These data processor clauses form part of the contract between Bevan Brittan LLP (BB) and any expert or other third party (Service Provider), as required under Article 28 of the General Data Protection Regulation (GDPR) and any data protection legislation in force in the United Kingdom, including the Data Protection Act 2018, or any successor legislation (UK data protection legislation). GDPR and UK data protection legislation shall be referred to, together, as "Data Protection Legislation" elsewhere in this document.
The following terms: "data controller", "data processor", "data subjects", "personal data", "personal data breach", "processing" and "special categories of personal data" shall have the same meaning as how these terms are defined and used in GDPR. A contravention of the terms of these data processor clauses shall entitle BB to terminate the contract.
1. BB and the Service Provider agree to comply with Data Protection Legislation. Notwithstanding this, the following paragraphs further clarify the rights and obligations of BB and the Service Provider.
2. The Service Provider will receive from BB personal data necessary for the provision of the services under the contract. BB will be the data controller of that personal data. The Service Provider will be the data processor.
3. The Service Provider shall process the personal data provided to it by BB solely for the purposes of providing the services, unless the Service Provider is required, or permitted, by Data Protection Legislation (or other laws) to otherwise process that personal data.
4. The attached appendix confirms the nature, purpose, duration and types of processing by the Service Provider. It also confirms the categories of data subjects whose data will be processed.
5. The Service Provider shall have in place appropriate technical and organisational measures for ensuring the security of data it processes, as described in paragraphs 2-4 above. Such measures must comply with Data Protection Legislation, and all/any encryption and security standards applicable to the Service Provider’s area of work/industry.
6. The Service Provider shall ensure that all the personal data provided to it by BB is accessible only by persons who reasonably require that access. The Service Provider shall ensure that all such persons are under obligations of confidentiality in respect of that personal data and that they process that personal data only on the instructions of BB or the Service Provider.
7. The Service Provider shall not disclose, transfer nor make available any personal data provided to it by BB to any third party (including other data processors, and sub-processors) without the written authorisation of BB, or otherwise required by Data Protection Legislation (or other laws). It is the responsibility of the Service Provider to address and document the obligations of any other data processors it engages with (assuming obligations imposed in the previous have been complied with), on terms that are the same as or equivalent to these. The Service Provider agrees that it remains responsible for the actions of any other processor it engages with, and it shall remain fully liable to BB in this regard.
8. The Service Provider shall not transfer any personal data provided to it by BB outside the European Economic Area without the written authorisation of BB. Likewise, the Service Provider must ensure that appropriate safeguards are in place before any transfer takes place, and that the rights granted to data subjects under Data Protection Legislation remain unaffected.
9. Where any personal data provided to the Service Provider by BB has been subject to a personal data breach, or where the Service Provider has cause for suspecting that the same may have occurred, the Service Provider shall inform BB immediately. The Service Provider shall provide BB with all information BB reasonably requires to understand and address the incident. The Service Provider shall co-operate with BB in taking steps to mitigate any risks or prejudicial consequences arising.
10. Upon the termination of the contract, BB shall instruct the Service Provider to delete or return the personal data it provided under the contract and any other information held by the Service Provider that contains or reflects that personal data, such that the Service Provider ceases to hold any of the personal data provided by BB. Except where permitted or required by Data Protection Legislation, the Service Provider shall comply with that instruction promptly and within a reasonable period. The Service Provider shall confirm in writing that it has complied with that instruction.
11. If the Service Provider is contacted by an individual whose personal data is held by the Service Provider pursuant to the contract with BB and who seeks to exercise rights of subject access, rectification, erasure or any other right under Data Protection Legislation, the Service Provider shall inform BB without delay. The Service Provider shall inform the individual that BB is the data controller of that personal data and that the individual’s communication should be directed to BB. The Service Provider shall not provide any substantive response to the request.
12. Upon written request from BB, the Service Provider shall provide BB promptly with any information BB reasonably requires in order for BB to:
12.1. comply with requests from data subjects to exercise rights of subject access, or any other right under Data Protection Legislation;
12.2. comply with its duties under Data Protection Legislation; and
12.3. assess the Service Provider’s compliance with these clauses or for audits and inspections to be undertaken by or on behalf of BB.
APPENDIX TO DATA PROCESSING CLAUSES
1 THE NATURE AND PURPOSE OF THE PROCESSING
1.1 The nature and purpose of the processing carried out by the Service Provider includes any operation that lawfully enables it to use personal data supplied by BB to allow the performance of the contract, subject to the obligations imposed by Data Protection Legislation.
2 THE DURATION OF THE PROCESSING
2.1 The processing of personal data by the Service Provider shall persist from the date that the personal data is provided by BB until the date that the contract is completed, remains in effect or is terminated, subject to the effect of paragraph 10 in the data processing clauses.
3 THE TYPES OF PERSONAL DATA TO BE PROCESSED
3.1 The types of personal data that shall be processed in accordance with the data processing clauses include one or more of the following: names, contact details (e.g. telephone numbers, addresses), identification numbers (e.g. from passports or national insurance), financial information, location data, online identifiers, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the data subjects mentioned in section 4, below.
3.2 The types of special categories of personal data, relating to the natural persons mentioned in section 4, below, that shall be processed in accordance with the data processing clauses include at least one of the following: information revealing racial or ethnic origins, political opinions, religious or philosophical beliefs, trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying such data subjects, data concerning health or data concerning the sex life or sexual orientation of such data subjects.
4 CATEGORIES OF DATA SUBJECTS TO WHOM PERSONAL DATA RELATES
4.1 The categories of individuals whose personal data is processed in accordance with the data processing clauses are: BB's employees, consultants, agents, and clients (including their family members, employers, employees, co-workers, business partners and those with whom the client has been involved for the purposes of property or commercial transactions or for medical treatment). Additionally, BB may also provide personal data relating to solicitors, agents or other persons working on particular matters, but who are not employed by or otherwise linked with BB.