API LICENCE – HEATHROW EXPRESS OPERATING COMPANY LIMITED
This Heathrow Express Operating Licensor Limited API Agreement (the “Agreement”) is entered into by and between:
(1) You and, if applicable, the company or legal entity that you represent, or on behalf of which you are acting (the “Licensee”); and
(2) Heathrow Express Operating Licensor Limited, a company with its registered office at The Compass Centre, Nelson Road, Hounslow, Middlesex, TW6 2GE, with company number 03145133 (the “Licensor”)
each a “Party” and together the “Parties”.
Part A: General
1. Acceptance of the Agreement
The Licensor grants the Licensee rights to view the API and, upon subscription by the Licensee to the relevant product(s) on the Platform, use the API to interface between the Platform and the Application, subject to the terms of this Agreement. By registering as a user of the Platform, the Licensee agrees to be bound by this Agreement.
2. Changes to the Agreement
2.1. The Licensor reserves the right from time to time, and at its sole discretion, and without any liability to the Licensee or any third party to change the Agreement by posting an amended Agreement on the API Portal. The most recent version of the Agreement will supersede all previous versions.
3.1. In this Agreement, unless otherwise stated
means the Licensor’s application programming interface, which is to be used as an interface between the Platform and the Applications, and includes the documents (in whatever media) that accompany the application programming interface;
means any content, images, photographs, illustrations, icons, texts, video, audio, written materials, software or other content, materials or data that the Licensee accesses or otherwise uses on the Platform as part of the Licensee’s use of the API;
means the use of API Data by the Licensee specifically for testing the possible integration of the API into the Licensee’s website;
means any applications or services provided by the Licensee through the Licensee’s website;
means any day which is not a Saturday, Sunday or bank or public holiday in England;
means the date on which the Licensee signs up to create an API Management account and thereby accepts the terms of this Agreement;
means in relation to each Party, all information of a confidential nature relating to the business and/or operations of that Party (whether such information is disclosed in writing, by delivery of items, orally, by visual presentation, by means of providing access to such information (when, for example, the information is contained on a database) or otherwise), including:
(a) any trade secrets, processes, customer lists, databases, trading details, information in relation to employees and officers or other information or activities of a confidential nature or which is commercially sensitive or price sensitive relating to either party or third parties (including details of activities, businesses or finances of any such company);
(b) any other information specifically designated by a Party as confidential;
(c) any information concerning airport security, law enforcement or investigations by authorities; and
(d) the provisions and subject matter of this Agreement, including pricing information;
Data Protection Legislation
means (i) any law, statute, declaration, decree, directive, legislative enactment, order, ordinance, regulation, rule or other binding restriction (as amended, consolidated or re-enacted from time to time) which relates to the protection of individuals with regards to the Processing of personal data to which a Party is subject, including the Data Protection Act 2018 and the GDPR as well as the Privacy and Electronic Communications (EC Directive) Regulations 2003; and (ii) any code of practice or guidance published by the Information Commissioner's Office from time to time;
Force Majeure Event
means the following: act of God, act of terrorism, war, explosions, fires, floods, volcanic eruption, volcanic ash cloud, tempests, earthquake, insurrection, riot, civil disturbance, rebellion, strike, lock-out or labour dispute but excluding:
(a) any industrial action occurring within the organisation of the affected Party or any of its sub-contractors; or
(b) the failure by a sub-contractor of the affected Party to perform its obligations under any sub-contract;
Intellectual Property Rights
(a) patents, rights to inventions, utility models, copyright and related rights, trademarks, service marks, trade, business and domain names, processes, rights in trade dress or get-up, rights in goodwill or to sue for passing off, unfair competition rights, rights in designs, rights in computer software, database rights, topography rights, moral rights, know-how and Confidential Information; and
(b) all other intellectual property rights and similar or equivalent rights or forms of protection anywhere in the world which currently exist or are recognised in the future,
in each case whether registered or unregistered and including all applications for and renewals or extensions of such rights;
means losses, liabilities, damages, compensation, awards, payments made under settlement arrangements, claims, proceedings, costs and other expenses including fines, penalties, interest, legal and other professional fees and expenses;
means the Licensor’s website known as the API Portal, comprising the Licensor’s relevant products or services, including developer services, mobile services and any other features, content, or applications offered or operated from time to time by use whether accessed via the Internet, mobile device or other electronic device;
means the date on which the Licensor grants a licence to the Licensee to use the API, following receipt of a request from the Licensee for such licence via the Platform; and
means Terminals 2, 3, 4 and 5 of Heathrow Airport.
