DATA PROTECTION AND PROTECTION OF PERSONAL DATA. 20.1 The Parties acknowledge that for the purposes of the Data Protection Legislation, the Department on behalf of the Secretary of State for Education is the Data Controller and the Provider is the Data Processor only for the processing set out in Schedule 6 (i.e. submission of Learner data to the Department). Any other processing of Personal Data undertaken by the Provider (i.e. Learner enrolment or delivering education & training, e.g. e-portfolios) will be as a Data Controller and not on behalf of the Department. Clauses 20.2 to 20.14 below apply only in relation to the processing of Personal Data on behalf of the Department as set out in Schedule 6, and the only processing that the Data Processor is authorised to do on behalf of the Department is listed in Schedule 6 by the Department and may not be determined by the Data Processor.
20.2 The Data Processor must notify the Data Controller immediately if it considers that any of the Data Controller's instructions infringe the Data Protection Legislation.
20.3 The Data Processor must provide all reasonable assistance to the Data Controller in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Data Controller, include:
(a) a systematic description of the envisaged processing operations and the purpose of the processing;
(b) an assessment of the necessity and proportionality of the processing operations in relation to the Services;
(c) an assessment of the risks to the rights and freedoms of Data Subjects; and
(d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data.
20.4 If requested by the Department’s Agreement Manager, the Data Processor must, in relation to any Personal Data processed in connection with its obligations under this Agreement:
20.4.1 process that Personal Data only in accordance with Schedule 6, unless the Data Processor is required to do otherwise by Law. If it is so required the Data Processor will promptly notify the Data Controller before processing the Personal Data unless prohibited by Law;
20.4.2 ensure that it has in place Protective Measures, which are appropriate to protect against a Data Loss Event, which the Data Controller may reasonably reject (but failure to reject will not amount to approval by the Data Controller of the adequacy of the Protective Measures), having taken account of the:
(a) nature of the data to be protected;
(b) harm that might result from a Data Loss Event;
(c) state of technological development; and
(d) cost of implementing any measures;
20.4.3 ensure that:
(a) the Data Processor Personnel do not process Personal Data except in accordance with this Agreement (and in particular Schedule 6);
(b) it takes all reasonable steps to ensure the reliability and integrity of any Data Processor Personnel who have access to the Personal Data and ensure that they:
(i) are aware of and comply with the Data Processor’s duties under this clause;
(ii) are subject to appropriate confidentiality undertakings with the Data Processor or any Data Sub-Processor;
(iii) are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third Party unless directed in writing to do so by the Data Controller or as otherwise permitted by this Agreement; and
(iv) have undergone adequate training in the use, care, protection and handling of Personal Data; and
20.4.4 not make a Restricted Transfer unless the prior written consent of the Data Controller has been obtained and the following conditions are fulfilled:
(a) the Data Controller or the Data Processor has provided appropriate safeguards in relation to the transfer (whether in accordance with Data Protection Legislation) as determined by the Data Controller;
(b) the Data Subject has enforceable rights and effective legal remedies;
(c) the Data Processor complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Data Controller in meeting its obligations); and
(d) the Data Processor complies with any reasonable instructions notified to it in advance by the Data Controller with respect to the processing of the Personal Data;
20.4.5 at the written direction of the Data Controller, delete or return Personal Data (and any copies of it) to the Data Controller on termination of the Agreement unless the Data Processor is required by Law to retain the Personal Data.
20.5 Subject to Clause 20.6, the Data Processor must notify the Data Controller immediately if it:
20.5.1 receives a Data Subject Request (or purported Data Subject Request) in relation to processing their data under this Agreement only (submission of learner data);
20.5.2 receives a request to rectify, block or erase any Personal Data processed through the submission of learner data. Notification in such cases should be given via the Agreement Manager;
20.5.3 receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation;
20.5.4 receives any communication from the Information Commissioner or any other Regulatory Body in connection with Personal Data processed under this Agreement;
20.5.5 receives a request from any third Party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or
20.5.6 becomes aware of a Data Loss Event.
20.6 The Data Processor’s obligation to notify under Clause 20.5 will include the provision of further information to the Data Controller in phases, as details become available.
20.7 Taking into account the nature of the processing, the Data Processor will provide the Data Controller with full assistance in relation to either Party's obligations under Data Protection Legislation and any complaint, communication or request made under Clause 20.5 (and insofar as possible within the timescales reasonably required by the Data Controller) including by promptly providing:
20.7.1 the Data Controller with full details and copies of the complaint, communication or request;
20.7.2 such assistance as is reasonably requested by the Data Controller to enable the Data Controller to comply with a Data Subject Request within the relevant timescales set out in the Data Protection Legislation;
20.7.3 the Data Controller, at its request, with any Personal Data it holds in relation to a Data Subject;
20.7.4 assistance as requested by the Data Controller following any Data Loss Event;
20.7.5 assistance as requested by the Data Controller with respect to any request from the Information Commissioner’s Office, or any consultation by the Data Controller with the Information Commissioner's Office.
20.8 The Data Processor must maintain complete and accurate records and information to demonstrate its compliance with this clause. This requirement does not apply where the Data Processor employs fewer than 250 staff, unless:
20.8.1 the Data Controller determines that the processing is not occasional;
20.8.2 the Data Controller determines the processing includes special categories of data as referred to in the Data Protection Legislation or Personal Data relating to criminal convictions and offences referred to in the Data Protection Legislation; or
20.8.3 the Data Controller determines that the processing is likely to result in a risk to the rights and freedoms of Data Subjects.
20.9 The Data Processor will allow for audits of its Data Processing activity by the Data Controller or the Data Controller’s designated auditor.
20.10 Each Party will designate its own data protection officer if required by the Data Protection Legislation.
20.11 Before allowing any Data Sub-Processor to process any Personal Data related to this Agreement (submission of learner data), the Data Processor must:
20.11.1 notify the Data Controller’s Agreement Manager in writing of the intended Data Sub-Processor and processing;
20.11.2 obtain the written consent of the Data Controller’s Agreement Manager;
20.11.3 enter into a written agreement with the Data Sub-Processor which give effect to the terms set out in this Clause 20 such that they apply to the Data Sub-Processor; and
20.11.4 provide the Data Controller with such information regarding the Data Sub-Processor as the Data Controller may reasonably require.
20.12 The Data Processor will remain fully liable for all acts or omissions of any of its Data Sub-Processors.
20.13 The Data Controller may, at any time on not less than 30 Working Days’ notice, revise this clause by replacing it with any applicable Data Controller to Data Processor standard clauses or similar terms forming part of an applicable certification scheme (which will apply when incorporated by attachment to this Agreement).
20.14 The Parties agree to take account of any guidance issued by the Information Commissioner’s Office. The Data Controller may on not less than 30 Working Days’ notice to the Data Processor amend this Agreement to ensure that it complies with any guidance issued by the Information Commissioner’s Office.
20.15 Where the Provider is providing the Services to Learners claiming out of work benefits, the Secretary of State for Work and Pensions (or their successor) is the Data Controller in relation to Personal Data which the Provider is required to provide to the Secretary of State for Work and Pensions. This Clause 20 will be enforceable by the Secretary of State for Work and Pensions in relation to any Personal Data processed by the Provider on its behalf.
20.16 Where the Provider is providing the Service to Learners who are subject to active management by the Offender Manager in respect of an order or licence, the Secretary of State for Justice (or their successor) is the Data Controller in relation to Personal Data, which the Provider is required to provide to the Secretary of State for Education.
20.17 Where the Provider is providing the Services to Learners who are subject to claiming Industrial Injuries Disablement Benefit (IIDB), the Department for Work and Pensions (or their successor) is the Data Controller in relation to Personal Data, which the Provider is required to provide to the Secretary of State for Education. This Clause 20 will be enforceable by the Secretary of State for Work and Pensions in relation to any Personal Data processed by the Provider on its behalf.
20.18 The Data Processor will comply with any further written instructions or additional conditions from the Department’s Data Controller in relation to the data processing.
20.19 In the circumstances set out in Clause 37.1.7, the Department may elect to take the role of Data Controller.
Appears in 3 contracts
Samples: Funding Agreement, Education & Skills Agreement, Funding Agreement
DATA PROTECTION AND PROTECTION OF PERSONAL DATA. 16.1. The Parties acknowledge that for the purposes of the Data Protection Legislation, the ESFA on behalf of the Secretary of State for Education is the Data Controller and the Contractor is the Data Processor only for the processing set out in Schedule 2 (i.e. submission of Learner data to the ESFA). Any other processing of Personal Data (i.e. Learner enrolment or delivering education & training, e.g. e-portfolios) undertaken by the Contractor will be as a data controller and not on behalf of the ESFA. Clauses 16.2 to 16.14 below apply only in relation to the processing of Personal Data on behalf of the ESFA as set out in Schedule 2, and the only processing that the Data Processor is authorised to do on behalf of the ESFA is listed in Schedule 2 by the ESFA and may not be determined by the Data Processor.
16.2. The Data Processor shall notify the Data Controller immediately if it considers that any of the Data Controller's instructions infringe the Data Protection Legislation.
16.3. The Data Processor shall provide all reasonable assistance to the Data Controller in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Data Controller, include:
(a) a systematic description of the envisaged processing operations and the purpose of the processing;
(b) an assessment of the necessity and proportionality of the processing operations in relation to the Services;
(c) an assessment of the risks to the rights and freedoms of Data Subjects; and
(d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data.
16.4. If requested by the ESFA’s nominated contact, the Data Processor shall, in relation to any Personal Data processed in connection with its obligations under this Contract:
(a) process that Personal Data only in accordance with Schedule 2, unless the Data Processor is required to do otherwise by Law. If it is so required the Data Processor shall promptly notify the Data Controller before processing the Personal Data unless prohibited by Law;
(b) ensure that it has in place Protective Measures, which are appropriate to protect against a Data Loss Event, which the Data Controller may reasonably reject (but failure to reject shall not amount to approval by the Data Controller of the adequacy of the Protective Measures), having taken account of the:
(i) nature of the data to be protected;
(ii) harm that might result from a Data Loss Event;
(iii) state of technological development; and
(iv) cost of implementing any measures;
(c) ensure that:
(i) the Data Processor Personnel do not process Personal Data except in accordance with this Contract (and in particular Schedule 2);
(ii) it takes all reasonable steps to ensure the reliability and integrity of any Data Processor Personnel who have access to the Personal Data and ensure that they:
(A) are aware of and comply with the Data Processor’s duties under this clause;
(B) are subject to appropriate confidentiality undertakings with the Data Processor or any Data Sub-processor;
(C) are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third Party unless directed in writing to do so by the Data Controller or as otherwise permitted by this Contract; and
(D) have undergone adequate training in the use, care, protection and handling of Personal Data; and
(d) not transfer Personal Data outside of the EU unless the prior written consent of the Data Controller has been obtained and the following conditions are fulfilled:
(i) the Data Controller or the Data Processor has provided appropriate safeguards in relation to the transfer (whether in accordance with GDPR Article 46 or LED Article 37) as determined by the Data Controller;
(ii) the Data Subject has enforceable rights and effective legal remedies;
(iii) the Data Processor complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Data Controller in meeting its obligations); and
(iv) the Data Processor complies with any reasonable instructions notified to it in advance by the Data Controller with respect to the processing of the Personal Data;
(e) at the written direction of the Data Controller, delete or return Personal Data (and any copies of it) to the Data Controller on termination of the Contract unless the Data Processor is required by Law to retain the Personal Data.
16.5. Subject to clause 16.6, the Data Processor shall notify the Data Controller immediately if it:
(a) receives a Data Subject Request (or purported Data Subject Request) in relation to processing their data under this Contract only (submission of ILR data);
(b) receives a request to rectify, block or erase any Personal Data processed through the submission of ILR data. Notification in such cases should be given via the nominated contact;
(c) receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation;
(d) receives any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data processed under this Contract;
(e) receives a request from any third Party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or
(f) becomes aware of a Data Loss Event.
16.6. The Data Processor’s obligation to notify under clause 16.5 shall include the provision of further information to the Data Controller in phases, as details become available.
16.7. Taking into account the nature of the processing, the Data Processor shall provide the Data Controller with full assistance in relation to either Party's obligations under Data Protection Legislation and any complaint, communication or request made under clause 16.5 (and insofar as possible within the timescales reasonably required by the Data Controller) including by promptly providing:
(a) the Data Controller with full details and copies of the complaint, communication or request;
(b) such assistance as is reasonably requested by the Data Controller to enable the Data Controller to comply with a Data Subject Request within the relevant timescales set out in the Data Protection Legislation;
(c) the Data Controller, at its request, with any Personal Data it holds in relation to a Data Subject;
(d) assistance as requested by the Data Controller following any Data Loss Event;
(e) assistance as requested by the Data Controller with respect to any request from the Information Commissioner’s Office, or any consultation by the Data Controller with the Information Commissioner's Office.
16.8. The Data Processor shall maintain complete and accurate records and information to demonstrate its compliance with this clause. This requirement does not apply where the Data Processor employs fewer than 250 staff, unless:
(a) the Data Controller determines that the processing is not occasional;
(b) the Data Controller determines the processing includes special categories of data as referred to in Article 9(1) of the GDPR or Personal Data relating to criminal convictions and offences referred to in Article 10 of the GDPR; or
(c) the Data Controller determines that the processing is likely to result in a risk to the rights and freedoms of Data Subjects.
16.9. The Data Processor shall allow for audits of its Data Processing activity by the Data Controller or the Data Controller’s designated auditor.
16.10. Each Party shall designate its own data protection officer if required by the Data Protection Legislation.
16.11. Before allowing any Data Sub-processor to process any Personal Data related to this Contract (submission of ILR data), the Data Processor must:
(a) notify the Data Controller’s nominated contact in writing of the intended Data Sub-processor and processing;
(b) obtain the written consent of the Data Controller’s nominated contact;
(c) enter into a written agreement with the Data Sub-processor which give effect to the terms set out in this Clause 16 such that they apply to the Data Sub-processor; and
(d) provide the Data Controller with such information regarding the Data Sub-processor as the Data Controller may reasonably require.
16.12. The Data Processor shall remain fully liable for all acts or omissions of any of its Data Sub-processors.
16.13. The Data Controller may, at any time on not less than 30 Working Days’ notice, revise this clause by replacing it with any applicable controller to processor standard clauses or similar terms forming part of an applicable certification scheme (which shall apply when incorporated by attachment to this Contract).
16.14. The Parties agree to take account of any guidance issued by the Information Commissioner’s Office. The Data Controller may on not less than 30 Working Days’ notice to the Data Processor amend this Contract to ensure that it complies with any guidance issued by the Information Commissioner’s Office.
16.15. Where the Contractor is providing the Services to Learners claiming out of work benefits, the Secretary of State for Work and Pensions (or their successor) is the data controller in relation to Personal Data, which the Contractor is required to provide to the Secretary of State for Work and Pensions. This Clause 16 will be enforceable by the Secretary of State for Work and Pensions in relation to any Personal Data processed by the Contractor on their behalf.
16.16. Where the Contractor is providing the Service to Learners who are subject to active management by the Offender Manager in respect of an order or licence, the Secretary of State for Justice (or their successor) is the data controller in relation to Personal Data which the Contractor is required to provide to the Secretary of State for Justice.
16.17. Where the Contractor is providing the Services to Learners who are subject to claiming Industrial Injuries Disablement Benefit (IIDB), the Department for Work and Pensions (or their successor) is the data controller in relation to Personal Data, which the Contractor is required to provide to the Secretary of State for Education. This Clause 16 will be enforceable by the Secretary of State for Work and Pensions in relation to any Personal Data processed by the Contractor on its behalf.
16.18. The Data Processor will comply with any further written instructions or additional conditions from the ESFA’s Data Controller in relation to the data processing.
20.19 In the circumstances set out in Clause 37.1.7, the Department may elect to take the role of Data Controller.
Appears in 2 contracts
Samples: Contract for Services, Contract for Services
DATA PROTECTION AND PROTECTION OF PERSONAL DATA. 20.1 The Parties acknowledge that for the purposes of the Data Protection Legislation, the Department on behalf of the Secretary of State for Education is the Data Controller and the Provider is the Data Processor only for the processing set out in Schedule 6 (i.e. submission of Learner data to the Department). Any other processing of Personal Data undertaken by the Provider (i.e. Learner enrolment or delivering education & training, e.g. e-portfolios) will be as a Data Controller and not on behalf of the Department. Clauses 20.2 to 20.14 below apply only in relation to the processing of Personal Data on behalf of the Department as set out in Schedule 6, and the only processing that the Data Processor is authorised to do on behalf of the Department is listed in Schedule 6 by the Department and may not be determined by the Data Processor.
20.2 The Data Processor must notify the Data Controller immediately if it considers that any of the Data Controller's instructions infringe the Data Protection Legislation.
20.3 The Data Processor must provide all reasonable assistance to the Data Controller in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Data Controller, include:
(a) a systematic description of the envisaged processing operations and the purpose of the processing;
(b) an assessment of the necessity and proportionality of the processing operations in relation to the Services;
(c) an assessment of the risks to the rights and freedoms of Data Subjects; and
(d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data.
