1. Interpretation and scope
1.1. This data processing agreement (DPA) is incorporated into the Contract between Atlas Merlin Ltd (Atlas Merlin) and the Customer by clause 8.3 of Atlas Merlin’s standard terms and conditions located at https://atlasmerlin.com/legal/terms (the Conditions). It applies to all processing of personal data carried out by Atlas Merlin on behalf of Customer in connection with the Contract.
1.2. Capitalised terms used but not defined in this DPA have the meanings given to them in the Conditions. The terms personal data, controller, processor, data subject, process, processing, personal data breach, special categories of personal data and supervisory authority have the meanings given to them in the Data Protection Laws.
1.3. In this DPA:
- Data Protection Laws means the UK GDPR, the Data Protection Act 2018, and any other data protection or privacy laws applicable to a party’s processing of personal data under the Contract, in each case as amended or replaced from time to time.
- Data Protection Particulars means the particulars of the processing of personal data under an Order, set out in the Order itself in accordance with clause 8.4 of the Conditions, in a section headed “Data Protection Particulars” or otherwise identified as such.
- Standard Contractual Clauses means, as applicable, the International Data Transfer Agreement issued by the Information Commissioner under section 119A of the Data Protection Act 2018, or the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the Information Commissioner under section 119A of the Data Protection Act 2018, in each case as amended or replaced from time to time.
- Sub-processor means any third party engaged by Atlas Merlin to process personal data on behalf of Customer in connection with the Contract.
- UK GDPR has the meaning given to it in section 3(10) of the Data Protection Act 2018.
1.4. In the event of conflict between this DPA and the Conditions, this DPA will prevail in respect of matters relating to the processing of personal data. In the event of conflict between this DPA and an Order, the Order will prevail in respect of the matters to which it relates.
1.5. Atlas Merlin may modify this DPA from time to time and will notify Customer of any modifications that materially change Customer’s rights, in the manner contemplated by clause 2.3 of the Conditions.
2. Processing on documented instructions
2.1. Atlas Merlin will process personal data on behalf of Customer only on Customer’s documented instructions, including in relation to transfers of personal data to a country outside the United Kingdom, unless required to do otherwise by applicable law. Where Atlas Merlin is required by applicable law to process personal data otherwise than on Customer’s instructions, Atlas Merlin will (unless prohibited by that law on important grounds of public interest) inform Customer of that legal requirement before processing.
2.2. Customer’s documented instructions are set out in:
2.2.1. the Contract (including the Conditions, the Order, and the Data Protection Particulars); and
2.2.2. any further instructions reasonably given by Customer to Atlas Merlin in writing in the course of Atlas Merlin’s provision of the Software, including by email or through Atlas Merlin’s standard support channels.
2.3. Atlas Merlin will inform Customer if, in its opinion, an instruction given by Customer infringes the Data Protection Laws. Atlas Merlin is not obliged to monitor Customer’s instructions for compliance with the Data Protection Laws and may rely on the lawfulness of any instruction given by Customer unless and until it identifies an apparent infringement.
3. Confidentiality
3.1. Atlas Merlin will ensure that any person it authorises to process personal data on behalf of Customer is bound by an appropriate obligation of confidentiality, whether contractual or statutory.
4. Security
4.1. Atlas Merlin will implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk presented by the processing of personal data under the Contract, in accordance with Article 32 of the UK GDPR. The measures Atlas Merlin has implemented as at the date of this DPA are described in Annex 2.
4.2. Atlas Merlin may update the measures described in Annex 2 from time to time, provided that the updated measures provide a level of security that is at least equivalent to that described in Annex 2 as at the date of this DPA.
5. Sub-processors
5.1. Customer grants Atlas Merlin general authorisation to engage Sub-processors to process personal data on behalf of Customer in connection with the Contract. Customer is deemed to have authorised the Sub-processors listed at https://atlasmerlin.com/legal/sub-processors as at the date of the Order.
