Customer: means any individual, firm, partnership, company or organisation or any other undertaking, which orders or receives from the Supplier any goods or services pursuant to the Main Agreement.
Customer Data: means any information or data, in whatever form, which is held on, entered into, processed by, or retrievable from computer, communication or other systems or equipment of the Customer including Customer Personal Data and data processed by the Customer in providing goods or services to its clients and customers.
Customer Personal Data: means any Personal Data of which the Customer is the Data Controller or which the Customer is processing on behalf of another Data Controller (such as another company in the Customer’s group or a customer of the Customer, or any of their customers or group companies) and which is processed by the Supplier as Data Processor on behalf of the Customer under or in connection with the Main Agreement, including the information more particularly described in the Schedule.
Data Protection Legislation: means (i) until the GDPR is directly applicable in the United Kingdom, the Data Protection Act 1998; (ii) once the GDPR is directly applicable in the United Kingdom and unless and until the GDPR is no longer directly applicable in the United Kingdom, the GDPR and any national implementing laws, regulations and secondary legislation in the United Kingdom relating to the processing of personal data and the privacy of electronic communications, as amended, replaced or updated from time to time; and then (iii) any successor legislation to the GDPR or the Data Protection Act 1998.
GDPR: means the General Data Protection Regulation ((EU) 2016/679).
Main Agreement: means the one or more agreements which the Supplier has entered into with the Customer to provide goods and/or services to the Customer as is agreed in that agreement or those agreements, as the case may be.
Supplier: means ThinkBDA Limited (company registration number 02721714).
1.1 Both parties will comply with all applicable requirements of the Data Protection Legislation. This clause 1.1 is in addition to, and does not relieve, remove or replace, a party's obligations under the Data Protection Legislation.
1.2 The parties acknowledge that for the purposes of the Data Protection Legislation, to the extent the Supplier is processing Customer Personal Data, the Customer is the Data Controller (or is processing on behalf of the Data Controller), the Supplier is a Data Processor (for the Customer or, through the Customer, for another Data Controller) (where Data Controller and Data Processor have the meanings as defined in the Data Protection Legislation) and the Customer appoints the Supplier to process the Customer Personal Data. The Schedule sets out the scope, nature and purpose of processing by the Supplier, the duration of the processing and the types of Personal Data (as defined in the Data Protection Legislation, Personal Data) and categories of data subject (as defined in the Data Protection Legislation, Data Subject).
1.3 Without prejudice to the generality of clause 1.1, the Customer will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the Customer Personal Data and Customer Data to the Supplier for the duration and purposes of the Main Agreement and the supplementary agreement between the parties pursuant to these data processing terms (this Processing Agreement). As such, the Customer confirms that it is entitled to transfer the Customer Personal Data and Customer Data to the Supplier so that the Supplier may lawfully use, process and transfer the Customer Personal Data and Customer Data on the Customer’s behalf in accordance with this Processing Agreement.
1.4 Without prejudice to the generality of clause 1.1, the Customer shall have sole responsibility for the legality, reliability, integrity, accuracy and quality of all Customer Personal Data and Customer Data provided for processing.
1.5 Without prejudice to the generality of clause 1.1, the Supplier shall, in relation to any Customer Personal Data processed in connection with the performance by the Supplier of its obligations under the Main Agreement and this Processing Agreement:
- (a) process that Customer Personal Data only on the written instructions of the Customer unless the Supplier is required by the laws of any member of the European Union or by the laws of the European Union applicable to the Supplier to process the Customer Personal Data (Applicable Laws). Where the Supplier is relying on laws of a member of the European Union or European Union law as the basis for processing the Customer Personal Data, the Supplier shall promptly notify the Customer of this before performing the processing required by the Applicable Laws unless those Applicable Laws prohibit the Supplier from so notifying the Customer;
- (b) ensure that it has in place appropriate technical and organisational measures, reviewed and approved by the Customer, to protect against unauthorised or unlawful processing of the Customer Personal Data and against accidental loss or destruction of, or damage to, the Customer Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymising and encrypting the Customer Personal Data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to the Customer Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it);
- (c) ensure that all personnel who have access to and/or process the Customer Personal Data are obliged to keep the Customer Personal Data confidential; and
- (d) not transfer any Customer Personal Data outside of the European Economic Area unless the prior written consent of the Customer has been obtained and the following conditions are fulfilled:
- (i) the Customer or the Supplier has provided appropriate safeguards in relation to the transfer;
- (ii) the Data Subject has enforceable rights and effective legal remedies;
- (iii) the Supplier complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Customer Personal Data that is transferred; and
- (iv) the Supplier complies with reasonable instructions notified to it in advance by the Customer with respect to the processing of the Customer Personal Data;
- (e) reasonably and timeously assist the Customer, at the Customer's cost, in responding to any request from a Data Subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators;
- (f) notify the Customer without undue delay on becoming aware of a Personal Data breach;
- (g) at the written direction of the Customer, delete or return Customer Personal Data and copies thereof to the Customer on termination of the Main Agreement or this Processing Agreement unless required by Applicable Law to store the Customer Personal Data; and
- (h) maintain complete and accurate records and information to demonstrate its compliance with this clause 1.5 and allow for audits by the Customer or the Customer's designated auditor.
