Data Processing Addendum

1. Definitions 

1.1. In addition to terms defined in the Terms & Conditions (Section B), in this Addendum the following terms shall have the meanings set out below: 

1.1.1. “Applicable Laws” means any laws or regulations, regulatory policies, guidelines or industry codes (whether national or international) which apply to EmpowerRD (or any of its Sub-Processors) and/or the provision of or the subject matter of the Claims Service in each case as in force from time to time; 

1.1.2. “Company Personal Data” means any Personal Data Processed by EmpowerRD on behalf of the Company pursuant to or in connection with the Agreement; 

1.1.3. “Data Protection Laws” means: (i) the UK GDPR (as defined in the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019), the Data Protection Act 2018, the Data (Use and Access) Act 2025 and the Electronic Communications (EC Directive) Regulations 2003; and (ii) any other data protection laws and regulations, orders and any codes of practice, guidelines and recommendations issued by the Information Commissioner’s Office or any replacement or equivalent body, as amended and in force from time to time; 

1.1.4. “Sub-processor” means any person appointed by or on behalf of EmpowerRD and that Processes Company Personal Data on behalf of the Company in connection with the Agreement. 

1.2. The terms, “Commission”, “Controller”, “Processor”, “Data Subject”, “Personal Data”, “Personal Data Breach”, “Processing” and “Commissioner” shall have the same meaning as in the Data Protection Laws, and their cognate terms shall be construed accordingly.

2. Processing of Company Personal Data 

2.1. This Addendum applies to the Processing of Personal Data by EmpowerRD in the course of providing the Claims Service. For the purposes of the Claims Service and this Addendum, the Company is the Controller and EmpowerRD is the Processor. 

2.2. EmpowerRD shall Process Personal Data as reasonably necessary for the provision of the Claims Service arising from the Agreement and in accordance with Company’s documented instructions which, unless expressly agreed otherwise, shall at all times be consistent and in accordance with the nature of the Agreement. EmpowerRD may Process Personal Data otherwise than in accordance with Company’s instructions if required to do so by Applicable Laws.  In such case EmpowerRD shall inform Company of that legal requirement, unless prohibited from doing so by Applicable Laws. 

2.3. The Company shall comply with all Data Protection Laws applicable to Company as Controller. 

3. Security

3.1. EmpowerRD shall implement and maintain appropriate technical and organisational measures to protect Company Personal Data against accidental, unauthorised or unlawful destruction, loss, alteration, disclosure or access. Such technical and organisational measures shall be at least equivalent to the technical and organisational measures set out in the EmpowerRD Information Security Policy.

3.2. EmpowerRD shall provide such reasonable assistance as the Company reasonably requires (taking into account the nature of processing and the information available to EmpowerRD) to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk to data subjects.

4. EmpowerRD Personnel 

4.1. EmpowerRD shall take reasonable steps to (i) require background screening and to ensure the reliability of any personnel who may have access to the Company Personal Data or the locations in which the Personal Data is processed, ensuring in each case that access is strictly limited to those individuals who need to access the relevant Company Personal Data for the purposes of the Agreement; and (ii) ensure that any personnel are informed of the confidential nature of Personal Data, and are under a contractual or statutory obligation of confidentiality. 

4.2. EmpowerRD has appointed a data protection officer who may be contacted at [email protected]. 

5. Sub-processors 

5.1. The Company authorises EmpowerRD to appoint Sub-processors for the Processing of Company Personal Data in accordance with this paragraph 5.  

5.2. EmpowerRD shall be responsible for ensuring that each Sub-processor has entered into a written agreement requiring the Sub-processor to comply with terms no less protective than those set out in this Addendum.  EmpowerRD shall be liable for the acts and omissions of any Sub-processor to the same extent as if the acts and omissions were performed by EmpowerRD. 

5.3. The Company authorises EmpowerRD to use those Sub-processors set out at www.empowerrd.com/data-processors (“Sub-processor List”).  Subject to paragraph 5.4, EmpowerRD may from time to time engage additional or replacement Sub-processors, provided that EmpowerRD updates the Sub-processor List and gives the Company written notice of such update at least thirty (30) days prior to the change. 

5.4. If the Company notifies EmpowerRD in writing of any objections (grounds for objection being non-compliance with Data Protection Laws) to a Sub-processor added to the Sub-processor List within fourteen (14) days after the date on which EmpowerRD gives notice to the Company:

5.4.1. EmpowerRD shall work with Company in good faith to make available a commercially reasonable change in the provision of the Claims Service which avoids the use of the proposed Sub-processor; and 

5.4.1. where such a change cannot be made and EmpowerRD chooses to retain the Sub-processor, EmpowerRD shall notify Company at least fourteen (14) days prior to the authorisation of the Sub-processor to Process Personal Data and the Company may, within thirty (30) days of receipt of such notification, terminate the Claims Service with immediate effect. 

