Updated 30th September 2021.
Controller, Processor, Data Subject, Personal Data, Personal Data Breach, processing and appropriate technical and organisational measures: as defined in the Data Protection Legislation.
Data Protection Legislation: all applicable data protection and privacy legislation in force from time to time in the UK including the UK GDPR; the Data Protection Act 2018 (DPA 2018) (and regulations made thereunder) and the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426) as amended and all other legislation and regulatory requirements in force from time to time which apply to a party relating to the use of personal data (including, without limitation, the privacy of electronic communications).
Domestic Law: the law of the United Kingdom or a part of the United Kingdom.
EU GDPR: the General Data Protection Regulation ((EU) 2016/679).
EU Law: the law of the European Union or any member state of the European Union.
UK GDPR: has the meaning given to it in section 3(10) (as supplemented by section 205(4)) of the Data Protection Act 2018.
Both parties will comply with all applicable requirements of the Data Protection Legislation. This Schedule is in addition to, and does not relieve, remove or replace, a party’s obligations or rights under the Data Protection Legislation.
The parties acknowledge that for the purposes of the Data Protection Legislation, the Client is the Controller and the Manager is the Processor. Schedule 4 sets out the scope, nature and purpose of processing by the Manager, the duration of the processing and the types of Personal Data and categories of Data Subject.
Without prejudice to the generality of clause 1.1, the Client will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the Personal Data to the Manager for the duration and purposes of this Agreement.
Without prejudice to the generality of clause 1.1, the Manager shall, in relation to any Personal Data processed in connection with the performance by the Manager of its obligations under this Agreement:
process that Personal Data only on the documented written instructions of the Client which are set out in Schedule 4 unless the Manager is required by Domestic Law to otherwise process that Personal Data. Where the Manager is relying on Domestic Law as the basis for processing Personal Data, the Manager shall promptly notify the Client of this before performing the processing required by the Domestic Law unless the Domestic Law prohibits the Manager from so notifying the Client;
ensure that it has in place appropriate technical and organisational measures, reviewed and approved by the Client, to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymising and encrypting Personal Data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it);
ensure that all personnel who have access to and/or process Personal Data are obliged to keep the Personal Data confidential;
not transfer any Personal Data outside of the UK or EEA unless the prior written consent of the Client has been obtained and the following conditions are fulfilled:
the Client or the Manager has provided appropriate safeguards in relation to the transfer;
the data subject has enforceable rights and effective legal remedies;
the Manager complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred; and
the Manager complies with reasonable instructions notified to it in advance by the Client with respect to the processing of the Personal Data;
assist the Client, at the Client’s cost, in responding to any request from a Data Subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators;
notify the Client without undue delay on becoming aware of a Personal Data Breach;
at the written direction of the Client, delete or return Personal Data and copies thereof to the Client on termination of the agreement unless required by Domestic Law to store the Personal Data; and
maintain complete and accurate records and information to demonstrate its compliance with this Schedule and allow for audits by the Client or the Client’s designated auditor and immediately inform the Client if, in the opinion of the Manager, an instruction infringes the Data Protection Legislation.
The Client does not consent to the Manager appointing any third-party processor of Personal Data under this agreement. OR The Client consents to the Manager appointing [THIRD-PARTY PROCESSOR] as a third-party processor of Personal Data under this agreement. The Manager confirms that it has entered or (as the case may be) will enter with the third-party processor into a written agreement [substantially on that third party’s standard terms of business OR incorporating terms which are substantially similar to those set out in this clause [NUMBER]] and in either case which the Manager [confirms] OR [undertakes] reflect and will continue to reflect the requirements of the Data Protection Legislation. As between the Client and the Manager, the Manager shall remain fully liable for all acts or omissions of any third-party processor appointed by it pursuant to this clause [NUMBER].
Either party may, at any time on not less than 30 days’ notice, revise this Schedule by replacing it with any applicable controller to processor standard clauses or similar terms adopted under the Data Protection Legislation or forming part of an applicable certification scheme (which shall apply when replaced by attachment to this Agreement).
Schedule 4: Processing, Personal Data and Data Subjects
1. Processing by the Manager
1.1 Scope of processing
The Manager will be provided with Personal Data in order to arrange and carry out the work commissioned by the Client.
1.2 Nature of processing
Data is used to conduct the investigation commissioned by the Client.
1.3 Purpose of processing
To facilitate the investigation.
1.4 Duration of the processing
Processing of data will take place in a timely manner. At the conclusion of the investigation, at the point where the Client accepts the final report, the data will be deleted unless it is required to provide ongoing services to the Client.
2. Types of Personal Data
This may include, but is not necessarily limited to, Personal, Business or Financial data, including the Client’s name, residential address, date of birth, copy of passport, driving licence and other documents deemed ‘acceptable documents’ by the Financial Conduct Authority to establish proof of identity and proof of residence. This may also include data regarding other persons involved in the enquiry (not being the Client) who are considered pertinent to the enquiry.
3. Categories of Data Subject
Persons considered pertinent to the enquiry.