Data Protection Agreement
Data Protection Policy
2 Definitions
2.1 In this Schedule, the following terms shall have the meanings set out below and cognate terms shall be
construed accordingly:
2.1.1 "Customer Personal Data" means any Personal Data Processed by the Service Provider on behalf of the
Customer pursuant to or in connection with this Agreement.
2.1.2 "Data Protection Laws" means the GDPR and laws implementing or supplementing the GDPR, as transposed
and effective in the United Kingdom.
2.1.3 "EEA" means the European Economic Area.
2.1.4 "GDPR" means EU General Data Protection Regulation 2016/679.
2.2 The terms "Commission", "Controller", "Data Subject", "Member State", "Personal Data", "Personal Data
Breach", "Processing", "Process" and "Supervisory Authority" shall have the same meaning as in the GDPR,
and their cognate terms shall be construed accordingly.
3 Introduction
3.1 Both parties will comply with all applicable Data Protection Laws. This paragraph is in addition to, and does not
relieve, remove or replace, a party's obligations or rights under Data Protection Law.
3.2 The parties acknowledge that for the purposes of the Data Protection Legislation, the Customer is the Controller
and the Service Provider is the Processor.
3.3 Without prejudice to the generality of paragraph 2.1, the Customer will ensure that it has all necessary
appropriate consents and notices in place to enable lawful transfer of the Personal Data to the Provider for the
duration and purposes of this Agreement.
4 Processing of Customer Personal Data
4.1 The Statement of Work sets out the information required by article 28(3) of the GDPR.
4.2 Without prejudice to the generality of paragraph 3.1, the Service Provider shall not Process Customer Personal
Data except:
4.2.1 on the documented written instructions of the Customer; and
4.2.2 as necessary to comply with its obligations set out in this Agreement and always in accordance with the security
criteria set out herein,
4.2.3 unless Processing is required by any applicable law to which the Service Provider is subject, in which case the
Service Provider shall to the extent permitted by applicable law inform the Customer of that legal requirement
before the relevant Processing of that Customer Personal Data.
4.3 The Service Provider reserves the right to charge the Customer at the then current hourly rates for any
assistance provided to the Customer pursuant to this Schedule.
5 Security & Remote Access
Security
5.1 The Service Provider undertakes in relation to the Customer Personal Data to implement appropriate technical
and organizational measures to ensure a level of security appropriate to that risk, including, as appropriate, the
measures referred to in Article 32(1) of the GDPR.
5.2 The measures set forth in paragraph 5.1 shall be:
5.2.1 no less than those adopted by the Service Provider to protect any of its own confidential information; and
5.2.2 in accordance with the Base Security Requirements set out in Appendix 1.
5.3 Upon request, the Service Provider shall provide the Customer with details about the measures set forth in this
paragraph 5.
5.4 In assessing the appropriate level of security, the Service Provider shall take account in particular of the risks
that are presented by Processing, in particular from a Personal Data Breach.
5.5 The Service Provider shall take reasonable steps to ensure the reliability of any employee, agent or contractor
who may have access to the Customer Personal Data, ensuring in each case that access is strictly limited to
those individuals who need to know/access the relevant Customer Personal Data, as strictly necessary for the
purposes of the Statement of Work to which the Processing relates, and to comply with applicable laws, ensuring
that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of
confidentiality.
Remote Access
5.6 Without prejudice to the generality of the aforesaid, and subject to compliance with the provisions referred to in
paragraph 5.2.2, the Customer authorizes the Service Provider to access any of the Customer’s IT infrastructure
remotely and as may be required and necessary for the Service Provider to provide the Services.
6 Sub-processing
6.1 To the extent that the Service Provider is allowed and authorised, pursuant to the provisions of this Agreement
or any Statement of Work to engage and/or appoint a third party for carrying out specific processing activities
on behalf of the Customer (“sub-processor”), it is being expressly acknowledged that, prior to such
engagement, the Service Provider shall ensure that the sub-processor is bound by an agreement, which
contains terms which offer the same level of protection as that set forth in this Schedule. In all cases, the
Service Provider shall remain fully liable for any failure of the sub-processor in respect to compliance with EU
Data Protection Laws.
