Data Processing Agreement
We: South West Growth Service Limited
You: the organisation whom we provide data processing services to
Data Protection Legislation: Prior to 25 May 2018, the Data Protection Act 1998 and after that date (i) unless and until the General Data Protection Regulation ((EU) 2016/679) (“GDPR”) is no longer directly applicable in the UK, the GDPR and any national implementing laws, regulations and secondary legislation, as amended or updated from time to time, in the UK and then (ii) any successor legislation to the GDPR or the Data Protection Act 1998.
Personal data, data controller, data processor, data subject and processing have the meanings respectively set out in the Data Protection Act 1998 (prior to 25 May 2018) and the GDPR (on or after 25 May 2018, provided that “data controller” and “data processor” shall have the meaning set out for “controller” and “processor” respectively).
1. Data protection and IT Security
1.2 The parties acknowledge that for the purposes of the Data Protection Legislation, we are the data processor and you are the data controller. The parties shall ensure that they complete a data processing register (if necessary) which details the scope, nature, duration and purpose of the processing prior to the transfer of any personal data.
1.3 You shall ensure that you have all necessary consents or have complied with another processing condition and have the appropriate notices in place to enable the lawful transfer of personal data to us for the duration and for the purposes of this agreement.
1.4 We warrant that to the extent we process any personal data on your behalf we shall:
(a) act only on your instructions;
(b) have in place appropriate technical and organisational security measures (which may be subject to approval by against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data. Such measures shall be appropriate to the harm that might result from the unauthorised or unlawful processing;
(c) ensure all personnel who have access to the personal data are obliged to keep it confidential;
(d) assist you to respond to a data subject’s request to enforce their rights of subject access, rectification, erasure and any other rights conferred by the Data Protection Legislation;
(e) assist you if requested with respect to security, breach notifications, impact assessments and any investigations by a supervisory authority or regulator;
(f) notify you without undue delay in the event of a data security breach and assist you with any investigations;
(g) at your direction delete or return to you all personal data and copies on termination unless required by law to retain the same; and
(h) maintain complete and accurate records to demonstrate our compliance with this clause and allow for reasonable audits by you.
1.5 We shall not appoint a third-party processor without your prior written consent. We shall ensure that any third-party processor will enter into an agreement with the same or substantially similar terms in relation to the Data Protection Legislation.
1.6 We will not transfer any personal data outside the EU unless your prior consent has been obtained and, if required by applicable law, we and the sub-processor will enter into a data transfer agreement that is consistent with the requirements of applicable law. The Company shall also ensure that:
(a) appropriate safeguards have been provided;
(b) the data subjects have enforceable rights and effective legal remedies in relation to any transferred personal data; and
(c) there are adequate levels of protection in relation to any personal data that is transferred.