1. Definitions

1.1 Words and phrases defined in the Terms shall apply in this Schedule in addition to the following further definitions:

Data Protection Legislation
the Data Protection Act 1998, the Data Protection Directive (95/46/EC), the Regulation of Investigatory Powers Act 2000, the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000 (SI 2000/2699), the Electronic Communications Data Protection Directive (2002/58/EC), the Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2426/2003), the General Data Protection Regulation (EU/2016/679), the Data Protection Bill 2016-19 (if enacted, in whatever form) or any successor or replacement legislation to any of the foregoing, and all other applicable laws and regulations relating to the processing of personal data and privacy, including where applicable the guidance and codes of practice issued by the Information Commissioner or any other supervisory authority, and the equivalent of any of the foregoing in any relevant jurisdiction.
We and You, each a “Party”.
Security Breach
any security breach relating to Content unless reasonably determined by Us to be insufficiently serious or substantial to justify notification to the Information Commissioner or other relevant supervisory authority in accordance with the Data Protection Legislation.
Standard Contractual Clauses
the standard contractual clauses for the transfer of personal data from the European Union to processors established in third countries (controller-to-processor transfers), as set out in the Annex to Commission Decision 2010/87/EU.

Data Subject, Data Controller, Controller, Data Processor, Processor, personal data, processing, Data Protection Impact Assessment and appropriate technical and organisational measures shall bear the meanings given to those terms respectively in the Data Protection Legislation from time to time.

2. Data Processing

2.1 Both Parties will comply with all applicable requirements of the Data Protection Legislation. The Parties acknowledge that for the purposes of the Data Protection Legislation, You are the Controller/Data Controller and We are the Processor/Data Processor.

2.2 We shall only act on written instructions (which may be specific or general) given by You from time to time during the Term. You acknowledge that We are under no duty to investigate the completeness, accuracy or sufficiency of any instructions or Content.

2.3 We shall keep accurate records of all processing of Content carried out by Us and shall ensure that such records are sufficient to enable You to verify Our compliance, and demonstrate Your own compliance, with Data Protection Legislation.

2.4 Each Party shall ensure that it has in place appropriate technical and organisational measures to protect against unauthorised or unlawful processing of, and against accidental loss or destruction of, or damage to, Content (in each case appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures).

2.5 If either Party:

  • becomes aware of any unauthorised or unlawful processing of any Content or that any Content is lost or destroyed or has become damaged, corrupted or unusable; or
  • becomes aware of any Security Breach; or
  • considers that any of Your instructions may lead to a Security Breach or otherwise infringe Data Protection Legislation

that Party shall, at its own expense, promptly notify the other Party and We shall fully co-operate with You to remedy the issue as soon as reasonably practicable, including:

  • assisting with any investigation; and
  • providing You or Your agents with access to any facilities, operations, employees or other individuals involved in the matter; and
  • making available all relevant records, logs, files, data reporting and other materials required to comply with all Data Protection Legislation or as otherwise reasonably required by You.

2.6 We shall:

  • only make copies of Content to the extent reasonably necessary for the provision of the Service (which, for clarity, includes back-up, mirroring (and similar availability enhancement techniques), security, disaster recovery and testing of Content);
  • not extract, re-utilise, use, exploit, redistribute, re-disseminate, copy or store Content other than as necessary for the provision of the Service;
  • comply at all times with all applicable laws, regulations and regulatory codes, including Data Protection Legislation;
  • ensure that all personnel who have access to and/or process Content are obliged to keep Content confidential;
  • ensure that access to Content is limited to:
    • those employees who need access to Content to meet Our obligations under this Agreement; and
    • in the case of any access by any employee, such part or parts of Content as is or are strictly necessary for performance of that employee’s duties; and
    • have received appropriate training relating to handling personal data; and
    • are aware both of Our duties and their personal duties and obligations under such laws and this Agreement;
  • promptly comply with any request from You requiring Us to amend, transfer (in such format and on such media reasonably specified by You) or delete Content;
  • promptly assist You in responding to any request from a data subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators. If We receive any complaint, notice, request or communication that relates directly or indirectly to the processing of Content or to either Party’s compliance with any Data Protection Legislation, We shall immediately notify You and We shall provide You with full co-operation and assistance in relation to such.

2.7 We shall, on request, provide all reasonable assistance to You in the preparation of any Data Protection Impact Assessment, including:

  • a systematic description of the envisaged processing operations and the purpose of the processing;
  • an assessment of the necessity and proportionality of the processing operations in relation to the provision of the Service;
  • an assessment of the risks to the rights and freedoms of Data Subjects; and
  • the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data.

2.8 We will not transfer or otherwise process any Content outside the UK or the EEA.

2.9 We may appoint sub-Processors to process any Content provided We enter into a written agreement with the sub-Processor which applies the terms of this Schedule to the sub-Processor.

Last updated 19th July 2018.