Our data processing agreement
Our Data Protection Policy
We take our responsibilities in processing and protecting personal data very seriously and we are currently working on new processes and procedures within our organisation to ensure we maintain secure and compliant systems in accordance with the GDPR.
The personal information we hold is stored and processed securely in line with Cyber Essentials, the UK government's scheme of baseline cyber security controls. For more information about Cyber Essentials please visit: https://www.gov.uk/government/publications/cyber-essentials-scheme-overview
In the meantime, if you have any questions about our data protection, security or privacy policies, please contact us at GDPR@edgecumbe.co.uk or call our Data Protection Officer, Johannah Palmer, on 0117 3328 255.
Our Data Processing Agreement
1.1 Edgecumbe and yourselves have entered into a “Framework Service Agreement”, hereafter referred to as “the Main Agreement”.
1.2 Through the above-mentioned Main Agreement you are afforded access to Personal Data for which Edgecumbe is the “Data Processor” on behalf of its clients who shall be the Data Controllers.
1.3 Edgecumbe hereby assigns yourselves as the Sub-Processor to process Personal Data in accordance with the conditions of this Data Processing Agreement hereafter “the DPA”.
The following terms in this DPA shall have the following meaning:
“Applicable data privacy laws” means any national or internationally binding data privacy laws or regulations applicable at any time during the term of this DPA on, as the case may be, the Data Processor or the Sub-Processor.
“Applicable data privacy laws” includes the forthcoming European Union General Data Protection Regulation (GDPR) when it enters into force, on the 25th May 2018. Before the GDPR enters into force the national privacy law in which the Data Processor is established (the UK Data Protection Act 1998) shall be applicable to this DPA.
“Data Controller(s)” means the legal entity/entities which, under this DPA, determines the purposes and means of the processing of Personal Data;
“Data Processor” means the legal entity processing Personal Data on behalf of the Data Controller(s) under this DPA;
“Sub-Processor” means a third party subcontractor engaged by the Data Processor which, as part of the subcontractor’s role of delivering the services, will process Personal Data on behalf of the Data Controller.
“Personal Data” means any information relating to an identified or identifiable natural person;
“Process” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
3. Processing of Personal Data
3.1 The Sub-Processor undertakes to only process Personal Data in accordance with documented instructions communicated from time to time by the Data Processor. The Data Processor’s initial instructions to the Sub-Processor regarding the subject matter and duration of the processing, the nature and purpose of the processing, the type of Personal Data and categories of data subjects are set forth in this DPA.
3.2 The Sub-Processor shall, when processing Personal Data under this DPA, comply with any applicable data privacy laws and applicable recommendations by the Information Commissioner’s Office or other competent authorities. The Sub-Processor shall accept to make any changes and amendments to this DPA that are required under applicable data privacy laws.
3.3 The Sub-Processor shall assist the Data Processor in fulfilling its legal obligations under applicable data privacy laws, including but not limited to the Data Controller’s obligation to respond to requests for exercising the data subject’s rights to request information (register extracts) and for Personal Data to be corrected, blocked or erased at their request.
3.4 The Sub-Processor shall in addition not carry out any act that causes the Data Processor to act in breach of applicable data privacy laws.
3.5 The Sub-Processor shall immediately inform the Data Processor if the Sub-Processor does not have an instruction for how to process Personal Data in a particular situation or if an instruction provided under this DPA infringes applicable data protection laws.
3.6 If data subjects, competent authorities or any other third parties request information from the Sub-Processor regarding the processing of Personal Data covered by this DPA, the Sub-Processor shall refer such request to the Data Processor. The Sub-Processor may not in any way act on behalf of or as a representative of the Data Processor and may not, without prior instructions from the Data Processor, transfer or in any other way disclose Personal Data or any other information relating to the processing of Personal Data to any third party. In the event the Sub-Processor, according to applicable laws and regulations, is required to disclose Personal Data that the Sub-Processor processes on behalf of the Data Processor, the Sub-Processor shall be obliged to inform the Data Processor thereof immediately and request confidentiality in conjunction with the disclosure of the requested information.
4. Sub-processors to the Sub-Processor
4.1 The Sub-Processor may not engage further Sub-Processors without a prior specific or general written consent of the Data Processor. In the case of a general written consent the Sub-Processor shall inform the Data Processor of any intended changes concerning the addition or replacement of sub-processors, with a right for the Data Processor to object to such changes.
