Data Processing Schedule
1 Processing of personal data
1.1 In this clause 1:
Controller, Data Subject, Personal Data, Processor and processing shall have the respective meanings given to them in applicable Data Protection Laws from time to time (and related expressions, including process, processed, processing, and processes shall be construed accordingly) and international organisation and Personal Data Breach shall have the respective meanings given to them in the GDPR;
Customer means the person or company to which the Supplier is providing cleaning services;
Data Protection Laws means, as binding on either of the Supplier or Customer:
– the Directive 95/46/EC (Data Protection Directive) and/or Data Protection Act 1998 or the GDPR;
– any laws which implement any such laws; and
– any laws that replace, extend, re-enact, consolidate or amend any of the foregoing;
GDPR means the General Data Protection Regulation (EU) 2016/679;
Protected Data means Personal Data and Sensitive Personal Data received from the Customer or on its behalf in connection with the performance of the Supplier’s obligations to the Customer;
Sub-Processor means any agent, subcontractor or other third party (excluding its employees) engaged by the Supplier for carrying out any processing activities on its behalf in respect of the Protected Data; and
Sensitive Personal Data or “special categories of data” includes
• information about a person’s physical or mental health or condition
• racial or ethnic origin or religious or similar information
• political opinions
• information about a person’s sexual life
• information about a person’s criminal record or criminal proceedings
• whether a person is a trade union member or not
• biometric information (such as that used for security purposes to access the workplace)
• genetic information (such as information about a genetically inherited illness)
Services means the services provided to the Customer by the Supplier from time to time; and
Supplier means Privilged Properties Limited.
Compliance with Data Protection Laws
1.2 Both parties agree that the Customer is a Controller and that the Supplier is a Processor for the purposes of processing Protected Data pursuant to this Agreement. The Customer shall at all times comply with all Data Protection Laws in connection with the processing of Protected Data. The Customer shall ensure all instructions given by it to the Supplier in respect of Protected Data (including the terms of this Agreement) shall at all times be in accordance with Data Protection Laws.
1.3 The Supplier shall process Protected Data in compliance with the obligations placed on it under Data Protection Laws and the terms of this Agreement.
1.4 The Customer shall indemnify and keep indemnified the Supplier against all losses, claims, damages, liabilities, fines, sanctions, interest, penalties, costs, charges, expenses, compensation paid to Data Subjects, demands and legal and other professional costs (calculated on a full indemnity basis and in each case whether or not arising from any investigation by, or imposed by, a supervisory authority) arising out of or in connection with any breach by the Customer of its obligations under this clause 1.
1.5 Clauses 1.6.2, 1.10, 1.12 and 1.13 shall apply from when the GDPR applies on 25 May 2018, but not earlier.
1.6 The Supplier shall:
1.6.1 only process (and shall ensure any of its personnel only process) the Protected Data in accordance with the Appendix and this Agreement (and not otherwise unless alternative processing instructions are agreed between the parties in writing) except where otherwise required by applicable law (and shall inform the Customer of that legal requirement before processing, unless applicable law prevents it doing so on important grounds of public interest); and
1.6.2 without prejudice to clause 1.2, if the Supplier believes that any instruction received by it from the Customer is likely to infringe the Data Protection Laws it shall promptly inform the Customer and be entitled to cease to provide the relevant Services until the parties have agreed appropriate amended instructions which are not infringing.
1.7 Taking into account the state of technical development and the nature of processing, the Supplier shall implement and maintain the technical and organisational measures set out in Part B of the Appendix to protect the Protected Data against accidental, unauthorised or unlawful destruction, loss, alteration, disclosure or access.
Sub-processing and personnel
1.8 The Supplier shall:
1.8.1 not permit any processing of Protected Data by any agent, subcontractor or other third party (except its or its Sub-Processors’ own employees in the course of their employment that are subject to an enforceable obligation of confidence with regards to the Protected Data) without the prior written authorisation of the Customer;
1.8.2 prior to the relevant Sub-Processor carrying out any processing activities in respect of the Protected Data, appoint each Sub-Processor under a written contract containing materially the same obligations as under this clause 1 that is enforceable by the Supplier and ensure each such Sub-Processor complies with all such obligations;
1.8.3 remain fully liable to the Customer under this Agreement for all the acts and omissions of each Sub-Processor as if they were its own; and
1.8.4 ensure that all persons authorised by the Supplier or any Sub-Processor to process Protected Data are subject to a binding written contractual obligation to keep the Protected Data confidential.