20.4 If requested by the Department’s Agreement Manager, the Data Processor must, in relation to any Personal Data processed in connection with its obligations under this Agreement:
20.4.1 process that Personal Data only in accordance with Schedule 6, unless the Data Processor is required to do otherwise by Law. If it is so required the Data Processor will promptly notify the Data Controller before processing the Personal Data unless prohibited by Law;
20.4.2 ensure that it has in place Protective Measures, which are appropriate to protect against a Data Loss Event, which the Data Controller may reasonably reject (but failure to reject will not amount to approval by the Data Controller of the adequacy of the Protective Measures), having taken account of the:
(a) nature of the data to be protected;
(b) harm that might result from a Data Loss Event;
(c) state of technological development; and
(d) cost of implementing any measures;
20.4.3 ensure that:
(a) the Data Processor Personnel do not process Personal Data except in accordance with this Agreement (and in particular Schedule 6);
(b) it takes all reasonable steps to ensure the reliability and integrity of any Data Processor Personnel who have access to the Personal Data and ensure that they:
(i) are aware of and comply with the Data Processor’s duties under this clause;
(ii) are subject to appropriate confidentiality undertakings with the Data Processor or any Data Sub-Processor;
(iii) are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third Party unless directed in writing to do so by the Data Controller or as otherwise permitted by this Agreement; and
(iv) have undergone adequate training in the use, care, protection and handling of Personal Data; and
20.4.4 not make a Restricted Transfer unless the prior written consent of the Data Controller has been obtained and the following conditions are fulfilled:
(a) the Data Controller or the Data Processor has provided appropriate safeguards in relation to the transfer (whether in accordance with Data Protection Legislation) as determined by the Data Controller;
(b) the Data Subject has enforceable rights and effective legal remedies;
(c) the Data Processor complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Data Controller in meeting its obligations); and
(d) the Data Processor complies with any reasonable instructions notified to it in advance by the Data Controller with respect to the processing of the Personal Data;
20.4.5 at the written direction of the Data Controller, delete or return Personal Data (and any copies of it) to the Data Controller on termination of the Agreement unless the Data Processor is required by Law to retain the Personal Data.
20.5 Subject to Clause 20.6, the Data Processor must notify the Data Controller immediately if it:
20.5.1 receives a Data Subject Request (or purported Data Subject Request) in relation to processing their data under this Agreement only (submission of learner data);
20.5.2 receives a request to rectify, block or erase any Personal Data processed through the submission of learner data. Notification in such cases should be given via the Agreement Manager;
20.5.3 receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation;
20.5.4 receives any communication from the Information Commissioner or any other Regulatory Body in connection with Personal Data processed under this Agreement;
20.5.5 receives a request from any third Party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or
20.5.6 becomes aware of a Data Loss Event.
20.6 The Data Processor’s obligation to notify under Clause 20.5 will include the provision of further information to the Data Controller in phases, as details become available.
20.7 Taking into account the nature of the processing, the Data Processor will provide the Data Controller with full assistance in relation to either Party's obligations under Data Protection Legislation and any complaint, communication or request made under Clause 20.5 (and insofar as possible within the timescales reasonably required by the Data Controller) including by promptly providing:
20.7.1 the Data Controller with full details and copies of the complaint, communication or request;
20.7.2 such assistance as is reasonably requested by the Data Controller to enable the Data Controller to comply with a Data Subject Request within the relevant timescales set out in the Data Protection Legislation;
20.7.3 the Data Controller, at its request, with any Personal Data it holds in relation to a Data Subject;
20.7.4 assistance as requested by the Data Controller following any Data Loss Event;
20.7.5 assistance as requested by the Data Controller with respect to any request from the Information Commissioner’s Office, or any consultation by the Data Controller with the Information Commissioner's Office.
20.8 The Data Processor must maintain complete and accurate records and information to demonstrate its compliance with this clause. This requirement does not apply where the Data Processor employs fewer than 250 staff, unless:
20.8.1 the Data Controller determines that the processing is not occasional;
20.8.2 the Data Controller determines the processing includes special categories of data as referred to in the Data Protection Legislation or Personal Data relating to criminal convictions and offences referred to in the Data Protection Legislation; or
20.8.3 the Data Controller determines that the processing is likely to result in a risk to the rights and freedoms of Data Subjects.
20.9 The Data Processor will allow for audits of its Data Processing activity by the Data Controller or the Data Controller’s designated auditor.
20.10 Each Party will designate its own data protection officer if required by the Data Protection Legislation.
20.11 Before allowing any Data Sub-Processor to process any Personal Data related to this Agreement (submission of learner data), the Data Processor must:
20.11.1 notify the Data Controller’s Agreement Manager in writing of the intended Data Sub-Processor and processing;
20.11.2 obtain the written consent of the Data Controller’s Agreement Manager;
20.11.3 enter into a written agreement with the Data Sub-Processor which give effect to the terms set out in this Clause 20 such that they apply to the Data Sub-Processor; and
20.11.4 provide the Data Controller with such information regarding the Data Sub-Processor as the Data Controller may reasonably require.
20.12 The Data Processor will remain fully liable for all acts or omissions of any of its Data Sub-Processors.
20.13 The Data Controller may, at any time on not less than 30 Working Days’ notice, revise this clause by replacing it with any applicable Data Controller to Data Processor standard clauses or similar terms forming part of an applicable certification scheme (which will apply when incorporated by attachment to this Agreement).
20.14 The Parties agree to take account of any guidance issued by the Information Commissioner’s Office. The Data Controller may on not less than 30 Working Days’ notice to the Data Processor amend this Agreement to ensure that it complies with any guidance issued by the Information Commissioner’s Office.
20.15 Where the Provider is providing the Services to Learners claiming out of work benefits, the Secretary of State for Work and Pensions (or their successor) is the Data Controller in relation to Personal Data which the Provider is required to provide to the Secretary of State for Work and Pensions. This Clause 20 will be enforceable by the Secretary of State for Work and Pensions in relation to any Personal Data processed by the Provider on its behalf.
20.16 Where the Provider is providing the Service to Learners who are subject to active management by the Offender Manager in respect of an order or licence, the Secretary of State for Justice (or their successor) is the Data Controller in relation to Personal Data, which the Provider is required to provide to the Secretary of State for Education.
20.17 Where the Provider is providing the Services to Learners who are subject to claiming Industrial Injuries Disablement Benefit (IIDB), the Department for Work and Pensions (or their successor) is the Data Controller in relation to Personal Data, which the Provider is required to provide to the Secretary of State for Education. This Clause 20 will be enforceable by the Secretary of State for Work and Pensions in relation to any Personal Data processed by the Provider on its behalf.
20.18 The Data Processor will comply with any further written instructions or additional conditions from the Department’s Data Controller in relation to the data processing.
20.19 In the circumstances set out in Clause 37.1.736.1.7, the Department may elect to take the role of Data Controller.
Appears in 2 contracts
Samples: Conditions of Funding (Grant), Conditions of Funding (Grant)
DATA PROTECTION AND PROTECTION OF PERSONAL DATA. 20.1 The Parties acknowledge that for the purposes of the Data Protection Legislation, the Department on behalf of the Secretary of State for Education is the Data Controller and the Provider College is the Data Processor only for the processing set out in Schedule 6 (i.e. submission of Learner data to the Department). Any other processing of Personal Data undertaken by the Provider College (i.e. Learner enrolment or delivering education & training, e.g. e-portfolios) will be as a Data Controller and not on behalf of the Department. Clauses 20.2 to 20.14 below apply only in relation to the processing of Personal Data on behalf of the Department as set out in Schedule 6, and the only processing that the Data Processor is authorised to do on behalf of the Department is listed in Schedule 6 by the Department and may not be determined by the Data Processor.
20.2 The Data Processor must notify the Data Controller immediately if it considers that any of the Data Controller's instructions infringe the Data Protection Legislation.
20.3 The Data Processor must provide all reasonable assistance to the Data Controller in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Data Controller, include:
(a) 20.3.1 a systematic description of the envisaged processing operations and the purpose of the processing;
(b) 20.3.2 an assessment of the necessity and proportionality of the processing operations in relation to the Services;
(c) 20.3.3 an assessment of the risks to the rights and freedoms of Data Subjects; and
(d) 20.3.4 the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data.
20.4 If requested by the Department’s Agreement Manager, the Data Processor must, in relation to any Personal Data processed in connection with its obligations under this Agreement:
20.4.1 process that Personal Data only in accordance with Schedule 6, unless the Data Processor is required to do otherwise by Law. If it is so required the Data Processor will promptly notify the Data Controller before processing the Personal Data unless prohibited by Law;
20.4.2 ensure that it has in place Protective Measures, which are appropriate to protect against a Data Loss Event, which the Data Controller may reasonably reject (but failure to reject will not amount to approval by the Data Controller of the adequacy of the Protective Measures), having taken account of the:
(a) nature of the data to be protected;
(b) harm that might result from a Data Loss Event;
(c) state of technological development; and
(d) cost of implementing any measures;
20.4.3 ensure that:
(a) the Data Processor Personnel do not process Personal Data except in accordance with this Agreement (and in particular Schedule 6);
(b) it takes all reasonable steps to ensure the reliability and integrity of any Data Processor Personnel who have access to the Personal Data and ensure that they:
(i) are aware of and comply with the Data Processor’s duties under this clause;
(ii) are subject to appropriate confidentiality undertakings with the Data Processor or any Data Sub-Processor;
(iii) are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third Party unless directed in writing to do so by the Data Controller or as otherwise permitted by this Agreement; and
(iv) have undergone adequate training in the use, care, protection and handling of Personal Data; and
20.4.4 not make a Restricted Transfer unless the prior written consent of the Data Controller has been obtained and the following conditions are fulfilled:
(a) the Data Controller or the Data Processor has provided appropriate safeguards in relation to the transfer (whether in accordance with Data Protection Legislation) as determined by the Data Controller;
(b) the Data Subject has enforceable rights and effective legal remedies;
(c) the Data Processor complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Data Controller in meeting its obligations); and
(d) the Data Processor complies with any reasonable instructions notified to it in advance by the Data Controller with respect to the processing of the Personal Data;
20.4.5 at the written direction of the Data Controller, delete or return Personal Data (and any copies of it) to the Data Controller on termination of the Agreement unless the Data Processor is required by Law to retain the Personal Data.
20.5 Subject to Clause 20.6, the Data Processor must notify the Data Controller immediately if it:
20.5.1 receives a Data Subject Request (or purported Data Subject Request) in relation to processing their data under this Agreement only (submission of learner data);
20.5.2 receives a request to rectify, block or erase any Personal Data processed through the submission of learner data. Notification in such cases should be given via the Agreement Manager;
20.5.3 receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation;
20.5.4 receives any communication from the Information Commissioner or any other Regulatory Body in connection with Personal Data processed under this Agreement;
20.5.5 receives a request from any third Party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or
20.5.6 becomes aware of a Data Loss Event.
20.6 The Data Processor’s obligation to notify under Clause 20.5 will include the provision of further information to the Data Controller in phases, as details become available.
20.7 Taking into account the nature of the processing, the Data Processor will provide the Data Controller with full assistance in relation to either Party's obligations under Data Protection Legislation and any complaint, communication or request made under Clause 20.5 (and insofar as possible within the timescales reasonably required by the Data Controller) including by promptly providing:
20.7.1 the Data Controller with full details and copies of the complaint, communication or request;
20.7.2 such assistance as is reasonably requested by the Data Controller to enable the Data Controller to comply with a Data Subject Request within the relevant timescales set out in the Data Protection Legislation;
20.7.3 the Data Controller, at its request, with any Personal Data it holds in relation to a Data Subject;
20.7.4 assistance as requested by the Data Controller following any Data Loss Event;
20.7.5 assistance as requested by the Data Controller with respect to any request from the Information Commissioner’s Office, or any consultation by the Data Controller with the Information Commissioner's Office.
20.8 The Data Processor must maintain complete and accurate records and information to demonstrate its compliance with this clause. This requirement does not apply where the Data Processor employs fewer than 250 staff, unless:
20.8.1 the Data Controller determines that the processing is not occasional;
20.8.2 the Data Controller determines the processing includes special categories of data as referred to in the Data Protection Legislation or Personal Data relating to criminal convictions and offences referred to in the Data Protection Legislation; or
20.8.3 the Data Controller determines that the processing is likely to result in a risk to the rights and freedoms of Data Subjects.
20.9 The Data Processor will allow for audits of its Data Processing activity by the Data Controller or the Data Controller’s designated auditor.
20.10 Each Party will designate its own data protection officer if required by the Data Protection Legislation.
20.11 Before allowing any Data Sub-Processor to process any Personal Data related to this Agreement (submission of learner data), the Data Processor must:
20.11.1 notify the Data Controller’s Agreement Manager in writing of the intended Data Sub-Processor and processing;
20.11.2 obtain the written consent of the Data Controller’s Agreement Manager;
20.11.3 enter into a written agreement with the Data Sub-Processor which give effect to the terms set out in this Clause 20 such that they apply to the Data Sub-Processor; and
20.11.4 provide the Data Controller with such information regarding the Data Sub-Processor as the Data Controller may reasonably require.
20.12 The Data Processor will remain fully liable for all acts or omissions of any of its Data Sub-Processors.
20.13 The Data Controller may, at any time on not less than 30 Working Days’ notice, revise this clause by replacing it with any applicable Data Controller to Data Processor standard clauses or similar terms forming part of an applicable certification scheme (which will apply when incorporated by attachment to this Agreement).
20.14 The Parties agree to take account of any guidance issued by the Information Commissioner’s Office. The Data Controller may on not less than 30 Working Days’ notice to the Data Processor amend this Agreement to ensure that it complies with any guidance issued by the Information Commissioner’s Office.
20.15 Where the Provider is providing the Services to Learners claiming out of work benefits, the Secretary of State for Work and Pensions (or their successor) is the Data Controller in relation to Personal Data which the Provider is required to provide to the Secretary of State for Work and Pensions. This Clause 20 will be enforceable by the Secretary of State for Work and Pensions in relation to any Personal Data processed by the Provider on its behalf.
20.16 Where the Provider is providing the Service to Learners who are subject to active management by the Offender Manager in respect of an order or licence, the Secretary of State for Justice (or their successor) is the Data Controller in relation to Personal Data, which the Provider is required to provide to the Secretary of State for Education.
20.17 Where the Provider is providing the Services to Learners who are subject to claiming Industrial Injuries Disablement Benefit (IIDB), the Department for Work and Pensions (or their successor) is the Data Controller in relation to Personal Data, which the Provider is required to provide to the Secretary of State for Education. This Clause 20 will be enforceable by the Secretary of State for Work and Pensions in relation to any Personal Data processed by the Provider on its behalf.
20.18 The Data Processor will comply with any further written instructions or additional conditions from the Department’s Data Controller in relation to the data processing.
20.19 In the circumstances set out in Clause 37.1.7, the Department may elect to take the role of Data Controller.
Appears in 2 contracts
Samples: Conditions of Funding (Grant), Conditions of Funding (Grant)
DATA PROTECTION AND PROTECTION OF PERSONAL DATA. 20.1 The Parties acknowledge that for the purposes of the Data Protection Laws, the Department on behalf of the Secretary of State for Education is the Data Controller and the Provider is the Data Processor only for the processing set out in Schedule 6 (i.e. submission of Learner data to the Department). Any other processing of Personal Data undertaken by the Provider (i.e. Learner enrolment or delivering education & training, e.g. e-portfolios) will be as a Data Controller and not on behalf of the Department. Clauses 20.2 to 20.14 below apply only in relation to the processing of Personal Data on behalf of the Department as set out in Schedule 6, and the only processing that the Data Processor is authorised to do on behalf of the Department is listed in Schedule 6 by the Department and may not be determined by the Data Processor.
20.2 The Data Processor must notify the Data Controller immediately if it considers that any of the Data Controller's instructions infringe the Data Protection Laws.
20.3 The Data Processor must provide all reasonable assistance to the Data Controller in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Data Controller, include:
(a) a systematic description of the envisaged processing operations and the purpose of the processing;
(b) an assessment of the necessity and proportionality of the processing operations in relation to the Services;
(c) an assessment of the risks to the rights and freedoms of Data Subjects; and
(d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data.
20.4 If requested by the Department’s Agreement Manager, the Data Processor must, in relation to any Personal Data processed in connection with its obligations under this Agreement:
20.4.1 process that Personal Data only in accordance with Schedule 6, unless the Data Processor is required to do otherwise by Law. If it is so required the Data Processor will promptly notify the Data Controller before processing the Personal Data unless prohibited by Law;
20.4.2 ensure that it has in place Protective Measures, which are appropriate to protect against a Data Loss Event, which the Data Controller may reasonably reject (but failure to reject will not amount to approval by the Data Controller of the adequacy of the Protective Measures), having taken account of the:
(a) nature of the data to be protected;
(b) harm that might result from a Data Loss Event;
(c) state of technological development; and
(d) cost of implementing any measures;
20.4.3 ensure that:
(a) the Data Processor Personnel do not process Personal Data except in accordance with this Agreement (and in particular Schedule 6);
(b) it takes all reasonable steps to ensure the reliability and integrity of any Data Processor Personnel who have access to the Personal Data and ensure that they:
(i) are aware of and comply with the Data Processor’s duties under this clause;
(ii) are subject to appropriate confidentiality undertakings with the Data Processor or any Data Sub-processor;
(iii) are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third Party unless directed in writing to do so by the Data Controller or as otherwise permitted by this Agreement; and
(iv) have undergone adequate training in the use, care, protection and handling of Personal Data; and
20.4.4 not transfer Personal Data outside of the EU unless the prior written consent of the Data Controller has been obtained and the following conditions are fulfilled:
(a) the Data Controller or the Data Processor has provided appropriate safeguards in relation to the transfer (whether in accordance with GDPR Article 46 or LED Article 37) as determined by the Data Controller;
(b) the Data Subject has enforceable rights and effective legal remedies;
(c) the Data Processor complies with its obligations under the Data Protection Laws by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Data Controller in meeting its obligations); and
(d) the Data Processor complies with any reasonable instructions notified to it in advance by the Data Controller with respect to the processing of the Personal Data;
20.4.5 at the written direction of the Data Controller, delete or return Personal Data (and any copies of it) to the Data Controller on termination of the Agreement unless the Data Processor is required by Law to retain the Personal Data.
