(for contract terms entered into prior to GDPR - May 2018)
This Data Protection Addendum forms part of the Agreement (“Agreement”) entered into previously between Eazy Collect Services Limited (“ECS”) and the Company (“Company”) in relation to the services provided thereunder (“Services”).
In the course of providing the Services to the Company pursuant to the Agreement, ECS may Process Personal Data on behalf of the Company and the parties agree to comply with the following provisions with respect to any Personal Data.
In this Data Protection Addendum, the following defined terms shall have the meanings ascribed to them:
“Data Protection Legislation”: the DPA and all other applicable laws and regulations from time to time in force relating to data protection, privacy and the processing of personal data, including the GDPR on and from 25 May 2018, the date upon which the GDPR applies (as set out in Article 99 (Entry into force and application) of the GDPR), together with all legally binding guidance and codes of practice issued by a regulator with jurisdiction over the data processing arrangements contemplated in this Agreement;
“DPA”: the Data Protection Act 1998 (as amended from time to time);
“GDPR”: the European General Data Protection Regulation, namely Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC; and
“Safe Countries”: the countries that comprise the European Economic Area and, in the event that the United Kingdom or any part of it falls outside the European Economic Area, those countries and the United Kingdom or that part of it.
1. The terms “Data Subject”, “Data Processor”, “Data Controller”, “Personal Data” and “Process(ing)” shall have the meanings given to them under the DPA and the GDPR (as applicable from time to time) for the purposes of this Agreement.
2. Both parties will comply with all applicable requirements of the Data Protection Legislation. This clause 2 is in addition to, and does not relieve, remove or replace, each party's obligations under the Data Protection Legislation.
3. The Company is the Data Controller and ECS is the Data Processor in relation to all Personal Data processed under this Agreement.
4. Without prejudice to the generality of clause 2, the Company will ensure that it has all necessary and appropriate consents and notices in place to enable the lawful transfer of the Personal Data to ECS for the duration of this Agreement.
   (a) The Company shall only provide instructions to ECS that are in accordance with the terms of the Agreement and this Data Protection Addendum. Such instructions shall be limited to the subject matter of the relevant Services under the Agreement.
   (b) The Company acknowledges that, as Data Controller, it is solely responsible for determining the lawful processing condition on which it relies in instructing ECS to process the Personal Data for the purposes of carrying out the Services as set out in the Agreement.
5. ECS shall, in relation to any Personal Data processed in connection with the performance by ECS of its obligations under this Agreement:
   (a) only process the Personal Data to the extent necessary to perform its obligations under this Agreement and to provide the Services, and as otherwise instructed by the Company in writing (including as set out in this Agreement);
   (b) immediately notify the Company in writing if, in ECS's reasonable opinion:
      (i) ECS's compliance with paragraph 5(a) would breach a requirement of applicable law (including Data Protection Legislation); or
      (ii) an instruction from the Company breaches a requirement of applicable law (including Data Protection Legislation),
      unless that law prohibits the disclosure of such information on important grounds of public interest;
   (c) provide (at the Company's request and at the Company's cost) such assistance to the Company as is contemplated by Article 28(3)(e) and (f) (Processor) of the GDPR on and from the date the GDPR applies (as set out in Article 99 (Entry into force and application) of the GDPR);
   (d) implement and maintain all technical and organisational measures appropriate to the level of risk to ensure the security, integrity and confidentiality of the Personal Data and to prevent the unauthorised or unlawful processing of the Personal Data (including accidental loss, damage or destruction of the Personal Data), and such measures shall (at a minimum) meet the requirements of the Data Protection Legislation (including the requirements of Article 32 (Security of processing) of the GDPR on and from the date the GDPR applies (as set out in Article 99 (Entry into force and application) of the GDPR));
   (e) ensure that all of its (and, subject to the provisions of this Addendum concerning subprocessors, its subprocessors') personnel who have access to the Personal Data are committed to, or statutorily bound by, a duty of confidence to maintain the confidentiality of the Personal Data at least to the standard required by this Agreement;
   (f) not transfer, access or process any Personal Data outside the Safe Countries unless the prior written consent of the Company has been obtained and the following conditions are fulfilled:
      (i) the Company or ECS has provided appropriate safeguards in relation to the transfer (which may include the execution of a data transfer agreement in a form approved by the European Commission from time to time as providing appropriate safeguards);
      (ii) the Data Subject has enforceable rights and effective legal remedies;
      (iii) ECS complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred; and
      (iv) ECS complies with reasonable instructions notified to it in advance by the Company with respect to the processing of the Personal Data; and
   (g) maintain complete and accurate records and information to demonstrate its compliance with this clause 5 and allow for audits by the Company or the Company's designated auditor in accordance with clause 12 below.