1.9 From time to time, for the Customer’s benefit, the Customer may authorise the Supplier to obtain support from other consultants or professionals. The Supplier shall only share data with these approved consultants or professionals in such circumstances where it has the authority from the Customer to do so.
1.10 The Supplier shall (at the Customer’s cost):
1.10.1 assist the Customer in ensuring compliance with the Customer’s obligations pursuant to Articles 32 to 36 of the GDPR (and any similar obligations under applicable Data Protection Laws) taking into account the nature of the processing and the information available to the Supplier; and
1.10.2 taking into account the nature of the processing, assist the Customer (by appropriate technical and organisational measures), insofar as this is possible, for the fulfilment of the Customer’s obligations to respond to requests for exercising the Data Subjects’ rights under Chapter III of the GDPR (and any similar obligations under applicable Data Protection Laws) in respect of any Protected Data.
1.11 The Supplier shall not process and/or transfer, or otherwise directly or indirectly disclose, any Protected Data in or to countries outside the United Kingdom or to any international organisation without the prior written consent of the Customer.
Audits and processing
1.12 The Supplier shall, in accordance with Data Protection Laws, make available to the Customer at the Customer’s cost such information that is in its possession or control as is necessary to demonstrate the Supplier’s compliance with the obligations placed on it under this clause 1 and to demonstrate compliance with the obligations on each party imposed by Article 28 of the GDPR (and under any Data Protection Laws equivalent to that Article 28), and allow for and contribute to audits, including inspections, by the Customer (or another auditor mandated by the Customer) for this purpose (subject to a maximum of one audit request in any 12 month period under this clause 1.12).
1.13 The Supplier shall notify the Customer without undue delay and in writing on becoming aware of any Personal Data Breach in respect of any Protected Data.
1.14 At the end of the provision of the Services relating to the processing of Protected Data, at the Customer’s cost and the Customer’s option, the Supplier shall either return all of the Protected Data to the Customer or securely dispose of the Protected Data (and thereafter promptly delete all existing copies of it) except to the extent that any applicable law requires the Supplier to store such Protected Data. This clause 1 shall survive termination or expiry of this Agreement.
The Appendix – Part A
Data processing details
Processing of the Protected Data by the Supplier under this Agreement shall be for the subject-matter, duration, nature and purposes, and involve the types of personal data and categories of Data Subjects set out in this Part A.
1 Subject-matter of processing:
To maintain customer records in order to provide an appropriate cleaning service.
2 Duration of the processing:
During the contract between the Supplier and the Customer. Data will be retained thereafter for the purposes of evidencing the service given for a period of 6 years.
3 Nature and purpose of the processing:
Processing will either be necessary to perform and administer the contract the Supplier has entered into with the Customer or arise as a result of a legal obligation on the Customer or Supplier or the processing will be necessary in the legitimate interests of the Supplier.
4 Type of Personal Data:
• Personal contact details such as name, title, addresses, telephone numbers, and personal email addresses or company email addresses;
• Date of birth;
• Sensitive Personal Data (as defined in the Schedule);
• Any other data disclosed to the Supplier by the Customer in order for the Supplier to carry out its services to the Customer.
5 Categories of Data Subjects:
Employees, workers, self-employed contractors, job applicants, volunteers, interns, suppliers, and those on work experience.
6 Specific processing instructions:
These will be issued by the Customer to the Supplier on a case by case basis in relation to individual instructions given under this Agreement.
The Appendix – Part B
Technical and organisational security measures
1 The Supplier shall implement and maintain the following technical and organisational security measures to protect the Protected Data:
1.1 In accordance with the Data Protection Laws, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing of the Protected Data to be carried out under or in connection with this Agreement, as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons and the risks that are presented by the processing, especially from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to the Protected Data transmitted, stored or otherwise processed, the Supplier shall implement technical and organisational security measures appropriate to the risk, including as appropriate those matters mentioned in Articles 32(a) to 32(d) (inclusive) of the GDPR and without limitation:
• Staff are trained in relation to the importance of privacy and data security;
• Electronic files can only be accessed by appropriate employees;
• Not using USB or other devices to store data;
• Files in lockable offices that only management have access to;
• Attachments to emails are password protected where they contain personal data;
• Verification of recipients of emails before they are sent;
• Verification of callers before anything is discussed over the telephone;