Data Processing Addendum (DPA)

1. Definitions

• "we", "us", or "LNG" - Legal Notice Gateway Ltd of 71-75 Shelton Street, Covent Garden, London, United Kingdom, WC2H 9JQ, the data controller and processor.
• Data Protection Laws: The UK GDPR and the Data Protection Act 2018.
• Personal Data, Data Subject, Processing, Controller, and Processor: Shall have the meanings given to them in the Data Protection Laws.
• Sub-processor: Any third party appointed by the Processor to process Personal Data on behalf of the Controller.

2. Roles and Responsibilities

3. Scope and Details of Processing

• Subject Matter: The facilitation and submission of legal notices as requested by the Controller.
• Duration: The processing shall continue for the duration of the Principal Agreement plus any period required for statutory retention.
• Nature and Purpose: To process Notice Content Data for transmittal to Publishers and to maintain a record of service.
• Types of Personal Data: Names, trading names, business addresses, operator licence details, and contact information.
• Categories of Data Subjects: Individuals named within legal notices and the Controller’s staff members.

4. Obligations of the Processor

• Instructions: Process Personal Data only on the documented instructions of the Controller, including those set out in the Principal Agreement.
• Confidentiality: Ensure that persons authorised to process the Personal Data have committed themselves to confidentiality.
• Security: Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as detailed in the Privacy Policy.
• Sub-processors: The Controller provides a general authorisation for the Processor to engage Sub-processors. The Processor shall ensure that any Sub-processor is bound by data protection obligations equivalent to those in this DPA.
• Data Subject Rights: Assist the Controller, insofar as this is possible, for the fulfilment of the Controller's obligation to respond to requests for exercising Data Subject rights.
• Assistance: Assist the Controller in ensuring compliance with obligations regarding security, breach notification, and data protection impact assessments.
• Deletion or Return: At the choice of the Controller, delete or return all Personal Data to the Controller after the end of the provision of services, unless UK law requires the storage of that Personal Data.
• Audit: Make available to the Controller all information necessary to demonstrate compliance with Article 28 of the UK GDPR and allow for and contribute to audits.

5. International Transfers

The Processor shall not transfer Personal Data outside of the UK unless it ensures that the transfer is conducted in accordance with Data Protection Laws. The Controller acknowledges that Sub-processors located in the US are engaged under the UK Extension to the EU-US Data Privacy Framework or standard contractual clauses.

6. Limitation of Liability

The total aggregate liability of either party for any breach of this DPA shall be subject to the limitation of liability provisions set out in the Principal Agreement.