20.5 Subject to Clause 20.6, the Data Processor must notify the Data Controller immediately if it:
20.5.1 receives a Data Subject Request (or purported Data Subject Request) in relation to processing their data under this Agreement only (submission of learner data);
20.5.2 receives a request to rectify, block or erase any Personal Data processed through the submission of learner data. Notification in such cases should be given via the Agreement Manager;
20.5.3 receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Laws;
20.5.4 receives any communication from the Information Commissioner or any other Regulatory Body in connection with Personal Data processed under this Agreement;
20.5.5 receives a request from any third Party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or
20.5.6 becomes aware of a Data Loss Event.
20.6 The Data Processor’s obligation to notify under Clause 20.5 will include the provision of further information to the Data Controller in phases, as details become available.
20.7 Taking into account the nature of the processing, the Data Processor will provide the Data Controller with full assistance in relation to either Party's obligations under Data Protection Laws and any complaint, communication or request made under Clause 20.5 (and insofar as possible within the timescales reasonably required by the Data Controller) including by promptly providing:
20.7.1 the Data Controller with full details and copies of the complaint, communication or request;
20.7.2 such assistance as is reasonably requested by the Data Controller to enable the Data Controller to comply with a Data Subject Request within the relevant timescales set out in the Data Protection Laws;
20.7.3 the Data Controller, at its request, with any Personal Data it holds in relation to a Data Subject;
20.7.4 assistance as requested by the Data Controller following any Data Loss Event;
20.7.5 assistance as requested by the Data Controller with respect to any request from the Information Commissioner’s Office, or any consultation by the Data Controller with the Information Commissioner's Office.
20.8 The Data Processor must maintain complete and accurate records and information to demonstrate its compliance with this clause. This requirement does not apply where the Data Processor employs fewer than 250 staff, unless:
20.8.1 the Data Controller determines that the processing is not occasional;
20.8.2 the Data Controller determines the processing includes special categories of data as referred to in Article 9(1) of the GDPR or Personal Data relating to criminal convictions and offences referred to in Article 10 of the GDPR; or
20.8.3 the Data Controller determines that the processing is likely to result in a risk to the rights and freedoms of Data Subjects.
20.9 The Data Processor will allow for audits of its Data Processing activity by the Data Controller or the Data Controller’s designated auditor.
20.10 Each Party will designate its own data protection officer if required by the Data Protection Laws.
20.11 Before allowing any Data Sub-Processor to process any Personal Data related to this Agreement (submission of learner data), the Data Processor must:
20.11.1 notify the Data Controller’s Agreement Manager in writing of the intended Data Sub-Processor and processing;
20.11.2 obtain the written consent of the Data Controller’s Agreement Manager;
20.11.3 enter into a written agreement with the Data Sub-processor which give effect to the terms set out in this Clause 20 such that they apply to the Data Sub-Processor; and
20.11.4 provide the Data Controller with such information regarding the Data Sub-Processor as the Data Controller may reasonably require.
20.12 The Data Processor will remain fully liable for all acts or omissions of any of its Data Sub-Processors.
20.13 The Data Controller may, at any time on not less than 30 Working Days’ notice, revise this clause by replacing it with any applicable controller to processor standard clauses or similar terms forming part of an applicable certification scheme (which will apply when incorporated by attachment to this Agreement).
20.14 The Parties agree to take account of any guidance issued by the Information Commissioner’s Office. The Data Controller may on not less than 30 Working Days’ notice to the Data Processor amend this Agreement to ensure that it complies with any guidance issued by the Information Commissioner’s Office.
20.15 Where the Provider is providing the Services to Learners claiming out of work benefits, the Secretary of State for Work and Pensions (or their successor) is the Data Controller in relation to Personal Data which the Provider is required to provide to the Secretary of State for Work and Pensions. This Clause 20 will be enforceable by the Secretary of State for Work and Pensions in relation to any Personal Data processed by the Provider on its behalf.
20.16 Where the Provider is providing the Service to Learners who are subject to active management by the Offender Manager in respect of an order or licence, the Secretary of State for Justice (or their successor) is the Data Controller in relation to Personal Data, which the Provider is required to provide to the Secretary of State for Education.
20.17 Where the Provider is providing the Services to Learners who are subject to claiming Industrial Injuries Disablement Benefit (IIDB), the Department for Work and Pensions (or their successor) is the Data Controller in relation to Personal Data, which the Provider is required to provide to the Secretary of State for Education. This Clause 20 will be enforceable by the Secretary of State for Work and Pensions in relation to any Personal Data processed by the Provider on its behalf.
20.18 The Data Processor will comply with any further written instructions or additional conditions from the Department’s Data Controller in relation to the data processing.
20.19 In the circumstances set out in Clause 37.1.7, the Department may elect to take the role of Data Controller.
Appears in 2 contracts
Samples: Funding Agreement, Funding Agreement
DATA PROTECTION AND PROTECTION OF PERSONAL DATA. 20.1 The Parties acknowledge that for the purposes of the Data Protection Laws, the Department on behalf of the Secretary of State for Education is the Data Controller and the Provider is the Data Processor only for the processing set out in Schedule 6 (i.e. submission of Learner data to the Department). Any other processing of Personal Data undertaken by the Provider (e.g. Learner enrolment or delivering education & training, e.g. e-portfolios) will be as a Data Controller and not on behalf of the Department. Clauses 20.2 to 20.14 20.15 below apply only in relation to the processing of Personal Data on behalf of the Department as set out in Schedule 6, and the only processing that the Data Processor is authorised to do on behalf of the Department is listed in Schedule 6 by the Department and may not be determined by the Data Processor.
20.2 The Data Processor must notify the Data Controller immediately if it considers that any of the Data Controller's instructions infringe the Data Protection Laws.
20.3 The Data Processor must provide all reasonable assistance to the Data Controller in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Data Controller, include:
(a) a systematic description of the envisaged processing operations and the purpose of the processing;
(b) an assessment of the necessity and proportionality of the processing operations in relation to the Services;
(c) an assessment of the risks to the rights and freedoms of Data Subjects; and
(d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data.
20.4 If requested by the Department’s Agreement Manager, the Data Processor must, in relation to any Personal Data processed in connection with its obligations under this Agreement:
20.4.1 process that Personal Data only in accordance with Schedule 6, unless the Data Processor is required to do otherwise by Law. If it is so required the Data Processor will promptly notify the Data Controller before processing the Personal Data unless prohibited by Law;
20.4.2 ensure that it has in place Protective Measures, which are appropriate to protect against a Data Loss Event, which the Data Controller may reasonably reject (but failure to reject will not amount to approval by the Data Controller of the adequacy of the Protective Measures), having taken account of the:
(a) nature of the data to be protected;
(b) harm that might result from a Data Loss Event;
(c) state of technological development; and
(d) cost of implementing any measures;
20.4.3 ensure that:
(a) the Data Processor Personnel do not process Personal Data except in accordance with this Agreement (and in particular Schedule 6);
(b) it takes all reasonable steps to ensure the reliability and integrity of any Data Processor Personnel who have access to the Personal Data and ensure that they:
(i) 20.4.4 are aware of and comply with the Data Processor’s duties under this clause;
(ii) 20.4.5 are subject to appropriate confidentiality undertakings with the Data Processor or any Data Sub-processor;
(iii) 20.4.6 are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third Party unless directed in writing to do so by the Data Controller or as otherwise permitted by this Agreement; and
(iv) 20.4.7 have undergone adequate training in the use, care, protection and handling of Personal Data; and
20.4.4 20.4.8 not transfer Personal Data outside of the EU unless the prior written consent of the Data Controller has been obtained and the following conditions are fulfilled:
(a) the Data Controller or the Data Processor has provided appropriate safeguards in relation to the transfer (whether in accordance with GDPR Article 46 or LED Article 37) as determined by the Data Controller;
(b) the Data Subject has enforceable rights and effective legal remedies;
(c) the Data Processor complies with its obligations under the Data Protection Laws by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Data Controller in meeting its obligations); and
(d) the Data Processor complies with any reasonable instructions notified to it in advance by the Data Controller with respect to the processing of the Personal Data;
20.4.5 20.4.9 at the written direction of the Data Controller, delete or return Personal Data (and any copies of it) to the Data Controller on termination of the Agreement unless the Data Processor is required by Law to retain the Personal Data.
20.5 Subject to Clause 20.6, the Data Processor must notify the Data Controller immediately if it:
20.5.1 receives a Data Subject Request (or purported Data Subject Request) in relation to processing their data under this Agreement only (submission of learner data);
20.5.2 receives a request to rectify, block or erase any Personal Data processed through the submission of learner data. Notification in such cases should be given via the submission of learner data for changes in-year and via the Agreement Manager for closed years;
20.5.3 receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Laws;
20.5.4 receives any communication from the Information Commissioner or any other Regulatory Body in connection with Personal Data processed under this Agreement;
20.5.5 receives a request from any third Party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or
20.5.6 becomes aware of a Data Loss Event.
20.6 The Data Processor’s obligation to notify under Clause 20.5 will include the provision of further information to the Data Controller in phases, as details become available.
20.7 Taking into account the nature of the processing, the Data Processor will provide the Data Controller with full assistance in relation to either Party's obligations under Data Protection Laws and any complaint, communication or request made under Clause 20.5 (and insofar as possible within the timescales reasonably required by the Data Controller) including by promptly providing:
20.7.1 the Data Controller with full details and copies of the complaint, communication or request;
20.7.2 such assistance as is reasonably requested by the Data Controller to enable the Data Controller to comply with a Data Subject Request within the relevant timescales set out in the Data Protection Laws;
20.7.3 the Data Controller, at its request, with any Personal Data it holds in relation to a Data Subject;
20.7.4 assistance as requested by the Data Controller following any Data Loss Event;
20.7.5 assistance as requested by the Data Controller with respect to any request from the Information Commissioner’s Office, or any consultation by the Data Controller with the Information Commissioner's Office.
20.8 The Data Processor must maintain complete and accurate records and information to demonstrate its compliance with this clause. This requirement does not apply where the Data Processor employs fewer than 250 staff, unless:
20.8.1 the Data Controller determines that the processing is not occasional;
20.8.2 the Data Controller determines the processing includes special categories of data as referred to in Article 9(1) of the GDPR or Personal Data relating to criminal convictions and offences referred to in Article 10 of the GDPR; or
20.8.3 the Data Controller determines that the processing is likely to result in a risk to the rights and freedoms of Data Subjects.
20.9 The Data Processor will allow for audits of its Data Processing activity by the Data Controller or the Data Controller’s designated auditor.
20.10 Each Party will designate its own data protection officer if required by the Data Protection Laws.
20.11 Before allowing any Data Sub-processor to process any Personal Data related to this Agreement (submission of learner data), the Data Processor must:
20.11.1 notify the Data Controller’s Agreement Manager in writing of the intended Data Sub-processor and processing;
20.11.2 obtain the written consent of the Data Controller’s Agreement Manager;
20.11.3 enter into a written agreement with the Data Sub-processor which give effect to the terms set out in this Clause 20 such that they apply to the Data Sub-processor; and
20.11.4 provide the Data Controller with such information regarding the Data Sub-processor as the Data Controller may reasonably require.
20.12 The Data Processor will remain fully liable for all acts or omissions of any of its Data Sub-processors.
20.13 The Data Controller may, at any time on not less than 30 Working Days’ notice, revise this clause by replacing it with any applicable controller to processor standard clauses or similar terms forming part of an applicable certification scheme (which will apply when incorporated by attachment to this Agreement).
20.14 The Parties agree to take account of any guidance issued by the Information Commissioner’s Office. The Data Controller may on not less than 30 Working Days’ notice to the Data Processor amend this Agreement to ensure that it complies with any guidance issued by the Information Commissioner’s Office.
20.15 Where the Provider is providing the Services to Learners claiming out of work benefits, the Secretary of State for Work and Pensions (or their successor) is the Data Controller in relation to Personal Data which the Provider is required to provide to the Secretary of State for Work and Pensions. This Clause 20 will be enforceable by the Secretary of State for Work and Pensions in relation to any Personal Data processed by the Provider on its behalf.
20.16 Where the Provider is providing the Service to Learners who are subject to active management by the Offender Manager in respect of an order or licence, the Secretary of State for Justice (or their successor) is the Data Controller in relation to Personal Data, which the Provider is required to provide to the Secretary of State for Education.
20.17 Where the Provider is providing the Services to Learners who are subject to claiming Industrial Injuries Disablement Benefit (IIDB), the Department for Work and Pensions (or their successor) is the Data Controller in relation to Personal Data, which the Provider is required to provide to the Secretary of State for Education. This Clause 20 will be enforceable by the Secretary of State for Work and Pensions in relation to any Personal Data processed by the Provider on its behalf.
20.18 The Data Processor will comply with any further written instructions or additional conditions from the Department’s Data Controller in relation to the data processing.
20.19 In the circumstances set out in Clause 37.1.7, the Department may elect to take the role of Data Controller.
DATA PROTECTION AND PROTECTION OF PERSONAL DATA. 20.1 The Parties acknowledge that for the purposes of the Data Protection Legislation, the Department on behalf of the Secretary of State for Education is the Data Controller and the Provider is the Data Processor only for the processing set out in Schedule 6 (i.e. submission of Learner data to the Department). Any other processing of Personal Data undertaken by the Provider (i.e. Learner enrolment or delivering education & training, e.g. e-portfolios) will be as a Data Controller and not on behalf of the Department. Clauses 20.2 to 20.14 below apply only in relation to the processing of Personal Data on behalf of the Department as set out in Schedule 6, and the only processing that the Data Processor is authorised to do on behalf of the Department is listed in Schedule 6 by the Department and may not be determined by the Data Processor.
20.2 The Data Processor must notify the Data Controller immediately if it considers that any of the Data Controller's instructions infringe the Data Protection Legislation.
20.3 The Data Processor must provide all reasonable assistance to the Data Controller in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Data Controller, include:
(a) a systematic description of the envisaged processing operations and the purpose of the processing;
(b) an assessment of the necessity and proportionality of the processing operations in relation to the Services;
(c) an assessment of the risks to the rights and freedoms of Data Subjects; and
(d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data.
20.4 If requested by the Department’s Agreement Manager, the Data Processor must, in relation to any Personal Data processed in connection with its obligations under this Agreement:
20.4.1 process that Personal Data only in accordance with Schedule 6, unless the Data Processor is required to do otherwise by Law. If it is so required the Data Processor will promptly notify the Data Controller before processing the Personal Data unless prohibited by Law;
20.4.2 ensure that it has in place Protective Measures, which are appropriate to protect against a Data Loss Event, which the Data Controller may reasonably reject (but failure to reject will not amount to approval by the Data Controller of the adequacy of the Protective Measures), having taken account of the:
(a) nature of the data to be protected;
(b) harm that might result from a Data Loss Event;
(c) state of technological development; and
(d) cost of implementing any measures;
20.4.3 ensure that:
(a) the Data Processor Personnel do not process Personal Data except in accordance with this Agreement (and in particular Schedule 6);
(b) it takes all reasonable steps to ensure the reliability and integrity of any Data Processor Personnel who have access to the Personal Data and ensure that they:
(i) are aware of and comply with the Data Processor’s duties under this clause;
(ii) are subject to appropriate confidentiality undertakings with the Data Processor or any Data Sub-Processor;
(iii) are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third Party unless directed in writing to do so by the Data Controller or as otherwise permitted by this Agreement; and
(iv) have undergone adequate training in the use, care, protection and handling of Personal Data; and
20.4.4 not make a Restricted Transfer unless the prior written consent of the Data Controller has been obtained and the following conditions are fulfilled:
(a) the Data Controller or the Data Processor has provided appropriate safeguards in relation to the transfer (whether in accordance with Data Protection Legislation) as determined by the Data Controller;
(b) the Data Subject has enforceable rights and effective legal remedies;
(c) the Data Processor complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Data Controller in meeting its obligations); and
(d) the Data Processor complies with any reasonable instructions notified to it in advance by the Data Controller with respect to the processing of the Personal Data;
20.4.5 at the written direction of the Data Controller, delete or return Personal Data (and any copies of it) to the Data Controller on termination of the Agreement unless the Data Processor is required by Law to retain the Personal Data.
