Data Processing Agreement (Non-EEA) (GDPR-Ready)

DATED 23 July 2018

(1) Name of Data Controller: You the Customer

(2) Name of Data Processor: Gordhan Enterprises Ltd

DATA PROCESSING AGREEMENT

NON-EEA AND GDPR READY

THIS AGREEMENT is made on the day when the customer starts using our website to view/browse and submit an order ticket via the client area.

BETWEEN:

(1)       The Customer (“Data Controller”) and

(2)       Gordhan Enterprises Ltd [a company registered in the United Kingdom under number 11337179] (“Data Processor”)

WHEREAS:

(1)       [Under a written agreement between the Data Controller and the Data Processor dated when the Data Controller starts to use the services of the Data Processor (“the Service Agreement”) the Data Processor provides to the Data Controller] OR [The Data Controller from time to time engages the Data Processor to provide to the Data Controller] the Services described in Schedule 1.

(2)       The provision of the Services by the Data Processor involves it in processing the Personal Data described in Schedule 2 on behalf of the Data Controller.

(3)       Under EU Regulation 2016/679 General Data Protection Regulation (“the GDPR”) (Article 28, paragraph 3), the Data Controller is required to put in place an agreement in writing between the Data Controller and any organisation which processes personal data on its behalf governing the processing of that data.

(4)       The Parties have agreed to enter into this Agreement to ensure compliance with the said provisions of the GDPR in relation to all processing of the Personal Data by the Data Processor for the Data Controller.

(5)       The terms of this Agreement are to apply to all processing of Personal Data carried out for the Data Controller by the Data Processor and to all Personal Data held by the Data Processor in relation to all such processing.

IT IS AGREED as follows:

  1. Definitions and Interpretation
    • In this Agreement, unless the context otherwise requires, the following expressions have the following meanings:
      • “Data Controller”, “Data Processor”, “processing”, “data subject”, and “personal data breach” shall have the meanings given to the terms “controller”, “processor”, “processing”, “data subject”, and “personal data breach” respectively in Article 4 of the GDPR;
      • “Data Protection Legislation” means all applicable privacy and data protection laws including the GDPR and any applicable national implementing laws, regulations, and secondary legislation in England and Wales, as amended, replaced, or updated from time to time, including the Privacy and Electronic Communications Directive 2002 (2002/58/EC) and the Privacy and Electronic Communications (EC Directive) Regulations 2003;
      • “ICO” means the UK’s supervisory authority, the Information Commissioner’s Office;
      • “Personal Data” means all such “personal data”, as defined in Article 4 of the GDPR, as is, or is to be, processed by the Data Processor on behalf of the Data Controller, as described in Schedule 2;
      • “Services” means those [services] AND/OR [facilities] described in Schedule 1 which are provided by the Data Processor to the Data Controller and which the Data Controller uses for the purpose[s] described in Schedule 1;
      • “Standard Contractual Clauses” means the European Commission’s Standard Contractual Clauses for the transfer of Personal Data from the European Union to data processors established in third countries (controller-to-processor transfers), as set out in the Annex to Commission Decision 2010/87/EU, a complete copy of which is included in Schedule 4;
      • “Sub-Processor” means a sub-contractor appointed by the Data Processor to process the Personal Data;
      • “Sub-Processing Agreement” means an agreement between the Data Processor and a Sub-Processor governing the Personal Data processing carried out by the Sub-Processor, as described in Clause 10; and
      • “Term” means the term of this Agreement, as set out in sub-Clause 14.1.
    • Unless the context otherwise requires, each reference in this Agreement to:
      • “writing”, and any cognate expression, includes a reference to any communication effected by electronic or facsimile transmission or similar means;
      • a statute or a provision of a statute is a reference to that statute or provision as amended or re-enacted at the relevant time;
      • “this Agreement” is a reference to this Agreement and each of the Schedules as amended or supplemented at the relevant time;
      • a Schedule is a schedule to this Agreement;
      • a Clause or paragraph is a reference to a Clause of this Agreement (other than the Schedules) or a paragraph of the relevant Schedule; and
      • a “Party” or the “Parties” refers to the parties to this Agreement.
    • The headings used in this Agreement are for convenience only and shall have no effect upon the interpretation of this Agreement.
    • Words imparting the singular number shall include the plural and vice versa.
    • References to any gender shall include the other gender.
    • References to persons shall include corporations.

  2. Scope and Application of this Agreement
    • The provisions of this Agreement shall apply to the processing of the Personal Data described in Schedule 2, carried out for the Data Controller by the Data Processor, and to all Personal Data held by the Data Processor in relation to all such processing whether such Personal Data is held at the date of this Agreement or received afterwards.
    • In the event of any conflict or ambiguity, the following shall apply:
      • Where there is any conflict or ambiguity between a provision contained in the body of this Agreement and any provision contained in a Schedule to this Agreement, the provision in the body of this Agreement shall prevail;
      • Where there is any conflict or ambiguity between the terms of any invoice or other document annexed to this Agreement and any provision contained in a Schedule to this Agreement, the provision contained in the Schedule shall prevail;
      • Where there is any conflict or ambiguity between a provision of this Agreement and a provision of the Service Agreement, the provision in this Agreement shall prevail; and
      • Where there is any conflict or ambiguity between a provision of this Agreement and any executed Standard Contractual Clauses, the provisions of the executed Standard Contractual Clauses shall prevail.

  3. Provision of the Services and Processing Personal Data
    • The Data Processor is only to carry out the Services, and only to process the Personal Data received from the Data Controller:
      • for the purposes of those Services and not for any other purpose;
      • to the extent and in such a manner as is necessary for those purposes; and
      • strictly in accordance with the express written authorisation and instructions of the Data Controller (which may be specific instructions or instructions of a general nature or as otherwise notified by the Data Controller to the Data Processor).
    • The Data Controller shall retain control of the Personal Data and shall remain responsible for its compliance obligations under the Data Protection Legislation including, but not limited to, providing the required notices and obtaining any required consents, and for any and all processing instructions it gives to the Data Processor.

