Introduction
1.1 Background. GHM Communications (“Supplier”) and Customer have entered into an agreement for the provision of services (“Agreement”) under which Supplier has agreed to provide Services (as defined in the Agreement) to Customer.
1.2 In order to provide such Services, Supplier must process personal data on behalf of Customer. This Data Processing Addendum (the “Addendum”) describes the type and categories of personal data being processed, the purpose of the processing, and the parties’ rights and obligations in relation to it.
1.3 The Personal Data are being processing to enable Supplier to provide Services to Customer (the “Purpose”). The Parties consider the processing is necessary and proportionate to the Purpose
1.4 Categories of personal data. The categories of personal data to be processed by Supplier include: personal and contact details: including names, address, telephone, email address, financial information; details of marketing and communications preferences; and details of an individual’s involvement with Customer.
1.5 Points of contact. Supplier has appointed a specified contact to oversee its compliance with this Addendum and act as the point of contact in the event of a breach, data subject request, audit or other issue which arises in relation to the processing.
1.6 The point of contact is: Neil McManus, Data Protection Officer, [email protected], tel: 01865 367111
1.7 Security. The technical and organisational measures implemented by Supplier under paragraph 5 of this Addendum to ensure adequate protection of the personal data include (but are not limited to) the following: Management and organisational measures, policies, procedures, audit, access controls, staff training, vetting and physical security measures.
Definitions
2.1 The words and phrases below have the following meanings in this Addendum:
2.1.1 Data Protection Law
Applicable UK laws and regulations protecting the privacy of individuals and their fundamental rights and freedoms in relation to their personal data as amended and updated from time to time (including, from its date of entry into force, the General Data Protection Regulation 2016/679);
2.1.2 Personal data
The personal data (as defined in Data Protection Law) which is processed by Supplier on behalf of Customer.
2.2 The terms “data subject”, “processor”, “controller”, “processing”, “personal data breach”, “special categories of personal data” (also known as “sensitive personal data”) and “supervisory authority” have the meanings set out in Data Protection Law.
2.3 This Addendum forms part of the Agreement between Supplier and Customer.
Relationship
3.1 The parties acknowledge that the factual arrangement between them dictates the classification of each party in respect of the Data Protection Law. Notwithstanding the forgoing, whenever Supplier processes personal data:
3.1.1 Customer will be the controller and Supplier will be the processor in respect of such personal data; and
3.1.2 Supplier shall only process personal data on Customer’s documented instructions (unless required to do so otherwise by European Union or member state law, in which case Supplier shall notify Customer of this beforehand unless prevented from doing so by law) and in full compliance with this Addendum and any obligations imposed on it by Data Protection Law.
Confidentiality
4.1 Where the personal data are confidential (whether expressly marked as confidential or not), Supplier shall keep them secret and not disclose them to any third party without Customer’s prior written authorisation (except to the extent disclosure is required by law).
Security
5.1 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risks to the rights and freedoms of natural persons, Supplier shall implement and maintain appropriate technical and organisational measures to ensure a level of security appropriate to the risk of processing. This shall include the following measures (as appropriate):
5.1.1 pseudonymisation and encryption;
5.1.2 Supplier’s ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
5.1.3 Supplier’s ability to restore availability and access to personal data in a timely manner in the event of an incident;
5.1.4 a process for regularly testing, assessing and evaluating the effectiveness of its technical and organisational measures for ensuring the security of the processing; and
5.1.5 providing any assistance Customer reasonably requires (at Customer’s own cost) in order for it to implement appropriate technical and organisational measures to protect personal data.
5.2 In assessing the appropriate level of security to be taken under paragraph 5.1, Supplier will take account of the risks presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.
5.3 Supplier will ensure that persons (including employees) with access to personal data are made aware of their data protection and security obligations and do not process the personal data except in accordance with Customer’s instructions.
Sub-processing
6.1 Customer agrees that, subject to paragraph 6.3 of this Addendum, Supplier may appoint other processors (“sub-processors”) to process personal data on its behalf in connection with the Services.