6. If ECS receives any complaint, notice, request (including any subject access request) or communication which relates directly to the processing of the Personal Data received from the Company, it shall immediately notify the Company in writing and shall (at the Company's cost) provide the Company with full co-operation and assistance in relation to the same; such assistance may include the provision of a copy of all or part (as directed by the Company) of the Personal Data held by ECS. ECS shall not respond to the complaint, notice, request or communication without the prior written consent of the Company (except to the extent required by law), provided that ECS may acknowledge receipt.
7. Notwithstanding any other provision in this Agreement, ECS shall not subcontract the processing of Personal Data without the prior written consent of the Company, such consent not to be unreasonably withheld, conditioned or delayed.
8. In the event that the Company consents to the appointment of a subprocessor, ECS shall ensure that, prior to any processing of Personal Data by the subprocessor, ECS enters into an agreement with the subprocessor on terms that provide no less protection for Personal Data than those set out in this Agreement.
9. ECS shall remain fully responsible for the acts, omissions and defaults of each subprocessor as if those were the acts, omissions and defaults of ECS.
10. The Company may subsequently withdraw its consent to the engagement of a subprocessor where it has reasonable grounds for doing so (including where the Company has material concerns over the ability of the subprocessor to process the Personal Data in the manner contemplated by this Agreement) and, in such circumstances, upon receipt of a written request from the Company, ECS shall cease to use that subprocessor to process Personal Data.
11. ECS shall provide the Company with all information reasonably requested by the Company to enable the Company to verify ECS's (and each subprocessor's) compliance with this Agreement.
12. Subject to:
   (a) ECS's confidentiality obligations to its other clients;
   (b) ECS's ability to meet its obligations under any existing contracts with its other clients; and
   (c) ECS's security-related compliance obligations under ISO 27001 and as a Payment Institution regulated by the Financial Conduct Authority,
   and on the Company providing at least 14 Business Days' written notice, the Company shall be entitled to test and audit, or to appoint representatives to test and audit, under supervision by ECS, all facilities, premises, equipment, systems, documents and electronic data relating to the processing of Personal Data under this Agreement by or on behalf of ECS, at a time and date (which shall be during ECS's normal business hours on a Business Day) agreed between the parties. ECS shall provide (and shall use reasonable endeavours to procure that each subprocessor provides) all reasonable cooperation and assistance in relation to each such inspection, test and audit. The Company shall ensure that the conduct of each such inspection, test or audit does not unreasonably disrupt ECS, or in any way negatively impact the provision of services by ECS to any of its other clients, and that, where possible, individual tests and/or audits are co-ordinated with each other to minimise any disruption.
13. Without prejudice to the Company's other rights and remedies, in the event that the Company identifies any non-compliance with this Agreement as a result of an inspection, test or audit, ECS shall, on the written request of the Company:
   (a) remedy the non-compliance and take such steps as the Company reasonably requests for this purpose; and
   (b) reimburse the Company for the costs and expenses reasonably incurred by the Company in connection with the inspection, test or audit.
14. Upon the Company's request on termination of this Agreement, and having regard to Article 17 (Right to erasure) of the GDPR, ECS will (as directed by the Company) securely return or securely destroy the Personal Data and any copies thereof (or that part of the Personal Data which is the subject of the Company's request), unless retention of such Personal Data remains necessary under the Direct Debit Scheme Rules (given that a Data Subject may bring a Direct Debit indemnity claim without limit as to time) or Union or Member State law requires storage.