# General Data Protection Regulation: Agreement Variation

## GDPR Agreement Variation

This document is supplemental to the agreement and the agreement shall remain in full force and effect. Both parties agree that this variation shall apply to the original agreement from the date signed.

Document Control: Compliance Manager 28.06. For privacy reasons, the names of the parties involved are substituted as "jjjj" and "cccc".
## 1. Definitions

Applicable Law means any law, statute, regulation, bylaw or subordinate legislation in force from time to time to which a party is subject and/or in any jurisdiction in which the party operates;

Business Day means any day other than a Saturday, Sunday or public holiday in England;

Complaint means a complaint or request relating to either party's obligations under Data Protection Legislation relevant to this Contract, including any compensation claim from a Data Subject or any notice, investigation or other action from a Supervisory Authority;

Data Controller has the meaning given to that term (or to the term "controller") in Data Protection Legislation;

Data Processor has the meaning given to that term (or to the term "processor") in Data Protection Legislation;

Data Protection Legislation means any Applicable Law relating to the processing, privacy and use of Personal Data as applicable to the Customer, the Supplier and/or the Services, including:

(a) in the United Kingdom:

(1) the Data Protection Act 1998 and the Privacy and Electronic Communications (EC Directive) Regulations 2003, SI 2003/2426, and any laws or regulations implementing Directive 95/46/EC (Data Protection Directive) or Directive 2002/58/EC (ePrivacy Directive); and/or

(2) the General Data Protection Regulation (EU) 2016/679 (GDPR) and/or any corresponding or equivalent national laws or regulations (Revised UK DP Law); and

(b) any judicial or administrative interpretation of any of the above, any guidance, guidelines, codes of practice, approved codes of conduct or approved certification mechanisms issued by any relevant Supervisory Authority;

Data Subject has the meaning given to that term in Data Protection Legislation;

Data Subject Request means a request made by a Data Subject to exercise any rights of Data Subjects under Data Protection Legislation;

Data Protection Losses means all liabilities and other amounts, including all:

(a) costs (including legal costs), claims, demands, actions, settlements, interest, charges, procedures, expenses, losses and damages (including relating to material or non-material damage);

(b) loss or damage to reputation, brand or goodwill;

(c) to the extent permitted by Applicable Law:

(1) administrative fines, penalties, sanctions, liabilities or other remedies imposed by a Supervisory Authority;

(2) compensation paid to a Data Subject (including compensation to protect goodwill and ex gratia payments); and

(3) costs of compliance with investigations by a Supervisory Authority; and

(d) the costs of loading Protected Data, to the extent the same are lost, damaged or destroyed, and any loss or corruption of Protected Data (including the costs of rectification or restoration of Protected Data);

Personal Data has the meaning given to that term in Data Protection Legislation;

Personal Data Breach means any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, any Protected Data;

Processing has the meaning given to that term in Data Protection Legislation (and related terms such as Process and Processed have corresponding meanings);

Protected Data means Personal Data received from or on behalf of the Customer in connection with the performance of the Supplier's obligations under this Contract; and

Supervisory Authority means any local, national or multinational agency, department, official, parliament, public or statutory person or any government or professional body, regulatory or supervisory authority, board or other body responsible for administering Data Protection Legislation.

In this Schedule:

(a) references to any Applicable Laws (including Data Protection Legislation) shall be replaced with or incorporate (as the case may be) references to any Applicable Laws replacing, amending, extending, re-enacting or consolidating such Applicable Law (including particularly the GDPR and/or the Revised UK DP Law) and the equivalent terms defined in such Applicable Laws, once in force and applicable;

(b) a reference to a law includes all subordinate legislation made under the law; and

(c) the paragraphs in this Schedule shall survive termination or expiry of this Contract (or any of the Services).
## 2. Terms

2.1 This Data Protection Variation Agreement between jjjj Ltd ("us"/"we"/"our") and cccc Ltd ("you"/"your"/"Processor") hereby updates our Principal Agreement in respect of Protected Data: we shall be the Data Controller and you shall be the Data Processor.

2.2 You shall comply with Data Protection Legislation in connection with the Processing of Protected Data, the Services and the exercise and performance of your respective rights and obligations under this Contract.

2.3 We shall comply with Data Protection Legislation in respect of our obligations under this Contract and Data Protection Legislation.

2.4 The Processing to be carried out by you under this Agreement shall comprise the Processing set out in the Principal Agreement, and such other Processing as agreed by the parties in writing from time to time.

2.5 When Processing Protected Data you shall:

2.5.1 only Process Protected Data to the extent and in such a manner as is reasonably necessary to provide the Services in accordance with our instructions set out in this Schedule and the Principal Agreement, as updated from time to time by written agreement of the parties (Processing Instructions), except to the extent Applicable Law prevents you from complying with such instructions, in which case you must inform us of this requirement before Processing the Protected Data (unless the legal requirement prohibits this);

2.5.2 immediately notify us in writing when you become aware of any instruction from us which may infringe Data Protection Legislation;

2.5.3 implement appropriate technical and organisational security measures so as to ensure a level of security appropriate to the risks that are presented by the Processing of Protected Data, in particular unauthorised disclosure, access or Processing, accidental loss, alteration or destruction. These measures must at a minimum be in accordance with Data Protection Legislation;

2.5.4 ensure access to Protected Data is limited to the authorised personnel who have received adequate training on compliance with this Schedule and Data Protection Legislation, who need access to it to supply the Services and are subject to an obligation to keep the Protected Data confidential;

2.5.5 notify us of any Personal Data Breach without undue delay (but in no event later than twenty-four (24) hours after becoming aware of the Personal Data Breach) and provide such details as we require in relation to the Personal Data Breach, including:

2.5.5.1 the nature of the Personal Data Breach, including the categories and approximate number of Data Subjects and data records concerned;

2.5.5.2 the likely consequences of the Personal Data Breach;

2.5.5.3 any investigations into the Personal Data Breach;

2.5.5.4 any measures taken, or that the Customer recommends, to address the Personal Data Breach; and

2.5.5.5 steps taken to mitigate its possible adverse effects.

