These terms and conditions apply between you, the User of this Website (including any sub-domains, unless expressly excluded by their own terms and conditions), and The Foundation for Education Development, the owner and operator of this Website. Please read these terms and conditions carefully, as they affect your legal rights. Your agreement to comply with and be bound by these terms and conditions is deemed to occur upon your first use of the Website. If you do not agree to be bound by these terms and conditions, you should stop using the Website immediately.
In these terms and conditions, User or Users means any third party that accesses the Website and is not either (i) employed by The Foundation for Education Development and acting in the course of their employment or (ii) engaged as a consultant or otherwise providing services to The Foundation for Education Development and accessing the Website in connection with the provision of such services.
You must be at least 18 years of age to use this Website. By using the Website and agreeing to these terms and conditions, you represent and warrant that you are at least 18 years of age.
Intellectual property and acceptable use
- All Content included on the Website, unless uploaded by Users, is the property of The Foundation for Education Development, our affiliates or other relevant third parties. In these terms and conditions, Content means any text, graphics, images, audio, video, software, data compilations, page layout, underlying code and software and any other form of information capable of being stored in a computer that appears on or forms part of this Website, including any such content uploaded by Users. By continuing to use the Website you acknowledge that such Content is protected by copyright, trademarks, database rights and other intellectual property rights. Nothing on this site shall be construed as granting, by implication, estoppel, or otherwise, any license or right to use any trademark, logo or service mark displayed on the site without the owner’s prior written permission
- You may, for your own personal, non-commercial use only, do the following:
- retrieve, display and view the Content on a computer screen
- download and store the Content in electronic form on a disk (but not on any server or other storage device connected to a network)
- print one copy of the Content
- You must not otherwise reproduce, modify, copy, distribute or use for commercial purposes any Content without the written permission of The Foundation for Education Development.
- You may not use the Website for any of the following purposes:
- in any way which causes, or may cause, damage to the Website or interferes with any other person’s use or enjoyment of the Website;
- in any way which is harmful, unlawful, illegal, abusive, harassing, threatening or otherwise objectionable or in breach of any applicable law, regulation, governmental order;
- making, transmitting or storing electronic copies of Content protected by copyright without the permission of the owner.
- You must ensure that the details provided by you on registration or at any time are correct and complete.
- You must inform us immediately of any changes to the information that you provide when registering by updating your personal details to ensure we can communicate with you effectively.
- We may suspend or cancel your registration with immediate effect for any reasonable purposes or if you breach these terms and conditions.
- You may cancel your registration at any time by informing us in writing to the address at the end of these terms and conditions. If you do so, you must immediately stop using the Website. Cancellation or suspension of your registration does not affect any statutory rights.
Availability of the Website and disclaimers
- Any online facilities, tools, services or information that The Foundation for Education Development makes available through the Website (the Service) is provided “as is” and on an “as available” basis. We give no warranty that the Service will be free of defects and/or faults. To the maximum extent permitted by the law, we provide no warranties (express or implied) of fitness for a particular purpose, accuracy of information, compatibility and satisfactory quality. The Foundation for Education Development is under no obligation to update information on the Website.
- Whilst The Foundation for Education Development uses reasonable endeavours to ensure that the Website is secure and free of errors, viruses and other malware, we give no warranty or guaranty in that regard and all Users take responsibility for their own security, that of their personal details and their computers.
- The Foundation for Education Development accepts no liability for any disruption or non-availability of the Website.
- The Foundation for Education Development reserves the right to alter, suspend or discontinue any part (or the whole of) the Website including, but not limited to, any products and/or services available. These terms and conditions shall continue to apply to any modified version of the Website unless it is expressly stated otherwise.
Limitation of liability
- Nothing in these terms and conditions will: (a) limit or exclude our or your liability for death or personal injury resulting from our or your negligence, as applicable; (b) limit or exclude our or your liability for fraud or fraudulent misrepresentation; or (c) limit or exclude any of our or your liabilities in any way that is not permitted under applicable law.
