Controller to processor data sharing schedule
Last updated: 12 January 2018
This Schedule forms part of the Processor Agreement entered into between the Processor and ICAEW, effective from the Commencement Date (the “Agreement”).
Pursuant to the terms of the Agreement each Party wishes to share certain Personal Data (as hereafter defined). Each Party wishes to ensure that the other Party complies with its legal obligations in connection with such Personal Data and otherwise agrees the responsibilities set out in this Schedule. Accordingly, in consideration of the benefits to the Parties of the sharing of Personal Data, the Parties agree to comply with the following terms.
1 DEFINITIONS AND INTERPRETATION
Any words defined in the Agreement and used in this Schedule shall have the meaning given in the Agreement. Otherwise, in this Schedule, unless the context otherwise requires, the following words and expressions shall have the following meanings:
| Term | Meaning |
|---|---|
| Complaint | means a complaint or request relating to either party’s obligations under Data Protection Legislation relevant to this Schedule, including any compensation claim from a Data Subject or any notice, investigation or other action from a Supervisory Authority; |
| Data Controller | has the meaning given to that term (or to the term ‘controller’) in Data Protection Legislation; |
| Data Processor | has the meaning given to that term (or to the term ‘processor’) in Data Protection Legislation; |
| Data Protection Legislation | means any Applicable Law relating to the processing, privacy, and use of Personal Data, as applicable to ICAEW, the Processor and/or the Processorship Services, including: (a) in the United Kingdom: (i) the Data Protection Act 1998 and the Privacy and Electronic Communications (EC Directive) Regulations 2003, SI 2003/2426, and any laws or regulations implementing Directive 95/46/EC (Data Protection Directive) or Directive 2002/58/EC (ePrivacy Directive); and/or (ii) the General Data Protection Regulation (EU) 2016/679 (GDPR), and/or any corresponding or equivalent national laws or regulations (Revised UK DP Law); (b) in member states of the European Union: the Data Protection Directive or the GDPR, once applicable, and the ePrivacy Directive, and all relevant member state laws or regulations giving effect to or corresponding with any of them; and (c) any judicial or administrative interpretation of any of the above, any guidance, guidelines, codes of practice, approved codes of conduct or approved certification mechanisms issued by any relevant Supervisory Authority; |
| Data Protection Losses | means all liabilities and other amounts, including all: |
| Data Subject | has the meaning given to that term in Data Protection Legislation; |
| Data Subject Request | means a request made by a Data Subject to exercise any rights of Data Subjects under Data Protection Legislation; |
| International Organisation | means an organisation and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries; |
| International Recipient | has the meaning given to that term in clause 7.1; |
| Personal Data | has the meaning given to that term in Data Protection Legislation; |
| Personal Data Breach | means any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, any Protected Data; |
| Processing | has the meaning given to that term in Data Protection Legislation (and related terms such as process have corresponding meanings); |
| Processing Instructions | has the meaning given to that term in clause 3.1.1; |
| Processor Personnel | means employees of the Processor; |
| Protected Data | means Personal Data received from or on behalf of ICAEW, or otherwise obtained in connection with the performance of the Processor’s obligations under this Agreement; |
| Sub-Processor | means any agent, subcontractor or other third party engaged by the Processor (or by any other Sub-Processor) to carry out any processing activities in respect of the Protected Data on behalf of the Processor; |
| Supervisory Authority | means any local, national or multinational agency, department, official, parliament, public or statutory person or any government or professional body, regulatory or supervisory authority, board or other body responsible for administering Data Protection Legislation. |
Specific interpretive provisions
In clauses 2 to 11 (inclusive):
(a) references to any Applicable Laws (including to the Data Protection Legislation and each of them) and to terms defined in such Applicable Laws shall be replaced with or incorporate (as the case may be) references to any Applicable Laws replacing, amending, extending, re-enacting or consolidating such Applicable Law (including particularly the GDPR and/or the Revised UK DP Law) and the equivalent terms defined in such Applicable Laws, once in force and applicable;
(b) a reference to a law includes all subordinate legislation made under that law; and
(c) clauses 2 to 11 (inclusive) shall survive termination (for any reason) or expiry of this Agreement (or of any of the Processor Services).
2 Data Processor and Data Controller
2.1 The parties agree that, for the Protected Data, ICAEW shall be the Data Controller and the other party shall be the Data Processor. The details of such processing are set out in the Agreement.