  4. Data Protection Compliance
    • All instructions given by the Data Controller to the Data Processor shall be made in writing and shall at all times be in compliance with the Data Protection Legislation and other applicable laws. The Data Processor shall act only on such written instructions from the Data Controller unless the Data Processor is required by law to do otherwise.
    • The Data Processor shall promptly comply with any request from the Data Controller requiring the Data Processor to amend, transfer, delete, or otherwise dispose of the Personal Data, or to cease, mitigate, or remedy any authorised processing.
    • The Data Processor shall transfer all Personal Data to the Data Controller on the Data Controller’s request in the formats, at the times, and in compliance with the Data Controller’s written instructions.
    • Both Parties shall comply at all times with the Data Protection Legislation and shall not perform their obligations under this Agreement or any other agreement or arrangement between themselves in such way as to cause either Party to breach any of its applicable obligations under the Data Protection Legislation.
    • The Data Controller hereby warrants, represents, and undertakes that the Personal Data and its use with respect to the Service Agreement and this Agreement shall comply with the Data Protection Legislation in all respects including, but not limited to, its collection, holding, and processing.
    • The Data Processor hereby warrants, represents, and undertakes that:
      • all of its personnel (including, but not limited to, its employees, agents, and sub-contractors) that will access the Personal Data are reliable, trustworthy, and have been suitably trained on the Data Protection Legislation as it relates to this Agreement;
      • the Personal Data shall be processed by the Data Processor (and any Sub-Processors it may appoint) in compliance with the Data Protection Legislation and any and all other relevant laws, enactments, regulations, orders, standards, and other similar instruments;
      • it has no reason to believe that the Data Protection Legislation in any way prevents it from complying with its obligations under the Service Agreement; and
      • it will implement appropriate technical and organisational measures to prevent the unauthorised and/or unlawful processing of the Personal Data and/or the accidental loss of, destruction of, or damage to the Personal Data, ensuring levels of security that are appropriate and proportionate to the harm that may result from such processing, loss, or damage, to the nature of the Personal Data, and that are appropriate to ensure compliance with the Data Protection Legislation and with its own security [policy] OR [policies] including, but not limited to, the security measures required under Clause 9.
    • The Data Processor agrees to comply with any reasonable measures required by the Data Controller to ensure that its obligations under this Agreement are satisfactorily performed in accordance with any and all applicable legislation from time to time in force (including, but not limited to, the Data Protection Legislation) and any best practice guidance issued by the ICO and/or any other applicable supervisory authority.
    • The Data Processor shall provide all reasonable assistance [(at the Data Controller’s cost)] to the Data Controller in complying with its obligations under the GDPR with respect to the security of processing, the notification of personal data breaches, the conduct of data protection impact assessments, and in dealings with the ICO and/or any other applicable supervisory authority.
    • When processing the Personal Data on behalf of the Data Controller, the Data Processor shall:
      • not transfer any of the Personal Data to any third party without the written consent of the Data Controller and, in the event of such consent, the Personal Data shall be transferred strictly subject to the terms of a suitable agreement, as set out in Clause 10;
      • not transfer any of the Personal Data to any territory outside of the European Economic Area (“EEA”) without the written consent of the Data Controller and, in the event of such consent, only if the applicable conditions set out in Clause 11 are satisfied;
      • process the Personal Data only to the extent, and in such manner, as is necessary in order to comply with its obligations to the Data Controller or as may be required by law (in which case, the Data Processor shall inform the Data Controller of the legal requirement in question before processing the Personal Data for that purpose unless prohibited from doing so by law);
      • implement appropriate technical and organisational measures, as described in Clause 9 and Schedule 3, and take all steps necessary to protect the Personal Data;
      • if so requested by the Data Controller (and within the timescales required by the Data Controller) supply further details of the technical and organisational systems in place to safeguard the security of the Personal Data held and to prevent unauthorised access;
      • keep detailed records of all processing activities carried out on the Personal Data in accordance with the requirements of the Data Protection Legislation and as set out in Clause 16;
      • make available to the Data Controller any and all such information as is reasonably required and necessary to demonstrate the Data Processor’s compliance with the Data Protection Legislation;
      • on [reasonable] prior notice, submit to audits and inspections and provide the Data Controller with any information reasonably required in order to assess and verify compliance with the provisions of this Agreement and both Parties’ compliance with the requirements of the GDPR, as set out in Clause 17. The requirement to give notice will not apply if the Data Controller has reason to believe that a personal data breach has taken place or is taking place or that the Data Processor is in breach of any of its obligations under this Agreement or under the Data Protection Legislation;
      • inform the Data Controller immediately if it is asked to do anything that infringes the Data Protection Legislation or any other applicable data protection legislation; and
      • inform the Data Controller promptly if any changes to the Data Protection Legislation may adversely affect its performance of its obligations under the Service Agreement.

