DATA PROTECTION AGREEMENT
Exhibit 10.4
DATED 29 July 2004
(1) | NORWICH UNION CUSTOMER SERVICES (SINGAPORE) PRIVATE LIMITED |
(2) | NORWICH UNION INSURANCE LIMITED |
(3) | EXLSERVICE HOLDINGS, INC |
(4) | XXXXXXXXXX.XXX (INDIA) PRIVATE LIMITED |
Dated: 29 July 2004
BETWEEN:
(1) | Norwich Union Customer Services (Singapore) Private Limited, a company registered in Singapore with registration number 200303457R and whose registered office is at 0 Xxxxxxx Xxx, #00-00 XXX Xxxxxx 0, Xxxxxxxxx 000000 (“the Client”); and |
(2) | Norwich Union Insurance Limited, a company registered in England and Wales with registration number 99122 and whose registered office is at Xxxxxx Xxxxxx, Xxxxxxx, XX0 0XX (“NUI”); |
(Parties (1) and (2) shall be collectively referred to as “Norwich Union”), and
(3) | Exlservice Holdings, Inc, a company registered in the State of Delaware, whose principal office is at 000 Xxxx Xxxxxx, 00xx Xxxxx, Xxx Xxxx, XX00000 (“EXL Holdings (US)”); and |
(4) | Xxxxxxxxxx.xxx (India) Private Limited, a company incorporated in India with registered number 55-99888 and whose registered office is at 000X, Xxxxxx Xxxxxx, Xxxxxxxxxx Xxxx, Xxx Xxxxx, Xxxxx (“EXL India”). |
(Parties (3) and (4) shall be collectively referred to as “the Service Providers”)
NOW IT IS HEREBY AGREED as follows:
1 | DEFINITION AND INTERPRETATION |
In this Agreement, unless otherwise specified or inconsistent with the context;
1.1 | the following expressions shall have the following meanings: |
“Associated Company” | any holding company from time to time of the Client and any subsidiary from time to time of the Client or of any such holding company and the terms “holding company” and “subsidiary” shall have the meaning given to them by Xxxxxxx 000 Xxxxxxxxx Xxx 0000; |
“Authorised Agent” | (a) any third party contracting with the Client for the provision of services including, but not limited to, facilities management or maintenance services; or |
(b) any third party contracting with an Associated Company for the provision of services including, but not limited to, facilities management or maintenance services. |
“Data Protection Laws” | has the meaning set out in clause 5; |
“Data Controller” | shall have the same meaning as set out in the Directive; |
“Data Subject” | shall have the same meaning as set out in the Directive; |
“Directive” | means Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data; |
“Information Commissioner” | means the United Kingdom supervisory authority for data protection located at Xxxxxxxx Xxxxx, Xxxxx Xxxx, Xxxxxxxx, Xxxxxxxx, XX0 0XX; |
“Insurance Services Framework Agreement” | the agreement dated with the date of this agreement between the Client and EXL Holdings (US); |
“Parties” | means the Parties to this Agreement, and a “Party” means any one of them; |
“Personal Data” | shall have the same meaning as set out in the Directive; |
“Process/Processing” | shall have the same meaning as set out in the Directive and “Processed” shall be construed accordingly; |
“Protected Data” | any Personal Data Processed by the Service Providers in connection with the Insurance Services Framework Agreement and any Work Order; |
“Special Categories of Data” | shall have the same meaning as set out in the Directive; |
“Work Order” | means an Insurance Services Work Order entered into pursuant to the Insurance Services Framework Agreement. |
1.2 | references to clauses and appendices are to clauses of and the schedules to this Agreement; |
1.3 | the appendices form part of this Agreement and have the same force and effect as if expressly set out in the body of this Agreement; |
1.4 | words importing gender include each gender; |
1.5 | references to persons include bodies corporate, firms and unincorporated associations and that person’s legal personal representatives and successors; |
1.6 | the singular includes the plural and vice versa; |
1.7 | clause headings are included for the convenience of the Parties only and do not affect its interpretation; |
1.8 | references to statutory provisions shall be construed as references to those provisions as respectively amended, consolidated, extended or re-enacted from time to time and shall be construed as including references to the corresponding provisions of any earlier legislation directly or indirectly amended, consolidated, extended or replaced by those statutory provisions or re-enacted and shall include any orders, regulations, instruments or other subordinate legislation made under the relevant statute; and |
1.9 | references to any English legal or accounting term for any action, remedy, method of judicial proceeding, legal or accounting document, legal or accounting status, insolvency proceeding, event of incapacity, court, governmental or administrative authority or agency, accounting body, official or any legal or accounting concept, practice or principle or thing shall in respect of any jurisdiction other than England be deemed to include what most approximates in that jurisdiction to the English legal or accounting term concerned; and |
1.10 | any undertaking by either of the Parties not to do any act or thing shall be deemed to include an undertaking not to permit or suffer or assist the doing of that act or thing. |
2 | DETAILS OF THE TRANSFER |
2.1 | The details of transfers of Protected Data, and in particular the categories of Protected Data and the purposes for which they are transferred, are specified in appendix 1. |