2.2 The Processor shall comply with all Data Protection Legislation in connection with the processing of Protected Data, the Services and the exercise and performance of its respective rights and obligations under this Agreement and shall not by any act or omission cause ICAEW (or any other person) to be in breach of any Data Protection Legislation.
2.3 ICAEW shall comply with all Data Protection Legislation in respect of the performance of its obligations under this Agreement.
3 Instructions and details of processing
3.1 Insofar as the Processor processes Protected Data on behalf of ICAEW, the Processor:
- 3.1.1 unless required to do otherwise by Applicable Law, shall (and shall ensure each person acting under its authority shall) process the Protected Data only on and in accordance with ICAEW’s documented instructions as set out in this clause 3 and the Data Processing Activities set out in), and as updated from time to time by the written agreement of the parties (Processing Instructions); and
- 3.1.2 if Applicable Law requires it to process Protected Data other than in accordance with the Processing Instructions, shall notify ICAEW of any such requirement before processing the Protected Data (unless Applicable Law prohibits such information on important grounds of public interest).
3.2 The Processor shall immediately inform ICAEW in writing if, in the Processor’s opinion, a Processing Instruction infringes the Data Protection Legislation or any other Applicable Laws relating to data protection and explain the reasons for its opinion, provided that this shall be without prejudice to clause 2.2.
3.3 The processing to be carried out by the Processor under this Agreement shall comprise the processing set out in Data Processing Activities set out in the Agreement, and such other processing as agreed by the parties in writing from time to time.
4 Technical and organisational measures
4.1 The Processor shall implement and maintain, at its cost and expense, appropriate technical and organisational measures in relation to the processing of Protected Data by the Processor:
- 4.1.1 such that the processing will meet the requirements of Data Protection Legislation and ensure the protection of the rights of Data Subjects;
- 4.1.2 so as to ensure a level of security in respect of Protected Data processed by it that is appropriate to the risks that are presented by the processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data transmitted, stored or otherwise processed; and
- 4.1.3 without prejudice to clause 6.1, insofar as is possible, to assist ICAEW in the fulfilment of ICAEW’s obligations to respond to Data Subject Requests relating to Protected Data.
4.2 Without prejudice to clause 4.1, the Processor shall, in respect of the Protected Data processed by it under this Schedule, comply with the requirements regarding security of processing set out in Data Protection Legislation (as applicable to Data Processors), all relevant ICAEW Policies and this Schedule.
5 Using Sub-Processors and Personnel
5.1 The Processor shall not provide access or permit any processing of Protected Data by any agent, subcontractor or other third party without the prior specific written authorisation of that Sub-Processor by ICAEW.
5.2 Where authorisation has been granted by ICAEW to the Processor to engage any Sub-Processor in accordance with clause 5.1, the Processor shall, prior to the Sub-Processor carrying out any processing activities in respect of the Protected Data:
- 5.2.1 undertake due diligence on the Sub-Processor equivalent to the due diligence undertaken on the Processor by ICAEW under this Agreement; and
- 5.2.2 appoint the Sub-Processor under a binding written contract, with enforceable data protection obligations on the same terms as apply to the Processor under this Agreement.
5.3 Clause 5.2 includes an obligation on the Processor to ensure that the contract with a Sub-Processor requires that the Sub-Processor at all times:
(a) processes Protected Data only on and in accordance with the Processing Instructions and complies with the same obligations as the Processor (as amended from time to time and including, without limitation, all obligations relating to security, audits, compliance with Applicable Laws, notifications, keeping of records and the destruction or deletion of Protected Data);
(b) provides sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing of the Protected Data will meet the requirements of Data Protection Legislation; and
(c) is obliged to obtain the specific prior written consent of ICAEW and comply with the conditions referred to in this clause 5.3 for engaging another Data Processor (including any replacement).
5.4 The Processor shall promptly upon request by ICAEW provide the relevant details of any such Sub-Processor Contract to ICAEW.
5.5 The Processor shall immediately cease using a Sub-Processor upon receiving written notice from ICAEW requesting that the Sub-Processor ceases processing Protected Data for security reasons or concerns about the Sub-Processor’s ability to carry out the relevant processing in compliance with Data Protection Legislation or this Agreement.
5.6 The Processor shall, and shall procure that each Sub-Processor that has access to Protected Data shall, comply with the Processor’s obligations under clauses 1 to 10 (inclusive) (including that all obligations and responsibilities relating to Processor Personnel shall apply to employees, agents or representatives of each Sub-Processor (Sub-Processor Personnel)). The Processor shall, where that Sub-Processor fails to fulfil its obligations in accordance with any Sub-Processor Contract, remain fully liable to ICAEW for the performance of that Sub-Processor’s obligations. The acts or omissions of any Sub-Processor or Sub-Processor Personnel in connection with the processing of Protected Data shall be deemed the act or omission of the Processor.
