Introduction
Norse Commercial Services Limited (NCS) has appointed the Supplier to provide Goods/Services in accordance with the provisions of the Contract.
NCS has identified that the provision of the Goods/Services may involve the transfer and processing of Personal Data and, as a result, the parties wish to ensure that the additional provisions set out in this supplement are expressly incorporated into the terms of the Contract.
Definitions
Data Protection Legislation: the UK Data Protection Legislation and (for so long as and to the extent that the law of the European Union has legal effect in the UK) the General Data Protection Regulation ((EU) 2016/679) and any other directly applicable European Union regulation relating to privacy.
UK Data Protection Legislation: any data protection legislation from time to time in force in the UK including the Data Protection Act 2018 or any successor legislation.
1. Data protection
1.1. Both parties will comply with all applicable requirements of the Data Protection Legislation. This clause 1.1 is in addition to, and does not relieve, remove or replace, a party’s obligations under the Data Protection Legislation. In this clause 1, Applicable Laws means (for so long as and to the extent that they apply to the Supplier) the law of the European Union, the law of any member state of the European Union and/or Domestic UK Law; and Domestic UK Law means the UK Data Protection Legislation and any other law that applies in the UK.
1.2. The parties acknowledge that for the purposes of the Data Protection Legislation, NCS is the data controller and the Supplier is the data processor (where Data Controller and Data Processor have the meanings as defined in the Data Protection Legislation).
1.3. Without prejudice to the generality of clause 1.1, NCS will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the Personal Data to the Supplier for the duration and purposes of the Contract.
1.4. Without prejudice to the generality of clause 1.1, the Supplier shall, in relation to any Personal Data processed in connection with the performance by the Supplier of its obligations under the Contract:
(a) process that Personal Data only on the written instructions of NCS unless the Supplier is required by Applicable Laws to otherwise process that Personal Data (in which case the Supplier shall notify NCS of that requirement);
(b) ensure that it has in place appropriate technical and organisational measures, reviewed and approved by NCS, to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymising and encrypting Personal Data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it);
(c) ensure that all personnel who have access to and/or process Personal Data are obliged to keep the Personal Data confidential; and
(d) not transfer any Personal Data outside of the European Economic Area unless the prior written consent of NCS has been obtained and the following conditions are fulfilled:
(i) NCS or the Supplier has provided appropriate safeguards in relation to the transfer;
(ii) the data subject has enforceable rights and effective legal remedies;
(iii) the Supplier complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred; and
(iv) the Supplier complies with reasonable instructions notified to it in advance by NCS with respect to the processing of the Personal Data;
(e) assist NCS, at NCS’ cost, in responding to any request from a Data Subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators;
(f) notify NCS without undue delay on becoming aware of (i) a request from a Data Subject and (ii) a Personal Data breach;
(g) at the written direction of NCS, delete or return Personal Data and copies thereof to NCS on termination of the Contract unless required by Applicable Law to store the Personal Data; and
(h) maintain complete and accurate records and information to demonstrate its compliance with the above obligations and allow for audits, on reasonable notice, by NCS or NCS’ designated auditor.
1.5. The Supplier shall not appoint any third party processor of Personal Data under the Contract without the prior written consent of NCS.
1.6. Both parties agree to take account of any guidance issued by the Information Commissioner’s Office (“ICO”). NCS may on not less than 30 Working Days’ notice to the Supplier amend the Contract to ensure that it complies with any such guidance issued by the ICO.