If you submit an Order Form for any OpenAthens services, you accept that the Order Form and the following OpenAthens Terms and Conditions create a legally binding contract between your institution, organisation or company and Jisc Commercial Limited (JCL). These terms and conditions also govern trials of OpenAthens services. Therefore please read these OpenAthens Terms and Conditions carefully and only submit an Order Form if the terms and conditions are acceptable to your institution, organisation or company.
1. Links to documents referred to at clauses 3.1g) and 3.1j), 4.1h)
and 4.1i) and sections 4.1.3 and 5.1 of the Data Protection Schedule have been revised for clarity.
2. Clause 5.6 revised to clarify role played by invoicing agents for non-UK customers.
These changes are introduced in accordance with clause 6 of the terms and conditions.
Download JCL Terms and conditions OpenAthens Version 7.3 as a PDF.
1.1 When starting with a capital letter, the following words and phrases have the meanings shown:
a) Agreement – the Order Form and these Terms & Conditions together with any documents referred to herein. In the event of conflict an Order Form accepted by JCL prevails over these Terms & Conditions.
b) Commencement Date – the date which is fourteen days after the date when the Customer submits an Order Form. Unless JCL rejects the Order Form beforehand, fees for the Products accrue from the Commencement Date irrespective of whether the Products were made available from an earlier date.
c) Customer – the institution, organisation or company identified on the Order Form, who will use the Products.
d) Initial Term – the initial term of the Agreement, identified on the Order Form and starting from the Commencement Date. This will usually be either a one year or three year period. As explained further below, prices are fixed and both parties are committed for the duration of the Initial Term.
e) Intellectual Property – copyright, rights related to or affording protection similar to copyright, rights in databases, patents and rights in inventions, specifications, formulae, processes, semi-conductor topography rights, trade marks, rights in internet domain names and website addresses and other rights in trade, product or business names and logos, designs, know-how and trade secrets and all rights in derivative works created or developed by or on behalf of the owner or licensor of such rights; and all other rights having equivalent or similar effect to any of the foregoing in any country or jurisdiction.
f) JCL – means Jisc Commercial Limited, Company Number 09316933, whose registered office is at 4 Portwall Lane, Bristol, BS1 6NB.
g) Order Form – a JCL order form completed and submitted by or on behalf of the Customer. The party submitting the Order Form must ensure that it shows any special price or payment details agreed with JCL.
h) Products – the Software and/or Services applicable to the Customer.
i) Service – the authentication, authorisation, administration and support services described in the applicable product description, documentation and service levels published on the Website and/or supplied with the Software. The term “Service” includes any necessary OpenAthens software which is both installed and operated remotely by JCL. Service also includes any OpenAthens ad hoc consultancy which JCL agrees to provide to the Customer for an agreed price.
j) Software – the machine readable modules and version of the OpenAthens software ordered by the Customer or any versions subsequently deployed by the Customer. The modules and versions are described in the relevant product description and documentation published on the Website and/or supplied with the software.
k) Subscriber – a party who has the right to access the Customer’s on-line resources and also has the right to use JCL services to do so.
l) Terms & Conditions – these OpenAthens Terms and Conditions; and
m) Website – the www.openathens.org website, or such other url as JCL may from time to time advise.
1.2 Headings are included for ease of reference only and do not affect the interpretation of any provision.
2. Commencement and Duration
2.1 JCL may reject any Order Form for any of the following reasons:
a) it has not been fully and accurately completed;
b) the intended Customer is not entitled to receive the Products;
c) the party submitting the Order Form or the intended Customer has an inadequate credit rating or poor trading history with JCL;
d) monies due prior to the Products being made available have not been received by JCL;
e) the Customer requires purchase orders to be issued in order for payments to be made but the Order Form is not accompanied by the Customer’s purchase order;
f) on any other reasonable and similar grounds.
2.2 JCL will be deemed to have accepted the Order Form if:
a) it has made the Products available to the Customer and has issued a corresponding invoice; or
b) it has not rejected an Order Form by the Commencement Date.