  5. Data Subject Rights, Complaints, and Personal Data Breaches
    • The Data Processor shall [, at the Data Controller’s cost,] assist the Data Controller in complying with its obligations under the Data Protection Legislation. In particular, the provisions of this Clause 5 shall apply to:
      • the exercise by data subjects of their rights (including subject access rights, the rights to rectification and erasure of personal data, the rights to object to processing, restrict processing, and rights relating to automated processing), complaints, and personal data breaches; and
      • notices served on the Data Controller by the ICO or any other applicable supervisory authority under the Data Protection Legislation.
    • The Data Processor shall notify the Data Controller immediately if it receives any complaint, notice, or other communication concerning the processing of the Personal Data (whether directly or indirectly) or either Party’s compliance with the Data Protection Legislation.
    • The Data Processor shall notify the Data Controller without undue delay and, in any event, within 30 days, if it receives a data subject access request or a request from a data subject to exercise any of their other rights under the Data Protection Legislation.
    • The Data Processor shall [, at the Data Controller’s cost,] cooperate fully with the Data Controller and assist as required in relation to any complaint, notice, communication, or data subject request, including by:
      • providing the Data Controller with full details of the complaint, notice, communication, or request;
      • providing the necessary information and assistance in order to comply with the complaint, notice, communication, or request;
      • providing the Data Controller with any Personal Data it holds in relation to a data subject (within the timescales required by the Data Controller); and
      • providing the Data Controller with any other information requested by the Data Controller.
    • The Data Processor shall promptly and without undue delay notify the Data Controller if any of the Personal Data is lost or destroyed, or becomes damaged, corrupted, or otherwise unusable. Any Personal Data so affected shall be restored by the Data Processor at the Data Processor’s own cost.
    • The Data Processor shall notify the Data Controller immediately if it becomes aware of any accidental, unauthorised, or unlawful processing of the Personal Data, or of any personal data breach. The following information shall also be provided to the Data Controller without undue delay:
      • a full description of the nature of the event, including the category or categories of Personal Data concerned, the category or categories of data subject concerned, and the approximate number of both Personal Data records and data subjects involved;
      • details of the likely consequences; and
      • details of the measures taken, or planned, to address the event, including those intended to mitigate possible adverse effects.
    • Immediately following any event under sub-Clause 5.6, the Data Controller and the Data Processor shall jointly investigate that event. In particular, the Data Processor shall [, at the Data Controller’s cost] cooperate fully with the Data Controller and assist as required, including by:
      • assisting with any investigation;
      • providing the Data Controller with access to any premises, facilities, and/or operations involved;
      • facilitating interviews with any of the Data Processor’s personnel, former personnel, and any other individuals involved;
      • providing or making available to the Data Controller any and all relevant records, logs, files, reports, and other documentation and materials required to comply with the Data Protection Legislation or other such materials reasonably required by the Data Controller; and
      • taking all reasonable steps, promptly, to mitigate the effects of the event and to minimise any damage arising from it.
    • The Data Processor shall not inform any third party of any Personal Data breach without the prior written consent of the Data Controller unless it is required to do so by law.
    • The Data Controller shall have the sole right to determine the following:
      • whether or not to notify Personal Data breaches to data subjects, the ICO or other applicable supervisory authorities, regulators, law enforcement agencies, or others, as required by law or at the Data Controller’s discretion;
      • the content and means of delivery of any such notice under sub-Clause 5.9.1; and
      • whether or not to offer a remedy to affected data subjects and, where such a remedy is to be offered, the nature and extent thereof.

  6. [Appointment of a Data Protection Officer
    • [The Data Controller has appointed a Data Protection Officer in accordance with Article 37 of the GDPR, whose details are to be provided when requested by The Data Processor]
    • [The Data Processor shall appoint a Data Protection Officer in accordance with Article 37 of the GDPR and shall supply the details of the Data Protection Officer to the Data Controller prior to the commencement of the processing if and when requested by The Data Controller.]

  7. Confidentiality
    • The Data Processor shall maintain the Personal Data in confidence, and in particular, unless the Data Controller has given written consent for the Data Processor to do so, the Data Processor shall not disclose any Personal Data supplied to the Data Processor by, for, or on behalf of, the Data Controller to any third party. The Data Processor shall not process or make any use of any Personal Data supplied to it by the Data Controller otherwise than in connection with the provision of the Services to the Data Controller.
    • If the Data Processor is required by law, a court, regulator, the ICO, or any other applicable supervisory authority to disclose or process any of the Personal Data, the Data Processor shall inform the Data Controller before making any such disclosure or carrying out any such processing, giving the Data Controller the opportunity to object to or challenge the requirement, unless the Data Processor is prohibited from doing so by law.

  8. Data Processor’s Personnel
    • The Data Processor shall ensure that all personnel who are to access and/or process any of the Personal Data:
      • are aware both of the Data Processor’s duties and obligations, and of their own individual duties and obligations under this Agreement and the Data Protection Legislation;
      • have been given suitable training on the Data Protection Legislation with respect to the handling of Personal Data and how the Data Protection Legislation applies to their particular duties; and
      • are contractually obliged to keep the Personal Data confidential.
    • The Data Processor shall take reasonable steps to ensure the reliability, integrity, and trustworthiness of all personnel who are to access and/or process any of the Personal Data [, carrying out background checks permissible by law where appropriate].

  9. Security

The Data Processor shall implement suitable technical and organisational security measures in order to protect the Personal Data against unauthorised or unlawful access, processing, disclosure, copying, alteration, storage, reproduction, display, or distribution; and against loss, destruction, or damage, whether accidental or otherwise. Such measures shall include, but not be limited to, those set out in Schedule 3. Such measures shall be fully documented in writing by the Data Processor and be reviewed at least every 6 months to ensure that they remain up-to-date, complete, and appropriate. The Data Processor shall inform the Data Controller in advance of any changes to such measures.

  10. Appointment of Sub-Processors
    • The Data Processor shall not sub-contract any of its obligations or rights under this Agreement without the prior written consent of the Data Controller.
    • In the event that the Data Processor appoints a Sub-Processor (with the written consent of the Data Controller), the Data Processor shall:
      • enter into a Sub-Processing Agreement with the Sub-Processor which shall impose upon the Sub-Processor the same obligations as are imposed upon the Data Processor by this Agreement and which shall permit both the Data Processor and the Data Controller to enforce those obligations;
      • provide copies of any and all Sub-Processing Agreements entered into to the Data Controller; and
      • ensure that the Sub-Processor complies fully with its obligations under the Sub-Processing Agreement and the Data Protection Legislation and does not process any of the Personal Data except on the instructions from the Data Controller.
    • The Data Processor shall maintain control over all Personal Data transferred to any Sub-Processor.
    • In the event that a Sub-Processor fails to meet its obligations under any Sub-Processing Agreement, the Data Processor shall remain fully liable to the Data Controller for failing to meet its obligations under this Agreement.
    • Any and all Sub-Processing Agreements entered into shall terminate automatically on termination of this Agreement for any reason.
    • The Data Processor shall, on the Data Controller’s written request, audit the compliance of any Sub-Processor with its obligations with respect to the Personal Data and shall provide the Data Controller with the results of such audits.
    • [[The Sub-Processor] OR [Those Sub-Processors] that have been approved by the Data Controller at the commencement of this Agreement are set out in Schedule 4. The Data Processor shall include the name, location, and contact information for the data protection officer or other individual responsible for privacy and data protection compliance in Schedule 4.]

