GIKI ZERO DATA PROCESSING AGREEMENT Pre March 2022

Last update: July 20 2021

Previous versions: None

This Data Processing Agreement is entered into between GIKI SOCIAL ENTERPRISE LTD has its registered offices at 20-22, Wenlock Road, London, England, N1 7GU (Giki) and the company who has agreed to subscribe to the terms of this Data Processing Agreement by e-mail, online or any other means (Customer).

BACKGROUND
(A) Giki has developed certain software applications and platforms which it makes available to subscribers via the internet on a pay-per-use basis for the enterprise roll-out of Giki Zero (see https://zero.giki.earth/).
(B) The Customer wishes to use Giki’s service for the benefit of its employees, agents and independent contractors.
(C) Giki has agreed to provide and the Customer has agreed to take and pay for Giki’s service subject to the terms and conditions of a separate Giki Pro Zero Agreement (the “Giki Pro Subscription Agreement”).
(D) The parties agree that the provision of this Data Processing Agreement shall apply in respect of the processing of any personal data under the terms of the Giki Pro Subscription Agreement.

Agreed terms
1. Interpretation
1.1 Terms not defined in this Data Processing Agreement shall have the meaning ascribed to them in the Giki Pro Subscription Agreement.
1.2 The definitions and rules of interpretation in this Clause apply in this Data Processing Agreement.

Authorised Users: those employees, agents and independent contractors of the Customer who are authorised by the Customer to use the Services and the Documentation, as further described in the Giki Pro Subscription Agreement.

Controller, processor, data subject, personal data, personal data breach, processing and appropriate technical and organisational measures: as defined in the Data Protection Legislation.

Data Protection Legislation: the UK Data Protection Legislation and any other European Union legislation relating to personal data and all other legislation and regulatory requirements in force from time to time which apply to a party relating to the use of personal data (including, without limitation, the privacy of electronic communications); [and the guidance and codes of practice issued by the relevant data protection or supervisory authority and applicable to a party].

UK Data Protection Legislation: all applicable data protection and privacy legislation in force from time to time in the UK including the General Data Protection Regulation ((EU) 2016/679); the Data Protection Act 2018; the Privacy and Electronic Communications Directive 2002/58/EC (as updated by Directive 2009/136/EC) and the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426) as amended.

1.3 Clause and paragraph headings shall not affect the interpretation of this Data Processing Agreement.
1.4 A person includes an individual, corporate or unincorporated body (whether or not having separate legal personality).
1.5 A reference to a company shall include any company, corporation or other body corporate, wherever and however incorporated or established.
1.6 Unless the context otherwise requires, words in the singular shall include the plural and in the plural shall include the singular.
1.7 Unless the context otherwise requires, a reference to one gender shall include a reference to the other genders.
1.8 A reference to a statute or statutory provision is a reference to it as it is in force as at the date of this Data Processing Agreement.
1.9 A reference to a statute or statutory provision shall include all subordinate legislation made as at the date of this Data Processing Agreement under that statute or statutory provision.
1.10 A reference to writing or written includes faxes but not e-mail.
1.11 References to Clauses are to the clauses of this Data Processing Agreement.