- We will not be liable to you in respect of any losses arising out of events beyond our reasonable control.
- To the maximum extent permitted by law,The Foundation for Education Development accepts no liability for any of the following:
- any business losses, such as loss of profits, income, revenue, anticipated savings, business, contracts, goodwill or commercial opportunities;
- loss or corruption of any data, database or software;
- any special, indirect or consequential loss or damage.
- You may not transfer any of your rights under these terms and conditions to any other person. We may transfer our rights under these terms and conditions where we reasonably believe your rights will not be affected.
- These terms and conditions may be varied by us from time to time. Such revised terms will apply to the Website from the date of publication. Users should check the terms and conditions regularly to ensure familiarity with the then current version.
- The Contracts (Rights of Third Parties) Act 1999shall not apply to these terms and conditions and no third party will have any right to enforce or rely on any provision of these terms and conditions.
- If any court or competent authority finds that any provision of these terms and conditions (or part of any provision) is invalid, illegal or unenforceable, that provision or part-provision will, to the extent required, be deemed to be deleted, and the validity and enforceability of the other provisions of these terms and conditions will not be affected.
- Unless otherwise agreed, no delay, act or omission by a party in exercising any right or remedy will be deemed a waiver of that, or any other, right or remedy.
- This Agreement shall be governed by and interpreted according to the law of England and Walesand all disputes arising under the Agreement (including non-contractual disputes or claims) shall be subject to the exclusive jurisdiction of the English and Welsh
The Foundation for Education Development details
- The Foundation for Education Development is a company incorporated in England and Wales with registered number 12193966 whose registered address is Mitten Clarke, Festival Way, Staffordshire, ST1 5SQ and it operates the Website fed.education.
You can contact The Foundation for Education Development by email on [email protected].
Definitions and interpretation
|Data||collectively all information that you submit to The Foundation for Education Development via the Website. This definition incorporates, where applicable, the definitions provided in the Data Protection Laws;|
|Cookies||a small text file placed on your computer by this Website when you visit certain parts of the Website and/or when you use certain features of the Website. Details of the cookies used by this Website are set out in the clause below (Cookies);|
|Data Protection Laws||any applicable law relating to the processing of personal Data, including but not limited to the Directive 96/46/EC (Data Protection Directive) or the GDPR, and any national implementing laws, regulations and secondary legislation, for as long as the GDPR is effective in the UK;|
|GDPR||the General Data Protection Regulation (EU) 2016/679;|
|The Foundation for Education Development,|
we or us
|The Foundation for Education Development, a company incorporated in England and Wales with registered number 12193966 whose registered office is at Mitten Clarke, Festival Way, Staffordshire, ST1 5SQ;|
|UK and EU Cookie Law||the Privacy and Electronic Communications (EC Directive) Regulations 2003 as amended by the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011;|
|User or you||any third party that accesses the Website and is not either (i) employed by The Foundation for Education Development and acting in the course of their employment or (ii) engaged as a consultant or otherwise providing services to The Foundation for Education Development and accessing the Website in connection with the provision of such services; and|
|Website||the website that you are currently using, www.fed.education, and any sub-domains of this site unless expressly excluded by their own terms and conditions.|
- the singular includes the plural and vice versa;
- a reference to a person includes firms, companies, government entities, trusts and partnerships;
- “including” is understood to mean “including without limitation”;
- reference to any statutory provision includes any modification or amendment of it;
- For purposes of the applicable Data Protection Laws, The Foundation for Education Developmentis the “data controller”. This means that The Foundation for Education Development determines the purposes for which, and the manner in which, your Data is processed.
- We may collect the following Data, which includes personal Data, from you:
- job title;
- contact Information such as email addresses and telephone numbers;
How we collect Data
- We collect Data in the following ways:
- data is given to us by you; and
- data is collected automatically.
