HEATLINK SERVICES LTD

PRIVACY POLICY – 2019

1. Processing of Customer Personal Data

1.1 Scope of this Privacy Policy and Role of Parties. This Privacy Policy applies to the Processing of Personal Data by Heatlink Services Limited in the course of the undertaking of its business.

1.2 Instructions for Processing Personal Data. Heatlink Services Limited shall Process Personal Data as reasonably necessary and the Heatlink Services Limited may Process Personal Data otherwise than in accordance with Customer’s instructions if required to so by Applicable Law. In such case Heatlink Services Limited shall inform Customer of that legal requirement, unless prohibited from doing so by Applicable Law.

1.3 Compliance with Laws. Heatlink Services Limited in Processing the Customer Personal Data in accordance with Clause 1.2 above, shall comply with all applicable Data Protection Laws.

2. Heatlink Services Personnel

2.1 Personnel Reliability. Heatlink Services Limited shall take reasonable steps to require background screening and to ensure the reliability of any personnel who may have access to the Customer Personal Data or the Customer environments in which the Personal Data is processed, ensuring in each case that access is strictly limited to those individuals who need to know / access the relevant Customer Personal Data. In doing so we will ensure any personnel are informed of the confidential nature of Personal Data, have received training, and are subject to confidentiality obligations or professional or statutory obligations of confidentiality.

2.2 Data Protection Officer. Heatlink Services Limited have appointed a data protection officer. The appointed person may be reached at gemma@heatlinkservices.co.uk

Laws applicable to the Customer. In such an event, If Customer notifies Heatlink Services Limited in writing of any objections (on reasonable grounds) to a Sub-processor added to the Sub-processor List within fourteen (14) days after the date of the applicable Sub-processor Notice:

3. Support in Complying with Data Subject Rights

3.1 Requests from Data Subjects. Customer acknowledges, as part of the Services, it is responsible for responding to any Data Subjects’ request under any Data Protection Law to exercise the Data Subject’s right of access, right of rectification, restriction of Processing, right to be forgotten, data portability, object to processing, or its right not to be subjected to an automated decision-making process (“Data Subject Request”). Heatlink Services Limited shall to the extent permitted by Applicable Law, promptly notify Customer if it receives a Data Subject Request from a Data Subject; and

3.2 Government and Law Enforcement Authority Requests. Unless prohibited by Applicable Law or a legally-binding request of law enforcement, Heatlink Services Limited shall promptly notify Customer of any request by government agency or law enforcement authority for access to or seizure of Personal Data.

4. Breach Incident Notification.

4.1 Breach notice. Heatlink Services Limited shall notify Customer within 24 hours upon Heatlink Services Limited becoming aware of a confirmed Personal Data Breach affecting Customer Personal Data. To the extent able within the scope of the Services, Heatlink Services Limited will provide Customer with sufficient information to allow it to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Data Protection Laws.

4.2 Investigatory Cooperation. Heatlink Services Limited shall co-operate with Customer and take such reasonable commercial steps as are directed by Customer to assist in the investigation, mitigation and remediation of each such Personal Data Breach.

5. Security

5.1 Technical and organisational measures. Heatlink Services Limited shall implement and maintain appropriate technical and organisational measures designed to protect the security, confidentiality and integrity of Customer Personal Data, including to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, such Personal Data as set forth in Schedule A. Heatlink Services Limited regularly monitors compliance with these measures. Heatlink Services Limited reserves the right to update its technical and organisational measures and will not materially decrease the overall security of the Services pursuant to the Principal Agreement.

5.2 Return and Deletion of Personal Data. Upon termination of the Services, Heatlink Services Limited shall at Customer’s option, return and/or delete any Personal Data retained on the Services in accordance with the terms of the Principal Agreement and not retain any copies unless Heatlink Services Limited is required to do so by Applicable Law.

6. Location and Storage of Personal Data

Personal Data may be stored at various data centre premises as part of the Services (the “Designated Data Centre Location”).

7. General Terms

7.1 Without prejudice to any Mediation and Jurisdiction and Governing Law of any other agreement between the parties, or the applicability of any Data Protection Laws:

7.1.1 the parties to this Privacy Policy hereby submit to the choice of jurisdiction stipulated in the Principal Agreement with respect to any disputes or claims howsoever arising under this Privacy Policy, including disputes regarding its existence, validity or termination or the consequences of its nullity; and

7.1.2 the obligations of Heatlink Services Limited and Affiliates arising hereunder are subject to and governed by the laws of the country or territory expressly set forth in the Principal Agreement.

7.2 With regard to the subject matter of this Privacy Policy, in the event of inconsistencies between the provisions of this Privacy Policy and any other agreements between the parties, including the Principal Agreement and including (except where explicitly agreed otherwise in writing, signed on behalf of the parties) agreements entered into or purported to be entered into after the date of this Privacy Policy, the provisions of this Privacy Policy shall prevail.

7.3 Customer is responsible for coordinating all communication with Heatlink Services Limited on behalf of its Customer Group Members with regard to this Privacy Policy. Customer represents that, in relation to this Privacy Policy, it, as agent for its Customer Group Members (where applicable),is authorized to issue instructions; make and receive any communications or notifications; and enter into any agreement expressly contemplated herein for and on behalf of any of its Customer Group Members.

7.4 Customer and/or its Customer Group Members may only disclose the terms of this Privacy Policy to a Supervisory Authority to the extent required by law or such Supervisory Authority. Customer shall reasonably ensure that the Supervisory Authority does not disclose the terms of this Privacy Policy to the public or any third party, including :(i) marking copies of this Privacy Policy as “Confidential and Commercially Sensitive”;(ii) requesting return of copies of this Privacy Policy once the governmental regulatory notification has been completed or approval granted; and (iii) requesting prior notice and consultation before any disclosure of this Privacy Policy by the Supervisory Authority.