Privacy

In this schedule:

“Controller” means a “data controller” for the purposes of the DPA and a “controller” for the purposes of the GDPR (as such legislation is applicable);

“Data Protection Legislation” shall mean the DPA, or, from the date it comes into force in the UK, the GDPR (as applicable) and any other laws relating to the protection of personal data and the privacy of individuals;

“Data Subject” has the same meaning as in the Data Protection Legislation;

“DPA” means the UK Data Protection Act 2018;

“GDPR” means the General Data Protection Regulation (EU) 2016/679;

“Personal Data” means “personal data” (as defined in the Data Protection Legislation) that are Processed under the agreement;

“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed;

“Processing” has the same meaning as in the Data Protection Legislation and “Process” and “Processed” shall be construed accordingly; and

“Processor” means a “data processor” for the purposes of the DPA and a “processor” for the purposes of the GDPR (as such legislation is applicable).

1.2. The parties acknowledge that the Company is a Processor acting on behalf of the Customer and that, for the purposes of this Agreement:

1.2.1. the type of Personal Data and categories of Data Subjects are included on the Sales Enquiry; and

1.2.2. the nature/purpose of the Processing is to enable the Company to carry out its duties under this Agreement (which form the subject matter of the Processing) and the duration of the Processing shall be the term of this Agreement.

1.3. Each party shall comply with their respective obligations under the Data Protection Legislation and the Company shall, in particular:

1.3.1. Process the Personal Data only to the extent, and in such manner, as is necessary for the purpose of carrying out its duties under this Agreement and in accordance with the Customer’s written instructions and this schedule;

1.3.2. implement appropriate technical and organisational measures in accordance with the Data Protection Legislation to ensure a level of security appropriate to the risks that are presented by such Processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data, taking into account the state of the art, the costs of implementation, the nature, scope, context and purposes of processing and the likelihood and severity of risk in relation to the rights and freedoms of the Data Subjects;

1.3.3. not transfer the Personal Data outside of the European Economic Area without the prior written consent of the Customer;

1.3.4. ensure that any employees or other persons authorised to process the Personal Data are subject to appropriate obligations of confidentiality;

1.3.5. not engage any third party to carry out its Processing obligations under this Agreement without obtaining the prior written authorisation of the Customer and, where such authorisation is given, procuring by way of a written contract that such third party will, at all times during the engagement, be subject to data Processing obligations equivalent to those set out in this schedule. The Customer hereby authorises the Company to engage any affiliated E Faraday Group Limited company and its approved partners to Process the Personal Data to provide software support services;

1.3.6. notify the Customer, as soon as reasonably practicable, about any request or complaint received from Data Subjects without responding to that request (unless authorised to do so by the Customer) and assist the Customer by technical and organisational measures, insofar as possible, for the fulfilment of the Customer’s obligations in respect of such requests and complaints;

1.3.7. on request by the Customer and taking into account the nature of the Processing and the information available to the Company, assist the Customer in ensuring compliance with its obligations under the GDPR (where applicable) with respect to:

(i) implementing appropriate technical and organisational measures in accordance with Article 32 of the GDPR;

(ii) where relevant, notifying any Personal Data Breach to the Information Commissioner’s Office (or any replacement body) and/or communicating such Personal Data Breach to the Data Subject in accordance with Articles 33 and 34 of the GDPR; and

(iii) where necessary, carrying out and/or reviewing and, if applicable, consulting with the relevant supervisory authority with respect to data protection impact assessments in accordance with Articles 35 and 36 of the GDPR;

1.3.8. on request by the Customer, make available all information necessary to demonstrate the Company’s compliance with this schedule and otherwise permit, and contribute to, audits carried out by the Customer (or its authorised representative); and

1.3.9. on termination or expiry of this agreement, destroy or return to the Customer (as the Customer directs) all Personal Data and delete all existing copies of such Personal Data except to the extent the Company is required to retain a copy of the Personal Data by law.