Data that is given to us by you
- The Foundation for Education Developmentwill collect your Data in a number of ways, for example:
- when you contact us through the Website, by telephone, post, e-mail or through any other means;
- when you use our services;
Data that is collected automatically
- To the extent that you access the Website, we will collect your Data automatically, for example:
- we automatically collect some information about your visit to the Website. This information helps us to make improvements to Website content and navigation, and includes your IP address, the date, times and frequency with which you access the Website and the way you use and interact with its content.
- we will collect your Data automatically via cookies, in line with the cookie settings on your browser. For more information about cookies, and how we use them on the Website, see the section below, headed “Cookies”.
Our use of Data
- Any or all of the above Data may be required by us from time to time in order to provide you with the best possible service and experience when using our Website. Specifically, Data may be used by us for the following reasons:
- communications in relation to FED events;
- We may use your Data for the above purposes if we deem it necessary to do so for our legitimate interests. If you are not satisfied with this, you have the right to object in certain circumstances (see the section headed “Your rights” below).
Who we share Data with
- We may share your Data with the following groups of people for the following reasons:
- our employees, agents and/or professional advisors – to participate in group events organised and/or hosted by third-party companies;
- Participants in Round Table discussions prior to and following each event, including Name and Company/Organisation details – to facilitate group discussion and recognise participants.
Keeping Data secure
- We will use technical and organisational measures to safeguard your Data, for example:
- access to your account is controlled by a password and a username that is unique to you.
- we store your Data on secure servers.
- Technical and organisational measures include measures to deal with any suspected data breach. If you suspect any misuse or loss or unauthorised access to your Data, please let us know immediately by contacting us via this e-mail address: [email protected]
- If you want detailed information from Get Safe Online on how to protect your information and your computers and devices against fraud, identity theft, viruses and many other online problems, please visit www.getsafeonline.org. Get Safe Online is supported by HM Government and leading businesses.
- Even if we delete your Data, it may persist on backup or archival media for legal, tax or regulatory purposes.
- You have the following rights in relation to your Data:
- Right to access– the right to request (i) copies of the information we hold about you at any time, or (ii) that we modify, update or delete such information. If we provide you with access to the information we hold about you, we will not charge you for this, unless your request is “manifestly unfounded or excessive.” Where we are legally permitted to do so, we may refuse your request. If we refuse your request, we will tell you the reasons why.
- Right to correct– the right to have your Data rectified if it is inaccurate or incomplete.
- Right to erase– the right to request that we delete or remove your Data from our systems.
- Right to restrict our use of your Data– the right to “block” us from using your Data or limit the way in which we can use it.
- Right to data portability– the right to request that we move, copy or transfer your Data.
- Right to object– the right to object to our use of your Data including where we use it for our legitimate interests.
- To make enquiries, exercise any of your rights set out above, or withdraw your consent to the processing of your Data (where consent is our legal basis for processing your Data), please contact us via this e-mail address: [email protected]
- If you are not satisfied with the way a complaint you make in relation to your Data is handled by us, you may be able to refer your complaint to the relevant data protection authority. For the UK, this is the Information Commissioner’s Office (ICO). The ICO’s contact details can be found on their website at https://ico.org.uk/.
- It is important that the Data we hold about you is accurate and current. Please keep us informed if your Data changes during the period for which we hold it.
Links to other websites
Changes of business ownership and control
- We may also disclose Data to a prospective purchaser of our business or any part of it.
- In the above instances, we will take steps with the aim of ensuring your privacy is protected.
- All Cookies used by this Website are used in accordance with current UK and EU Cookie Law.
- Before the Website places Cookies on your computer, you will be presented with a message bar requesting your consent to set those Cookies. By giving your consent to the placing of Cookies, you are enabling The Foundation for Education Developmentto provide a better experience and service to you. You may, if you wish, deny consent to the placing of Cookies; however certain features of the Website may not function fully or as intended.
