Schedule Data Processing Obligations
“Data Protection Legislation” means (whilst they are in force):
- the UK Data Protection Act 2018;
- the EU General Data Protection Regulation (“GDPR”); and
- any successor legislation to the UK Data Protection Act 2018 or the GDPR and any other applicable laws and regulations relating to the processing of personal data and privacy.
“Personal Data”, “Data Controller”, “Data Processor”, “Data Subject” and “Process” are as defined in the Data Protection Legislation.
- You shall be the Data Controller and we shall be the Data Processor in respect of any Personal Data Processed by us on your behalf in performing the obligations under this Agreement. You shall be solely responsible for determining the purposes for which and the manner in which such Personal Data is Processed. However, we shall further be authorised to Process the Personal Data if required to do so by the laws of the UK or of any member of the EU, or by the laws of the EU applicable to us (“Applicable Laws”). Where we rely on laws of the UK, of a member of the EU or of the EU as the basis for Processing Personal Data, we shall promptly notify you of this before performing the Processing required by the Applicable Laws, unless those Applicable Laws prohibit us from so notifying you. You will ensure that you have all necessary and appropriate consents and notices in place to enable the lawful transfer of the Personal Data to us and the Processing of the Personal Data by us (or any of our authorised sub-processors) for the purposes of this Agreement.
- We shall both at all times during the term of this Agreement comply with all applicable requirements of the Data Protection Legislation in relation to the Processing of Personal Data.
- Where required to do so by Data Protection Legislation, we will maintain a written log of all Processing of Personal Data performed on your behalf and provide you with a copy of such log on request. The written log shall include the following information:
  - the categories of Processing carried out on your behalf;
  - a list of any transfers of Personal Data to a third party outside the EEA and UK (including the name of the relevant non-EEA country and organisation), and documentation of the suitable safeguards in place for such transfers. For the avoidance of doubt, all such transfers are subject always to your consent in accordance with this Agreement; and
  - a general description of the technical and organisational security measures referred to in this Agreement.
- Where we Process Personal Data on your behalf, we shall, in respect of such Personal Data:
  - not access or use Personal Data except as is necessary to provide the Services, and then only as reasonably necessary for the performance of this Agreement;
  - act strictly in accordance with this Agreement and on your written instructions received from time to time;
  - comply promptly with any request from you to amend, delete or transfer Personal Data;
  - not disclose Personal Data to any employee, director, agent, contractor or affiliate of ours (“our Personnel”), or any third party, except as is necessary for the performance of the Services, or to comply with applicable laws, or with your prior written consent;
  - implement and maintain appropriate technical and organisational measures:
    - to protect the security and confidentiality of Personal Data Processed by us in providing the Services;
    - to protect Personal Data at all times against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure, access, or Processing; or
    - as required under the Data Protection Legislation;
  - notify you of any request made by a Data Subject under Data Protection Legislation in relation to or in connection with Personal Data Processed by us on your behalf, and at all times cooperate with and assist you to execute your obligations under the Data Protection Legislation in relation to such Data Subject requests;
  - Process the Personal Data in accordance with the duration, purpose, type and categories of Data Subjects specified in the Annex to this Schedule.
- We shall within 24 hours, or earlier if reasonably practicable, of becoming aware, notify you in writing of any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data. The notice provided will specify:
  - the categories and number of the individuals and the records concerned;
  - the likely consequences of the breach;
  - any steps taken to mitigate and address the breach; and
  - an appropriate point of contact within our organisation whom you can contact about the breach. We must promptly give you the detail you request to allow you to understand the impact of the breach. We will promptly comply with any instructions provided by you, and cooperate with you, in relation to the data breach.
- We will obtain your prior written consent before engaging a subcontractor to Process Personal Data on your behalf. Where that consent is given, it will be conditional upon our having executed a written contract with the third party which contains terms for the protection of Personal Data which are no less protective than the terms set out in this Agreement.
- We shall not, and shall procure that our subcontractors shall not, transfer or Process, any Personal Data outside the EEA and/or the UK without your prior written consent. You shall notify us of the terms you would require for your consent to be given.
- We shall provide you with such reasonable assistance as you require in relation to any complaints made by Data Subjects or investigations or enquiries made by any regulator or supervisory authority relating to you or your obligations under the Data Protection Legislation.
- In relation to Personal Data Processed by us under this Agreement, we shall co-operate with you to the extent reasonably necessary to enable you to adequately discharge your responsibility as a data controller under Data Protection Legislation (including in respect of the preparation of data protection impact assessments).
- You shall have the right to audit us and relevant records and materials as necessary to demonstrate our compliance with our obligations under this Agreement and Data Protection Legislation. At any time we will co-operate fully to allow and assist such audits, including on-site inspections of our business premises or processing facilities, conducted by you or your auditor.
- We will tell you immediately if we are asked to do something which might infringe the Data Protection Legislation or other data protection law of the EU or a Member State.
- We shall ensure that any of our Personnel with access to Personal Data are both bound by confidentiality obligations in respect of access, use or processing of such Personal Data, and have received appropriate training.
- At your request, we shall provide a copy of all Personal Data held by us in the format and on the media reasonably specified by you.
- On termination or expiry of this Agreement, at your request, we shall delete or return to you all Personal Data processed by us on your behalf, and we shall delete existing copies of such Personal Data except where necessary to retain such Personal Data strictly for the purposes of compliance with UK, EU or EU Member State Laws applicable to us.
- We will each agree to any reasonable amendment to this Agreement required to bring it into line with any amendment to or re-enactment of any Data Protection Legislation, in particular to reflect the GDPR, or to allow each of the parties to comply with any requirement or recommendation of the Information Commissioner or any other data protection or supervisory authority in relation to the Processing of Personal Data.