By you (“Supplier“) continuing to supply goods or services to MAP Trading Limited (“Customer”) in accordance with the terms and conditions of sale or purchase in place between Supplier and Customer from time to time (‘Business Dealings’), Supplier hereby agrees to comply with the following obligations in respect of the Processing of Personal Information (as defined below) to the extent that such Processing Personal Information occurs as part of the Business Dealings.
“Personal Information” means Personal Data which is provided or otherwise made available to the Supplier by or on behalf of the Customer in connection with the provision of goods or services as part of the Business Dealings
“Processing” has the meaning given under the Regulation (and “Process“, “Processed” and “Processes” shall be construed accordingly)
“Controller“, “Processor“, “Personal Data” and “Data Subject” have the meanings given under the Regulation
“Data Privacy Laws” means all laws that relate to data protection, privacy, the use of information relating to individuals, and/or the information rights of individuals including, without limitation, the Data Protection Act 1998, the European Commission Directive 95/46/EC and the Regulation, and all laws implementing them, in each case as may be replaced, extended or amended, as well as all applicable formal or informal guidance, rules, requirements, directions, guidelines, recommendations, advice, codes of practice, policies, measures or publications of the Information Commissioner’s Office, other relevant regulator, and/or relevant industry body, in each case in any relevant jurisdiction(s)
“Regulation” means the General Data Protection Regulation (EU) 2016/679
“Supplier Personnel” means all staff, contractors, employees, agents, sub-contractors and sub-processors of the Supplier.
2 DATA PROTECTION
2.1 The parties agree that:
(a) the Customer is the Controller and the Supplier is the Processor to the extent that Personal Information is Processed in connection with the Business Dealings; and
(b) Personal Information shall be treated as confidential information of the Customer for the purposes of the Business Dealings.
2.2 The Supplier shall, and shall procure that its sub-processors shall, comply with all Data Privacy Laws in connection with the Business Dealings.
2.3 The Supplier acknowledges that the Customer shall solely be responsible for determining the purpose(s) for which and the manner in which Personal Information is Processed.
3 PROCESSING OBLIGATIONS
3.1 The Supplier shall, and shall procure that the Supplier Personnel shall, at no additional cost to the Customer:
(a) only Process Personal Information for the purposes of the Business Dealings and the express instructions of the Customer from time to time and not use Personal Information for its own purposes;
(b) except to the extent required by Data Privacy Laws, return or delete, at the Customer’s sole discretion, all Personal Information upon the termination of the Processing carried out for the purposes of the Business Dealings, and promptly provide the Customer with confirmation in writing that it has done so;
(c) at the request of the Customer, promptly make available to the Customer and the Information Commissioner’s Office or any other relevant regulator (“ICO“) all information necessary to demonstrate the Supplier’s compliance with Data Privacy Laws;
(d) maintain a record of all categories of Processing it undertakes for the purposes of the Business Dealings and provide a copy of such record to the Customer for inspection on demand;
(e) maintain a record of all Data Breaches and provide a copy of such record to the Customer for inspection on demand;
(f) provide the Customer with a copy of any or all Personal Information processed for the purposes of the Business Dealings on demand, in a format requested by the Customer;
(g) make all reasonable efforts to ensure that the Personal Information is accurate and up-to-date at all times;
(h) not keep Personal Information for longer than is necessary for the purposes of the Business Dealings and in accordance with the Customer’s instructions, so as to comply with the principle of data minimisation; and
(i) promptly cease Processing the Personal Information, if so requested by the Customer.
3.2 If the Supplier believes that the Customer’s instructions conflict with the requirements of Data Privacy Laws, the Supplier must immediately inform the Customer in writing.
3.3 The Supplier shall ensure that all Supplier Personnel who are engaged in Processing Personal Information shall have agreed in writing to obligations of confidentiality no less onerous than those to which the Supplier is bound under the terms of the Business Dealings.
4 SECURITY, TECHNICAL & ORGANISATIONAL MEASURES
4.1 The Supplier shall, having regard to the state of technological development, take all appropriate technical, security, and organisational measures necessary or desirable to ensure that Personal Information is protected against loss, destruction and damage, and against unauthorised access, use, removal, copying, modification, disclosure or other misuse.
4.2 The Supplier shall not make any material changes the security, technical and organisational measures used by the Supplier pursuant to clause 4.1 without the Customer’s prior written consent.
4.3 No later than 5 business days following a request from the Customer, the Supplier shall provide a written description of the measures in place pursuant to this clause 4.
4.4 The Supplier shall assist the Customer by implementing appropriate technical and organisational measures to enable the Customer to respond to requests from Data Subjects exercising their rights under the Data Privacy Laws (including but not limited to the right to access, or to cease or not begin Processing, rectify, block, erase, destroy or object to the Processing of Personal Data) (each a “Data Subject Request“).