5.7 The Processor shall ensure that the Processor Personnel and all other persons authorised by it, or by any person acting on its behalf (including by any Sub-Processor pursuant to clause 5.1), to process Protected Data are subject to a binding written contractual obligation with the Processor or with the Sub-Processor that has engaged them to keep the Protected Data confidential (except where disclosure is required in accordance with Applicable Law, in which case the Processor shall, where practicable and not prohibited by Applicable Law, notify ICAEW of any such requirement before such disclosure).
5.8 Without prejudice to any other provision of clauses 2 to 11 (inclusive), the Processor shall ensure that the Processor Personnel processing Protected Data are reliable and have received adequate training on compliance with clauses 2 to 11 (inclusive) and the Data Protection Legislation applicable to the processing.
5.9 The Processor shall ensure that access to Protected Data is limited to the authorised persons who need access to it to supply the Services.
5.10 The Processor remains fully liable to ICAEW under this Agreement for all the acts and omissions of each Sub-Processor and each of the Processor Personnel as if they were its own.
6 Assistance with ICAEW’s compliance and Data Subject rights
6.1 The Processor shall (at no cost to ICAEW):
- 6.1.1 promptly record and then refer all Data Subject Requests it receives to ICAEW within two Business Days of receipt of the request;
- 6.1.2 provide such information and cooperation and take such action as ICAEW reasonably requests in relation to each Data Subject Request, within the timescales reasonably required by ICAEW; and
- 6.1.3 not respond to any Data Subject Request or Complaint without ICAEW’s prior written approval.
6.2 Without prejudice to clause 3.1, the Processor shall, at its cost and expense, provide such information, co-operation and other assistance to ICAEW as ICAEW reasonably requires (taking into account the nature of processing and the information available to the Processor) to ensure compliance with ICAEW’s obligations under Data Protection Legislation, including with respect to:
- 6.2.1 security of processing;
- 6.2.2 data protection impact assessments (as such term is defined in Data Protection Legislation);
- 6.2.3 prior consultation with a Supervisory Authority regarding high risk processing; and
- 6.2.4 any remedial action and/or notifications to be taken in response to any Personal Data Breach and/or Complaint, including (subject in each case to ICAEW's prior written authorisation) regarding any notification of the Personal Data Breach to Supervisory Authorities and/or communication to any affected Data Subjects.
7 International data transfers
7.1 The Processor shall not transfer any Protected Data to any country outside the United Kingdom and/or European Economic Area or to any International Organisation (an International Recipient) without ICAEW’s prior written consent.
8 Records, information and audit
8.1 The Processor shall maintain complete, accurate and up to date written records of all categories of processing activities carried out on behalf of ICAEW, containing such information as ICAEW may reasonably require, including:
- 8.1.1 the name and contact details of the Data Processor(s) and of each Data Controller on behalf of which the Data Processor is acting, and of the Processor representative and data protection officer (if any);
- 8.1.2 the categories of processing carried out on behalf of each Data Controller;
- 8.1.3 where applicable, details of transfers of Protected Data to an International Recipient; and
- 8.1.4 a general description of the technical and organisational security measures referred to in clause 4.1.
8.2 The Processor shall make available to ICAEW on request in a timely manner (and in any event within three Business Days):
- 8.2.1 copies of the records under clause 8.1; and
- 8.2.2 such other information as ICAEW reasonably requires to demonstrate the Processor's and ICAEW’s compliance with their respective obligations under Data Protection Legislation and this Agreement.
8.3 The Processor shall at no cost to ICAEW:
- 8.3.1 allow for and contribute to audits, including inspections, conducted by ICAEW or another auditor mandated by ICAEW for the purpose of demonstrating compliance by the Processor and ICAEW with their respective obligations under Data Protection Legislation and under clauses 2 to 11 (inclusive); and
- 8.3.2 provide (and procure) reasonable access for ICAEW or such other auditor (where practicable, during normal business hours) to:
(a) the facilities, equipment, premises and sites on which Protected Data and/or the records referred to in clause 8.1 are held, and to any other equipment or facilities used in the provision of the Processorship Services (in each case whether or not owned or controlled by the Processor); and
(b) the Processor Personnel,
provided that ICAEW gives the Processor reasonable prior notice of such audit and/or inspection.