- This Website may place the following Cookies:
|Type of Cookie||Purpose|
|Strictly necessary cookies||These are cookies that are required for the operation of our website. They include, for example, cookies that enable you to log into secure areas of our website, use a shopping cart or make use of e-billing services.|
- You can find a list of Cookies that we use in the Cookies Schedule below.
- You can choose to enable or disable Cookies in your internet browser. By default, most internet browsers accept Cookies, but this can be changed. For further details, please consult the help menu in your internet browser.
- You can choose to delete Cookies at any time; however, you may lose any information that enables you to access the Website more quickly and efficiently including, but not limited to, personalisation settings.
- It is recommended that you ensure that your internet browser is up-to-date and that you consult the help and guidance provided by the developer of your internet browser if you are unsure about adjusting your privacy settings.
- For more information generally on cookies, including how to disable them, please refer to aboutcookies.org. You will also find details on how to delete cookies from your computer.
- Unless otherwise agreed, no delay, act or omission by a party in exercising any right or remedy will be deemed a waiver of that, or any other, right or remedy.
- This Agreement will be governed by and interpreted according to the law of England and Wales. All disputes arising under the Agreement will be subject to the exclusive jurisdiction of the English and Welsh courts.
- Below is a list of the cookies that we use. We have tried to ensure this is complete and up to date, but if you think that we have missed a cookie or there is any discrepancy, please let us know.
We use the following strictly necessary cookies:
|Description of Cookie||Purpose|
|Session Cookie||We use this session cookie to remember you and maintain your session whilst you are using our website.|
1. Data Protection
Our Data Protection Policy sets out our commitment to protecting personal data and how we implement that commitment with regards to the collection and use of personal data.
We are committed to:
- ensuring that we comply with the eight data protection principles, as listed below:
- Personal data shall be processed fairly and lawfully.
- Personal data shall be obtained for one or more specified and lawful purpose and shall not be further processed in any manner incompatible with that purpose or those purposes.
- Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
- Personal data shall be accurate and, where necessary, kept up to date.
- Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
- Personal data shall be processed in accordance with the rights of data subjects under the Data Protection Act 1998.
- Appropriate technical and organisational measures shall be taken against unauthorised and unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
- Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
- meeting our legal obligations as laid down by the Data Protection Act 1998 and General Data Protection Regulations 2016
- ensuring that data is collected and used fairly and lawfully
- processing personal data only in order to meet our operational needs or fulfil legal requirements
- taking steps to ensure that personal data is up to date and accurate
- establishing appropriate retention periods for personal data
- ensuring that data subjects’ rights can be appropriately exercised
- providing adequate security measures to protect personal data
- ensuring that a nominated officer is responsible for data protection compliance and provides a point of contact for all data protection issues
- ensuring that all Members are made aware of good practice in data protection
- providing adequate training for all Members responsible for personal data
- ensuring that everyone handling personal data knows where to find further guidance
- ensuring that queries about data protection, internal and external to the organisation, is dealt with effectively and promptly
- regularly reviewing data protection procedures and guidelines within the organisation.
2. Data Retention and Management
The GDPR does not specify retention periods for personal data. Instead, Principle 5 states that personal data may only be kept in a form that permits identification of the individual, for no longer than is justified and necessary for the purposes for which it was obtained and processed.
For example, medical/health information, such as OH reports, or other related information, can be kept for 40 years, but other more general personal data should not be. Therefore, in deciding how long to retain personal data and any special categories of data held separately, FED based its decision on statutory retention periods, maximum periods for potential claims, and, in accordance with the aforementioned, legitimate business requirements.
All systems used by the FED, both electronic and any remaining paper records.
The FED will ensure effective management and safeguarding of personal and sensitive data in its control, and has taken steps to ensure the integrity, security and compliance measures taken by data processors acting on its behalf. System owners will manage the retention of personal data for systems that they maintain.
Legal basis for Processing Personal Data
This policy should be read in conjunction with our Privacy and website terms & conditions (above).