20.5 Subject to Clause 20.6, the Data Processor must notify the Data Controller immediately if it:
20.5.1 receives a Data Subject Request (or purported Data Subject Request) in relation to processing their data under this Agreement only (submission of learner data);
20.5.2 receives a request to rectify, block or erase any Personal Data processed through the submission of learner data. Notification in such cases should be given via the Agreement Manager;
20.5.3 receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation;
20.5.4 receives any communication from the Information Commissioner or any other Regulatory Body in connection with Personal Data processed under this Agreement;
20.5.5 receives a request from any third Party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or
20.5.6 becomes aware of a Data Loss Event.
20.6 The Data Processor’s obligation to notify under Clause 20.5 will include the provision of further information to the Data Controller in phases, as details become available.
20.7 Taking into account the nature of the processing, the Data Processor will provide the Data Controller with full assistance in relation to either Party's obligations under Data Protection Legislation and any complaint, communication or request made under Clause 20.5 (and insofar as possible within the timescales reasonably required by the Data Controller) including by promptly providing:
20.7.1 the Data Controller with full details and copies of the complaint, communication or request;
20.7.2 such assistance as is reasonably requested by the Data Controller to enable the Data Controller to comply with a Data Subject Request within the relevant timescales set out in the Data Protection Legislation;
20.7.3 the Data Controller, at its request, with any Personal Data it holds in relation to a Data Subject;
20.7.4 assistance as requested by the Data Controller following any Data Loss Event;
20.7.5 assistance as requested by the Data Controller with respect to any request from the Information Commissioner’s Office, or any consultation by the Data Controller with the Information Commissioner's Office.
20.8 The Data Processor must maintain complete and accurate records and information to demonstrate its compliance with this clause. This requirement does not apply where the Data Processor employs fewer than 250 staff, unless:
20.8.1 the Data Controller determines that the processing is not occasional;
20.8.2 the Data Controller determines the processing includes special categories of data as referred to in the Data Protection Legislation or Personal Data relating to criminal convictions and offences referred to in the Data Protection Legislation; or
20.8.3 the Data Controller determines that the processing is likely to result in a risk to the rights and freedoms of Data Subjects.
20.9 The Data Processor will allow for audits of its Data Processing activity by the Data Controller or the Data Controller’s designated auditor.
20.10 Each Party will designate its own data protection officer if required by the Data Protection Legislation.
20.11 Before allowing any Data Sub-Processor to process any Personal Data related to this Agreement (submission of learner data), the Data Processor must:
20.11.1 notify the Data Controller’s Agreement Manager in writing of the intended Data Sub-Processor and processing;
20.11.2 obtain the written consent of the Data Controller’s Agreement Manager;
20.11.3 enter into a written agreement with the Data Sub-Processor which give effect to the terms set out in this Clause 20 such that they apply to the Data Sub-Processor; and
20.11.4 provide the Data Controller with such information regarding the Data Sub-Processor as the Data Controller may reasonably require.
20.12 The Data Processor will remain fully liable for all acts or omissions of any of its Data Sub-Processors.
20.13 The Data Controller may, at any time on not less than 30 Working Days’ notice, revise this clause by replacing it with any applicable Data Controller to Data Processor standard clauses or similar terms forming part of an applicable certification scheme (which will apply when incorporated by attachment to this Agreement).
20.14 The Parties agree to take account of any guidance issued by the Information Commissioner’s Office. The Data Controller may on not less than 30 Working Days’ notice to the Data Processor amend this Agreement to ensure that it complies with any guidance issued by the Information Commissioner’s Office.
20.15 Where the Provider is providing the Services to Learners claiming out of work benefits, the Secretary of State for Work and Pensions (or their successor) is the Data Controller in relation to Personal Data which the Provider is required to provide to the Secretary of State for Work and Pensions. This Clause 20 will be enforceable by the Secretary of State for Work and Pensions in relation to any Personal Data processed by the Provider on its behalf.
20.16 Where the Provider is providing the Service to Learners who are subject to active management by the Offender Manager in respect of an order or licence, the Secretary of State for Justice (or their successor) is the Data Controller in relation to Personal Data, which the Provider is required to provide to the Secretary of State for Education.
20.17 Where the Provider is providing the Services to Learners who are subject to claiming Industrial Injuries Disablement Benefit (IIDB), the Department for Work and Pensions (or their successor) is the Data Controller in relation to Personal Data, which the Provider is required to provide to the Secretary of State for Education. This Clause 20 will be enforceable by the Secretary of State for Work and Pensions in relation to any Personal Data processed by the Provider on its behalf.
20.18 The Data Processor will comply with any further written instructions or additional conditions from the Department’s Data Controller in relation to the data processing.
20.19 In the circumstances set out in Clause 37.1.7, the Department may elect to take the role of Data Controller.
DATA PROTECTION AND PROTECTION OF PERSONAL DATA. 20.1 The Parties acknowledge that for the purposes of the Data Protection Laws, the Department on behalf of the Secretary of State for Education is the Data Controller and the Provider is the Data Processor only for the processing set out in Schedule 6 (i.e. submission of Learner data to the Department). Any other processing of Personal Data undertaken by the Provider (i.e. Learner enrolment or delivering education & training, e.g. e-portfolios) will be as a Data Controller and not on behalf of the Department. Clauses 20.2 to 20.14 below apply only in relation to the processing of Personal Data on behalf of the Department as set out in Schedule 6, and the only processing that the Data Processor is authorised to do on behalf of the Department is listed in Schedule 6 by the Department and may not be determined by the Data Processor.
20.2 The Data Processor must notify the Data Controller immediately if it considers that any of the Data Controller's instructions infringe the Data Protection Laws.
20.3 The Data Processor must provide all reasonable assistance to the Data Controller in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Data Controller, include:
(a) a systematic description of the envisaged processing operations and the purpose of the processing;
(b) an assessment of the necessity and proportionality of the processing operations in relation to the Services;
(c) an assessment of the risks to the rights and freedoms of Data Subjects; and
(d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data.
20.4 If requested by the Department’s Agreement Manager, the Data Processor must, in relation to any Personal Data processed in connection with its obligations under this Agreement:
20.4.1 process that Personal Data only in accordance with Schedule 6, unless the Data Processor is required to do otherwise by Law. If it is so required the Data Processor will promptly notify the Data Controller before processing the Personal Data unless prohibited by Law;
20.4.2 ensure that it has in place Protective Measures, which are appropriate to protect against a Data Loss Event, which the Data Controller may reasonably reject (but failure to reject will not amount to approval by the Data Controller of the adequacy of the Protective Measures), having taken account of the:
(a) nature of the data to be protected;
(b) harm that might result from a Data Loss Event;
(c) state of technological development; and
(d) cost of implementing any measures;
20.4.3 ensure that:
(a) the Data Processor Personnel do not process Personal Data except in accordance with this Agreement (and in particular Schedule 6);
(b) it takes all reasonable steps to ensure the reliability and integrity of any Data Processor Personnel who have access to the Personal Data and ensure that they:
(i) are aware of and comply with the Data Processor’s duties under this clause;
(ii) are subject to appropriate confidentiality undertakings with the Data Processor or any Data Sub-Processor;
(iii) are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third Party unless directed in writing to do so by the Data Controller or as otherwise permitted by this Agreement; and
(iv) have undergone adequate training in the use, care, protection and handling of Personal Data; and
20.4.4 not transfer Personal Data outside of the EU unless the prior written consent of the Data Controller has been obtained and the following conditions are fulfilled:
(a) the Data Controller or the Data Processor has provided appropriate safeguards in relation to the transfer (whether in accordance with GDPR Article 46 or LED Article 37) as determined by the Data Controller;
(b) the Data Subject has enforceable rights and effective legal remedies;
(c) the Data Processor complies with its obligations under the Data Protection Laws by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Data Controller in meeting its obligations); and
(d) the Data Processor complies with any reasonable instructions notified to it in advance by the Data Controller with respect to the processing of the Personal Data;
20.4.5 at the written direction of the Data Controller, delete or return Personal Data (and any copies of it) to the Data Controller on termination of the Agreement unless the Data Processor is required by Law to retain the Personal Data.
20.5 Subject to Clause 20.6, the Data Processor must notify the Data Controller immediately if it:
20.5.1 receives a Data Subject Request (or purported Data Subject Request) in relation to processing their data under this Agreement only (submission of learner data);
20.5.2 receives a request to rectify, block or erase any Personal Data processed through the submission of learner data. Notification in such cases should be given via the Agreement Manager;
20.5.3 receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Laws;
20.5.4 receives any communication from the Information Commissioner or any other Regulatory Body in connection with Personal Data processed under this Agreement;
20.5.5 receives a request from any third Party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or
20.5.6 becomes aware of a Data Loss Event.
20.6 The Data Processor’s obligation to notify under Clause 20.5 will include the provision of further information to the Data Controller in phases, as details become available.
20.7 Taking into account the nature of the processing, the Data Processor will provide the Data Controller with full assistance in relation to either Party's obligations under Data Protection Laws and any complaint, communication or request made under Clause 20.5 (and insofar as possible within the timescales reasonably required by the Data Controller) including by promptly providing:
20.7.1 the Data Controller with full details and copies of the complaint, communication or request;
20.7.2 such assistance as is reasonably requested by the Data Controller to enable the Data Controller to comply with a Data Subject Request within the relevant timescales set out in the Data Protection Laws;
20.7.3 the Data Controller, at its request, with any Personal Data it holds in relation to a Data Subject;
20.7.4 assistance as requested by the Data Controller following any Data Loss Event;
20.7.5 assistance as requested by the Data Controller with respect to any request from the Information Commissioner’s Office, or any consultation by the Data Controller with the Information Commissioner's Office.
20.8 The Data Processor must maintain complete and accurate records and information to demonstrate its compliance with this clause. This requirement does not apply where the Data Processor employs fewer than 250 staff, unless:
20.8.1 the Data Controller determines that the processing is not occasional;
20.8.2 the Data Controller determines the processing includes special categories of data as referred to in Article 9(1) of the GDPR or Personal Data relating to criminal convictions and offences referred to in Article 10 of the GDPR; or
20.8.3 the Data Controller determines that the processing is likely to result in a risk to the rights and freedoms of Data Subjects.
20.9 The Data Processor will allow for audits of its Data Processing activity by the Data Controller or the Data Controller’s designated auditor.
20.10 Each Party will designate its own data protection officer if required by the Data Protection Laws.
20.11 Before allowing any Data Sub-Processor to process any Personal Data related to this Agreement (submission of learner data), the Data Processor must:
20.11.1 notify the Data Controller’s Agreement Manager in writing of the intended Data Sub-Processor and processing;
20.11.2 obtain the written consent of the Data Controller’s Agreement Manager;
20.11.3 enter into a written agreement with the Data Sub-Processor which give effect to the terms set out in this Clause 20 such that they apply to the Data Sub-Processor; and
20.11.4 provide the Data Controller with such information regarding the Data Sub-Processor as the Data Controller may reasonably require.
20.12 The Data Processor will remain fully liable for all acts or omissions of any of its Data Sub-Processors.
20.13 The Data Controller may, at any time on not less than 30 Working Days’ notice, revise this clause by replacing it with any applicable controller to processor standard clauses or similar terms forming part of an applicable certification scheme (which will apply when incorporated by attachment to this Agreement).
20.14 The Parties agree to take account of any guidance issued by the Information Commissioner’s Office. The Data Controller may on not less than 30 Working Days’ notice to the Data Processor amend this Agreement to ensure that it complies with any guidance issued by the Information Commissioner’s Office.
20.15 Where the Provider is providing the Services to Learners claiming out of work benefits, the Secretary of State for Work and Pensions (or their successor) is the Data Controller in relation to Personal Data which the Provider is required to provide to the Secretary of State for Work and Pensions. This Clause 20 will be enforceable by the Secretary of State for Work and Pensions in relation to any Personal Data processed by the Provider on its behalf.
20.16 Where the Provider is providing the Service to Learners who are subject to active management by the Offender Manager in respect of an order or licence, the Secretary of State for Justice (or their successor) is the Data Controller in relation to Personal Data, which the Provider is required to provide to the Secretary of State for Education.
20.17 Where the Provider is providing the Services to Learners who are subject to claiming Industrial Injuries Disablement Benefit (IIDB), the Department for Work and Pensions (or their successor) is the Data Controller in relation to Personal Data, which the Provider is required to provide to the Secretary of State for Education. This Clause 20 will be enforceable by the Secretary of State for Work and Pensions in relation to any Personal Data processed by the Provider on its behalf.
20.18 The Data Processor will comply with any further written instructions or additional conditions from the Department’s Data Controller in relation to the data processing.
20.19 In the circumstances set out in Clause 37.1.7, the Department may elect to take the role of Data Controller.
DATA PROTECTION AND PROTECTION OF PERSONAL DATA. 17.1. The Parties acknowledge that for the purposes of the Data Protection Legislation, the ESFA on behalf of the Secretary of State for Education is the Data Controller and the Contractor is the Data Processor only for the processing set out in Schedule 2 (i.e. submission of Learner data to the ESFA). Any other processing of Personal Data (i.e. Learner enrolment or delivering education & training e.g. e-portfolios) undertaken by the Contractor will be as a Data Controller and not on behalf of the ESFA. Clauses 17.2 to 17.14 below apply only in relation to the processing of Personal Data on behalf of the ESFA as set out in Schedule 2, and the only processing that the Data Processor is authorised to do on behalf of the ESFA is listed in Schedule 2 by the ESFA and may not be determined by the Data Processor.
17.2. The Data Processor shall notify the Data Controller immediately if it considers that any of the Data Controller's instructions infringe the Data Protection Legislation.
17.3. The Data Processor shall provide all reasonable assistance to the Data Controller in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Data Controller, include:
(a) a systematic description of the envisaged processing operations and the purpose of the processing;
(b) an assessment of the necessity and proportionality of the processing operations in relation to the Services;
(c) an assessment of the risks to the rights and freedoms of Data Subjects; and
(d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data.
17.4. If requested by the ESFA’s nominated contact, the Data Processor shall, in relation to any Personal Data processed in connection with its obligations under this Contract:
(a) process that Personal Data only in accordance with Schedule 2, unless the Data Processor is required to do otherwise by Law. If it is so required the Data Processor shall promptly notify the Data Controller before processing the Personal Data unless prohibited by Law;
(b) ensure that it has in place Protective Measures, which are appropriate to protect against a Data Loss Event, which the Data Controller may reasonably reject (but failure to reject shall not amount to approval by the Data Controller of the adequacy of the Protective Measures), having taken account of the:
(i) nature of the data to be protected;
(ii) harm that might result from a Data Loss Event;
(iii) state of technological development; and
(iv) cost of implementing any measures;
(c) ensure that:
(i) the Data Processor Personnel do not process Personal Data except in accordance with this Contract (and in particular Schedule 2);
(ii) it takes all reasonable steps to ensure the reliability and integrity of any Data Processor Personnel who have access to the Personal Data and ensure that they:
(A) are aware of and comply with the Data Processor’s duties under this clause;
(B) are subject to appropriate confidentiality undertakings with the Data Processor or any Data Sub-Processor;
(C) are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third Party unless directed in writing to do so by the Data Controller or as otherwise permitted by this Contract; and
(D) have undergone adequate training in the use, care, protection and handling of Personal Data; and
(d) not transfer Personal Data outside of the EU unless the prior written consent of the Data Controller has been obtained and the following conditions are fulfilled:
(i) the Data Controller or the Data Processor has provided appropriate safeguards in relation to the transfer (whether in accordance with UK GDPR Article 46 or LED Article 37) as determined by the Data Controller;
(ii) the Data Subject has enforceable rights and effective legal remedies;
(iii) the Data Processor complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Data Controller in meeting its obligations); and
(iv) the Data Processor complies with any reasonable instructions notified to it in advance by the Data Controller with respect to the processing of the Personal Data;
(e) at the written direction of the Data Controller, delete or return Personal Data (and any copies of it) to the Data Controller on termination of the Contract unless the Data Processor is required by Law to retain the Personal Data.
17.5. Subject to Clause 17.6, the Data Processor shall notify the Data Controller immediately if it:
(a) receives a Data Subject Request (or purported Data Subject Request) in relation to the processing of their data under this Contract only (submission of ILR data);
(b) receives a request to rectify, block or erase any Personal Data processed through the submission of ILR data. Notification in such cases should be given via the nominated contact;
(c) receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation;
(d) receives any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data processed under this Contract;
(e) receives a request from any third Party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or
(f) becomes aware of a Data Loss Event.
17.6. The Data Processor’s obligation to notify under Clause 17.5 shall include the provision of further information to the Data Controller in phases, as details become available.
17.7. Taking into account the nature of the processing, the Data Processor shall provide the Data Controller with full assistance in relation to either Party's obligations under Data Protection Legislation and any complaint, communication or request made under Clause 17.5 (and insofar as possible within the timescales reasonably required by the Data Controller) including by promptly providing:
(a) the Data Controller with full details and copies of the complaint, communication or request;
(b) such assistance as is reasonably requested by the Data Controller to enable the Data Controller to comply with a Data Subject Request within the relevant timescales set out in the Data Protection Legislation;
(c) the Data Controller, at its request, with any Personal Data it holds in relation to a Data Subject;
(d) assistance as requested by the Data Controller following any Data Loss Event;
(e) assistance as requested by the Data Controller with respect to any request from the Information Commissioner’s Office, or any consultation by the Data Controller with the Information Commissioner's Office.