2.2 | The Parties agree that the Client is and will remain the Data Controller in relation to the Protected Data and that the Service Providers will solely act as Data Processors with respect to such Protected Data. |
3 | OBLIGATIONS OF NORWICH UNION |
3.1 | Norwich Union agrees and warrants: |
3.1.1 | that the Processing, including the transfer itself, of the Personal Data by Norwich Union has been and, up to the moment of the transfer, will continue to be carried out in accordance with the relevant provisions of the Data Protection Xxx 0000; |
3.1.2 | to make available to the Data Subjects upon request a copy of this Agreement; and |
3.1.3 | to respond in a reasonable time and to the extent reasonably possible to enquiries from the Information Commissioner on the Processing of the relevant Protected Data by Norwich Union or any one of them and to any enquiries from the Data Subject concerning the Processing of the Protected Data by the Service Providers. |
4 | OBLIGATIONS OF THE SERVICE PROVIDERS |
4.1 | The Service Providers agree and warrant: |
4.1.1 | that they have no reason to believe that the legislation applicable to them prevents them from fulfilling their obligations under this Agreement and that in the event of a change in which is likely to have a substantial adverse effect on the guarantees provided by this Agreement, they will notify the change to the Client and to such other relevant Norwich Union company and if necessary to the Information Commissioner, in which case the Client or NUI will be entitled to suspend the transfer of the Protected Data and/or terminate this Agreement; |
4.1.2 | to process the Protected Data in accordance with the mandatory data protection principles set out in Appendix 2 and to process in all other respects the Protected Data in accordance with: |
(a) | the relevant provisions of the Data Protection Xxx 0000 protecting the fundamental rights and freedoms of natural persons, and in particular their right to privacy with respect to the Processing of Personal Data applicable to a Data Controller in England, or |
(b) | the relevant provisions of any Commission Decision under Article 25(6) of the Directive finding that a third country provides adequate protection in certain sectors of activity only, if the Service Providers are based in that third country and is not covered by those provisions, in so far as those provisions are of a nature which makes them applicable in the sector of the transfer; |
4.1.3 | to deal promptly and properly with all reasonable inquiries from the Client or NUI or the Data Subject relating to its Processing of the Protected Data subject to the transfer and to co-operate with the Information Commissioner in the course of all its inquiries and abide by the advice of the Information Commissioner with regard to the Processing of the Protected Data transferred; |
4.1.4 | at the request of the Client or NUI to submit its data processing facilities for audit which shall be carried out by the Client or NUI or an inspection body composed of independent members and in possession of the required professional qualifications, selected by the Client or NUI, where applicable, in agreement with the Information Commissioner; and |
4.1.5 | to make available to the Data Subject upon request a copy of this Agreement and indicate the office which handles complaints. |
4.2 | Without prejudice to clause 4.1, the Service Providers shall ensure that they only Process the Protected Data for the purposes notified to them by Norwich Union and/or the relevant Data Subjects and that they maintain appropriate technical and organisational measures (including but not limited to, appropriate policies communicated to their employees, management of ongoing compliance and effective security measures) in respect of the Protected Data to prevent unauthorised or unlawful Processing of the Protected Data and against accidental loss or destruction of, or damage to, the Protected Data. |
4.3 | The Service Providers will take all steps required and communicated in writing to them by Norwich Union that the Client or NUI reasonably considers are necessary in order to comply with their respective obligations under the Data Protection Xxx 0000. |
4.4 | The Service Providers, for the purposes of facilitating Norwich Union’s compliance with the Data Protection Laws, shall furnish to the Client or NUI copies of such security, audit and control reports generated by the Service Providers’ auditors as are directly relevant to such compliance. |
4.5 | In the event that either Norwich Union or the Service Providers become aware of any unauthorised, unlawful or dishonest conduct or activities, or any breach of the terms of this Agreement relating to Protected Data, such Party shall notify the other Party thereof. |
5 | DATA PROTECTION LAWS |
Without prejudice to clauses 3 and 4 above, each Party shall comply with any data protection, privacy or similar laws anywhere in the world (“Data Protection Laws”), including but not limited to, the Data Protection Xxx 0000, that apply in relation to any Protected Data and render such assistance and co-operation as is reasonably necessary or reasonably requested by the other Party, including, but not limited to, the provision of information regarding the existence, applicability and extent of application of Data Protection Laws in particular jurisdictions to Protected Data.