1.6 The Customer does not consent to the Supplier appointing any third party processor of the Customer Personal Data or the Customer Data under this Processing Agreement. If the Customer does in the future consent to the Supplier appointing a third-party processor of the Customer Personal Data or the Customer Data under this Processing Agreement, the Supplier confirms that it will enter into a written agreement with the third-party processor incorporating terms which are substantially similar to those set out in this Processing Agreement. As between the Customer and the Supplier, the Supplier shall remain fully liable for all acts or omissions of any third-party processor appointed by it pursuant to this clause 1.6.
1.7 In the event of any loss or damage to any Customer Personal Data and Customer Data, the Customer’s sole and exclusive remedy shall be for the Supplier to use reasonable commercial endeavours to restore the lost or damaged Customer Personal Data and Customer Data from the latest back-up of such Customer Personal Data and Customer Data maintained by the Supplier.
1.8 If an amendment is required to this Processing Agreement in order to comply with the Data Protection Legislation, Applicable Laws or requirements set out by the Customer, the Customer will provide an amendment with the required changes to the Supplier. Both parties will work together in good faith to promptly execute a mutually agreeable amendment to this Processing Agreement reflecting the required amendment. In case the Supplier is not able to accommodate the requested changes, the Customer may terminate this Processing Agreement and the Main Agreement with fifteen days’ written notice.
1.9 No failure, delay or omission by either party in exercising any right, power or remedy provided by law or under this Processing Agreement shall operate as a waiver of that right, power or remedy, nor shall it preclude or restrict any future exercise of that or any other right or remedy. No single or partial exercise of any right, power or remedy provided by law or under this Processing Agreement shall prevent any future exercise of it or the exercise of any other right, power or remedy.
1.10 In case of conflict, the terms of this Processing Agreement shall prevail over the terms of the Main Agreement.
1.11 This Processing Agreement and any dispute or claim arising out of, or in connection with it, its subject matter or formation (including non-contractual disputes or claims) shall be governed by, and construed in accordance with, the laws of England and Wales.
1.12 The parties irrevocably agree that the courts of England and Wales shall have exclusive jurisdiction to settle any dispute or claim arising out of, or in connection with, this Processing Agreement, its subject matter or formation (including non-contractual disputes or claims).
Schedule – Processing, Personal Data and Data Subjects
1. Processing by the Supplier
1.1 Scope, nature and purpose of processing
The scope, nature and purpose of the processing is the provision of goods and/or services by the Supplier to the Customer under the Main Agreement.
1.2 Duration of the processing
The duration of the processing corresponds to the duration of the Main Agreement.
2. Types of Personal Data
- Identity Data including first name, maiden name, last name, username or similar identifier, marital status and dependents, title, date of birth, gender, next of kin and emergency contact information, National Insurance number and copy of driving licence.
- Contact Data including billing address, delivery address, email address and telephone numbers.
- Financial Data including bank account and payment card details.
- Transaction Data including details about payments to and from the Data Subject and other details of goods and services the Data Subject has purchased.
- Technical Data including internet protocol (IP) address, the Data Subject’s login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices the Data Subject uses to access the website of the Customer or another Data Controller.
- Profile Data including the Data Subject’s username and password, purchases or orders made by the Data Subject, the Data Subject’s interests, preferences, feedback and survey responses.
- Usage Data including information about how the Data Subject uses the website of the Customer or another Data Controller, goods and services.
- Marketing and Communications Data including the Data Subject’s preferences in receiving marketing from the Customer or another Data Controller (and third parties) and the Data Subject’s communication preferences.
- Employment Data including:
- Bank account details, payroll records and tax status information.
- Salary, annual leave, pension and benefits information.
- Start date.
- Location of employment or workplace.
- Recruitment information (including copies of right to work documentation, references and other information included in a CV or cover letter or as part of the application process).
- Employment records (including job titles, work history, working hours, training records and professional memberships).
- Compensation history.
- Performance information.
- Disciplinary and grievance information.
- CCTV footage and other information obtained through electronic means such as swipecard records.
- Information about the Data Subject’s use of the information and communications systems of the Customer or another Data Controller.
- Special Categories of more “sensitive personal information” including:
- Information about the Data Subject’s race or ethnicity, religious beliefs, sexual orientation and political opinions.
- Trade union membership.
- Information about the Data Subject’s health, including any medical condition, health and sickness records.
- Genetic information and biometric data.
- Information about criminal convictions and offences.
3. Categories of Data Subject
- The Customer’s employees (including temporary or casual workers and applicants).
- Another Data Controller’s employees (including temporary or casual workers and applicants).
- The Customer’s group companies’ employees (including temporary or casual workers and applicants).
- The Customer’s customers and potential customers.
- Another Data Controller’s customers and potential customers.
- Employees of the Customer’s customers and potential customers.
- Employees of another Data Controller’s customers and potential customers.
- The Customer’s business partners.
- Another Data Controller’s business partners.
- Employees of the Customer’s business partners.
- Employees of another Data Controller’s business partners.
- The Customer’s visitors.
- Another Data Controller’s visitors.
- The Customer’s suppliers and sub-contractors.
- Another Data Controller’s suppliers and sub-contractors.
- Employees of the Customer’s suppliers and sub-contractors.
- Employees of another Data Controller’s suppliers and sub-contractors.
- The Customer’s agents, consultants and other professional experts and consultants.
- Another Data Controller’s agents, consultants and other professional experts and consultants.
- Individuals identified in documents processed by the Customer in providing goods or services to its customers.