8. Data Protection
8.1 In this clause 8, Data Protection Laws means the EU Data Protection Directive 95/46/EC as implemented in the appropriate local territories of the European Union until 25 May 2018 and on and from 25 May 2018 ("GDPR Date") the General Data Protection Regulation (EU) 2016/679 ("GDPR") (as amended and superseded from time to time), and/or all Applicable Law from time to time, in each case in each jurisdiction where the Services are delivered in relation to data privacy; "Process/Processing", "Data Subject", "Personal Data" and "Personal Data Breach" shall have the same meaning as in the Data Protection Laws.
8.2 Each party confirms that it holds, and during the term of this Contract will maintain, all registrations and notifications required in terms of the Data Protection Laws which are appropriate to its performance of its obligations under this Contract.
8.3 Each party confirms that, in the performance of this Contract, it will comply with the Data Protection Laws.
8.4 In so far as Hawk Incentives Processes any Personal Data on behalf of Client, Hawk Incentives shall:
8.4.1 not Process the Personal Data or disclose or permit the disclosure of the Personal Data to any third party other than in accordance with Client’s documented instructions (whether in this Contract or otherwise) unless Processing is required by EU or Member State law to which Hawk Incentives is subject or English law, in which case Hawk Incentives shall, to the extent permitted by such law, inform Client of that legal requirement before Processing that Personal Data;
8.4.2 not authorise any sub-contractor to process the Personal Data ("sub-processor") other than with the prior written consent of Client (which is deemed given by Client issuance of the Order Form to permit Hawk Incentives, in the ordinary course of its business operations to appoint an Affiliate or other third party to provide, within the UK or other EEA member state, save as otherwise detailed at clause 8.4.11 below, contact centre services, data hosting, back up and other automated processing functions) provided that in the case of each approved sub-processor, Hawk Incentives shall include terms in the contract between itself and each sub-processor which are equivalent to those set out in this clause 8 and remain fully liable to Client for any failure by each sub-processor to fulfil its obligations in relation to the Processing of any Personal Data. The list of sub-contractors currently used by Hawk Incentives for the Services can be found in part F of clause 1 above. Hawk Incentives will notify Client of changes to such list through publication of a new list in a revised version of these terms and conditions appearing on Hawk Incentives’s website. Client’s continued purchase of Products after such publication will be deemed to be Client’s acceptance of the changes to Hawk Incentives’ sub-contractors;
8.4.3 taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, implement appropriate technical and organisational measures to ensure a level of security to protect against unauthorised or unlawful Processing of the Personal Data or accidental damage to, or loss or destruction of, it appropriate to the risk and shall take all measures required pursuant to the Data Protection Laws. Accordingly, Hawk Incentives shall not be required to complete any questionnaires or similar submitted by Client in relation to information and/or data security;
8.4.4 take reasonable steps to ensure the reliability of any employee, agent or contractor who may have access to the Personal Data, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality;
8.4.5 promptly notify Client if it receives a request from a Data Subject under any Data Protection Laws in respect of the Personal Data, including, from the GDPR Date, requests by a Data Subject to exercise rights under Chapter III of GDPR unless Hawk Incentives is legally prevented from doing so;
8.4.6 reasonably co-operate, upon Client’s written request and at Client’s cost, to enable Client to comply with the exercise of such rights by a Data Subject and/or to comply with any assessment, enquiry, notice or investigation under any Data Protection Laws in respect of the Personal Data or this Contract;
8.4.7 notify Client without undue delay upon becoming aware of a Personal Data Breach providing Client with sufficient information which allows it to meet any obligations to report a Personal Data Breach under the Data Protection Laws;
8.4.8 co-operate with Client and take such reasonable commercial steps as are directed by Client to assist in the investigation, mitigation and remediation of each Personal Data Breach;
8.4.9 in the event of a Personal Data Breach, Hawk Incentives shall not inform any third party without first obtaining Client’s prior written consent, unless notification is required by EU or Member State law to which Hawk Incentives is subject;
8.4.10 allow reasonable access no more than once in every twelve month period to its data processing facilities, procedures and documentation by Client’s auditors in order to ascertain compliance with the Data Protection Laws and the terms of this clause 8. Hawk Incentives shall provide reasonable cooperation to Client in respect of any such audit and shall at Client’s request, provide Client with evidence of compliance with its obligations under this Contract;
8.4.11 not (and shall procure that its sub-processors shall not) under any circumstances transfer Data outside the EEA unless authorised in writing by Client to do so which consent is hereby provided by the Client to the transfer of Personal Data by Hawk Incentives to its Affiliates outside the EEA, who may in the provision of the Services act as sub-processors for Hawk Incentives, and provided always that Hawk Incentives has first ensured that the following conditions are fulfilled: (a) the Client or Hawk Incentives has provided appropriate safeguards in relation to the transfer; (b) the Data Subject has enforceable rights and effective legal remedies; (c) Hawk Incentives complies with its obligations under the Data Protection Laws by providing an adequate level of protection to any Personal Data that is transferred; and (d) Hawk Incentives complies with reasonable instructions notified to it in advance by the Client with respect to the processing of Personal Data.
8.5 Subject to the requirements of any applicable exit plan, Hawk Incentives shall cease Processing, as soon as reasonably practicable, upon the termination or expiry of this Contract (or, if sooner, the Services to which it relates) and as soon as possible thereafter, at Client’s election, either return, or securely wipe from its systems, the Personal Data and any copies of it or of the information it contains.
8.6 Client warrants that it has (and, at all times during the period this Contract is in force, it will have) the requisite rights, authority and consents to disclose any Personal Data to Hawk Incentives for the purpose of the performance of this Contract and that use by Hawk Incentives of such Personal Data to provide the Services hereunder in accordance with the Contract and the instructions of Client will not infringe the rights of any third party.