New Contractual Commitments for the General Data Protection Regulation
GDPR places certain obligations on Civil & Corporate Security Ltd as a data processor including the requirement for a Data Sharing Agreement where we share personal data with a Data Processor.  This agreement should set out the guiding principles and standards for sharing data between the parties, including the purposes for sharing of data. 
Based on the services that our company provides to our clients, it is important for us to meet our own obligations as a Data Processor under the GDPR.
Because our processing involves data or information that identifies an individual (e.g. name, email, address, phone, etc.), that data is considered personal data under the GDPR. One of the changes that the new Regulation will deliver is a new statutory obligation for data security that data processors must observe, above and beyond contractual duties agreed with data controller customers.
We therefore include our Processor Terms for your review.


Addressing Article 28 GDPR (Processor Terms)


This Data Protection Addendum forms part of the Contractual Agreement between the following parties:

  • Civil & Corporate Security Ltd.
60 High Street, Amersham, HP7 0DS
In consideration of the mutual obligations set out herein, the parties hereby agree that the terms and conditions set out below shall be added as an Addendum to the Contractual Agreement. Except where the context requires otherwise, references in this Addendum to the Contractual Agreement are to the Contractual Agreement as amended by, and including, this Addendum.
    1. In this Agreement the expressions set out in Annex 3 shall have the meanings set out in Annex 3 unless the context otherwise requires:
  1. Scope of the Agreement
    1. The DPA forms part of the written or electronic agreement document between Civil & Corporate Security Ltd and yourself detailing the Services agreed and is to reflect the parties’ agreement regarding the Processing of Personal Data.
    3. Civil & Corporate Security Ltd acknowledges that The Client shall solely be responsible for the following decisions and determinations:
  2. THE CLIENT’S Obligations as the DataController
    1. The Client warrants that the Personal Data
  4. CIVIL & CORPORATE SECURITY LTD’S Obligations as Data Processor
      • All Processing undertaken by the Civil & Corporate Security Ltd of personal data provided by The Client must be in accordance with instructions provided by The Client. When requested by The Client, Civil & Corporate Security Ltd shall demonstrate and/or document that it complies with the requirements of the Data Privacy Laws.
      • Civil & Corporate Security Ltd must ensure that its employees comply with this Agreement and limit the access of personal data to its employees and affiliates for whom access to the data is necessary in order to fulfil its contractual obligations. Civil & Corporate Security Ltd must ensure that employees authorised to process any personal data have committed themselves to confidentiality or are under appropriate statutory obligations of confidentiality.
      • Civil & Corporate Security Ltd shall:
        • only Process Personal Data on behalf of The Client in accordance with the Data Privacy Laws;
        • provide The Client or any relevant regulator with a copy of all Personal Data on demand;
        • make all reasonable efforts to ensure that the Personal Data is accurate and up-to-date at all times;
        • not keep Personal Data for longer than is necessary in accordance with The Client’s instructions so as to comply with the principle of data minimisation.
        • Not, by its act or omission, cause The Client to be in breach of the Data Privacy Laws and shall use all reasonable endeavours to assist The Client to comply with any obligations imposed on The Client by the Data Privacy Laws;
        • comply with any requests by Data Subjects to exercise their rights under the Data Privacy Laws (including but not limited to their rights to access, or to cease or not begin processing, rectify, block, erase, destroy or object to the processing of their personal data, each a Data Subject Request);
        • ensure that the Personal Data is deleted or corrected if it is incorrect (or, The Client does not agree that it is incorrect, to have recorded the fact that the relevant person considers the Personal Data to be incorrect within 5 (five) days' of being requested to do so by The Client; and/or
        • communicate with or obtain the approval of the Information Commissioner's Office (ICO) in relation to the Processing of Personal Data where necessary;
        • if requested, provide a copy to The Client of a Data Subject's Personal Data in a machine readable portable format promptly, and in any event within twenty-four (24) hours of receipt of any request or correspondence, inform The Client about the receipt of any Data Subject Requests or any correspondence received from any Supervisory Authority (“ICO Correspondence”);
        • not disclose any Personal Data in response to any Data Subject Request or ICO Correspondence, or respond in any way to such a request without first consulting with, and obtaining the consent of, The Client unless obligated to do so by Union or Member State law;
        • assist The Client should The Client carry out a data protection impact assessment and shall provide the output of its own data protection impact assessment(s) where relevant on request at any time and on the expiry or termination of this Agreement, it shall (at no cost to The Client) at The Client option either return to The Client all Personal Data and copies of it in such format as The Client may require or securely dispose of the Personal Data; and at The Client’s option (and at no cost to The Client), delete or return to The Client following the completion, termination or expiry of any Services, all Personal Data within Civil & Corporate Security Ltd’s possession or control relating to the provision of the completed, terminated or expired Services and shall be entitled to retain any of those data to the extent required to comply with applicable law (and on condition that such retention complies with Data Privacy Laws and Civil & Corporate Security Ltd provides The Client with written notice containing full written details of such retention, to the extent such notice is permitted by applicable law).