8.4 If any audit or inspection reveals a material non-compliance by the Processor with its obligations under Data Protection Legislation or a breach by the Processor of any of clauses 2 to 11 (inclusive), the Processor shall pay the reasonable costs of ICAEW or its mandated auditors, of the audit or inspection.
8.5 The Processor shall promptly resolve, at its own cost and expense, all data protection and security issues discovered by ICAEW and reported to the Processor that reveal a breach or potential breach by the Processor of its obligations under any of clauses 2 to 11 (inclusive).
8.6 If the Processor is in breach of its obligations under any of clauses 2 to 11 (inclusive) or clause 8.5, ICAEW may suspend the transfer of Protected Data to the Processor until the breach is remedied.
8.7 ICAEW shall be entitled to share any notification, details, records or information provided by or on behalf of the Processor under any of clauses 2 to 11 (inclusive) (including under clauses 8 or 9) with its professional advisors and/or the Supervisory Authority.
9 Breach notification
9.1 In respect of any Personal Data Breach, the Processor shall:
- 9.1.1 notify ICAEW of the Personal Data Breach without undue delay (but in no event later than 12 hours after becoming aware of the Personal Data Breach); and
- 9.1.2 provide ICAEW without undue delay (wherever possible, no later than 24 hours after becoming aware of the Personal Data Breach) with such details as ICAEW reasonably requires regarding:
(a) the nature of the Personal Data Breach, including the categories and approximate numbers of Data Subjects and Protected Data records concerned;
(b) any investigations into such Personal Data Breach;
(c) the likely consequences of the Personal Data Breach; and
(d) any measures taken, or that the Processor recommends, to address the Personal Data Breach, including to mitigate its possible adverse effects,
provided that (without prejudice to the above obligations) if the Processor cannot provide all these details within the timeframes set out in this clause 9.1.2, it shall (before the end of such timeframes) provide ICAEW with reasons for the delay and when it expects to be able to provide the relevant details (which may be phased), and give ICAEW regular updates on these matters.
9.2 In the event of a Personal Data Breach, ICAEW shall at its sole discretion determine whether to provide notification to the Data Subject, any third party or Supervisory Authority and the Processor shall not notify the Data Subject, any third party or Supervisory Authority unless such disclosure by the Processor is required by law or is otherwise approved by ICAEW. ICAEW shall approve all notifications to Data Subjects, third parties or Supervisory Authority which it determines are required or appropriate.
10 Deletion or return of Protected Data and copies
10.1 The Processor shall (and shall ensure that all Sub-Processors and all Processor Personnel shall) immediately (and in any event within 3 days), at ICAEW’s written request, either securely delete or securely return all the Protected Data to ICAEW in such form as ICAEW reasonably requests after the earlier of:
- 10.1.1 the end of the provision of the relevant Services related to processing of such Protected Data; or
- 10.1.2 once processing by the Processor of any Protected Data is no longer required for the purpose of the Processor’s performance of its relevant obligations under this Schedule, and securely delete existing copies (unless storage of any data is required by Applicable Law and, if so, the Processor shall inform ICAEW of any such requirement).
10.2 The Processor shall provide written confirmation to ICAEW of its compliance with clause 10.1.
11 Liability and indemnities
11.1 The Processor shall indemnify and keep indemnified ICAEW in respect of all Data Protection Losses suffered or incurred by, awarded against or agreed to be paid by, ICAEW arising from or in connection with:
- 11.1.1 any breach by the Processor of any of its obligations under clauses 2 to 10 (inclusive); or
- 11.1.2 the Processor (or any person acting on its behalf) acting outside or contrary to the lawful Processing Instructions of ICAEW in respect of the processing of Protected Data.
11.2 This clause 11 is intended to apply to the allocation of liability for Data Protection Losses as between the parties, including with respect to compensation to Data Subjects, notwithstanding any provisions under Data Protection Legislation to the contrary, except:
- 11.2.1 to the extent not permitted by Applicable Law (including Data Protection Legislation); and
- 11.2.2 that it does not affect the liability of either party to any Data Subject.
12.1 Unless otherwise expressly stated in this Agreement:
- 12.1.1 the Processor’s obligations and ICAEW’s rights and remedies under clauses 2 to 11 (inclusive) are cumulative with, and additional to, any other provisions of this Schedule;
- 12.1.2 nothing in the Agreement relieves the Processor of any responsibilities or liabilities under any Data Protection Legislation; and
- 12.1.3 clauses 2 to 11 (inclusive) shall prevail over any other provision of the Agreement in the event of any conflict.