2.3 Except where clause 2.1 applies, JCL will make the Products available to the Customer by the Commencement Date.
2.4 The Customer may terminate the Agreement at the end of the Initial Term by giving JCL not less than ninety days prior written notice.
2.5 If notice has not been given by the Customer under clause 2.4, the Agreement will continue for successive one year periods. The Customer may terminate the Agreement at the end of any successive one year period by giving JCL not less than ninety days prior written notice.
3. JCL Obligations and Warranties
3.1 For the duration of the Agreement and subject to its terms and conditions, JCL:
a) grants the Customer a non-exclusive, non-transferable licence to load, install and use the Software and the documentation supplied with the Software;
b) warrants that it has proper authority to grant the foregoing licence;
c) will from time to time make available to the Customer such bug fixes and upgrades of the Software that are made available generally to customers of the Software;
d) warrants that the Software will perform in all material respects in accordance with its product description and the documentation supplied with the Software, except that Software supplied for trial purposes is provided “as-is” without warranty and clause 3.1i) does not apply. The Customer acknowledges that software, by its nature, is not error-free and agrees that the existence of such errors will not constitute a breach of the Agreement;
e) warrants that it has checked the Software for viruses using commercially available virus checking software;
f) will perform the Services in accordance with the service descriptions published on the Website with the degree of skill and diligence which would ordinarily be expected from a skilled and experienced provider of similar services under similar circumstances. The Customer agrees that computer and communications systems may not be uninterrupted or fault free and that occasional periods of downtime for repair, maintenance and upgrading may be required. JCL will endeavour to minimise any such periods of non-availability and will give the Customer not less than forty-eight hours’ notice of each planned shutdown period;
g) will use reasonable endeavours to achieve the service levels and performance indicators published on the Website; and to keep the Customer informed where the targets may be exceeded and to give estimates of the expected resolution time;
h) will apply appropriate system security measures to the database of user details as necessary to meet its obligations under these Terms and Conditions;
i) will promptly correct any material non-conformity in the above undertakings that is notified to it by the Customer within ninety days from delivery of the Software or performance of the non-conforming Service, provided that the Customer will provide such information and assistance as is reasonably necessary for the non-conformity to be identified and analysed;
k) JCL’s obligations in this clause 3 replace all other warranties express or implied in contract, law or tort, including but not limited to any implied warranties of satisfactory quality or fitness for any particular purpose.
4. Customer Obligations
4.1 In respect of the Products, the Customer will ensure that:
a) all use is in accordance with and for the purposes of the Agreement;
b) all use is in accordance with the documentation supplied by JCL;
c) appropriate measures are put in place to prevent unauthorised access to and use of the Products;
d) appropriate measures are taken to supervise and control the use of the Products and that all users and administrators have training adequate to their role;
e) no person or party responsible to the Customer attempts to by-pass any security measures put in place by JCL or put in place by any third party service provider in connection with the Service;
f) no administrator or authorised user of the Products attempts to gain unauthorised access to any other JCL software, services, systems or websites;
g) appropriate action is taken and that JCL and any relevant third party service provider are promptly informed, in the event of any abuse of the Products arising under clauses 4.1c), d) or e) or otherwise;
h) the Customer’s nominated administrators are familiar with and adhere to the OpenAthens Administrator Regulations published on the Website;
i) all users and administrators are familiar with and adhere to any guidelines published by JCL on the Website or at https://docs.openathens.net;
4.2 In respect of the Software, the Customer will:
a) not sell, sub-license, lease, rent or loan the Software to any third party;
b) not retain copies of the Software except as uninstalled back-ups, or as permitted by law;
c) not disassemble, decompile, reverse engineer or otherwise interfere with the Software except as permitted by law;
d) not translate, adapt, vary, modify, alter, develop, customise or create any derivative work of the Software or any part thereof;
e) copy and use the documentation supplied with the Software solely for the proper use of the Software;
f) abide by any terms notified by JCL, of any third party licences for software incorporated into or distributed with the Software;
g) not remove any copyright notices or trademarks from the Software or the documentation supplied with it and shall reproduce the same on all copies;
h) comply with JCL’s requirements concerning any diagnostic or statistics gathering facilities incorporated in or supplied with the Software;
i) keep all copies of the Software secure and maintain accurate records of the number and location of all copies;
j) remove the Software from any hardware onto which it has been loaded prior to decommissioning or disposing of the same.
