This General Data Protection Regulation Addendum is between Hainan Airlines Holding Company Limited (“Customer”) and [the opposing party of the contract] (“Supplier”). This addendum applies to each agreement between Customer (or any Customer’s affiliates) and Supplier (or any Supplier’s affiliates) under which Supplier processes Customer Data as part of performing under that agreement (“Agreement”). The addendum will be effective on the last signature date.
means the Personal Data of each Party's employees or staff Processed by the other Party, under, or in connection with, the Agreement;
means the Personal Data and Sensitive Personal Data Processed by (or on behalf of) Customer under, or in connection with, the Agreement as more particularly described in Schedule  (Data Protection Particulars);
means (a) any law, statute, declaration, decree, directive, legislative enactment, order, ordinance, regulation, rule or other binding restriction (as amended, consolidated or re-enacted from time to time) which relates to the protection of individuals with regard to the processing of personal data to which a Party is subject, including the Data Protection Act 1998 ("DPA") and EC Directive 95/46/EC (the "DP Directive") (up to and including 24 May 2018), the Data Protection Act 2018 (subject to royal assent), and the GDPR (on and from 25 May 2018); and (b) any code of practice or guidance published by the ICO and/or European Data Protection Board from time to time;
means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and repealing Directive 95/46/EC (General Data Protection Regulation) OJ L 119/1, 4.5.2016;
means in respect of either party, that party, its holding company, its subsidiaries and any other direct or indirect holding company or subsidiary from time to time of such holding company or subsidiary;
"Intellectual Property Rights"
means all patents, rights to inventions, utility models, copyright and related rights, trade marks, service marks, trade, business and domain names, processes, rights in trade dress or get-up, rights in goodwill or to sue for passing off, unfair competition rights, rights in designs, rights in computer software, database rights, topography rights, moral rights, know-how and [Confidential Information], and all other intellectual property rights and similar or equivalent rights or forms of protection anywhere in the world which currently exist or are recognised in the future, in each case whether registered or unregistered and including all applications for and renewals or extensions of such rights; and in each case all goodwill in or attaching to same;
means losses, liabilities, damages, compensation, awards, payments made under settlement arrangements, claims, proceedings, costs and other expenses including fines, interest and penalties, whether arising in contract, tort (including negligence), breach of statutory duty or otherwise, legal and other professional fees and expenses;
For the purpose of this clause 1, "Controller", "Data Subject", "Personal Data", "Process", "Processed", "Processing", "Processor" and "Sensitive Personal Data" (including from 25 May 2018 special categories of Personal Data set out in Article 9(1) of the GDPR) shall have the meanings given to them in the Data Protection Laws.
[Reference in this clause to Customer providing or receiving an item (including Customer Data or information) pursuant to the Agreement shall include items provided by or to any member of Customer Group.]
Each Party agrees that in performing its obligations under this Contract, it shall comply with the obligations imposed upon it under the Data Protection Laws.
The Parties each acknowledge and agree that they may need to Process the other Party's Contact Data (in their respective capacities as Data Controllers) under and in connection with the Agreement and shall do so in accordance with (a) their respective privacy policies and (b) Data Protection Legislation.
Notwithstanding the foregoing, the Parties agree that for the purposes of this Addendum, Customer is the Controller of the Customer Data and in accordance with the terms of the Agreement appoints the Supplier to act as Processor in relation to the Customer Data made available to it by Customer under the Agreement for the purpose of providing the [Services]. The particulars of the Customer Data are set out in Schedule .
In relation to any Customer Data that Customer provides or makes available to the Supplier, or that the Supplier Processes on Customer's behalf pursuant to the Agreement, Supplier shall:
comply with the obligations imposed upon a Processor under the Data Protection Laws and shall co-operate with Customer and take all such action as is necessary to enable Customer to comply with its obligations under the Data Protection Laws and shall not perform its obligations under this Addendum in such a way as to cause Customer to breach any of its obligations under the Data Protection Laws; expressly and without limitation, the Processor shall comply with the obligations set out in Articles 28(2), (3), and (4) of the GDPR;
only Process Customer Data for and on behalf of Customer for the purposes of performing its obligations under the Agreement, and only in accordance with the terms of the Agreement and any instructions from Customer;
ensure that appropriate operational and technical measures are in place to safeguard against any unauthorised or unlawful Processing of the Customer Data and against accidental loss or destruction of, or damage to, Customer Data and where requested provide to Customer evidence of its compliance with such requirement;
not transfer any Customer Data outside the EEA unless it has the Customer's prior written consent and in granting consent to the transfer, the Customer may impose, at the [Supplier's sole cost and expense] such terms on the Processing of the Customer Data, on the other Party and/or on any sub-contractor, including incorporating model clauses and/or a direct data processing agreement;
[within [thirty (30)] calendar days of a request from Customer, allow its data processing facilities, procedures and documentation to be submitted for scrutiny, inspection or audit by Customer (and/or its representatives, including its appointed auditors) in order to ascertain compliance with the terms of this Clause 1 (Data Protection), and provide reasonable information, assistance and co-operation to Customer, including access to relevant staff and/or, on the request of Customer, provide Customer with written evidence of its compliance with the requirements of this Clause 1 (Data Protection);]
implement any measures necessary to restore the security of compromised Customer Data; and
assist Customer to make any notifications to a regulator (including the Information Commissioner) and affected Data Subjects;
if Supplier is required by any law of the European Union to act other than in accordance with any instructions from Customer given under clause 1.4.2, provided the Supplier is not prohibited by law from doing so;
respond to any request for support, information or action required by Customer within such timescales as notified to it by Customer and where no such timescale is provided respond promptly to ensure that Customer meets its duties under the Data Protection Laws in a timely manner; and
except to the extent required by Applicable EU Law, upon the earlier of:
termination or expiry of the Agreement (as applicable); and/or
the date on which the Customer Data is no longer relevant to, or necessary for, the Permitted Purpose,
Supplier shall cease Processing all Customer Data and return and/or permanently and securely destroy so that it is no longer retrievable (as directed in writing by Customer) all Customer Data and all copies in its possession or control.
The Supplier shall indemnify and keep indemnified Customer and each member of its Group from and against all [Losses] suffered or incurred by Customer and each member of its Group arising out of or in connection with claims and proceedings arising from any breach of the Supplier’s obligations under this Clause 1.
The Addendum is made and signed in four (4) duplicates, two (2) of them being received by either of the contracting parties.
Neither party has entered this Addendum in reliance on any promise, representation, or warranty not contained herein. This Addendum will be interpreted according to its plain meaning without presuming that it should favor either party.