DATA PROTECTION SCHEDULE TO THE TERMS AND CONDITIONS
“Agreement”: The request for Services by the Instructing Party of the Expert based upon the terms and conditions.
“Data Protection Laws”: All applicable data protection law, including the General Data Protection Regulation ((EU) 2016/679 (“GDPR”)), read in conjunction with and subject to any applicable national legislation that provides for specifications or restrictions of the GDPR’s rules, including if applicable the UK Data Protection Act 2018, the Privacy and Electronic Communications (EC Directive) Regulations 2003 and any other sector specific data protection law, and applicable superseding or replacement legislation.
1. Both parties will comply with all applicable requirements of Data Protection Laws. This Data Protection Schedule (“Schedule”) is in addition to, and does not relieve, remove or replace, a party’s obligations or rights under Data Protection Laws.
2. The parties acknowledge that:
2.1 if the Expert processes any personal data on the Instructing Party’s behalf when performing its obligations under this Agreement, the Instructing Party is the controller and the Expert is the processor for the purposes of Data Protection Laws; and
2.2 the personal data may be transferred or stored outside the EEA or the country where the Instructing Party is located in order to carry out the Services and the Expert’s other obligations under this Agreement.
3. Without prejudice to the generality of this Schedule, the Instructing Party will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the personal data to the Expert for the duration and purposes of this Agreement so that the Expert may lawfully use, process and transfer the personal data in accordance with this Agreement on the Instructing Party’s behalf.
4. Without prejudice to the generality of this Schedule, the Expert shall, in relation to any personal data processed in connection with the performance by the Expert of its obligations under this Agreement:
4.1 process the personal data only in accordance with this Agreement and the documented instructions of the Instructing Party;
4.2 implement appropriate technical and organisational measures to protect the personal data against unauthorised or unlawful processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm and risk which might result from any unauthorised or unlawful processing, accidental loss, destruction or damage to the personal data and having regard to the nature of the personal data which is to be protected;
4.3 only permit the personal data to be processed by persons who are bound by enforceable obligations of confidentiality and take steps to ensure such persons only act on the Expert’s instructions in relation to the processing;
4.4 remain entitled to appoint third party sub-processors. Where the Expert appoints a third party sub-processor, it shall, with respect to data protection obligations, ensure that the third party is subject to, and contractually bound by, at least the same obligations as the Expert;
4.5 notify the Instructing Party without undue delay after becoming aware that it has suffered a personal data breach;
4.6 at the Instructing Party’s cost, permit the Instructing Party to inspect and audit the Expert’s data processing activities to enable the Instructing Party to verify and/or procure that the Expert is complying with its obligations under this Schedule, and provided that such inspection and audit is carried out in accordance with applicable laws;
4.7 on the Instructing Party’s reasonable request and cost, assist the Instructing Party to respond to requests from data subjects who are exercising their rights under Data Protection Laws;
4.8 on the Instructing Party’s reasonable request and cost, assist the Instructing Party to comply with the Instructing Party’s obligations pursuant to Articles 32-36 of the GDPR (or such corresponding provisions of Data Protection Laws), comprising (if applicable): (i) notifying a supervisory authority that the Instructing Party has suffered a personal data breach; (ii) communicating a personal data breach to an affected individual; (iii) carrying out an impact assessment; and (iv) where required under an impact assessment, engaging in prior consultation with a supervisory authority; and
4.9 unless applicable law or regulation requires otherwise, upon termination of the Agreement delete all personal data provided by the Instructing Party to the Expert, or otherwise processed by the Expert in connection with this Agreement.
5. Either party may, at any time on not less than 30 days’ notice, revise this Schedule by replacing it with any applicable controller to processor standard clauses or similar terms forming part of an applicable certification scheme (which shall apply when imposed by attachment to this Schedule).