4.3 In respect of Products supplied for trial purposes, in addition to any other provision of the Agreement the Customer will:
a) use such Products solely for the purpose of evaluation and not for any administrative, management, operational or commercial purpose;
b) raise all support calls and queries by email or through JCL’s web interface and not by telephone.
5. Prices and Payment
5.1 Prices for the Products are not subject to change during the Initial Term and thereafter on each anniversary of the Commencement Date, may be adjusted at JCL’s discretion by the annual movement in the latest available All Items Retail Prices Index excluding Mortgage Interest Payments published by the UK Office for National Statistics (RPIX).
5.2 As an alternative to the adjustment described in clause 5.1, the prices for Products may be adjusted after the Initial Term with effect from any anniversary of the Commencement Date, by any general change to JCL’s prices applicable to all customers or all customers of particular JCL software or services. In such case JCL shall give the Customer at least ninety days written notice of the price change. If the Customer does not accept the new price it may terminate the Agreement in accordance with clause 2.4 or 2.5 but where the required notice period is, for this purpose only, reduced to not less than sixty days.
5.3 In addition to clauses 5.1 and 5.2, all prices which were established by reference to a number of users, Subscribers, servers, registered online resources or some other licensing constraint, shall be appropriately adjusted if any such constraint is exceeded. In addition, if the Customer is a UK Higher or Further Education Institution, all prices which were established by reference to the Customer’s Jisc band or any similar scale, shall be appropriately adjusted where the Customer becomes re-classified to a higher Jisc band or scale point.
5.4 Prices exclude UK VAT and any sales or purchase taxes, taxes on property or use, withholding tax, duties, levies or similar in any territory whether relating to the Agreement or the Products; which shall be paid by the Customer at the prevailing rate.
5.5 If the Customer is a UK Higher or Further Education Institution, JCL may issue its first invoice on the Commencement Date to cover the period from the Commencement Date until the next thirty-first of July that occurs. Thereafter payments are due by the first of August each year. JCL will invoice not less than thirty days in advance.
5.6 If the Customer is not a UK Higher or Further Education Institution, JCL (or its duly appointed agent) may issue its first invoice on the Commencement Date to cover the first twelve months from the Commencement Date. Thereafter payments are due each year by the anniversary of the Commencement Date. JCL (or its duly appointed agent) will invoice not less than thirty days in advance.
5.7 Where clause 5.3 applies a supplementary invoice will be raised and the provisions of this clause 5 will apply to the revised price derived under clause 5.3.
5.8 Payments are due within thirty days of invoice date. In the event of late payment, JCL will be entitled to suspend the Service by giving the Customer not less than ten days prior notice and/or to levy interest in accordance with the Late Payment of Commercial Debts (Interest) Act 1998.
6.1 In order to continuously improve its operations, JCL may from time to time revise the Service or these Terms & Conditions or any of the documents referenced herein.
6.2 Revisions are intended to clarify or improve customers’ rights or benefits rather than reducing them.
6.3 Revisions will be automatically effective ninety days after being published on the Website.
6.4 If any revision would reduce customers’ rights or benefits, then JCL will notify the Customer as well as publishing the revision on the Website.
6.5 If the Customer (acting reasonably) cannot accept any revision it may terminate the Agreement by giving JCL written notice not less than sixty days prior to the date when the revision would become effective. In such case the Customer will be entitled to a pro-rata rebate of fees already paid for Products that would have been supplied subsequent to the date of termination.