2. Data Processing Terms
2.1 Both parties will comply with all applicable requirements of the Data Protection Legislation. This Clause 2 is in addition to, and does not relieve, remove or replace, a party’s obligations or rights under the Data Protection Legislation.
2.2 Giki shall, in providing the Services, comply with its Privacy Policy relating to the privacy and security of the personal data of Authorised Users available at https://zero.giki.earth/privacy-policy or such other website address as may be notified to the Customer from time to time, as such document may be amended from time to time by Giki in its sole discretion. The parties acknowledge that Giki will be the data controller of such personal data.
2.3 Giki will share with you the following personal data of the relevant Authorised Users and the parties acknowledge that the Customer shall be an independent data controller of such information:
(a) calculated environmental impact information of Authorised Users;
(b) Giki score of Authorised Users; and
(c) the type and overall number of steps that Authorised Users have committed to and completed.
2.4 The Customer will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the personal data to Giki for the duration and purposes of this Data Processing Agreement so that Giki may lawfully use, process and transfer the personal data in accordance with this Data Processing Agreement on the Customer’s behalf.
2.5 Where Giki acts as a data processor on behalf of the Customer, Giki shall:
(a) process that personal data only on the documented written instructions of the Customer unless Giki is required by the laws of any member of the European Union or by the laws of the European Union applicable to Giki and/or Domestic UK Law (where Domestic UK Law means the UK Data Protection Legislation and any other law that applies in the UK) to process personal data (Applicable Laws). Where Giki is relying on Applicable Laws as the basis for processing personal data, Giki shall promptly notify the Customer of this before performing the processing required by the Applicable Laws unless those Applicable Laws prohibit Giki from so notifying the Customer;
(b) not transfer any personal data outside of the European Economic Area and the United Kingdom unless the following conditions are fulfilled:
(i) the Customer or Giki has provided appropriate safeguards in relation to the transfer;
(ii) the data subject has enforceable rights and effective legal remedies;
(iii) Giki complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any personal data that is transferred; and
(iv) Giki complies with reasonable instructions notified to it in advance by the Customer with respect to the processing of the personal data;
(c) assist the Customer, at the Customer’s cost, in responding to any request from a data subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators;
(d) notify the Customer without undue delay on becoming aware of a personal data breach;
(e) at the written direction of the Customer, delete or return personal data and copies thereof to the Customer on termination of the agreement unless required by Applicable Law to store the personal data (and for these purposes the term “delete” shall mean to put such data beyond use); and
(f) maintain complete and accurate records and information to demonstrate its compliance with this Clause 2 and immediately inform the Customer if, in the opinion of Giki, an instruction infringes the Data Protection Legislation.

3. Security
3.1 Each party shall ensure that it has in place appropriate technical and organisational measures, reviewed and approved by the other party, to protect against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymising and encrypting personal data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to personal data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it).

4. Term and termination
4.1 This Data Processing Agreement shall continue until the expiry or termination of the Giki Pro Subscription Agreement.

5. Severance
5.1 If any provision or part-provision of this Data Processing Agreement is or becomes invalid, illegal or unenforceable, it shall be deemed deleted, but that shall not affect the validity and enforceability of the rest of this Data Processing Agreement.
5.2 If any provision or part-provision of this Data Processing Agreement is deemed deleted under Clause 5.1 the parties shall negotiate in good faith to agree a replacement provision that, to the greatest extent possible, achieves the intended commercial result of the original provision.

6. Entire agreement
6.1 The Giki Pro Subscription Agreement and the Data Processing Agreement constitutes the entire agreement between the parties and supersedes and extinguishes all previous agreements, promises, assurances, warranties, representations and understandings between them, whether written or oral, relating to its subject matter.
6.2 Each party acknowledges that in entering into this Data Processing Agreement it does not rely on, and shall have no remedies in respect of, any statement, representation, assurance or warranty (whether made innocently or negligently) that is not set out in this Data Processing Agreement.
6.3 Each party agrees that it shall have no claim for innocent or negligent misrepresentation or negligent misstatement based on any statement in this Data Processing Agreement.
6.4 Nothing in this Clause shall limit or exclude any liability for fraud.

7. Third party rights
This Data Processing Agreement does not confer any rights on any person or party (other than the parties to this Data Processing Agreement and, where applicable, their successors and permitted assigns) pursuant to the Contracts (Rights of Third Parties) Act 1999.

8. Notices
8.1 Any notice required to be given under this Data Processing Agreement shall be in writing and shall be delivered by hand or sent by pre-paid first- class post or recorded delivery post to the other party at its address set out in this Data Processing Agreement, or such other address as may have been notified by that party for such purposes, or sent by fax to the other party’s fax number as set out in this Data Processing Agreement.
8.2 A notice delivered by hand shall be deemed to have been received when delivered (or if delivery is not in business hours, at 9 am on the first business day following delivery). A correctly addressed notice sent by pre-paid first-class post or recorded delivery post shall be deemed to have been received at the time at which it would have been delivered in the normal course of post. A notice sent by fax shall be deemed to have been received at the time of transmission (as shown by the timed printout obtained by the sender).

9. Governing law
This Data Processing Agreement and any dispute or claim arising out of or in connection with it or its subject matter or formation (including non- contractual disputes or claims) shall be governed by and construed in accordance with the law of England and Wales.

10. Jurisdiction
Each party irrevocably agrees that the courts of England and Wales shall have exclusive jurisdiction to settle any dispute or claim arising out of or in connection with this Data Processing Agreement or its subject matter or formation (including non-contractual disputes or claims).