GDPR and Data Protection Policy
Applicable Data Protection Laws means:
- a. To the extent the UK GDPR applies, the law of the United Kingdom or of a part of the United Kingdom which relates to the protection of personal data.
- b. To the extent the EU GDPR applies, the law of the European Union or any member state of the European Union to which the Supplier is subject, which relates to the protection of personal data.
For the purposes of this policy, the terms controller, processor, data subject, personal data, personal data breach and processing shall have the meaning given to them in the UK GDPR.
Both Parties will comply with all applicable requirements of the Applicable Data Protection Laws. This policy is in addition to, and does not relieve, remove or replace, a Party’s obligations or rights under Applicable Data Protection Laws.
The Parties have determined that for the purposes of Applicable Data Protection Laws:
- the Supplier shall process the personal data as set out in paragraph 1 of the Schedule (bottom of this page) as processor on behalf of the Client; and
- the Supplier shall act as controller of the personal data set out in paragraph 1 of the Schedule (bottom of this page).
Should the determination in Section 4 change, the Parties shall use all reasonable endeavours to make any changes that are necessary to this policy.
Without prejudice to Section 3, the Client will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the Supplier Personal Data and Client Personal Data to the Supplier and lawful collection of the same by the Supplier for the duration and purposes of the Contract.
In relation to the Client Personal Data, the Schedule (bottom of this page) sets out the scope, nature and purpose of processing by the Supplier, the duration of the processing and the types of personal data and categories of data subject.
Without prejudice to Section 3, the Supplier shall, in relation to Client Personal data:
- process that Client Personal Data only on the documented instructions of the Client, which shall be to process the Client Personal Data for the purposes set out in the Schedule (bottom of this page) unless the Supplier is required by Applicable Laws to otherwise process that Client Personal Data (Purpose). Where the Supplier is relying on Applicable Laws as the basis for processing Client Personal Data, the Supplier shall notify the Client of this before performing the processing required by the Applicable Laws unless those Applicable Laws prohibit the Supplier from so notifying the Client on important grounds of public interest. The Supplier shall inform the Client if, in the opinion of the Supplier, the instructions of the Client infringe Applicable Data Protection Laws;
- implement the technical and organisational measures set out in the Schedule (bottom of this page) to protect against unauthorised or unlawful processing of Client Personal Data and against accidental loss or destruction of, or damage to, Client Personal Data, which the Client has reviewed and confirms are appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures;
- warrant that:
- it has in place and shall maintain appropriate technical and organisational measures to inspect the Supplier’s products for the presence of any malicious code, commands, instructions, programs or other internal components (e.g. a computer “virus”, computer “worm”, computer “time bomb”, “Trojan horse”, “back door”, or malware) or any blended or convergent combination thereof; and
- it shall not introduce into any computer equipment of the Client any computer virus or harmful or malicious or hidden program or data locks, time bombs including without limitation, any hardware or software device or code which shall compromise data security or prevent the Client from accessing or using the Services or any part of it, nor restrict, disable, damage, destroy or otherwise impair the operation of any of the Client’s computer equipment or systems;
- maintain security procedures designed to protect Client Data from unauthorised access, use and disclosure. The Supplier must have in place information security programs designed to ensure the security and confidentiality of the Client Data, to protect against any anticipated threats or hazards to the security or integrity of the Data and to protect against unauthorised access to or use of such Data. Such controls include but are not limited to building and maintaining a secure network, protecting stored Data and encrypting transmission of Data, maintaining a vulnerability management program, implementing strong access control measures, regularly monitoring and testing networks (including third party quarterly vulnerability tests and annual penetration tests), and maintaining a written information security policy. The Supplier’s security program must be compliant with recognised information security standards such as ISO 27001, SOC 2 or SOC 3, and such program must be assessed annually by a qualified third party. This includes, but is not limited to, the following:
- Upon request, Supplier will provide such certifications, test results, reports or assessments to the Client. Supplier must address vulnerabilities within a reasonable timeframe.
