This Data Processing Agreement (Agreement) sets out the additional terms, requirements and conditions on which the Contractor will process Personal Data when providing services under the Master Agreement. This Agreement contains the mandatory clauses required by Article 28(3) of UK GDPR (as defined below) for contracts between controllers and processors.

Agreed Terms

This agreement includes the following:

1. Definition and Interpretation
2. Compliance
3. Contractor's Obligations
4. Ownership
5. Information Security
6. Employees
7. Assignment
8. Audit and Inspection
9. General
10. Termination
11. Records
12. Indemnity
13. Jurisdiction

1. Definition and Interpretation

The following definitions and rules of interpretation apply in this Agreement:

  • 1.1 For the purposes of this Agreement, “data controller”, “data processor”, “data subject”, “Personal Data”, “processing”, “notification” and “data protection principles” shall have the meaning ascribed to them in the Data Protection Legislation.
  • 1.2 Commissioner: the Information Commissioner (see Article 4(A3), UK GDPR and section 114, DPA 2018).
  • 1.3 Data Protection Legislation: the UK Data Protection Legislation and any other European Union legislation relating to personal data and all other legislation and regulatory requirements in force from time to time which apply to a party relating to the use of personal data (including, without limitation, the privacy of electronic communications); and the guidance and codes of practice issued by the relevant data protection or supervisory authority and applicable to a party.
  • 1.4 Personal Data Breach: a breach of security leading to the accidental, unauthorised or unlawful destruction, loss, alteration, disclosure of, or access to, the Personal Data.
  • 1.5 Records: has the meaning given to it in Clause 11.
  • 1.6 UK Data Protection Legislation: all applicable data protection and privacy legislation in force from time to time in the UK including the UK GDPR; the Data Protection Act 2018; the Privacy and Electronic Communications Directive 2002/58/EC (as updated by Directive 2009/136/EC) and the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426) as amended.
  • 1.7 UK GDPR: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act of 2018.
  • 1.8 This Agreement is subject to the terms of the Master Agreement and is incorporated into the Master Agreement. Interpretations and defined terms set forth in the Master Agreement apply to the interpretation of this Agreement.
  • 1.9 The Schedules form part of this Agreement and will have effect as if set out in full in the body of this Agreement. Any reference to this Agreement includes the Schedules.
  • 1.10 In the case of conflict or ambiguity between any of the provisions of this Agreement and the provisions of the Master Agreement, the provisions of this Agreement will prevail.

2. Compliance

  • 2.1 The parties acknowledge that for the purposes of the Data Protection Legislation, the Data Controller is the data controller and the Contractor is the data processor (where Data Controller and Data Processor have the meanings as defined in the Data Protection Legislation). The Schedule attached sets out the scope, nature and purpose of processing by the Contractor, the duration of the processing and the types of Personal Data (as defined in the Data Protection Legislation) and categories of Data Subject.
  • 2.2 Both parties will comply with all applicable requirements of the Data Protection Legislation. This clause 2.2 is in addition to, and does not relieve, remove or replace, a party’s obligations under the Data Protection Legislation.
  • 2.3 Without prejudice to the generality of clause 2.2, the Data Controller will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the Personal Data to the Contractor for the duration and purposes of this agreement.

