Sense Workplace Data Protection Addendum

This Data Protection Addendum (the “Addendum”) is incorporated into and forms part of the SaaS agreement in place between Sense Workplace Limited (“Sense”) and the Customer for the provision of the Services (the “Agreement”).

SECTION A – PRELIMINARIES

1. Interpretation

1.1. The following definitions apply in this Addendum.

Data Protection Laws: all UK laws relating to the use, protection and privacy of personal data from time to time applicable to the parties, including the (i) UK GDPR; (ii) Data Protection Act 2018; and (iii) Privacy and Electronic Communication Regulations 2003.

List of Sub-Processors: the latest version of the list of Sub-Processors used by Sense, available at https://www.sense.hr/security.html

Protected Data: personal data received from or on behalf of the Customer in relation to Sense’s performance of the Services under the Agreement.

Sub-Processor: another processor engaged by Sense for carrying out processing activities in respect of the Protected Data, on behalf of the Customer.

UK GDPR: has the meaning given to it in section 3(10) (as supplemented by section 205(4)) of the Data Protection Act 2018.

1.2. In this Addendum, the terms controller, data subject, personal data, personal data breach, processor, processing and Commissioner shall have the definitions given to them by the Data Protection Laws.

2. Conflict

In the event of any conflict or inconsistency between the provisions of this Addendum and the remaining provisions of the Agreement, the provisions of this Addendum shall prevail solely with respect to the processing of Protected Data.

SECTION B – ROLES AND SCOPE OF PROCESSING

3. Processing roles

The parties agree that in respect of the Services, the Customer shall be the controller and Sense shall be the processor.

4. Mutual obligations

4.1. Each party shall:

  • 4.1.1. at all times during the term of the Agreement, comply with the Data Protection Laws; and
  • 4.1.2. to the extent applicable under the Data Protection Laws, obtain and maintain all appropriate registrations required in order to allow it to perform its obligations under the Agreement.

5. Scope of processing

Processing of the Protected Data by Sense under the Agreement shall be for the subject-matter, duration, nature and purposes and involve the types of personal data and categories of data subjects set out in this paragraph 5. Sense will host the Sense Platform used by the Customer to assist with the Customer’s employee management activities for the duration of the Agreement. The purpose of the processing is to allow Customers’ End Users to access the Platform in accordance with the terms of the Agreement. The nature of the processing is the storage of personal data on the Sense Platform and facilitating log-in to the Sense Platform. The types of personal data processed will be (i) user information: name and email address; and (ii) information uploaded by an End User at their sole discretion, which may include: date of birth, national insurance number, residential address, telephone number, bank account details, pension arrangements, historic and current job roles, employment contract information, salary and benefits details, sickness and absence records, grievance information, appraisals and performance reviews, attendance and annual leave information, religion or trade union membership. Such types of personal data may include special category data and relate to the Customer’s End Users and personnel.

