The General Data Protection Regulation (‘GDPR’) imposes mandatory contractual obligations on the relationship between Data Controller and Data Processor. These are required to be incorporated into any contract between these parties for the contract and the processing to be and remain GDPR compliant.
This Addendum will be contractually applicable to the provision of your services and incorporates the required GDPR provisions. It takes priority over your existing agreements with us.
This Addendum also applies to how we use your Personal Data while you remain a customer and includes details about the data we store and the steps we take in securing the information.
As the Data Controller for data you provide us with, you shall:
We may sub-contract our duties or obligations arising under this Addendum without the prior written consent of the Data Controller. Details regarding any (if any) sub-contracting relationships will be supplied to the Data Controller as reasonably required.
As the Data Processor of data you provide us with, we shall:
Regarding transfers of Personal Data to a third party or an international organisation, such shall only be undertaken on the instruction of the Data Controller, save where the Data Processor is required to do so by law, in which case, the Data Processor shall inform the Data Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.
Our use of your Personal Data will always have a lawful basis, either because it is necessary for our performance of a contract with you, because you have consented to our use of your Personal Data (e.g. by subscribing to emails), or because it is in our legitimate interests.
All Personal Data is processed and stored with reasonable security, for no longer than is necessary in light of the reason(s) for which it was first collected. We will comply with our obligations and safeguard your rights under the GDPR at all times.
We may have to share your Personal Data with the parties set out below:
We require all third parties to whom we transfer your data to respect the security of your Personal Data and to treat it in accordance with the law. We only allow such third parties to process your Personal Data for specified purposes and in accordance with our instructions.
Some or all of your data may be stored outside of the European Economic Area (“the EEA”). The EEA consists of all EU member states, plus Norway, Iceland, and Liechtenstein. You are deemed to accept and agree to this by using our site and submitting information to us. If we do store data outside the EEA, we will take all reasonable steps to ensure that your data is treated as safely and securely as it would be within the UK under the GDPR legislation.
Personal Data means any information capable of identifying an individual. It does not include anonymised data.
With your permission and/or where permitted by law, we may also use your data for marketing purposes which may include contacting you by email, telephone and post with information, news and offers on our products and services. We will not, however, send you any unsolicited marketing or spam and will take all reasonable steps to ensure that we fully protect your rights and comply with our obligations under the GDPR and the Privacy and Electronic Communications (EC Directive) Regulations 2003.
Under the Privacy and Electronic Communications Regulations, we may send you marketing communications from us if (i) you made a purchase or asked for information from us about our services or (ii) you agreed to receive marketing communications, and in each case you have not opted out of receiving such communications since. Under these regulations, if you are a limited company, we may send you marketing emails without your consent. However, you can still opt out of receiving marketing emails from us at any time.
You can ask us or third parties to stop sending you marketing messages at any time by following the opt-out links on any marketing message sent to you or by emailing us at ‘[email protected]’.
If you opt out of receiving marketing communications this opt-out does not apply to Personal Data provided as a result of other transactions, such as purchases etc.
We will only retain your Personal Data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. When deciding how long to keep the data, we look at its amount, nature and sensitivity, the potential risk of harm from unauthorised use or disclosure, the processing purposes and whether these can be achieved by other means, and legal requirements.
For tax purposes, the law requires us to keep basic information about our customers (including Contact, Identity, Financial and Transaction Data) for six years after they stop being customers.
In some circumstances, we may anonymise your Personal Data for research or statistical purposes, in which case, we may use this information indefinitely without further notice to you.
Notwithstanding any other provision of this Addendum, the Parties warrant that, upon receipt of Personal Data, each shall duly observe all its obligations as a Data Controller and/or Data Processor under the Data Protection Act (“DPA”) and the GDPR, which arise in connection with the Processing and the performance of its respective rights and obligations under this Addendum.
The provisions of this Addendum are expressly agreed by the Parties to survive any termination of this Addendum, howsoever arising. This Addendum shall be governed by the laws of Wales and the Parties hereby submit to the exclusive jurisdiction of the English Courts.