Data Protection Agreement - Controller to Controller

  1. For the purposes of this Data Protection Agreement:

    (a) Binding Corporate Rules, Certifications, Code of Conduct, Controller, Joint Controller(s), Data Subject, integrity and confidentiality, Personal Data, Personal Data Breach, Processing(including derivatives Processed and Process), Processor, Standard Data Protection Clauses, Data Subject Rights, Transparency, Personal Data Breach and Supervisory Authorities have the meanings given to those terms under the European Parliament Regulation (EU) 2016/679 (the “GDPR”) or, where relevant, the meaning of the essentially equivalent terms in other applicable Data Protection Laws;

    (b) TPI Personal Data means all Personal Data which may be supplied by or on behalf of the TPI to the Jumeirah or its subcontractors in connection with this Agreement;

    (c) Data Protection Laws means any applicable law relating to the Processing, privacy, and use of Personal Data including: (i) the GDPR; (ii) any corresponding national laws or regulations; and (iii) corresponding guidance, codes or certification mechanisms of the relevant regulator or Supervisory Authority regarding such laws;

    (d) Data Protection Losses means all liabilities and amounts, including all: (i) costs (including legal costs), claims, demands, actions, settlements, losses and damages; (ii) regulatory fines, penalties and Data Subject compensation; and (iii) costs of rectification or restoration of Jumeirah Personal Data;

    (e) Including, includes means including/includes without limitation; and

  2. Reference to laws: (i) includes all corresponding subordinate legislation; and (ii) means that law as amended or re-enacted from time to time. An obligation to perform “in accordance with Data Protection Laws” (or similar) means in accordance with the corresponding Data Protection Laws in force at the time of performance.
  3. The parties acknowledge and agree that in respect of the Processing of Personal Data under this Agreement they act as Independent Controllers. The parties will each comply with their separate Controller responsibilities independent of each other and in accordance with Data Protection Laws.
  4. In respect of Processing Personal Data, the parties shall:

    5. (a) implement appropriate technical and organisational measures in accordance with Data Protection Laws to protect the Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure, access, or Processing;

    (b) notify the other party promptly, and without undue delay if a Supervisory Authority contacts the party in relation to the Processing of Personal Data; and

    (c) notify the other party promptly, and without undue delay, of any actual or suspected Personal Data Breach relating to Personal Data which is being Processed under this agreement and (a) do all such things as reasonably necessary to assist the other party in mitigating the effects of the Personal Data Breach; (b) implement any measures necessary to restore the security of any compromised Personal Data; (c) work with the other party to make any required notifications to Supervisory Authorities and affected Data Subjects in accordance with the Data Protection Laws (including the timeframes set out therein); and (d) not do anything which may damage the reputation of the other party or the other party’s relationship with the relevant Data Subjects, save as required by Data Protection Laws.

    (d) not allow any Personal Data to be processed or transferred to any country outside of the United Arab Emirates other than to the European Union, European Economic Area or the United Kingdom unless in compliance with Data Protection Laws

  5. Each party shall protect and indemnify the other party on demand and at all times keep them protected and indemnified, to the fullest extent permitted by applicable law, in respect of all Data Protection Losses suffered or incurred by each party or their agents, including arising directly or indirectly from or in connection with any breach by a party of its obligations under this Agreement.