GDPR Terms and Conditions


Terms and Conditions

This Amendment to the Terms and Conditions supersedes and replaces all clauses in the existing Terms and Conditions relating to data protection and liability, including any exclusions or limitations on such liability to comply with the GDPR.

In the event of inconsistencies or conflict between the provisions of this Amendment and the existing Terms and Conditions, the provisions of this Amendment shall prevail.

Definitions and Interpretation

In this Amendment the following expressions bear the following meanings:

  • "Data Breach" means any breach of security, breach of the Data Privacy Laws or breach of X-on's obligations under this Amendment or the Existing Terms and Conditions or any accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, any Customer or its Clients Data;
  • "Data Controller" has the meaning given to that term (or to the term 'controller') in Data Privacy Laws;
  • "Data Processor" has the meaning given to that term (or to the term 'processor') in Data Privacy Laws;
  • "Data Privacy Laws" means all statutes, laws, secondary legislation and regulations pertaining to privacy, confidentiality and or data protection of Personal Data or corporate data, including (but not limited to) the Data Protection Act 1998, the Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI2003/2426), the Regulation of Investigatory Powers Act 2000, the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000 (SI 2000/2699)), E-Privacy Regulation, General Data Protection Regulation (GDPR, EU 2016/679) and any relevant national laws implementing Directives 95/46/EC, 2002/58/EC 7 97/66/EC or General Data Protection Regulation (EU) 2016/679) to the extent applicable to this Amendment Agreement and the relationship between the Parties;
  • "Data Protection Losses" means all liabilities and other amounts, including (without limitation) all: costs (including legal costs), claims, demands, actions, settlements, interest, charges, procedures, expenses, losses and damages (including relating to material or non-material damage); loss or damage to reputation, brand or goodwill; administrative fines, penalties, sanctions, liabilities or other remedies imposed by a Supervisory Authority; compensation paid to a Customer (including compensation to protect goodwill and ex gratia payments); and costs of compliance with investigations by a Supervisory Authority; the costs of loading Customer Data, to the extent that the same are lost, damaged or destroyed, and any loss or corruption of Customer Data (including the costs of rectification or restoration of Customer Data) to the extent permitted by applicable law;
  • "Data Subject" has the meaning given to that term in Data Privacy Laws;
  • "Data Subject Request" means a request made by a Customer or its clients to exercise any rights of a data subject;
  • "Client(s)" means the end customers or a person about whom the Customer processes Personal Data in relation to providing services;
  • "Customer Data" means Personal Data received about or relating to Customers or their Clients;
  • "Customer(s)" means a current, past, future or potential X-on Customer; and/or and employee, member of staff or contractor of the Customer ("Staff") where X-on is providing services in respect of such Staff or otherwise received Customer Data relating to such Staff through the course of providing the Services;
  • "Personal Data" has the meaning given to that term in Data Privacy Laws;
  • "Processing" has the meaning given to that term in Data Privacy Laws (and related terms such as Process have corresponding meanings);
  • "Processing Instructions" means the instruction given to the processor (X-on) by the Customer;
  • "Supervisory Authority" means the local, national or multinational agency, department, official, parliament, public or statutory person or any government or professional body, regulatory or supervisory authority. Board or other body responsible for administering Data Privacy Laws in the United Kingdom.