2.5.6 refrain from responding to any Complaints or Data Subject Requests you receive directly without our prior written consent. You shall record and then refer all Data Subject Requests and Complaints to us within five (5) Business Days of receipt and provide us with any information and take such action as we request;

2.5.7 provide us with full co-operation and assistance in relation to any Complaint or Data Subject Request received by us;

2.5.8 maintain complete, accurate and up-to-date records of all Processing activities carried out on our behalf in accordance with Data Protection Legislation and make copies of these records available to us upon request (and in any event within three (3) Business Days);

2.5.9 provide us with information and co-operation when required to assist us to comply with Data Protection Legislation, including but not limited to matters relating to the security of Processing, undertaking data protection impact assessments and prior consultation with a Supervisory Authority, and any remedial action and mandatory notifications to a Supervisory Authority and/or Data Subject where required in response to a Personal Data Breach;

2.5.10 at no cost to us, allow for and contribute to audits, including inspections conducted by us or another auditor mandated by us, for the purpose of demonstrating compliance by you with your obligations under Data Protection Legislation and this Schedule. You shall promptly resolve at your own cost and expense all data protection and security issues discovered by us that reveal a breach or potential breach of your obligations under this Schedule, and we may suspend the transfer of Protected Data until the breach is remedied;

2.5.11 not engage another Data Processor for carrying out any Processing in respect of the Protected Data without our prior written consent. Where we give such written consent and you allow a third party to Process the Protected Data, you shall ensure that the third party enters into a written contract covering the same data protection obligations as you have under this Schedule, and you shall remain fully liable for all acts and omissions of each third party as if they were your own; and

2.5.12 not transfer the Protected Data outside the European Economic Area without our prior written consent.

2.6 You shall, without charge and within fourteen (14) Business Days, either securely delete or securely return the Protected Data to us in such a form as we reasonably request after the earlier of:

2.6.1 expiry or termination of the Contract;

2.6.2 the Processing of the Protected Data by you no longer being required for the performance of your obligations under the Contract; or

2.6.3 our otherwise requesting it.

2.7 You shall indemnify and keep us indemnified in respect of all Data Protection Losses suffered or incurred by, awarded against or agreed to be paid by us arising from or in connection with:

2.7.1 any breach by you of any of your obligations under this Schedule; or

2.7.2 you acting outside or contrary to our lawful Processing Instructions in respect of the Processing of the Protected Data.

2.8 Nothing in this Schedule shall relieve you of your own direct responsibilities and liabilities under Data Protection Legislation.
## Executed

EXECUTED by a duly authorised representative of each party on 25 April 2018.

Name, Job Title, for and on behalf of jjjj Ltd, signed.

Name, Job Title, for and on behalf of cccc Ltd, signed.
## Review

2.5.4 It is not practical for the data processor to be responsible for the training of authorised personnel who are working for the data controller. The Data Controller is responsible for training its own staff in all Data Protection matters. The Data Processor is responsible for training its own staff in all Data Protection matters.

2.5.10 It is not practical for the data processor to be responsible for paying between 10,000 and 20,000 pounds for each security audit mandated by the data controller. The cost of one external security audit could exceed the annual cost of providing the service. Either the Data Controller pays for an external security audit or the annual cost of the service is doubled.
## Statement

1. The Data Processor has appointed a Data Protection Officer who has prepared and published a Data Protection Impact Assessment (DPIA) that is shared with the Data Controller.

2. The Data Processor has deployed all privacy and security control measures that are identified in the Data Protection Impact Assessment, including the following ERA code of practice:

2.1 Encryption and pseudonymisation of all Personally Identifiable Information in compliance with GDPR Article 32 and Article 40 to ensure that a Personal Data Breach cannot happen.

2.2 Replication and privacy-by-design of all Personal Data in compliance with GDPR Article 28 to ensure that Personal Data cannot be lost.

2.3 Authentication with continual monitoring of all sign-in transactions to ensure that only authorised people using known computers on designated networks are permitted to sign in during normal business hours.

3. The Data Processor has published its privacy notice in compliance with GDPR for the benefit of people using the service.

4. The Data Processor has published its contact-us (and complaint) message service in compliance with GDPR for the benefit of people using the service.

5. The Data Processor has contracted many different security auditors to undertake external penetration tests every quarter since 2005 - fifty penetration tests have eliminated every vulnerability.

6. The Data Processor has contracted many different security auditors to undertake internal penetration tests every year since 2005 - annual internal penetration tests have never identified a significant security problem, and lesser problems are resolved the next day.
## Obligations

1. Data Subject Access Request (SAR) Log with SAR reply service, as per 2.5.6 and 2.5.7.

2. Complaint Log, as per 2.5.6 and 2.5.7.