Processing Obligations
In this Schedule, the following terms will have the following meanings: Controller, processor, data subject, personal data, personal data breach, processing and appropriate technical measures: as defined in the Data Protection Legislation. Data Protection Legislation: the UK GDPR (as defined in the Data Protection Act 2018) and any other UK laws, regulations and secondary legislation relating to the protection of personal data.
Both you and we will comply with all applicable requirements of the Data Protection Legislation. This schedule is in addition to, and does not relieve, remove or replace, a party’s obligations or rights under the Data Protection Legislation.
You and we acknowledge that for the purposes of the Data Protection Legislation, you are the controller and we are the processor. Part 2 of this schedule sets out the nature and purpose of processing by us, the duration of the processing and the types of personal data and categories of data subject.
You will ensure that you have all necessary appropriate consents and notices in place to enable the lawful transfer of any personal data to us for the duration and purposes of this agreement.
We will, in relation to any personal data processed in connection with the performance by us of our obligations under this agreement:
process that personal data only on your documented written instructions or as required by this agreement, unless we are required by applicable laws to otherwise process that personal data. Where we are relying on applicable laws as the basis for processing personal data, we will promptly notify you of this before performing the processing required by the relevant laws unless those laws prohibit us from notifying you;
ensure that we have in place appropriate technical and organisational measures to protect against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures;
ensure that all personnel who have access to and/or process personal data are obliged to keep the personal data confidential;
not transfer any personal data outside of the UK or the European Economic Area unless your prior written consent has been obtained and the following conditions are fulfilled:
you or we have provided appropriate safeguards in relation to the transfer;
the data subject has enforceable rights and effective legal remedies;
we comply with our obligations under the Data Protection Legislation by providing an adequate level of protection to any personal data that is transferred; and
we comply with reasonable instructions notified to us in advance by you with respect to the processing of the personal data;
assist you, at your cost, in responding to any request from a data subject and in ensuring compliance with your obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators;
notify you without undue delay on becoming aware of a personal data breach;
at your written direction, delete or return to you personal data and copies thereof on termination of the agreement unless required by applicable laws to store the personal data; and
maintain complete and accurate records and information to demonstrate our compliance with this schedule and allow for audits by you or your designated auditor (to be carried out at your cost, during reasonable hours, on reasonable notice and in a manner that does not disrupt our business).
You hereby provide your prior, general authorisation for us to appoint processors to process personal data in connection with this agreement, provided that we:
ensure that the terms on which we appoint such processors comply with the Data Protection Legislation, and are consistent with the obligations imposed on us in this schedule;
remain responsible for the acts and omission of any such processor as if they were our acts and omissions; and
inform you of any intended changes concerning the addition or replacement of the processors, thereby giving you the opportunity to object to such changes provided that if you object to the changes and cannot demonstrate, to our reasonable satisfaction, that the objection is due to an actual or likely breach of Data Protection Legislation, you will indemnify us for any losses, damages, costs (including legal fees) and expenses suffered by us in accommodating the objection.
Data to be Processed
Nature of Processing
Such processing as is necessary to enable us to provide the ordered Services to the Customer. This includes, but is not limited to, storage, retrieval, analysis, data collection and data transfer.
Purpose of Processing
The performance of our obligations and the exercise of its rights in respect of the ordered Services.
Duration of Processing
The duration of the processing of personal data by us under this Contract is the period of this Contract and the longer of such additional period as: 1. is specified in any provisions of this Contract regarding data retention; and 1. is required for compliance with law.
Personal data shall not be processed or held for longer than is necessary to enable us to provide the Services and comply with its obligations under this Contract.
Types of Personal Data
Personal data provided to us by or on behalf of the Customer or the data subjects in connection with the ordered Services. This includes, but is not limited to, the categories listed below.
Against each category are the types of personal data that fall within that category.
Personal Details: contact details.
Position: description of current position, job title, corporate status, management category, job code, grade or level, job function and subfunction(s), company name and code (legal employer entity), branch/unit/department, location, employment status and type, full-time/part-time, dates of hire/re-hire and termination date(s).
System and Application Access Data: information required accessing systems and applications such as System ID, email account, employee ID, system passwords, IP addresses, device metadata, employee role, and electronic content produced by individuals using Customer systems.
External Personal Details and Contact Information: name; e-mail.
Categories of Data Subject
The personal data includes, but is not limited to, the following categories of data subjects: past and present employers, next-of-kin, current application end users; past application end users.
Special categories of data (if appropriate)
Any special category personal data that may be disclosed by or on behalf of you or the data subjects in the use of the Services. This includes, but is not limited to, health/medically sensitive information, place of birth, criminal records, civil litigation record, sexual life (e.g., sexual orientation), race and ethnicity.
Obligations and rights of the controller
As set out in this document.