The GDPR definition of personal data, is any information relating to a ‘natural’ person who can be directly or indirectly identified by this data.
A wide range of ‘personal identifiers’ constitute personal data, including name, age, location, etc.
The GDPR applies to both electronic personal data and to manual filing systems where personal data is accessible according to specific criteria. This could include chronologically ordered sets of manual records containing personal data.
Personal data that has been pseudonymised – e.g. key/numerically-coded – falls within the scope of the GDPR, depending on the level of ease of attributing the pseudonym to a particular individual.
Special Categories of Personal Data
Special categories of data under GDPR, is defined as personal data, which is more sensitive, and therefore needs a higher level of protection. Such data is as follows:
- Ethnic origin
- Trade Union membership
- Biometrics (where used for ID purposes)
- Sex life
- Sexual Orientation
In order to lawfully process these special categories of data, there must be both a lawful basis under Article 6 of the GDPR and a separate condition (of 10 listed under the Regulation) for processing the special category of data under Article 9 of the GDPR. Genetic data and some biometric data is included in this category.
data relating to criminal offences and convictions (e.g. DBS disclosures) is not included in this Category. Article 10 of the GDPR sets out separate and specific safeguards for this type of data in Article 10.
These do not have to be linked. Before processing this category of data, it is vital that a reason for doing so, in accordance with the above, is documented.
Systematic Review of Personal Data
A review of Members’ data, and the data of leavers still held, will take place on an annual basis and will include all electronic and any paper records. If it is determined that there is no justification or good reason for retaining certain pieces of personal data, the data (or the unnecessary elements thereof) will be routinely deleted. A record of the deletion will be made, on the Deletion/Rectification List.
Records and Management
A Deletion / Rectification list will be held by the Executive Assistant, of Members who have requested rectification or erasure of their data, and such requests will be reviewed by the Board accordingly. As above, details of data deemed not necessary for retention and therefore deleted by the FED as part of its systematic review, will also be recorded on this list (type of data, previous storage location and reason for deletion).
Company Retention Periods
|System||Personal data||Retention Period||Purged by|
|Payroll||Employee name, NI number, bank details, address|
6 years apart from employee bank details which will be retained for no more than
90 days after leaving
(and any remaining paper HR files)
Sensitive Personal Data
Review to be conducted of leaver’s file on exit.
Basic personal information to be retained for 36 months from date of leaving.
Unless there are any ‘live’ Member Relations cases, or other claims in progress, general data will be retained for 12 months after a Member leaves, unless there are circumstances which justify retaining it for a longer period. These reasons should be recorded in full against the file.
Special categories of data, such as equal opportunities information, should be retained in accordance with need and time periods for bringing a claim in relation to the specific piece of data.
|Health & Safety||Medical and personal information||7 years||H&S|
|L&D||Personal details||No more than 12 months after the L&D event took place||L&D|
Post-Member Data Retention
36 months after a Member has left, only the following basic information will be retained, unless there are circumstances which require the data to be retained for longer:
- Date of Birth
- Dates of membership
- One method of contacting the individual, such as phone number
Any requests for erasure of the above retained data, from the Data Subject, will be considered and actioned as appropriate, by the Board.
3. Confidentiality and Non-Disclosure
During the course of the Member relationship, the Board and Member will disclose to the other party, confidential information in relation to the purpose. Each party wishes to ensure that the other party maintains the confidentiality of its confidential information. In consideration of the benefits to the parties of the disclosure of the confidential Information, the parties have agreed to comply with the following terms in connection with the use and disclosure of confidential information.
