Educated Households
1. Definitions
1.1 In this Schedule, the following words shall have the following meanings:
“Act”
Means the Data Protection Act 2018.
“Associate”
Means any corporate or other form of organisation or any individual person with whom the Agency or the Client has an association which does, or could, entail the transfer of personal data for processing.
“ICO”
Means the Information Commissioner’s Office.
“Data Protection Legislation”
means all or any of:
(a) the UK GDPR,
(b) the Act,
(c) regulations made under the Act,
(d) regulations made under section 2(2) of the European Communities Act 1972 which relate to the EU GDPR or the Law Enforcement Directive.
“The UK GDPR”
Means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (United Kingdom General Data Protection Regulation), as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018.
“The EU GDPR”
Means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) as it has effect in EU law.
“Law Enforcement Directive”
Means Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA.
1.2 “Data controller”, “data processor”, “sub-processor”, “data subjects”, “personal data”, “process”, “processed” and “processing” shall have the meanings respectively, as defined in the Act.
1.3 In this agreement, “personal data”, is limited to data which comes into the control of each party in some way connected to this agreement.
2. Data Protection
2.1 The obligations described in this Schedule are in addition to the parties’ obligations under the Data Protection Legislation.
2.2 To enable the Agency to provide the Services under this Agreement, the Client authorises the Agency to process personal data on his/her behalf and vice versa.
2.3 The Agency and the Client agree that personal data may move between the Agency and the Client in such a way that either of the Agency and the Client may be controller of some personal data and processor of others.
2.4 Details of the anticipated processing activities are set out at Appendix 1 to this Schedule.
3. How the Agency and the Client shall process data
Each of the Agency and the Client agrees that the Agency and Client shall at all times comply with the provisions and obligations imposed by the Data Protection Legislation and, in particular, shall:
3.1 Process personal data only to the extent necessary to provide their respective services under this Agreement and only in accordance with prior written instructions of the other (if required);
3.2 Immediately inform the other party if its instruction infringes the Data Protection Legislation;
3.3 Ensure that every person processing personal data under this Agreement does so strictly on a need-to-know basis, has received training on their obligations relating to handling of personal data and is bound by confidentiality obligations no less stringent than our confidentiality obligations under this Agreement;
3.4 In order to use commonly accepted international communications and money transfer protocols, it will be necessary to use sub-contractors for certain service provision. The parties shall not necessarily be aware of the identity of every organisation involved in the train of communications. When that happens, each of the Agency and the Client accepts full responsibility for compliance with the Data Protection Legislation;
3.5 Subject to the exceptions mentioned in the last previous sub-paragraph, the Client will not use subcontractors for personal data processing under this Agreement without prior written consent of the Agency;
3.6 Wherever possible, enter into a written contract with each such sub-processor, which includes the same obligations on the sub-processor as those imposed on each of the Agency and the Client under this Agreement;
3.7 Subject to the other provisions of this Schedule, not process personal data or permit any third party to process personal data outside of the United Kingdom unless:
3.7.1 UK standard contractual clauses approved by the ICO are entered into between the Agency and the Client or relevant Associate as data exporter, and the relevant recipient of the personal data as data importer; or
3.7.2 The recipient of the personal data has entered into a data processing agreement with the data exporter; or
3.7.3 The recipient of the personal data is regulated within the United States of America solely by the U.S. Department of Commerce, is certified under the UK/US Privacy Shield framework, and continues to be certified for the period within which it processes the personal data; or
3.7.4 The recipient of the personal data has entered into binding corporate rules, which are valid in respect of the processing of personal data under this agreement and have been approved by the ICO; or
3.7.5 The transfer is to a recipient located within a jurisdiction whose law relating to the processing of personal data has been approved by the ICO (subject to any applicable restrictions).
3.8 Have in place at all times appropriate technical and organisational measures to ensure a level of security appropriate to the risk presented by processing the personal data, to prevent accidental, unauthorised or unlawful destruction, loss, alteration, or access to personal data, including as a minimum whatever security measures the Agency and the Client requires of each other and notify to that other. Examples of such measures are:
3.8.1 The pseudonymisation and encryption of personal data;
3.8.2 The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; and
3.8.3 A process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of processing;
3.9 Maintain a written record of all categories of processing activities carried out on behalf of the other party and when that other party asks, copy the record to it. The record shall contain:
3.9.1 Name and contact details and (where applicable) those of the Client’s and Agency’s approved sub-processors and details of their respective data protection officers;
3.9.2 The categories of personal data, data subjects and processing activities carried out on behalf of the Agency and the Client or Associates;
3.9.3 Where applicable, transfers of personal data to a third country (i.e. non-EU Member State) or an international organisation, including identification of that third country and documentation evidencing implementation of suitable safeguards; and
3.9.4 A general description of the technical and organisational security measures we have installed, as referred to in section 56 of the Act;
3.10 When the Agency asks, give to the Agency or to the ICO access to the Client’s employees, data processing facilities, procedures and records to inspect and audit compliance with the Data Protection Legislation and the terms of this Agreement. The Agency and the Client agree that each of the Agency and the Client shall (and shall ensure any sub-processor shall) give all reasonable cooperation and assistance.
