In this Policy:
- “Controller” shall have the meaning set out in the GDPR;
- “Data Protection Laws” means the GDPR, the Data Protection Act 2018 and the Privacy and Electronic Communication Regulations 2003, any amendment, consolidation or re-enactment thereof, any legislation of equivalent purpose or effect enacted in the United Kingdom, or, where relevant, the European Union, and any orders, guidelines and instructions issued under any of the above by relevant national authorities, a judicial authority in England and Wales or, where relevant, a European Union judicial authority;
- “Data Subject” shall have the meaning set out in the GDPR;
- “Disclosing Party” shall mean the party to this Agreement who discloses or makes available Personal Data;
- “GDPR” means General Data Protection Regulation (EU) 2016/679 as in force from time to time; and, as applicable to the EEA and the United Kingdom, including any variations and adoptions of the regulation therein as Replacement National Legislation;
- “Personal Data” has the meaning given to it by the GDPR, but shall only include personal data to the extent that such personal data, or any part of such personal data, is processed in relation to the services provided under this Agreement;
- “Processor” shall have the meaning set out in the GDPR;
- “Receiving Party” shall mean the party to this Agreement who receives or obtains Personal Data whether directly from the Disclosing Party or indirectly;
- “Replacement National Legislation” means legislation in the United Kingdom which is enacted to cover, in whole or part, the same subject matter as the GDPR.
- Words and phrases with defined meanings in the GDPR have the same meanings when used in this Attachment, unless otherwise defined in this Attachment.
- If the GDPR ceases to apply to the United Kingdom, references to the GDPR, to provisions within it and to words and phrases with defined meanings in it, shall be deemed references to Replacement National Legislation, the nearest equivalent provisions in it and the nearest equivalent words and phrases in it (as the case may be).
- Each party shall comply with the Data Protection Laws applicable to it in connection with this Agreement and shall not cause the other party to breach any of its obligations under Data Protection Laws.
- The parties have agreed that the Receiving Party will process Personal Data as the Processor on behalf of the Disclosing Party which shall act as a Controller of such Personal Data in connection with this Agreement. The Processor shall, or shall ensure that its sub-contractor shall:
  - process the Personal Data only on behalf of the Controller, only for the purposes of performing its obligations under this Agreement, and only in accordance with instructions contained in this Agreement or instructions received in writing from the Controller from time to time. The Processor shall notify the Controller if, in its opinion, any instruction given by the Controller breaches Data Protection Laws or other applicable law;
  - not otherwise modify, amend or alter the contents of the Personal Data or disclose or permit the disclosure of any of the Personal Data to any third party (including without limitation the Data Subject itself) unless specifically authorised in writing by the Controller;
  - document all processing in accordance with Article 30 GDPR;
  - only grant access to the Personal Data to persons who need to have access to it for the purposes of performing this Agreement;
  - ensure that all persons with access to the Personal Data are:
    - reliable, trustworthy and suitably trained on Data Protection Laws; and
    - subject to an obligation of confidentiality or are under an appropriate statutory obligation of confidentiality;
  - taking into account the nature of the processing and the information available to the Processor, assist the Controller in ensuring compliance with its obligations pursuant to Articles 32 to 36 GDPR inclusive;
  - as a minimum, take all measures required pursuant to Article 32 GDPR in accordance with best practice and the security obligations set out in this Agreement (as amended from time to time), whichever imposes a higher standard, and at the request of the Controller provide a written description of, and rationale for, the technical and organizational measures implemented, or to be implemented, to:
    - protect the Personal Data against unauthorized or unlawful processing and accidental loss, destruction, damage, alteration or disclosure; and
    - detect and report personal data breaches within good time;
  - Such measures shall be subject to the adequacy assessment of the Controller. Where the Controller does not deem such measures adequate, the Processor shall revise them until the Controller does so. Once approved by the Controller, the Processor shall be bound to implement and maintain such measures, and shall provide the Controller with reasonable assistance in documenting its adequacy assessment;
  - report to the Controller on a regular basis, and at least once every year, on the status of the Personal Data security. These reports shall at least include the status of the data processing systems, the security measures, registered downtime of technical security measures and the required and/or recommended improvements;
