Customer Terms and Conditions Privacy Policy Addendum

1 What does this Addendum cover?

The General Data Protection Regulation (’GDPR’) imposes mandatory contractual obligations on the relationship between Data Controller and Data Processor. These are required to be incorporated into any contract between these parties for the contract and the processing to be and remain GDPR compliant.

This Addendum is contractually applicable to the provision of your services and incorporates the required GDPR provisions; it takes priority over your existing agreements with us.

This Addendum also applies to how we use your Personal Data while you remain a customer and includes details about the data we store and the steps we take in securing the information.

2 Data Controller’s Obligations

As the Data Controller for data you provide us with, you shall:

  • Be solely responsible for determining the means and the purpose of the processing.
  • Ensure that you implement appropriate policies to inform the Data Subjects of the purpose for collecting and processing the Personal Data, the Data Subject’s rights in relation to GDPR and shall ensure that such policy and information as required by GDPR is available to the Data Subject prior to collecting the Personal Data.
  • Implement appropriate technical and organisational measures for ensuring that, by default, only Personal Data which are necessary for the specific purpose of the processing are processed. This applies to the amount of Personal Data collected, the extent of the processing, the storage period and accessibility.
  • Ensure that you have in place such systems and processes to support your obligations under Article 32-36 of the GDPR.
  • Assess and implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk to the Data Subjects represented by the processing, including as appropriate:
    • The pseudonymisation and/or encryption of Personal Data.
    • The ability to ensure the on-going confidentiality, integrity, availability and resilience of processing systems and services.
    • The ability to restore the availability of and access to Personal Data in a timely manner in the event of a physical or technical incident.
    • A process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the Processing.

3 Data Processor’s Obligations

We may sub-contract our duties or obligations arising under this Addendum without the prior written consent of the Data Controller. Details of any sub-contracting relationships will be supplied to the Data Controller as reasonably required.

As the Data Processor of data you provide us with, we shall:

  • Only process the Personal Data in accordance with the terms of this Addendum or any further documented instructions from the Data Controller and solely in relation to the performance thereof. If in the reasonable opinion of the Data Processor any such term or instruction infringes the GDPR the Data Processor shall immediately inform the Data Controller of such infringement and may suspend its processing.
  • Ensure that persons employed to process the Personal Data have been required to commit themselves in writing, via an employment agreement or some other contractual document, to confidentiality, or are under an appropriate statutory obligation of confidentiality.
  • Assess and implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk to the Data Subject represented by the processing.
  • The Data Processor shall, taking into account the nature of the processing, assist the Data Controller by appropriate technical and organisational measures, insofar as this is possible, to enable the fulfilment of the Data Controller’s obligation to respond to requests for exercising the Data Subject’s rights laid down in Chapter III of the GDPR.
  • The Data Processor shall assist the Data Controller in the compliance of its obligations pursuant to Article 32-36 of the GDPR.
  • The Data Processor shall, at the choice of the Data Controller, delete or return all the Personal Data to the Data Controller after the end of the provision of the Services, and delete existing copies unless copies of the Personal Data need to be retained for compliance with the Data Processor’s statutory obligations.
  • The Data Processor shall make available to the Data Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and allow for and, if requested, contribute to audits, including inspections, conducted by the Data Controller or another auditor mandated by the Data Controller.
  • The Data Processor must keep compilable electronic records, such as raw emails, of its processing activities performed on behalf of the Data Controller, including:
    • The details of the Data Controller/ Data Processor and any representatives, sub-processors and data protection officers.
    • The categories of processing activities performed.
    • Information regarding cross-border data transfers, if any.
    • A description of the technical and organisational security measures implemented in respect of the processed data.
  • The Data Processor must notify any Data Breach to the Data Controller (using the Data Protection Officer contact details) as soon as possible after it becomes aware of the same. Such notice can be given verbally but must be followed up in writing within a reasonable time with the following details: the nature of the Personal Data breach including, where possible, the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned.

Transfers of Personal Data to a third party or an international organisation shall only be undertaken on the instruction of the Data Controller, save where the Data Processor is required to do so by law, in which case the Data Processor shall inform the Data Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.

4 How do we use your data?

Our use of your Personal Data will always have a lawful basis, either because it is necessary for our performance of a contract with you, because you have consented to our use of your Personal Data (e.g. by subscribing to emails), or because it is in our legitimate interests.

All Personal Data is processed and stored reasonably securely, for no longer than is necessary in light of the reason(s) for which it was first collected. We will comply with our obligations and safeguard your rights under the GDPR at all times.

We may have to share your Personal Data with the parties set out below:

  • Other companies in our group who provide services to us.
  • Service providers who provide IT and system administration services.
  • Professional advisers including lawyers, bankers, HR advisors, auditors and insurers.
  • Government bodies that require us to report processing activities.
  • Third parties to whom we sell, transfer, or merge parts of our business or our assets.

We require all third parties to whom we transfer your data to respect the security of your Personal Data and to treat it in accordance with the law. We only allow such third parties to process your Personal Data for specified purposes and in accordance with our instructions.

Some or all of your data may be stored outside of the European Economic Area ("the EEA"; the EEA consists of all EU member states, plus Norway, Iceland, and Liechtenstein). You are deemed to accept and agree to this by using our site and submitting information to us. If we do store data outside the EEA, we will take all reasonable steps to ensure that your data is treated as safely and securely as it would be within the UK under the GDPR legislation.

Personal Data means any information capable of identifying an individual. It does not include anonymised data.

5 Marketing Communications

With your permission and/or where permitted by law, we may also use your data for marketing purposes which may include contacting you by email, telephone and post with information, news and offers on our products and services. We will not, however, send you any unsolicited marketing or spam and will take all reasonable steps to ensure that we fully protect your rights and comply with our obligations under the GDPR and the Privacy and Electronic Communications (EC Directive) Regulations 2003.

Under the Privacy and Electronic Communications Regulations, we may send you marketing communications from us if (i) you made a purchase or asked for information from us about our services or (ii) you agreed to receive marketing communications and in each case you have not opted out of receiving such communications since. Under these regulations, if you are a limited company, we may send you marketing emails without your consent. However you can still opt out of receiving marketing emails from us at any time.

You can ask us or third parties to stop sending you marketing messages at any time by following the opt-out links on any marketing message sent to you, or by emailing us at '[email protected]'.

If you opt out of receiving marketing communications this opt-out does not apply to Personal Data provided as a result of other transactions, such as purchases etc.

6 Data Retention

We will only retain your Personal Data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. When deciding the correct period to keep the data for, we consider its amount, nature and sensitivity, the potential risk of harm from unauthorised use or disclosure, the processing purposes and whether these can be achieved by other means, and legal requirements.

For tax purposes, the law requires us to keep basic information about our customers (including Contact, Identity, Financial and Transaction Data) for six years after they stop being customers.

In some circumstances, we may anonymise your Personal Data for research or statistical purposes, in which case, we may use this information indefinitely without further notice to you.

7 Data Protection Warranties and Survival

Notwithstanding any other provision of this Addendum, the Parties warrant that, upon receipt of Personal Data, each shall duly observe all its obligations as a Data Controller and/or Data Processor under the Data Protection Act (“DPA”) and the GDPR, which arise in connection with the Processing and the performance of its respective rights and obligations under this Addendum.

The provisions of this Addendum are expressly agreed by the Parties to survive any termination of this Addendum, howsoever arising. This Addendum shall be governed by the laws of Wales and the parties hereby submit to the exclusive jurisdiction of the English Courts.