Data Protection Policy
These data processing terms (Data Processing Terms) set out the terms, requirements and conditions on which the Supplier will process personal data when providing Services under the Supplier’s Terms and Conditions of Business. These Data Processing Terms contain the mandatory clauses required by Article 28(3) of the UK GDPR and the EU GDPR for contracts between controllers and processors.
Unless otherwise defined, capitalised terms used in these Data Processing Terms shall have the meaning given to them in the Supplier’s Terms and Conditions of Business.
These Data Processing Terms are supplemental to the Supplier’s Terms and Conditions of Business and, subject to these Data Processing Terms taking precedence in connection with the processing of any personal data as part of or in connection with the Services, the Supplier’s Terms and Conditions of Business shall remain in full force and effect.
DEFINITIONS
The following definitions and rules of interpretation apply in these Data Processing Terms:
Applicable Laws: | means:
|
Applicable Data Protection Laws: | means the Data Protection Act 2018 and:
and any other applicable law concerning data protection, privacy or confidentiality and any subordinate or related legislation. |
Customer Personal Data: | any personal data which the Supplier processes in connection with these Data Processing Terms, in the capacity of a processor on behalf of the Customer. |
EU GDPR: | the General Data Protection Regulation ((EU) 2016/679). |
UK GDPR: | has the meaning given to it in the Data Protection Act 2018 |
1.1 For the purposes of this clause 1, the terms controller, processor, data subject, personal data, personal data breach and processing shall have the meaning given to them in the UK GDPR.
1.2 Both parties will comply with all applicable requirements of Applicable Data Protection Laws. This clause 1.2 is in addition to, and does not relieve, remove or replace, a party’s obligations or rights under Applicable Data Protection Laws.
1.3 The parties have determined that, for the purposes of Applicable Data Protection Laws, the Supplier shall process the personal data set out in Schedule 1, as a processor on behalf of the Customer in respect of the processing activities set out in Schedule 1.
1.4 Should the determination in clause 1.3 change, then each party shall work together in good faith to make any changes which are necessary to these Data Processing Terms or Schedule 1.
1.5 Without prejudice to the generality of clause 1.2, the Customer warrants that:
- it has all necessary appropriate consents and notices in place to enable lawful transfer of the Customer Personal Data to the Supplier and lawful collection of the same by the Supplier for the duration and purposes of these Data Processing Terms; and
- Customer Personal Data will never comprise special categories of personal data or criminal conviction data and no such data will be transferred to the Supplier.
1.6 In relation to the Customer Personal Data, Schedule 1 sets out the scope, nature and purpose of processing by the Supplier, the duration of the processing and the types of personal data and categories of data subject.
1.7 Without prejudice to the generality of clause 1.2 the Supplier shall, in relation to Customer Personal Data:
- process that Customer Personal Data only on the documented instructions of the Customer, which shall be to process the Customer Personal Data for the purposes set out in Schedule 1, unless the Supplier is required by Applicable Laws to otherwise process that Customer Personal Data. Where the Supplier is relying on Applicable Laws as the basis for processing Customer Processor Data, the Supplier shall notify the Customer of this before performing the processing required by the Applicable Laws unless those Applicable Laws prohibit the Provider from so notifying the Customer on important grounds of public interest. The Supplier shall inform the Customer if, in the opinion of the Supplier, the instructions of the Customer infringe Applicable Data Protection Laws;
- implement technical and organisational measures to protect against unauthorised or unlawful processing of Customer Personal Data and against accidental loss or destruction of, or damage to, Customer Personal Data, which the Customer has reviewed and confirms are appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures;
- ensure that any personnel engaged and authorised by the Supplier to process Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory or common law obligation of confidentiality;
- assist the Customer insofar as this is possible (taking into account the nature of the processing and the information available to the Supplier), and at the Customer’s cost and written request, in responding to any request from a data subject and in ensuring the Customer’s compliance with its obligations under Applicable Data Protection Laws with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators;
- notify the Customer without undue delay on becoming aware of a personal data breach involving the Customer Personal Data;
- at the written direction of the Customer, delete or return Customer Personal Data and copies thereof to the Customer on termination of the agreement unless the Supplier is required by Applicable Law to continue to process that Customer Personal Data. For the purposes of this clause 1.7(f), Customer Personal Data shall be considered deleted where it is put beyond further use by the Supplier. Any specific format requests for the return of data shall be accommodated insofar as possible and at the Customer’s expense; and
- maintain records to demonstrate its compliance with this clause 1.7(g) and allow for reasonable audits by the Customer or the Customer’s designated auditor, for this purpose, on reasonable written notice.
