3.1 Metalitix® collects personal data at the time that a contract is made with a Customer, which makes it a controller of personal data under UK GDPR and the Data Protection Act 2018 (“
UK Data Protection Legislation”). The Metalitix® Platform displays a privacy notice which is accepted by the Customer when it makes a contract with Metalitix®. A link to the privacy notice can be found
here.
3.2 Each party must ensure compliance with applicable UK Data Protection Legislation at all times during the term of the relevant contract. This clause 3.2 is in addition to, and does not relieve, remove or replace a party’s obligations or rights under the UK Data Protection Legislation.
3.3 The parties acknowledge that for the purposes of the UK Data Protection Legislation, the Customer is the controller and Metalitix® is the processor when the Customer interacts with the Metalitix® Platform.
3.4 Without prejudice to the generality of clause 3.2, the Customer will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the personal data to Metalitix® for the duration and purposes of these Terms of Business.
3.5 Without prejudice to the generality of clause 3.2, Metalitix® shall, in relation to any personal data processed in connection with the performance by Metalitix® of its obligations under these Terms of Business:
3.5.1 process that personal data only on the documented written instructions of the Customer unless Metalitix® is required by UK Data Protection Legislation to otherwise process that personal data;
3.5.2 ensure that it has in place appropriate technical and organisational measures against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss or destruction of the personal data;
3.5.3 ensure that all personnel who have access to and/or process personal data are obliged to keep the personal data confidential; and not transfer any personal data outside of the UK unless the prior written consent of the Customer has been obtained and the following conditions are fulfilled:
3.5.4.1 the Customer or Metalitix® has provided appropriate safeguards in relation to the transfer;
3.5.4.2 the data subject has enforceable rights and effective legal remedies;
3.5.4.3 Metalitix® complies with its obligations under the UK Data Protection Legislation by providing an adequate level of protection to any personal data that is transferred; and
3.5.4.4 Metalitix® complies with reasonable instructions notified to it in advance by the Customer with respect to the processing of the personal data.
3.5.5 notify the Customer without undue delay of becoming aware of a personal data breach;
3.5.6 at the written direction of the Customer, delete or return personal data and copies thereof to the Customer on termination of the agreement unless required by UK Data Protection Legislation; and
3.5.7 maintain complete and accurate records and information to demonstrate its compliance with clause 3.
3.6 The Customer consents to Metalitix® appointing third-party processors of personal data under this agreement.
3.7 The Customer agrees that it will not store or process information on the Metalitix® Platform relating to an identified or identifiable natural person (for example, by creating custom data fields to store email addresses of people who have participated in a 3D spatial experience). Failure to comply may result in both the Customer and Metalitix® breaching UK Data Protection Legislation, and may jeopardise Metalitix’s ability to provide services to the Customer and other customers.
3.8 Metalitix® is entitled to use and shall own aggregated (anonymised) data which is generated from the Metalitix® Platform for the purpose of Metalitix’s business, including improving, testing, operating, promoting and marketing Metalitix’s products and services (providing that the aggregated anonymised data cannot be linked specifically to the Customer or its data).