out work for a client, then Licence Holder may disclose results to its client on paper or by email. The client of Licence Holder may use the information for human resources purposes only.

Licence Holder is responsible for ensuring that the processing of Personal Data by him has been and will continue to be carried out in accordance with all applicable legal requirements. Furthermore Licence Holder is responsible for identifying any such legal requirements. End

APPENDIX 2

Nominated First Contacts

On behalf of Controller: Director of Human Resources or designated representative.

On behalf of Processor: Group Company Secretary represented by Cubiks Helpdesk, telephone 00 44 1483 544 240.

End

© 2013 Cubiks Intellectual Property Limited