1.8 The Customer hereby provides its prior, general authorisation for the Supplier to:
- appoint processors (including the Approved Sub-processors, defined at clause 1.9 below) to process the Customer Personal Data, provided that the Supplier:
- shall ensure that the terms on which it appoints such processors comply with Applicable Data Protection Laws, and are consistent with the obligations imposed on the Supplier in this clause 1.8(a)(i);
- shall remain responsible for the acts and omissions of any such processor as if they were the acts and omissions of the Supplier; and
- shall inform the Customer of any intended changes concerning the addition or replacement of the processors, thereby giving the Customer the opportunity to object to such changes provided that if the Customer objects to the changes and cannot demonstrate, to the Supplier’s reasonable satisfaction, that the objection is due to an actual or likely breach of Applicable Data Protection Law, the Customer shall indemnify the Supplier for any losses, damages, costs (including legal fees) and expenses suffered by the Supplier in accommodating the objection.
- transfer Customer Personal Data outside of the UK as required for the purpose of performing the Services under the Supplier’s Terms and Conditions of Business, provided that the Supplier shall ensure that all such transfers are effected in accordance with Applicable Data Protection Laws. For these purposes, the Customer shall promptly comply with any reasonable request of the Supplier, including any request to enter into standard data protection clauses adopted by the EU Commission from time to time (where the EU GDPR applies to the transfer) or adopted by the UK Information Commissioner from time to time (where the UK GDPR applies to the transfer).
1.9 A list of sub-processors approved by the Customer is included in Schedule 1 (Approved Sub-processors).
1.10 Either party may, at any time on not less than 30 days’ notice, revise clause 1.8(b) by replacing it (in whole or part) with any applicable standard clauses approved by the EU Commission or the UK Information Commissioner’s Office or forming part of an applicable certification scheme or code of conduct (Amended Terms). Such Amended Terms shall apply when replaced by attachment to these Data Processing Terms, but only in respect of such matters which are within the scope of the Amended Terms.
1.11 The total aggregate liability of the Supplier in contract, tort (including negligence and breach of statutory duty howsoever arising), misrepresentation (whether innocent or negligent), restitution or otherwise, arising in connection with the performance or contemplated performance of these Data Processing Terms or any collateral contract insofar as it relates to the obligations set out in these Data Processing Terms, or Applicable Data Protection Laws shall be subject to the exclusions and limitations of liability set out in clause 8 (Limitation of liability) of the Supplier’s Terms and Conditions of Business.
1.12 The Supplier shall have no liability (subject to clause 8 (Limitation of liability) of the Supplier’s Terms and Conditions of Business) for any loss or damage caused by or arising from or in connection with:
- the Supplier processing Customer Personal Data in accordance with the Customer’s instructions, or for any consequences in the event that such processing otherwise infringes Applicable Data Protection Laws;
- the Supplier refusing to comply with the Customer’s instructions in respect of processing Customer Data due to concerns that compliance will cause a breach of Applicable Data Protection Laws.
1.13 These Data Processing Terms will remain in full force and effect for the duration of the Supplier’s Terms and Conditions of Business.
1.14 If a change in any Applicable Data Protection Laws prevents either party from fulfilling all or part of its obligations under these Data Processing Terms or the Supplier Terms and Conditions of Business, the parties may agree to suspend the processing of Customer Personal Data until that processing complies with the new requirements. If the parties are unable to bring the processing of Customer Personal Data into compliance with Applicable Data Protection Laws within a reasonable period of time, the Supplier may terminate its Terms and Conditions of Business on written notice to the Customer.
1.15 These Data Processing Terms will be construed in accordance with the law of England and Wales and the English courts will have exclusive jurisdiction in relation to any disputes arising out of these Data Processing Terms.
SCHEDULE 1 - PARTICULARS OF THE PROCESSING
1. Particulars of processing
1.1 Scope and purpose of processing: The Supplier processes Customer Personal Data for the purpose of providing the Services set out in its Terms and Conditions of Business.
1.2 Nature of processing: The Supplier provides a company formation and secretarial software application for the purpose of enabling the Customer to incorporate and manage the corporate secretarial affairs of companies within England and Wales. Providing this application and the Services requires that the Supplier imports, exports and displays Customer Personal Data relating to Customer staff members, Customer clients and the officers and members of the companies the Client incorporates or instructs the Supplier to incorporate on its behalf.
1.3 Duration of processing: The Supplier will process the Customer Personal Data for the duration of the Supplier Terms and Conditions of Business (or its performance of the Services under those Terms, whichever is the greater) or as may otherwise be required by Applicable Laws.
2. Types of personal data
Full name
Date of birth
Nationality
Occupation
Email address
Residential address
Business address
Telephone number
Copy passport
3. Categories of data subject
- Customer personnel (including officers, employees and self-employed contractors and agents).
- Customer clients and their personnel (including officers, employees and self-employed contractors and agents of Customer clients).
- Individual officers and members of the companies the Client incorporates or instructs the Supplier to incorporate on its behalf.
4. Approved Sub-Processors
The CoSec House Limited (CRN: 07586921)
