46. Data Protection and GDPR
46.1
Where applicable to the Deliverables, the following Conditions apply and Schedule A (GDPR Schedule of Processing) shall be incorporated into this Contract.
46.2
The Parties acknowledge that for the purposes of Data Protection Legislation, the Council is the Controller and the Contractor is the Processor. The only processing that the Processor is authorised to do is listed in Schedule A by the Controller and may not be determined by the Processor. The term “processing” and any associated terms are to be read in accordance with Article 4 of the UK GDPR.
46.3
The Processor shall notify the Controller immediately if it considers that any of the Controller's instructions infringe Data Protection Legislation.
46.4
The Processor shall provide all reasonable assistance to the Controller in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Controller, include:
46.4.1 a systematic description of the envisaged processing operations and the purpose of the processing,
46.4.2 an assessment of the necessity and proportionality of the processing operations in relation to the Deliverables,
46.4.3 an assessment of the risks to the rights and freedoms of Data Subjects; and
46.4.4 the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data.
46.5
The Processor shall, in relation to any Personal Data processed in connection with its obligations under this Contract:
46.5.1 process that Personal Data only in accordance with Schedule A, unless the Processor is required to do otherwise by Law. If it is so required the Processor shall promptly notify the Controller before processing the Personal Data unless prohibited by Law,
46.5.2 ensure that it has in place Protective Measures which are appropriate to protect against a Data Loss Event, and which the Controller may reasonably reject. If the Controller reasonably rejects Protective Measures put in place by the Processor, the Processor must propose alternative Protective Measures to the satisfaction of the Controller. Failure to reject shall not amount to approval by the Controller of the adequacy of the Protective Measures. Protective Measures must take account of the: (a) nature of the data to be protected; (b) harm that might result from a Data Loss Event; (c) state of technological development; and (d) cost of implementing any measures,
46.5.3 ensure that:
(a) the Processor Personnel do not process Personal Data except in accordance with this Contract (and in particular Schedule A);
(b) it takes all reasonable steps to ensure the reliability and integrity of any Processor Personnel who have access to the Personal Data and ensure that they: (i) are aware of and comply with the Processor’s duties under this Condition; (ii) are subject to appropriate confidentiality undertakings with the Processor or any Sub-processor; (iii) are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Controller or as otherwise permitted by this Contract; (iv) have undergone adequate training in the use, care, protection and handling of Personal Data; and (v) do not transfer Personal Data outside of the UK unless the prior written consent of the Controller has been obtained and the following conditions are fulfilled: (A) the destination country has been recognised as adequate by the UK government in accordance with Article 45 UK GDPR or section 74 of the DPA 2018; (B) the Controller or the Processor has provided appropriate safeguards in relation to the transfer (whether in accordance with UK GDPR Article 46 or section 75 DPA 2018) as determined by the Controller; (C) the Data Subject has enforceable rights and effective legal remedies; and (D) the Processor complies with its obligations under Data Protection Legislation by providing an appropriate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Controller in meeting its obligations); and
(c) it complies with any reasonable instructions notified to it in advance by the Controller with respect to the processing of the Personal Data,
46.5.4 at the written direction of the Controller, delete or return the Personal Data (and any copies of it) to the Controller on termination of the Contract, unless the Processor is required by Law to retain the Personal Data.
46.6
Subject to Condition 46.7, the Processor shall notify the Controller immediately if it:
46.6.1 receives a Data Subject Request (or purported Data Subject Request),
46.6.2 receives a request to rectify, block or erase any Personal Data,
46.6.3 receives any other request, complaint or communication relating to either Party's obligations under Data Protection Legislation,
46.6.4 receives any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data processed under this Contract,
46.6.5 receives a request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or
46.6.6 becomes aware of a Data Loss Event.
46.7
The Processor’s obligation to notify under Condition 46.6 shall include the provision of further information to the Controller as details become available.
46.8
Taking into account the nature of the processing, the Processor shall provide the Controller with full assistance in relation to either Party's obligations under Data Protection Legislation and any complaint, communication or request made under Condition 46.6 (and, insofar as possible, within the timescales reasonably required by the Controller), including but not limited to promptly providing:
46.8.1 the Controller with full details and copies of the complaint, communication or request,
46.8.2 such assistance as is reasonably requested by the Controller to enable the Controller to comply with a Data Subject Request within the relevant timescales set out in Data Protection Legislation,
46.8.3 the Controller, at its request, with any Personal Data it holds in relation to a Data Subject,
46.8.4 assistance as requested by the Controller following any Data Loss Event,
46.8.5 assistance as requested by the Controller with respect to any request from the Information Commissioner’s Office, or any consultation by the Controller with the Information Commissioner's Office.
46.9
The Processor shall maintain complete and accurate records and information to demonstrate its compliance with this Condition. This requirement does not apply where the Processor employs fewer than 250 staff, unless:
46.9.1 the Controller determines that the processing is not occasional,
46.9.2 the Controller determines the processing includes special categories of data as referred to in Article 9(1) of the UK GDPR or Personal Data relating to criminal convictions and offences referred to in Article 10 of the UK GDPR; or
46.9.3 the Controller determines that the processing is likely to result in a risk to the rights and freedoms of Data Subjects.
46.10
The Processor shall allow for audits of its Data Processing activity by the Controller or the Controller’s designated auditor.
46.11
Each Party shall designate its own data protection officer if required by Data Protection Legislation.
46.12
Before allowing any Sub-processor to process any Personal Data related to this Contract, the Processor must: (a) notify the Controller in writing of the intended Sub-processor and processing; (b) obtain the written consent of the Controller; (c) enter into a written agreement with the Sub-processor which gives effect to the terms set out in this Condition 46 such that they apply to the Sub-processor; and (d) provide the Controller with such information regarding the Sub-processor as the Controller may reasonably require.
46.13
The Processor shall remain fully liable for all acts or omissions of any of its Sub-processors.
46.14
The Parties agree to take account of any guidance issued by the Information Commissioner’s Office. The Controller may, on giving the Processor not less than 30 Working Days’ notice, amend this Contract to ensure that it complies with any guidance issued by the Information Commissioner’s Office.