Terms and Conditions

  1. Data Controller Obligations
    1. Implementing appropriate and effective measures and be able to demonstrate the compliance of processing activities with this Regulation, including the effectiveness of the measures. Those measures should take into account the nature, scope, context and purposes of the processing and the risk to the rights and freedoms of natural persons.
    2. X-on acknowledges that the Customer shall be solely responsible for the following:
      1. implementing appropriate and effective measures and be able to demonstrate the compliance of processing activities with this Regulation, including the effectiveness of the measures. Those measures should take into account the nature, scope, context and purposes of the processing and the risk to the rights and freedoms of natural persons.
      2. the purpose(s) for which and the manner in which the Customer and its Client Data will be Processed or used;
      3. what Client Data to collect and the legal basis for doing so;
      4. which items (or content) of Customer and Client Data to collect;
      5. which individuals to collect Customer and Client Data about;
      6. whether to disclose the Customer or Client Data, and if so, who to;
      7. whether subject access and other individuals' rights apply including the application of any exemptions;
      8. how long to retain the Customer and Client Data; and
      9. whether to make non-routine amendments to the Customer or Client Data
  2. Data Processor Obligations
    1. X-on shall comply with all Data Privacy Laws in connection with its role as a Processor of the Customer and its Clients Data, the services and the exercise performance of its respective rights and obligations.
    2. X-on shall process the Customer and its Client data only in accordance with the Customers prior written instructions:
      1. for such other purposes as may be instructed by or agreed with the Customer or as otherwise notified in writing from time to time; and
      2. in accordance with the Data Privacy Laws;
    3. X-on shall at its own cost and expense, implement appropriate technical, security and organisational measure to protect the Customer and its Client Data against unauthorised or unlawful Processing and against accidental loss, destruction, damage, alteration or disclosure. In particular, such measure shall include, but not be limited to pseudonymisation and encrypting Customer and its Clients Data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to Customer and Its Clients Data can be restored in a timely manner after an incident or necessary to ensure the protection of Customer and its Clients Data.
      1. These Security controls implemented by X-on are defined in the X-on Information Security Policy in compliance with X-on's ISO 27001 Information Security Management System certification. Maintaining ISO 27001 compliance includes the regular assessment and evaluation of the effectiveness of the technical and organisational measures adopted by X-on.
    4. X-on shall not otherwise modify, amend, remove or alter the contents of the Customer and its Clients Data or disclose or permit the disclosure of any of the Customer or its Clients Data to any third party without the prior written authorisation of the Customer.
    5. X-on upon the termination of the contract, shall, unless otherwise required by Data Privacy Laws, return or delete, at the Customer's sole discretion, all Customer and its Clients Data and shall from the date of termination cease processing such Data.
    6. X-on shall ensure that only those personnel who need to have access to the Customer and its Clients Data are granted access to such Data and that all of the personnel required to access the Customer and its Clients Data:
      1. are reliable and have been trained in how to handle and process Customer and its Clients Data; and
      2. have been informed of the confidential nature of the Customer and its Clients Data and are subject to a duty of confidentiality;
    7. X-on shall:
      1. not appoint a sub-processor without the prior written consent of the Customer, and where the Customer grants its consent ensure an agreement is entered into with the relevant sub-processor which includes terms which are substantially the same as the terms set out in this Amendment. X-on shall remain responsible and liable for any act or omission or sub-processors. The Customer will not unreasonably withhold this consent and will provided valid legal reasons if consent is to be withheld;
      2. not transfer Customer or its Clients Data to a country or territory outside the European Economic Area except with the prior written consent of the Customer;
      3. assist the Customer by keeping records of all Data processing activities and implementing appropriate technical and organisational measures for the fulfilment of the Customers' obligations to respond to requests from Data Subject's to exercise Data Subject rights under the Data Privacy Laws including those laid down in Chapter III of the GDPR including Data Subject's rights to access, rectify, erase or object to the processing of Customer or its Clients Personal Data. Requests should be made by email to or by raising by a ticket directly via the X-on salesforce customer portal or by phone to 0333 332 0002;
      4. notify the customer without undue delay to ensure any timescales prescribed by Data Privacy Laws can be achieved and in any case within 24 hours if it becomes aware of a Data Breach affecting Customer or its Clients Data, providing the Customer with sufficient information to allow the Customer to meet any obligations to report or inform Data Subjects of the Data Breach under the Data Privacy Laws. X-on shall cooperate with the customer and take such reasonable commercial steps as are directed by the customer in relation to any such Data Breach;
      5. notify the Customer in the event that it notifies either the Supervisory Authority or a Data Subject of a Data Breach;
      6. provide reasonable assistance to the customer with any data protection impact assessments;
    8. Customers must inform X-on without undue delay if they suspect there has been a Data Breach affecting Customer Data by contacting X-on's Data Protection Office by email to or by phone to 0333 3320116.
    9. The Customer shall nominate and advise X-on of its nominated Data Protection Office.
    10. In the event that X-on believes that the customer's Processing Instructions infringe Data Privacy Laws or in any other way are unlawful, X-on must immediately inform the customer.
  3. Liability and indemnity
    1. X-on warrants that the services will be performed with reasonable care and skill and with the objective in meeting the requirements of the Terms and Conditions.
    2. Nothing in the Terms and Conditions shall exclude or restrict either party's liability for death or personal injury resulting from its negligence.
    3. X-on shall operate the services provided in line with the stated service availability level to the terms stated in this Terms and Conditions, where this is not achieved it will be liable for service credits, to the level terms stated in the service agreement. In the event of non functionality of the service it shall not be further liable for loss of profit or any other amounts.
    4. X-on shall in relation to the GDPR Regulation be:
      1. liable for the damage caused by processing only where it has not complied with obligations of this Regulation specifically directed to processors or where it has acted outside or contrary to lawful instructions of the controller;
      2. exempt from liability under paragraph 3.4.1, if it proves that it is not in any way responsible for the event giving rise to the damage;
    5. Where X-on (Processor) and the Customer (Controller), are involved in the same processing and where they are, under paragraph 4.4, responsible for any damage caused by processing, each party shall be held liable for the entire damage in order to ensure effective compensation of the data subject.
    6. Where X-on has, in accordance with paragraph 4.5, paid full compensation for the damage suffered, X-on shall be entitled to claim back from the Customer and other controllers or processors involved in the same processing, that part of the compensation corresponding to their part of responsibility for the damage, in accordance with the conditions set out in paragraph 2.4.
  4. Responsible persons
    1. X-on's Data Protection Officer and contact details are:
      Name: Callum Guy
      Phone Number: 0333 332 0116