Data Protection

PART A

  1. For the purposes of this Schedule:
    1. Data Protection Laws means any applicable law relating to the processing of Personal Data, as applicable to either party or the Services, including:
      1. the Directive 95/46/EC (Data Protection Directive) or the GDPR;
      2. any laws which implement such laws;
      3. any laws that replace, extend, re-enact, consolidate or amend any of the laws stated in (i) and (ii) above;
      4. all guidance, codes of practice and codes of conduct issued by any relevant Data Protection Supervisory Authority relating to such Data Protection Laws (whether legally binding or not).
    2. GDPR means the General Data Protection Regulation (EU) 2016/679;
    3. Protected Data means Personal Data received from or on behalf of the Customer, or obtained in connection with the performance of the Supplier’s obligations under the Agreement; and
    4. Sub-Processor means any agent, subcontractor or any other third party engaged by the Supplier (or by any other Sub-Processor) for carrying out any processing activities in respect of the Protected Data.

The terms “Controller”, “Data Subject”, “International Organisation”, “Member State”, “Personal Data”, “Personal Data Breach”, “Processor”, “Processing” and “Supervisory Authority” shall have the same meaning as in the GDPR.

Compliance with data protection laws

  1. The parties agree that the Customer is a Controller and the Supplier is a Processor for the processing of Protected Data pursuant to this Agreement.
  2. The Supplier shall ensure its Sub-Processors and each of the Supplier personnel shall comply with all Data Protection Laws in connection with the processing of Protected Data and the provision of the Services.
  3. Nothing in this Agreement relieves the Supplier of any responsibilities or liabilities under Data Protection Laws.

Indemnity

  1. Each party shall be liable for and shall indemnify (and keep indemnified) the other against all actions, proceedings, liabilities, costs, claims, losses, expenses, compensation paid to Data Subjects and other reasonable professional costs and expenses suffered or incurred by the indemnified party arising out of or in connection with any breach of the Data Protection Laws by the indemnifying party, its employees or agents.

Instructions

  1. The Supplier shall only process (and shall ensure Supplier personnel only process) the Protected Data in accordance with Section 1 of Part B of this Schedule and the Customer’s written instructions. The Supplier will immediately inform the Customer if any instruction relating to the Protected Data infringes or may infringe any Data Protection Law.

Security

  1. The Supplier shall implement appropriate technical and organisational measures to protect the Protected Data from accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access. The technical and organisational security measures which the Supplier shall have in place are set out in Part B to this Schedule.

Sub-processing

  1. The Supplier will not permit any processing of Protected Data by any third party (except Supplier personnel that are subject to an enforceable obligation of confidence with regard to the Protected Data) without the prior specific written permission of the Customer, except (i) as specifically stated in this Schedule, or (ii) where such processing is required by any applicable law, regulation or public authority.
  2. The Supplier shall prior to the relevant Sub-Processor carrying out any processing activities in respect of the Protected Data, appoint each Sub-Processor under a written agreement containing data protection obligations that provide at least the same level of protection for Protected Data as those in this Schedule.
  3. The Supplier shall remain fully liable to the Customer under this Agreement for all the acts and omissions of each Sub-Processor and each of the Supplier Personnel as if they were its own.
  4. Where a Sub-processor is engaged by the Supplier, the Supplier shall:
    1. carry out adequate due diligence to ensure that the Sub-processor is capable of providing the level of protection for Protected Data required by this Schedule;
    2. remain liable for any breach of this Schedule caused by a Sub-processor; and
    3. provide relevant details and a copy of each agreement with a Sub-Processor to the Customer on request.

Assistance

  1. The Supplier shall, taking into account the nature of the processing, provide reasonable assistance to the Customer insofar as this is possible, to enable the Customer to respond to requests from a Data Subject seeking to exercise their rights under Data Protection Laws. In the event that such a request is made directly to the Supplier, the Supplier shall promptly inform the Customer of the same.
  2. The Supplier shall to the extent required by Data Protection Laws, taking into account the nature of the processing and the information available to the Supplier, provide the Customer with commercially reasonable assistance with data protection impact assessments (as such term is defined in Data Protection Laws) or prior consultations with data protection authorities that the Customer is required to carry out under Data Protection Laws.

Data subject requests

  1. The Supplier will record and refer all requests and communications received from Data Subjects or any Supervisory Authority to the Customer which relate (or which may relate) to any Protected Data promptly (and in any event within three days of receipt) and will not respond to any without the Customer’s express written approval and strictly in accordance with the Customer’s instructions unless and to the extent required by law.

International transfers

  1. The Supplier will not process and/or transfer, or otherwise directly or indirectly disclose, any Protected Data in or to countries outside the EEA or to any International Organisation without the prior written consent of the Customer.

Audits and records

  1. The Supplier will, in accordance with Data Protection Laws, make available to the Customer such information in the Supplier’s possession or control as the Customer may reasonably request with a view to demonstrating the Supplier’s compliance with the obligations of data processors under Data Protection Laws in relation to its processing of Protected Data.
  2. The Customer may exercise its right to audit under Data Protection Laws through the Supplier providing:
    1. an audit report not older than 18 months by an independent external auditor demonstrating that the Supplier’s technical and organisational measures are in accordance with the Supplier’s industry audit standard; and
    2. additional information in the Supplier’s possession or control to a Supervisory Authority when it requests or requires additional information in relation to the data processing activities carried out by the Supplier under this Schedule.

Breach

  1. The Supplier shall promptly (and in any event within 24 hours) notify the Customer if it (or any of its Sub-Processors or the Supplier Personnel) suspects or becomes aware of any suspected, actual or threatened occurrence of any Personal Data Breach in respect of any Protected Data.
  2. The Supplier shall promptly (and in any event within 24 hours) provide all information as the Customer requires to report the circumstances referred to in paragraph 19 (above) to a Supervisory Authority and to notify affected Data Subjects under Data Protection Laws.

Type of Personal Data:

  • Email address;
  • Personal address;
  • Phone number;
  • Full name.

Categories of Data Subjects:

Protected Data will concern the following categories of Data Subjects:

  • Data Subjects about whom the Supplier collects Protected Data in its provision of the Services; and/or
  • Data Subjects about whom Protected Data is transferred to the Supplier in connection with the Services by, at the direction of, or on behalf of Customer.

Section 2 – Minimum technical and organisational security measures

Without prejudice to its other obligations, the Supplier shall implement and maintain at least the following technical and organisational security measures to protect the Protected Data:

  • None of the Customer’s data will be revealed without his or her consent.