ECOSALV Limited is a company registered in England, company registration number 14256388  

1: DEFINITIONS

The terms of agreement shall apply unless specifically amended by this contract or the context demands otherwise.

Applicable Laws

means any other law or regulation that may apply to the processing of Personal Data. 

Appointed Agent

means any auditor or third party, formally appointed by the Data Controller to perform a range of tasks associated with the validation of the performance of the Data Processor. 

Confidential Information

means all confidential information imparted by the Data Controller to the Data Processor during the term of this Contract or coming into existence because of the Controller's obligations hereunder which is either marked as confidential or which ought reasonably to be regarded as confidential.

Contract

means this Data Processing Contract. 

Data

means all data processed by the Processor on behalf of the Controller under the terms of this Data Processing Contract.

Data Controller

means “controller” as defined in Article 4 (7) of the GDPR.

Data Processor

means “processor” as defined in Article 4 (8) of the GDPR.

Data Subject

means “data subject” as defined in Article 4 (1) of the GDPR.

Data Sub Processor

means a “processor” as defined in Article 4 (8) of the GDPR.

Data Subject Rights Request

means a request under Chapter 3 of the GDPR which relates to the processing of Personal Data by the Processor on behalf of the Data Controller.

Personal Data Breach

means a “personal data breach” as defined by Article 4 (12) of the GDPR.

GDPR

means the General Data Protection Regulation Directive 2016/679.

Personal Data

means “personal data” as defined by Article 4 (1) of the GDPR which is processed by the Processor on behalf of the Data Controller and imparted to the Sub Processor.

Party

“Party” or “Parties” means a party or the parties to this Contract.

Service

means the provision of data processing services to the Controller, deemed to be the subject matter as per Article 28 GDPR.

Third Party

means a party which is not the Controller, the Processor or the Data Subject to whom the Personal Data relates.

In this Contract unless otherwise expressly stated:
  • references to Clauses are to clauses of this Contract;
  • reference to the Schedules are to the schedules to this Contract which form part of this Contract and are incorporated herein;
  • references to the singular include references to the plural and vice versa;
  • headings are inserted for convenience only and shall not affect the construction or interpretation of this Contract;
  • any phrase introduced by the terms “including”, “include”, “in particular” or any similar expression are illustrative and do not limit the sense of the words preceding those terms and such terms shall be deemed to be followed by the words “without limitation”;
  • references to a statute, or any section of any statute, include any statutory amendment, modification or re-enactment and instruments and regulations under it in force from time to time;
  • references to regulatory rules include any amendments or revisions to such rules from time to time; and
  • references to regulatory authorities refer to any successor regulatory authorities.

2: SUBJECT AND SCOPE

2.1 Processor processes the Data exclusively on behalf of and on the instruction of the Controller in accordance with Article 28 (1) GDPR (Commissioned Data Processing). The Data Controller remains the controller for the purposes of data protection law.
2.2 Schedule 1 of the Service Level Agreement to this Contract contains an exhaustive list of which types of Data the Processor may process, the nature and purpose of processing, the permitted duration of processing, and the categories of data subjects to which the Controller Data relate, as per Article 28 (3) GDPR.
2.3 The processing of Data will take place exclusively in the territory of the United Kingdom. Data processing in other countries may only take place where the Controller has provided their prior written consent and, where applicable, the requirements of Articles 44 to 47 GDPR are additionally fulfilled, or there is an exception in accordance with Article 49 GDPR.

3: TECHNICAL AND OPERATIONAL STANDARDS 

  • Processor hereby undertakes to the Controller that it will undertake the Services on behalf of the Controller in accordance with this Contract using all reasonable skill and care.
  • Processor hereby provides sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing meets the requirements of Article 28 (1) of the GDPR. These guarantees are listed in Schedule 2 of the Service Level Agreement to this contract.

4: THE TERM AND TERMINATION

4.1 This Contract shall continue in full force unless or until terminated by the Controller or Processor, having given 90 days' termination notice to the other party.
4.2 Controller shall instruct Processor at the point of termination as to its requirements for any data held at that time by the Processor.
4.3 Termination of this Contract shall not affect any rights or obligations of either Party which have accrued prior to the date of termination, and all provisions which are expressed to, or do by implication, survive the termination of this Contract shall remain in full force and effect.

