Data processing terms
Legal
Ilkari
- Cookie policy
- Modern slavery statement
- Privacy statement
- Supplier data processing terms & conditions
- Terms of use
- Report abuse
Ilkari Domains
Ilkari supplier data processing terms & conditions
Purpose
The purpose of this Agreement is to facilitate the provision of the Services set out in the Services Agreement between both Parties and also signed by both parties to this Agreement.
Terms & conditions
1. Definitions
Words and expressions used in this Agreement but not defined herein shall have the meanings given to such words and expressions in the EU General Data Protection Regulations (“GDPR”) and any additional implementing legislation (the “Data Protections Laws”) and (if applicable)any other applicable data protection legislation in the jurisdiction of where the Data Controller’s Affiliate(s) operate in.
2. Protection of data
2.1 In discharging its obligations under this Agreement, the Data Processor is responsible for its compliance with the Data Protection Laws.
2.2 Without prejudice to the generality of clause 2.1 and further to the provisions of the Data Protection Laws, the Data Processor agrees that it will:
2.2.1 only deal with and process personal data for the Purpose in Schedule 1 of this Agreement and in compliance with, and subject to, the instructions received from the Controller and in compliance with this Agreement and will not use or process personal data for any other purpose whatsoever;
2.2.2 adopt and maintain appropriate (including organisational and technical) security measures in dealing with the personal data in order to protect against unauthorised or accidental access, loss, alteration, disclosure or destruction of such data, in particular where the processing involves the transmission of personal data over a network, and against all other unlawful forms of processing; and
2.2.3 without prejudice to the generality of clause 2.2.2, (i) log all access to and use of the personal data and make such logs available to the Controller without delay upon request and (ii) comply with all security policies communicated to the Processor by the Controller.
2.3 The Processor agrees at the request of the Controller to submit its data processing facilities and/or any location from which Personal Data can be accessed for audit to ascertain and/or monitor compliance with these terms and conditions and the data protection laws generally which audit shall be carried out, with reasonable notice and during regular business hours and under a duty of confidentiality, by the Controller and/or by a third Party appointed by the Controller unless the Controller believes the Processor is in breach of any of its obligations under these terms and conditions in which case the requirement to provide notice of such an audit shall not apply.
2.4 Without prejudice to the generality of clause 2.1, the Processor agrees to deal promptly, properly and in good faith with all reasonable inquires relating to the Processor’s processing of personal data whether such inquiry is made by the Data Controller, a data subject or the Irish Data Protection Commissioner or any other data protection authority. The Processor agrees that it will inform the Controller of any inquiry received from any data subject or data protection authority relating to the Processor’s processing of Personal Data and to provide the Controller with a copy of the inquiry within 48 hours of the receipt of such an inquiry.
3. Indeminty
Both parties have mutually agreed that neither Party will be liable to the other Party for any amount with respect to loss of profit or loss of revenue; loss of data; losses or damage to goodwill; loss or damage to reputation; wasted expenditure; exemplary or punitive damages; or consequential, indirect, incidental or special losses or damages, arising out of or in connection with this Agreement whether or not the likelihood of such loss or damage is contemplated.
4. Prohibition on transfer and disclosure
4.1 For the avoidance of doubt, and without prejudice to the generality of clause 2, the Processor shall not disclose personal data processed on behalf of the Controller to any third Party without written consent.
4.2 For the avoidance of doubt, and only where applicable, the Processor may transfer Personal Data from the European Economic Area (EEA) to third countries outside the EEA, provided that such transfers are conducted in compliance with Chapter V of the GDPR. The Processor shall implement appropriate safeguards in accordance with Article 46 GDPR, including but not limited to the use of Standard Contractual Clauses (SCCs) as approved by the European Commission, and shall assess the need for supplementary measures to ensure an adequate level of protection.
5.Confidentiality
5.1 The Processor hereby acknowledges that all information (however recorded or preserved) disclosed by the Controller to the Processor or its representatives or any other third Party constitutes confidential information.
5.2 The Processor hereby acknowledges that it shall keep the Controller’s confidential information confidential and shall not:
5.2.1 use any confidential information except for the Purposes; or
5.2.2 disclose any confidential information in whole or in part to any third Party without the prior written consent of the Controller except as required by law, by any governmental or other regulatory authority, or by a court or other authority of competent jurisdiction provided that, as far as it is legally permitted to do so, it gives the Controller as much notice of the disclosure as possible.
5.3 The Controller reserves all rights in its confidential information. No rights in respect of the Controller’s confidential information, other than those expressly stated in this Agreement, are granted to the Processor, or are implied from this Agreement.