6.2 The Service Provider shall, prior to engaging or removing a sub-processor, be required to obtain the consent of
the Customer, which consent shall not be unreasonably withheld.
7 Data Subject Rights
7.1 The Service Provider shall implement technical measures, as are necessary and reasonable, to be able to assist
the Customer in complying with any of the Customer’s obligations under the GDPR to respond to requests by
Data Subjects to exercise Data Subject rights, including the rights set forth in Articles 15 to 23 of the GDPR.
7.2 The Service Provider shall:
7.2.1 promptly notify the Customer if it receives a request from a Data Subject in respect of Customer Personal Data;
7.2.2 ensure that it does not respond to that request except on the documented instructions of the Customer or as
required by applicable laws, in which case the Service Provider shall to the extent permitted by applicable laws
inform the Customer of that legal requirement before responding to the request and
7.2.3 promptly comply with any request for assistance received by the Customer pursuant to paragraph 8.1 below.
8 Personal Data Breach
8.1 The Service Provider shall notify the Customer without undue delay upon the Service Provider becoming aware
of a Personal Data Breach affecting Customer Personal Data, providing the Customer with sufficient information
to allow the Customer to meet any obligations to report or inform Data Subjects of the Personal Data Breach
under the EU Data Protection Laws.
8.2 Such notification shall as a minimum:
8.2.1 describe the nature of the Personal Data Breach, the categories and numbers of Data Subjects concerned, and
the categories and numbers of Personal Data records concerned;
8.2.2 communicate the name and contact details of the Service Provider’s data protection officer or other relevant
contact from whom more information may be obtained;
8.2.3 describe the likely consequences of the Personal Data Breach; and
8.2.4 describe the measures taken or proposed to be taken to address the Personal Data Breach.
8.3 The Service Provider shall co-operate with the Customer and take such reasonable commercial steps as are
directed by Customer to assist in the investigation, mitigation and remediation of each such Personal Data
Breach.
9 Data Protection Impact Assessment and Prior Consultation
The Service Provider shall provide reasonable assistance to the Customer with any data protection impact assessments,
and prior consultations with any competent data privacy authorities, which the Customer reasonably considers to be
required by article 35 or 36 of the GDPR (or equivalent provisions of any implementing legislation), in each case solely
in relation to Processing of Customer Personal Data.
10 Deletion or return of Customer Personal Data
10.1 The Service Provider shall, unless it is legally required to keep such Customer Personal Data, promptly and in
any event within 30 calendar days of the date of cessation of any Services to which the Processing of any
Customer Personal Data relates ("Cessation Date"):
10.1.1 specifically if requested by the Customer, return a complete copy of all Customer Personal Data to Customer
by secure file transfer in such format as is reasonably notified by Customer to Company; and
10.1.2 in all events, delete and procure the deletion of all copies of those Customer Personal Data.
10.2 The Service Provider shall comply with any such written request within 30 calendar days of the Cessation Date.
10.3 The Service Provider shall provide written certification to the Customer that it has fully complied with the
provisions of this paragraph within 30 calendar days of the Cessation Date.
10.4 For the avoidance of doubt, in this paragraph, the term "delete" shall mean to remove or obliterate Personal
Data such that it cannot be recovered or reconstructed.
11 Audit
The Service Provider shall make available to the Customer on request all information necessary to demonstrate
compliance with this Schedule, and shall allow for and contribute to audits, including inspections, by the Customer or
an auditor mandated by the Customer in relation to the Processing of the Customer Personal Data.
12 Restricted Processing and Transfers
The Service Provider shall not be allowed to transfer or otherwise Process Customer Personal Data outside the EEA,
unless this is carried out in compliance with the provision of the GDPR.