5: OBLIGATIONS 

CONTROLLER

5.1 Controller shall provide such information as Processor may reasonably require to provide the Services outlined in Schedule 2 of the Service Level Agreement to this contract.

5.2 Controller shall instruct Processor generally in written or text form, which includes email communication. If required, the Controller may also issue instructions orally or via telephone. Instructions issued orally or via telephone require, however, immediate confirmation by Controller in written or text form.

PROCESSOR

5.3 Processor undertakes to Controller that it shall process the Personal Data only on Controller's instructions as given from time to time, and in accordance with the terms of this Contract and all Applicable Laws.

5.4 Any instructions issued by Controller to Processor shall be given in accordance with Clause 5.2 and shall be documented by Processor to be evidenced to Controller on request.

5.5 If Processor is of the reasonable opinion that an instruction by Controller breaches this Agreement, an earlier instruction, or applicable data protection laws, Processor must inform Controller in writing of this immediately.

5.6 Processor shall ensure that only such of its employees as may be required by Processor to assist it in meeting its obligations under this Contract shall have access to the Personal Data. Processor shall ensure that all employees used by it to provide the Services (i) have undergone training in the laws of data protection and in the care and handling of the Personal Data in accordance with such laws, and (ii) have undergone vetting to an appropriate level.

5.7 In particular, Processor undertakes to Controller that it will not disclose the Personal Data or any part thereof to any Third Party unless and only to the extent instructed to do so in writing by Controller.

5.8 Processor undertakes to Controller that it will not export the Personal Data or any part thereof outside the European Economic Area in any circumstances other than at the specific written request of Controller. If Processor intends to transfer Data to a third country or an international organisation without having been instructed to this end by Controller, Processor will inform Controller without undue delay and as soon as possible about the purpose, legal ground and affected Data, to such an extent and insofar as such notification is not legally prohibited on the grounds of a substantial public interest.

5.9 For the mutual benefit of both Parties, and to ensure compliance with this Contract and the Applicable Laws, Controller and Processor will liaise regularly, and Processor will allow its data processing facilities, procedures and documentation to be reviewed by Controller or its auditors.

5.10 If at any time Processor is unable to meet any of its obligations under this Contract, it undertakes to inform Controller immediately by notice in writing.

5.11 Processor is not permitted to make any copies or duplicates of the Data without prior written approval by Controller. This excludes copies which are necessary for the orderly performance of this agreement as well as copies which are necessary for compliance with statutory retention obligations.

5.12 Should Processor be required to provide information to a public authority or a person relating to the processing of Data, or to otherwise cooperate with a public authority, Controller shall support Processor at the first request with the provision of such information or the fulfilment of other obligations to cooperate. This applies to the immediate provision of all information and documents relating to technical and organisational measures taken in line with Article 32 GDPR relating to the technical procedure for the processing of the Data, the sites at which Data are processed, and relating to the employees involved in processing the

5.13 Controller will support Processor in any activity, relevant to services being carried out by Processor, which Processor or appointed agents must undertake to comply with the GDPR, such as a Data Privacy Impact Assessment and Register of Processing Activities.

5.14 Processor must have a Data Protection Officer or equivalent responsible person throughout the term of this contract and inform Controller of the contact details of this appointment. Should the Processor make any changes to the Data Protection Officer, this information must be passed on to Controller without undue delay.

6. ASSIGNMENT & SUBCONTRACTING

6.1 Processor shall be entitled to assign this Contract and all or any of its rights or obligations hereunder, without the prior written consent of Controller.

6.2 Processor shall be entitled to sub-contract performance of its obligations hereunder without Controller's prior written consent, and Processor shall, at all times, be responsible as between itself and Controller for the observance by its assignees of the obligations contained in this Contract as if such sub-contractor was the Processor.

6.3 In the event that Processor requires Controller's prior written consent in pursuance of Clause 6, Controller shall be entitled, at its discretion, to withhold such consent, and prior to issuing such consent Controller may require the party to which Processor proposes to sub-contract the performance (or any part thereof) of its obligations hereunder to enter into a direct contractual relationship with Controller in respect of the processing of any Personal Data by such party.

6.4 INTENTIONALLY BLANK

6.5  For the assessment of such approval, Controller must provide Processor with a copy of the intended commissioned data processing agreement between Controller and the further commissioned data Processor. Controller must obligate the further commissioned data processor in that written agreement in exactly the same manner as the former is obligated on the basis of this Agreement and include the requirements set out in Clause 13.

6.6 Controller is obligated to only select – and, should Processor approve, to make use of – those further commissioned data processors which offer sufficient guarantees that the appropriate technical and organisational measures will be implemented in such a manner that the processing of Data takes place in accordance with the requirements of the GDPR. Processor must satisfy itself, prior to the commencement of the processing, of compliance with the technical and organisational measures by the further commissioned data processor and will confirm this by means of a request for approval by Processor. Upon request, Controller will provide evidence to Processor to this end.

6.7  There is no right or claim to the granting of approval. The statutory liability of Processor in their capacity as commissioned data processor remains unaffected by any approval granted.

6.8 Processor must also be granted audit and examination rights in relation to subcontractors in accordance with Clause 5 of this Contract. Processor may request from Controller information about the essential terms and conditions of the subcontract and the implementation of the subcontractor's obligations relating to data protection, if necessary also by inspection of the relevant contractual documentation.

7. SECURITY OF PROCESSING

7.1 Processor warrants that it undertakes appropriate technical and organisational measures to ensure a suitable level of protection for the Data corresponding to the risk. This must be in consideration of the state of the art, implementation costs and the type, scope, circumstances, and aims of the processing as well as the varying likelihood of occurrence and severity of the risk to the rights and freedoms of data subjects. These measures include, inter alia, the following:

  1. the pseudonymisation and encryption of Data;

  2. the ability to permanently ensure the confidentiality, integrity and availability of the systems, services and Data in connection with the processing;

  3. the ability to rapidly recover the availability of the Data and access to them, should a physical or technical disruption occur;

  4. a process for the regular review, assessment, evaluation and evidence of the effectiveness of the technical and organisational measures for the purposes of ensuring the security of the processing.

7.2 Processor guarantees that it has, prior to the commencement of the processing of the Data, provided evidence to Controller that it has taken the appropriate technical and organisational measures to protect the data which is being processed. This evidence could be the accreditation of its Data Processing Service by an industry recognised accreditation scheme (Article 28 (5) GDPR). Processor guarantees that it will maintain these during the term of the Agreement.

7.3 Processor guarantees that it adheres to an approved code of conduct [Article 28 (5)] prior to the commencement of the contract.

7.4  Processor guarantees that as technology and threat evolves, by means of continual assessment, the technical and organisational measures in place are assessed for appropriateness. Because of this assessment Processor is permitted to implement alternative, adequate measures, if they do not fall below the security level of the measures agreed at the start of this Agreement. Any alternative measures are subject to the prior clauses of this contract and evidenced to Controller as per 7.1 and 7.2.

8. TRANSFER OF PERSONAL DATA

Before transferring any Personal Data to Processor, Controller will establish with Processor the appropriate method of transfer or transmission, and will securely transfer or transmit the Personal Data to Processor in line with Controller's requirements.

9. DATA SUBJECT REQUESTS

  • Controller shall be responsible for responding to all Data Subject Requests in accordance with Article 12 GDPR (“data subject rights”) which may be received from Data Subjects to which the Personal Data relates.
  • Processor hereby agrees to assist Controller with all applicable Data Subject Requests which may be received from the Data Subjects to which the Personal Data relates, as per Schedule 1 of the Service Level Agreement to this contract.
  • If Processor receives a Data Subject Request from a Data Subject relating to the Personal Data processed on behalf of the Controller, it shall immediately and without undue delay forward it to the person nominated by Processor under clause 19 of this Contract.
  • Where Processor considers that it is necessary for copies of the Personal Data to be transferred to it to respond to a Data Subject Request, Processor will inform Controller that it requires copies to be transferred. Before transferring the copies, Controller will establish with Processor the appropriate method of transfer and will securely transfer the copies of the Personal Data to Processor in line with Controller's requirements, to arrive no more than 10 working days from the date of Processor's request to Controller.

10. COMPLAINTS

  • Processor shall be responsible for handling and responding to any complaints or expressions of dissatisfaction which may be received from the Data Subjects to which the Personal Data relates, or others, in relation to the processing of the Personal Data under this Contract.
  • Controller hereby agrees to assist Processor with any applicable complaints or expressions of dissatisfaction which may be received from the Data Subjects to which the Personal Data relates, or others, in relation to the processing of the Personal Data under this Contract, as per Schedule 1 of the Service Level Agreement to this contract.

  • If Processor receives any complaints or expressions of dissatisfaction relating to the Personal Data processed on behalf of the Controller, it shall immediately and without undue delay forward them to the Data Protection Officer nominated by Controller in Schedule 3 of the Service Level Agreement to this contract.

  • Where Processor considers that it is necessary for copies of the Personal Data to be transferred to it to allow it to respond to a complaint or expression of dissatisfaction, Processor will inform Controller that it requires copies to be transferred. Before transferring the copies, Processor will establish with Controller the appropriate method of transfer and will securely transfer the copies of the Personal Data to Processor in line with Controller's requirements, to arrive no more than 5 working days from the date of Processor's request to Controller.

11. BREACH IDENTIFICATION & NOTIFICATION

11.1 Under the context of this contract a Data Breach is defined as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”.

11.2 Processor will ensure that there are sufficient checks being made on processing activities to ensure that data is being protected at all times as per Clause 7.

11.3 Processor will without undue delay inform Controller if the former becomes aware of an incident which, under the definition in Clause 11.1, constitutes a data breach. This communication will be made to the Data Protection Officer nominated by Controller in Schedule 3 of the Service Level Agreement to this contract and be classed as the “Initial Notification”.

11.4 Data Controller will be responsible for informing the Local Supervisory Authority as denoted in Clause 17. This notification will be made no later than 72 hours from the “Initial Notification” as per Article 33 GDPR.

11.5 Processor must inform Controller within 24 hours of the Initial Notification of the following details where possible: the nature of the personal data breach, including the categories and approximate number of data subjects concerned; the name and contact details of the Data Protection Officer or other contact point; the likely consequences of the personal data breach; and any measures taken or proposed to be taken to mitigate the adverse effects of the data breach. Where it is not possible to provide this information in full within 24 hours, a clearly articulated plan of activities and timelines for obtaining any missing information should be submitted to Controller within the 24-hour window.

11.6 Processor will support the Controller or Controller’s appointed agent in the investigation of any data breach incident unless such activities contravene legal or contractual obligations already in place. In such situations, a written explanation supporting the Processor’s position is required.

12. RETENTION & DISPOSAL OF PERSONAL DATA

Processor undertakes to retain and dispose of the Personal Data in line with the Retention and Disposal Guidelines, as contained in Schedule 2 of the Service Level Agreement to this Contract.

13. EVIDENCE & INSPECTIONS

13.1 Processor shall provide Controller with all necessary information to prove compliance with Controller's obligations under this Agreement upon request. Upon request of Controller, Processor shall provide Controller immediately with all relevant certificates and audit reports.

13.2 Controller is entitled to receive information from the Data Protection Officer of Processor relating to all aspects regarding the processing of Data, including the technical and organisational measures taken in accordance with Clause 5.

13.3 Controller or appointed agent is entitled, with reasonable notice, to enter the business premises of Processor during normal business hours (Mondays to Fridays from 09:00 until 18:00) and inspect the technical and organisational measures as well as the processes of Processor, to satisfy themselves of the compliance with the provisions of this Agreement as well as the relevant statutory data protection provisions by Processor.

13.4 Processor guarantees Controller, or appointed agent, the access rights, information rights, and inspection rights necessary for this purpose. Processor will guarantee access to the data processing facilities, files, and other documents to allow for monitoring and auditing of the relevant data processing facilities, files and other documentation relating to the processing of the Data. Processor will provide Controller, or an agent appointed by the same, with all information necessary for the inspection.

13.5 Controller and Processor are subject to public audits by the competent data protection authorities. Upon request of Controller, Processor will provide the requested information to the supervisory authorities and will also grant the latter the opportunity to audit; this includes inspections of Processor by the supervisory authorities and persons appointed by them. Processor guarantees to the competent authorities in this context the necessary access rights, information rights, and inspection rights.

13.6 Processor shall hold relevant industry accreditations to evidence capabilities in their field. These are to be maintained throughout the duration of this contract.

14. INDEMNITY

14.1 Processor hereby agrees to indemnify Controller, up to a maximum of £1 million per incident, against all losses, costs, expenses, damages, liabilities, demands, claims, fines, penalties, actions or proceedings which Controller may incur arising out of any failure by Processor or its employees to comply with any of its obligations under this Contract.

15. OWNERSHIP

15.1 All right, title and interest in the Confidential Information shall vest solely with Controller or its licensees.

16. CONFIDENTIALITY

16.1 Processor shall procure that all Confidential Information disclosed to it by Controller under this Contract, or which at any time during the term of the Contract comes into Processor’s knowledge, possession or control, shall be kept confidential and shall not be used for any purposes other than those required or permitted by this Contract, and shall not be disclosed to any third party except insofar as this may be required for the proper operation of this Contract and then only under appropriate confidentiality provisions approved in writing by Controller.
16.2 Processor will ensure, pursuant to Article 29 GDPR, that all persons under their authority process the Data exclusively in accordance with this Agreement, as well as the instructions of the Controller.
16.3 The obligations of confidence contained in this Clause 16 shall not prevent Processor from disclosing information to the extent required by law or for any regulatory purposes, provided that prior written notice is given to Controller of such disclosure.
16.4 The obligations of confidence contained in this Clause 16 shall not apply to any information which:
16.4.1 is or becomes generally available to the public through no act or default of Processor or its directors, employees or agents; or
16.4.2 Processor can demonstrate from its written records was, prior to its receipt from Controller, in its possession and at its free lawful disposal; or
16.4.3 Processor can demonstrate from its written records is, after its receipt from Controller, generated by employees of Controller independently of, and without knowledge of, the Confidential Information; or
16.4.4 Processor can demonstrate from its written records is subsequently disclosed to it without any obligation of confidence by a third party who has not derived it directly or indirectly from Controller.
16.5 The obligations of confidence contained in this Clause 16 shall survive the termination of this Contract for whatever reason for a period of: (i) three (3) years following the final disclosure of the Confidential Information by Controller to Processor; or (ii) if longer, but only to the extent reasonably required, for as long as the ongoing confidentiality of the Confidential Information, or any part thereof, remains of value to Controller and/or its interests.

17. NOTICES

  • Any notice under or in connection with this Contract shall be in writing (but not by fax, e-mail or similar means) and shall be delivered personally, or sent by courier or by recorded or registered mail, to the Controller Account Manager or Processor main contact as detailed in Schedule 3 of the Service Level Agreement to this contract.

  • A notice shall become effective on the date it is delivered to the address of the recipient Party. A Party may notify the other of a change to its notice details.

  • The Local Supervisory Authority for the purposes of this contract is agreed to be the UK Information Commissioner's Office.

18. SEVERABILITY

Should any provision of this Contract be held to be illegal, invalid or unenforceable in any respect by any judicial or other competent authority under the law of any jurisdiction:

18.1 If, by substituting a shorter time period or more restricted application of the provision, it would be valid and enforceable, such shorter time period or more restricted application shall be substituted.