4.2 The Sub-Processor shall ensure that any approved Sub-Processors are bound by written agreements that require them to comply with the same data processing obligations as those contained in this DPA.
4.3 The Data Processor may request that the Sub-Processor audit its Sub-Processors or provide confirmation that such an audit has occurred, or, where available, obtain or assist the Data Processor in obtaining a third-party audit report concerning the Sub-Processor’s operations to ensure compliance with applicable data privacy laws. The Data Processor will also be entitled, upon written request, to receive copies of the relevant terms of the Sub-Processor’s agreements with its Sub-Processors that may process Personal Data.
4.4 The Sub-Processor shall remain fully liable to the Data Processor for the performance of its Sub-Processors’ obligations.
5. Transfer to third countries
5.1 The Sub-Processor may not, without the prior written consent of the Data Processor, transfer Personal Data outside the European Economic Area. If the Data Processor approves of such transfer, the parties shall enter into a binding agreement based on the applicable EU model clauses (Commission Decision on standard contractual clauses for the transfer of Data to third countries). Adherence to “the Privacy Shield Framework”, adopted by the European Commission on 12 July 2016, forms an alternative to the EU model clauses for Data Processors located in the U.S.
5.2 If the Data Processor approves of Sub-Processors located outside the European Economic Area, the Sub-Processor shall, in the Data Processor’s name and on its behalf, enter into a binding agreement with the legal entity located outside the European Economic Area based on the EU model clauses. Adherence to “the Privacy Shield Framework”, adopted by the European Commission on 12 July 2016, forms an alternative to the EU model clauses for Sub-Processors located in the U.S.
5.3 The Data Processor shall, with reasonable cause, be entitled to withdraw its consent to third country transfers provided under clause 5.1. In such case, the Sub-Processor shall immediately cease the transfer and shall, upon the Data Processor’s request, provide written confirmation of this.
6. Information security and confidentiality
6.1 The Sub-Processor shall, in order to assist the Data Processor to fulfil its legal obligations, including but not limited to security measures and privacy risk assessments, be obliged to take appropriate technical and organisational measures to protect the Personal Data which is processed and shall thereby follow any written information security requirements or policies communicated by the Data Processor from time to time. The measures shall at least result in a level of security which is appropriate taking into consideration:
- (i) existing technical possibilities;
- (ii) the costs for carrying out the measures;
- (iii) the particular risks associated with the processing of Personal Data;
- (iv) the sensitivity of the Personal Data which is processed.
6.2 The Sub-Processor shall maintain adequate security for the Personal Data. The Sub-Processor shall protect the Personal Data against destruction, modification, unlawful dissemination, or unlawful access. The Personal Data shall also be protected against all other forms of unlawful processing. Having regard to the state of the art and the costs of implementation and taking into account the nature, scope, context and purposes of the processing as well as the risk of varying likelihood and severity for the rights and freedoms of individuals, the technical and organisational measures to be implemented by the Sub-Processor shall include as appropriate: (i) the pseudonymisation and encryption of Personal Data; (ii) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of systems and services processing Personal Data; (iii) the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; and (iv) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
6.3 Further to the technical and organisational measures mentioned in section 6.2, the Sub-Processor shall implement the following measures:
- (i) physical access protection whereby computer equipment and removable data containing personal information at the Sub-Processor’s premises shall be locked up when not under supervision in order to protect against unauthorised use, impact and theft.
- (ii) a process for testing read back after Personal Data has been restored from backup copies.
- (iii) authorisation control whereby access to the Personal Data is managed through a technical system for authorisation control. Authorisation shall be restricted to those who need the Personal Data for their work. User IDs and passwords shall be personal and may not be transferred to anyone else. There shall be procedures for allocating and removing authorisations.
- (iv) the ability to log access to the Personal Data. It shall be possible to follow up access to the Personal Data retrospectively through a log or similar information base. It shall be possible for the Sub-Processor to check the information base and report back to the Data Processor.
- (v) secure communication whereby external data communication connections shall be protected using technical functions ensuring that the connection is authorised, as well as content encryption for data in transit in communication channels outside systems controlled by the Sub-Processor.
- (vi) a process for ensuring secure data destruction when fixed or removable storage media shall no longer be used for their purpose.
- (vii) routines for entering into confidentiality agreements with suppliers providing repair and service of equipment used to store Personal Data.
