Supplier Data Processing Agreement

 Data Protection Agreement

All Suppliers, where they are acting as processor or sub-processor under the UK Data Protection Act 2018 (as amended from time to time) (“the Act”), shall only process Personal Data (as defined under the Act) to the extent, and in such a manner, as is necessary for the purpose of any applicable agreement with ACS, and at all times in accordance with the controller’s and/or ACS’s (as applicable) written instructions and in accordance with the Act. If, in the Supplier’s opinion, the controller’s instruction would not comply with the Act, it must promptly notify ACS and/or the controller.

The Supplier must:

• promptly comply with any controller and/or ACS request or instruction requiring the Supplier to amend, transfer, delete or otherwise process the Personal Data, or stop, mitigate or remedy any unauthorised processing;

• maintain confidentiality of all Personal Data and not disclose Personal Data to third parties unless any applicable agreement specifically authorises the disclosure, or as required by law;

• assist the controller and/or ACS with meeting the controller’s and/or ACS’s compliance obligations under the Act (including Data Subject rights as defined under the Act, data protection impact assessments and reporting to and consulting with supervisory authorities as required under the Act);

• promptly notify the controller and/or ACS or any changes to the Act that may adversely affect its performance under any applicable contract;

• inform its employees (including agency workers, temporary workers and contractors) of the confidential nature of the Personal Data and are bound by obligations and use restrictions in respect of it, have undertaken training on the Act relating to handling Personal Data and how it applies to their duties, and are aware of the Supplier’s duties and their personal duties and obligations under the Act;

• conduct background checks consistent with applicable law on all individuals with access to the Personal Data;

• implement appropriate technical and organisational measures against unauthorised or unlawful processing, access, disclosure, copying, modification, storage, reproduction, display or distribution of Personal Data, and against accidental or unlawful loss, destruction, alteration, disclosure or damage of Personal Data;

• implement such measures to ensure a level of security appropriate to the risk involved;

• promptly and without undue delay notify the controller and/or ACS if any Personal Data is lost or destroyed or becomes damaged, corrupted or unusable, and restore such Personal Data at its own expense;

• immediately notify the controller and/or ACS if it becomes aware of any accidental, 2 | P a g e unauthorised or unlawful processing of the Personal Data or any Personal Data breach, and provide all information on it, fully cooperating with the controller and/or ACS;

• not inform any third party of any Personal Data breach without obtaining the controller’s and/or ACS’s prior written consent, unless required by law;

• cover all expenses associated with its performance of its obligations under these provisions;

• not transfer or otherwise process Personal Data outside the European Economic Area (EEA) without the controller’s and/or ACS’s prior written consent, and where such consent is granted, only process, or permit the processing outside the EEA if such territory is deemed to provide adequate protection for the privacy rights of individuals, for example, it is subject to a current finding by the European Commission that it does;

• execute any SCCs in order to comply with the Act and legitimise any transfer (where the controller and/or ACS is exporting Personal Data to the Supplier outside the EEA);

• only authorise subcontractors or other third parties to process the Personal Data if the controller and/or ACS has provided its prior written consent;

• enter into a written contract with any subcontractor containing terms substantially similar to those set out in this provision, and upon request provide the controller and/or ACS with copies of such contracts;

• maintain control over all Personal Data it entrusts to any subcontractor and if the contract with the controller and/or ACS terminates for any reason, ensure the contract with the subcontractor automatically terminates;

• ensure that the subcontractor fulfils its obligations under an appropriate written agreement, and remains fully liable to the controller and/or ACS for the subcontractor’s performance of its data protection obligations;

• on the controller’s and/or ACS’s written request, the Supplier will audit a subcontractor’s compliance with its obligations regarding the controller’s and/or ACS’s Personal Data, and provide the controller and/or ACS with the audit results;

• at no additional cost, take such technical and organisational measures as may be appropriate, and promptly provide such information to the controller and/or ACS as the controller and/or ACS may reasonably require, to enable the controller and/or ACS to comply with the rights of Data Subjects (as defined under the Act), including subject access rights, the rights to rectify and erase Personal Data, object to the processing and automated processing of Personal Data, and restrict the processing of Personal Data, and to comply with any information or assessment notices served on the controller and/or ACS by any supervisory authority under the Act;