3. Contractor's Obligations

  • 3.1 The Contractor shall process Personal Data strictly in accordance with instructions from the Data Controller as set out in the contract, including this agreement and as otherwise notified to the Contractor by the Data Controller from time to time. Except as provided in the contract or with the prior written consent of the Data Controller, the Contractor shall not carry out any other processing, use or disclosure of the Personal Data unless the Contractor is required by the laws of the UK or any member of the European Union or by the laws of the European Union applicable to the Contractor to process Personal Data (Applicable Laws). Where the Contractor is relying on laws of the UK or a member of the European Union or European Union law as the basis for processing Personal Data, the Contractor shall promptly notify the Data Controller of this before performing the processing required by the Applicable Laws unless those Applicable Laws prohibit the Contractor from so notifying the Data Controller.
  • 3.2 The Contractor will maintain the confidentiality of the Personal Data and will not disclose the Personal Data to third-parties unless the Data Controller or this Agreement specifically authorises the disclosure, or as required by domestic law, court or regulator (including the Commissioner). If a domestic law, court or regulator (including the Commissioner) requires the Contractor to process or disclose the Personal Data to a third-party, the Contractor must first inform the Data Controller of such legal or regulatory requirement and give the Data Controller an opportunity to object or challenge the requirement, unless the domestic law prohibits the giving of such notice.
  • 3.3 The Contractor will maintain the confidentiality of the Personal Data and will not disclose the Personal Data to third-parties unless the Data Controller or this Agreement specifically authorises the disclosure, or as required by domestic law, court or regulator (including the Commissioner). If a domestic law, court or regulator (including the Commissioner) requires the Contractor to process or disclose the Personal Data to a third-party, the Contractor must first inform the Data Controller of such legal or regulatory requirement and give the Data Controller an opportunity to object or challenge the requirement, unless the domestic law prohibits the giving of such notice.

4. Ownership

  • 4.1 All information and Personal Data supplied by the Data Controller to the Contractor and used by the Contractor directly or indirectly in the performance of this agreement shall remain at all times the property of the Data Controller.
  • 4.2 All information and Personal Data supplied by the Data Controller to the Contractor and used by the Contractor directly or indirectly in the performance of this agreement shall remain at all times the property of the Data Controller.

5. Information Security

  • 5.1 At all times the Contractor shall maintain appropriate technical and organisational security measures against the unauthorised or unlawful processing of the Personal Data and against accidental loss or destruction of, or damage to, Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymising and encrypting Personal Data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it).
  • 5.2 The Contractor shall not transfer any Personal Data outside of the UK and European Economic Area unless the prior written consent of the Data Controller has been obtained and the following conditions are fulfilled:
    • 5.2.1 the Data Controller or the Contractor has provided appropriate safeguards in relation to the transfer;
    • 5.2.2 the data subject has enforceable rights and effective legal remedies;
    • 5.2.3 the Contractor complies with reasonable instructions notified to it in advance by the Data Controller with respect to the processing of the Personal Data.
    • 5.2.4 the Contractor complies with reasonable instructions notified to it in advance by the Data Controller with respect to the processing of the Personal Data.
  • 5.3 The Contractor shall assist the Data Controller, at the Data Controller’s cost, in responding to any request from a Data Subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators.
  • 5.4 The Contractor shall notify the Data Controller without undue delay on becoming aware of a Personal Data Breach. The Contractor shall also provide the Data Controller with the following information:
    • a) description of the nature of the Personal Data Breach, including the categories of in-scope Personal Data and approximate number of both Data Subjects and the Personal Data records concerned;
    • b) the likely consequences; and
    • c) a description of the measures taken or proposed to be taken to address the Personal Data Breach, including measures to mitigate its possible adverse effects.

    The Contractor will not inform any third party of any Personal Data Breach without first obtaining the Data Controller’s prior written consent, except when required to do so by law.

  • 5.5 The Contractor shall at the written direction of the Data Controller, delete or return Personal Data and copies thereof to the Data Controller on termination of the agreement unless required by Applicable Law to store the Personal Data.
  • 5.6 The Contractor shall take all reasonable precautions to preserve the integrity and prevent any corruption or loss, damage or destruction of the Personal Data.
  • 5.7 The information security regime implemented by the Contractor shall be compliant with all relevant Data Protection Legislation and other legislation and shall conform to recognised industry information security standards.
  • 5.8 The Contractor shall provide the Data Controller with a written description of the technical and organisational methods employed to safeguard the Personal Data (within timescales required by the Data Controller).
  • 5.9 In the event any Personal Data related to this agreement in the possession of the Contractor becomes lost, corrupted or rendered unusable for any reason, the Contractor undertakes to promptly restore such Personal Data using its back up and/or disaster recovery procedures at no cost to the Data Controller. The Contractor further undertakes to notify the Data Controller immediately of any such breach of security and/or failure to comply with any data protection requirements which could give rise to enforcement measures and/or a complaint against the Data Controller and, as a minimum, to comply with the time limits specified in clauses 9.1 and 9.2.

