DATA PROCESSING ADDENDUM

1. Definitions

1.1 The following definitions shall apply

“Applicable EU Law” means law of the European Union (or the law of a member state of the European Union)

“Data Protection Legislation” means the Data Protection Act 1998 and the GDPR together with any amendment to them, secondary legislation passed under them, any subsequent re-enactment or other law, statute, declaration, decree, directive, enactment, order, regulation, rule, Code of Practice or other binding restriction which relates to the protection of personal data of individuals similar to the Data Protection Act 1998 or GDPR.

“GDPR” means the General Data Protection Regulation

“Subject Access Request” means a request from an individual to access their personal data in accordance with Data Protection Legislation

“Permitted Purposes” means the purpose of fulfilling the Service Agreement between ELAS and the Supplier

“Permitted Recipients” means the third parties to whom the Supplier are permitted to disclose ELAS’ data

“Particulars of Breach” means the information that must be notified in the event of a breach of GDPR as set out in Article 33(3) of GDPR

“ICO” means the Information Commissioner’s Office

“Security requirements” means the requirements regarding the security of personal data as required by Data Protection Legislation

“Third Party Request” means a written request from any third party for disclosure of personal data where compliance with such request is required by law

“ELAS” means Employment Law Advisory Services Ltd., ELAS Occupational Health Ltd., Sound Advice Health and Safety Ltd., Support Training and Services Ltd., Occupational Medicals Enterprise Ltd., Health and Safety Management Consultants Ltd. together with any other company, brand or undertaking that falls within the control of the Directors of Employment Law Advisory Services Ltd.

“Service Agreement” means any agreement between the Supplier and ELAS for the provision of services by one party to the other.

1.2 Headings in this agreement are included for convenience only and shall not affect the interpretation or construction of this Agreement

1.3 This agreement is supplemental to the Service Agreement and shall not amend or supersede the Service Agreement save where explicitly stated and agreed under this Data Processing Agreement.

1.4 In consideration for the parties’ respective rights and obligations under this Data Processing Agreement, the parties agree to perform their obligations as set out below.

1.5 This Data Processing Agreement shall take effect on 25 May 2018.

2. Data Protection

2.1 The parties shall each process the Supplier’s Data. Each party shall comply with its obligations under the Data Protection Legislation and use all reasonable efforts to assist the other in compliance with obligations under the Data Protection Legislation. Neither party shall cause the other to breach its respective obligations under the Data Protection Legislation whether by act or omission.

2.2 Where one party acts as a processor and the other acts as a controller in accordance with the definitions laid out by the Data Protection Legislation, they shall have the responsibilities and liabilities allocated to them as defined by the Data Protection Legislation.

2.3 Where the parties act as joint controllers, the parties each acknowledge and agree they have joint responsibility for the security of personal data in its possession or control and the restrictions on transfers of personal data where that party instructed the data transfer to a third country. Both shall have responsibility for lawful, fair and transparent processing of data, that purposes are limited, that the rights of data subjects are complied with, accuracy of data and protected storage of data.

2.4 ELAS shall:

2.4.1 Implement and maintain appropriate technical and organisational measures which are sufficient to comply with the Data Protection Legislation

2.4.2 Ensure any suppliers or sub-contractors of ELAS engage in a similar Data Processing Agreement with ELAS

2.4.3 Notify the Supplier promptly in the event of a Subject Access Request which directly or indirectly relates to the Supplier.

2.4.4 Notify the Supplier promptly in the event of any actual or suspected breach, any threatened breach or any ‘near miss’ breach of Data Protection Legislation or this Data Processing Agreement

2.4.5 Not transfer any of the Supplier’s data outside of the European Economic Area without prior notification to the Supplier

2.4.6 Delete or permanently destroy the Supplier’s data that is no longer reasonably required to be retained by ELAS

2.4.7 Provide information to the Supplier that is reasonably requested by the Supplier to demonstrate compliance with this Agreement, the Data Protection Legislation and/or any internal or external audit

2.4.8 Not disclose the Supplier’s data to any third party (save as to any sub-contractors who have fulfilled the requirements of 2.4.2 above) without the prior consent of the Supplier save as to disclosures to Permitted Recipients or Third Party Requests.