20.8 17.8. The Data Processor must shall maintain complete and accurate records and information to demonstrate its compliance with this clause. This requirement does not apply where the Data Processor employs fewer than 250 staff, unless:
20.8.1 (a) the Data Controller determines that the processing is not occasional;
20.8.2 (b) the Data Controller determines the processing includes special categories of data as referred to in Article 9(1) of the Data Protection Legislation UK GDPR or Personal Data relating to criminal convictions and offences referred to in Article 10 of the Data Protection Legislation UK GDPR; or
20.8.3 (c) the Data Controller determines that the processing is likely to result in a risk to the rights and freedoms of Data Subjects.
20.9 17.9. The Data Processor will shall allow for audits of its Data Processing activity by the Data Controller or the Data Controller’s designated auditor.
20.10 17.10. Each Party will shall designate its own data protection officer if required by the Data Protection Legislation.
20.11 17.11. Before allowing any Data Sub-Processor to process any Personal Data related to this Agreement Contract (submission of learner ILR data), the Data Processor must:
20.11.1 (a) notify the Data Controller’s Agreement Manager nominated contact in writing of the intended Data Sub-Processor and processing;
20.11.2 (b) obtain the written consent of the Data Controller’s Agreement Manager nominated contact;
20.11.3 (c) enter into a written agreement with the Data Sub-Processor which give effect to the terms set out in this Clause 20 17 such that they apply to the Data Sub-Processor; and
20.11.4 (d) provide the Data Controller with such information regarding the Data Sub-Processor as the Data Controller may reasonably require.
20.12 17.12. The Data Processor will shall remain fully liable for all acts or omissions of any of its Data Sub-Processors.
20.13 17.13. The Data Controller may, at any time on not less than 30 Working Days’ notice, revise this clause by replacing it with any applicable Data Controller to Data Processor standard clauses or similar terms forming part of an applicable certification scheme (which will shall apply when incorporated by attachment to this Agreement Contract).
20.14 17.14. The Parties agree to take account of any guidance issued by the Information Commissioner’s Office. The Data Controller may on not less than 30 Working Days’ notice to the Data Processor amend this Agreement Contract to ensure that it complies with any guidance issued by the Information Commissioner’s Office.
20.15 17.15. Where the Provider Contractor is providing the Services to Learners claiming out of work benefits, the Secretary of State for Work and Pensions (or their successor) is the Data Controller in relation to Personal Data which the Provider Contractor is required to provide to the Secretary of State for Work and Pensions. This Clause 20 17 will be enforceable by the Secretary of State for Work and Pensions in relation to any Personal Data processed by the Provider Contractor on its their behalf.
20.16 17.16. Where the Provider Contractor is providing the Service to Learners who are subject to active management by the Offender Manager in respect of an order or licence, the Secretary of State for Justice (or their successor) is the Data Controller in relation to Personal Data, Data which the Provider Contractor is required to provide to the Secretary of State for Education Justice.
20.17 Where the Provider is providing the Services to Learners who are subject to claiming Industrial Injuries Disablement Benefit (IIDB), the Department for Work and Pensions (or their successor) is the Data Controller in relation to Personal Data, which the Provider is required to provide to the Secretary of State for Education. This Clause 20 will be enforceable by the Secretary of State for Work and Pensions in relation to any Personal Data processed by the Provider on its behalf.
20.18 The Data Processor will comply with any further written instructions or additional conditions from the Department’s Data Controller in relation to the data processing.
20.19 In the circumstances set out in Clause 37.1.7, the Department may elect to take the role of Data Controller.
Appears in 1 contract
Samples: Contract for Services
DATA PROTECTION AND PROTECTION OF PERSONAL DATA. 20.1 23.1 The Parties acknowledge that for the purposes of the Data Protection Legislation, the Department on behalf of the Secretary of State for Education is the Data Controller and the Provider College is the Data Processor only for the processing set out in Schedule 6 4 (UK GDPR/Data Protection) (i.e. submission of Learner data to the Department). Any other processing of Personal Data undertaken by the Provider College (i.e. Learner enrolment or delivering education & training, e.g. e-portfolios) will be as a Data Controller and not on behalf of the Department. Clauses 20.2 23.2 to 20.14 23.14 below apply only in relation to the processing of Personal Data on behalf of the Department as set out in Schedule 6 4 (UK GDPR/Data Protection), and the only processing that the Data Processor is authorised to do on behalf of the Department is listed in Schedule 6 4 (UK GDPR/Data Protection) by the Department and may not be determined by the Data Processor.
20.2 23.2 The Data Processor must notify the Data Controller immediately if it considers that any of the Data Controller's instructions infringe the Data Protection Legislation.
20.3 23.3 The Data Processor must provide all reasonable assistance to the Data Controller in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Data Controller, include:
(a) 23.3.1 a systematic description of the envisaged processing operations and the purpose of the processing;
(b) 23.3.2 an assessment of the necessity and proportionality of the processing operations in relation to the Services;
(c) 23.3.3 an assessment of the risks to the rights and freedoms of Data Subjects; and
(d) 23.3.4 the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data.
20.4 23.4 If requested by the Department’s Agreement Manager, the Data Processor must, in relation to any Personal Data processed in connection with its obligations under this Agreement:
20.4.1 23.4.1 process that Personal Data only in accordance with Schedule 6 4 (UK GDPR/Data Protection), unless the Data Processor is required to do otherwise by Law. If it is so required the Data Processor will promptly notify the Data Controller before processing the Personal Data unless prohibited by Law;
20.4.2 23.4.2 ensure that it has in place Protective Measures, which are appropriate to protect against a Data Loss Event, which the Data Controller may reasonably reject (but failure to reject will not amount to approval by the Data Controller of the adequacy of the Protective Measures), having taken account of the:
(a) nature of the data to be protected;
(b) harm that might result from a Data Loss Event;
(c) state of technological development; and
(d) cost of implementing any measures;
20.4.3 23.4.3 ensure that:
(a) the Data Processor Personnel do not process Personal Data except in accordance with this Agreement (and in particular Schedule 6 4 (UK GDPR/Data Protection));
(b) it takes all reasonable steps to ensure the reliability and integrity of any Data Processor Personnel who have access to the Personal Data and ensure that they:
(i) are aware of and comply with the Data Processor’s duties under this clause;
(ii) are subject to appropriate confidentiality undertakings with the Data Processor or any Data Sub-Processor;
(iii) are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third Party unless directed in writing to do so by the Data Controller or as otherwise permitted by this Agreement; and
(iv) have undergone adequate training in the use, care, protection and handling of Personal Data; and
20.4.4 23.4.4 not make a Restricted Transfer unless the prior written consent of the Data Controller has been obtained and the following conditions are fulfilled:
(a) the destination country has been recognised as adequate by the UK government in accordance with Article 45 UK GDPR or section 74 of the DPA 2018;
(b) the Data Controller or the Data Processor has provided appropriate safeguards in relation to the transfer (whether in accordance with Data Protection Legislation UK GDPR Article 46 or section 75 of the DPA 2018) as determined by the Data Controller;
(b) (c) the Data Subject has enforceable rights and effective legal remedies;
(c) (d) the Data Processor complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Data Controller in meeting its obligations); and
(d) (e) the Data Processor complies with any reasonable instructions notified to it in advance by the Data Controller with respect to the processing of the Personal Data;
20.4.5 23.4.5 at the written direction of the Data Controller, delete or return Personal Data (and any copies of it) to the Data Controller on termination of the Agreement unless the Data Processor is required by Law to retain the Personal Data.
20.5 23.5 Subject to Clause 20.6 23.6, the Data Processor must notify the Data Controller immediately if it:
20.5.1 23.5.1 receives a Data Subject Access Request (or purported Data Subject Access Request) in relation to processing their data under this Agreement only (submission of learner Learner data);
20.5.2 23.5.2 receives a request to rectify, block or erase any Personal Data processed through the submission of learner Learner data. Notification in such cases should be given via the Agreement Manager;
20.5.3 23.5.3 receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation;
20.5.4 23.5.4 receives any communication from the Information Commissioner or any other Regulatory Body in connection with Personal Data processed under this Agreement;
20.5.5 23.5.5 receives a request from any third Party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or
20.5.6 23.5.6 becomes aware of a Data Loss Event.
20.6 23.6 The Data Processor’s obligation to notify under Clause 20.5 23.5 will include the provision of further information to the Data Controller in phases, as details become available.
20.7 23.7 Taking into account the nature of the processing, the Data Processor will provide the Data Controller with full assistance in relation to either Party's obligations under Data Protection Legislation and any complaint, communication or request made under Clause 20.5 23.5 (and insofar as possible within the timescales reasonably required by the Data Controller) including by promptly providing:
20.7.1 23.7.1 the Data Controller with full details and copies of the complaint, communication or request;
20.7.2 23.7.2 such assistance as is reasonably requested by the Data Controller to enable the Data Controller to comply with a Data Subject Access Request within the relevant timescales set out in the Data Protection Legislation;
20.7.3 23.7.3 the Data Controller, at its request, with any Personal Data it holds in relation to a Data Subject;
20.7.4 23.7.4 assistance as requested by the Data Controller following any Data Loss Event;
20.7.5 23.7.5 assistance as requested by the Data Controller with respect to any request from the Information Commissioner’s Office, or any consultation by the Data Controller with the Information Commissioner's Office.
20.8 23.8 The Data Processor must maintain complete and accurate records and information to demonstrate its compliance with this clause. This requirement does not apply where the Data Processor employs fewer than 250 staff, unless:
20.8.1 23.8.1 the Data Controller determines that the processing is not occasional;
20.8.2 23.8.2 the Data Controller determines the processing includes special categories of data as referred to in the Data Protection Legislation Article 9(1) of the UK GDPR or Personal Data relating to criminal convictions Convictions and offences referred to in Article 10 of the Data Protection Legislation UK GDPR; or
20.8.3 23.8.3 the Data Controller determines that the processing is likely to result in a risk to the rights and freedoms of Data Subjects.
20.9 23.9 The Data Processor will allow for audits of its Data Processing activity by the Data Controller or the Data Controller’s designated auditor.
20.10 23.10 Each Party will designate its own data protection officer Data Protection Officer if required by the Data Protection Legislation.
20.11 23.11 Before allowing any Data Sub-Processor to process any Personal Data related to this Agreement (submission of learner Learner data), the Data Processor must:
20.11.1 23.11.1 notify the Data Controller’s Agreement Manager in writing of the intended Data Sub-Processor and processing;
20.11.2 23.11.2 obtain the written consent of the Data Controller’s Agreement Manager;
20.11.3 23.11.3 enter into a written agreement with the Data Sub-Processor which give effect to the terms set out in this Clause 20 23 such that they apply to the Data Sub-Processor; and
20.11.4 23.11.4 provide the Data Controller with such information regarding the Data Sub-Processor as the Data Controller may reasonably require.
20.12 23.12 The Data Processor will remain fully liable for all acts or omissions of any of its Data Sub-Processors.
20.13 23.13 The Data Controller may, at any time on not less than 30 Working Days’ notice, revise this clause by replacing it with any applicable Data Controller to Data Processor standard clauses or similar terms forming part of an applicable certification scheme (which will apply when incorporated by attachment to this Agreement).
20.14 23.14 The Parties agree to take account of any guidance issued by the Information Commissioner’s Office. The Data Controller may on not less than 30 Working Days’ notice to the Data Processor amend this Agreement to ensure that it complies with any guidance issued by the Information Commissioner’s Office.
20.15 23.15 Where the Provider College is providing the Services to Learners claiming out of work benefits, the Secretary of State for Work and Pensions (or their successor) is the Data Controller in relation to Personal Data which the Provider College is required to provide to the Secretary of State for Work and Pensions. This Clause 20 23 will be enforceable by the Secretary of State for Work and Pensions in relation to any Personal Data processed by the Provider College on its behalf.
20.16 23.16 Where the Provider College is providing the Service to Learners who are subject to active management by the Offender Manager in respect of an order or licence, the Secretary of State for Justice (or their successor) is the Data Controller in relation to Personal Data, which the Provider College is required to provide to the Secretary of State for Education.
20.17 23.17 Where the Provider College is providing the Services to Learners who are subject to claiming Industrial Injuries Disablement Benefit (IIDB), the Department for Work and Pensions (or their successor) is the Data Controller in relation to Personal Data, which the Provider College is required to provide to the Secretary of State for Education. This Clause 20 23 will be enforceable by the Secretary of State for Work and Pensions in relation to any Personal Data processed by the Provider College on its behalf.
20.18 23.18 The Data Processor will comply with any further written instructions or additional conditions from the Department’s Data Controller in relation to the data processing.
20.19 23.19 In the circumstances set out in Clause 37.1.7 33.9, the Department may elect to take the role of Data Controller.
Appears in 1 contract
Samples: Accountability Agreement
DATA PROTECTION AND PROTECTION OF PERSONAL DATA. 20.1 The Parties acknowledge that for the purposes of the Data Protection Legislation Laws, the Department on behalf of the Secretary of State for Education is the Data Controller and the Provider College is the Data Processor only for the processing set out in Schedule 6 (i.e. submission of Learner data to the Department). Any other processing of Personal Data undertaken by the Provider College (i.e. Learner enrolment or delivering education & training, e.g. e-portfolios) will be as a Data Controller and not on behalf of the Department. Clauses 20.2 to 20.14 below apply only in relation to the processing of Personal Data on behalf of the Department as set out in Schedule 6, and the only processing that the Data Processor is authorised to do on behalf of the Department is listed in Schedule 6 by the Department and may not be determined by the Data Processor.
20.2 The Data Processor must notify the Data Controller immediately if it considers that any of the Data Controller's instructions infringe the Data Protection Legislation Laws.
20.3 The Data Processor must provide all reasonable assistance to the Data Controller in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Data Controller, include:
(a) 20.3.1 a systematic description of the envisaged processing operations and the purpose of the processing;
(b) 20.3.2 an assessment of the necessity and proportionality of the processing operations in relation to the Services;
(c) 20.3.3 an assessment of the risks to the rights and freedoms of Data Subjects; and
(d) 20.3.4 the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data.
20.4 If requested by the Department’s Agreement Manager, the Data Processor must, in relation to any Personal Data processed in connection with its obligations under this Agreement:
20.4.1 process that Personal Data only in accordance with Schedule 6, unless the Data Processor is required to do otherwise by Law. If it is so required the Data Processor will promptly notify the Data Controller before processing the Personal Data unless prohibited by Law;
20.4.2 ensure that it has in place Protective Measures, which are appropriate to protect against a Data Loss Event, which the Data Controller may reasonably reject (but failure to reject will not amount to approval by the Data Controller of the adequacy of the Protective Measures), having taken account of the:
(a) nature of the data to be protected;
(b) harm that might result from a Data Loss Event;
(c) state of technological development; and
(d) cost of implementing any measures;
20.4.3 ensure that:
(a) the Data Processor Personnel do not process Personal Data except in accordance with this Agreement (and in particular Schedule 6);
(b) it takes all reasonable steps to ensure the reliability and integrity of any Data Processor Personnel who have access to the Personal Data and ensure that they:
(i) are aware of and comply with the Data Processor’s duties under this clause;
(ii) are subject to appropriate confidentiality undertakings with the Data Processor or any Data Sub-Processor;
(iii) are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third Party unless directed in writing to do so by the Data Controller or as otherwise permitted by this Agreement; and
(iv) have undergone adequate training in the use, care, protection and handling of Personal Data; and
20.4.4 not make a Restricted Transfer transfer Personal Data outside of the EU unless the prior written consent of the Data Controller has been obtained and the following conditions are fulfilled:
(a) the Data Controller or the Data Processor has provided appropriate safeguards in relation to the transfer (whether in accordance with Data Protection Legislation UK GDPR Article 46 or LED Article 37) as determined by the Data Controller;
(b) the Data Subject has enforceable rights and effective legal remedies;
(c) the Data Processor complies with its obligations under the Data Protection Legislation Laws by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Data Controller in meeting its obligations); and
(d) the Data Processor complies with any reasonable instructions notified to it in advance by the Data Controller with respect to the processing of the Personal Data;
20.4.5 at the written direction of the Data Controller, delete or return Personal Data (and any copies of it) to the Data Controller on termination of the Agreement unless the Data Processor is required by Law to retain the Personal Data.
20.5 Subject to Clause 20.6, the Data Processor must notify the Data Controller immediately if it:
20.5.1 receives a Data Subject Request (or purported Data Subject Request) in relation to processing their data under this Agreement only (submission of learner data);
20.5.2 receives a request to rectify, block or erase any Personal Data processed through the submission of learner data. Notification in such cases should be given via the Agreement Manager;
20.5.3 receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation Laws;
20.5.4 receives any communication from the Information Commissioner or any other Regulatory Body in connection with Personal Data processed under this Agreement;
20.5.5 receives a request from any third Party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or
20.5.6 becomes aware of a Data Loss Event.
20.6 The Data Processor’s obligation to notify under Clause 20.5 will include the provision of further information to the Data Controller in phases, as details become available.
20.7 Taking into account the nature of the processing, the Data Processor will provide the Data Controller with full assistance in relation to either Party's obligations under Data Protection Legislation Laws and any complaint, communication or request made under Clause 20.5 (and insofar as possible within the timescales reasonably required by the Data Controller) including by promptly providing:
20.7.1 the Data Controller with full details and copies of the complaint, communication or request;
20.7.2 such assistance as is reasonably requested by the Data Controller to enable the Data Controller to comply with a Data Subject Request within the relevant timescales set out in the Data Protection Legislation Laws;
20.7.3 the Data Controller, at its request, with any Personal Data it holds in relation to a Data Subject;
20.7.4 assistance as requested by the Data Controller following any Data Loss Event;
20.7.5 assistance as requested by the Data Controller with respect to any request from the Information Commissioner’s Office, or any consultation by the Data Controller with the Information Commissioner's Office.