  11. Cross-Border Transfers of Personal Data
    • The Data Processor shall not transfer or otherwise process any of the Personal Data outside of the European Economic Area (“EEA”) without the prior written consent of the Data Controller.
    • In the event that the Data Controller consents to such a transfer or processing, the Data Processor may only process (or permit the processing) of the Personal Data outside of the EEA if one or more of the following conditions are satisfied:
      • the Data Processor is processing the Personal Data in a territory that is subject to a current finding by the European Commission under the Data Protection Legislation that said territory provides adequate protection for the privacy rights of individuals. The [territory] OR [territories] subject to such a finding are identified in Schedule 4; or
      • the Data Processor participates in a valid cross-border transfer mechanism under the Data Protection Legislation under which the Data Processor (and the Data Controller, where appropriate) can ensure that appropriate safeguards are in place to ensure an adequate level of data protection with respect to the privacy rights of individuals as required by Article 46 of the GDPR. The transfer mechanism enabling such transfers is identified in Schedule 4. The Data Processor shall immediately inform the Data Controller of any changes thereto; or
      • the transfer of the Personal Data otherwise complies with the Data Protection Legislation for the reasons set out in Schedule 4.
    • In the event that any transfer of Personal Data between the Data Controller and the Data Processor requires execution of Standard Contractual Clauses in order to comply with the Data Protection Legislation (that is, where the Data Controller is exporting the Personal Data to the Data Processor, which is located outside of the EEA), the Parties shall complete all relevant details contained in the Standard Contractual Clauses set out in Schedule 5, execute the same, and take any and all other actions required to legitimise the transfer of the Personal Data.
    • [In the event that the Data Controller consents to the Data Processor (that is located within the EEA) appointing a Sub-Processor, in accordance with the provisions of Clause 10, and the Sub-Processor is located outside of the EEA, the Data Controller hereby authorises the Data Processor to enter into Standard Contractual Clauses, as set out in Schedule 5, with the Sub-Processor in the Data Controller’s name and on the Data Controller’s behalf. The Data Processor shall make said executed Standard Contractual Clauses available to the Data Controller on request.]

  12. Liability and Indemnity
    • The Data Controller shall be liable for, and shall indemnify (and keep indemnified) the Data Processor in respect of any and all action, proceeding, liability, cost, claim, loss, expense (including reasonable legal fees and payments on a solicitor and client basis), or demand suffered or incurred by, awarded against, or agreed to be paid by, the Data Processor [and any Sub-Processor] arising directly or in connection with:
      • any non-compliance by the Data Controller with the Data Protection Legislation or other applicable legislation;
      • any Personal Data processing carried out by the Data Processor [or Sub-Processor] in accordance with instructions given by the Data Controller that infringe the Data Protection Legislation or other applicable legislation; or
      • any breach by the Data Controller of its obligations under this Agreement,

except to the extent that the Data Processor [or Sub-Processor] is liable under sub-Clause 12.2.

    • The Data Processor shall be liable for, and shall indemnify (and keep indemnified) the Data Controller in respect of any and all action, proceeding, liability, cost, claim, loss, expense (including reasonable legal fees and payments on a solicitor and client basis), or demand suffered or incurred by, awarded against, or agreed to be paid by, the Data Controller arising directly or in connection with:
      • any non-compliance by the Data Processor with the Data Protection Legislation or other applicable legislation;
      • any failure by the Data Processor or any of its employees, agents, or sub-contractors to comply with any of its obligations under this Agreement; or
      • the Data Processor’s Personal Data processing activities that are subject to this Agreement:
        • only to the extent that the same results from the Data Processor’s [or a Sub-Processor’s] breach of this Agreement; and
        • not to the extent that the same is or are contributed to by any breach of this Agreement by the Data Controller.
    • The Data Controller shall not be entitled to claim back from the Data Processor [or Sub-Processor] any sums paid in compensation by the Data Controller in respect of any damage to the extent that the Data Controller is liable to indemnify the Data Processor [or Sub-Processor] under sub-Clause 12.1.
    • Nothing in this Agreement (and in particular, this Clause 12) shall relieve either Party of, or otherwise affect, the liability of either Party to any data subject, or for any other breach of that Party’s direct obligations under the Data Protection Legislation. Furthermore, the Data Processor hereby acknowledges that it shall remain subject to the authority of the ICO and any other applicable supervisory authorities, and shall co-operate fully therewith, as required, and that failure to comply with its obligations as a data processor under the Data Protection Legislation may render it subject to the fines, penalties, and compensation requirements set out in the Data Protection Legislation.
    • No limitation of liability set out in the Service Agreement shall apply to the indemnity provisions or reimbursement obligations of this Agreement.

  13. [Intellectual Property Rights

All copyright, database rights, and other intellectual property rights subsisting in the Personal Data (including but not limited to any updates, amendments, or adaptations to the Personal Data made by either the Data Controller or the Data Processor) shall belong to the Data Controller or to any other applicable third party from whom the Data Controller has obtained the Personal Data under licence (including, but not limited to, data subjects, where applicable). The Data Processor is licensed to use such Personal Data under such rights only [for the term of the Service Agreement,] for the purposes of the Services, and in accordance with this Agreement.]

  14. Term and Termination
    • This Agreement shall remain in full force and effect:
      • for as long as the Service Agreement remains in effect; or
      • for as long as the Data Processor retains any Personal Data relating to the Service Agreement in its possession or control,

whichever period is longer.

