Matrix 247 Data Processing Addendum (DPA)

1. Definitions
   • Business Purposes: the services to be provided by Matrix Platinum Limited (Matrix) to the Client as described in the contract between Matrix and the Client (the ‘Contract’, being subject to one of Telecommunications & Internet Terms and Conditions; Hosted Terms and Conditions; Mobile Terms and Conditions) and any other purpose specifically identified in ANNEX A to this DPA.
   • Data Protection Legislation: all applicable data protection laws in the UK including the UK GDPR and Data Protection Act 2018, the Privacy in Electronic Communications Regulations and any other applicable national implementing laws, regulations and secondary legislation in England and Wales relating to the processing of Personal Data as amended, replaced or updated from time to time and the terms “Controller”, “Processor”, “Personal Data” and “Processing” shall have the meanings given in the Data Protection Act 2018.
   • EEA: the European Economic Area.
   • Master Agreement: The IT Service Agreement between the Client and Matrix 247 (the Parties) subject to Matrix 247 IT Products and Services- Standard Terms and Conditions.
   • UK GDPR: has the meaning given to it in the DPA 2018.

Other defined terms have the meaning given in the Master Agreement.

2. Both parties will comply with all applicable requirements of the Data Protection Legislation. This DPA is in addition to, and does not relieve, remove or replace, a party’s obligations or rights under the Data Protection Legislation.

3. The parties acknowledge that for the purposes of the Data Protection Legislation, if Matrix247 processes Personal Data on behalf of the Client in performance of services under the Contract , the Client is the Controller and Matrix247 is the Processor. Annex A (as well as any additional specifics contained in an Order, if applicable) will set out the scope, nature and purpose of processing by Matrix247, the duration of the processing and the types of Personal Data and categories of Data Subject.

4. Without prejudice to the generality of paragraph 2, the Client will ensure that it has all necessary appropriate lawful bases, consents and notices in place to enable lawful transfer of the Personal Data to Matrix247 for the duration and purposes of the Contract.

5. Without prejudice to the generality of paragraph 2, Matrix247 shall, in relation to any Personal Data processed in connection with the performance by Matrix247 of its obligations under a Contract:
a) process that Personal Data only on the basis of this DPA and/or documented written instructions of the Client unless Matrix247 is required  by applicable laws to otherwise process that Personal Data;
b) ensure that it has in place appropriate technical and organisational measures, to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures;
c) ensure that all personnel who have access to and/or process Personal Data are obliged to keep the Personal Data confidential; and
d) not transfer any Personal Data outside of the UK (or the EEA for as long as it has an adequacy decision from the UK Government) unless the following conditions are fulfilled:
(i) the Client or Matrix247 has provided appropriate safeguards in relation to the transfer;
(ii) the data subject has enforceable rights and effective legal remedies;
(iii) Matrix247 complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred; and
(iiii) Matrix247 complies with reasonable instructions notified to it in advance by the Client with respect to the processing of the Personal Data;
(e) assist the Client, at the Client’s cost, in responding to any request from a Data Subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators;
(f) notify the Client without undue delay on becoming aware of a Personal Data Breach;
(g) at the written direction of the Client, delete or return Personal Data and copies thereof to the Client on termination of the agreement unless required or permitted by law to store the Personal Data; and
(h) maintain complete and accurate records and information to demonstrate its compliance with this DPA.

6. Matrix is authorised to engage third parties as set out in ANNEX A to process Personal Data on behalf of the Client, each, an (“Authorised Sub-Processor“). Matrix will notify the Client of any changes or additions to the Authorised Sub Processors.. Matrix will ensure that there is in place a written contract between the Processor and the Authorised Sub-Processor that specifies the Authorised Sub-Processor’s processing activities and imposes on the Authorised Sub- Processor equivalent terms as those imposed on the Processor in this DPA. As between the Client and Matrix247, Matrix247 shall remain fully liable for all acts or omissions of any Authorised Sub-Processor.

ANNEX A            Personal Data processing purposes and details

 A.1. Purpose

 The purpose of the data processing under the DPA  is the provision of the services by Matrix pursuant to the Contract. This includes processing as further instructed by the Client in its use of the services and as necessary to supply, maintain and support the services.

 A.2. Nature of Processing

 In providing the services to the Client under the Contract, Matrix will process such personal data as required to perform the contracted services and as reasonably directed  by the Client. In particular, this relates to the delivery of hosted IT, telecommunications and mobile device services, including managed IT and communication channels between the end clients of the Client and representatives and/ or employees of the Client.

 A.3. The processing includes the following types of personal data about data subjects:

 In providing the services to the Client under the Contract, Matrix will process such personal data as required to perform the contracted services and as reasonable directed  by the Client.

 Personal Data related to end users:

 First and Last name

• Contact information (email, phone, address)
• Personal identification number (Used for identification and authentication)
• Electronic Communications Metadata (information connected to communications e.g. location (geo positioning data if service enabled), time of call, numbers called)
• Electronic Communications Data (encompass any information concerning the content transmitted or exchanged e.g. webchat transcript, voice recording/transcript, SMS transcript, email content and attachments)
• Digital identity verification data (depending on provider of trust services) IP-address, make and version of mobile phone or computer, geo location at the time electronic identification (eID authentication) is used).
• Profile data related to access and use of hosted systems, devices and telecommunications.

Personal data related to agents:

 Name

• Title, Position, and Organisation
• Contact information (company, email, phone, physical business  address)
• Work role, skills & experience
• Data related to scheduling and reporting
• Employee ID or another identifier
• Electronic Communications Metadata (information connected to communications e.g. location data (IP Address), time of call, numbers called)
• Electronic Communications Data (encompass any information concerning the content transmitted or exchanged e.g. webchat transcript, voice recording/transcript, SMS transcript, email content and attachments)
• Profile data related to access and use of hosted systems, devices and telecommunications.
• Usernames and passwords

A.4. Processing includes the following categories of data subject:

• End users (users of hosted IT systems, mobile devices or telecommunications services provided through the services)
• Agents (employees or any other representatives of the Customer acting on behalf of the Customer)

A.5. Duration of Processing

 The processing shall take place for the duration of the Contract

Approved Sub-processors: