1. Background
- The parties entered into an agreement for the provision of Services (Agreement).
- This DPA is made on the date of execution of the last Agreement.
- The Supplier is a provider of in-person and remote DSE workstation assessments and other related consulting services (Services). For the avoidance of doubt, the Services do not include the Supplier’s online self-assessment software(www.ergofy.co.uk).
- The parties have agreed to enter into this DPA in relation to the processing of personal data by the Supplier in the course of providing the Services. The terms of this DPA are intended to apply in addition to and not in substitution of the terms of the Agreement.
2. Agreement:
Meanings
In this DPA, the following words are defined:
Any entity that directly or indirectly controls, or is controlled by, or is under common control with the subject entity. 'Control' for the purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.
All laws and regulations, including laws and regulations of the European Union, the European Economic Area and their member states, Switzerland and the United Kingdom applicable to the Processing of Personal Data under the Agreement, including, but not limited to EU Directive 95/46/EC, as transposed into domestic legislation of each Member State and as amended, replaced or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR; and,
To the extent applicable, the data protection or privacy laws of any other country.
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (the EU GDPR); and,
The EU GDPR as implemented or adopted under the laws of the United Kingdom (UK GDPR) (General Data Protection Regulation).
In relation to a party, those of its employees, workers, agents, consultants, contractors, sub-contractors, representatives or other persons employed or engaged by that party on whatever terms.
Any entity (whether or not an Affiliate of the Supplier, but excluding the Supplier’s Personnel) appointed by or on behalf of the Supplier to process Personal Data on behalf of the Customer under this DPA.
Any day, other than a Saturday, Sunday, or public holiday in England and Wales.
3. Processing Customer Personal Data
- Terms such as “Data Subject”, “Processing”, “Personal Data”, “Controller”, and “Processor”, "Supervisory Authority" and "Personal Data Breach" shall have the same meaning as ascribed to them in the Data Protection Law.
- In this DPA unless the context requires a different interpretation:
- the singular includes the plural and vice versa;
- references to sub-clauses, clauses, schedules or appendices are to sub-clauses, clauses, schedules or appendices of this DPA;
- a reference to a person includes firms, companies, government entities, trusts and partnerships;
- 'including' is understood to mean 'including without limitation';
- reference to any statutory provision includes any modification or amendment of it;
- the headings and subheadings do not form part of this DPA; and
- 'writing' or 'written' will include fax and email unless otherwise stated.
4. Processing Customer Personal Data
- For the purpose of Data Protection Law, the Customer shall be the Controller and the Supplier shall be the Processor.
- The Supplier and each Supplier Affiliate shall:
- comply with all applicable Data Protection Law in the Processing of Customer Personal Data; and
- only Process Personal Data on the Customer's documented instructions, unless Processing is required by any applicable law to which the Supplier is subject (in which case, the Supplier shall, to the extent permitted by applicable law, inform the Customer of such legal requirement before undertaking the Processing).
- The Supplier and each Supplier Affiliate shall take reasonable steps to ensure the reliability of Personnel who have access to the Personal Data, ensuring in each case that such Personnel is subject to a strict duty of confidentiality (whether a contractual or statutory duty) and that they Process the Personal Data in compliance with all applicable law and only for the purpose of delivering the Services under the Agreement.
5. Term
- The Processor will only process Personal Data for the term of the DPA. The term of this DPA shall continue in force until the later of:
- The term of the Agreement; and
- the period that the Processor has any Personal Data in its possession or control.
6. Security
- The Supplier will establish data security in relation to the Processing of Personal Data under this DPA. The measures to be taken must guarantee a protection level appropriate to the risk concerning confidentiality, integrity, availability and resilience of the systems. The state of the art, implementation costs, the nature, scope and purposes of the Processing, and the probability of occurrence and the severity of the risk to the rights and freedoms of natural persons must be taken into account. Such measures may include, as appropriate:
- the pseudonymisation and encryption of Personal Data;
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; and
- a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the Processing.
- In assessing the appropriate level of security, the Supplier shall take into account any risks that are presented by the Processing, in particular, from a Personal Data Breach.
- The Supplier has laid down the technical and organisational measures in Schedule 2 of this DPA. Technical and organisational measures are subject to technical progress and further development. In this respect, the Processor may implement alternative adequate measures from time to time.