6. Data Subject Rights 

6.1. Company acknowledges, as part of the Claims Service, it is responsible for responding to any Data Subject’s request under any Data Protection Laws to exercise the Data Subject’s right of access, right of rectification, restriction of Processing, right to be forgotten, data portability, object to processing, or its right not to be subjected to an automated decision-making process (“Data Subject Request”). EmpowerRD shall: 

6.1.1. to the extent permitted by Applicable Laws, promptly notify Company if it receives a Data Subject Request from a Data Subject; and 

6.1.2. taking into account the nature of the Processing, reasonably assist Company to access Company Personal Data to the extent that Company Personal Data is not accessible to Company (as part of the Claims Service) to fulfil the Company’s obligations to respond to Data Subject Requests. 

6.2. Unless prohibited by Applicable Laws or a legally binding law enforcement request, EmpowerRD shall promptly notify Company of any request by government agency or law enforcement authority for access to or seizure of Personal Data.

7. Personal Data Breach Notification. 

7.1. EmpowerRD shall notify Company within 72 hours of becoming aware of a Personal Data Breach affecting Company Personal Data.  EmpowerRD will provide Company with sufficient information to enable the Company to meet any obligations to report or inform Data Subjects and/or the Commissioner of the Personal Data Breach. 

7.2. EmpowerRD shall co-operate with Company and take such reasonable commercial steps as are directed by Company to assist in the investigation, mitigation and remediation of Personal Data Breaches.   

7.3. EmpowerRD shall provide the Company with such reasonable assistance as the Company reasonably requires in relation to: (i) the notification of a Personal Data Breach to the Commissioner or (ii) the communication of a Personal Data Breach to a Data Subject.

8. Audit; return or deletion of Personal Data 

8.1. EmpowerRD will use commercially reasonable efforts to provide the Company with all information reasonably necessary to demonstrate that EmpowerRD fulfils its obligations under this Addendum and Data Protection Laws.  In addition EmpowerRD will, at the written request of the Company, allow for and contribute to audits, including inspections by the Company or its auditor.

8.2. On expiry or earlier termination of the Agreement, EmpowerRD shall, at Company’s option, return or delete any Personal Data in EmpowerRD’s possession or control, and not retain any copies unless EmpowerRD is required to do so by Applicable Laws. 

For the avoidance of doubt, the right to suspend or block access to the Claims Service under Clause 12.2 of the Terms and Conditions shall not override EmpowerRD’s obligations under this Addendum to ensure the integrity of Personal Data and to provide the Company with an opportunity to request the return of the Company Personal Data prior to any permanent deletion.

9. Details of Processing; DPIAs

9.1. EmpowerRD will Process Company Personal Data to provide the Claims Service. The subject matter, nature and purpose of the Processing shall be as required to perform the Claims Service, and shall be determined by the nature of Company Personal Data submitted for Processing by the Company. The duration of the Processing of Personal Data shall be for the duration of this Agreement and the period thereafter until the deletion or return of the Personal Data in accordance with Clause 8.2 of this Addendum.

9.2. The types of Personal Data and categories of Personal Data, and the categories of Data Subjects, shall be those determined by the Company being the Company Personal Data. The obligations and rights of the Company in relation to the Processing of Personal Data shall be as set out in this Addendum and the Agreement and in the Data Protection Laws. 

9.3. EmpowerRD shall use commercially reasonable efforts to assist the Company with any data protection impact assessments, and prior consultations with the Commissioner or other competent data privacy authorities, which Company reasonably considers to be required by article 35 or 36 of the UK GDPR or equivalent provisions of any other Data Protection Laws, in each case solely in relation to Processing of Company Personal Data by, and taking into account the nature of the Processing and information available to, EmpowerRD.  

1o. Transfers of Personal Data

10.1. Unless otherwise agreed, in order to provide the Claims Service EmpowerRD and its Sub-processors will only access Personal Data from, and transfer Personal Data to (i) countries or territories formally recognised by the United Kingdom as providing, and which formally recognise the United Kingdom as providing, an adequate level of data protection (“Adequate Countries”) or (ii) other countries, provided that EmpowerRD uses a Valid Transfer Mechanism in accordance with paragraph 11 below. 

11. Valid Transfer Mechanisms

11.1. EmpowerRD may use one or more of the transfer mechanisms listed below for any transfers of Personal Data from the United Kingdom to a third country:

11.1.1. The International Data Transfer Agreement (IDTA) issued by the Commissioner; 

11.1.2. The ‘UK Addendum’ to the European Commission’s Standard Contractual Clauses (version 2021/914 or subsequent versions) for international data transfers; or

11.1.3.Any other alternative mechanism approved under Data Protection Laws, such as an adequacy regulation or a recognized certification scheme (e.g., the UK Extension to the Data Privacy Framework).

12. General Terms 

12.1. With regard to the subject matter of this Addendum, in the event of inconsistencies between

(i) the provisions of this Addendum and

(ii) Section A or Section B of the Agreement, the provisions of this Addendum shall prevail.