New Contractual Commitments for the General Data Protection Regulation
 
GDPR places certain obligations on Civil & Corporate Security Ltd as a data processor including the requirement for a Data Sharing Agreement where we share personal data with a Data Processor.  This agreement should set out the guiding principles and standards for sharing data between the parties, including the purposes for sharing of data. 
 
Based on the services that our company provides to our clients, it is important for us to meet our own obligations as a Data Processor under the GDPR.
 
Because our processing involves data or information that identifies an individual (e.g. name, email, address, phone, etc.), that data is considered personal data under the GDPR. One of the changes that the new Regulation will deliver is a new statutory obligation for data security that data processors must observe, above and beyond contractual duties agreed with data controller customers.
 
We therefore include our Processor Terms for your review.
 

 

Addressing Article 28 GDPR (Processor Terms)

 

This Data Protection Addendum forms part of the Contractual Agreement between the following parties:

 

• Civil & Corporate Security Ltd.

60 High Street, Amersham, HP7 0DS
  
In consideration of the mutual obligations set out herein, the parties hereby agree that the terms and conditions set out below shall be added as an Addendum to the Contractual Agreement. Except where the context requires otherwise, references in this Addendum to the Contractual Agreement are to the Contractual Agreement as amended by, and including, this Addendum.
 
 