    • Where any provision of this Agreement, whether expressly or by implication, either comes into force, or continues in force on or after the termination of the Service Agreement in order to protect the Personal Data, that provision shall remain in full force and effect.
    • Any failure by the Data Processor to comply with the terms of this Agreement shall be deemed to be a material breach of the Service Agreement. In the event of such a breach, the Data Controller shall have the right to terminate [the Service Agreement] OR [any part of the Service Agreement under which the Data Processor processes the Personal Data], such termination to be effective immediately on written notice to the Data Processor, without further liability or obligation.
    • If any change to the Data Protection Legislation prevents either Party from fulfilling any of its obligations under the Service Agreement, the processing of the Personal Data shall be suspended until such processing can be made to comply with the Data Protection Legislation, as amended. If such processing cannot be made to comply [within 14 days] the Parties may terminate the Service Agreement on written notice to one another.

  15. Deletion and/or Disposal of Personal Data
    • The Data Processor shall, at the written request of the Data Controller, delete (or otherwise dispose of) the Personal Data or return it to the Data Controller in the format(s) reasonably requested by the Data Controller within a reasonable time after the earlier of the following:
      • the end of the provision of the Services [under the Service Agreement];
      • the termination of the Service Agreement; or
      • the processing of that Personal Data by the Data Processor is no longer required for the performance of the Data Processor’s obligations under [this Agreement] AND/OR [the Service Agreement].
    • If the Data Processor is required by law, government, or other regulatory body to retain any documents or materials that the Data Processor would otherwise be required to return, delete, or otherwise dispose of under this Agreement, the Data Processor shall notify the Data Controller in writing of the requirement. Such notice shall give details of all documents or materials that the Data Processor is required to retain, the legal basis for that retention, and the timeline for deletion and/or disposal at the end of the retention period.
    • All Personal Data to be deleted or disposed of under this Agreement shall be deleted or disposed of using the following method(s): Deleted on the web hosting computer.
    • The Data Processor shall certify in writing that the Personal Data has been deleted or otherwise disposed of within 14 days of such deletion or disposal.

 

  16. Record Keeping
    16.1 The Data Processor shall keep suitably detailed, accurate, and up-to-date written records of any and all processing of the Personal Data carried out for the Data Controller. Such records shall include, but not be limited to, access, control, security, sub-contractors, affiliates, the purpose(s) for which the Personal Data is processed, the category or categories of processing, transfers of the Personal Data to non-EEA territories and related safeguards, and details of the technical and organisational security measures referred to in Clause 9.
    16.2 The Data Processor shall ensure that such records are sufficient to enable the Data Controller to verify the Data Processor’s compliance with the provisions of this Agreement and with the Data Protection Legislation. The Data Processor shall provide the Data Controller with copies of such records on request.
    16.3 The Data Processor shall review the information contained in the Schedules to this Agreement at least every 6 months in order to ensure that it remains accurate and up-to-date with current practices.

 

  17. Auditing
    17.1 The Data Processor shall permit the Data Controller and any third-party representatives that the Data Controller may from time to time appoint to audit its compliance with its obligations under this Agreement, on [reasonable] prior notice, during the Term of this Agreement.
    17.2 The Data Processor shall provide to the Data Controller and any third-party representatives all necessary assistance in conducting such audits including, but not limited to:
      • physical and electronic access to, and copies of, records kept under Clause 16 and any other information pertaining to the processing of the Personal Data;
      • access to (and meetings with) any of the Data Processor’s personnel that are reasonably necessary to audit the Data Processor’s compliance with this Agreement; and
      • inspection of any and all infrastructure, systems, facilities, equipment, electronic data, and software used for the storage, transfer, and processing of the Personal Data.
    17.3 Prior to commencing the processing of the Personal Data and thereafter on a 6 monthly basis, the Data Processor shall:
      • carry out an information security audit in order to identify any security deficiencies;
      • produce a written report of its audit which shall include plans to remedy any such deficiencies;
      • provide the Data Controller with a copy of the report; and
      • remedy any defects identified in its audit within a period of 6 months.
    17.4 The notice requirement set out in sub-Clause 17.1 shall not apply if the Data Controller has reason to believe that a personal data breach has taken place or is taking place, or that the Data Processor is in breach of any of its obligations under this Agreement or the Data Protection Legislation.
    17.5 In the event of a personal data breach (including if the Data Processor becomes aware of any breach of its obligations under this Agreement or the Data Protection Legislation), the Data Processor shall:
      • conduct its own audit to determine the cause of said breach within 6 months of the triggering event;
      • produce a written report of its audit which shall include plans to remedy any deficiencies identified thereby;
      • provide the Data Controller with a copy of the report; and
      • remedy any defects identified in its audit within 6 months.

 

  18. [Consideration
    The Data Processor accepts the obligations in this Agreement in consideration of the payment of £1 from the Data Controller, which the Data Processor hereby acknowledges.]

 

  19. Law and Jurisdiction
    19.1 This Agreement (including any non-contractual matters and obligations arising therefrom or associated therewith) shall be governed by, and construed in accordance with, the laws of England and Wales.
    19.2 Any dispute, controversy, proceedings or claim between the Parties relating to this Agreement (including any non-contractual matters and obligations arising therefrom or associated therewith) shall fall within the jurisdiction of the courts of England and Wales.

 

 

SIGNED for and on behalf of the Data Controller by:

The Customer

 

__________________________________________________
Authorised Signature

 

Date: when first order/contact ticket or email is received

 

 

SIGNED for and on behalf of the Data Processor by:

The directors

 

__________________________________________________
Authorised Signature

 

Date: when first order/contact ticket or email is received

SCHEDULE 1

 

Services

 

Marketing and Export Services of civilian UK Products.

 

SCHEDULE 2

 

Personal Data

 

Type of Personal Data     Category of Data Subject   Nature of Processing Carried Out   Purpose(s) of Processing   Duration of Processing
Personal Identification   Customer                   Provision of Services              Fraud Prevention           6 years
Location                  Customer                   Provision of Services              Fraud Prevention           6 years
Postal Address            Customer                   Provision of Services              Fraud Prevention           6 years
Photo ID                  Customer                   Provision of Services              Fraud Prevention           6 years

 

 

SCHEDULE 3

 

Technical and Organisational Data Protection Measures

 

The following are the technical and organisational data protection measures referred to in Clause 9:

 

  1. The Data Processor shall ensure that, in respect of all Personal Data it receives from or processes on behalf of the Data Controller, it maintains security measures to a standard appropriate to:
    • the harm that might result from unlawful or unauthorised processing or accidental loss, damage, or destruction of the Personal Data; and
    • the nature of the Personal Data.

