General Data Protection Regulation

Data Processing Addendum

Due to the requirements of the General Data Protection Regulation ("GDPR"), this GDPR contract addendum (the "Addendum") shall apply to the contract between us and shall govern the rights and obligations of the parties in respect of GDPR.

1. Definitions

1.1 In this Addendum: 

(a) "Controller", "Data Processor", "Data Subject" and "Personal Data" shall have the meanings as defined in the Data Protection Legislation;

(b) "Data Protection Legislation" means the Data Protection Act 1998, the Privacy and Electronic Communications Regulations 2003, and all other applicable laws, enactments, regulations, orders, standards and other similar instruments, each as may be amended or superseded from time to time (including the GDPR, which shall supersede the Data Protection Act with effect from 25 May 2018, and any new UK Data Protection Act); and

(c) "we", "our" or "us" means London Legalisation Services Ltd and "you" and "your" means our client.

2. Data processing

2.1 To the extent that we process any Personal Data on your behalf while performing the Services, the parties agree that we shall do so as a Data Processor and that you shall be the Data Controller and in any such case we shall:

(a) maintain at all times an appropriate notification under the Data Protection Legislation (where required);

(b) only carry out processing of any such Personal Data on your documented instructions from time to time;

(c) take and/or implement all appropriate technical and organisational measures against unauthorised or unlawful processing of such Personal Data, and against accidental loss, alteration or destruction of, or damage to, such Personal Data, and ensure the security of such data at all times;

(d) notify you without undue delay of any security breach affecting any Personal Data; 

(e) not modify, amend or alter the contents of such Personal Data other than as strictly necessary for the purposes of performing the Services;

(f) not disclose or permit the disclosure of any such Personal Data to a Data Subject unless authorised by you. This obligation shall not apply where disclosure is required by law or regulation. In such circumstances we shall provide prior notification to you of such disclosure, unless such notification is itself precluded by law;

(g) only use and process such Personal Data in accordance with the terms of this agreement and in compliance with the provisions of the Data Protection Legislation, and only then to the extent absolutely necessary for and in connection with the performance of the Services. This shall be without prejudice to clause 2.13; 

(h) only transfer such personal data to countries outside the European Economic Area subject to appropriate protections, such as standard data protection clauses approved by the European Commission;

(i) on termination of this agreement or any earlier termination of our right or obligation to process Personal Data on your behalf, and as otherwise directed by you in respect of such Personal Data, we shall either:

(a) destroy the Personal Data and all copies thereof;

(b) transfer the Personal Data to you or such other third party as you may direct; or

(c) archive the Personal Data subject to agreement on terms of archiving including costs,

unless storage or other processing of the Personal Data is required by law.

2.2 Clause 2.1(i) shall be without prejudice to our rights when we are the Data Controller in relation to the Personal Data.

2.3 If we receive any complaint, notice or communication which relates directly or indirectly to the processing of Personal Data or to compliance by us or you with the Data Protection Legislation (including requests from Data Subjects for the exercising of their statutory rights), we shall promptly notify you and shall provide you with full co-operation and assistance in relation to any such complaint, notice or communication. You shall be responsible for any costs arising from our provision of such assistance.

2.4 We shall provide all reasonable assistance to you, having regard to the nature of processing and the information available to us in order to assist you to comply with your obligations under the Data Protection Legislation (including the notification of a Personal Data breach to the Information Commissioner and to the Data Subject(s) affected, and the preparation of data protection impact assessments, where appropriate). You shall be responsible for any costs arising from our provision of such assistance.

2.5 We shall keep and provide to you on request a record of our use of the Personal Data and processing activities and shall make available to you all information necessary (and allow for and contribute to audits or inspections) to demonstrate compliance with our data processing obligations set out in this agreement. You shall be responsible for any costs arising from our contribution to any such audits or inspections, which shall be limited to one per year unless otherwise required by a supervisory authority.

2.6 We shall ensure our employees or other representatives who are authorised to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

2.7 We shall have no liability to you for any loss, damage, costs, expenses or other claims for compensation arising from any Personal Data or instructions supplied by you which are incomplete, incorrect, inaccurate, illegible, out of sequence or in the wrong form, or otherwise not fitting any relevant description or warranty, arising from their late arrival or non-arrival, or any other fault of yours.

2.8 We will not be liable for any claim brought by a Data Subject arising from any action or omission by us to the extent that such action or omission resulted from our fulfilment of your instructions.

2.9 You hereby warrant and undertake that you have obtained all necessary permissions for us to process the Personal Data and that you are entitled to transfer the Personal Data to us for the purposes of us performing the Services in accordance with this Agreement. You further warrant and undertake that you have fully complied with your obligations under the Data Protection Legislation regarding our processing of the Personal Data.

2.10 You shall indemnify us against all liabilities, costs, expenses, damages and losses (including but not limited to any direct, indirect or consequential losses, loss of profit, loss of reputation and all interest, penalties and legal costs (calculated on a full indemnity basis) and all other reasonable professional costs and expenses) suffered or incurred by us arising out of or in connection with any breach of the warranties contained in clause 2.9.

2.11 You specifically authorise all Vistra Group companies and the third parties listed or referred to in Schedule 2 to this Addendum to act as sub-processors in connection with the performance of the Services.  

2.12 You hereby authorise us to engage third parties to process the Personal Data on our behalf in connection with the performance of the Services provided that we: 

(a) shall obtain your prior written consent before any such new sub-processor is appointed to process Personal Data;

(b) enter into a written subcontract with such third party to ensure that it only processes the Personal Data in performing the specific obligations required of it under the subcontract and on data processing terms no less onerous than those which bind us under the Agreement (in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of the Data Protection Legislation); and

(c) remain at all times liable under the terms of the Agreement for all obligations in respect of the Personal Data, including for all acts or omissions of any third party sub-processor, subject in any event to any limitation of liability clauses set out in the Agreement.

2.13 For the avoidance of doubt nothing in this Agreement shall bind us, or create any obligation to you by us, in respect of our rights as Data Controller in relation to any information collected for the purposes of credit control and market research purposes and to inform you about our services and products, legal developments and training sessions or events which we believe may be of interest to you.  We may share your personal information with other companies in our group for any of the above purposes. We may also share your information with business partners and suppliers with whom we may have outsourced certain of our business functions.

2.14 In the event of any contradiction / inconsistency between the terms of this Addendum and any term in the Agreement, in respect of any processing of Personal Data the terms of this Addendum shall prevail.

 

 

Schedule 1 – Processing of data

Type of data to be processed: Personal data provided to us by or on behalf of the client, including personal data provided directly to us by a data subject or third party. The personal data processed under our contract will be dependent upon the scope of the Services provided.

Categories of data subject whose data will be processed: Personal data related to such individuals as may be necessary for us to provide our Services.

Nature and purpose of processing: Such processing as is necessary to:
  • enable us to provide the Services to you;
  • comply with our obligations and exercise our rights under our contract with you, including the collection, recording, organisation, use, disclosure, restriction, erasure or destruction of data; and
  • enable third party contractors who we use to provide the Services or part of the Services to carry out their functions.

Duration of processing: The period of our contract and the longer of such additional period as is specified in the terms of our contract regarding data retention, is required in relation to any limitation period for contractual claims or is required for compliance with the law.

Schedule 2 – Authorised sub-processors

The notaries and translators who we use to provide the Services.