7.1 In any twelve month period, neither party’s aggregate liability to the other for direct loss or damage, howsoever arising, shall exceed 110% of the value of Products supplied in the twelve months prior to the event giving rise to the liability.
7.2 Neither party shall be liable to the other for any indirect, special or consequential loss or damage, loss of profits, business, revenue or goodwill howsoever arising.
7.3 Notwithstanding any of the foregoing, neither party excludes or limits liability for death or personal injury arising from its negligence or for liability resulting from its wilful misconduct or fraud.
8. Intellectual Property
8.1 The Customer retains ownership of any Intellectual Property in data and information supplied by the Customer and in any online resources of the Customer. JCL or its licensors own all Intellectual Property in the Products and the documentation supplied with the Products.
9. Intellectual Property Indemnity
9.1 JCL will indemnify the Customer from all claims that the Products infringe the Intellectual Property of any third party provided that:
a) such indemnity shall not apply to the extent that the infringement arises out of misuse of the Software or any combination, operation or use of the Software with software, systems or equipment not approved by JCL;
b) the Customer does not knowingly make or intimate any admission, settlement, opinion or undertaking that may be detrimental to JCL’s defence;
c) the Customer gives JCL prompt written notice of any claim made against the Customer and JCL shall have the right to defend and settle such claims at its own discretion;
d) the Customer, at JCL’s cost, gives such assistance as JCL may reasonably require to settle or oppose any such claim;
e) the Customer applies all reasonable endeavours to mitigate JCL’s exposure under this indemnity;
f) JCL shall be entitled to secure the right for the Customer to continue using the Products or to avoid the infringement by modifying the Products or replacing the Products or infringing part with software or service of similar capability.
10. Data Protection and Confidential Information
b) JCL and the Customer shall each comply with the provisions of the Data Protection Schedule that is appended to these Terms and Conditions.
c) In the event of any conflict between the Data Protection Schedule and any other provision of these Terms and Conditions, the relevant provision of the Data Protection Schedule shall take precedence.
11. Suspension and Termination
11.1 Either party may terminate the Agreement by written notice if the other party:
a) is in breach of any material term, condition or provision of the Agreement or of any material provision required by law and fails to remedy any such breach within thirty days of written notice; or
b) presents a petition or has a petition presented by a creditor for its winding up, or convenes a meeting to pass a resolution for voluntary winding up, or enters into any liquidation (other than for the purposes of a bona fide reconstruction or amalgamation), or calls a meeting of its creditors, or has a receiver of all or any of its undertakings or assets appointed, or is deemed by any relevant statutory provisions to be unable to pay its debts.
11.2 The Customer may terminate the Agreement in accordance with clauses 2.4, 2.5, 5.2 and 6.5.
11.3 JCL may suspend or terminate the Service upon written notice to the Customer in the event of any material breach or persistent lesser breaches of these Terms and Conditions or the OpenAthens Administrator Responsibilities, both of which are published on the Website.
11.4 By giving the Customer not less than twelve months prior written notice JCL may:
a) terminate the Agreement; or
b) withdraw any versions of the Software that have been generally available for at least three years; or
c) terminate the Service, or any part of the Service, in respect of versions of the Software that JCL will specify.
11.5 All rights and obligations of the parties under the Agreement cease upon termination except for such rights of action that have accrued prior to termination and any rights or obligations under the Agreement or at law, which expressly or by implication come into or continue in force upon termination.
12.1 Neither party may assign or transfer all or part of the Agreement, nor subcontract any of its rights or obligations nor appoint any agent to perform such obligations without the other’s prior written agreement. This provision does not apply to clause 5 of the Data Protection Schedule or to work that JCL subcontracts in the normal course of its business nor to the transfer by JCL of all of its rights and obligations to a wholly owned subsidiary or a parent undertaking.
