Processing of personal data
19.1 Unless otherwise expressly stated in the Contract:
19.1.1 the Supplier’s obligations and Hafod’s rights and remedies under this clause 19 are cumulative with, and additional to, any other provisions of the Contract; and
19.1.2 this clause 19 shall prevail over any other provision of the Contract in the event of any conflict.
19.2 The parties agree that Hafod is a Controller and that the Supplier is a Processor for the purposes of processing Protected Data pursuant to the Contract. Part A of the Schedule sets out the subject matter and duration of the processing, the type of Personal Data and categories of Data Subjects.
19.3 The Supplier shall, and shall ensure its Sub-Processors and each of the Supplier Personnel shall, at all times comply with all Data Protection Laws in connection with the processing of Protected Data and the provision of the Deliverables and shall not by any act or omission cause Hafod (or any other person) to be in breach of any of the Data Protection Laws. Nothing in the Contract relieves the Supplier of any responsibilities or liabilities under Data Protection Laws.
19.4 The Supplier shall indemnify and keep indemnified Hafod against:
19.4.1 all losses, claims, damages, liabilities, fines, interest, penalties, costs, charges, sanctions, expenses, compensation paid to Data Subjects (including compensation to protect goodwill and ex gratia payments), demands and legal and other professional costs (calculated on a full indemnity basis and in each case whether or not arising from any investigation by, or imposed by, the Information Commissioner) arising out of or in connection with any breach by the Supplier of its obligations under this clause 19; and
19.4.2 all amounts paid or payable by Hafod to a third party which would not have been paid or payable if the Supplier’s breach of this clause 19 had not occurred.
19.5 The Supplier shall only process (and shall ensure Supplier Personnel only process) the Protected Data in accordance with clause 19, the Contract and Hafod’s written instructions from time to time (including when making any transfer to which clause 19.10 relates) except where otherwise required by Applicable Law (and in such a case shall inform Hafod of that legal requirement before processing, unless Applicable Law prevents it doing so on important grounds of public interest). The Supplier shall immediately inform Hafod if any instruction relating to the Protected Data infringes or may infringe any Data Protection Laws. The Supplier shall retain records of all instructions relating to the Protected Data received from Hafod.
19.6 The Supplier shall at all times implement and maintain appropriate technical and organisational measures to protect Protected Data against accidental, unauthorised or unlawful destruction, loss, alteration, disclosure or access.
19.7 The Supplier shall:
19.7.1 not permit any processing of Protected Data by any agent, subcontractor or other third party (except its own employees that are subject to an enforceable obligation of confidence with regards to the Protected Data) without the prior specific written authorisation of that Sub-Processor by Hafod and only then subject to such conditions as Hafod may require;
19.7.2 ensure that access to Protected Data is limited to the authorised persons who need access to it to supply the Deliverables;
19.7.3 prior to the relevant Sub-Processor carrying out any processing activities in respect of the Protected Data, appoint each Sub-Processor under a binding written contract containing the same obligations as under this clause 19 in respect of Protected Data that (without prejudice to, or limitation of, the above):
(a) includes providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing of the Protected Data will meet the requirements of all Data Protection Laws; and
(b) is enforceable by the Supplier,
(c) and ensure each such Sub-Processor complies with all such obligations.
19.7.4 remain fully liable to Hafod under the Contract for all the acts and omissions of each Sub-Processor and each of the Supplier Personnel as if they were its own; and
19.7.5 ensure that all persons authorised by the Supplier or any Sub-Processor to process Protected Data are reliable and:
(a) adequately trained on compliance with this clause 19 as applicable to the processing;
(b) informed of the confidential nature of the Protected Data and that they must not disclose Protected Data;
(c) subject to a binding and enforceable written contractual obligation to keep the Protected Data confidential; and
(d) provide relevant details and a copy of each agreement with a Sub-Processor to Hafod on request.