      • Civil & Corporate Security Ltd will (and will ensure that Civil & Corporate Security Ltd Personnel will) promptly (but in all cases within 24hours) notify The Client (with full details), if Civil & Corporate Security Ltd (or Civil & Corporate Security Ltd Processor Personnel as the case may be):becomes aware that a disclosure of Personal Data may be required under Data Privacy Laws;receives a complaint relating to The Client’s obligations under the Data Privacy Laws; and/or of any notices received by it relating to the Processing of any Personal Data, including any requests, or correspondence and provide such information, co-operation and assistance as The Client may require in relation to such notices (at no cost to The Client) including in connection with any approval of any supervisory authority to any Processing of Personal Data, or any request, action, notice or investigation by supervisory authority. For the avoidance of doubt, in no event shall Civil & Corporate Security Ltd or any of Civil & Corporate Security Ltd Personnel respond directly to any such notices without The Client’s prior written consent unless and to the extent required by law.Civil & Corporate Security Ltd shall provide and implement technical and organisational measures to help The Client fulfil its obligations in relation to such notices from or on behalf of Data Subjects in connection with the rights conferred on them by Data Privacy Laws;
        • if any Personal Data, whether potentially or actually, has been disclosed in breach of this Agreement or if it is lost, becomes corrupted, is damaged or is deleted in error;
        • becomes aware of a breach of this Agreement or any Data Privacy Laws.
      • If Civil & Corporate Security Ltd breaches or potentially breaches its obligations set out in this Agreement or there occurs any threat to the security of the Personal Data, Civil & Corporate Security Ltd shall:
        • take immediate steps to remedy the breach or prevent the potential breach or remove the threat;
        • promptly take measures to ensure there is no repetition of the incident in the future;
        • promptly provide The Client with full details in writing of the steps and measures taken; and
        • comply (at no cost to The Client) with all requests made by The Client in respect of the breach or threat.
      • Civil & Corporate Security Ltd shall segregate Personal Data in accordance with the principles of corporate separateness.
      • Civil & Corporate Security Ltd shall (at no cost to The Client) restore or recreate (in a timely manner and in accordance with good industry practice) all Personal Data which is lost, deleted or corrupted by Civil & Corporate Security Ltd or any of Civil & Corporate Security Ltd Personnel in breach of this Agreement.
      • In the event that Civil & Corporate Security Ltd believes that Civil & Corporate Security Ltd instructions conflict with the requirements of Data Privacy Laws, Civil & Corporate Security Ltd must immediately inform The Client.
    1. Civil & Corporate Security Ltd shall:
      • Immediately (and in any case within 24 hours) inform The Client in writing of any unauthorized or unlawful processing of Personal Data and/or material incident of Personal Data loss, corruption, destruction, alteration, disclosure, access or damage ("Data Breach") or any action that causes or could reasonably be deemed to cause a Data Breach and shall liaise with The Client in managing such Data Breach (including by providing sufficient information, cooperation, analysis and support) and shall ensure all such notices include full and complete details relating to such Data Breach, in particular:
        • the nature and facts of such Data Breach including the categories and number of Personal Data records and, if applicable, Data Subjects concerned;
        • the contact details of the data protection officer or other representative duly appointed by Civil & Corporate Security Ltd from whom The Client can obtain further information relating to such breach;
        • the likely consequences or potential consequences of such breach; and
        • the measures taken or proposed to be taken by Civil & Corporate Security Ltd and/or any Supplier Personnel to address such breach and to mitigate any possible adverse effects and the implementation dates for such measures.
      • provide The Client with such co-operation (at no additional cost to The Client) in relation to the (i) The Client notifying the individual or the Supervisory Authority (or relevant regulator) of the Data Breach, including by providing The Client with a detailed description of the nature of the Data Breach and the identity of the affected person(s) and (ii) Civil & Corporate Security Ltd’s efforts to investigate, remediate, and mitigate the effects of any Data Breach; and
      • shall not make any public announcement regarding such incident as set out in this clause 4.3 without prior consultation with The Client and subject to The Client written consent.
