To the extent that we are acting as a Processor on your instructions (typically where you are providing personal data to us so that we may provide the Goods accordingly), the following terms will apply.
1 - Definitions
“Data Controller” has the meaning given to ‘Data Controller’, or ‘Controller’ as appropriate, in the Data Protection Laws.
“Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed.
“Data Processor” has the meaning given to ‘Data Processor’, or ‘Processor’ as appropriate, in the Data Protection Laws.
“Data Protection Laws” means all applicable privacy and data protection laws including the General Data Protection Regulation ((EU) 2016/679) and any applicable national implementing laws, regulations and secondary legislation in England and Wales relating to the processing of Personal Data and the privacy of electronic communications, as amended, replaced or updated from time to time, including the Privacy and Electronic Communications Directive (2002/58/EC) and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2003/2426).
“GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons regarding the processing of personal data and on the free movement of such data, and repealing directive 95/46/EC as updated, superseded, or repealed from time to time.
“Personal Data” has the meaning given in the Data Protection Laws.
2 - Data Processing
2.1 Where we, pursuant to this Agreement, process Personal Data on your behalf, you acknowledge that you are the Data Controller and the owner of such Personal Data, and that we are the Data Processor.
3 - COMPLIANCE WITH DATA PROTECTION LAWS
3.1 The Processor shall comply with the requirements of the applicable Data Protection Laws.
3.2 In respect of any Personal Data to be processed by the Data Processor pursuant to this Agreement for which you are the Data Controller, the Data Processor shall:
3.2.1. have in place and always maintain appropriate technical and organisational measures in such a manner as is designed to ensure the protection of the rights of the data subject and to ensure a level of security appropriate to the risk.
3.2.2. not engage any sub-processor without your prior specific or general written authorisation and, in the case of general written authorisation, the Data Processor shall inform you of any intended changes concerning the addition or replacement of other processors and you shall have the right to object (acting reasonably) to such changes. If the Parties cannot resolve the objection, then the Data Controller shall have the right to terminate any agreement affected using the sub-processor.
3.2.3. ensure that all persons authorised to process the Personal Data are subject to obligations of confidentiality.
3.2.4. ensure that terms similar to those in this Schedule are incorporated into each agreement with any sub-processor and that each sub-processor shall be obligated to act at all times in accordance with duties and obligations of the Data Processor under this Schedule. The Data Processor shall at all times be and remain liable for the performance of the sub-processor’s obligations.
3.2.5. process that Personal Data only on behalf of you in accordance with your documented instructions and to perform our obligations under this Agreement or other documented instructions from you and for no other purpose save to the limited extent required by law.
3.2.6. upon request, following termination or expiry of this Schedule, destroy or return (as you direct) all Personal Data and delete existing copies except to the extent that the Data Processor is required to retain a copy of the Personal Data by law.
3.2.7. make available to you all information reasonably necessary to demonstrate compliance with the obligations laid out in Article 28 of GDPR and this Schedule and allow for and contribute to audits, including inspections, conducted by you or another auditor mandated by you, of the Data Processor’s data processing facilities in order to ascertain compliance with Article 28 GDPR and this Schedule. Such audits and inspections to be subject to the following conditions:
a) the Data Processor shall be given at least fourteen (30) days’ notice prior to any audit or inspection.
b) audits and inspections shall take place during the normal business hours of the Data Processor as set by the Data Processor.
c) you and/or your mandated auditor shall, prior to carrying out an audit or inspection, agree to any reasonable non-disclosure agreement required by the Data Processor; and
d) you shall be liable for all costs in relation to such an audit or inspection.
3.2.8. immediately inform you if, in our opinion, an instruction infringes Data Protection Laws.
3.2.9. taking into account the nature of the processing and the information available to the Data Processor, provide assistance to you in connection with the fulfilment of your obligation as Data Controller to respond to requests for the exercise of data subjects’ rights, to the extent applicable.
3.2.10. provide you with assistance upon request in ensuring your compliance with your obligations concerning security of processing, data breach notification, communication of a personal data breach to the data subject, data protection impact assessments, and prior consultation with supervisory authorities, to the extent applicable to you, taking into account the nature of the processing and the information available to the Data Processor.
3.2.11. assist you (where requested) in connection with any regulatory or law enforcement authority audit, investigation, or enforcement action in respect of the Personal Data.
3.2.12. without undue delay, notify you in writing about:
a) any Data Breach or any accidental loss, disclosure, or unauthorised access of which the Data Processor becomes aware in respect of Personal Data that it processes on behalf of you.
b) any request for disclosure of the Personal Data by a law enforcement authority (unless otherwise prohibited).
c) any access request or complaint received directly from a data subject (without responding unless authorised to do so).
3.2.13. The Data Processor shall be entitled to charge you a fee for carrying out its obligations in relation to paragraphs 3.2.7, 3.2.9, 3.2.10, and 3.2.11 of this Schedule. Such fee shall cover the costs reasonably incurred by the Data Processor in complying with those obligations.
3.2.14. You shall indemnify us against all liabilities, claims, costs, expenses, damages, and losses (including any direct, indirect, or consequential losses, loss of profit, loss of reputation and all interest, penalties and legal and other professional costs and expenses) suffered or incurred by us for which we may become liable as a result of or in connection with any failure by you to comply with this Schedule or Data Protection Laws.
4 - INTERNATIONAL DATA TRANSFERS
4.1 In respect of any Personal Data to be processed by the Data Processor pursuant to this Agreement for which you are the Data Controller, the Data Processor shall not transfer the Personal Data outside the EEA or to an international organisation without ensuring appropriate levels of protection, including any appropriate safeguards if required, are in place for the Personal Data in accordance with the Data Protection Laws.
5 - DETAILS OF PROCESSING ACTIVITIES
5.1 The following table sets out the details of processing authorised by the Data Controller, as required by Article 28 of GDPR:
|Purposes for which the Personal Data shall be processed. Please specify the purposes for which the Data Processor intends to process the Personal Data.||We will process your Personal Data for the purposes specified/as agreed in this Agreement, or as otherwise instructed by you. This shall principally consist of processing your Personal Data for compliance with the terms and conditions of this rental and maintenance agreement and its obligations.|
|Description of the categories of the data subjects. Please specify the categories of data subject whose Personal Data shall be processed under this Agreement.||Data subjects are those individuals who will utilise the Goods, being principally collection of the monthly rental payment by direct debit, credit checks and monitoring, and marketing of our products/services and communications of yours.|
|Description of the categories of Personal Data. Please specify the categories of Personal Data that shall be processed under this Agreement.||The Personal Data to be processed shall be as set out in this Schedule or as otherwise communicated to us by you. You shall not provide Personal Data unless it is necessary for the fulfilment of this Agreement and shall anonymise or pseudonymise Personal Data wherever possible.|
|The envisaged duration of the processing of Personal Data. Please specify how long you think the Personal Data will be retained for, where possible.||Processing shall continue until termination of this Agreement and removal of the Personal Data pursuant to paragraph 3.2.6 of this Schedule.|
|Authorised Sub-Processors. List the sub-processors who will process Personal Data.||The Data Controller hereby gives permission for the use of the following specific sub-processors by the Data Processor:
· Monnoyeur SAS
· reg no 384,783,239