20.8 The Data Processor must maintain complete and accurate records and information to demonstrate its compliance with this clause. This requirement does not apply where the Data Processor employs fewer than 250 staff, unless:
20.8.1 the Data Controller determines that the processing is not occasional;
20.8.2 the Data Controller determines the processing includes special categories of data as referred to in Article 9(1) of the Data Protection Legislation UK GDPR or Personal Data relating to criminal convictions and offences referred to in Article 10 of the Data Protection Legislation UK GDPR; or
20.8.3 the Data Controller determines that the processing is likely to result in a risk to the rights and freedoms of Data Subjects.
20.9 The Data Processor will allow for audits of its Data Processing activity by the Data Controller or the Data Controller’s designated auditor.
20.10 Each Party will designate its own data protection officer if required by the Data Protection Legislation Laws.
20.11 Before allowing any Data Sub-Processor to process any Personal Data related to this Agreement (submission of learner data), the Data Processor must:
20.11.1 notify the Data Controller’s Agreement Manager in writing of the intended Data Sub-Processor and processing;
20.11.2 obtain the written consent of the Data Controller’s Agreement Manager;
20.11.3 enter into a written agreement with the Data Sub-Processor which give effect to the terms set out in this Clause 20 such that they apply to the Data Sub-Processor; and
20.11.4 provide the Data Controller with such information regarding the Data Sub-Processor as the Data Controller may reasonably require.
20.12 The Data Processor will remain fully liable for all acts or omissions of any of its Data Sub-Processors.
20.13 The Data Controller may, at any time on not less than 30 Working Days’ notice, revise this clause by replacing it with any applicable Data Controller to Data Processor standard clauses or similar terms forming part of an applicable certification scheme (which will apply when incorporated by attachment to this Agreement).
20.14 The Parties agree to take account of any guidance issued by the Information Commissioner’s Office. The Data Controller may on not less than 30 Working Days’ notice to the Data Processor amend this Agreement to ensure that it complies with any guidance issued by the Information Commissioner’s Office.
20.15 Where the Provider College is providing the Services to Learners claiming out of work benefits, the Secretary of State for Work and Pensions (or their successor) is the Data Controller in relation to Personal Data which the Provider College is required to provide to the Secretary of State for Work and Pensions. This Clause 20 will be enforceable by the Secretary of State for Work and Pensions in relation to any Personal Data processed by the Provider College on its behalf.
20.16 Where the Provider College is providing the Service to Learners who are subject to active management by the Offender Manager in respect of an order or licence, the Secretary of State for Justice (or their successor) is the Data Controller in relation to Personal Data, which the Provider College is required to provide to the Secretary of State for Education.
20.17 Where the Provider College is providing the Services to Learners who are subject to claiming Industrial Injuries Disablement Benefit (IIDB), the Department for Work and Pensions (or their successor) is the Data Controller in relation to Personal Data, which the Provider College is required to provide to the Secretary of State for Education. This Clause 20 will be enforceable by the Secretary of State for Work and Pensions in relation to any Personal Data processed by the Provider College on its behalf.
20.18 The Data Processor will comply with any further written instructions or additional conditions from the Department’s Data Controller in relation to the data processing.
20.19 In the circumstances set out in Clause 37.1.7 36.1.7, the Department may elect to take the role of Data Controller.
Appears in 1 contract
Samples: Conditions of Funding (Grant)
DATA PROTECTION AND PROTECTION OF PERSONAL DATA. 20.1 The Parties acknowledge that for the purposes of the Data Protection Legislation Laws, the Department on behalf of the Secretary of State for Education is the Data Controller and the Provider Employer is the Data Processor only for the processing set out in Schedule 6 (i.e. submission of Learner data to the Department). Any other processing of Personal Data undertaken by the Provider Employer (i.e. Learner enrolment or delivering education & training, e.g. e-portfolios) will be as a Data Controller and not on behalf of the Department. Clauses 20.2 to 20.14 below apply only in relation to the processing of Personal Data on behalf of the Department as set out in Schedule 6, and the only processing that the Data Processor is authorised to do on behalf of the Department is listed in Schedule 6 by the Department and may not be determined by the Data Processor.
20.2 The Data Processor must notify the Data Controller immediately if it considers that any of the Data Controller's instructions infringe the Data Protection Legislation Laws.
20.3 The Data Processor must provide all reasonable assistance to the Data Controller in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Data Controller, include:
(a) a systematic description of the envisaged processing operations and the purpose of the processing;
(b) an assessment of the necessity and proportionality of the processing operations in relation to the Services;
(c) an assessment of the risks to the rights and freedoms of Data Subjects; and
(d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data.
20.4 If requested by the Department’s Agreement Manager, the Data Processor must, in relation to any Personal Data processed in connection with its obligations under this Agreement:
20.4.1 process that Personal Data only in accordance with Schedule 6, unless the Data Processor is required to do otherwise by Law. If it is so required the Data Processor will promptly notify the Data Controller before processing the Personal Data unless prohibited by Law;
20.4.2 ensure that it has in place Protective Measures, which are appropriate to protect against a Data Loss Event, which the Data Controller may reasonably reject (but failure to reject will not amount to approval by the Data Controller of the adequacy of the Protective Measures), having taken account of the:
(a) nature of the data to be protected;
(b) harm that might result from a Data Loss Event;
(c) state of technological development; and
(d) cost of implementing any measures;
20.4.3 ensure that:
(a) the Data Processor Personnel do not process Personal Data except in accordance with this Agreement (and in particular Schedule 6);
(b) it takes all reasonable steps to ensure the reliability and integrity of any Data Processor Personnel who have access to the Personal Data and ensure that they:
(i) are aware of and comply with the Data Processor’s duties under this clause;
(ii) are subject to appropriate confidentiality undertakings with the Data Processor or any Data Sub-Processorprocessor;
(iii) are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third Party unless directed in writing to do so by the Data Controller or as otherwise permitted by this Agreement; and
(iv) have undergone adequate training in the use, care, protection and handling of Personal Data; and
20.4.4 not transfer Personal Data outside of the EU unless the prior written consent of the Data Controller has been obtained and the following conditions are fulfilled:
(a) the Data Controller or the Data Processor has provided appropriate safeguards in relation to the transfer (whether in accordance with GDPR Article 46 or LED Article 37) as determined by the Data Controller;
(b) the Data Subject has enforceable rights and effective legal remedies;
(c) the Data Processor complies with its obligations under the Data Protection Laws by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Data Controller in meeting its obligations); and
(d) the Data Processor complies with any reasonable instructions notified to it in advance by the Data Controller with respect to the processing of the Personal Data;
20.4.5 at the written direction of the Data Controller, delete or return Personal Data (and any copies of it) to the Data Controller on termination of the Agreement unless the Data Processor is required by Law to retain the Personal Data.
20.5 Subject to Clause 20.6, the Data Processor must notify the Data Controller immediately if it:
20.5.1 receives a Data Subject Request (or purported Data Subject Request) in relation to processing their data under this Agreement only (submission of learner data);
20.5.2 receives a request to rectify, block or erase any Personal Data processed through the submission of learner data. Notification in such cases should be given via the Agreement Manager;
20.5.3 receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Laws;
20.5.4 receives any communication from the Information Commissioner or any other Regulatory Body in connection with Personal Data processed under this Agreement;
20.5.5 receives a request from any third Party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or
20.5.6 becomes aware of a Data Loss Event.
20.6 The Data Processor’s obligation to notify under Clause 20.5 will include the provision of further information to the Data Controller in phases, as details become available.
20.7 Taking into account the nature of the processing, the Data Processor will provide the Data Controller with full assistance in relation to either Party's obligations under Data Protection Laws and any complaint, communication or request made under Clause 20.5 (and insofar as possible within the timescales reasonably required by the Data Controller) including by promptly providing:
20.7.1 the Data Controller with full details and copies of the complaint, communication or request;
20.7.2 such assistance as is reasonably requested by the Data Controller to enable the Data Controller to comply with a Data Subject Request within the relevant timescales set out in the Data Protection Laws;
20.7.3 the Data Controller, at its request, with any Personal Data it holds in relation to a Data Subject;
20.7.4 assistance as requested by the Data Controller following any Data Loss Event;
20.7.5 assistance as requested by the Data Controller with respect to any request from the Information Commissioner’s Office, or any consultation by the Data Controller with the Information Commissioner's Office.
20.8 The Data Processor must maintain complete and accurate records and information to demonstrate its compliance with this clause. This requirement does not apply where the Data Processor employs fewer than 250 staff, unless:
20.8.1 the Data Controller determines that the processing is not occasional;
20.8.2 the Data Controller determines the processing includes special categories of data as referred to in Article 9(1) of the GDPR or Personal Data relating to criminal convictions and offences referred to in Article 10 of the GDPR; or
20.8.3 the Data Controller determines that the processing is likely to result in a risk to the rights and freedoms of Data Subjects.
20.9 The Data Processor will allow for audits of its Data Processing activity by the Data Controller or the Data Controller’s designated auditor.
20.10 Each Party will designate its own data protection officer if required by the Data Protection Laws.
20.11 Before allowing any Data Sub-processor to process any Personal Data related to this Agreement (submission of learner data), the Data Processor must:
20.11.1 notify the Data Controller’s Agreement Manager in writing of the intended Data Sub-processor and processing;
20.11.2 obtain the written consent of the Data Controller’s Agreement Manager;
20.11.3 enter into a written agreement with the Data Sub-processor which give effect to the terms set out in this Clause 20 such that they apply to the Data Sub-processor; and
20.11.4 provide the Data Controller with such information regarding the Data Sub-processor as the Data Controller may reasonably require.
20.12 The Data Processor will remain fully liable for all acts or omissions of any of its Data Sub-processors.
20.13 The Data Controller may, at any time on not less than 30 Working Days’ notice, revise this clause by replacing it with any applicable controller to processor standard clauses or similar terms forming part of an applicable certification scheme (which will apply when incorporated by attachment to this Agreement).
20.14 The Parties agree to take account of any guidance issued by the Information Commissioner’s Office. The Data Controller may on not less than 30 Working Days’ notice to the Data Processor amend this Agreement to ensure that it complies with any guidance issued by the Information Commissioner’s Office.
20.15 Where the Employer is providing the Services to Learners claiming out of work benefits, the Secretary of State for Work and Pensions (or their successor) is the Data Controller in relation to Personal Data which the Employer is required to provide to the Secretary of State for Work and Pensions. This Clause 20 will be enforceable by the Secretary of State for Work and Pensions in relation to any Personal Data processed by the Employer on its behalf.
20.16 Where the Employer is providing the Service to Learners who are subject to active management by the Offender Manager in respect of an order or licence, the Secretary of State for Justice (or their successor) is the Data Controller in relation to Personal Data, which the Employer is required to provide to the Secretary of State for Education.
20.17 Where the Employer is providing the Services to Learners who are subject to claiming Industrial Injuries Disablement Benefit (IIDB), the Department for Work and Pensions (or their successor) is the Data Controller in relation to Personal Data, which the Employer is required to provide to the Secretary of State for Education. This Clause 20 will be enforceable by the Secretary of State for Work and Pensions in relation to any Personal Data processed by the Employer on its behalf.
20.18 The Data Processor will comply with any further written instructions or additional conditions from the Department’s Data Controller in relation to the data processing.
20.19 In the circumstances set out in Clause 37.1.7, the Department may elect to take the role of Data Controller.
Appears in 1 contract
Samples: Conditions of Funding (Grant)
DATA PROTECTION AND PROTECTION OF PERSONAL DATA. 17.1. The Parties acknowledge that for the purposes of the Data Protection Legislation, the ESFA on behalf of the Secretary of State for Education is the Data Controller and the Contractor is the Data Processor only for the processing set out in Schedule 2 (i.e. submission of Learner data to the ESFA). Any other processing of Personal Data (i.e. Learner enrolment or delivering education & training e.g. e-portfolios) undertaken by the Contractor will be as a data controller and not on behalf of the ESFA. Clauses 17.2 to 17.14 below apply only in relation to the processing of Personal Data on behalf of the ESFA as set out in Schedule 2, and the only processing that the Data Processor is authorised to do on behalf of the ESFA is listed in Schedule 2 by the ESFA and may not be determined by the Data Processor.
17.2. The Data Processor shall notify the Data Controller immediately if it considers that any of the Data Controller's instructions infringe the Data Protection Legislation.
17.3. The Data Processor shall provide all reasonable assistance to the Data Controller in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Data Controller, include:
(a) a systematic description of the envisaged processing operations and the purpose of the processing;
(b) an assessment of the necessity and proportionality of the processing operations in relation to the Services;
(c) an assessment of the risks to the rights and freedoms of Data Subjects; and
(d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data.
17.4. If requested by the ESFA’s nominated contact, the Data Processor shall, in relation to any Personal Data processed in connection with its obligations under this Contract:
(a) process that Personal Data only in accordance with Schedule 2, unless the Data Processor is required to do otherwise by Law. If it is so required the Data Processor shall promptly notify the Data Controller before processing the Personal Data unless prohibited by Law;
(b) ensure that it has in place Protective Measures, which are appropriate to protect against a Data Loss Event, which the Data Controller may reasonably reject (but failure to reject shall not amount to approval by the Data Controller of the adequacy of the Protective Measures), having taken account of the:
(i) nature of the data to be protected;
(ii) harm that might result from a Data Loss Event;
(iii) state of technological development; and
(iv) cost of implementing any measures;
(c) ensure that:
(i) the Data Processor Personnel do not process Personal Data except in accordance with this Contract (and in particular Schedule 2);
(ii) it takes all reasonable steps to ensure the reliability and integrity of any Data Processor Personnel who have access to the Personal Data and ensure that they:
(A) are aware of and comply with the Data Processor’s duties under this clause;
(B) are subject to appropriate confidentiality undertakings with the Data Processor or any Data Sub-processor;
(C) are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third Party unless directed in writing to do so by the Data Controller or as otherwise permitted by this Contract; and
(D) have undergone adequate training in the use, care, protection and handling of Personal Data; and
(d) not transfer Personal Data outside of the EU unless the prior written consent of the Data Controller has been obtained and the following conditions are fulfilled:
(i) the Data Controller or the Data Processor has provided appropriate safeguards in relation to the transfer (whether in accordance with GDPR Article 46 or LED Article 37) as determined by the Data Controller;
(ii) the Data Subject has enforceable rights and effective legal remedies;
(iii) the Data Processor complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Data Controller in meeting its obligations); and
(iv) the Data Processor complies with any reasonable instructions notified to it in advance by the Data Controller with respect to the processing of the Personal Data;
(e) at the written direction of the Data Controller, delete or return Personal Data (and any copies of it) to the Data Controller on termination of the Contract unless the Data Processor is required by Law to retain the Personal Data.
17.5. Subject to Clause 17.6, the Data Processor shall notify the Data Controller immediately if it:
(a) receives a Data Subject Request (or purported Data Subject Request) in relation to the processing of their data under this Contract only (submission of ILR data);
(b) receives a request to rectify, block or erase any Personal Data processed through the submission of ILR data. Notification in such cases should be given via the nominated contact;
(c) receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation;
(d) receives any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data processed under this Contract;
(e) receives a request from any third Party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or
(f) becomes aware of a Data Loss Event.
17.6. The Data Processor’s obligation to notify under Clause 17.5 shall include the provision of further information to the Data Controller in phases, as details become available.
17.7. Taking into account the nature of the processing, the Data Processor shall provide the Data Controller with full assistance in relation to either Party's obligations under Data Protection Legislation and any complaint, communication or request made under Clause 17.5 (and insofar as possible within the timescales reasonably required by the Data Controller) including by promptly providing:
(a) the Data Controller with full details and copies of the complaint, communication or request;
(b) such assistance as is reasonably requested by the Data Controller to enable the Data Controller to comply with a Data Subject Request within the relevant timescales set out in the Data Protection Legislation;
(c) the Data Controller, at its request, with any Personal Data it holds in relation to a Data Subject;
(d) assistance as requested by the Data Controller following any Data Loss Event;
(e) assistance as requested by the Data Controller with respect to any request from the Information Commissioner’s Office, or any consultation by the Data Controller with the Information Commissioner's Office.
17.8. The Data Processor shall maintain complete and accurate records and information to demonstrate its compliance with this clause. This requirement does not apply where the Data Processor employs fewer than 250 staff, unless:
(a) the Data Controller determines that the processing is not occasional;
(b) the Data Controller determines the processing includes special categories of data as referred to in Article 9(1) of the GDPR or Personal Data relating to criminal convictions and offences referred to in Article 10 of the GDPR; or
(c) the Data Controller determines that the processing is likely to result in a risk to the rights and freedoms of Data Subjects.
17.9. The Data Processor shall allow for audits of its Data Processing activity by the Data Controller or the Data Controller’s designated auditor.