  - notify any loss, damage or destruction of Personal Data to the Controller as soon as reasonably practicable and in any event within 24 hours of becoming aware of such breach, and provide all reasonable assistance to the Controller in relation to the notification of such breach to the Information Commissioner, any other applicable regulator and any Data Subject;
  - provide all reasonable assistance to the Controller in ensuring compliance with its legal obligations relating to data security and privacy impact assessments;
  - not engage another processor (a “Sub-Processor”) to process the Personal Data on its behalf without specific written consent of the Controller, approving a named Sub-Processor, such consent always subject to:
    - the Processor binding any Sub-Processor by written agreement, imposing on the Sub-Processor obligations in relation to the Personal Data equivalent to those set out in this Agreement; and
    - the Processor remaining liable to the Controller for the acts and omissions of any Sub-Processor, as if they were the acts and omissions of the Processor;
  - notify the Controller (within seven days) if it receives:
    - a request from a Data Subject to have access to that person’s Personal Data; or
    - a complaint or request relating to the Controller’s obligations under Data Protection Laws; or
    - any other communication relating directly or indirectly to the processing of any Personal Data in connection with this Agreement;
  - not take action in relation to such communication, unless compelled by law or a regulator, without the Controller’s prior approval, and comply with any reasonable instructions the Controller gives in relation to such communication;
  - provide the Controller with full co-operation and assistance in relation to any complaint or request made in respect of any Personal Data, including (without limitation) by:
    - providing the Controller with full details of the complaint or request;
    - complying with a data access request within the relevant timescales set out in the Data Protection Laws, but strictly in accordance with the Controller’s instructions;
    - providing the Controller with any Personal Data it holds in relation to a Data Subject making a complaint or request within the timescales required by the Controller;
    - providing the Controller with any information requested by the Controller; and
    - assisting the Controller to respond to or comply with the complaint or request;
  - on termination of this Agreement and otherwise at the Controller’s request, delete or return to the Controller the Personal Data, and procure that any party to whom the Processor has disclosed the Personal Data does the same;
  - where reasonably possible, store the Personal Data in a structured, commonly used and machine-readable format;
  - not transfer Personal Data outside of the European Economic Area without the prior written consent of the Controller. Where the Controller consents to the transfer of Personal Data outside the European Economic Area, the Processor shall comply with:
    - the obligations of a controller under Articles 44 to 50 GDPR inclusive by providing an adequate level of protection to any Personal Data transferred; and
    - any reasonable instructions of the Controller in relation to such transfer;
  - have a data protection officer where required by the GDPR, and where a data protection officer is not required, have a named individual who is responsible and available to deal with data protection issues as and when they arise in conjunction with the Controller; and
  - allow the Controller, or its external advisers (subject to reasonable and appropriate confidentiality undertakings), to inspect and audit the Processor’s data processing activities and those of its relevant agents, group companies and sub-contractors, comply with all reasonable requests or directions by the Controller, and to the extent necessary provide the Controller with access to its premises during normal business hours to enable the Controller to verify and procure that the Processor is in full compliance with its obligations under this Attachment.
- The Processor shall indemnify and keep indemnified the Controller against all liabilities, costs, expenses, damages and losses suffered or incurred by it arising out of or in connection with the Processor’s breach of this Attachment, unless such indemnity is prohibited on grounds of public policy. Notwithstanding anything stated elsewhere in this Agreement the Processor’s liability under this paragraph shall be uncapped.
- Notwithstanding anything stated elsewhere in this Agreement, the Processor’s liability in damages for breach of this Attachment shall also be uncapped.
INTELLECTUAL PROPERTY RIGHTS
- All intellectual property rights in the Personal Data vest and shall remain vested absolutely in the Disclosing Party, that transferred the relevant Personal Data to the Receiving Party.
- Electronic media and other means of transport containing the Personal Data received by the Receiving Party and all copies or reproductions thereof shall also remain the property of the Disclosing Party, that transferred these media or provided other means of transport.
Date of Last Review: 1st April 2023
Latest date of Next Review: 31st March 2024