5.4 The provisions of this clause 5 shall continue to apply after termination of this Agreement.
6. Security
6.1 The Processor confirms that it has implemented and shall maintain appropriate technical and organisational security measures to safeguard all personal data processed pursuant to this Agreement against unauthorised or unlawful processing and against accidental loss, disclosure or destruction of, or damage to, that personal data in such a way as to comply with Data Protection Laws, including encryption of the personal data (where appropriate).
6.2 The Processor shall, as part of the measures referred to in clause 6:
6.2.1 comply with the Controller’s security policy(s) (which shall be made available to the Processor upon written request) and any further minimum information security standards agreed in writing for the purposes of this Agreement;
6.2.2 logically separate all personal data processed for the purposes of this Agreement from all other personal data processed.
7. Record keeping and bookkeeping accounts
7.1 The Processor shall maintain a record of its processing activities under this Agreement; and
7.1.1 make such record available to the Irish Data Protection Commission and/or relevant Supervisory Authority;
7.1.2 provide the Controller with such information as the Controller requests from time to time to enable the Controller to satisfy itself that the Processor is complying with its obligations under this Agreement;
7.1.3 allow the Controller, its agents, representatives and external auditor’s access (on reasonable notice and during normal business hours) to audit the Processor’s compliance with this Agreement;
7.1.4 at any time upon request, and in any event upon termination or expiry of this Agreement, (unless the Controller agrees otherwise in writing in each case) deliver up in such manner as the Controller shall reasonably direct personal data that is processed pursuant to this Agreement.
8. Data subject rights
8.1 The Processor shall assist the Controller by appropriate technical and organisational measures to comply with its obligations to fulfil data subjects’ rights under data protection laws, including:
8.1.1 responding to requests or queries from data subjects in respect of their personal data;
8.1.2 cooperating with an investigation in connection with the personal data by a regulatory body; or
8.1.3 reconstructing and/or otherwise safeguarding the personal data, within any timescales specified by the Controller. If no timescales are specified, the Processor must respond to and comply with the Controller’s request within a reasonable period of time after receiving the request for assistance.
8.1.4 as soon as reasonably practicable and in any event within 24 hours of the date of the request (i) comply with any request made by the Controller in relation to one or more identified data subjects to provide information about the categories of personal data processed by the Processor in respect of such data subject along with any other reasonable information requested by the Controller or the data subject in respect of such processing and deliver up a copy of all personal data processed by the Processor in respect of one or more identified data subjects; (ii) rectify or permanently erase the identified personal data; (iii) cease all processing of the identified personal data;
8.1.5 except as expressly contemplated by this Agreement, not combine or supplement any personal data provided to the Processor (whether directly or indirectly) with any other data (including without limitation any other Personal Data), without the Controller’s prior written consent;
8.1.6 maintain reasonably appropriate processes, systems and controls to guard against any act or omission that would put the Controller in breach of Data Protection Laws.
9. Notification requirements
9.1 The Processor shall notify the Controller:
9.1.1 of the location where any personal data is Processed under this Agreement;
9.1.2 promptly (and in any event within 24 hours) of receiving any complaint, an exercise of a right under the data protection laws in respect of personal data;
9.1.3 if the Processor becomes aware of or suspects a personal data breach, without undue delay (having regard to the nature of the personal data and the scope and context of the personal data breach (or suspected personal data breach) and the likelihood and severity of the risks to data subjects presented by the personal data breach (or suspected personal data breach) (and in any event within 24 hours)
9.2 The Processor shall:
9.2.1 cooperate with the Controller’s investigation into the personal data breach and carry out its own investigation in accordance with the Controller’s instructions, where possible, ensuring that such investigation is carried out in such a manner to enable the Controller to maintain legal privilege in such investigation;
9.2.2 in the event of a personal data breach, take all reasonable steps to mitigate the risk of any similar personal data breach occurring in the future, along with all further reasonable steps that it may be instructed to take by the Data Controller and notify the Controller within 24 hours of any steps taken; and
9.2.3 not disclose any information about or in connection with any unauthorised or unlawful processing or accidental loss or destruction of, or damage to, personal data, other than to the Controller; with the Controller’s express prior written approval; and/or as required to be disclosed by applicable law or by a regulatory authority.
10. Governing law and jurisdiction
This Agreement and any dispute or claim arising out of or in connection with it or its subject matter or formation (including non-contractual disputes or claims) shall be governed by, and construed in accordance with the laws of the jurisdiction of where the Data Controller’s Affiliate(s) operate in. The parties agree that any disputes shall be subject to the jurisdiction of the courts of the respective country in which the dispute arises, unless otherwise agreed in writing.
Last reviewed in July 2025.