6 | LIABILITY |
6.1 | The Parties agree that a Data Subject who has suffered damage as a result of any violation of the provisions referred to in clause 12 is entitled to receive compensation from the Parties for the damage suffered. The Parties agree that they may be exempted from this liability only if they prove that neither of them is responsible for the violation of those provisions. |
6.2 | Without prejudice to clause 6.3, Norwich Union and the Service Providers agree that, as between the Parties and a Data Subject, the Parties will be jointly and severally liable to such Data Subject for damage to the Data Subject resulting from any violation referred to in clause 6.1. In the event of such a violation, the Data Subject may bring an action before a court against either the relevant Norwich Union company or the Service Providers or both. |
6.3 | Each Party (an “Indemnifying Party”) shall indemnify any of the other Parties (an “Indemnified Party”) and keep the Indemnified Party indemnified against all claims, demands, actions, costs, expenses (including but not limited to legal costs and disbursements on a full indemnity basis, and whether arising under clauses 6.1 and 6.2 or otherwise) losses and damages arising from or incurred by reason of any wrongful Processing of any Protected Data by the Indemnifying Party or breach of its obligations or warranties under this Agreement, but not to the extent that such disclosure or breach occurs due to the act or omission of the Indemnified Party. |
7 | MEDIATION AND JURISDICTION |
7.1 | The Parties agree that if there is a dispute between a Data Subject and either Party which is not amicably resolved and the Data Subject invokes the Third-Party Beneficiary provision in clause 12, they will accept the decision of the Data Subject: |
7.1.1 | to refer the dispute to mediation by an independent person or, where applicable, by the Information Commissioner; and |
7.1.2 | to refer the dispute to the English courts in accordance with clause 10. |
7.2 | The Parties agree that by agreement between a Data Subject and the relevant Party a dispute can be referred to an arbitration body, if that Party is established in a country which has ratified the New York convention on enforcement of arbitration awards. |
7.3 | The Parties agree that clauses 7.1 and 7.2 apply without prejudice to the Data Subject’s substantive or procedural rights to seek remedies in accordance with other provisions of national or international law. |
8 | CO-OPERATION WITH SUPERVISORY AUTHORITIES |
The Parties agree to deposit a copy of this Agreement with the Information Commissioner if it so requests.
9 | TERMINATION |
The Parties agree that the termination of this Agreement at any time, in any circumstances and for whatever reason does not exempt them from the obligations and/or conditions under this Agreement as regards the Processing of any Protected Data transferred.
10 | LAW AND JURISDICTION |
This Agreement shall be considered as a contract made in England and according to English law and shall be subject to the exclusive jurisdiction of the English courts, to which jurisdiction the Parties hereby irrevocably submit.
11 | VARIATION OF THE CONTRACT |
The Parties undertake not to vary or modify the terms of this Agreement.
12 | THIRD-PARTY BENEFICIARY CLAUSE |
The Data Subjects can enforce this clause, clause 3.1.2 and 3.1.3, clause 4.1.1, 4.1.2, 4.1.3 and 4.1.5, clause 6.1 and 6.2, and clauses 7, 9 and 11 of this Agreement as Third-Party Beneficiaries. The Parties do not object to the Data Subjects being represented by an association or other bodies if they so wish and if permitted by law.
Signed for and on behalf of Client |
By | /s/ Xxxx Xxxxxx Xxxxxxxx |
Name | Xxxx Xxxxxx Xxxxxxxx |
Title | Director |
Date | 29/07/2004 |
Signed for and on behalf of NUI |
By | /s/ Victoria Xxxxx Xxxxxxx Xxxxx | and | By | /s/ Xxx Xxxxxxx Gammer |
Name | Victoria Xxxxx Xxxxxxx Xxxxx | Name | Xxx Xxxxxxx Gammer |
Title | Solicitor | Title | Solicitor |
Date | 28 July 2004 | Date | 28 July 2004 |
Signed for and on behalf of EXL Holdings (US) |
By | /s/ Xxxxx Xxxxxx |
Name | Xxxxx Xxxxxx |
Title | |
Date | |
Signed for and on behalf of EXL India |
By | /s/ Xxxxxx Xxxxxx |
Name | Xxxxxx Xxxxxx |
Title | |
Date |