4.1. In this Agreement, unless the context otherwise requires:
4.1.1. The singular includes the plural or vice versa;
4.1.2. References to sub clauses and clauses are to sub clauses and clauses of this Agreement;
4.1.3. References to persons include individuals, trusts, partnerships, unincorporated bodies, government entities, companies and/or corporations (in each case whether or not having separate legal personality);
4.1.4. References to including and include(s) shall be deemed to mean respectively including without limitation and include(s) with limitation;
4.1.6. Clause headings do not affect the interpretation of this Agreement; and
4.1.7. References to legislation (including any subsidiary legislation) include any modification or re-enactment thereof.
5. Grant of Licence to view API
5.1. In consideration of the Licensee performing its obligations in accordance with this Agreement, and with effect from the Commencement Date, the Licensor grants the Licensee a non-exclusive, non-transferable licence to view the API on the Platform.
5.2. For the avoidance of doubt, the Licensee shall not be permitted to use the API for any purpose (including the API Purpose) until it has completed the subscription process on the Platform in accordance with clause 6 below.
5.3. The grant of the licence to view the API shall continue until terminated in accordance with clause 17.
6. Subsequent grant of Licence to use API
6.1. In consideration of the Licensee performing its obligations in accordance with this Agreement, and with effect from the Subscription Date, the Licensor may grant the Licensee a non-exclusive, non-transferable licence to use the API for the API Purpose and subject to other restrictions on use in clause 7 below.
6.2. The grant of a licence to use the API to any Licensee shall remain at the Licensor’s discretion, and the Licensee shall in no circumstances be obliged to grant such licence to the Licensee.
6.3. The grant of the licence to use the API shall continue until terminated in accordance with clause 17.
6.4. The API licensed under this Agreement may include patches, fixes, updates, upgrades, new releases or new versions subsequently received (if any) of the API; however, the Licensor shall be under no obligation to provide the Licensee with the same.
7. Use of the API
7.1. The Licensee shall not use the API contrary to any restriction stated in this Agreement, or otherwise in a way that is not expressly permitted by this Agreement.
7.2. Except to the extent that the activities are expressly agreed by the parties to this Agreement, the Licensee:
7.2.1. must comply with the API Purpose;
7.2.2. shall ensure that the Licensee’s use of the API is in accordance with all relevant legislation, regulations, codes of practice, guidance and other requirements of any relevant government, governmental or regulatory agency or other relevant body;
7.2.3. must not use the API:
7.2.3.1. in connection with a criminal offence under the applicable national laws or regulations or against public order or applicable ethical standards and codes;
7.2.3.2. in any way which causes or is intended to cause annoyance, inconvenience or needless anxiety;
7.2.3.3. for any unlawful purpose whatsoever, including fraud or terrorism;
7.2.3.4. in any way that could be harmful to the Licensor’s systems or data (including uploading any material that otherwise contains a virus or other malicious code);
7.2.3.5. in any way which breaches or could potentially breach a legal duty to a third party (including a duty of confidentiality) or which infringes or could infringe a person’s right to privacy;
7.2.3.6. in any way which may infringe the Intellectual Property Rights of the Licensor and/or of third parties or which promotes any unlawful act;
7.2.3.7. to directly or indirectly, sell, supply or otherwise provide or allow access to the API and/or API Data to any third party without the written consent of the Licensor;
7.2.4. shall not decompile, observe, study or test the functioning of the API except and only to the extent that such restriction is prohibited under UK law, or with the express written permission of the Licensor;
7.2.5. shall not pretend to be the Licensor, any of its Affiliates, or an agent of the Licensor or its Affiliates or someone else, or otherwise represent the Licensee’s identity or affiliation;
7.2.6. shall not forge headers or otherwise manipulate identifiers (including URLs) in order to disguise the origin of any API Data transmitted through the API; and
7.2.7. shall not transmit software viruses or any other computer code, files or programs designed to interrupt, destroy, or limit the functionality of any computer software or hardware or telecommunications equipment.
7.3. The Licensee expressly agrees that the Licensee has sole responsibility for adequate protection and backup of data and/or equipment used by the Licensee in connection with the API Data.
7.4. The Licensee expressly agrees to provide access to the Application and/or other materials related to the Licensee’s use of the API Data as reasonably requested by the Licensor to verify the Licensee’s compliance with the Agreement.
7.5. The Licensee agrees that the Licensor may modify, suspend, restrict or terminate the Licensee’s access to all or any part of the API Data, at any time without any liability to the Licensee and without the requirement of prior written notice.
7.6. The Licensee shall ensure that appropriate contingency procedures are in place in order to deal with any data being unavailable as a result of actions imposed by the Licensor pursuant to clause 6.7.
7.7. The Licensee’s use of the API shall be limited to those data limits which are licensed to it under its subscription agreement with the Licensor.
7.8. Where the Licensee is permitted in accordance with this Agreement to allow a third party to benefit from the API, the Licensee shall ensure that all such use:
7.8.1. does not exceed the API Purpose;
7.8.2. is controlled by the Licensee; and
7.8.3. is otherwise subject to and in accordance with the terms of this Agreement.