• notify the controller and/or ACS immediately if the Supplier receives any complaint, notice or communication that relates directly or indirectly to the processing of the Personal Data or to either party’s compliance under the Act; • notify the controller and/or ACS immediately within 48 hours if it receives a request from a Data Subject for access to their Personal Data or to exercise any of their related 3 | P a g e rights under the Act;

• give the controller and/or ACS its full cooperation and assistance in responding to any complaint, notice, communication of Data Subject request;

• not disclose the Personal Data to any Data Subject or to a third party other than at the controller’s and/or ACS’s request or instruction, as provided for in any applicable agreement or as required by law;

• at the controller’s and/or ACS’s request, give the controller and/or ACS a copy of or access to all or part of the controller’s and/or ACS’s Personal Data in its possession or control in the format and on the media reasonably specified by the controller and/or ACS;

• on termination or expiry of any applicable agreement for any reason, securely delete or destroy or, if directed in writing by the controller and/or ACS, return and not retain all or any Personal Data related to the applicable agreement in its possession or control (unless otherwise required by law, and in such event, it shall notify the controller and/or ACS the reasons and legal basis for such retention);

• certify in writing that it has destroyed the Personal Data after it completes any such destruction following termination or expiry of any applicable agreement for any reason; • keep detailed, accurate and up-to-date written records regarding any processing of Personal Data it carries out for the controller and/or ACS, including but not limited to the access, control and security of the Personal Data, approved subcontractors and affiliates, the processing purposes, categories of processing, any transfers of personal data to a third country and related safeguards, and a general description of the technical and organisational security measures it has implemented and uses, and provide such records to the controller and/or ACS on request;

• permit the controller and/or ACS and its third party representatives to audit the Supplier’s compliance with its obligations, on reasonable notice (unless there is an actual breach or the controller and/or ACS suspects a breach when such notice shall not be required), and the Supplier will give all necessary assistance in relation to such audits, including but not limited to physical access to, remote electronic access to, and copies of relevant records, and any other information held on the Supplier’s premises storing Personal Data, access to the Supplier’s personnel reasonably necessary to provide all explanations and perform the audit effectively, and inspection of all records and the infrastructure, electronic data or systems, facilities, equipment or application software used to store, process or transport Personal Data;

• if becoming aware of a breach of its obligations under the Act, the Supplier will conduct its own audit to determine the cause, produce a written report detailing deficiencies and plans to remedy them, provide the controller and/or ACS with such written audit report, and remedy any deficiencies identified by the audit within 7 days;

• conduct site audits of its Personal Data processing practices and the information technology and information security controls for all facilities and systems used in 4 | P a g e complying with its obligations under any applicable agreement in accordance with best industry practices, promptly addressing any corrective action required, and shall make any relevant audit reports available to the controller and/or ACS on request;

• ensure its employees, subcontractors, partners, affiliates, agents and any other person accessing Personal Data on its behalf are reliable and trustworthy and have received the required training relating to it;

• process Personal Data in compliance with the Act and all other applicable legislation (including enactments, regulations, orders, standards and similar instruments);

• ensure the expected use of the Personal Data for the purposes under any applicable agreement as specifically instructed by the controller and/or ACS will comply with the Act; and

• indemnify and keep indemnified and defend at its own expense the controller and/or ACS (including its affiliates as applicable) against all costs, claims, damages or expenses (including all legal fees) incurred by the controller and/or ACS for which the controller and/or ACS may become liable due to any failure by the Supplier or its employees, subcontractors, partners, affiliates or agents to comply with any of its obligations set out above or under the Act (without any limitation of liability which shall not apply in any circumstances).

  • DEDICATED ACCOUNT MANAGERS
  • NO OBLIGATIONS
  • 25 YEARS EXPERIENCE
  • AVAILABLE 24/7

Email Us

Callback