2.4.9 Ensure that the Supplier data processed by ELAS is segregated from other data processed by ELAS

2.4.10 Only disclose Supplier data to ELAS personnel (save as to any sub-contractors who have fulfilled the requirements of 2.4.2 above) and shall only do so following reasonable steps to ensure the reliability and integrity of the personnel including, but not limited to, training and the reading of and agreement to relevant policies covering confidential information and data security as may vary from time to time.

2.4.11 Only process data that is necessary for the fulfilment of the Service Agreement

2.5 The Supplier shall:

2.5.1 Implement and maintain appropriate technical and organisational measures which are sufficient to comply with the Data Protection Legislation

2.5.2 Ensure any suppliers or sub-contractors of the Supplier engage in a similar Data Processing Agreement with the Supplier

2.5.3 Notify ELAS promptly in the event of a Subject Access Request which directly or indirectly relates to ELAS.

2.5.4 Notify ELAS promptly in the event of any actual or suspected breach, any threatened breach or any ‘near miss’ breach of Data Protection Legislation or this Data Processing Agreement that relates to ELAS

2.5.5 Not transfer any of ELAS’s data outside of the European Economic Area without prior notification to ELAS

2.5.6 Delete or permanently destroy the ELAS data that is no longer reasonably required to be retained by the Supplier

2.5.7 Provide information to ELAS that is reasonably requested by ELAS to demonstrate compliance with this Agreement, the Data Protection Legislation and/or any internal or external audit

2.5.8 Not disclose ELAS’s data to any third party (save as to any sub-contractors who have fulfilled the requirements of 2.4.2 above) without the prior consent of ELAS save as to disclosures to Permitted Recipients or Third Party Requests.

2.5.9 Ensure that ELAS’s data processed by the Supplier is segregated from other data processed by the Supplier

2.5.10 Only disclose ELAS’s data to the Supplier’s personnel (save as to any sub-contractors who have fulfilled the requirements of 2.4.2 above) and shall only do so following reasonable steps to ensure the reliability and integrity of the personnel including, but not limited to, training and the reading of and agreement to relevant policies covering confidential information and data security as may vary from time to time.

2.5.11 Only process data that is necessary for the fulfilment of the Service Agreement

2.6 Both parties agree as far as is reasonable to assist the other in complying with their obligations imposed under this Agreement.

3. Miscellaneous

3.1 The parties agree that each provision of this Data Processing Agreement is severable and distinct from the others and that if a provision is held to be void or unenforceable, the remainder of the agreement shall continue

3.2 This Data Processing Agreement may be entered into in any number of counterparts and by the parties on separate documents all of which taken together will constitute one and the same Agreement

3.3 No forbearance or delay by either party in enforcing its rights will prejudice or restrict the rights of that party. No waiver of any rights under this Data Processing Agreement shall be deemed to be a waiver of any other right or later breach.

3.4 No variation of this Data Processing Agreement shall be effective unless it is agreed and recorded by both parties in writing.

3.5 Neither party shall be permitted to use this Data Processing Agreement to make representations for or otherwise bind the other party in any way

3.6 Save as to the companies, businesses and undertakings listed in the definition of “ELAS” above, no third party who is not a party to this agreement shall have any rights under the Contracts (Rights of Third Parties) Act 1999 to enforce any term of this Data Processing Agreement.

3.7 This Data Processing Agreement, together with the Service Agreement, forms the entire Agreement between the parties.

3.8 This Data Processing Agreement shall be governed in accordance with the laws of England and Wales. The Courts of England and Wales shall have exclusive jurisdiction over any claim or matter arising under, or in connection with, this Data Processing Agreement.