6.2 Supplier will not use a sub-processor Customer has objected to on reasonable grounds.
6.3 If Supplier engages another processor to carry out specific processing activities on behalf of Customer, Supplier will ensure that the sub-processor:
6.3.1 only does so on the documented instructions of Supplier and that any sub-processors agree to a contract which provides a level of protection for the rights and freedoms of individuals whose personal data is being processed which is at least equivalent to the protection provided in this Addendum; and
6.3.2 provides sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of Data Protection Law (including the requirements relating to security, integrity and confidentiality), and where that sub-processor fails to fulfil its obligations, Supplier shall remain fully liable to Customer for the performance of those obligations.
Requests from data subjects and supervisory authorities
7.1 If a data subject makes a request relating to the exercise of his or her legal rights in relation to personal data, Supplier shall (taking into account Customer’s duty to respond to the data subject within 1 month) provide Customer with any assistance Customer reasonably requires in order to facilitate that data subject’s rights, including the following (as applicable under Data Protection Law at the time of such request):
7.1.1 responding to a data subject access request;
7.1.2 erasing personal data in accordance with the data subject’s right to erasure;
7.1.3 allowing the data subject to exercise his or her right to restrict processing;
7.1.4 notifying any persons who have received personal data about any rectification, erasure or restriction of processing which has taken place at the request of a data subject;
7.1.5 providing the data subject with a copy of his or her data in a structured and common electronic format where technically feasible; or
7.1.6 giving effect to the data subject’s rights to object to profiling, automated decision-making and to cease processing for direct marketing purposes.
7.2 Any information and assistance Supplier provides under paragraph 7.1 of this Addendum will be at Customer’s own cost
7.3 Supplier shall also cooperate with any requests to it or Customer by a supervisory authority.
Personal data breaches and notification
8.1 If Supplier becomes aware of a personal data breach relating to personal data, Supplier shall:
8.1.1 Notify Customer as soon as reasonably practicable upon becoming aware of the breach, describing the nature of the personal data breach, including where possible:
8.1.1.1 the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
8.1.1.2 the name and contact details of Supplier’s contact from whom more information can be obtained;
8.1.1.3 to the extent possible, details of the likely consequences of the personal data breach; and
8.1.1.4 the measures Supplier has taken or proposes to take to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effect.
8.1.2 provide Customer with such information and assistance (at Customer’s own cost) as it reasonably requires in relation to the personal data breach (including in relation to action to remedy or mitigate the breach); and
8.1.3 document the personal data breach and any related action taken by Supplier.
Privacy impact assessments
9.1 Taking into account the nature of the processing and the information available, Supplier shall provide Customer with such information and assistance (at Customer’s own cost) as it reasonably requires in order to:
9.1.1 carry out privacy impact assessments in relation to the processing;
9.1.2 consult with a supervisory authority prior to processing; and/or
9.1.3 meet any obligations under Data Protection Law deriving from the activities described in paragraph 9.1.1 and 9.1.2.
Deletion and return of data
10.1 After completing the processing of personal data (whether due to termination or expiry of the Agreement, or otherwise), Supplier will delete or return all personal data (including any copies of the personal data) save to the extent Supplier is required to store such copies to comply with any applicable law.
Records, audits and inspections
11.1 Supplier will maintain (and make available to the supervisory authority on request) a written record of all categories of processing activities carried out on behalf of Customer, containing:
11.1.1 the names, contact details and (where applicable) data protection officer details for Customer, Supplier and any sub-processors Supplier appoints;
11.1.2 the categories of processing carried out on behalf of Customer
11.1.3 where applicable and subject to paragraph 12 of this Addendum, details of transfers of personal data to a third country or an international organisation, including details of that country or organisation and the documentation of suitable safeguards; and
11.1.4 a description of the technical and organisational security measures referred to in paragraph 5.1 of this Addendum.
11.2 Supplier shall (at Customer’s cost and subject to Customer providing appropriate confidentiality undertakings) provide reasonable cooperation with any request by Customer to carry out audits or inspections. Supplier may satisfy its obligations under this clause by it making available copies of third party audits.
Nothing in this clause shall require Supplier to disclose or permit access to any of its (or any third party’s) confidential or commercially sensitive information.
International transfers
12.1 Supplier will not export personal data to a country outside the European Union unless:
12.1.1 the transfer is on the basis of a valid adequacy decision made by the European Commission
12.1.2 appropriate safeguards are in place (as set out in Data Protection Law); or
12.1.3 such transfer is otherwise permitted under applicable Data Protection Law.