1. 1. In this Agreement the expressions set out in Annex 3 shall have the meanings set out in Annex 3 unless the context otherwise requires:
   2.  
2. Scope of the Agreement
   1. The DPA forms part of the written or electronic agreement document between Civil & Corporate Security Ltd and yourself detailing the Services agreed and is to reflect the parties’ agreement regarding the Processing of Personal Data.
   2.  
   3. Civil & Corporate Security Ltd acknowledges that The Client shall solely be responsible for the following decisions and determinations:
      • the purpose(s) for which and the manner in which the Personal Data will be Processed or used;
      • what Personal Data to collect and the legal basis for doing so;
      • which items (or content) of Personal Data to collect;
      • which individuals to collect Personal Data about;
      • whether to disclose the Personal Data, and if so, who to;
      • whether subject access and other individuals' rights apply including the application of any exemptions;
      • how long to retain the Personal Data; and
      • whether to make non-routine amendments to the Personal Data.
      •  
3. THE CLIENT’S Obligations as the DataController
4.  
   1. The Client warrants that the Personal Data
   2.  
5. CIVIL & CORPORATE SECURITY LTD’S Obligations as Data Processor
6.  
   1. • All Processing undertaken by the Civil & Corporate Security Ltd of personal data provided by The Client must be in accordance with instructions provided by The Client. When requested by The Client, Civil & Corporate Security Ltd shall demonstrate and/or document that it complies with the requirements of the Data Privacy Laws.
      •  
      • Civil & Corporate Security Ltd must ensure that its employees comply with this Agreement and limit the access of personal data to its employees and affiliates for whom access to the data is necessary in order to fulfil its contractual obligations. Civil & Corporate Security Ltd must ensure that employees authorised to process any personal data have committed themselves to confidentiality or are under appropriate statutory obligations of confidentiality.
      •  
      • Civil & Corporate Security Ltd shall:
        • only Process Personal Data on behalf of The Client in accordance with the Data Privacy Laws;
        • provide The Client or any relevant regulator with a copy of all Personal Data on demand;
        • make all reasonable efforts to ensure that the Personal Data is accurate and up-to-date at all times;
        • not keep Personal Data for longer than is necessary in accordance with The Client’s instructions so as to comply with the principle of data minimisation.
        •  
        • Not, by its act or omission, cause The Client to be in breach of the Data Privacy Laws and shall use all reasonable endeavours to assist The Client to comply with any obligations imposed on The Client by the Data Privacy Laws;
        •  
        • comply with any requests by Data Subjects to exercise their rights under the Data Privacy Laws (including but not limited to their rights to access, or to cease or not begin processing, rectify, block, erase, destroy or object to the processing of their personal data, each a Data Subject Request);
        •  
        • ensure that the Personal Data is deleted or corrected if it is incorrect (or, The Client does not agree that it is incorrect, to have recorded the fact that the relevant person considers the Personal Data to be incorrect within 5 (five) days' of being requested to do so by The Client; and/or
        • communicate with or obtain the approval of the Information Commissioner's Office (ICO) in relation to the Processing of Personal Data where necessary;
        • if requested, provide a copy to The Client of a Data Subject's Personal Data in a machine readable portable format promptly, and in any event within twenty-four (24) hours of receipt of any request or correspondence, inform The Client about the receipt of any Data Subject Requests or any correspondence received from any Supervisory Authority (“ICO Correspondence”);
        • not disclose any Personal Data in response to any Data Subject Request or ICO Correspondence, or respond in any way to such a request without first consulting with, and obtaining the consent of, The Client unless obligated to do so by Union or Member State law;
        • assist The Client should The Client carry out a data protection impact assessment and shall provide the output of its own data protection impact assessment(s) where relevant on request at any time and on the expiry or termination of this Agreement, it shall (at no cost to The Client) at The Client option either return to The Client all Personal Data and copies of it in such format as The Client may require or securely dispose of the Personal Data; and at The Client’s option (and at no cost to The Client), delete or return to The Client following the completion, termination or expiry of any Services, all Personal Data within Civil & Corporate Security Ltd’s possession or control relating to the provision of the completed, terminated or expired Services and shall be entitled to retain any of those data to the extent required to comply with applicable law (and on condition that such retention complies with Data Privacy Laws and Civil & Corporate Security Ltd provides The Client with written notice containing full written details of such retention, to the extent such notice is permitted by applicable law).
        •  
      • Civil & Corporate Security Ltd will (and will ensure that Civil & Corporate Security Ltd Personnel will) promptly (but in all cases within 24hours) notify The Client (with full details), if Civil & Corporate Security Ltd (or Civil & Corporate Security Ltd Processor Personnel as the case may be):becomes aware that a disclosure of Personal Data may be required under Data Privacy Laws;receives a complaint relating to The Client’s obligations under the Data Privacy Laws; and/or of any notices received by it relating to the Processing of any Personal Data, including any requests, or correspondence and provide such information, co-operation and assistance as The Client may require in relation to such notices (at no cost to The Client) including in connection with any approval of any supervisory authority to any Processing of Personal Data, or any request, action, notice or investigation by supervisory authority. For the avoidance of doubt, in no event shall Civil & Corporate Security Ltd or any of Civil & Corporate Security Ltd Personnel respond directly to any such notices without The Client’s prior written consent unless and to the extent required by law.Civil & Corporate Security Ltd shall provide and implement technical and organisational measures to help The Client fulfil its obligations in relation to such notices from or on behalf of Data Subjects in connection with the rights conferred on them by Data Privacy Laws;