 

  2. In particular, the Data Processor shall:
    • have in place, and comply with, a security policy which:
      • defines security needs based on a risk assessment;
      • allocates responsibility for implementing the policy to a specific individual [(such as the Data Processor’s Data Protection Officer)] or personnel;
      • is provided to the Data Controller on or before the commencement of this Agreement;
      • is disseminated to all relevant staff; and
      • provides a mechanism for feedback and review.
    • ensure that appropriate security safeguards and virus protection are in place to protect the hardware and software which is used in processing the Personal Data in accordance with best industry practice;
    • ensure that the effectiveness of all measures detailed in this Agreement and in any specific security policy is regularly tested, assessed, and evaluated;
    • prevent unauthorised access to the Personal Data;
    • protect the Personal Data using pseudonymisation, where it is practical to do so;
    • implement such measures as are necessary to ensure the ongoing confidentiality, integrity, availability, and resilience of systems and services used to process Personal Data;
    • ensure that its storage of Personal Data conforms with best industry practice such that the media on which Personal Data is recorded (including paper records and records stored electronically) are stored in secure locations and access by personnel to Personal Data is strictly monitored and controlled;
    • have secure methods in place for the transfer of Personal Data whether in physical form (for example, by using couriers rather than post) or electronic form (for example, by using SSL encryption);
    • password protect all computers and other devices on which Personal Data is stored, ensuring that all passwords are secure (upper and lowercase characters, numbers and symbols), and that passwords are not shared under any circumstances;
    • [not allow the storage of the Personal Data on any mobile devices such as laptops or tablets unless such devices are kept on its premises at all times;]
    • take reasonable steps to ensure the reliability of personnel who have access to the Personal Data;
    • have in place methods for detecting and dealing with breaches of security (including loss, damage, or destruction of Personal Data) including, but not limited to:
      • the ability to identify which individuals have worked with specific Personal Data;
      • having a proper procedure in place for investigating and remedying personal data breaches and breaches of the Data Protection Legislation; and
      • notifying the Data Controller as soon as any such breach occurs;
    • have a secure procedure for backing up all Personal Data, whether stored electronically or otherwise, enabling Personal Data to be restored in a timely fashion, and storing back-ups separately from originals;
    • have a secure method of disposal of unwanted Personal Data including for back-ups, disks, print-outs, and redundant equipment; and
    • adopt such organisational, operational, and technological processes and procedures as are required to comply with the requirements of ISO/IEC 27001:2013, as appropriate to the Services provided to the Data Controller.

 

SCHEDULE 4

 

Legal Basis for Processing Personal Data Outside the EEA

 

The Data Processor’s legal basis for processing the Personal Data outside of the EEA in order to comply with cross-border transfer restrictions is as follows:

 

[The Data Processor is located in a country with a current determination of adequacy: United Kingdom.]

 

 

SCHEDULE 5

 

Standard Contractual Clauses

 

STANDARD CONTRACTUAL CLAUSES (PROCESSORS)

 

For the purposes of Article 26(2) of Directive 95/46/EC for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection

 

Name of the data exporting organisation: Customers Identification Documents

Address: Numerous and worldwide

Tel. Numerous and worldwide; fax Numerous and worldwide; e-mail: Numerous and worldwide

 

Other information needed to identify the organisation

As per the ID Documents submitted

 

(the data exporter)

 

And

 

Name of the data importing organisation: Gordhan Enterprises Ltd

Address: Birmingham B42 1HB, United Kingdom.

Tel. 0776 220 1179; fax None; e-mail: contact@gordhan.uk

 

Other information needed to identify the organisation:

UK Company registered number: 11337179.

 

(the data importer)

 

each a ‘party’; together ‘the parties’,

 

HAVE AGREED on the following Contractual Clauses (the Clauses) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the data exporter to the data importer of the personal data specified in Appendix 1.

 

Clause 1

 

Definitions

 

For the purposes of the Clauses:

 

  • ‘personal data’, ‘special categories of data’, ‘process/processing’, ‘controller’, ‘processor’, ‘data subject’ and ‘supervisory authority’ shall have the same meaning as in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data[1];

 

  • ‘the data exporter’ means the controller who transfers the personal data;

 

  • ‘the data importer’ means the processor who agrees to receive from the data exporter personal data intended for processing on his behalf after the transfer in accordance with his instructions and the terms of the Clauses and who is not subject to a third country’s system ensuring adequate protection within the meaning of Article 25(1) of Directive 95/46/EC;

 

  • ‘the sub-processor’ means any processor engaged by the data importer or by any other sub-processor of the data importer who agrees to receive from the data importer or from any other sub-processor of the data importer personal data exclusively intended for processing activities to be carried out on behalf of the data exporter after the transfer in accordance with his instructions, the terms of the Clauses and the terms of the written subcontract;

 

  • ‘the applicable data protection law’ means the legislation protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of personal data applicable to a data controller in the Member State in which the data exporter is established;

 

  • ‘technical and organisational security measures’ means those measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.

 

Clause 2

 

Details of the transfer

 

The details of the transfer and in particular the special categories of personal data where applicable are specified in Appendix 1 which forms an integral part of the Clauses.

 

Clause 3

 

Third-party beneficiary clause

 

  1. The data subject can enforce against the data exporter this Clause, Clause 4(b) to (i), Clause 5(a) to (e), and (g) to (j), Clause 6(1) and (2), Clause 7, Clause 8(2), and Clauses 9 to 12 as third-party beneficiary.

  2. The data subject can enforce against the data importer this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where the data exporter has factually disappeared or has ceased to exist in law unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity.

