The following definitions in this clause apply in this Data Protection Agreement:
"Act" means the Data Protection Act 1998 or statutory provision which modifies, consolidates, re-enacts or supersedes it.
"Data Controller" has the meaning set out in section 1(1) of the Act.
"Data Processor" has the meaning set out in section 1(1) of the Act.
"Data Protection Agreement" means this agreement (including any schedule or annex to it and any document referred to in it).
"Data Subject" has the same meaning as the definition of data subject under s1(1) of the Act namely, a living, identifiable individual who is the subject of Personal Data.
"Information Commissioner" means the commissioner appointed under the Act and his/her appointed officers.
"Personal Data" has the meaning set out in section 1(1) of the Act namely, ôdata which relates to a living individual who can be identified
(a) from those data; or
(b) from those data and other information which is in the possession of, or is likely to come into the possession of the Data Controller,
and includes any expression of opinion about the individual and any indications of the intentions of the Data Controller or any other person in respect of the individualö; save that references to Data Controller in such definition shall be deemed to be references to the Data Processor for the purposes of this Data Protection Agreement.
"Processing" shall have the same meaning set out in section 1(1) of the Act, and the word ôProcessö shall be construed accordingly.
Appointment
1.1 The Supplier shall Process Personal Data in accordance with the terms of this Data Protection Agreement and/or in accordance with specific written instructions of the Customer from time to time.
1.2 This Data Protection Agreement shall commence on the Commencement Date and shall continue in full force and effect until terminated in accordance with the provisions set out in the Master Agreement.
Supplier Obligations
1.3 The Supplier shall Process the Personal Data to the extent, and in such manner, as is solely necessary for the purpose of performing the Services on behalf of the Customer or the Client, and in accordance with the provisions set out in the Master Agreement.
1.4 The Supplier agrees that:
1.4.1 it will process Personal Data in compliance with the Act and any other UK data protection legislation current from time to time;
1.4.2 it shall not transfer any Personal Data outside of the European Economic Area or to a country the subject of a European Commission finding of adequacy without the prior written consent of the Customer; and
1.4.3 it will give all reasonable assistance to the Customer or a Client in respect of any obligations imposed on a Client or the Customer by the Act, and not do or cause to be done anything which may cause or otherwise result in a breach by the Client or the Customer of the Act or any other data protection legislation in force from time to time in the UK.
1.5 The Supplier warrants that it will:
1.5.1 take appropriate technical and organisational measures against the unauthorised or unlawful processing of Personal Data and against the accidental loss or destruction of, or damage to, Personal Data to ensure a level of security appropriate to:
(i) the harm that might result from such unauthorised or unlawful processing or accidental loss, destruction or damage; and
(ii) the nature of the data to be protected including, but not limited to, the security measures set out in the Schedule.
1.5.2 take reasonable steps to ensure compliance with those measures set out in clause 3.3.1 to ensure the Client and the CustomerÆs compliance with the seventh data protection principle;
1.5.3 ensure that access to the Personal Data is limited to only such of its employees who need to have access to the Personal Data to meet its obligations under this Data Protection Agreement and the Master Agreement, and that such access is only to such parts of the Personal Data as is strictly necessary for that employeeÆs duties;
1.5.4 notify the Customer immediately if it becomes aware of any unauthorised or unlawful Processing, loss of, damage to or destruction of the Personal Data.
1.6 The Supplier agrees that upon written request from the Customer, it will inform the Customer of the technical and organisational measures that it has taken pursuant to clause 3.3 and permit the Client and the Customer at any reasonable time upon seven days written notice to have escorted access to the appropriate part of the SupplierÆs premises, systems, equipment and other materials and facilities to enable the Client and the Customer to inspect the same for the purposes of monitoring compliance with clauses 3.3 to 3.3 inclusive. For the avoidance of doubt, such inspections shall not relieve the Supplier of any of its obligations under this Data Protection Agreement.
1.7 In the event that a Data Subject exercises his or her rights under the Act in respect of Personal Data Processed by the Supplier pursuant to this Data Protection Agreement or where the Customer is required to deal or comply with any assessment, enquiry, notice, or investigation by the Information Commissioner, then the Supplier will co-operate with the Client and the Customer (at the CustomerÆs direction and expense), to enable the Client to comply with its obligations as a Data Controller which arise as the result of the exercise of such rights or as a result of such assessment, enquiry, notice or investigation.
CustomerÆs Obligations and Warranties
1.8 The Customer confirms that it has obtained consent from the Data Controller to sub-contract its obligations arising under its agreement with the Data Controller to the Supplier to the extent such consent is required.
1.9 The Customer shall, where applicable, give full and proper instructions to the Supplier to enable the Supplier to comply with its obligations set out in clauses 2 and 3 above.
Confidentiality
1.10 Each party undertakes that it shall not at any time disclose to any person any Confidential Information concerning the business, affairs, customers, clients or suppliers of the other party, except as permitted by clause 5.2. For the purposes of this Data Protection Agreement, ôConfidential Informationö shall mean (i) proprietary information (whether owned by the disclosing party or a third party to whom the disclosing party owes a non-disclosure obligation), including information, know-how and software and Personal Data; (ii) such information which is marked as confidential at the time of disclosure to the receiving party, or if in oral form, is identified as confidential at the time of oral disclosure; or (iii) such information that, by the nature of the circumstances surrounding the disclosure, ought to be treated in good faith as proprietary and/or confidential.
1.11 Each party may disclose the other party's Confidential Information:
1.11.1 to its employees, officers, representatives or advisers who need to know such information for the purposes of carrying out the party's obligations under this Data Protection Agreement. Each party shall ensure that its employees, officers, representatives or advisers to whom it discloses the other party's confidential information comply with this clause 5; and
1.11.2 as may be required by law, court order or any governmental or regulatory authority.
1.12 No party shall use any other party's Confidential Information for any purpose other than to perform its obligations under this Data Protection Agreement.
Amendments to the Law
1.13 In the event that the Act is amended or replaced by subsequent legislation or regulations or in the event that case law pursuant to the Act and/or regulations enacted under it require amendments to this Agreement in the reasonable opinion of the Customer, then the Supplier will agree to such amendments to this Agreement and will enter into a deed of variation to effect such amendments. In which event, the parties shall negotiate in good faith who should bear any additional costs occasioned by any such amendments.
Governing law and jurisdiction
1.14 This Data Protection Agreement and any dispute or claim arising out of or in connection with its subject matter or formation (including non-contractual disputes or claims) shall be governed by and construed in accordance with English Law, and the parties agree that the courts of England shall have exclusive jurisdiction to settle and dispute or claim arising out of this Data Protection Agreement.