13.1 Failure by either party to enforce any of the provisions of the Agreement shall not represent a waiver of such rights and shall not affect the validity of the Agreement nor affect that party’s rights to take subsequent action.
14.1 The Agreement may only be amended as set out in clause 6 or by the written agreement of the parties; such written agreement shall state that it is intended to be an amendment to the Agreement.
15.1 If any competent authority finds any part of the Agreement to be invalid, unlawful or unenforceable, the Agreement will be deemed to be amended to the extent required but so as to allow the rest of the Agreement to remain valid and unaffected to the fullest possible extent.
16.1 Any notice or written agreement may be given as follows:-
a) by delivery recorded mail or courier to the authorised representative of the other at any address shown on the Order Form, or to any other address as one party has notified the other of, and will be valid on the date of recorded receipt, or
b) by fax to the authorised representative of the other party to any fax number shown on the Order Form, or to any other fax number as one party has notified the other of, and will be valid at the time shown on a successful transmission report, or
c) by email to the email address of the other party’s authorised representative and will be valid at the time of sending but will not be deemed served if the email system has generated an unsuccessful transmission or delivery report.
17. Force Majeure
17.1 Except for the obligation to make payments properly due, neither party will be liable for any delay or failure to perform obligations caused by circumstances beyond its reasonable control provided that the affected party promptly gives the other written notice of such delay or failure and circumstances and that the affected party uses reasonable endeavours to mitigate the delay or failure.
18. Legal Construction of the Agreement
18.1 No term of the Agreement is enforceable by any person who is not a party to it whether pursuant to the Contracts (Rights of Third Parties) Act 1999 or otherwise.
18.2 The parties agree to use the English language for all matters relating to the Agreement.
18.3 The Agreement is governed by English law and subject to the exclusive jurisdiction of the English courts. The United Nations’ Convention on Contracts for the International Sale of Goods does not apply to the Agreement.
18.4 The Agreement is effective from the Commencement Date and represents the entire agreement and understanding between the parties in respect of the Products. JCL is not a party to agreements for the provision of online resources by third parties to Subscribers.
18.5 Any terms and conditions relating to purchase orders issued by the Customer in connection with the Products will have no effect and it is understood that JCL will accept these purchase orders subject to the terms and conditions of the Agreement only.
18.6 To confirm their agreement with all the foregoing, the Customer has authorised the Order Form to be issued to JCL.
In addition to clauses 1 to 18, the following supplementary terms and conditions apply where the Customer uses the Products in order to allow authorised and/or authenticated access to its online resources. In case of any inconsistency, these supplementary terms and conditions prevail over clauses 1 to 18.
A1 Additional undertakings by Customers providing access to online resources
Customers providing access to online resources additionally undertake to not knowingly do anything which may adversely affect JCL’s reputation;
A2 Additional undertakings by JCL to Customers providing access to online resources
If the Customer provides access to online resources, JCL additionally undertakes the following:
a) to ensure that the relevant modules of the Software meet the access management specifications, technologies or standards that JCL shall from time to time publish at https://docs.openathens.net. JCL cannot make any commitment that the foregoing versions, specifications and standards will meet the requirements of the Customer;
b) to provide the Customer with an administration account for the duration of the Agreement to be used for the purposes only of: (i) carrying out tests in relation to the Software, (ii) providing potential Subscribers with trial accounts not exceeding forty-two days duration and (iii) logging service calls on the support interface;
c) to provide support during normal business hours in the UK for problems with the Products or service offered to Subscribers, which prevent or hinder access to any online resource other than where such problem results from the Customer’s default. Any agreed arrangements for additional coverage and any attendant charges must be set out on the Order Form;
d) to publish on the Website or at https://docs.openathens.net, best practice guidelines on passwords and access control for all customers. In addition, although it does not control and therefore cannot accept responsibility where breaches may have occurred, JCL will investigate instances where it becomes aware that such guidelines appear to have been breached or where unauthorised access to the Customer’s online resources appears to have occurred.
