CLAUSES FOR TRANSFER OF DATA FROM CONTROLLER TO INTEGRITY SOFTWARE SYSTEMS LIMITED (“INTEGRITY”) AS PROCESSOR – WITHIN THE EEA
1.1. Controller, Processor, Data Subject, Personal Data, processing and appropriate technical and organisational measures: as set out in the Data Protection Legislation in force at the time;
1.2. Data Protection Legislation: (a) any law, statute, declaration, decree, directive, legislative enactment, order, ordinance, regulation, rule or other binding restriction (as amended, consolidated or re-enacted from time to time) which relates to the protection of individuals with regard to the Processing of Personal Data to which a Party is subject, including in respect of Integrity, all legislation enacted in the UK in respect of the protection of personal data (such as the Data Protection Act 2018, the Privacy and Electronic Communications (EC Directive) Regulations 2003) and (b) any code of practice or guidance published by the ICO (or equivalent regulatory body) from time to time and until the expiry of the Implementation Period, the GDPR and the Privacy and Electronic Communications Directive 2002/58/EC.
1.3. Data Subject Request: means an actual or purported request or notice or complaint from or on behalf of a Data Subject exercising rights under the Data Protection Legislation in relation to Personal Data;
1.4. GDPR: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and repealing Directive 95/46/EC (General Data Protection Regulation) OJ L 119/1, 4.5.2016;
1.5. ICO: means the UK Information Commissioner's Office, or any successor or replacement body from time to time.
1.6. Implementation Period: means the implementation period as that is defined under the European Union (Withdrawal Agreement) Act 2020.
2. DATA PROTECTION
2.1. Both parties will comply with all applicable requirements of the Data Protection Legislation. This clause 2 is in addition to, and does not relieve, remove or replace, a party's obligations under the Data Protection Legislation. In this clause 2, Applicable Laws means (for so long as and to the extent that they apply to Integrity) the law of the European Union, the law of any member state of the European Union and any data protection legislation from time to time in force in the UK and any other law that applies in the UK.
2.2. The parties acknowledge that for the purposes of the Data Protection Legislation, where Personal Data is provided by the Client to Integrity for installation or support purposes, the Client is the Controller and Integrity is the Processor and these Clauses 2 and 3 and Schedule 1 relate to the processing by Integrity of such Personal Data.
2.3. Schedule 1 (Data Processing Particulars) sets out the subject matter and scope, nature and purpose of processing by Integrity, the duration of the processing and the types of Personal Data and categories of Data Subject (Data Processing Particulars). Both parties agree that Schedule 1 (Data Processing Particulars) is an accurate description of the Data Processing Particulars.
2.4. Without prejudice to the generality of clause 2.1, the Client will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the Personal Data to Integrity for the duration and purposes of this Agreement.
3. INTEGRITY’S OBLIGATIONS
3.1. Without prejudice to the generality of clause 2.1, Integrity shall, in relation to any Personal Data processed in connection with the performance by Integrity of its obligations under this Agreement:
3.1.1. process that Personal Data only on the written instructions of the Client for the purposes of performing its obligations under the Agreement unless Integrity is required by Applicable Laws to otherwise process that Personal Data. If Integrity reasonably believes that the written instructions from the Client infringe any Applicable Law, it shall notify promptly the Client accordingly. Where Integrity is relying on laws of a member of the European Union or European Union law as the basis for processing Personal Data, Integrity shall promptly notify the Client of this before performing the processing required by the Applicable Laws unless those Applicable Laws prohibit Integrity from so notifying the Client;
3.1.2. keep a record of any processing that it carries out on behalf of the Client;
3.1.3. not disclose Personal Data to a third party (including any subcontractor) without the prior written consent of the Client (save where Integrity is prevented by law from notifying the Client in advance of disclosure, in which case it shall use reasonable endeavours to notify the Client as soon as reasonably practicable);
3.1.4. ensure that it has in place appropriate technical and organisational measures, reviewed and approved by the Client, to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymising and encrypting Personal Data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it);
3.1.5. ensure that access to Personal Data is limited to those employees who need access to Personal Data to meet Integrity’s obligations under this Agreement and that all employees are informed of the confidential nature of Personal Data and are obliged to keep it confidential;
3.1.6. promptly following a request from the Client, allow its data processing facilities, procedures and documentation to be reviewed and audited by the Client (and/or its representatives, including auditors) and promptly respond to requests to provide, and so provide, such assistance, and co-operation to the Client as it may reasonably request to enable it to review, confirm and audit Integrity’s compliance with clauses 2 and 3 of this Agreement;
3.1.7. not transfer any Personal Data outside of the United Kingdom or European Economic Area;
3.1.8. in relation to the Personal Data processed by Integrity on behalf of the Client, assist the Client, at the Client’s cost,
(a) in responding to any request from a Data Subject; and
(b) in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators;
3.1.9. at the written direction of the Client, delete or return Personal Data and copies thereof to the Client unless required by Applicable Law to store the Personal Data.
3.2. Upon the earlier of the
3.2.1. Expiry or termination of the Agreement, or
3.2.2. The date upon which the Personal Data is no longer necessary for or relevant to the purpose for which it was transferred to Integrity,
cease processing the Personal Data and delete all Personal Data (including copies) to the Client.
Data Processing Particulars
The subject matter and duration of the Processing
Integrity shall not hold access passwords to the Personal Data. Access to the Personal Data shall be granted by the Client.
In respect of Processing for the purpose of loading, Personal Data will be Processed for the duration of the data loading process and then destroyed.
In respect of Processing for the purpose of provision of support services, Personal Data will be anonymised before or at the time of extraction. No Personal Data will be Processed by Integrity which has not been anonymised.
In respect of Processing for the purpose of hosting, Personal Data will be Processed for only so long as necessary for the provision of hosting services.
The nature and purpose of the Processing
The nature of the Processing shall include retrieval, storage, use, consultation, disclosure by transmission, erasure.
The purpose of the Processing is to:
The type of Personal Data being Processed
Any type of Personal Data which may be controlled by the Client and held within the software environment from time to time which may include identity, contact, technical, financial, family or social data
The categories of Data Subjects
Any individuals which are the employees, representatives, contractors, agents or other persons associated with the Client and its customers or suppliers and any individuals identified or identifiable in data held within the Client’s software environment