5.2. Atlas Merlin will give Customer at least 30 days’ prior written notice of the addition or replacement of any Sub-processor by updating the list referred to in clause 5.1 and notifying Customer by email to the address designated by Customer for such notices.
5.3. Customer may object to the addition or replacement of a Sub-processor notified under clause 5.2 on reasonable data protection grounds by giving Atlas Merlin written notice within 30 days of Atlas Merlin’s notice. The right to object under this clause 5.3 applies only to Sub-processors added or replaced after the date of the Order, and not to any Sub-processor authorised under clause 5.1.
5.4. If Customer objects under clause 5.3, the parties will discuss the objection in good faith for a period of 30 days and seek a mutually acceptable resolution, which may include Atlas Merlin not engaging the proposed Sub-processor in respect of Customer’s personal data, or Atlas Merlin proposing an alternative Sub-processor.
5.5. If the parties are unable to reach a mutually acceptable resolution under clause 5.4 within the 30-day period, Customer may, as its sole and exclusive remedy, terminate the affected Order by giving Atlas Merlin written notice within 30 days of the end of that period. Termination under this clause 5.5 will not entitle Customer to any refund of Licence Fees or other amounts paid or invoiced in respect of the period prior to the effective date of termination, and Customer will remain liable for all such amounts.
5.6. Atlas Merlin will impose on each Sub-processor, by a written contract, data protection obligations that are equivalent in substance to those imposed on Atlas Merlin under this DPA. Atlas Merlin will remain liable to Customer for the acts and omissions of its Sub-processors as if they were its own.
6. International transfers
6.1. Atlas Merlin will not transfer personal data to a country outside the United Kingdom except:
6.1.1. to a country, territory, sector or international organisation that is the subject of UK adequacy regulations under section 17A of the Data Protection Act 2018; or
6.1.2. where appropriate safeguards are in place in accordance with Article 46 of the UK GDPR, including by means of Standard Contractual Clauses; or
6.1.3. where another lawful basis for the transfer applies under the UK GDPR.
6.2. Customer acknowledges that Atlas Merlin processes personal data through Sub-processors located in the European Union, and that such transfers are made in reliance on the United Kingdom’s adequacy regulations in respect of the European Union.
6.3. Where Customer instructs Atlas Merlin to transfer personal data to a recipient in a country outside the United Kingdom that is not the subject of UK adequacy regulations, Customer is responsible for ensuring that an appropriate transfer mechanism is in place under the Data Protection Laws. Atlas Merlin will provide reasonable assistance to Customer in implementing such a mechanism, at Customer’s cost.
6.4. Where the Data Protection Laws applicable to Customer require Standard Contractual Clauses or another transfer mechanism to be entered into between Customer and Atlas Merlin in respect of any transfer of personal data under the Contract, the parties will agree the relevant transfer mechanism in the Data Protection Particulars.
7. Data subject rights and assistance
7.1. Atlas Merlin will, taking into account the nature of the processing, assist Customer by appropriate technical and organisational measures, insofar as this is possible, to fulfil Customer’s obligation to respond to requests from data subjects exercising their rights under the Data Protection Laws.
7.2. If Atlas Merlin receives a request from a data subject in respect of personal data processed by Atlas Merlin on behalf of Customer, Atlas Merlin will:
7.2.1. promptly forward the request to Customer; and
7.2.2. not respond substantively to the data subject other than to acknowledge receipt and to direct the data subject to Customer, unless instructed by Customer or required by law to do so.
7.3. Assistance provided by Atlas Merlin under this clause 7 will be provided without additional charge to the extent it is reasonable in scope and frequency. Atlas Merlin may charge Customer a reasonable fee, calculated by reference to Atlas Merlin’s then-current standard rates, for assistance that is unusual in nature, requires significant technical effort, or is requested with a frequency or volume that materially exceeds normal levels.