1.1 The following additional definitions apply to this Data Protection Schedule
|Applicable EU Law||any law of the European Union (or the law of one of the Member States of the European Union);|
|Controller, Processor and Data Subject||shall have the meaning given to those terms in the GDPR;|
|Data Protection Legislation||means (a) any law, statute, declaration, decree, directive, legislative enactment, order, ordinance, regulation, rule or other binding restriction which relates to the protection of individuals with regards to the Processing of Personal Data to which a Party is subject, including the Data Protection Act 2018 and the GDPR; and (b) any code of practice or guidance published by the Regulator or European Data Protection Board from time to time;|
|Data Protection Particulars||means, in relation to any Processing under this Agreement:
a) the subject matter and duration of the Processing;
b) the nature and purpose of the Processing;
c) the type of Personal Data being Processed; and
d) the categories of Data Subjects.
|Data Subject Request||means an actual or purported subject access request or notice or complaint from (or on behalf of) a Data Subject exercising his rights under the Data Protection Legislation;|
|Data Transfer||means transferring the Personal Data to, and / or accessing the Personal Data from and / or Processing the Personal Data within, a jurisdiction or territory that is a Restricted Country;|
|GDPR||means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and repealing Directive 95/46/EC (General Data Protection Regulation) OJ L 119/1, 4.5.2016;|
|Permitted Purpose||means the purpose of the Processing as specified in the Data Processing Particulars;|
|Personal Data||has the meaning given to it in the GDPR and for the purposes of this Agreement includes Sensitive Personal Data;|
|Personal Data Breach||has the meaning given to it in the GDPR and, for the avoidance of doubt, includes a breach of clause 4.1.3;|
|Personnel||means all persons engaged or employed from time to time by JCL in connection with this Agreement, including employees, consultants, contractors and permitted agents;|
|Processing||has the meaning given to it in the GDPR (and “Process” and “Processed” shall be construed accordingly);|
|Regulator||means the UK Information Commissioner’s Office (including any successor or replacement body);|
|Regulator Correspondence||means any correspondence or communication (whether written or verbal) from the Regulator in relation to the Processing of the Personal Data;|
|Restricted Country||means a country, territory or jurisdiction outside of the European Economic Area which the EU Commission has not deemed to provide adequate protection in accordance with Article 25(2) of the DP Directive and/ or Article 45(1) of the GDPR (as applicable);|
|Security Requirements||means the requirements regarding the security of the Personal Data, as set out in the Data Protection Legislation (including, in particular, the seventh data protection principle of the DPA 2018 and/ or the measures set out in Article 32(1) of the GDPR (taking due account of the matters described in Article 32(2) of the GDPR)) as applicable;|
|Sensitive Personal Data||means Personal Data that incorporates such categories of data as are listed in Article 9(1) of the GDPR;|
|Service||means the provision of OpenAthens services as defined within this Agreement;|
|Schedule||means this schedule which forms part of the Agreement;|
|Third Party Request||means a written request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by law or regulation.|
2. Arrangement between the parties
2.1 The Parties shall each Process the Personal Data in accordance with the terms of this Schedule. The Parties acknowledge that the factual arrangement between them dictates the classification of each Party in respect of the Data Protection Legislation. Notwithstanding the foregoing, the Parties anticipate and agree that the Customer shall act as Controller and JCL shall act as Processor, as follows:
2.1.1 The Customer shall be a Controller where it is Processing the Personal Data in relation to the services being supplied by JCL; and
2.1.2 JCL shall be a Processor where it is Processing the Personal Data in relation to the Permitted Purpose in connection with the performance of its obligations under these service terms.
2.2 Each of the Parties acknowledges and agrees that the following table sets out an accurate description of the Data Protection Particulars:
|The subject matter and duration of the Processing||OpenAthens is an identity and access management tool. The Customer is granted access to tools allowing them to create accounts for users. As a minimum, only a name and email address are needed. OpenAthens encrypts this information so that individual identities are not disclosed to the publishers whose resources are accessed without the Customer’s consent. When a Customer creates an account, it will choose what information to collect and what information to disclose to the publishers.