In relation to a body corporate, any subsidiary, subsidiary undertaking or holding company of this body corporate, and any subsidiary or subsidiary undertaking of such holding company for the time being as defined in section 1159 of the Companies Act 2006
Means any knowledge, data, trade secrets, business plans, financial, operational, commercial or other information of the Disclosing Party and/or Affiliate which is disclosed by the Disclosing Party to the Receiving Party, including (without limitation) any information specifically identified in this Agreement, and any such ideas, inventions, designs, drawings, diagrams, specifications, software, compositions, formulae, schematics, methods, techniques, plans, instructions, processes, procedures, structures, research and development, test data, results, models, prototypes, and samples, and any prices, costs, statistics, or other business, financial or customer information, and any information relating to the Disclosing Party’s business, products, services, technology, plans, capabilities, and activities;
The party disclosing confidential information to the other party;
The use of confidential information wholly, necessarily and exclusively for the Purpose.
Shall mean any discussions and negotiations between the parties, concerning or in connection with the individual’s employment with FED.
The party receiving confidential information from the other party;
Directors, officers, employees, contractors, sub-contractors, agents, advisers and representatives of the Disclosing Party.
In consideration of the Disclosing Party disclosing Confidential Information to the Recipient, the Recipient undertakes:
- to use such confidential information, only for the proper use;
- to keep confidential all confidential information that it may acquire in any manner;
- to permit access to all confidential information only to such of its Members as need such confidential information for the proper use, and inform each of them of the confidential nature of the confidential information and of the recipient’s obligations;
- not disclose confidential information to any third party who has not entered into a confidentiality agreement on the same terms as those contained herein and then only with the written authority of the disclosing party;
- forthwith to notify the disclosing party of all (suspected or actual) unauthorised disclosures of the confidential information and thereafter to take all such steps to protect the confidentiality of the confidential information as the disclosing Party may reasonably require;
- to make copies of the confidential information only to the extent strictly necessary for the proper use;
- at the request of the disclosing party, made at any time, deliver to the disclosing party or destroy all documents and other material (including all copies) in the possession, custody or control of the recipient that bear or incorporate any part of the confidential information save that the recipient shall be entitled to:
- destroy any documents or material prepared by it or on its behalf for the purpose; and
- retain copies of any documents or material prepared by it or on its behalf for the purpose where this is necessary for regulatory or statutory requirements.
The recipient shall not be bound by the provisions contained in this section of this policy, if such confidential information:
was already in the lawful possession of the recipient and at its free disposal before the disclosure by the disclosing party to the recipient;
is lawfully disclosed to the recipient without any obligations of confidence by a third party;
is or becomes generally available to the public in printed publications in general circulation through no act or default on the part of the recipient or the recipient’s agents or employees;
is replicated by development independently carried out by or for it by an Member or other person without access to or knowledge of the confidential information;
is required to be disclosed in any legal proceedings or by any government body or regulatory authority or court of comparable and competent jurisdiction.
4. Information Sharing and Third Party Data Processing
The controller processes personal data in connection with its business activities;
The processor processes personal data on behalf of other businesses and organisations;
The controller may engage the services of the processor to process personal data on its behalf;
Article 28 of the General Data Protection Regulation 2016 (as hereinafter defined as ‘GDPR’) provides that, where processing of personal data is carried out by a processor on behalf of a data controller the controller must choose a processor providing sufficient guarantees in respect of the technical security measures and organisational measures governing the processing to be carried out, and must ensure compliance with those measures;
Article 29 of the GDPR requires that where processing is carried out by a processor on behalf of a controller such processing shall be governed by a contract or legal act binding the processor to the controller stipulating, in particular, that the processor shall act only on instructions from the controller and shall comply with the technical and organisational measures required under the GDPR to protect personal data against accidental or unlawful destruction or accidental loss, alternation, unauthorised disclosure or access and against all other unlawful forms of processing;
In compliance with the above-mentioned provisions of Article 28 of the GDPR, the controller and processor will enter into a processing security agreement.