8. Assistance with Customer’s compliance obligations
8.1. Atlas Merlin will, taking into account the nature of the processing and the information available to it, provide reasonable assistance to Customer in ensuring Customer’s compliance with its obligations under Articles 32 to 36 of the UK GDPR, including in relation to:
8.1.1. the security of processing;
8.1.2. the notification of personal data breaches to supervisory authorities and to data subjects;
8.1.3. data protection impact assessments; and
8.1.4. prior consultation with supervisory authorities.
8.2. Assistance provided by Atlas Merlin under this clause 8 will be provided without additional charge to the extent it is reasonable in scope and frequency. Atlas Merlin may charge Customer a reasonable fee, calculated by reference to Atlas Merlin’s then-current standard rates, for assistance that is unusual in nature, requires significant technical effort, or is requested with a frequency or volume that materially exceeds normal levels.
9. Personal data breaches
9.1. Atlas Merlin will notify Customer without undue delay after becoming aware of a personal data breach affecting personal data processed by Atlas Merlin on behalf of Customer.
9.2. Atlas Merlin’s notification under clause 9.1 will, to the extent the relevant information is available to Atlas Merlin at the time of notification, include:
9.2.1. a description of the nature of the personal data breach, including, where possible, the categories and approximate number of data subjects and personal data records concerned;
9.2.2. the likely consequences of the personal data breach;
9.2.3. the measures taken or proposed to be taken by Atlas Merlin to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects; and
9.2.4. the contact details of a person from whom further information can be obtained.
9.3. Where Atlas Merlin is unable to provide all of the information referred to in clause 9.2 at the time of the initial notification, Atlas Merlin will provide further information as it becomes reasonably available.
10. Audit
10.1. Atlas Merlin will make available to Customer all information reasonably necessary to demonstrate Atlas Merlin’s compliance with its obligations under Article 28 of the UK GDPR and this DPA. Such information may include responses to security questionnaires, summaries of internal or third-party testing, and copies of any relevant certifications held by Atlas Merlin.
10.2. If the information made available under clause 10.1 is not reasonably sufficient to demonstrate Atlas Merlin’s compliance, Customer may, on giving Atlas Merlin not less than 30 days’ prior written notice, conduct an audit of Atlas Merlin’s processing of personal data under the Contract, subject to the following:
10.2.1. audits will be conducted no more than once in any 12-month period;
10.2.2. audits will be conducted during Atlas Merlin’s normal business hours and in a manner that does not unreasonably interfere with Atlas Merlin’s business operations;
10.2.3. audits will be conducted by Customer or by an independent third-party auditor appointed by Customer, provided that the auditor is not a competitor of Atlas Merlin and is bound by appropriate obligations of confidentiality;
10.2.4. Customer will bear its own costs and the costs of any third-party auditor in connection with the audit, except that if the audit reveals a material breach by Atlas Merlin of its obligations under this DPA, Atlas Merlin will reimburse Customer’s reasonable costs of the audit; and
10.2.5. all information obtained by Customer or its auditor in the course of the audit will be treated as Atlas Merlin’s Confidential Information.
10.3. The limitations in clause 10.2 do not apply to any audit, inspection or investigation conducted by a supervisory authority under the Data Protection Laws.
11. Return or deletion of personal data
11.1. On expiry or termination of the Contract, Atlas Merlin will, at Customer’s choice, delete or return to Customer all personal data processed on Customer’s behalf under the Contract, and delete any existing copies, unless applicable law requires Atlas Merlin to retain the personal data.
11.2. Customer may exercise its choice under clause 11.1 by written notice given in accordance with clause 7.4 of the Conditions. In the absence of such notice, Atlas Merlin may retain the personal data for the period and on the terms set out in clause 7.4 of the Conditions.
11.3. Clause 11.1 is subject to the final paragraph of clause 9.4 of the Conditions in respect of computer back-up media made in the ordinary course of business.