SECTION C – SENSE OBLIGATIONS

6. Sense obligations

6.1. In relation to the Protected Data, to the extent that Sense is the processor of such Protected Data, Sense shall:

  • 6.1.1. unless required to do otherwise by applicable laws, only process the Protected Data in accordance with the Customer's documented instructions and in accordance with paragraph 5 of the Agreement;
  • 6.1.2. taking into account the nature of the processing, implement appropriate technical and organisational measures to protect the Protected Data against unauthorised or unlawful processing and against accidental loss, destruction, damage, alteration or disclosure;
  • 6.1.3. not, without the prior written consent of the Customer, transfer any Protected Data to a country or territory outside the United Kingdom unless such country or territory has been deemed to provide an adequate level of protection to personal data or adequate contractual or other assurances have first been put in place such as will enable each party to comply with the requirements of the Data Protection Laws;
  • 6.1.4. take reasonable steps to ensure the reliability of its personnel who have access to any Protected Data and ensure that Protected Data shall only be accessible by its personnel to the extent they need to know or require access for the purpose of properly performing their duties in relation to the Agreement and who are bound to maintain its confidentiality;
  • 6.1.5. notify the Customer without undue delay of any personal data breach that it becomes aware of and provide reasonable assistance to the Customer in respect of any such personal data breach;
  • 6.1.6. within 30 days of the end of the Term, on the written instructions of the Customer, delete or return all Protected Data processed in relation to the Agreement, unless Sense is required to retain the Protected Data to comply with applicable laws; and
  • 6.1.7. subject to the Customer paying Sense's reasonable costs (unless prohibited by applicable law), provide such cooperation and assistance to the Customer as the Customer reasonably requires (taking into account the nature of processing and the information available to Sense) in ensuring compliance with:
    • 6.1.7.1. the Customer's obligations to respond to any complaint or request from any applicable data protection authority or data subjects seeking to exercise their rights under any Data Protection Laws, including by notifying the Customer of each data subject request Sense receives in respect of the Protected Data;
    • 6.1.7.2. the Customer's obligations to:
      • 6.1.7.2.1. carry out any data protection impact assessments (“DPIA”) on the impact of the processing of Protected Data; and
      • 6.1.7.2.2. consult the Commissioner prior to any processing where a DPIA indicates that the processing would result in a high risk in the absence of measures taken by the Customer to mitigate the risk.

7. Infringing instructions

7.1. Sense shall inform the Customer without undue delay if Sense believes that a processing instruction infringes Data Protection Laws.

7.2. To the extent permitted under applicable law, Sense shall have no liability howsoever arising (whether in contract, tort (including negligence) or otherwise) for any losses, costs, expenses or liabilities arising from or in connection with any processing in accordance with the Customer's unlawful processing instructions.

SECTION D – SUB-PROCESSORS

8. Sub-Processors

8.1. The Customer authorises the appointment of each of the Sub-Processors identified on the List of Sub-Processors at the Commencement Date. Sense shall give the Customer 30 days’ prior written notice of any change to the List of Sub-Processors. In the event the Customer reasonably believes that any such change materially adversely affects it, it may by notice elect to terminate the Agreement in respect of all impacted Services provided it exercises such right within 14 days of receipt of the change notification and notifies Sense in writing at the time of exercising such right of the material adverse effect which has caused it to exercise this right.

8.2. Sense shall:

  • 8.2.1. prior to any Sub-Processor authorised in accordance with paragraph 8.1 carrying out any processing activities in respect of the Protected Data, appoint each Sub-Processor under a written contract containing materially the same obligations as under this Addendum that is enforceable by Sense; and
  • 8.2.2. remain fully liable for all acts and omissions of each Sub-Processor as if such acts and omissions were its own.

SECTION E – INFORMATION AND AUDITS

9. Information and audits

9.1. The Customer can access information about Sense’s security measures and third party certifications at https://www.sense.hr/security.html.

9.2. In the event that the Customer, acting reasonably, deems the information provided in accordance with paragraph 9.1 insufficient to satisfy its obligations under Data Protection Laws, Sense shall:

  • 9.2.1. make available to the Customer such information as is reasonably necessary to demonstrate Sense's compliance with its obligations under this Addendum; or
  • 9.2.2. allow for audits, at the Customer’s cost, by the Customer (or the Customer’s independent third party auditors) for the purpose of demonstrating Sense's compliance with its obligations under this Addendum (subject to the Customer providing no less than 30 days’ prior written notice of such audit and a maximum of 1 audit request in any 12 month period under this paragraph 9.2.2).

9.3. Any information provided to, or obtained by, the Customer under this paragraph 9 shall be Sense’s Confidential Information.

SECTION F – CUSTOMER WARRANTIES

10. Customer warranties

10.1. The Customer warrants, represents and undertakes, that all:

  • 10.1.1. Protected Data provided by the Customer to Sense for use in conjunction with the Services shall comply in all respects, including in terms of its collection, storage and processing, with Data Protection Laws; and
  • 10.1.2. instructions given by it to Sense in respect of Protected Data shall at all times be in accordance with Data Protection Laws.