The duration of the Processing will be for the term of the Agreement between the Customer and JCL.
|The nature and purpose of the Processing||The Personal Data will be Processed in order to provide the Service ordered by the Customer.|
|The type of Personal Data being Processed||Identifiers required to operate OpenAthens depend on whether the Customer uses OpenAthens for its account directory or connects it to its own directory or authentication system. If OpenAthens is used as an account directory, an account username, password, name and e-mail address are required by default. If OpenAthens is connected to the Customer’s own directory or authentication system only a unique account identifier is required by default. Any additional identifiers are entirely under the control of the Customer.|
|The categories of Data Subjects||Identifiers required to operate OpenAthens are decided upon by the Customer.|
3. Controller Obligations
3.1 As the Controller in respect of the Processing of the Personal Data, the Customer shall ensure that:
3.1.1 it is not subject to any prohibition or restriction which would prevent or restrict it from disclosing or transferring the Personal Data to JCL in accordance with the terms of this Schedule; and
3.1.2 all fair processing notices have been given (and/ or, as applicable, consents obtained) and are sufficient in scope to allow the Customer to disclose the Personal Data (including any Sensitive Personal Data) to JCL for the delivery of the Service in accordance with the Data Protection Legislation.
4. Processor Obligations
4.1 JCL (as a Processor in relation to any Personal Data Processed by (or on behalf of) the Customer pursuant to the Agreement) undertakes to the Customer that it shall:
4.1.1 Process the Personal Data for and on behalf of the Customer in connection with the performance of the Service only and for no other purpose in accordance with the terms of this Agreement and any instructions from the Customer;
4.1.2 unless prohibited by law, promptly notify the Customer (and in any event within forty-eight (48) hours of becoming aware of the same) if it considers, in its opinion (acting reasonably) that it is required by Applicable EU Law to act other than in accordance with the instructions of the Customer, including where it believes that any of the Customer’s instructions under clause 4.1.1 infringes any of the Data Protection Legislation;
4.1.3 implement and maintain appropriate technical and organisational security measures to comply with at least the obligations imposed on a Controller by the Security Requirements. A description of the technical and organisational security measures that JCL will implement and maintain is set out here: https://openathens.org/openathens-security-guide;
4.1.4 take all reasonable steps to ensure the reliability and integrity of any of the Personnel who shall have access to the Personal Data, and ensure that each member of Personnel shall have entered into appropriate contractually-binding confidentiality undertakings;
4.1.5 notify the Customer promptly, and in any event within forty-eight (48) hours, upon becoming aware of any actual or suspected, threatened or ‘near miss’ Personal Data Breach, and:
(a) implement any measures necessary to restore the security of compromised Personal Data;
(b) assist the Customer to make any notifications to the Regulator and affected Data Subjects;
4.1.6 notify the Customer promptly (and in any event within ninety-six (96) hours) following its receipt of any Data Subject Request or Regulator Correspondence and shall:
(a) not disclose any Personal Data in response to any Data Subject Request or Regulator Correspondence without the Customer’s prior written consent; and
(b) provide the Customer with all reasonable co-operation and assistance required by the Customer in relation to any such Data Subject Request or Regulator Correspondence;
4.1.7 not disclose Personal Data to a third party in any circumstances without the Customer’s prior written consent, other than:
(a) in relation to Third Party Requests where JCL is required by law to make such a disclosure, in which case it shall use reasonable endeavours to advise the Customer in advance of such disclosure and in any event as soon as practicable thereafter, unless prohibited by law or regulation from notifying the Customer;
(b) to JCL’s employees, officers, representatives and advisers who need to know such information for the purposes of JCL performing its obligations under this Agreement and in this respect JCL shall ensure that its employees, officers, representatives and advisers to whom it discloses the Personal Data are made aware of their obligations with regard to the use and security of Personal Data under this Agreement; and
(c) to a sub-contractor appointed in accordance with clause 5 below.