  3. The data subject can enforce against the sub-processor this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity. Such third-party liability of the sub-processor shall be limited to its own processing operations under the Clauses.

  4. The parties do not object to a data subject being represented by an association or other body if the data subject so expressly wishes and if permitted by national law.

 

Clause 4

 

Obligations of the data exporter

 

The data exporter agrees and warrants:

 

  (a) that the processing, including the transfer itself, of the personal data has been and will continue to be carried out in accordance with the relevant provisions of the applicable data protection law (and, where applicable, has been notified to the relevant authorities of the Member State where the data exporter is established) and does not violate the relevant provisions of that State;

  (b) that it has instructed and throughout the duration of the personal data-processing services will instruct the data importer to process the personal data transferred only on the data exporter’s behalf and in accordance with the applicable data protection law and the Clauses;

  (c) that the data importer will provide sufficient guarantees in respect of the technical and organisational security measures specified in Appendix 2 to this contract;

  (d) that after assessment of the requirements of the applicable data protection law, the security measures are appropriate to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation;

  (e) that it will ensure compliance with the security measures;

  (f) that, if the transfer involves special categories of data, the data subject has been informed or will be informed before, or as soon as possible after, the transfer that its data could be transmitted to a third country not providing adequate protection within the meaning of Directive 95/46/EC;

  (g) to forward any notification received from the data importer or any sub-processor pursuant to Clause 5(b) and Clause 8(3) to the data protection supervisory authority if the data exporter decides to continue the transfer or to lift the suspension;

  (h) to make available to the data subjects upon request a copy of the Clauses, with the exception of Appendix 2, and a summary description of the security measures, as well as a copy of any contract for sub-processing services which has to be made in accordance with the Clauses, unless the Clauses or the contract contain commercial information, in which case it may remove such commercial information;

  (i) that, in the event of sub-processing, the processing activity is carried out in accordance with Clause 11 by a sub-processor providing at least the same level of protection for the personal data and the rights of data subject as the data importer under the Clauses; and

  (j) that it will ensure compliance with Clause 4(a) to (i).

 

Clause 5

 

Obligations of the data importer[2]

 

The data importer agrees and warrants:

 

  (a) to process the personal data only on behalf of the data exporter and in compliance with its instructions and the Clauses; if it cannot provide such compliance for whatever reasons, it agrees to inform promptly the data exporter of its inability to comply, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;

  (b) that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Clauses, it will promptly notify the change to the data exporter as soon as it is aware, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;

  (c) that it has implemented the technical and organisational security measures specified in Appendix 2 before processing the personal data transferred;

  (d) that it will promptly notify the data exporter about:
    (i) any legally binding request for disclosure of the personal data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation;
    (ii) any accidental or unauthorised access; and
    (iii) any request received directly from the data subjects without responding to that request, unless it has been otherwise authorised to do so;

  (e) to deal promptly and properly with all inquiries from the data exporter relating to its processing of the personal data subject to the transfer and to abide by the advice of the supervisory authority with regard to the processing of the data transferred;

  (f) at the request of the data exporter to submit its data-processing facilities for audit of the processing activities covered by the Clauses which shall be carried out by the data exporter or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality, selected by the data exporter, where applicable, in agreement with the supervisory authority;

  (g) to make available to the data subject upon request a copy of the Clauses, or any existing contract for sub-processing, unless the Clauses or contract contain commercial information, in which case it may remove such commercial information, with the exception of Appendix 2 which shall be replaced by a summary description of the security measures in those cases where the data subject is unable to obtain a copy from the data exporter;

  (h) that, in the event of sub-processing, it has previously informed the data exporter and obtained its prior written consent;

  (i) that the processing services by the sub-processor will be carried out in accordance with Clause 11;

  (j) to send promptly a copy of any sub-processor agreement it concludes under the Clauses to the data exporter.

 

Clause 6

 

Liability

 

  1. The parties agree that any data subject, who has suffered damage as a result of any breach of the obligations referred to in Clause 3 or in Clause 11 by any party or sub-processor is entitled to receive compensation from the data exporter for the damage suffered.

  2. If a data subject is not able to bring a claim for compensation in accordance with paragraph 1 against the data exporter, arising out of a breach by the data importer or his sub-processor of any of their obligations referred to in Clause 3 or in Clause 11, because the data exporter has factually disappeared or ceased to exist in law or has become insolvent, the data importer agrees that the data subject may issue a claim against the data importer as if it were the data exporter, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, in which case the data subject can enforce its rights against such entity. The data importer may not rely on a breach by a sub-processor of its obligations in order to avoid its own liabilities.

  3. If a data subject is not able to bring a claim against the data exporter or the data importer referred to in paragraphs 1 and 2, arising out of a breach by the sub-processor of any of their obligations referred to in Clause 3 or in Clause 11 because both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, the sub-processor agrees that the data subject may issue a claim against the data sub-processor with regard to its own processing operations under the Clauses as if it were the data exporter or the data importer, unless any successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law, in which case the data subject can enforce its rights against such entity. The liability of the sub-processor shall be limited to its own processing operations under the Clauses.

 

Indemnity[3]

 

The parties agree that if one party is held liable for a violation of the clauses committed by the other party, the latter will, to the extent to which it is liable, indemnify the first party for any cost, charge, damages, expenses or loss it has incurred.

Indemnification is contingent upon:

 

  • the data exporter promptly notifying the data importer of a claim; and

 

  • the data importer being given the possibility to cooperate with the data exporter in the defence and settlement of the claim.

 

Clause 7

 

Mediation and jurisdiction

 

  1. The data importer agrees that if the data subject invokes against it third-party beneficiary rights and/or claims compensation for damages under the Clauses, the data importer will accept the decision of the data subject:
    (a) to refer the dispute to mediation, by an independent person or, where applicable, by the supervisory authority;
    (b) to refer the dispute to the courts in the Member State in which the data exporter is established.

  2. The parties agree that the choice made by the data subject will not prejudice its substantive or procedural rights to seek remedies in accordance with other provisions of national or international law.