3.11 Immediately tell the other party (and in any event within 24 hours) after becoming aware of any actual or suspected unlawful destruction, loss, alteration, disclosure of, or access to, personal data transmitted, stored or otherwise processed by the Agency or the Client or any sub-processor under this Agreement;
3.12 Provide reasonable assistance to each other in:
3.12.1 Responding to data subject’s requests to exercise their rights under the Act;
3.12.2 Responding to communications received from the ICO relating to the processing of personal data under this agreement, including notifying the other immediately of any such communication;
3.12.3 Taking measures to address data security incidents, including, where appropriate, measures to mitigate their possible adverse effects;
3.12.4 Promptly upon request, transfer personal data to a third party in compliance with a request from a data subject to exercise their right to data portability;
3.12.5 Making available to the other, on request, all information necessary to demonstrate compliance with the obligations set out in this Schedule.
4. Post Termination
4.1 Upon termination the Agency, the Client and any sub-processor shall:
4.1.1 Physically destroy all copies of media upon which any personal data was supplied and any further copies;
4.1.2 Delete all personal data stored in soft copy, by some method which prevents future re-activation of that data.
4.2 Where either the Agency or the Client, or its processor or sub-processor, is required to retain personal data in order to comply with applicable law, that party will tell the other party and will retain such personal data only in the capacity set out in this Schedule and shall comply with the obligations as far as applicable law permits.
5. Warranty and Acceptance of Liability
5.1 Each party represents and warrants that the information provided in any response to any request by the other shall be complete, true and accurate, and will not misrepresent its business or practices in respect of its ability to comply with the Data Protection Legislation and its obligations under this Agreement.
5.2 If any act or omission of a party or its processors or sub-processors results in data transmitted or processed under this Agreement being lost or degraded so as to be unusable, then that party shall be liable to the other for the cost of reconstituting the data and/or its and its Associates’ costs in recreating such data.
6. Complaints and queries
6.1 Should you have any complaints, queries or observations about our Privacy Notice and procedures featured on it, please contact Educated Households’ appointed Data Controller at: info@educated-households.co.uk.
6.2 You also have the right to complain about the way your personal data is handled by contacting the Information Commissioner’s Office: https://ico.org.uk/make-a-complaint/
For further information:
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AK
Telephone: 0303 123 1113.
(“Schedule 2”: Data Protection Act 2018 Compliance)
Data Processing Activities
What either party may process in each category:
1. The Agency and the Client shall process this basic personal data
1.1 Applicant’s name, age, personal address, private email address.
1.2 All information the Applicant gave to the Agency.
1.3 Any CV, resume, profile, application form and registration form.
1.4 Financial information processed through the banking system.
1.5 Information supplied by a third party, for example, a reference from a former employer or other source relevant to Applicant’s work.
1.6 Information relevant to the performance of Applicant’s service contract.
1.7 So far as relevant, information relating to discharge of obligations laid down by law or by collective agreements; management, planning and organisation of work; equality and diversity in the workplace; health and safety at work.
1.8 Technical information relating to electronic communication, which is personal information only when associated with the name or identity of the data subject.
2. Processing the data of these data subjects
Data of the Applicant and any other personal data, so far as that data is required in order to satisfy the Agency’s and the Client’s obligations under the Data Protection Legislation and comply with this contract.
3. This is why and how the Agency and the Client shall process personal data
Processing of personal data will be limited to such activity as is reasonably required to satisfy obligations under this contract.
4. Retention Period
4.1 Each of the Agency and the Client shall retain personal data, along with much other data, for the time required for legal purposes and, in the case of the Agency, for 6 years, for these reasons:
4.1.1 For accounting and taxation purposes;
4.1.2 To provide evidence if required in connection with a legal claim;
4.1.3 For any other reason where the law provides a six-year limitation period.
4.2 If any event occurs which requires the Agency and the Client lawfully to continue to retain data beyond that period, then it may do so.