7.9. To the extent that the Licensee experiences any problems with accessing the API, the Licensee shall notify the Licensor of such problems.
8. API Data
8.1. The Licensee acknowledges that the API Data may contain third party Intellectual Property Rights and the Licensee shall ensure that use of such API Data does not infringe the Intellectual Property Rights of such third parties. In the event of any such infringement, the Licensee’s permission to use the API Data will automatically terminate and any copies made of the API Data must be immediately destroyed.
8.2. Notwithstanding anything to the contrary, the Licensee agrees that if they consume or display the API Data in a way which the Licensor finds unacceptable for any reason, including if their display violates the Agreement, the Licensor may require that the Licensee immediately change or cease the Licensee’s access to API Data and/or the display of API Data.
8.3. The Licensee expressly agrees that it is the Licensee’s responsibility to evaluate and bear all risks associated with the Licensee’s use of any of the API Data, including any reliance on the accuracy, completeness, or usefulness of the API Data and the risks of unauthorised access.
8.4. The Licensor grants the Licensee a limited, non-exclusive, revocable, non-assignable and non-transferable licence to download, copy, display, view and use the API Data for the API Purpose, provided that the Licensee shall not:
8.4.1. create copies of the API Data except to the extent permitted by this Agreement;
8.4.2. without the prior written consent of the Licensor, make derivative works of, or commercially distribute or otherwise exploit the API Data, or use the Platform or any of the API Data in a manner that inaccurately suggests an association between the Licensee and the Licensor or its licensors;
8.4.3. otherwise use or exploit the API Data in any way for any purpose except the API Purpose;
8.4.4. combine, associate, synthesise or reverse engineer API Data; or
8.4.5. engage in any kind of commercialisation, marketing advertising, licensing or resale that is based on the API Data.
8.5. The Licensee grants to the Licensor a royalty-free, perpetual, irrevocable, sub-licensable, non-exclusive, transferable licence to use, reproduce, modify, publish, edit, translate, distribute, perform and display any content or material that the Licensee provides to the Licensor through the API, including end-user content or material and any data or analytics generated from the same.
9.1. The Licensee shall ensure that it shall implement appropriate technical and organisational measures to protect the API Data against unauthorised or unlawful processing and against accidental loss, destruction, damage, alteration or disclosure.
10. Data Protection and Privacy
10.1. The Licensee shall comply with the provisions of [Schedule 1].
11. Intellectual Property Rights
11.1. Except for the Licensee’s licence right to use the API and API Data as expressly granted above, all Intellectual Property Rights in and to the API and API Data shall vest and remain vested in the Licensor or its licensors.
11.2. To the extent that the Licensee acquires any Intellectual Property Rights in the API, Platform or API Data (with the exception of any API Data provided by the Licensee under clause 7.5 of this Agreement), the Licensee shall assign or procure the assignment of such Intellectual Property Rights with full title guarantee (including by way of present assignation of future Intellectual Property Rights) to the Licensor or any relevant third party nominated by the Licensor. The Licensee shall execute all such documents and do such things as the Licensor may consider necessary to give effect to this clause.
11.3. All Intellectual Property Rights in and to the Application shall vest and remain vested in the Licensee.
11.4. The Licensee acknowledges and agrees that:
11.4.1. the API and API Data contain confidential information and proprietary information and it shall not conceal, modify, remove, destroy or alter in any way any proprietary markings of the Licensor or in the API, API Data or any related materials and documentation;
11.4.2. all trade marks, logos and service marks (collectively the “Trade Marks”) which appear on the Platform or API are registered or unregistered Trade Marks or are licences for use by the Licensor by third parties, and that all other Trade Marks are proprietary marks and are registered to their respective owners;
11.4.3. nothing contained on the Platform or API should be construed as granting, by implication or otherwise, any licence or right to use any Trade Marks displayed on the Application or API without the written permission of the Licensor or such third party who owns the Trade Mark; and
11.4.4. it shall not deal with any Trade Mark displayed on the Platform or any other content on the Platform, contrary to the provisions of the Agreement.
12. Modifications to the API
12.1. The Licensor reserves the right to make modifications to the API at any time for any reason, and notice of such modifications shall be made available to the Licensee.
12.2. The Licensee acknowledges and agrees that all Intellectual Property Rights in any modifications or enhancements made to the API by the Licensee shall vest in the Licensor upon creation, and the Licensor shall be entitled to use any information provided by the Licensee relating to modifications or enhancements that could be made to the API, without any right of the Licensee for compensation for the same;
12.3. To the extent that the Licensee acquires any Intellectual Property Rights in any modifications to the API, the same requirements as under clause 11.2 (Intellectual Property Rights) shall apply in respect of such modifications.