        • if any Personal Data, whether potentially or actually, has been disclosed in breach of this Agreement or if it is lost, becomes corrupted, is damaged or is deleted in error;
        • becomes aware of a breach of this Agreement or any Data Privacy Laws.
      • If Civil & Corporate Security Ltd breaches or potentially breaches its obligations set out in this Agreement or there occurs any threat to the security of the Personal Data, Civil & Corporate Security Ltd shall:
        • take immediate steps to remedy the breach or prevent the potential breach or remove the threat;
        • promptly take measures to ensure there is no repetition of the incident in the future;
        • promptly provide The Client with full details in writing of the steps and measures taken; and
        • comply (at no cost to The Client) with all requests made by The Client in respect of the breach or threat.
      • Civil & Corporate Security Ltd shall segregate Personal Data in accordance with the principles of corporate separateness.
      •  
      • Civil & Corporate Security Ltd shall (at no cost to The Client) restore or recreate (in a timely manner and in accordance with good industry practice) all Personal Data which is lost, deleted or corrupted by Civil & Corporate Security Ltd or any of Civil & Corporate Security Ltd Personnel in breach of this Agreement.
      • In the event that Civil & Corporate Security Ltd believes that Civil & Corporate Security Ltd instructions conflict with the requirements of Data Privacy Laws, Civil & Corporate Security Ltd must immediately inform The Client.
      •  
   2. • Civil & Corporate Security Ltd must take all necessary technical and organisational security measures, including any additional measures, required to ensure that the Personal Data is not accidentally or unlawfully destroyed, lost or impaired or brought to the knowledge of unauthorised third parties, abused or otherwise processed in a manner which is contrary to the Data Privacy Laws. Such measures shall as a minimum include the following obligations to:
      • prevent unauthorized persons from gaining access to data processing systems with which Personal Data are Processed;
        • prevent Civil & Corporate Security Ltd's systems from being Processed without authorisation;
        • ensure that persons entitled to use a data processing system have access only to the Personal Data to which they have a right of access;
        • ensure that Personal Data cannot be read, copied, modified or removed without authorization during any Processing;
        • ensure that it is possible to check and establish whether and by whom Personal Data has been input into data processing systems, modified or removed; and
        • ensure a level of security appropriate to the harm that might result from such unauthorised or unlawful Processing or accidental loss, destruction or damage and the nature of the Personal Data to be protected
        • undertake activities to progress towards Cyber Essentials accreditation, this being a Government backed program operated by the National Cyber Security Centre. Such activities to include:
          • Developing awareness / understanding of the Cyber Essentials scheme, its definitions of Cyber Security terminology and its initial recommendations of how to secure organisations against Cyber attack
          • A milestone plan of activities to take Civil & Corporate Security Ltd’s IT infrastructure and Governance towards Cyber Essentials ‘Basic’ accreditation
          • Formal Cyber Essentials certification at the ‘Basic’ level
          • Formal Cyber Essentials certification at the ‘Plus’ level
        • make available to The Client evidence of progress towards Cyber Essentials accreditation whenever requested;
   3. Civil & Corporate Security Ltd shall:
      • Immediately (and in any case within 24 hours) inform The Client in writing of any unauthorized or unlawful processing of Personal Data and/or material incident of Personal Data loss, corruption, destruction, alteration, disclosure, access or damage ("Data Breach") or any action that causes or could reasonably be deemed to cause a Data Breach and shall liaise with The Client in managing such Data Breach (including by providing sufficient information, cooperation, analysis and support) and shall ensure all such notices include full and complete details relating to such Data Breach, in particular:
        • the nature and facts of such Data Breach including the categories and number of Personal Data records and, if applicable, Data Subjects concerned;
        • the contact details of the data protection officer or other representative duly appointed by Civil & Corporate Security Ltd from whom The Client can obtain further information relating to such breach;
        • the likely consequences or potential consequences of such breach; and
        • the measures taken or proposed to be taken by Civil & Corporate Security Ltd and/or any Supplier Personnel to address such breach and to mitigate any possible adverse effects and the implementation dates for such measures.
      • provide The Client with such co-operation (at no additional cost to The Client) in relation to the (i) The Client notifying the individual or the Supervisory Authority (or relevant regulator) of the Data Breach, including by providing The Client with a detailed description of the nature of the Data Breach and the identity of the affected person(s) and (ii) Civil & Corporate Security Ltd’s efforts to investigate, remediate, and mitigate the effects of any Data Breach; and
      • shall not make any public announcement regarding such incident as set out in this clause 4.3 without prior consultation with The Client and subject to The Client written consent.
   4.  
   5. Civil & Corporate Security Ltd mustnotifyThe Clientwherethereisaninterruptioninoperation,asuspicionthatdata protection rules or the Data Privacy Laws have been breached, or other irregularities in connection with the Processing of the Personal Data. If requested by The Client, Civil & Corporate Security Ltd shall assist in clarifyingthescopeofthesecuritybreach,includingpreparationofanynotificationtotherelevantData Protection Agency(-ies) and/or datasubjects.
   6. • During the useorreceiptofservices, if any party doesnothavetheabilitytocorrect, amend, block or delete Personal Data, each party shall comply with any commercially reasonable requesttofacilitatesuchactionstotheextentall parties arelegallypermittedtodo