17.10. Each Party shall designate its own data protection officer if required by the Data Protection Legislation.
17.11. Before allowing any Data Sub-processor to process any Personal Data related to this Contract (submission of ILR data), the Data Processor must:
(a) notify the Data Controller’s nominated contact in writing of the intended Data Sub-processor and processing;
(b) obtain the written consent of the Data Controller’s nominated contact;
(c) enter into a written agreement with the Data Sub-processor which give effect to the terms set out in this Clause 17 such that they apply to the Data Sub-processor; and
(d) provide the Data Controller with such information regarding the Data Sub-processor as the Data Controller may reasonably require.
17.12. The Data Processor shall remain fully liable for all acts or omissions of any of its Data Sub-processors.
17.13. The Data Controller may, at any time on not less than 30 Working Days’ notice, revise this clause by replacing it with any applicable controller to processor standard clauses or similar terms forming part of an applicable certification scheme (which shall apply when incorporated by attachment to this Contract).
17.14. The Parties agree to take account of any guidance issued by the Information Commissioner’s Office. The Data Controller may on not less than 30 Working Days’ notice to the Data Processor amend this Contract to ensure that it complies with any guidance issued by the Information Commissioner’s Office.
17.15. Where the Contractor is providing the Services to Learners claiming out of work benefits, the Secretary of State for Work and Pensions (or their successor) is the data controller in relation to Personal Data which the Contractor is required to provide to the Secretary of State for Work and Pensions. This Clause 17 will be enforceable by the Secretary of State for Work and Pensions in relation to any Personal Data processed by the Contractor on their behalf.
17.16. Where the Contractor is providing the Service to Learners who are subject to active management by the Offender Manager in respect of an order or licence, the Secretary of State for Justice (or their successor) is the data controller in relation to Personal Data which the Contractor is required to provide to the Secretary of State for Justice.
20.17 Where the Provider is providing the Services to Learners who are subject to claiming Industrial Injuries Disablement Benefit (IIDB), the Department for Work and Pensions (or their successor) is the Data Controller in relation to Personal Data, which the Provider is required to provide to the Secretary of State for Education. This Clause 20 will be enforceable by the Secretary of State for Work and Pensions in relation to any Personal Data processed by the Provider on its behalf.
20.18 The Data Processor will comply with any further written instructions or additional conditions from the Department’s Data Controller in relation to the data processing.
20.19 In the circumstances set out in Clause 37.1.7, the Department may elect to take the role of Data Controller.
Appears in 1 contract
Samples: Contract for Services
DATA PROTECTION AND PROTECTION OF PERSONAL DATA. 16.1 The Parties acknowledge that for the purposes of the Data Protection Legislation, the ESFA on behalf of the Secretary of State for Education is the Data Controller and the Contractor is the Data Processor only for the processing set out in Schedule 2 (i.e. submission of Apprentice data to the ESFA). Any other processing of Personal Data (i.e. Apprentice enrolment or delivering education & training, e.g. e-portfolios) undertaken by the Contractor will be as a data controller and not on behalf of the ESFA. Clauses 16.2 to 16.14 below apply only in relation to the processing of Personal Data on behalf of the ESFA as set out in Schedule 2, and the only processing that the Data Processor is authorised to do on behalf of the ESFA is listed in Schedule 2 by the ESFA and may not be determined by the Data Processor.
16.2 The Data Processor shall notify the Data Controller immediately if it considers that any of the Data Controller's instructions infringe the Data Protection Legislation.
16.3 The Data Processor shall provide all reasonable assistance to the Data Controller in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Data Controller, include:
(a) a systematic description of the envisaged processing operations and the purpose of the processing;
(b) an assessment of the necessity and proportionality of the processing operations in relation to the Services;
(c) an assessment of the risks to the rights and freedoms of Data Subjects; and
(d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data.
16.4 If requested by the ESFA’s nominated contact, the Data Processor shall, in relation to any Personal Data processed in connection with its obligations under this Contract:
(a) process that Personal Data only in accordance with Schedule 2, unless the Data Processor is required to do otherwise by Law. If it is so required the Data Processor shall promptly notify the Data Controller before processing the Personal Data unless prohibited by Law;
(b) ensure that it has in place Protective Measures, which are appropriate to protect against a Data Loss Event, which the Data Controller may reasonably reject (but failure to reject shall not amount to approval by the Data Controller of the adequacy of the Protective Measures), having taken account of the:
(i) nature of the data to be protected;
(ii) harm that might result from a Data Loss Event;
(iii) state of technological development; and
(iv) cost of implementing any measures;
(c) ensure that:
(i) the Data Processor Personnel do not process Personal Data except in accordance with this Contract (and in particular Schedule 2);
(ii) it takes all reasonable steps to ensure the reliability and integrity of any Data Processor Personnel who have access to the Personal Data and ensure that they:
(A) are aware of and comply with the Data Processor’s duties under this clause;
(B) are subject to appropriate confidentiality undertakings with the Data Processor or any Data Sub-processor;
(C) are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third Party unless directed in writing to do so by the Data Controller or as otherwise permitted by this Contract; and
(D) have undergone adequate training in the use, care, protection and handling of Personal Data; and
(d) not transfer Personal Data outside of the EU unless the prior written consent of the Data Controller has been obtained and the following conditions are fulfilled:
(i) the Data Controller or the Data Processor has provided appropriate safeguards in relation to the transfer (whether in accordance with GDPR Article 46 or LED Article 37) as determined by the Data Controller;
(ii) the Data Subject has enforceable rights and effective legal remedies;
(iii) the Data Processor complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Data Controller in meeting its obligations); and
(iv) the Data Processor complies with any reasonable instructions notified to it in advance by the Data Controller with respect to the processing of the Personal Data;
(e) at the written direction of the Data Controller, delete or return Personal Data (and any copies of it) to the Data Controller on termination of the Contract unless the Data Processor is required by Law to retain the Personal Data.
16.5 Subject to Clause 16.6, the Data Processor shall notify the Data Controller immediately if it:
(a) receives a Data Subject Request (or purported Data Subject Request) in relation to the processing of their data under this Contract only (submission of ILR data);
(b) receives a request to rectify, block or erase any Personal Data processed through the submission of ILR data. Notification in such cases should be given via the nominated contact;
(c) receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation;
(d) receives any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data processed under this Contract;
(e) receives a request from any third Party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or
(f) becomes aware of a Data Loss Event.
16.6 The Data Processor’s obligation to notify under Clause 16.5 shall include the provision of further information to the Data Controller in phases, as details become available.
16.7 Taking into account the nature of the processing, the Data Processor shall provide the Data Controller with full assistance in relation to either Party's obligations under Data Protection Legislation and any complaint, communication or request made under Clause 16.5 (and insofar as possible within the timescales reasonably required by the Data Controller) including by promptly providing:
(a) the Data Controller with full details and copies of the complaint, communication or request;
(b) such assistance as is reasonably requested by the Data Controller to enable the Data Controller to comply with a Data Subject Request within the relevant timescales set out in the Data Protection Legislation;
(c) the Data Controller, at its request, with any Personal Data it holds in relation to a Data Subject;
(d) assistance as requested by the Data Controller following any Data Loss Event;
(e) assistance as requested by the Data Controller with respect to any request from the Information Commissioner’s Office, or any consultation by the Data Controller with the Information Commissioner's Office.
16.8 The Data Processor shall maintain complete and accurate records and information to demonstrate its compliance with this clause. This requirement does not apply where the Data Processor employs fewer than 250 staff, unless:
(a) the Data Controller determines that the processing is not occasional;
(b) the Data Controller determines the processing includes special categories of data as referred to in Article 9(1) of the GDPR or Personal Data relating to criminal convictions and offences referred to in Article 10 of the GDPR; or
(c) the Data Controller determines that the processing is likely to result in a risk to the rights and freedoms of Data Subjects.
16.9 The Data Processor shall allow for audits of its Data Processing activity by the Data Controller or the Data Controller’s designated auditor.
16.10 Each Party shall designate its own data protection officer if required by the Data Protection Legislation.
16.11 Before allowing any Data Sub-processor to process any Personal Data related to this Contract (submission of ILR data), the Data Processor must:
(a) notify the Data Controller’s nominated contact in writing of the intended Data Sub-processor and processing;
(b) obtain the written consent of the Data Controller’s nominated contact;
(c) enter into a written agreement with the Data Sub-processor which give effect to the terms set out in this Clause 16 such that they apply to the Data Sub-processor; and
(d) provide the Data Controller with such information regarding the Data Sub-processor as the Data Controller may reasonably require.
16.12 The Data Processor shall remain fully liable for all acts or omissions of any of its Data Sub-processors.
16.13 The Data Controller may, at any time on not less than 30 Working Days’ notice, revise this clause by replacing it with any applicable controller to processor standard clauses or similar terms forming part of an applicable certification scheme (which shall apply when incorporated by attachment to this Contract).
16.14 The Parties agree to take account of any guidance issued by the Information Commissioner’s Office. The Data Controller may on not less than 30 Working Days’ notice to the Data Processor amend this Contract to ensure that it complies with any guidance issued by the Information Commissioner’s Office.
20.15 16.15. Where the Provider Contractor is providing the Services to Learners claiming out of work benefits, the Secretary of State for Work and Pensions (or their successor) is the Data Controller in relation to Personal Data which the Provider is required to provide to the Secretary of State for Work and Pensions. This Clause 20 will be enforceable by the Secretary of State for Work and Pensions in relation to any Personal Data processed by the Provider on its behalf.
20.16 Where the Provider is providing the Service to Learners who are subject to active management by the Offender Manager in respect of an order or licence, the Secretary of State for Justice (or their successor) is the Data Controller in relation to Personal Data, which the Provider is required to provide to the Secretary of State for Education.
20.17 Where the Provider is providing the Services to Learners Apprentices who are subject to claiming Industrial Injuries Disablement Benefit (IIDB), the Department for Work and Pensions (or their successor) is the Data Controller data controller in relation to Personal Data, which the Provider Contractor is required to provide to the Secretary of State for Education. This Clause 20 16 will be enforceable by the Secretary of State for Work and Pensions in relation to any Personal Data processed by the Provider Contractor on its behalf.
20.18 The Data Processor will comply with any further written instructions or additional conditions from the Department’s Data Controller in relation to the data processing.
20.19 In the circumstances set out in Clause 37.1.7, the Department may elect to take the role of Data Controller.
Appears in 1 contract
Samples: Contract for Services
DATA PROTECTION AND PROTECTION OF PERSONAL DATA. 17.1 The Parties acknowledge that for the purposes of the Data Protection Legislation, the Department on behalf of the Secretary of State for Education is the Data Controller and the Contractor is the Data Processor only for the processing set out in Schedule 2 (i.e. submission of Apprentice data to the Department). Any other processing of Personal Data (i.e. Apprentice enrolment or delivering education & training, e.g. e-portfolios) undertaken by the Contractor will be as a Data Controller and not on behalf of the Department. Clauses 17.2 to 17.14 below apply only in relation to the processing of Personal Data on behalf of the Department as set out in Schedule 2, and the only processing that the Data Processor is authorised to do on behalf of the Department is listed in Schedule 2 by the Department and may not be determined by the Data Processor.
17.2 The Data Processor shall notify the Data Controller immediately if it considers that any of the Data Controller's instructions infringe the Data Protection Legislation.
17.3 The Data Processor shall provide all reasonable assistance to the Data Controller in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Data Controller, include:
(a) a systematic description of the envisaged processing operations and the purpose of the processing;
(b) an assessment of the necessity and proportionality of the processing operations in relation to the Services;
(c) an assessment of the risks to the rights and freedoms of Data Subjects; and
(d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data.
17.4 If requested by the Department’s nominated contact, the Data Processor shall, in relation to any Personal Data processed in connection with its obligations under this Contract:
(a) process that Personal Data only in accordance with Schedule 2, unless the Data Processor is required to do otherwise by Law. If it is so required the Data Processor shall promptly notify the Data Controller before processing the Personal Data unless prohibited by Law;
(b) ensure that it has in place Protective Measures, which are appropriate to protect against a Data Loss Event, which the Data Controller may reasonably reject (but failure to reject shall not amount to approval by the Data Controller of the adequacy of the Protective Measures), having taken account of the:
(i) nature of the data to be protected;
(ii) harm that might result from a Data Loss Event;
(iii) state of technological development; and
(iv) cost of implementing any measures;
(c) ensure that:
(i) the Data Processor Personnel do not process Personal Data except in accordance with this Contract (and in particular Schedule 2);
(ii) it takes all reasonable steps to ensure the reliability and integrity of any Data Processor Personnel who have access to the Personal Data and ensure that they:
(A) are aware of and comply with the Data Processor’s duties under this clause;
(B) are subject to appropriate confidentiality undertakings with the Data Processor or any Data Sub-Processor;
(C) are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third Party unless directed in writing to do so by the Data Controller or as otherwise permitted by this Contract; and
(D) have undergone adequate training in the use, care, protection and handling of Personal Data; and
20.4.4 (d) not make a Restricted Transfer Ttransfer unless the prior written consent of the Data Controller has been obtained and the following conditions are fulfilled:
(i) the Data Controller or the Data Processor has provided appropriate safeguards in relation to the transfer (whether in accordance with Data Protection Legislation) as determined by the Data Controller;
(ii) the Data Subject has enforceable rights and effective legal remedies;
(iii) the Data Processor complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Data Controller in meeting its obligations); and
(iv) the Data Processor complies with any reasonable instructions notified to it in advance by the Data Controller with respect to the processing of the Personal Data;
(e) at the written direction of the Data Controller, delete or return Personal Data (and any copies of it) to the Data Controller on termination of the Contract unless the Data Processor is required by Law to retain the Personal Data.
17.5 Subject to Clause 17.6, the Data Processor shall notify the Data Controller immediately if it:
(a) receives a Data Subject Request (or purported Data Subject Request) in relation to the processing of their data under this Contract only (submission of learner ILR data);
(b) receives a request to rectify, block or erase any Personal Data processed through the submission of learner ILR data. Notification in such cases should be given via the nominated contact;
(c) receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation;
(d) receives any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data processed under this Contract;
(e) receives a request from any third Party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or
(f) becomes aware of a Data Loss Event.
17.6 The Data Processor’s obligation to notify under Clause 17.5 shall include the provision of further information to the Data Controller in phases, as details become available.
20.7 17.7 Taking into account the nature of the processing, the Data Processor will shall provide the Data Controller with full assistance in relation to either Party's obligations under Data Protection Legislation and any complaint, communication or request made under Clause 20.5 (17.5, and insofar as possible within the timescales reasonably required by the Data Controller) including by promptly providing:
(a) the Data Controller with full details and copies of the complaint, communication or request;
(b) such assistance as is reasonably requested by the Data Controller to enable the Data Controller to comply with a Data Subject Request within the relevant timescales set out in the Data Protection Legislation;
(c) the Data Controller, at its request, with any Personal Data it holds in relation to a Data Subject;
(d) assistance as requested by the Data Controller following any Data Loss Event;
(e) assistance as requested by the Data Controller with respect to any request from the Information Commissioner’s Office, or any consultation by the Data Controller with the Information Commissioner's Office.
17.8 The Data Processor shall maintain complete and accurate records and information to demonstrate its compliance with this clause. This requirement does not apply where the Data Processor employs fewer than 250 staff, unless:
(a) the Data Controller determines that the processing is not occasional;
20.8.2 (b) the Data Controller determines the processing includes special categories of data as referred to in the Data Protection Legislation or Personal Data relating to criminal convictions and offences referred to in in; the Data Protection Legislation; or
(c) the Data Controller determines that the processing is likely to result in a risk to the rights and freedoms of Data Subjects.
17.9 The Data Processor shall allow for audits of its Data Processing activity by the Data Controller or the Data Controller’s designated auditor.
17.10 Each Party shall designate its own data protection officer if required by the Data Protection Legislation.
17.11 Before allowing any Data Sub-Processor to process any Personal Data related to this Contract (submission of learner ILR data), the Data Processor must:
(a) notify the Data Controller’s nominated contact in writing of the intended Data Sub-Processor and processing;
(b) obtain the written consent of the Data Controller’s nominated contact;
(c) enter into a written agreement with the Data Sub-Processor which give effect to the terms set out in this Clause 17 such that they apply to the Data Sub-Processor; and
(d) provide the Data Controller with such information regarding the Data Sub-Processor as the Data Controller may reasonably require.
17.12 The Data Processor shall remain fully liable for all acts or omissions of any of its Data Sub-Processors.
17.13 The Data Controller may, at any time on not less than 30 Working Days’ notice, revise this clause by replacing it with any applicable Data Controller to Data Processor standard clauses or similar terms forming part of an applicable certification scheme (which shall apply when incorporated by attachment to this Contract).
17.14 The Parties agree to take account of any guidance issued by the Information Commissioner’s Office. The Data Controller may on not less than 30 Working Days’ notice to the Data Processor amend this Contract to ensure that it complies with any guidance issued by the Information Commissioner’s Office.
20.15 17.15 Where the Provider Contractor is providing the Services to Learners claiming out of work benefits, the Secretary of State for Work and Pensions (or their successor) is the Data Controller in relation to Personal Data which the Provider is required to provide to the Secretary of State for Work and Pensions. This Clause 20 will be enforceable by the Secretary of State for Work and Pensions in relation to any Personal Data processed by the Provider on its behalf.