13. Confidential Information
13.1. The Licensee shall maintain the confidentiality of the Licensor’s Confidential Information and shall not without the prior written consent of the Licensor use, disclose, copy or modify the Licensor’s Confidential Information (or permit others to do so) other than as necessary for the performance of the Licensee’s obligations under this Agreement;
13.2. The Licensee undertakes to:
13.2.1. disclose the Licensor’s Confidential Information only to those of the Licensee’s officers, employees, agents, professional advisers and contractors to whom and to the extent to which such disclosure is necessary for the purposes contemplated under this Agreement;
13.2.2. to procure that such persons are made aware of and agree in writing to observe the obligations in this clause; and
13.2.3. the Licensee shall give notice to the Licensor of any unauthorised misuse, disclosure, theft or loss of the Licensor’s Confidential Information immediately upon becoming aware of the same.
13.3. The provisions of this clause shall not apply to information which:
13.3.1. is or comes into the public domain through no fault of the Licensee, its officers, employees, agents or contractors;
13.3.2. is lawfully received by the Licensee from a third party free of any obligation of confidence of its disclosure;
13.3.3. is independently developed by the Licensee without access to or use of such information;
13.3.4. is required by law, by court or governmental or regulatory order to be disclosed provided that the Licensee, where possible, notifies the Licensor at the earliest opportunity before making any disclosure.
13.4. The obligations under this clause shall survive the variation, expiry or termination of this Agreement.
14.1. The Licensee warrants that:
14.1.1. it has the right, power and authority to enter into this Agreement;
14.1.2. it holds all rights and has obtained all licenses and consents required to use the API, its interface with the Application and the API Data;
14.1.3. its use of the API will not infringe any rights of any third party or the Licensor’s rights, nor will it breach any applicable laws or regulations, including Data Protection Laws;
14.2. The API is provided on an ‘as is’ basis and the Licensee acknowledges and agrees that:
14.2.1. the API may not be free of bugs or errors and agrees that the existence of minor bugs or errors shall not constitute a breach of this Agreement;
14.2.2. the Licensee remains responsible for its own hardware, content and any other data uploaded through the API;
14.2.3. the Licensor is not responsible for any liability that arises in connection with third parties unlawfully obtaining access to the Licensee’s API subscription in order to abuse the nature and intent of the API; and
14.2.4. the Licensee is responsible for any and all liability that arises in connection with any activity using the Licensee’s username or password (whether authorised or not).
14.3. The Licensor does not warrant or represent that the API shall be:
14.3.1. uninterrupted or error-free; or
14.3.2. compatible with third-party software or equipment; and
14.3.3. the Licensee agrees that it is satisfied that the API and the API Data are suitable for the purpose for which the Licensee proposed to use the same.
14.4. The Licensor and its suppliers give no warranties and make no representations about any API Data or about results to be obtained from using the API and shall not be liable for any loss or damage arising out of any virus or other malicious code.
14.5. Any warranties given by the Licensor shall be subject to the Licensee using the API in compliance with this Agreement, and the Licensor shall not be liable under this clause for, or required to remedy, any problem arising from:
14.5.1. any modification made to any part of the API by anyone other than the Licensor without its express prior written consent; or
14.5.2. any defect or error wholly caused by any equipment used in connection with the API.
15. Limits on Liability
15.1. This clause 14 sets out the entire financial liability of the Licensor (including any liability for the acts or omissions of its employees, agents, consultants, and subcontractors) to the Licensee in respect of
15.1.1. any breach of the Agreement;
15.1.2. any use made by the Licensee of the API or the API Data, or any part of either; and
15.1.3. any representation, statement or tortious act or omission (including negligence) arising under or in connection with the Agreement.
15.2. All warranties, conditions and other terms implied by statute or common law are, to the fullest extent permitted by law, excluded from the Agreement.
15.3. Nothing in this Agreement limits or excludes the liability of either Party:
15.3.1. for death or personal injury resulting from its negligence, or that of its employees, officers, agents or subcontractors;
15.3.2. for fraud, fraudulent misrepresentation or fraudulent concealment by the Licensor or its employees, officers, agents or subcontractors; or
15.3.3. for any other matter in respect of which liability cannot by applicable law be limited or excluded.
15.4. Subject to clause 15.2 and clause 15.3:
15.4.1. The Licensor shall not be liable for:
15.4.1.1. depletion of goodwill and/or similar losses; or
15.4.1.2. loss of contract; or
15.4.1.3. loss of use; or
15.4.1.4. loss or corruption of data or information; or
15.4.1.5. any special, consequential or indirect losses or damage,
in each case arising out of or in connection with this Agreement, including as a result of breach of contract, tort (including negligence), under statute or otherwise, and regardless of whether the Licensee knew or had reason to know of the possibility of the loss, injury, or damage in question.
15.4.2. Subject to clause 14.3, the Licensor shall not be liable whether in contract, tort (including negligence), breach of statutory duty, misrepresentation, restitution or otherwise for any loss arising in connection with the performance, or contemplated performance, of the Agreement.