 

1. Certifications and Audits
   1. Unless The Client is a competitor of Civil & Corporate Security Ltd, The Client is entitled, at its own expense, to have the processingofpersonaldatareviewedannuallybyanindependentthirdparty.
   2. The Client (or The Client’s independent, third-party auditor) is entitled, at its own cost, to request information regarding Civil & Corporate Security Ltd’s compliance with the obligations set in this DPA in the form of third-party certifications and audits. Any appointed auditor shall, upon request, sign a non-disclosure agreement and treat all information obtained or received fromconfidentially.
   3. The Client shall reimburse Civil & Corporate Security Ltd for any time spent by on audits, at the organisations current professional services rates. Before the commencement of any such on-site audit, all parties shall mutually agree upon the scope, timing, and duration of the audit in additiontothereimbursementrateforwhichThe Client shallberesponsible.
2. The use of Sub-data processors
   1. Civil & Corporate Security Ltd is not entitled to disclose or transfer Personal Data to third parties or data processors withoutthepriorwritteninstructionofThe Client,unlesssuchdisclosureortransferisstipulatedby law.
   2. Details on sub-data processors used by Civil & Corporate Security Ltd are set or are to be provided in Annex 2. Once the agreement has been reviewed and signed by all parties,The Clientagreestouseofthesesub-dataprocessors.
   3. Civil & Corporate Security Ltdisliableforthedataprocessingactivitiesperformedbythesub-dataprocessoronbehalfof The Client,wheresuchdataprocessingactivitiesaresubjectthisDPA.Civil & Corporate Security Ltdmustensurethat the sub-data processor it enlists has executed its own DPA in which the sub-data processor undertakes to be bound by terms similar to the requirements under this DPA.
   4. Civil & Corporate Security Ltd must inform The Client of any intended changes concerning the addition or replacementofasub-dataprocessorbyprovidingapriorwrittennoticeoftwomonths.
3.  
4. TRANSFER OF PERSONAL DATA OUTSIDE EEA
   1. Civil & Corporate Security Ltd shall not transfer Personal Data which has been obtained by or made available to Civil & Corporate Security Ltd to any country outside the European Economic Area (EEA) without the prior written consent of The Client, such consent may be subject to and given on such terms as The Client may in its absolute discretion prescribe.
   2. In the event that The Client consents to the transfer of Personal Data from Civil & Corporate Security Ltd to a country outside of the EEA Supplier shall comply with the following additional provisions:
      • Civil & Corporate Security Ltd shall confirm in writing:
        • the Personal Data which will be transferred to and/or Processed outside of the EEA;
        • any sub-data-processor or other third parties who will be processing and/or receiving Personal Data outside of the EEA;
        • how Civil & Corporate Security Ltd will ensure an adequate level of protection and adequate safeguards in respect of the Personal Data that will be processed in and/or transferred outside of the EEA so as to ensure The Client's compliance with the Data Privacy Laws;
      • Civil & Corporate Security Ltd shall comply with such other instructions and shall carry out such other actions as The Client may notify in writing, including:
        • incorporating standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under theData Privacy Laws) into this Agreement or a separate data processing agreement between the Parties; and
        • procuring that any sub-data-processor or other third party who will be processing and/or receiving or accessing the Personal Data outside of the EEA either enters into:
          • a direct data processing agreement with The Client on such terms as may be required by The Client; or
          • a data processing agreement with Civil & Corporate Security Ltd on terms which are equivalent to those agreed between The Client and Civil & Corporate Security Ltd relating to the relevant Personal Data transfer, and

in each case which Civil & Corporate Security Ltd acknowledges may include the incorporation of model contract provisions (which are approved by the European Commission as offering adequate safeguards under the Data Privacy Laws) and technical and organisation measures which The Client deems necessary for the purpose of protecting Personal Data.

1. 1. None of the parties are entitled to claim damages for any indirect or consequential loss, irrespective of whether The Client, Civil & Corporate Security Ltd or any third parties suffer such indirect or consequential loss. Any loss of business opportunities, loss of profits, operating loss, loss of revenue, goodwill and data, including loss in connection with the retrieval of data, must at all times be deemed to constitute indirect/consequentialloss.
   2. Civil & Corporate Security Ltd shall indemnify, defend and hold harmless The Client and its respective directors, officers, agents, successors and assigns from any and all Data Protection Losses arising from or in connection with:
      • any Data Breach;
      • any breach by Civil & Corporate Security Ltd, any sub-data-processor and/or Civil & Corporate Security Ltd Personnel of the obligations set out in this Agreement; and/or
      • any breach of the Data Privacy Laws (whether by supplier or by any sub-data-processor.
      • any breach of the Data Privacy Laws by The Client caused by the act or omission of Civil & Corporate Security Ltd or any sub-data-processor.
      • Civil & Corporate Security Ltd (or any person acting on its behalf) acting outside or contrary to the lawful instructions of The Client in respect of the processing of Personal Data
   3. Nothing in this clause shall relieve Civil & Corporate Security Ltd of any liability for the acts or omissions of Civil & Corporate Security Ltd Personnel in relation to the Personal Data.
   4. Civil & Corporate Security Ltd’s liability for any Data Protection Losses incurred by The Client shall be unlimited

 

1. Term and Termination of theAgreement
   1.  
   2.  
   3.  
2. Choice of law and legalvenue
   1. This agreement will be governed by and construed in accordance with the laws of the United Kingdom and the EU,exceptforitsconflictsoflawrulesandprinciples.Intheeventofanysuitorproceedingarising outoforrelatedtothisagreement,thecourtswithin the United Kingdomwillhaveexclusivejurisdictionandtheparties will submit to the jurisdiction of thosecourts.

 

1. 1. Any provision of this agreement that is prohibited or unenforceable in any jurisdiction is ineffective to the extent of that prohibition or unenforceability in that jurisdiction. The validity, enforceability, or legalityoftheremainingprovisionswillnotbeaffected.

 
 

ANNEX 1 - The processing of personal data
This Annex constitutes The Client’s instruction to Civil & Corporate Security Ltd in connection with the agreed processing activities, and is an integrated part of the Agreement.