    3. Civil & Corporate Security Ltd mustnotifyThe Clientwherethereisaninterruptioninoperation,asuspicionthatdata protection rules or the Data Privacy Laws have been breached, or other irregularities in connection with the Processing of the Personal Data. If requested by The Client, Civil & Corporate Security Ltd shall assist in clarifyingthescopeofthesecuritybreach,includingpreparationofanynotificationtotherelevantData Protection Agency(-ies) and/or datasubjects.
      • During the useorreceiptofservices, if any party doesnothavetheabilitytocorrect, amend, block or delete Personal Data, each party shall comply with any commercially reasonable requesttofacilitatesuchactionstotheextentall parties arelegallypermittedtodo
  1. Certifications and Audits
    1. Unless The Client is a competitor of Civil & Corporate Security Ltd, The Client is entitled, at its own expense, to have the processingofpersonaldatareviewedannuallybyanindependentthirdparty.
    2. The Client (or The Client’s independent, third-party auditor) is entitled, at its own cost, to request information regarding Civil & Corporate Security Ltd’s compliance with the obligations set in this DPA in the form of third-party certifications and audits. Any appointed auditor shall, upon request, sign a non-disclosure agreement and treat all information obtained or received fromconfidentially.
    3. The Client shall reimburse Civil & Corporate Security Ltd for any time spent by on audits, at the organisations current professional services rates. Before the commencement of any such on-site audit, all parties shall mutually agree upon the scope, timing, and duration of the audit in additiontothereimbursementrateforwhichThe Client shallberesponsible.
  2. The use of Sub-data processors
    1. Civil & Corporate Security Ltd is not entitled to disclose or transfer Personal Data to third parties or data processors withoutthepriorwritteninstructionofThe Client,unlesssuchdisclosureortransferisstipulatedby law.
    2. Details on sub-data processors used by Civil & Corporate Security Ltd are set or are to be provided in Annex 2. Once the agreement has been reviewed and signed by all parties,The Clientagreestouseofthesesub-dataprocessors.
    3. Civil & Corporate Security Ltdisliableforthedataprocessingactivitiesperformedbythesub-dataprocessoronbehalfof The Client,wheresuchdataprocessingactivitiesaresubjectthisDPA.Civil & Corporate Security Ltdmustensurethat the sub-data processor it enlists has executed its own DPA in which the sub-data processor undertakes to be bound by terms similar to the requirements under this DPA.
    4. Civil & Corporate Security Ltd must inform The Client of any intended changes concerning the addition or replacementofasub-dataprocessorbyprovidingapriorwrittennoticeoftwomonths.
    1. Civil & Corporate Security Ltd shall not transfer Personal Data which has been obtained by or made available to Civil & Corporate Security Ltd to any country outside the European Economic Area (EEA) without the prior written consent of The Client, such consent may be subject to and given on such terms as The Client may in its absolute discretion prescribe.
    2. In the event that The Client consents to the transfer of Personal Data from Civil & Corporate Security Ltd to a country outside of the EEA Supplier shall comply with the following additional provisions:
in each case which Civil & Corporate Security Ltd acknowledges may include the incorporation of model contract provisions (which are approved by the European Commission as offering adequate safeguards under the Data Privacy Laws) and technical and organisation measures which The Client deems necessary for the purpose of protecting Personal Data.
    1. None of the parties are entitled to claim damages for any indirect or consequential loss, irrespective of whether The Client, Civil & Corporate Security Ltd or any third parties suffer such indirect or consequential loss. Any loss of business opportunities, loss of profits, operating loss, loss of revenue, goodwill and data, including loss in connection with the retrieval of data, must at all times be deemed to constitute indirect/consequentialloss.
    2. Civil & Corporate Security Ltd shall indemnify, defend and hold harmless The Client and its respective directors, officers, agents, successors and assigns from any and all Data Protection Losses arising from or in connection with:
      • any Data Breach;
      • any breach by Civil & Corporate Security Ltd, any sub-data-processor and/or Civil & Corporate Security Ltd Personnel of the obligations set out in this Agreement; and/or
      • any breach of the Data Privacy Laws (whether by supplier or by any sub-data-processor.
      • any breach of the Data Privacy Laws by The Client caused by the act or omission of Civil & Corporate Security Ltd or any sub-data-processor.
      • Civil & Corporate Security Ltd (or any person acting on its behalf) acting outside or contrary to the lawful instructions of The Client in respect of the processing of Personal Data
    3. Nothing in this clause shall relieve Civil & Corporate Security Ltd of any liability for the acts or omissions of Civil & Corporate Security Ltd Personnel in relation to the Personal Data.