16.1. The Licensee agrees to indemnify the Licensor against all Losses which the Licensor may sustain or incur in connection with:
16.1.1. the Application infringing the Intellectual Property Rights of any third party;
16.1.2. any misuse of the API or API Data including any claim that the Licensee’s use of the API Data infringes the Intellectual Property Rights, Confidentiality or privacy rights of any third party; and
16.1.3. breach by the Licensee of any warranties, security requirements in relation to the protection of the API Data or non-performance of any of the Licensee’s obligations under this Agreement.
17. Force Majeure
17.1. The Licensor shall have no liability to the Licensee under the Agreement if it is prevented from, or delayed in performing, its obligations under the Agreement or from carrying on its business by Force Majeure Events.
18.1. Either party may, without prejudice to its other rights and remedies, by notice in writing to the other party immediately terminate this Agreement at any time.
18.2. In the event of termination of this Agreement for any reason:
18.2.1. all licences granted to API Licensee under this Agreement shall terminate immediately;
18.2.2. the Licensee shall within seven (7) days (at the Licensor’s option) return or destroy all the Licensor’s Confidential Information and API Data in its possession or under its control and all copies of such information; and
18.2.3. the rights and obligations of the parties under this Agreement which are intended to continue beyond the termination or expiry of this Agreement (including those under Clause 24 (Entire Agreement), 25 (Governing Law and Jurisdiction), 16 (Indemnities), 15 (Limits on Liability), 10 (Data Protection and Privacy) and 13 (Confidential Information)) shall survive the termination or expiry of this Agreement.
19.1. Any notice or other communication required to be given under the Agreement shall be in writing and shall be delivered personally, or sent by pre-paid first-class post, recorded delivery or by commercial courier to the other Party and for the attention of the Licensor Secretary, or as otherwise specified by the relevant party by notice in writing to the other Party.
19.2. Any notice or other communication shall be deemed to have been duly received if delivered personally, when left at the address and for the contact referred to in the Agreement or, if sent by pre-paid first-class post or recorded delivery, at 9.00 am on the second business day after posting, or if delivered by commercial courier, on the date and at the time that the courier's delivery receipt is signed.
19.3. This clause 19 shall not apply to the service of any notice in any proceedings or other documents in any legal action.
19.4. A notice required to be given under the Agreement shall not be validly served if sent by e-mail.
20.1. For the purposes of the Contracts (Rights of Third Parties) Act 1999, this Agreement is not intended to and does not give any person who is not a Party to it any right to enforce any of its provisions.
20.2. No Party may assign, novate, transfer, subcontract or encumber any right or obligation under this Agreement, in whole or in part, without the other’s prior written consent or except as expressly permitted in this Agreement.
20.3. Provisions which by their terms or intent are to survive termination of this Agreement will do so.
20.4. This Agreement shall be binding upon, and enure to the benefit of, each of the Parties, their respective personal representatives and their respective successors in title.
21.1. A waiver of any right under the Agreement is only effective if it is in writing and it applies only to the circumstances for which it is given. No failure or delay by a party in exercising any right or remedy under the Agreement or by law shall constitute a waiver of that (or any other) right or remedy, nor preclude or restrict its further exercise. No single or partial exercise of such right or remedy shall preclude or restrict the further exercise of that (or any other) right or remedy.
21.2. Unless specifically provided otherwise, rights arising under the Agreement are cumulative and do not exclude rights provided by law.
22.1. If any provision of the Agreement (or part of any provision) is found by any court or other authority of competent jurisdiction to be invalid, illegal or unenforceable, that provision or part-provision shall, to the extent required, be deemed not to form part of the Agreement, and the validity and enforceability of the other provisions of the Agreement shall not be affected.
22.2. If a provision of the Agreement (or part of any provision) is found illegal, invalid or unenforceable, the provision shall apply with the minimum modification necessary to make it legal, valid and enforceable.
23.1. The Licensee shall not, without the prior written consent of the Licensor, assign, transfer, charge, mortgage, subcontract, declare a trust of or deal in any other manner with all or any of its rights or obligations under the Agreement.
23.2. Each party that has rights under the Agreement is acting on its own behalf and not for the benefit of another person.
24. Entire Agreement
24.1. This Agreement (together with (i) all other documents to be entered into pursuant to it and (ii) all documents referred to in it) constitutes the entire agreement between the Parties in relation to its subject matter, and replaces and extinguishes all prior agreements, draft agreements, arrangements, undertakings or collateral contracts of any nature made by the Parties (whether oral or written) in relation to such subject matter.
24.2. Each Party acknowledges that in entering into this Agreement it is not relying on, and shall have no rights or remedies (whether in tort, under statute or otherwise) in respect of any statements, assurances, undertakings or representations (whether innocently or negligently made) by the other Party to this Agreement.
