
Processing of Personal Data in the Provision of Services

Except as defined in these provisions, capitalised terms shall have the meanings given to them in the Statement of Work and/or the Professional Services Agreement (the “Agreement”) (as the case may be) entered into by the Parties. These provisions shall apply to the processing of Customer personal data by the Supplier in the provision of the Services.

 

1 DEFINITIONS

For the purposes of these provisions, the following definitions shall apply:

1.1 “Applicable Data Protection Laws” means:

a. To the extent the UK data protection law applies: all applicable data protection and privacy legislation in force from time to time in the UK including the UK GDPR; the Data Protection Act 2018 (DPA 2018) (and regulations made thereunder) and the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426) as amended. 

b. To the extent the EU GDPR applies: the law of the European Union or any member state of the European Union to which the Supplier is subject, which relates to the protection of personal data; 

1.2 “Customer Personal Data” means any personal data which the Supplier processes in connection with this Agreement, in the capacity of a processor on behalf of the Customer; 

1.3 “EU GDPR” means the General Data Protection Regulation ((EU) 2016/679) as it has effect in EU law; and

1.4 “UK GDPR” has the meaning given to it in section 3(10) (as supplemented by section 205(4)) of the Data Protection Act 2018. 

1.5 The terms controller, processor, data subject, personal data, personal data breach and processing shall have the meaning given to them in the Applicable Data Protection Laws.

 

2 OBLIGATIONS OF THE PARTIES

2.1 The Supplier shall promptly notify the Customer in writing of any loss or damage to the Customer Data. In the event of any loss or damage to Customer Data caused by the Supplier, the Supplier shall use commercially reasonable endeavours to restore the lost or damaged Customer Data from the latest backup of such Customer Data. The Supplier shall not be responsible for any loss, destruction, alteration or unauthorised disclosure of Customer Data caused by any third party.

2.2 Both Parties will comply with all applicable requirements of Applicable Data Protection Laws. These provisions are in addition to, and do not relieve, remove or replace, a Party's obligations or rights under Applicable Data Protection Laws.

2.3 The Parties have determined that, for the purposes of Applicable Data Protection Laws, the Supplier shall process the personal data set out in Schedule 1 of this document, as a processor on behalf of the Customer and the Customer is the controller of the personal data.

2.4 Without prejudice to the generality of Clause 2, the Customer will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the Customer Personal Data to the Supplier for the duration and purposes of the Agreement.

2.5 Without prejudice to the generality of Clause 2 the Supplier shall, in relation to Customer Personal Data:

  1. process that Customer Personal Data only on the documented instructions of the Customer, which shall be to process that Customer Personal Data for the purpose as set out in Schedule 1 of this document;

  2. implement appropriate technical and organisational measures to protect against unauthorised or unlawful processing of Customer Personal Data and against accidental loss or destruction of, or damage to, Customer Personal Data, which the Customer has reviewed and confirms are appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures;

  3. ensure that any personnel engaged and authorised by the Supplier to process Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory or common law obligation of confidentiality;

  4. assist the Customer insofar as this is possible (taking into account the nature of the processing and the information available to the Supplier), and at the Customer's cost and written request, in responding to any request from a data subject and in ensuring the Customer's compliance with its obligations under Applicable Data Protection Laws with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators;

  5. notify the Customer without undue delay on becoming aware of a personal data breach involving the Customer Personal Data;

  6. at the written direction of the Customer, delete or return Customer Personal Data and copies thereof to the Customer on termination of the Agreement unless the Supplier is required by Applicable Laws to continue to process that Customer Personal Data. For the purposes of this Clause 6 (f) Customer Personal Data shall be considered deleted where it is put beyond further use by the Supplier; and

  7. maintain records to demonstrate its compliance with these provisions and allow for reasonable audits by the Customer or the Customer's designated auditor, for this purpose, on reasonable written notice.

2.6 The Customer hereby provides its prior, general authorisation for the Supplier to:

  1. appoint processors to process the Customer Personal Data, provided that the Supplier:

    1. shall ensure that the terms on which it appoints such processors comply with Applicable Data Protection Laws, and are consistent with the obligations imposed on the Supplier in these provisions;

    2. shall remain responsible for the acts and omissions of any such processor as if they were the acts and omissions of the Supplier; and

    3. shall inform the Customer of any intended changes concerning the addition or replacement of the processors, thereby giving the Customer the opportunity to object to such changes provided that if the Customer objects to the changes and cannot demonstrate, to the Supplier's reasonable satisfaction, that the objection is due to an actual or likely breach of Applicable Data Protection Laws, the Customer shall indemnify the Supplier for any losses, damages, costs (including legal fees) and expenses suffered by the Supplier in accommodating the objection;

       

  2. only transfer Customer Personal Data outside of the UK as required to deliver the Services, provided that the Supplier shall ensure that all such transfers are effected in accordance with Applicable Data Protection Laws. For these purposes, the Customer shall promptly comply with any reasonable request of the Supplier, including any request to enter into standard data protection clauses adopted by the EU Commission from time to time (where the EU GDPR applies to the transfer) or adopted by the Information Commissioner’s Office (see section 114, DPA 2018) from time to time (where the UK GDPR applies to the transfer).

2.7 The Supplier's total aggregate liability in contract, tort (including negligence and breach of statutory duty howsoever arising), misrepresentation (whether innocent or negligent), restitution or otherwise, arising in connection with the performance or contemplated performance of the Agreement or any collateral contract insofar as it relates to the obligations set out in this document or Applicable Data Protection Laws shall be limited to the amount set out in Clause 13.3 of the Agreement.

2.8 To the extent that the Supplier cannot comply with a change to the Customer’s instructions when processing Customer Personal Data without incurring material additional costs:

  1. the Supplier shall: (i) immediately inform the Customer, giving full details of the problem; and (ii) cease all processing of the affected data (other than securely storing those data) until revised instructions are received;

  2. any changes in the Customer’s instructions that affect the pricing structure or commercial relationship between the Parties shall be agreed by both Parties in writing.

Schedule 1 - Particulars of the Data Processing

Data Subjects:

Customer personnel

Customer clients

Customer third parties

Business contacts in general

Types of Personal Data:

Name

Job title

Email address

Phone number

Business/home address

Date of birth

Place of birth

Any other personal data provided by Customer to the Supplier

Special categories of Personal Data:

None

Purpose of processing:

In the case of data subjects other than staff: for the purpose of providing IT services and support to Customer’s business.

 

In the case of staff: for the purpose of providing IT services and support for Customer’s employment and HR matters.

Nature of processing:

As set out in the body of the Agreement.

Additional instructions:

None