 

Clause 8

 

Cooperation with supervisory authorities

 

  1. The data exporter agrees to deposit a copy of this contract with the supervisory authority if it so requests or if such deposit is required under the applicable data protection law.

  2. The parties agree that the supervisory authority has the right to conduct an audit of the data importer, and of any sub-processor, which has the same scope and is subject to the same conditions as would apply to an audit of the data exporter under the applicable data protection law.

  3. The data importer shall promptly inform the data exporter about the existence of legislation applicable to it or any sub-processor preventing the conduct of an audit of the data importer, or any sub-processor, pursuant to paragraph 2. In such a case the data exporter shall be entitled to take the measures foreseen in Clause 5(b).

 

Clause 9

 

Governing law

 

The Clauses shall be governed by the law of the Member State in which the data exporter is established, namely the United Kingdom and English law.

 

Clause 10

 

Variation of the contract

 

The parties undertake not to vary or modify the Clauses. This does not preclude the parties from adding clauses on business related issues where required as long as they do not contradict the Clause.

 

Clause 11

 

Sub-processing

 

  1. The data importer shall not subcontract any of its processing operations performed on behalf of the data exporter under the Clauses without the prior written consent of the data exporter. Where the data importer subcontracts its obligations under the Clauses, with the consent of the data exporter, it shall do so only by way of a written agreement with the sub-processor which imposes the same obligations on the sub-processor as are imposed on the data importer under the Clauses[4]. Where the sub-processor fails to fulfil its data protection obligations under such written agreement the data importer shall remain fully liable to the data exporter for the performance of the sub-processor’s obligations under such agreement.

  2. The prior written contract between the data importer and the sub-processor shall also provide for a third-party beneficiary clause as laid down in Clause 3 for cases where the data subject is not able to bring the claim for compensation referred to in paragraph 1 of Clause 6 against the data exporter or the data importer because they have factually disappeared or have ceased to exist in law or have become insolvent and no successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law. Such third-party liability of the sub-processor shall be limited to its own processing operations under the Clauses.

  3. The provisions relating to data protection aspects for sub-processing of the contract referred to in paragraph 1 shall be governed by the law of the Member State in which the data exporter is established, namely the United Kingdom and English law.

  4. The data exporter shall keep a list of sub-processing agreements concluded under the Clauses and notified by the data importer pursuant to Clause 5(j), which shall be updated at least once a year. The list shall be available to the data exporter’s data protection supervisory authority.

 

Clause 12

 

Obligation after the termination of personal data-processing services

 

  1. The parties agree that on the termination of the provision of data-processing services, the data importer and the sub-processor shall, at the choice of the data exporter, return all the personal data transferred and the copies thereof to the data exporter or shall destroy all the personal data and certify to the data exporter that it has done so, unless legislation imposed upon the data importer prevents it from returning or destroying all or part of the personal data transferred. In that case, the data importer warrants that it will guarantee the confidentiality of the personal data transferred and will not actively process the personal data transferred anymore.

  2. The data importer and the sub-processor warrant that upon request of the data exporter and/or of the supervisory authority, it will submit its data-processing facilities for an audit of the measures referred to in paragraph 1.

 

 

On behalf of the data exporter:

Name (written out in full): The Customer (Numerous)

Position: The Customer (Numerous)

Address: International

 

 

 

__________________________________________________
Authorised Signature

 

On behalf of the data importer:

Name (written out in full): H Gordhan

Position: Company Director

Address: Birmingham B42 1HB.

 

 

 

__________________________________________________
Authorised Signature

 

Appendix 1

to the Standard Contractual Clauses

 

This Appendix forms part of the Clauses and must be completed and signed by the parties

The Member States may complete or specify, according to their national procedures, any additional necessary information to be contained in this Appendix

 

Data exporter

The data exporter is:

Account Details Registration and ID confirmation for the purpose of Importing Goods from UK.

 

Data importer

The data importer is:

Keeping the relevant data needed to provide export service from UK.

 

Data subjects

The personal data transferred concern the following categories of data subjects:

Identification and Location data for exporting goods to the correct customer.

 

Categories of data

The personal data transferred concern the following categories of data:

Name

Address

Photo ID.

Telephone number.

 

Special categories of data (if appropriate)

The personal data transferred concern the following special categories of data:

N/A.

 

Processing operations

The personal data transferred will be subject to the following basic processing activities:

Storage and Retrieval in a web based secure client management system hosted in Los Angeles, USA.

 

DATA EXPORTER

Name: The Customer

 

 

__________________________________________________
Authorised Signature

 

DATA IMPORTER

Name: Gordhan Enterprises Ltd

 

 

__________________________________________________
Authorised Signature

 

Appendix 2

to the Standard Contractual Clauses

 

This Appendix forms part of the Clauses and must be completed and signed by the parties.

 

Description of the technical and organisational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) (or document/legislation attached):

We use a secure web server to host our web site to operate our export service to the world.

 

 

 

[1] Parties may reproduce definitions and meanings contained in Directive 95/46/EC within this Clause if they considered it better for the contract to stand alone.

[2] Mandatory requirements of the national legislation applicable to the data importer which do not go beyond what is necessary in a democratic society on the basis of one of the interests listed in Article 13(1) of Directive 95/46/EC, that is, if they constitute a necessary measure to safeguard national security, defence, public security, the prevention, investigation, detection and prosecution of criminal offences or of breaches of ethics for the regulated professions, an important economic or financial interest of the State or the protection of the data subject or the rights and freedoms of others, are not in contradiction with the standard contractual clauses. Some examples of such mandatory requirements which do not go beyond what is necessary in a democratic society are, inter alia, internationally recognised sanctions, tax-reporting requirements or anti-money-laundering reporting requirements.

[3] EU Commission Decision 2010/87/EU makes this provision optional.

[4] This requirement may be satisfied by the sub-processor co-signing the contract entered into between the data exporter and the data importer under EU Commission Decision 2010/87/EU.