24.3. Nothing in this Agreement shall (except as expressly provided) be deemed to constitute a partnership, or create a relationship of principal and agent between the Parties for any purposes.
25. Governing Law and Jurisdiction
25.1. This Agreement (and any non-contractual obligations arising out of or in relation to this Agreement) shall be governed by and will be interpreted in accordance with English law. All disputes arising out of or relating to this Agreement (or any non-contractual obligations arising out of or in relation to this Agreement) shall be submitted to the exclusive jurisdiction of the English courts.
DATA PROTECTION AND COMPANY DATA
Definitions and interpretation in this Schedule are as follows:
“Controller” has the meaning ascribed to it in the GDPR;
“Data Subject Request” means a subject access request or notice or complaint from a Data Subject exercising his rights under the Data Protection Legislation, including specific requests from individuals to rectify inaccuracies, delete personal data or restrict the Processing of personal data;
“International Transfer Requirements” means the requirement to ensure that transfers of personal data outside of the EEA have adequate protections in place, as set out in the Data Protection Legislation;
“Personal Data” has the meaning ascribed to it in the GDPR;
“Personal Data Breach” has the meaning ascribed to it in the GDPR;
“Processing” has the meaning ascribed to it in the GDPR, and "Processed" and "Process" shall be construed accordingly;
“Processor” has the meaning ascribed to it in the GDPR;
“Pseudonymisation” has the meaning ascribed to it in the GDPR;
“Regulator Correspondence” means any correspondence received from any relevant Regulator in relation to the Processing of the Personal Data;
“Security Requirements” means the requirements regarding the security of the Personal Data, as set out in the Data Protection Legislation (including, in particular, Article 32 of the GDPR) (as applicable);
1. DATA PROTECTION
1.1 Personal Data
1.1.1 This paragraph 1.1 shall apply to all personal data Processed by the Licensee (or by a subcontractor on its behalf) under, or in connection with, this Agreement on behalf of the Licensor (the "Personal Data").
1.1.2 The Licensee shall indemnify the Licensor against all Losses which the Licensor may incur or suffer in connection with a breach of the Licensee's obligations under this Schedule.
1.1.3 The Parties shall each Process the Personal Data. The Parties acknowledge that the factual arrangement between them dictates the role of each Party in respect of the Data Protection Legislation. Notwithstanding the foregoing, the Parties anticipate that:
(c) the Licensor shall be a Controller (or a Processor on behalf of the ultimate Controller), where it is Processing the Personal Data in connection with the Data Subject's relationship with the Licensor as an employee, contractor or customer.
(d) the Licensee shall be:
i. a joint Controller with the Licensor; or
ii. a Processor acting on behalf of the Licensor;
where it is Processing the Personal Data in relation to its use of the API or otherwise performing its retrospective obligations under this Agreement.
1.1.4 While the Parties anticipate that the Licensee shall predominantly perform the role of Processor, the Parties may by written agreement designate one or more of those roles outlined in paragraph 1.1.3 to the Licensee which they believe and understand the Licensee to be fulfilling. For the avoidance of doubt, in any case where the Parties do not designate one or more such roles to the Licensee: (i) the Licensor shall be deemed to be a Controller; and (ii) the Licensee shall be deemed to be the Processor. Notwithstanding the foregoing, under no circumstances shall the Licensee be relieved from performing its obligations under paragraph 1.1.11.
1.1.5 Subject to compliance with this paragraph 1, where the Parties designate the Licensee as a joint Controller then, for so long as the Processing carried out by the Licensee is in accordance with the terms of this Agreement and the Data Protection Legislation, the Licensee shall be entitled to determine the precise manner in which the Personal Data is Processed by it.
1.1.6 Where the Parties are Processing (or procuring the Processing of) the Personal Data as joint Controllers, the Parties agree (unless otherwise agreed) that:
(a) they shall each be responsible for the compliance with the obligations imposed on the Controller by the Security Requirements while the Personal Data is in its possession or control;
(b) the Licensor shall be responsible for compliance with the principles of the Data Protection Legislation in relation to:
i. lawfulness, fairness and transparency;
ii. purpose limitation; and
iii. compliance with the rights of the Data Subject; and
(c) the Licensee shall be responsible for compliance with the principles of the Data Protection Legislation in relation to:
i. data minimisation;
iii. storage minimisation/retention; and
iv. compliance with the International Transfer Requirements.
1.1.7 Where a Party acts as Controller, where required it shall make due notification to any relevant Regulator including any required notification of its use and Processing of the Personal Data.
1.1.8 The Licensee shall comply, at all times, with the Data Protection Legislation and shall not perform its obligations under this Agreement in such a way as the Licensee knows or believes (or would reasonably be expected to know or believe) would cause the Licensor to breach any of its applicable obligations under the Data Protection Legislation.