7. Sub-Processors
- The Customer authorises the Supplier and each Supplier Affiliate to appoint the Sub-processors listed in Schedule 3 (if any) and any new Sub-processors in accordance with the subsequent provisions.
- With respect to each Sub-processor, the Supplier, or the Supplier Affiliate shall:
- carry out appropriate due diligence prior to the Processing by such Sub-processor to ensure that the Sub-processor is capable of providing the level of protection for Personal Data required by the terms of the Agreement and this DPA;
- enter into a written agreement with the Sub-processor incorporating terms which are substantially similar (and no less onerous) than those set out in this DPA and which meet the requirements of Article 28(3) of UK GDPR; and
- remain fully liable to the Customer for all acts or omissions of such Sub-processor as though they were its own.
- The Supplier and each Supplier Affiliate may continue to use Sub-processors already engaged by the Supplier or Supplier Affiliate as at the date of this DPA subject to the Supplier or Supplier Affiliate meeting the obligations set forth in the preceding clause as soon as reasonably practicable.
- The Supplier shall give the Customer prior written notice of the appointment of any new Sub-processor, including the name of the Sub-processor it seeks to appoint and the Processing activity to be undertaken by the Sub-processor.
- If within 30 days of receipt of notice under the preceding clause, the Customer (acting reasonably and in good faith) notifies the Supplier in writing of any objections to the proposed appointment:
- the parties will work in good faith to make available a commercially reasonable change in the provision of the Services which avoids the use of the proposed Sub-processor without unreasonably burdening the Supplier; and
- where such a change cannot be made within 30 days of the Supplier's receipt of the Customer's notice, the Customer may, notwithstanding the terms of the Agreement, serve written notice on the Supplier to terminate the applicable order form(s) to the extent that the provision of the Services is or would be affected by the appointment. The Supplier will refund the Customer any prepaid fees covering the remainder of the term of such order form(s) with respect to the terminated Services.
8. Cross Border Transfers of Personal Data
- The Processor will transfer Personal Data in accordance with the Data Protection Laws.
- Without prejudice to the generality of the preceding clause, the Processor may transfer Personal Data outside the European Economic Area (EEA) or the United Kingdom.
- The Processor will only process, or permit the processing, of Personal Data outside the EEA or the United Kingdom under the following conditions:
- the Processor is processing Personal Data in a territory which is subject to a current finding by the UK government under the Data Protection Laws that the territory provides adequate protection for the privacy rights of individuals;
- that specific contracts approved by the UK ICO which give Personal Data the same protection it has in the UK are used; or
- where the sub-processor is based in any country outside of the United Kingdom and/or EEA not otherwise covered by this clause , that Standard Contract Clauses (SCCs) deemed to be an adequate level of protection, will be put in place.
9. Data Subject Rights
- Taking into account the nature of the Processing, the Supplier and each Supplier Affiliate shall assist the Customer in the fulfilment of the Customer's obligation to respond to requests for exercising Data Subjects' rights under the Data Protection Law.
- The Supplier shall:
- promptly (and in any event, within 24 hours) notify the Customer if it (or any of its Sub-processors) receives a request from a Data Subject; and
- fully cooperate with and assist the Customer in relation to any request made by a Data Subject under the Data Protection Law in respect of Personal Data Processed by the Supplier under the terms of the Agreement or this DPA.
10. Personal Data Breaches
- The Supplier shall:
- notify the Customer without undue delay (in any event, no later than 72 hours) upon becoming aware of any Personal Data Breach affecting the Personal Data Processed by the Supplier under this DPA;
- provide sufficient information to enable the Customer to evaluate the impact of such Personal Data Breach and to meet any obligations on the Customer to report the Personal Data Breach to a Supervisory Authority and/or notify the affected Data Subjects in accordance with the Data Protection Law;
- provide the Customer with such assistance as the Customer may reasonably request; and
- cooperate with the Customer and take such reasonable commercial steps (as directed by the Customer) to assist in the evaluation, investigation, mitigation and remediation of each such Personal Data Breach.
11. Data Protection Impact Assessment and Prior Consultation
- The Supplier and each Supplier Affiliate shall provide reasonable assistance to the Customer with any data protection impact assessments and prior consultations with Supervisory Authorities or other competent authorities which the Customer considers necessary pursuant to Articles 35 and 36 of the UK GDPR.