    4. Civil & Corporate Security Ltd’s liability for any Data Protection Losses incurred by The Client shall be unlimited
  1. Term and Termination of theAgreement
  2. Choice of law and legalvenue
    1. This agreement will be governed by and construed in accordance with the laws of the United Kingdom and the EU,exceptforitsconflictsoflawrulesandprinciples.Intheeventofanysuitorproceedingarising outoforrelatedtothisagreement,thecourtswithin the United Kingdomwillhaveexclusivejurisdictionandtheparties will submit to the jurisdiction of thosecourts.
    1. Any provision of this agreement that is prohibited or unenforceable in any jurisdiction is ineffective to the extent of that prohibition or unenforceability in that jurisdiction. The validity, enforceability, or legalityoftheremainingprovisionswillnotbeaffected.
ANNEX 1 - The processing of personal data
This Annex constitutes The Client’s instruction to Civil & Corporate Security Ltd in connection with the agreed processing activities, and is an integrated part of the Agreement.


ANNEX 2 - Sub-Data Processors
This Annex constitutes Civil & Corporate Security Ltd’s disclosure to The Client of sub-data processors used to provide the services.

ANNEX 3 - Definitions
Data Privacy Laws means all laws that relate to data protection, privacy, the use of information relating to individuals, and or the information rights of individuals including  without limitation, the Data Protection Act 1998, the Privacy and Electronic Communication (EC Directive) Regulations 2003, the Regulation of Investigatory Powers Act 2000, the Telecommunications (lawful Business Practice) (Interception of Communications) Regulations 2000, Privacy and Electronic Communications (EC Directive) Regulations 2003, the Consumer Protection from Unfair Trading Regulations 2008, any laws in force in any relevant jurisdiction which implements the Directive, the Regulation, and all and any regulations made under those acts or regulations all applicable formal or informal guidance, rules, requirements, directions, guidelines, recommendations, advice, codes of practice, policies, measures or publications of the Information Commissioner's Office, other relevant regulator, and or relevant industry body, in each case in any relevant jurisdiction(s) and the equivalent in any other relevant jurisdictions.
Supplier Personnel means all staff, contractors, employees, agents, sub-contractors and sub-processors of Supplier
Data Protection Losses means all liabilities and other amounts, including:
  • costs (including legal costs), claims, demands, actions, settlements, interest, charges, procedures, expenses, losses and damages (including relating to material or non-material damage);
  • any fines, penalties, other regulatory sanctions and compensation paid to data subjects (including compensation to protect goodwill and ex gratia payments);
  • restoring, rectifying, correcting, and amending The Client's data including the costs of activating disaster recovery;
  • the costs of investigating, recovering, remedying breaches of this Agreement by Supplier, any Data Breachor breach of Data Privacy Law (including staff training, changes to systems and putting in place measures to prevent future breaches and process and other related losses);
  • setting up a dedicated helpline (including the resources and staffing costs associated with the same) and website for data subjects;
  • facilitating and paying for third party credit monitoring checks for the data subjects (for up to 12 months after a Data Breach);
  • the costs of notifying Data Subjects;
  • any additional operational and/or administrative costs and expenses incurred by The Client, including costs relating to time spent by or on behalf of The Client in dealing with the consequences of any breach of this Agreement or breach of Data Privacy Laws and any associated legal costs;
  • any wasted expenditure;
  • costs of compliance with investigations by a Supervisory Authority; and
  • the costs of loading the Personal Data, , to the extent the same are lost, damaged or destroyed, and any loss or corruption of Personal Data (including the costs of rectification or restoration of Personal Data);
Data Subject has (until 24 May 2018) the meaning given under the Directive and (from 25 May 2018) the meaning given under the Regulation
Directive means the European Commission Directive 95/46/EC with respect to the Processing of Personal Data
Personal Data means (until 24 May 2018) personal data as defined in the Directive and (from 25 May 2018) personal data as defined in the Regulation to be processed by Civil & Corporate Security Ltd for or on behalf of the The Client or in respect of services supplied by Civil & Corporate Security Ltd to the The Client (the Services).
Processing means obtaining, recording or holding Personal Data or carrying out any operation or set of operations on Personal Data (whether or not by automatic means), including:
  • organisation, adaptation or alteration of Personal Data;
  • retrieval, consultation or use of Personal Data;
  • disclosure of the information or Personal Data by transmission, dissemination or otherwise making available; or
  • alignment, combination, blocking, erasure or destruction of the Personal Data,
and Processed, Processes and Process shall be construed accordingly..
Regulation means the General Data Protection Regulation ((EU) 2016/679)).
Services means the fulfilment of a contractual obligation provided to or from The Client through a written or electronic agreement document.
Supervisory Authority means any local, national or multinational agency, department, official, parliament, public or statutory person or any government or professional body, regulatory or supervisory authority, board or other body responsible for administering Data Privacy Laws;