Definitions and Interpretation
“GDPR” means the General Data Protection Regulation 2016 on the protection of individuals with regard to the security and processing of personal data and on the free movement of such data;
“national law” shall mean the law of the country in which the processor is established;
“personal data” shall mean any information relating to an identified or identifiable natural person (‘data subject’); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic cultural or social identity;
“processing of personal data” shall mean any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organisation, storage, adaptation or alternation, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction;
“sub-contract” and “sub-contracting” and shall mean the process by which either party arranges for a third party to carry out its obligations under this agreement and “Sub Contractor” or “Sub-Processor” shall mean the party to whom the obligations are subcontracted; and
“Technical and organisational security measures” shall mean measures to protect personal data against accidental or unlawful destruction or accidental loss, alternation, unauthorised disclosure or access and against all other unlawful forms of processing.
In consideration of the controller engaging the services of the processor to process personal data on its behalf, the processor will comply with the security, confidentiality and other obligations imposed on it under the Agreement and of the GDPR.
Security Obligations and Responsibilities of the Processor
- In accordance with Article 29, the processor shall only carry out those actions in respect of the personal data processed on behalf of the controller as are expressly authorised by the controller.
- The processor shall take all technical and organisational security measures required, in line with Article 32 of the GDPR, to protect personal data processed by the processor on behalf of the controller against unlawful forms of processing.
- The processor will ensure that people processing the data are subject to a duty of confidence and will take appropriate security measures to ensure the security of processing, in accordance with Article 32.
- In accordance with Article 28.2, where the processor, with the consent of the controller, sub-contracts its obligations under the agreement it shall do so only by way of a written agreement with the sub-contractor which imposes the same obligations in relation to the security of the processing on the sub-contractor as are imposed on the Processor under this Agreement.
- For the avoidance of doubt, where the sub-contractor fails to fulfil its obligations under any sub-processing agreement, the processor shall remain fully liable to the controller for the fulfilment of its obligations under the agreement and will notify the controller of any breach of personal data (Article 33).
- The processor must inform the data controller of any change of sub-processor and will afford the data controller the opportunity to object.
- The processor will assist the data controller in providing subject access and allowing data subjects to exercise their rights under the GDPR.
- The processor must assist the data controller in meeting its GDPR obligations in relation to the security of processing, the notification of personal data breaches and data protection impact assessments and will keep a record of its processing activities (Article 30.2).
- The processor must delete or return all personal data to the controller as requested at the end of the contract; and the processor must submit to audits and inspections (Article 31) and must consult with the Information Commissioner’s Office (ICO) as the UK’s supervisory authority (Article 36), provide the Controller with whatever information it needs to ensure that both processor and controller are meeting their Article 28 obligations, and tell the controller immediately and without undue delay if it is asked to do something infringing the GDPR.
- The processor will be liable for any fines, penalties and payments of compensation if it fails to meet its obligations of the GDPR where any breaches of personal data occur, in accordance with Articles 82, 83 and 84.
- In accordance with Article 35, the processor will carry out Data Protection Impact Assessments (DPIAs) and will assist the data controller in carrying out such. The processor will assist the data controller in consulting with the ICO where a DPIA indicates an unmitigated high risk to the processing (Article 36).
- The processor will designate a Data Protection Officer, as appropriate, and will provide protection from dismissal for the purpose of carrying out their duties in accordance with the GDPR. The processor will also ensure that the Data Protection Officer has the resources he/she needs to fulfil their role (Article 37).
- The processor will maintain the personal data processed by the processor on behalf of the controller, in confidence. In particular, the processor will not, without the prior written consent of the controller, disclose any personal data supplied to the processor by, for, or on behalf of, the controller to any third party.
- The processor will not make any use of any personal data supplied to it by the controller otherwise than in connection with the provision of services to the controller.
- The obligations above will continue for a period of five years after the cessation of the provision of services by the processor to the controller.
- Nothing shall prevent the data controller or the data processor from complying with its own and any legal obligation imposed by a regulator or court. Both parties shall however, where possible, discuss together the appropriate response to any request from a regulator or court for disclosure of information.
Control and Review
- This policy is non-contractual and will be reviewed every 2 years, or in the event of changes in legislation, or company practice.