- Such assistance from the Supplier shall be limited, in each case, to the Processing of Personal Data under this DPA.
12. Return and Deletion of Personal Data
- Subject to the subsequent clause, the Supplier and each Supplier Affiliate shall promptly and in any event, within 30 days of the expiry or termination of the Agreement, delete or return all copies Personal Data Processed by the Supplier and/or its Sub-processors on behalf of the Customer by such means as the parties shall agree in writing.
- The Supplier (and its Sub-processors) may retain Personal Data Processed under this DPA to the extent required by any applicable law to which the Supplier (or any Sub-processor) is subject and only to the extent and for such period as required by applicable law. Where applicable, the Supplier shall notify the Customer of any such requirement and ensure the confidentiality of such Personal Data. Any Personal Data Processed under this DPA and retained by the Supplier (or any Sub-processor) in accordance with this clause shall be not Processed for any other purpose other than the purpose specified in the applicable laws.
- The Customer may require the Supplier to provide written certification confirming that it has complied in full with its obligations under this section entitled 'Return and deletion of personal data.'
13. Audits
- The Supplier and each Supplier Affiliate shall make available to the Customer on request all information deemed reasonably necessary to demonstrate compliance with this DPA.
- The Supplier shall allow for and contribute to audits, including inspections, by the Customer (or any other auditor mandated by the Customer) in relation to the Processing of Personal Data under this DPA.
- The Customer (or any other auditor mandated by the Customer) shall give the Supplier or Supplier Affiliate reasonable notice of any audit or inspection, and shall make all reasonable endeavours to avoid causing any damage, injury or disruption to the Supplier or Supplier Affiliate's premises, equipment, personnel and business in the course of the audit or inspection.
- Audits and inspections will be free of charge except where they are reasonably deemed excessive in scope, duration or frequency and/or sufficiently unwarranted so as to be unduly disruptive or burdensome to the Processor, in which case the Processor may charge the Controller a reasonable fee proportional to the disruption or costs incurred.
- Such audit rights may be exercised only once in any calendar year during the term of the Agreement.
14. Liability and Indemnity
- Nothing in this DPA limits or excludes either party's liability for death of personal injury caused by its negligence, or fraud or fraudulent misrepresentation.
- Each party shall defend, indemnify, and hold harmless the other and its Personnel against any and all claims, cost, losses, expenses (including legal fees), demands, and causes of action of any kind or character, without limitation, arising from or in connection with a breach of a party's obligations or the obligations of its Affiliates and/or Sub-processors under this DPA.
- Subject to the two preceding clauses, the total liability of either party to the other for any non-compliance with this DPA shall be subject to any limitation regarding monetary damages set forth in the Agreement.
15. General Terms
- Except in respect of any provision of this DPA that expressly or by implication is intended to come into or continue in force on or after the expiry or termination of the Agreement, this DPA shall be coterminous with the Agreement.
- No party may assign, transfer or sub-contract to any third party the benefit and/or burden of the DPA without the prior written consent (not to be unreasonably withheld) of the other party.
- No variation of the DPA will be valid or binding unless it is recorded in writing and signed by or on behalf of both parties.
- No variation of the Agreement will be valid or binding unless it is recorded in writing and signed by or on behalf of both parties.
- The Contracts (Rights of Third Parties) Act 1999 does not apply to the DPA and no third party has any right to enforce or rely on any provision of the DPA.
- Unless otherwise agreed, no delay, act or omission by a party in exercising any right or remedy will be deemed a waiver of that, or any other, right or remedy.
- If any court or competent authority finds that any provision (or part) of the DPA is invalid, illegal or unenforceable, that provision or part-provision will, to the extent required, be deemed to be deleted, and the validity and enforceability of the other provisions of the DPA will not be affected.
- Any notice (other than in legal proceedings) to be delivered under the DPA must be in writing and delivered by pre-paid first class post to or left by hand delivery at the other party’s registered address or place of business, or sent by fax to its main fax number. Notices:
- sent by post will be deemed to have been received, where posted from and to addresses in the United Kingdom, on the second Working Day and, where posted from or to addresses outside the United Kingdom, on the tenth Working Day following the date of posting;
- delivered by hand will be deemed to have been received at the time the notice is left at the proper address; and
- sent by fax will be deemed to have been received on the next Working Day after transmission.