6. Employees

  • 6.1 The Contractor shall take all reasonable steps to ensure the reliability of any employees who may have access to Personal Data and ensure that all employees have received relevant training in data protection and in the care and handling of Personal Data and understand how this relates to the Contractor’s contractual obligations.
  • 6.2 The Contractor shall ensure that only those employees who may assist in carrying out its obligations under the contract shall have access to the Personal Data.
  • 6.3 The Contractor shall ensure that only those employees who may assist in carrying out its obligations under the contract shall have access to the Personal Data.

7. Assignment

  • 7.1 This agreement is personal to the Contractor. It shall not be transferred or assigned to another contractor except with the prior written permission of ShelterBox, which if provided shall be at the absolute discretion of ShelterBox. In any event sub-contracting any part of the contract shall not relieve the Contractor from any of the obligations imposed by this agreement. The Data Controller does not consent to the Contractor appointing any third party processor of Personal Data under the contract except with the prior written consent of the Data Controller and subject to the Contractor entering into an agreement with the third party processor that contains terms substantially the same as those set out in this Agreement.

8. Audit and Inspection

  • 8.1 The Contractor shall comply with all reasonable requests from the Data Controller including access to its premises (upon giving reasonable notice) as the Data Controller may reasonably require to inspect and audit the Personal Data processing activities in order to satisfy itself that the Contractor is in full compliance with its obligations under this agreement.
  • 8.2 The Contractor shall maintain complete and accurate records and information to demonstrate its compliance with this clause 8.1 and allow for audits by the Data Controller or the Data Controller’s designated auditor.

9. General

  • 9.1 The Contractor undertakes to notify the Data Controller immediately upon receiving any complaint, notice or communication from an individual, supervisory or government body which relates directly or indirectly to the processing of the Personal Data and:
    • a) provide the Data Controller with any necessary information on a timely basis;
    • b) if required, respond to the request/complaint in accordance with any instructions given by the Data Controller.
  • 9.2 Specifically, the Contractor shall notify the Data Controller within one working day of:
    • (i) A request from a data subject to access their data; or
    • (ii) A complaint or notice from any source relating to the Data Controller’s obligations under the Data Protection Legislation.
  • 9.3 The Contractor undertakes not to transfer any of the Personal Data to any country or territory outside the UK or the European Economic Area without the prior written consent of the Data Controller.
  • 9.4 The Contractor agrees to promptly carry out any request from the Data Controller to amend, transfer or delete all or any part of the Personal Data.

10. Termination

  • 10.1 This agreement shall terminate once the contract has been cancelled. The Contractor will immediately cease all processing of Personal Data and will return to the Data Controller in the format specified, or destroy, such Personal Data as ShelterBox may instruct.

11. Records

  • 11.1 The Contractor will keep detailed, accurate and up-to-date written records regarding any processing of Personal Data it carries out for the Data Controller, including but not limited to, the access, control and security of the Personal Data, approved subcontractors and affiliates, the processing purposes, categories of processing, any approved transfers of personal data to a third country and related safeguards, and a general description of the technical and organisational security measures referred to in clause 5.1 (Records).
  • 11.2 The Contractor will ensure that the Records are sufficient to enable the Data Controller to verify the Contractor’s compliance with its obligations under this Agreement and the Contractor will provide the Data Controller with copies of the Records upon request.

12. Indemnity

  • 12.1 The Contractor shall indemnify the Data Controller for any breach of this agreement by the Contractor or any third party processor appointed pursuant to clause 7 which renders ShelterBox liable for any costs, fines, monetary penalties, claims, or expenses howsoever arising.
  • 12.2 Any limitation of liability set forth in the Master Agreement will not apply to this Agreement’s indemnity or reimbursement obligations.

13. Jurisdiction

  • 13.1 This Agreement and any non-contractual obligations and other matters arising from or in conjunction with it shall be governed by and construed in accordance with the law of England and Wales and the parties shall submit to the exclusive jurisdiction of the Courts of England and Wales including in relation to any non-contractual disputes or claims.