18.2 If Clause 18.1 is not applicable:
18.2.1 such provision shall, so far as it is illegal, invalid or unenforceable in any jurisdiction, be given no effect by the Parties and shall be deemed not to be included in this Contract in that jurisdiction;
18.2.2 the other provisions of this Contract shall be binding on the Parties in that jurisdiction as if such provision were not included herein;
18.2.3 the legality, validity and enforceability of the provision in any other jurisdiction shall not be affected or impaired; and
18.2.4 the Parties shall negotiate in good faith to agree an alternative provision in terms which as closely as possible achieve the intention of the Parties in the original provision, do not substantially impair the Parties’ original interests and do not render such provisions invalid or unenforceable.

19. VARIATION

  • No variation or amendment to this Contract shall bind either Party unless made in writing and signed by duly authorised officers of both Parties.

20. WAIVER & REMEDIES

  • A failure to exercise or any delay in exercising any right or remedy provided by this Contract or by law does not constitute a waiver of that right or remedy or a waiver of any other rights or remedies.

21. ENTIRE CONTRACT

  • This Contract constitutes the entire Contract and understanding of the Parties relating to its subject matter and supersedes all prior proposals, Contracts and understandings between the Parties or their advisors relating to such subject matter.

  • Each of the Parties hereby acknowledges and agrees that in entering into this Contract, it does not rely on any statement, representation, warranty, undertaking, Contract or understanding of any nature whatsoever made by any person other than as expressly included in this Contract as a warranty (a “Prior Representation”) and, to the extent that it is so included, that Party’s only remedy shall be a contractual one for breach of warranty under the terms of this Contract for damages. To the extent that, notwithstanding the foregoing, a Prior Representation has been made and relied upon by either Party, the relevant party unconditionally and irrevocably waives any claims, rights or remedies it may have in relation thereto.

  • Nothing in this Clause 21 or in this Contract shall operate to limit or exclude any liability of either Party, or the remedies available to either Party, for fraud, including fraudulent acts and/or fraudulent misrepresentations.

22. FURTHER ASSISTANCE

  • The Parties shall execute all further documents as may be reasonably necessary or desirable to give full effect to the terms of this Contract and to protect the rights of the Parties under it.

23. GOVERNING LAW

This Contract shall be governed in all respects by the laws of England & Wales, and each Party hereby irrevocably submits for all purposes in connection with this Contract to the exclusive jurisdiction of the English & Welsh Courts.

24. SERVICE LEVEL AGREEMENT TO THIS CONTRACT

This document is the Service Level Agreement (‘SLA’) between the Controller and Processor, providing details of agreed service provision in support of the Data Processing Contract.

Schedule 1

Scope & Purpose of Permitted Data Processing

Type of Data: Personal Data

Data Subject Categories: Staff, Public, Customers

Purpose of Processing: Secure disposal of data held on IT equipment or media

Duration of Processing: Disposal completed within 25 Working Days maximum


Schedule 2

Outline of required Processor service & description.

Service Element    Description of service provision

Administration     Receipt / Booking / Identification of assets
                   Full Asset reporting by make, serial No. & function testing status
                   Retention of erasure certificates / records
                   Provision of processing information / evidence as requested by Stone
                   Full traceability of all assets sold post data disposal

Transport          Secure collection & transportation of data assets to own site for disposal

Data Processing    Full tracking of assets through data disposal process
                   Data erasure of all assets or physical destruction as per the table below
                   Segregation of assets prior to & on completion of data disposal processing

Asset Recycling    Refurbishment and resale of all viable assets

Description of Data disposal provision

MEDIA TYPE                  DATA CLEANSING                 DATA DESTRUCTION
MAGNETIC HARD DISK DRIVES   Certus Software                HMG Infosec Level 5 Enhanced
SOLID STATE HARD DRIVES     Certus Software                ATA Secure Erasure
HYBRID DISK DRIVES          Certus Software                HMG/ATA
SWITCHES                    IP Address removal and reset   N/A
MOBILE PHONES               Certus Software/Phonecheck     Certified Wipe
USB / DISKS / CARDS         Physical Shredding             Physical Shredding
MAGNETIC TAPES              Physical Shredding             Physical Shredding
SERVER MOTHERBOARD          Physical Shredding             Physical Shredding
SIM CARDS, USB, SD CARDS    Physical Shredding             Physical Shredding