- (viii) routines for supervising the service performed by suppliers at the premises of the Sub-Processor. Storage media containing the Personal Data shall be removed if supervision is not possible.
6.4 The Sub-Processor shall take all necessary actions to assist the Data Processor and shall promptly notify the Data Processor of any accidental or unauthorised access to Personal Data or any other security incident (Personal Data breach) without undue delay and where feasible – but in no case later than 72 hours after becoming aware of such an incident. The notification shall at least:
- (i) describe the nature of the Personal Data breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of Personal Data records concerned;
- (ii) communicate the name and contact details of the Data Protection Officer or other contact point where more information can be obtained;
- (iii) describe the likely consequences of the Personal Data breach;
- (iv) describe the measures taken or proposed to be taken by the Data Processor and/or Data Controller to address the Personal Data breach, including, where appropriate, measures to mitigate its possible adverse effects.
6.5 The Sub-Processor undertakes not to, without the Data Processor’s prior written consent, disclose or otherwise make Personal Data processed under this DPA available to any third party, except for its sub-processors engaged in accordance with this DPA.
6.6 The Sub-Processor shall be obliged to ensure that only personnel that directly require access to Personal Data in order to fulfil the Sub-Processor’s obligations in accordance with this DPA have access to such information. The Sub-Processor shall ensure that such personnel are bound by a confidentiality obligation concerning this Personal Data to the same extent as the Sub-Processor in accordance with this DPA and that they are informed how they may process the Personal Data.
6.7 The duties of confidentiality set forth in this DPA shall survive the expiry or termination of the DPA.
7. Audit Rights
The Data Processor shall be entitled, in its capacity as the Data Processor, to take measures necessary to verify that the Sub-Processor is able to comply with its obligations under this DPA, and that the Sub-Processor has in fact undertaken the measures to ensure such compliance. The Sub-Processor undertakes to make available to the Data Processor all information and all assistance necessary to demonstrate compliance with the obligations laid down in this DPA and allow for and contribute to audits, including on-site inspections, conducted by the Data Processor or another auditor mandated by the Data Processor.
The provisions in this DPA shall apply during such time that the Sub-Processor processes Personal Data in respect of which the Data Processor is the Data Processor.
9. Governing law
This Agreement shall be governed by and construed in accordance with English substantive law.
10. Measures upon the completion of processing of Personal Data
10.1 Upon expiry of this DPA, the Sub-Processor shall, at the choice of the Data Processor as communicated to the Sub-Processor, delete or return all Personal Data to the Data Processor and shall ensure that any sub-processor does the same.
10.2 Upon request by the Data Processor, the Sub-Processor shall provide a written notice of the measures taken regarding the Personal Data upon the completion of the processing.
The Sub-Processor shall not be entitled to any compensation for carrying out its obligations under this DPA.
In addition to compensation for breach of contract that may otherwise ensue from this DPA and/or the Main Agreement, the Data Processor shall be entitled to obtain compensation from the Sub-Processor for all of the costs, charges and fines incurred by the Data Processor under the applicable data privacy laws, if the processing of Personal Data that forms the basis of the loss was performed by, or through, the Sub-Processor.
13.1 Upon the Data Processor’s reasonable request, the Sub-Processor shall implement additional reasonable technical and organisational security measures and adjustments to the processing activities without additional cost. The Sub-Processor shall be notified of any adjustments to the Data Processor’s instructions concerning security and the processing of Personal Data in a reasonable time to enable the necessary amendments to procedures to be implemented.
13.2 The Sub-Processor may not assign this agreement without the Data Processor’s approval.
14.1 All notices and other communications under this agreement from one Party to the other shall be in writing and delivered by email, messenger or registered mail to the Parties’ above-mentioned addresses or to the addresses last registered with Companies House.
14.2 Notices shall be deemed to have been received by the recipient:
- a) if delivered by courier: at the time of delivery,
- b) if sent by registered mail: on the third (3) working day after submission for postal conveyance to the Party’s postal address specified in the introduction or later amended, or
- c) if sent by email: following confirmation of receipt by the other Party.
15. Dispute resolution
15.1 Any disputes resulting from this agreement shall be finally determined by arbitration administered by the local supervisory authority, which in the UK is the Information Commissioner’s Office (ICO). The Parties shall treat information about any dispute, arbitration and arbitration award as confidential.