5 COMPLIANCE WITH DATA PRIVACY LAWS
5.1 The Supplier shall:
(a) comply with all Data Privacy Laws;
(b) not cause the Customer to be in breach of the Data Privacy Laws and shall use all reasonable endeavours to assist the Customer to comply with any obligations imposed on the Customer by the Data Privacy Laws;
(c) provide the Customer with reasonable assistance in complying with Data Subject Requests, communicating with or obtaining approvals from the ICO in relation to the Processing of Personal Information (“ICO Correspondence“);
(d) promptly, and in any event within 24 hours of receipt of any request or correspondence, inform the Customer about the receipt of any Data Subject Requests or ICO Correspondence; and
(e) not disclose any Personal Information in response to any Data Subject Request or ICO Correspondence, or respond in any way to such a request without first consulting with, and obtaining the consent of, the Customer.
5.2 The Supplier will (and will ensure that its Supplier Personnel will) promptly (but in all cases within 24 hours) notify the Customer, if the Supplier (or Supplier Personnel as the case may be):
(a) becomes aware that a disclosure of Personal Information may be required under Data Privacy Laws;
(b) receives a complaint relating to the Customer’s obligations under the Data Privacy Laws; or
(c) becomes aware of a breach of clauses 1 to 9.
5.3 The Supplier will co-operate with the Customer (at no additional cost to the Customer) in promptly investigating and dealing with any complaint or request under this clause 5 in order to ensure that the relevant individual’s rights under the Data Privacy Laws are satisfied.
6 TRANSFERS OF PERSONAL INFORMATION OUTSIDE OF THE UK
6.1 The Supplier shall not transfer Personal Information which has been obtained by or made available to the Supplier to any country outside the United Kingdom (“UK“) without the prior written consent of the Customer, such consent may be subject to and given on such terms as the Customer may in its absolute discretion prescribe.
6.2 In the event that the Customer consents to the transfer of Personal Information from the Supplier to a country outside of the UK the Supplier shall comply with the following additional provisions:
(a) the Supplier shall confirm in writing:
(i) the Personal Information which will be transferred to and/or Processed in outside of the UK;
(ii) any sub-processors or other third parties who will be processing and/or receiving Personal Information outside of the UK;
(iii) how the Supplier will ensure an adequate level of protection and adequate safeguards in respect of the Personal Information that will be processed in and/or transferred outside of the UK so as to ensure the Customer’s compliance with the Data Privacy Laws;
(b) the Supplier shall comply with such other instructions and shall carry out such other actions as the Customer may notify in writing, including:
(i) incorporating standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the Data Privacy Laws) into the terms of the Business Dealings or a separate data processing agreement between the Parties; and
(ii) procuring that any sub-processor or other third party who will be processing and/or receiving or accessing the Personal Information outside of the UK either enters into a direct data processing agreement with the Customer on such terms as may be required by the Customer; or a data processing agreement with the Supplier on terms which are equivalent to those agreed between the Customer and the Supplier relating to the relevant Personal Information transfer.
7 DATA BREACHES
In the case of an unauthorised loss, corruption, damage, destruction, alteration, disclosure or access to any Personal Information, any unauthorised or unlawful processing of Personal Information or any breach of the Data Privacy Laws (each a “Data Breach“), or any action that causes or could reasonably be deemed to cause a Data Breach, the Supplier shall at the earliest opportunity notify the Customer and in any event no later than 24 hours after the Data Breach.
8.1 The Supplier shall, during the term of the Business Dealings permit without charge, access by the Customer to all records, files, tapes, computer systems, or any other information howsoever held by the Supplier in respect of the Supplier’s activities relating to the Business Dealings, for the purposes of reviewing compliance with the Data Privacy Laws; and provide without charge all reasonable assistance to the Customer in complying with any direction, requirement or request made by the ICO to do or not to do any act, or to provide any information in respect of any obligation of the Supplier under the terms of the Business Dealings, including, where necessary, giving the ICO (including its representatives or appointees) reasonable access to any records, files, tapes, computer systems, or any other information howsoever held.
8.2 The Supplier agrees that the Customer may appoint a third party independent auditor to audit the Supplier’s compliance with clauses 1 to 9and the Data Privacy Laws and to determine the accuracy and completeness of the statements and records submitted by the Supplier under the Business Dealings.
9 APPOINTMENT OF SUB-PROCESSORS
9.1 Any appointment of a sub-contractor or sub-processor by the Supplier under the Business Dealings is subject to the Customer’s prior written consent and the fulfilment of the following conditions:
(a) the Supplier having provided the Customer with full details of the sub-processor (including the results of the due diligence undertaken) before its appointment and having procured the Customer’s prior written consent to such appointment;
(b) the Supplier having undertaken thorough due diligence on the proposed sub-processor, including a risk assessment of the information governance related practices and processes of the sub-processor, and the Supplier having paid due regard to the results of that due diligence in reaching its decision to appoint the proposed sub-processor; and
(c) the Supplier having duly executed an agreement with the relevant sub-processor which includes data processing provisions that are equivalent to those in this Supplier Agreement and to which the Customer is named as a third party beneficiary.
9.2 The Supplier shall not disclose Personal Information to a third party in any circumstances other than to a sub-processor appointed in accordance with this clause 9 or as expressly authorised in advance in writing by the Customer.
9.3 The Supplier shall remain liable for the Processing activities of such sub-processor.
10 SURVIVAL OF TERMS
The provisions of clauses 1 to 9 above will survive termination or expiry of the Business Dealings.