16. Governing Law and Jurisdiction
- This DPA will be governed by and interpreted according to the law of England and Wales and all disputes arising under the DPA (including non-contractual disputes or claims) shall be subject to the exclusive jurisdiction of the English and Welsh courts.
Schedule 1 - Processing Activities
This Schedule 1 includes certain details of the Processing of Personal Data as required by Article 28(3) UK GDPR. The subject matter and duration of the Processing of the Personal Data are set out in the Agreement and this DPA.
The nature and purpose of the Processing of Personal Data
The Supplier will Process Personal Data as necessary to provide the Services pursuant to the Agreement, and as further instructed by the Customer in its use of the Services.
The types of Personal Data to be Processed
The Customer may submit Personal Data to the Services, the extent of which, is determined and controlled by the Customer in its sole discretion, and which may include, but is not limited to the following types of Personal Data, including special categories of Personal Data:
- Personally identifiable information such as full name, email address and date of birth
- Employment details such as employer, role and duration of employment
- Health information and personal physical attributes as relevant to and required to provide the Services
- Photos of the Data Subject and/or their working environment and equipment
- Data Subject working hours and habits
Categories of Data Subject
The Customer may submit Personal Data to the Services, the extent of which is determined and controlled by the Customer in its sole discretion, and which may include, but is not limited to Personal Data relating to the following categories of Data Subjects:
- Staff, including employees, volunteers, temporary, contract and casual workers, all to be over the age of 18 years at the time of the Services
The obligations and rights of Customer and Customer Affiliates
The obligations and rights of the Customer (and any Customer Affiliates) are set out in the Agreement and this DPA.
Schedule 2 - Technical and Organisational Measures
The Supplier will apply and maintain the following Technical and Organisational Measures:
Confidentiality of Data
Physical Access Controls
Reception centre with entry procedures
Visitors’ procedure and logs
Physical access and security policy
Logical Access and Authorisation Controls
Username and strong password logins with central password management
Staff training and awareness programme
Encryption of all sensitive and personal data while in transit and at rest using a modern cipher suite considered to be current and secure by industry standards
Secure device configuration and patch management policy
Multifactor authentication where appropriate
Antivirus and firewall on all computer systems
Permissions management policy
Encryption of all corporate devices
Leavers and joiners policy
Automatic locking of all corporate devices
Central user profile and access management
Remote wipe capability on all corporate devices
Least privilege and proven-need principle
Secure disposal of physical and electronic assets
Data classification, handling and disposal policy
Logging and anomaly alerting systems
Data retention, protection and SAR policies
Data leak prevention technologies as appropriate
Annual network scans of internal infrastructure for vulnerabilities or misconfigurations
Logical separation of customer data
Secure separation of development, QA, staging and production environments and data
Integrity of Data and Processing
Logging of data alteration actions
Process for assignment and review of administrator/write/alteration permissions
Use of redundancy and error-detection and correction in data storage as appropriate
Appropriate training and monitoring of users with data write/alteration permissions
Availability and Resilience
Systems monitoring and performance alerting tools
Stringent selection of hosting and service providers with proven availability and resilience capabilities
Disaster Recovery and Business Continuity policies
Review, Assessment and Evaluation
Internal programme for internal verification of compliance with obligations under DPA 2018, EU and UK GDPR and other relevant data protection legislation
Appointment of an internal Data Protection Officer
Regular testing and correction of Disaster Recovery and Business Continuity policies
Background checks on new joiners
Secure Software Development Lifecycle including code review and change approval
Vendor and sub-processor vetting procedures for compliance with data protection and security obligations and requirements, preferring ISO 27001 and/or SOC II accreditation where possible
Completion of DPIAs and risk assessments for data processing
Organisational Concerns
The Supplier as an organisation implements and maintains an industry-standard framework for cybersecurity and data protection commensurate with its size, operating practices, the threat landscape and the state of the art. Currently, Ergofy has Cyber Essentials self-certification accreditation.
Aside from formal technical and organisational measures, an emphasis is placed internally on ensuring information security and cybersecurity awareness and practices are embedded into the organisation’s culture.
The Supplier also ensures it has access to the requisite skills to ensure all of these measures are implemented, maintained and improved either through internal appointments or use of trusted and qualified external partners.