1.1.9 Without prejudice to the obligations of the Licensee under this paragraph 1, and the rights and remedies of the Licensor in connection with a failure to perform them, nothing in this paragraph 1 shall give rise to any liability on the part of the Licensee for a failure by the Licensor to comply with its obligations under the Data Protection Legislation where such failure is unconnected to the acts or omissions of the Licensee or Licensee Personnel.
1.1.10 Where the Licensee acts as a Processor, the Licensee shall (and shall procure that all Licensee Personnel and its Subcontractors shall):
(a) process the Personal Data only in accordance with instructions from the Licensor (which may be specific instructions or instructions of a general nature as set out in this Agreement or as otherwise notified by the Licensor to the Licensee during the Term); and
(b) to the extent required by European Union law or the law of one of the Member States of the European Union and/or the United Kingdom, to the extent legally permissible, promptly, and in any event within twenty-four (24) hours, inform the Licensor if the Licensee is required by European Union law or the law of one of the Member States of the European Union to act in a way that would be in breach of any of this paragraph 1.1.10.
1.1.11 Regardless of whether the Licensee is acting as Processor or joint Controller, the Licensee shall (and shall procure that the Licensee Personnel and its Subcontractor shall):
(a) process the Personal Data only to the extent, and in such manner, as is necessary for the API Purpose or as is required by Applicable Law or any Regulator and shall inform the Licensor immediately if it considers in its opinion any of the Licensor's instructions infringes Data Protection Legislation;
(b) assist the Licensor, where necessary, in the completion of data protection impact assessments relating to the Processing of Personal Data under this Agreement, including providing information about processing activities;
(c) make available all information necessary to demonstrate compliance with the Licensee's obligations as Processor and/or joint Controller (as applicable), as set out in this Agreement and, where applicable, the Data Protection Legislation;
(d) implement appropriate technical and organisational security measures to protect the Personal Data against unauthorised or unlawful Processing and against accidental loss, destruction, damage, alteration or disclosure sufficient to comply with the Security Requirements, such measures to be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction of, or damage to, the Personal Data, and having regard to the nature of the Personal Data which is to be protected. Such measures shall include any specific measures required to be taken under the Heathrow Policies and Procedures.
(e) notify the Licensor of a suspected or actual Personal Data Breach without undue delay and in any event, within twenty-four (24) hours of becoming aware and both:
i. implement any measures necessary to restore the security of compromised Personal Data; and
ii. support the Licensor to make any required notifications to the Regulator and affected Data Subjects;
(f) ensure that it does not subcontract the Processing of Personal Data or transfer the Personal Data to a Subcontractor unless and until:
i. the Licensee has obtained prior written consent from the Licensor;
ii. the Licensee has provided the Licensor with full details of the Subcontractor (including the results of the due diligence undertaken in accordance with paragraph 1.1.12(f) ii below);
iii. the Licensee has undertaken thorough due diligence on the proposed Subcontractor, including a risk assessment of the information governance-related practices and processes of the Subcontractor, which shall be used by the Licensee to inform any decision on appointing the proposed Subcontractor; and
iv. the Subcontractor contract is on terms which are equivalent to, and offer no less protection than, this paragraph 1, and the Licensor shall have the option to require the processing agreement to be a direct agreement between it and the relevant Subcontractor (or to be named as a third party beneficiary in such agreement);
(g) ensure that it takes all reasonable steps to ensure the reliability of any Licensee Personnel who shall have access to the Personal Data and that such Licensee Personnel:
i. are informed of the confidential nature of the Personal Data and comply with the obligations set out in this paragraph 1;
ii. enter into appropriate contractually binding confidentiality undertakings; and
iii. do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Licensor;
(h) notify the Licensor within three (3) Working Days if it receives:
i. a request from a Data Subject to have access to his Personal Data; or
ii. a complaint or request relating to any Heathrow Companies' obligations under the Data Protection Legislation, as well as any Data Subject Request;
(i) use all reasonable endeavours in accordance with Good Industry Practice to assist the Licensor to comply with the obligations imposed on the Licensor by the Data Protection Legislation. This may include providing the Licensor with full cooperation and assistance in relation to any Data Subject Request, including:
i. providing full details of the Data Subject Request;
ii. complying with the Data Subject Request within the relevant timescales set out in the Data Protection Legislation and in accordance with the Licensor’s instructions;
iii. providing the Licensor with any Personal Data it holds in relation to a Data Subject (within the reasonable timescales required by the Licensor, having regard to the Data Protection Legislation and any timescales within which the Licensor may be required to act in connection with such Data Subject Request); and
iv. providing the Licensor with any information requested by the Licensor;
