Data Protection Policy

Including GDPR

The Parties are ourselves, Sales Made Easy Limited (Supplier), and yourself, the Member subscribing to our Services (Customer).

Data Protections.

Part 1.

Definitions

Data Protection Legislation means the UK Data Protection Legislation and any other European Union legislation relating to personal data and all other legislation and regulatory requirements in force from time to time which apply to a party relating to the use of Personal Data (including, without limitation, the privacy of electronic communications) under our contract with you; and

UK Data Protection Legislation means all applicable data protection and privacy legislation in force from time to time in the UK including the General Data Protection Regulation ((EU) 2016/679); the Data Protection Act 2018; the Privacy and Electronic Communications Directive 2002/58/EC (as updated by Directive 2009/136/EC) and the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426) as amended.

1. Data Protection.

1.1 Both parties will comply with all applicable requirements of the Data Protection Legislation. This paragraph 1.1 is in addition to, and does not relieve, remove or replace, a party’s obligations or rights under the Data Protection Legislation. In this paragraph 1, “Applicable Laws” means (for so long as and to the extent that they apply to the parties) the law of the European Union, the law of any member state of the European Union and/or Domestic UK Law; and Domestic UK Law means the UK Data Protection Legislation and any other law that applies in the UK.

1.2 The parties acknowledge that for the purposes of the Data Protection Legislation, the Customer is the Controller and the Supplier is the Processor. Part 2 of this Schedule 2 sets out the scope, nature and purpose of processing by the Supplier, the duration of the processing and the types of Personal Data and categories of Data Subject.

1.3 Without prejudice to the generality of paragraph 1.1, the Customer will ensure that it has all necessary and appropriate consents and notices in place to enable lawful transfer of the Personal Data to the Supplier and/or lawful collection of the Personal Data by the Supplier on behalf of the Customer for the duration and purposes of this agreement.

1.4 Without prejudice to the generality of paragraph 1.1, the Supplier shall, in relation to any Personal Data processed in connection with the performance by the Supplier of its obligations under this agreement:

1.4.1 process that Personal Data only on the documented written instructions of the Customer which are given by the Customer from time to time or which are set out in Part 2 of this Schedule 2 unless the Supplier is required by Applicable Laws to otherwise process that Personal Data. Where the Supplier is relying on Applicable Laws as the basis for processing Personal Data, the Supplier shall promptly notify the Customer of this before performing the processing required by the Applicable Laws unless those Applicable Laws prohibit the Supplier from so notifying the Customer;

1.4.2 ensure that it has in place appropriate technical and organisational measures, to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymising and encrypting Personal Data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it);

1.4.3 ensure that all personnel who have access to and/or process Personal Data are obliged to keep the Personal Data confidential; and

1.4.4 not transfer any Personal Data outside of the European Economic Area unless the prior written consent of the Customer has been obtained and the following conditions are fulfilled:

1.4.4.1 the Customer or the Supplier has provided appropriate safeguards in relation to the transfer;

1.4.4.2 the Data Subject has enforceable rights and effective legal remedies;

1.4.4.3 the Supplier complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred; and

1.4.4.4 the Supplier complies with reasonable instructions notified to it in advance by the Customer with respect to the processing of the Personal Data;

1.4.5 assist the Customer in responding to any request from a Data Subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators;

1.4.6 notify the Customer without undue delay and in any event no later than 48 hours on becoming aware of a Personal Data Breach;

1.4.7 at the written direction of the Customer, delete or return Personal Data and copies thereof to the Customer on termination of the agreement unless required by Applicable Law to store the Personal Data; and

1.4.8 maintain complete and accurate records and information to demonstrate its compliance with this paragraph 1 and allow for audits by the Customer or the Customer’s designated auditor and immediately inform the Customer if, in the opinion of the Supplier, an instruction infringes the Data Protection Legislation. For the purposes of allowing any such audit, the Supplier shall provide (or procure) access to all the Supplier’s relevant premises, systems, personnel and records during normal business hours for the purposes of each such audit or inspection upon reasonable prior notice and provide and procure (insofar as it is able) all further reasonable co-operation, access and assistance in relation to any such audit or inspection.

1.5 The Customer consents to the Supplier appointing third-party processors of Personal Data under this agreement provided that the Supplier has entered or (as the case may be) will enter with each third-party processor into a written agreement substantially on that third party’s standard terms of business which the Supplier confirms (or as the case may be undertakes) reflect and will continue to reflect the requirements of the Data Protection Legislation. As between the Customer and the Supplier, the Supplier shall remain fully liable for all acts or omissions of any third-party processor appointed by it pursuant to this paragraph 1.

1.6 The parties may, at any time by agreement, revise this paragraph 1 by replacing it with any applicable controller to processor standard clauses or similar terms forming part of an applicable certification scheme (which shall apply when replaced by attachment to this Contract).

Part 2.

Processing by the Supplier

2.1 Scope

Delivery of Membership Services under the Membership Agreement

2.2 Nature

Processing of Personal Data incidental to the provision of the Services to the Customer.

2.3 Purpose of Processing

To deliver the Services

2.4 Duration of the Processing

The term of the Contract

3. Types of Personal Data

Generally: Name, address, telephone number, email address and date of birth, but we may ask for additional information from time to time such as but not limited to salary and employment details in relation to our Services.

4. Categories of Data Subject

Employees and contractors of the Customer who is to receive the benefit of the Services.