19.8 The Supplier shall (at its own cost and expense):
19.8.1 promptly provide such information and assistance (including by taking all appropriate technical and organisational measures) as Hafod may require in relation to the fulfilment of Hafod’s obligations to respond to requests for exercising the Data Subjects’ rights under Chapter III of the UK GDPR (and any similar obligations under applicable Data Protection Laws); and
19.8.2 provide such information, co-operation and other assistance to Hafod as Hafod requires (taking into account the nature of processing and the information available to the Supplier) to ensure compliance with Hafod’s obligations under Data Protection Laws, including with respect to:
(a) security of processing (including with any review of security measures);
(b) data protection impact assessments (as such term is defined in Data Protection Laws);
(c) prior consultation with the Information Commissioner regarding high risk processing; and
(d) any remedial action and/or notifications to be taken in response to any Personal Data Breach and/or any complaint or request relating to either party’s obligations under Data Protection Laws relevant to the Contract, including (subject in each case to Hafod’s prior written authorisation) regarding any notification of the Personal Data Breach to the Information Commissioner and/or communication to any affected Data Subjects.
19.9 The Supplier shall (at no cost to Hafod) record and refer all requests and communications received from Data Subjects or the Information Commissioner to Hafod which relate (or which may relate) to any Protected Data promptly (and in any event within 3 days of receipt) and shall not respond to any without Hafod’s express written approval and strictly in accordance with Hafod’s instructions unless and to the extent required by applicable law.
19.10 The Supplier shall not process and/or transfer, or otherwise directly or indirectly disclose, any Protected Data in or to any country or territory outside the United Kingdom or to any International Organisation without the prior written authorisation of Hafod (which may be refused or granted subject to such conditions as Hafod deems necessary).
19.11 The Supplier shall maintain complete, accurate and up to date written records of all categories of processing activities carried out on behalf of Hafod. Such records shall include all information necessary to demonstrate its and Hafod’s compliance with this clause 19 and the Data Protection Laws, the information referred to in Articles 30(1) and 30(2) of the UK GDPR and such other information as Hafod may reasonably require from time to time. The Supplier shall make copies of such records available to Hafod promptly (and in any event within 3 Business Days on request from time to time.
19.12 The Supplier shall (and shall ensure all Sub-Processors shall) promptly make available to Hafod (at the Supplier’s cost) such information as is required to demonstrate the Supplier’s and Hafod’s compliance with their respective obligations under this clause 19 and the Data Protection Laws, and allow for, permit and contribute to audits, including inspections, by Hafod (or another auditor mandated by Hafod) for this purpose at Hafod’s request from time to time. The Supplier shall provide (or procure) access to all relevant premises, systems, personnel and records during normal business hours for the purposes of each such audit or inspection upon reasonable prior notice (not being more than 2 Business Days) and provide and procure all further reasonable co-operation, access and assistance in relation to any such audit or inspection.
19.13 The Supplier shall promptly (and in any event within 24 hours):
19.13.1 notify Hafod if it (or any of its Sub-Processors or the Supplier Personnel) suspects or becomes aware of any suspected, actual or threatened occurrence of any Personal Data Breach in respect of any Protected Data; and
19.13.2 provide all information as Hafod requires to report the circumstances referred to in clause 19.13.1 to the Information Commissioner and to notify affected Data Subjects under Data Protection Laws.
19.14 The Supplier shall (and shall ensure that each of the Sub-Processors and Supplier Personnel shall) without delay (and in any event within 3 days), at Hafod’s written request, either securely delete or securely return all the Protected Data to Hafod in such form as Hafod reasonably requests after the earlier of:
19.14.1 the end of the provision of the relevant Deliverables related to processing of such Protected Data; or
19.14.2 once processing by the Supplier of any Protected Data is no longer required for the purpose of the Supplier’s performance of its relevant obligations under the Contract,
19.14.3 and securely delete existing copies (except to the extent that storage of any such data is required by applicable law and, if so, the Supplier shall inform Hafod of any such requirement).
19.15 This clause 19 shall survive termination or expiry of the Contract for any reason.
19.16 The Supplier shall perform all its obligations under this clause 19 at no cost to Hafod.
19.17 Nothing in this Contract affects the rights of Data Subjects under Data Protection Laws (including those in Articles 79 and 82 of the UK GDPR or in any similar Data Protection Laws) against Hafod, the Supplier or any Sub-Processor.