4.1.8 not make (nor instruct or permit a third party to make) a Data Transfer without putting in place measures to ensure the Customer’s compliance with Data Protection Legislation;
4.1.9 on the written request of the Customer, and with reasonable notice, allow representatives of the Customer to audit JCL in order to ascertain compliance with the terms of this clause 4 and/ or to provide the Customer with reasonable information to demonstrate compliance with the requirements of this clause 4, provided that:
(a) the Customer shall only be permitted to exercise its rights under this clause 4.1.9 no more frequently than once per year (other than where an audit is being undertaken by a Customer in connection with an actual or ‘near miss’ Personal Data Breach, in which case, an additional audit may be undertaken each year by the Customer within thirty (30) days of the Customer having been notified of actual or ‘near miss’ Personal Data Breach);
(b) each such audit shall be performed at the sole expense of the Customer;
(c) the Customer shall not, in its performance of each such audit, unreasonably disrupt the business operations of JCL;
(d) the Customer shall comply with JCL’s health and safety, security, conduct and other rules, procedures and requirements in relation to JCL’s property and systems which have been notified by JCL to the Customer in advance; and
(e) in no case shall the Customer be permitted to access any data, information or records relating to any other customer of JCL.
4.1.10 except to the extent required by Applicable EU Law, on the earlier of:
(a) the date of termination or expiry of the Agreement (as applicable); and/or
(b) the date on which the Personal Data is no longer relevant to, or necessary for, the performance of the Service, cease Processing any of the Personal Data and, within sixty (60) days of the date being applicable under this Clause 4.1.10, return or destroy (as directed, in writing, by the Customer) the Personal Data belonging to, or under the control of, the Customer and ensure that all such data is securely and permanently deleted from its systems, provided that JCL shall be entitled to retain copies of the Personal Data for evidential purposes and to comply with legal and/or regulatory requirements;
4.1.11 comply with the obligations imposed upon a Processor under the Data Protection Legislation; and
4.1.12 assist the Customer in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR taking into account the nature of Processing and the information available to JCL, provided that JCL shall be entitled to charge a fee to the Customer (on a time and materials basis and at such rate notified by JCL to the Customer from time to time) in respect of providing any such assistance to the Customer.
4.2 Notwithstanding anything in this Agreement to the contrary, this clause 4 shall continue in full force and effect for so long as JCL Processes any Personal Data on behalf of the Customer.
5.1 JCL may from time to time use sub-contractors to perform all or any part of its obligations under this schedule. JCL shall notify the Customer prior to appointing a sub-contractor. The Customer may object to the appointment of any sub-contractor and JCL shall reasonably take into account the views of the Customer in appointing any such sub-contractor, but for the avoidance of doubt the appointment of any sub-contractor shall be at JCL’s absolute discretion and JCL shall have no obligation to act in accordance with any objection raised by the Customer. Information regarding the sub-contractors JCL uses from time to time in connection with the performance of the Service can be found on the Website here: https://openathens.org/appointed-sub-contractors.
5.2 JCL may from time to time disclose Personal Data to its sub-contractors (or allow its sub-contractors to access Personal Data) for Processing solely in connection with the fulfilment of the Permitted Purpose.
5.3 Where JCL uses a sub-contractor to Process Personal Data for or on its behalf, it will ensure that the subcontractor contract (as it relates to the Processing of Personal Data) is on terms which are substantially the same as, and in any case no less onerous than, the terms set out in clause 4 of this schedule.
5.4 JCL shall remain liable to the Customer for the acts, errors and omissions of any of its sub-contractors to whom it discloses Personal Data, and shall be responsible to the Customer for the acts, errors and omissions of such sub-contractor as if they were JCL’s own acts, errors and omissions to the extent that JCL would be liable to the Customer under this Agreement for those acts and omissions.
V7.3 September 2020