12. General
12.1. Term. This DPA applies for as long as Atlas Merlin processes personal data on behalf of Customer under the Contract, and any provisions of this DPA that by their nature should survive expiry or termination of the Contract will so survive.
12.2. Liability. The liability of each party under or in connection with this DPA is subject to clause 6 of the Conditions.
12.3. Notices. Notices given under this DPA will be given in accordance with the notice provisions of the Conditions, except that notices under clauses 5 (Sub-processors), 9 (Personal data breaches) and 10 (Audit) may be given by email to the addresses designated by the parties for such notices.
12.4. Governing law and jurisdiction. This DPA is governed by the laws of England and the parties submit to the exclusive jurisdiction of the courts of England in accordance with clause 10.8 of the Conditions.
12.5. Severability and other general provisions. Clauses 10.1 to 10.6 of the Conditions apply to this DPA as if set out in full in this DPA.
Annex 1: Details of processing
This Annex 1 sets out the general particulars of the processing of personal data by Atlas Merlin on behalf of Customer under the Contract. Order-specific particulars are set out in the Data Protection Particulars.
Subject matter of the processing. The processing of personal data by Atlas Merlin in the course of providing the Software to Customer under the Contract.
Duration of the processing. The Contract Period, together with any further period during which Atlas Merlin retains personal data in accordance with clause 11 of this DPA and clause 7.4 of the Conditions.
Nature of the processing. Collection, storage, organisation, retrieval, analysis, transmission and deletion of personal data, in each case as necessary for the operation of the Software and the provision of related services to Customer.
Purposes of the processing. Providing, operating, maintaining, supporting and improving the Software for Customer, in accordance with the Contract and Customer’s documented instructions.
Types of personal data. The Software is designed for the detection of objects and events in industrial environments, and is not designed to identify individuals. In the course of its operation, however, the Software may incidentally process personal data, which typically consists of images and video footage in which individuals (such as workers at Customer’s sites) may appear, together with associated metadata (such as timestamps and device identifiers). Order-specific details of personal data processed under a particular Order are set out in the Data Protection Particulars.
Categories of data subjects. Individuals who appear in images, video footage or other data captured by Devices operated under the Contract, including workers, contractors and visitors at Customer’s sites. Order-specific details of categories of data subjects under a particular Order are set out in the Data Protection Particulars.
Obligations and rights of Customer. As set out in the Contract, this DPA, and the Data Protection Laws.
Annex 2: Technical and organisational measures
Atlas Merlin implements technical and organisational measures appropriate to the risk presented by its processing of personal data on behalf of Customer, taking into account the nature, scope, context and purposes of the processing. The measures include:
Access control. Access to systems and data used in connection with the Software is restricted to authorised personnel on a need-to-know basis. Authentication uses individual user accounts and, where appropriate, multi-factor authentication.
Confidentiality of personnel. All personnel authorised to access personal data are bound by written obligations of confidentiality, whether under employment contracts or consulting agreements.
Encryption in transit. Personal data transmitted over public networks is protected by industry-standard encryption.
Endpoint protection. Devices used by Atlas Merlin personnel to access systems holding personal data are subject to appropriate endpoint controls, including device encryption and access protection.
Hosting and infrastructure. Atlas Merlin uses reputable cloud infrastructure providers and configures services in accordance with provider security guidance.
Secure development. Atlas Merlin follows secure development practices, including code review and dependency management.
Personal data breach response. Atlas Merlin maintains a process for identifying, investigating and responding to suspected personal data breaches, including notification to Customer in accordance with this DPA.
Review. Atlas Merlin reviews these measures from time to time and updates them as appropriate to maintain a level of security appropriate to the risk.
Annex 3: Sub-processors
The Sub-processors engaged by Atlas Merlin to process personal data on behalf of Customer in connection with the Contract are listed at https://atlasmerlin.com/legal/sub-processors. Atlas Merlin maintains and updates this list in accordance with clause 5 of this DPA.