(j) permit the Licensor and any Regulator to inspect and audit the Licensee's data Processing activities and records (and/or those of its agents, subsidiaries and Subcontractors), including to verify the Licensee's compliance with this paragraph 1.1.11 and the Data Protection Legislation. Further, the Licensee shall comply with all reasonable requests or directions by the Licensor and/or any Regulator to enable the Licensor and/or any Regulator to verify and/or procure that the Licensee is in full compliance with its data Processing obligations under this Agreement;
(k) provide a written description of the measures employed by the Licensee and Subcontractors for Processing Personal Data in order to comply with paragraph 1.1.11(b) (within the reasonable timescales required by the Licensor having regard to the Data Protection Legislation and any timescales within which the Licensor may be required to act in connection with such written description), as well as a description of the nature and purpose of the Processing activities, the type of personal data being processed and the categories of Data Subjects;
(l) maintain accurate and up to date records of its data Processing activities in connection with the Services;
(m) not Process or otherwise transfer any Personal Data outside the United Kingdom and/or the European Economic Area. If, after the Signature Date, the Licensee (or any Subcontractor) wishes to Process and/or transfer any Personal Data outside the European Economic Area other than as detailed above, the following provisions shall apply:
i. the Licensee shall submit a Change Request to the Licensor which shall be dealt with in accordance with the Contract Change Control Procedure Schedule 7 and paragraphs 1.1.12 (m)ii to 1.1.12 (m) iv (inclusive);
ii. the Licensee shall set out in its Change Request and/or Impact Assessment details of the following:
1. the Personal Data which will be Processed and/or transferred outside the European Economic Area;
2. the country or countries in which the Personal Data will be Processed and/or to which the Personal Data will be transferred outside the European Economic Area;
3. any Subcontractors or other third parties who will be Processing and/or transferring Personal Data outside the European Economic Area; and
4. how the Licensee will ensure an adequate level of protection and adequate safeguards (in accordance with the Data Protection Legislation and in particular so as to ensure the Licensor's compliance with the Data Protection Legislation) in respect of the Personal Data that will be Processed and/or transferred outside the European Economic Area;
iii. in providing and evaluating the Change Request and Impact Assessment, the Parties shall ensure that they have regard to and comply with then-current Heathrow Group, Government and relevant Regulator policies, procedures, guidance and codes of practice on, and any approvals processes in connection with, the Processing and/or transfers of Personal Data outside the European Economic Area and/or overseas generally; and
iv. the Licensee shall comply with such other instructions and shall carry out such other actions as the relevant Heathrow Companies may notify in writing, including incorporating additional standard and/or model clauses (which are approved from time to time by the European Commission as offering adequate safeguards under the Data Protection Legislation) in this Agreement or in a separate data processing agreement.
1.1.12 Other than as expressly permitted in accordance with this paragraph 1 no elements of the Services shall be provided from any location (other than the Location(s) and the premises of the Licensee in the United Kingdom) that has not been agreed in writing by the Licensor in accordance with the Contract Change Control Procedure (and specifically they shall not be provided from any location outside the European Economic Area, nor shall any data relating to the Services be transferred outside the European Economic Area, without the Licensor's express written consent).
1.2 In this Schedule, the term “Licensor Data” means (i) any data (other than Personal Data and Confidential Information), documents, text, drawings, diagrams, images or sounds (together with any database made up of any of those), embodied in any medium, that are supplied to the Licensee by or on behalf of the Licensor, or (ii) Foreground IPR which the Licensee is required to generate, process, store or transmit pursuant to this Agreement.
1.3 The Licensee acknowledges that the Licensor Data is the property of the Licensor and the Licensor reserves all Intellectual Property Rights which may, at any time, subsist in the Licensor Data. To the extent that any Intellectual Property Rights in any of the Licensor Data vest in the Licensee by operation of law, such Intellectual Property Rights shall be assigned by the Licensee to the Licensor by operation of this paragraph 1.3 immediately upon the creation of such Licensor Data. In case of any discrepancies or deviations between this Schedule and the Agreement, the Agreement shall prevail.
1.4 The Licensee shall:
1.4.1 not delete or remove any proprietary notices or other notices contained within or relating to the Licensor Data;
1.4.2 not alter, store, copy, disclose or use the Licensor Data, except as necessary for the performance of this Agreement or as otherwise expressly authorised by this Agreement or the Licensor;
1.4.3 preserve, so far as possible, the integrity of the Licensor Data and prevent its loss, damage, corruption, disclosure, theft, manipulation or interception (taking all precautions as may be necessary for such preservation);
1.4.4 make secure back-up copies of the Licensor Data on such regular basis as is reasonable for the particular data concerned or as instructed by the Licensor from time to time; and
1.4.5 immediately notify the Licensor if any of the Licensor Data is lost, becomes corrupted, is damaged or is deleted accidentally.
1.5 To the extent that Licensor Data is held by the Licensee, the Licensee shall supply such Licensor Data to any of the Heathrow Companies which may request the same from time to time.
1.6 The provisions of this Schedule shall survive the termination or expiry of this Agreement.