- Supplier must keep its software and systems relevant and necessary for the performance of this Contract reasonably up to date. Unsupported or deprecated applications, protocols, or operating systems must be removed from the service in a timely manner. At no point will Supplier require the Client to use an unsupported, deprecated, or insecure application or protocol under this Contract.
- Supplier must implement physical security controls to prevent unauthorized entry to its facility and access to systems. Supplier must ensure that access is controlled with badge readers or other systems or devices, including authorized lock and key.
- Supplier will participate and cooperate with any vendor management performed by the Client, including onsite reviews, questionnaires, and requests for documents and policies and procedures.
- ensure that any personnel engaged and authorised by the Supplier to process Client Personal Data have committed themselves to confidentiality or are under an appropriate statutory or common law obligation of confidentiality;
- assist the Client insofar as this is possible (taking into account the nature of the processing and the information available to the Supplier), and at the Client’s cost and written request, in responding to any request from a data subject and in ensuring the Client’s compliance with its obligations under Applicable Data Protection Laws with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators;
- notify the Client without undue delay on becoming aware of a personal data breach involving the Client Personal Data;
- at the written direction of the Client, delete or return Client Personal Data and copies thereof to the Client on termination of the agreement unless the Supplier is required by Applicable Law to continue to process that Client Personal Data. For the purposes of this Section 8 main bullet 6, Client Personal Data shall be considered deleted where it is put beyond further use by the Supplier; and
- maintain records to demonstrate its compliance with this policy.
The Client provides its prior, general authorisation for the Supplier to:
- appoint processors to process the Client Personal Data, provided that the Supplier:
- shall ensure that the terms on which it appoints such processors comply with Applicable Data Protection Laws, and are consistent with the obligations imposed on the Supplier in this clause 7;
- shall remain responsible for the acts and omissions of any such processor as if they were the acts and omissions of the Supplier; and
- shall inform the Client of any intended changes concerning the addition or replacement of the processors, thereby giving the Client the opportunity to object to such changes provided that if the Client objects to the changes and cannot demonstrate, to the Supplier’s reasonable satisfaction, that the objection is due to an actual or likely breach of Applicable Data Protection Law, the Client shall indemnify the Supplier for any losses, damages, costs (including legal fees) and expenses suffered by the Supplier in accommodating the objection.
- transfer Client Personal Data outside of the UK as required for the Purpose, provided that the Supplier shall ensure that all such transfers are effected in accordance with Applicable Data Protection Laws. For these purposes, the Client shall promptly comply with any reasonable request of the Supplier, including any request to enter into standard data protection clauses adopted by the EU Commission from time to time (where the EU GDPR applies to the transfer) or adopted by the Commissioner from time to time (where the UK GDPR applies to the transfer).
Either Party may, at any time on not less than 30 days’ notice, revise this clause 7 by replacing it with any applicable controller to processor standard clauses or similar terms forming part of an applicable certification scheme (which shall apply when replaced by attachment to the Contract).
Schedule: Processing, Personal Data and Data Subjects
1) Parties’ roles
Where the Supplier acts as a processor: Processing the personal data of the Client’s employees, contractors and other workers in relation to the travel management and consultancy services provided to the Client.
Where the Supplier acts as a controller: Processing the personal data related to the main contact(s) at the Client who will liaise with the Supplier regarding the provision of Services, management of the relationship and administration of the Contract.
2) Particulars of processing
Scope: Supplier shall process the personal data for the purpose of providing travel management and consultancy services and related support services to the Client.
Nature: the processing of personal data in relation to the employees, contractors and other workers of the Client by the collection, storage and use of the personal data to provide the Services to the Client. This will also include sharing personal data with third parties who provide services to the Supplier which supplement the Services provided to the Client.
Purpose of processing: to provide travel management and consultancy services and related support services.
Duration of the processing: for as long as the data subject is employed or engaged by the Client.
Types of personal data: includes (but is not limited to) title; full name (including any middle name(s)); date of birth; nationality; business telephone numbers (landline and mobile); and business email address.
Categories of data subject: employees, contractors and other workers of the Client.
3) Technical and organisational measures