Data Protection Agreement
All Suppliers, where they are acting as processor or sub-processor (each as defined in the Data Protection Act 2018 and Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, together with any amendment, consolidation, re-enactment or replacement from time to time (“Data Protection Legislation”)), shall only process Personal Data to the extent, and in such a manner, as is necessary for the purpose of any applicable agreement with ACS, and at all times in accordance with the controller’s and/or ACS’s (as applicable) written instructions and in accordance with Data Protection Legislation. If, in the Supplier’s opinion, an instruction from the controller would not comply with Data Protection Legislation, the Supplier must promptly notify ACS and/or the controller.
The Supplier must:
1. promptly comply with any request or instruction requiring the Supplier to amend, transfer, delete or otherwise process the Personal Data, or stop, mitigate or remedy any unauthorised processing;
2. maintain confidentiality of all Personal Data and not disclose Personal Data to third parties unless any applicable agreement specifically authorises the disclosure, or as required by law;
3. assist with meeting compliance obligations under Data Protection Legislation (including Data Subject rights, data protection impact assessments and reporting to and consulting with supervisory authorities as required);
4. promptly notify ACS of any changes to Data Protection Legislation that may adversely affect its performance under any applicable agreement;
5. ensure that its employees (including agency workers, temporary workers and contractors) are informed of the confidential nature of the Personal Data, are bound by obligations and use restrictions in respect of it, have undertaken training on Data Protection Legislation relating to handling Personal Data and how it applies to their duties, and are aware of the Supplier’s duties and of their own personal duties and obligations;
6. conduct background checks consistent with applicable law on all individuals with access to the Personal Data;
7. implement appropriate technical and organisational measures against unauthorised or unlawful processing, access, disclosure, copying, modification, storage, reproduction, display or distribution of Personal Data, and against accidental or unlawful loss, destruction, alteration, disclosure or damage of Personal Data;
8. implement such measures to ensure a level of security appropriate to the risk involved;
9. notify ACS without undue delay if any Personal Data is lost or destroyed or becomes damaged, corrupted or unusable, and restore such Personal Data at its own expense;
10. immediately notify if it becomes aware of any accidental, unauthorised or unlawful processing of the Personal Data or any Personal Data breach, providing all information and full cooperation;
11. not inform any third party of any Personal Data breach without obtaining prior written consent, unless required by law;
12. cover all expenses associated with its performance of its obligations under these provisions;
13. not transfer or otherwise process Personal Data outside the European Economic Area (EEA) without prior written consent, and where such consent is granted, only process, or permit the processing outside the EEA if such territory is deemed to provide adequate protection for the privacy rights of individuals, for example, it is subject to a current finding by the European Commission that it does;
14. execute any standard contractual clauses (SCCs) required to comply with Data Protection Legislation and to legitimise any transfer (where Personal Data is exported to the Supplier outside the EEA);
15. obtain prior written consent to authorise subcontractors or other third parties to process the Personal Data;
16. enter into a written contract with any subcontractor containing terms substantially similar to those set out in this provision, and upon request provide copies of such contracts;
17. maintain control over all Personal Data it entrusts to any subcontractor and, if the applicable agreement terminates for any reason, ensure that the related contract with the subcontractor automatically terminates;
18. ensure that the subcontractor fulfils its obligations under an appropriate written agreement, and remains fully liable for the subcontractor’s performance of its data protection obligations;
19. on written request, audit a subcontractor’s compliance with its obligations regarding the Personal Data, and provide audit results;
20. at no additional cost, take such technical and organisational measures as may be appropriate to comply with the rights of Data Subjects (as defined under Data Protection Legislation), including subject access rights, the rights to rectify and erase Personal Data, object to the processing and automated processing of Personal Data, and restrict the processing of Personal Data, and to comply with any information or assessment notices served by any supervisory authority;
21. notify ACS immediately if it receives any complaint, notice or communication that relates directly or indirectly to the processing of the Personal Data or to either party’s compliance with Data Protection Legislation;
22. notify ACS immediately, and in any event within 48 hours, if it receives any Data Subject Access Request under Data Protection Legislation;
23. give full cooperation and assistance in responding to any complaint, notice, communication or Data Subject request;
24. not disclose the Personal Data to any Data Subject or to a third party other than on request or instruction, as provided for in any applicable agreement, or as required by law;
25. upon request, provide a copy of or access to all or part of the Personal Data in its possession or control in the format and on the media reasonably specified;
26. on termination or expiry of any applicable agreement for any reason, securely delete or destroy (or, if directed in writing, return) all Personal Data related to the applicable agreement in its possession or control, and not retain any of it (unless retention is required by law, in which event it shall notify ACS of the reasons and legal basis for such retention);
27. certify in writing that it has destroyed the Personal Data after it completes any such destruction following termination or expiry of any applicable agreement for any reason;
28. keep detailed, accurate and up-to-date written records regarding any processing of Personal Data, including but not limited to the access, control and security of the Personal Data, approved subcontractors and affiliates, the processing purposes, categories of processing, any transfers of Personal Data to a third country and the related safeguards, and a general description of the technical and organisational security measures it has implemented and uses, and provide such records on request;
29. permit third party representatives to audit its compliance with its obligations, on reasonable notice (except where there is an actual or suspected breach, in which case no notice is required), and give all necessary assistance in relation to such audits, including but not limited to: physical access to, remote electronic access to, and copies of relevant records and any other information held on the Supplier’s premises storing Personal Data; access to the Supplier’s personnel as reasonably necessary to provide explanations and perform the audit effectively; and inspection of all records and of the infrastructure, electronic data or systems, facilities, equipment or application software used to store, process or transport Personal Data;
30. if it becomes aware of a breach of its obligations under Data Protection Legislation, conduct its own audit to determine the cause, produce a written report detailing the deficiencies found and its plans to remedy them, provide that written audit report to ACS, and remedy any deficiencies identified by the audit within 7 days;
31. conduct site audits of its Personal Data processing practices and the information technology and information security controls for all facilities and systems used in complying with its obligations under any applicable agreement in accordance with best industry practices, promptly addressing any corrective action required, and shall make any relevant audit reports available on request;
32. ensure its employees, subcontractors, partners, affiliates, agents and any other person accessing Personal Data on its behalf are reliable and trustworthy and have received the required training relating to it;
33. process Personal Data in compliance with Data Protection Legislation and all other applicable legislation (including enactments, regulations, orders, standards and similar instruments);
34. ensure that its intended use of the Personal Data for the purposes of any applicable agreement, as specifically instructed, complies with the Data Protection Legislation; and
35. indemnify, keep indemnified and defend at its own expense the controller and/or ACS (including its affiliates as applicable) against all costs, claims, damages or expenses (including all legal fees) incurred by the controller and/or ACS, or for which the controller and/or ACS may become liable, due to any failure by the Supplier or its employees, subcontractors, partners, affiliates or agents to comply with any of its obligations set out above or under Data Protection Legislation (and no limitation of liability shall apply to this indemnity in any circumstances).