20.16 Where the Provider is providing the Service to Learners who are subject to active management by the Offender Manager in respect of an order or licence, the Secretary of State for Justice (or their successor) is the Data Controller in relation to Personal Data, which the Provider is required to provide to the Secretary of State for Education.
20.17 Where the Provider is providing the Services to Learners Apprentices who are subject to claiming Industrial Injuries Disablement Benefit (IIDB), the Department for Work and Pensions (or their successor) is the Data Controller in relation to Personal Data, which the Provider Contractor is required to provide to the Secretary of State for Education. This Clause 20 17 will be enforceable by the Secretary of State for Work and Pensions in relation to any Personal Data processed by the Provider Contractor on its behalf.
17.16 The Data Processor will comply with any further written instructions or additional conditions from the Department’s Data Controller in relation to the data processing.
17.17 In the circumstances set out in Clause 25.13, the Department may elect to take the role of Data Controller.
Appears in 1 contract
Samples: Hei Adult Contract for Services
DATA PROTECTION AND PROTECTION OF PERSONAL DATA. 16.1 The Parties acknowledge that for the purposes of the Data Protection Legislation, the Department on behalf of the Secretary of State for Education is the Data Controller and the Contractor is the Data Processor only for the processing set out in Schedule 2 (i.e. submission of Apprentice data to the Department). Any other processing of Personal Data (i.e. Apprentice enrolment or delivering education & training, e.g. e-portfolios) undertaken by the Contractor will be as a data controller and not on behalf of the Department. Clauses 16.2 to 16.14 below apply only in relation to the processing of Personal Data on behalf of the Department as set out in Schedule 2, and the only processing that the Data Processor is authorised to do on behalf of the Department is listed in Schedule 2 by the Department and may not be determined by the Data Processor.
16.2 The Data Processor shall notify the Data Controller immediately if it considers that any of the Data Controller's instructions infringe the Data Protection Legislation.
16.3 The Data Processor shall provide all reasonable assistance to the Data Controller in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Data Controller, include:
(a) a systematic description of the envisaged processing operations and the purpose of the processing;
(b) an assessment of the necessity and proportionality of the processing operations in relation to the Services;
(c) an assessment of the risks to the rights and freedoms of Data Subjects; and
(d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data.
16.4 If requested by the Department’s nominated contact, the Data Processor shall, in relation to any Personal Data processed in connection with its obligations under this Contract:
(a) process that Personal Data only in accordance with Schedule 2, unless the Data Processor is required to do otherwise by Law. If it is so required the Data Processor shall promptly notify the Data Controller before processing the Personal Data unless prohibited by Law;
(b) ensure that it has in place Protective Measures, which are appropriate to protect against a Data Loss Event, which the Data Controller may reasonably reject (but failure to reject shall not amount to approval by the Data Controller of the adequacy of the Protective Measures), having taken account of the:
(i) nature of the data to be protected;
(ii) harm that might result from a Data Loss Event;
(iii) state of technological development; and
(iv) cost of implementing any measures;
(c) ensure that:
(i) the Data Processor Personnel do not process Personal Data except in accordance with this Contract (and in particular Schedule 2);
(ii) it takes all reasonable steps to ensure the reliability and integrity of any Data Processor Personnel who have access to the Personal Data and ensure that they:
(A) are aware of and comply with the Data Processor’s duties under this clause;
(B) are subject to appropriate confidentiality undertakings with the Data Processor or any Data Sub-Processor;
(C) are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third Party unless directed in writing to do so by the Data Controller or as otherwise permitted by this Contract; and
(D) have undergone adequate training in the use, care, protection and handling of Personal Data; and
(d) not make a Restricted Transfer unless the prior written consent of the Data Controller has been obtained and the following conditions are fulfilled:
(i) the Data Controller or the Data Processor has provided appropriate safeguards in relation to the transfer (whether in accordance with Data Protection Legislation) as determined by the Data Controller;
(ii) the Data Subject has enforceable rights and effective legal remedies;
(iii) the Data Processor complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Data Controller in meeting its obligations); and
(iv) the Data Processor complies with any reasonable instructions notified to it in advance by the Data Controller with respect to the processing of the Personal Data;
(e) at the written direction of the Data Controller, delete or return Personal Data (and any copies of it) to the Data Controller on termination of the Contract unless the Data Processor is required by Law to retain the Personal Data.
16.5 Subject to Clause 16.6, the Data Processor shall notify the Data Controller immediately if it:
(a) receives a Data Subject Access Request (or purported Data Subject Access Request) in relation to the processing of their data under this Contract only (submission of learner ILR data);
(b) receives a request to rectify, block or erase any Personal Data processed through the submission of learner ILR data. Notification in such cases should be given via the nominated contact;
(c) receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation;
(d) receives any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data processed under this Contract;
(e) receives a request from any third Party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or
(f) becomes aware of a Data Loss Event.
16.6 The Data Processor’s obligation to notify under Clause 16.5 shall include the provision of further information to the Data Controller in phases, as details become available.
16.7 Taking into account the nature of the processing, the Data Processor shall provide the Data Controller with full assistance in relation to either Party's obligations under Data Protection Legislation and any complaint, communication or request made under Clause 16.5 (and insofar as possible within the timescales reasonably required by the Data Controller) including by promptly providing:
(a) the Data Controller with full details and copies of the complaint, communication or request;
(b) such assistance as is reasonably requested by the Data Controller to enable the Data Controller to comply with a Data Subject Access Request within the relevant timescales set out in the Data Protection Legislation;
(c) the Data Controller, at its request, with any Personal Data it holds in relation to a Data Subject;
(d) assistance as requested by the Data Controller following any Data Loss Event;
(e) assistance as requested by the Data Controller with respect to any request from the Information Commissioner’s Office, or any consultation by the Data Controller with the Information Commissioner's Office.
16.8 The Data Processor shall maintain complete and accurate records and information to demonstrate its compliance with this clause. This requirement does not apply where the Data Processor employs fewer than 250 staff, unless:
(a) the Data Controller determines that the processing is not occasional;
(b) the Data Controller determines the processing includes special categories of data as referred to in the Data Protection Legislation or Personal Data relating to criminal convictions and offences referred to in the Data Protection Legislation; or
(c) the Data Controller determines that the processing is likely to result in a risk to the rights and freedoms of Data Subjects.
16.9 The Data Processor shall allow for audits of its Data Processing activity by the Data Controller or the Data Controller’s designated auditor.
16.10 Each Party shall designate its own data protection officer if required by the Data Protection Legislation.
16.11 Before allowing any Data Sub-Processor to process any Personal Data related to this Contract (submission of learner ILR data), the Data Processor must:
(a) notify the Data Controller’s nominated contact in writing of the intended Data Sub-Processor and processing;
(b) obtain the written consent of the Data Controller’s nominated contact;
(c) enter into a written agreement with the Data Sub-Processor which give effect to the terms set out in this Clause 16 such that they apply to the Data Sub-Processor; and
(d) provide the Data Controller with such information regarding the Data Sub-Processor as the Data Controller may reasonably require.
16.12 The Data Processor shall remain fully liable for all acts or omissions of any of its Data Sub-Processors.
16.13 The Data Controller may, at any time on not less than 30 Working Days’ notice, revise this clause by replacing it with any applicable controller to processor standard clauses or similar terms forming part of an applicable certification scheme (which shall apply when incorporated by attachment to this Contract).
16.14 The Parties agree to take account of any guidance issued by the Information Commissioner’s Office. The Data Controller may on not less than 30 Working Days’ notice to the Data Processor amend this Contract to ensure that it complies with any guidance issued by the Information Commissioner’s Office.
20.15 Where the Provider is providing the Services to Learners claiming out of work benefits, the Secretary of State for Work and Pensions (or their successor) is the Data Controller in relation to Personal Data which the Provider is required to provide to the Secretary of State for Work and Pensions. This Clause 20 will be enforceable by the Secretary of State for Work and Pensions in relation to any Personal Data processed by the Provider on its behalf.
20.16 Where the Provider is providing the Service to Learners who are subject to active management by the Offender Manager in respect of an order or licence, the Secretary of State for Justice (or their successor) is the Data Controller in relation to Personal Data, which the Provider is required to provide to the Secretary of State for Education.
20.17 Where the Provider is providing the Services to Learners who are subject to claiming Industrial Injuries Disablement Benefit (IIDB), the Department for Work and Pensions (or their successor) is the Data Controller in relation to Personal Data, which the Provider is required to provide to the Secretary of State for Education. This Clause 20 will be enforceable by the Secretary of State for Work and Pensions in relation to any Personal Data processed by the Provider on its behalf.
20.18 The Data Processor will comply with any further written instructions or additional conditions from the Department’s Data Controller in relation to the data processing.
20.19 In the circumstances set out in Clause 37.1.7, the Department may elect to take the role of Data Controller.
Appears in 1 contract
Samples: Contract for Services
DATA PROTECTION AND PROTECTION OF PERSONAL DATA. 24.1 This clause applies to the Services except to the extent that it relates to the payment of the Sixth Form Grant to a sixth form by the Provider.
24.2 The Parties acknowledge that for the purposes of the Data Protection Legislation, the Department on behalf of the Secretary of State for Education is the Data Controller and the Provider is the Data Processor only for the processing set out in Schedule 4 (UK GDPR/Data Protection) (i.e. submission of Learner data to the Department). Any other processing of Personal Data undertaken by the Provider (i.e. Learner enrolment or delivering education & training, e.g. e-portfolios) will be as a Data Controller and not on behalf of the Department. Clauses 24.3 to 24.15 below apply only in relation to the processing of Personal Data on behalf of the Department as set out in Schedule 4 (UK GDPR/Data Protection), and the only processing that the Data Processor is authorised to do on behalf of the Department is listed in Schedule 4 (UK GDPR/Data Protection) by the Department and may not be determined by the Data Processor.
24.3 The Data Processor must notify the Data Controller immediately if it considers that any of the Data Controller's instructions infringe the Data Protection Legislation.
24.4 The Data Processor must provide all reasonable assistance to the Data Controller in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Data Controller, include:
(a) a systematic description of the envisaged processing operations and the purpose of the processing;
(b) an assessment of the necessity and proportionality of the processing operations in relation to the Services;
(c) an assessment of the risks to the rights and freedoms of Data Subjects; and
(d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data.
24.5 If requested by the Department’s Agreement Manager, the Data Processor must, in relation to any Personal Data processed in connection with its obligations under this Agreement:
24.5.1 process that Personal Data only in accordance with Schedule 4 (UK GDPR/Data Protection), unless the Data Processor is required to do otherwise by Law. If it is so required the Data Processor will promptly notify the Data Controller before processing the Personal Data unless prohibited by Law;
24.5.2 ensure that it has in place Protective Measures, which are appropriate to protect against a Data Loss Event, which the Data Controller may reasonably reject (but failure to reject will not amount to approval by the Data Controller of the adequacy of the Protective Measures), having taken account of the:
(a) nature of the data to be protected;
(b) harm that might result from a Data Loss Event;
(c) state of technological development; and
(d) cost of implementing any measures;
24.5.3 ensure that:
(a) the Data Processor Personnel do not process Personal Data except in accordance with this Agreement (and in particular Schedule 4 (UK GDPR/Data Protection));
(b) it takes all reasonable steps to ensure the reliability and integrity of any Data Processor Personnel who have access to the Personal Data and ensure that they:
(i) are aware of and comply with the Data Processor’s duties under this clause;
(ii) are subject to appropriate confidentiality undertakings with the Data Processor or any Data Sub-Processor;
(iii) are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third Party unless directed in writing to do so by the Data Controller or as otherwise permitted by this Agreement; and
(iv) have undergone adequate training in the use, care, protection and handling of Personal Data; and
24.5.4 not make a Restricted Transfer unless the prior written consent of the Data Controller has been obtained and the following conditions are fulfilled:
(a) the destination country has been recognised as adequate by the UK government in accordance with Article 45 UK GDPR or section 74 of the DPA 2018;
(b) the Data Controller or the Data Processor has provided appropriate safeguards in relation to the transfer (whether in accordance with UK GDPR Article 46 or section 75 of the DPA 2018) as determined by the Data Controller;
(c) the Data Subject has enforceable rights and effective legal remedies;
(d) the Data Processor complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Data Controller in meeting its obligations); and
(e) the Data Processor complies with any reasonable instructions notified to it in advance by the Data Controller with respect to the processing of the Personal Data;
24.5.5 at the written direction of the Data Controller, delete or return Personal Data (and any copies of it) to the Data Controller on termination of the Agreement unless the Data Processor is required by Law to retain the Personal Data.
24.6 Subject to Clause 24.7, the Data Processor must notify the Data Controller immediately if it:
24.6.1 receives a Data Subject Access Request (or purported Data Subject Access Request) in relation to processing their data under this Agreement only (submission of Learner data);
24.6.2 receives a request to rectify, block or erase any Personal Data processed through the submission of Learner data. Notification in such cases should be given via the Agreement Manager;
24.6.3 receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation;
24.6.4 receives any communication from the Information Commissioner or any other Regulatory Body in connection with Personal Data processed under this Agreement;
24.6.5 receives a request from any third Party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or
24.6.6 becomes aware of a Data Loss Event.
24.7 The Data Processor’s obligation to notify under Clause 24.6 will include the provision of further information to the Data Controller in phases, as details become available.
24.8 Taking into account the nature of the processing, the Data Processor will provide the Data Controller with full assistance in relation to either Party's obligations under Data Protection Legislation and any complaint, communication or request made under Clause 24.6 (and insofar as possible within the timescales reasonably required by the Data Controller) including by promptly providing:
24.8.1 the Data Controller with full details and copies of the complaint, communication or request;
24.8.2 such assistance as is reasonably requested by the Data Controller to enable the Data Controller to comply with a Data Subject Access Request within the relevant timescales set out in the Data Protection Legislation;
24.8.3 the Data Controller, at its request, with any Personal Data it holds in relation to a Data Subject;
24.8.4 assistance as requested by the Data Controller following any Data Loss Event;
24.8.5 assistance as requested by the Data Controller with respect to any request from the Information Commissioner’s Office, or any consultation by the Data Controller with the Information Commissioner's Office.
24.9 The Data Processor must maintain complete and accurate records and information to demonstrate its compliance with this clause. This requirement does not apply where the Data Processor employs fewer than 250 staff, unless:
24.9.1 the Data Controller determines that the processing is not occasional;
24.9.2 the Data Controller determines the processing includes special categories of data as referred to in Article 9(1) of the UK GDPR or Personal Data relating to criminal convictions and offences referred to in Article 10 of the UK GDPR; or
24.9.3 the Data Controller determines that the processing is likely to result in a risk to the rights and freedoms of Data Subjects.
24.10 The Data Processor will allow for audits of its Data Processing activity by the Data Controller or the Data Controller’s designated auditor.
24.11 Each Party will designate its own Data Protection Officer if required by the Data Protection Legislation.
24.12 Before allowing any Data Sub-Processor to process any Personal Data related to this Agreement (submission of Learner data), the Data Processor must:
24.12.1 notify the Data Controller’s Agreement Manager in writing of the intended Data Sub-Processor and processing;
24.12.2 obtain the written consent of the Data Controller’s Agreement Manager;
24.12.3 enter into a written agreement with the Data Sub-Processor which give effect to the terms set out in this Clause 24 such that they apply to the Data Sub-Processor; and
24.12.4 provide the Data Controller with such information regarding the Data Sub-Processor as the Data Controller may reasonably require.
24.13 The Data Processor will remain fully liable for all acts or omissions of any of its Data Sub-Processors.
24.14 The Data Controller may, at any time on not less than 30 Working Days’ notice, revise this clause by replacing it with any applicable Data Controller to Data Processor standard clauses or similar terms forming part of an applicable certification scheme (which will apply when incorporated by attachment to this Agreement).
24.15 The Parties agree to take account of any guidance issued by the Information Commissioner’s Office. The Data Controller may on not less than 30 Working Days’ notice to the Data Processor amend this Agreement to ensure that it complies with any guidance issued by the Information Commissioner’s Office.
24.16 Where the Provider is providing the Services to Learners claiming out of work benefits, the Secretary of State for Work and Pensions (or their successor) is the Data Controller in relation to Personal Data which the Provider is required to provide to the Secretary of State for Work and Pensions. This Clause 24 will be enforceable by the Secretary of State for Work and Pensions in relation to any Personal Data processed by the Provider on its behalf.
24.17 Where the Provider is providing the Service to Learners who are subject to active management by the Offender Manager in respect of an order or licence, the Secretary of State for Justice (or their successor) is the Data Controller in relation to Personal Data, which the Provider is required to provide to the Secretary of State for Education.
24.18 Where the Provider is providing the Services to Learners who are subject to claiming Industrial Injuries Disablement Benefit (IIDB), the Department for Work and Pensions (or their successor) is the Data Controller in relation to Personal Data, which the Provider is required to provide to the Secretary of State for Education. This Clause 24 will be enforceable by the Secretary of State for Work and Pensions in relation to any Personal Data processed by the Provider on its behalf.
24.19 The Data Processor will comply with any further written instructions or additional conditions from the Department’s Data Controller in relation to the data processing.
24.20 In the circumstances set out in Clause 34.9, the Department may elect to take the role of Data Controller.
Appears in 1 contract
Samples: Education & Skills Agreement
DATA PROTECTION AND PROTECTION OF PERSONAL DATA. 20.1 The Parties acknowledge that for the purposes of the Data Protection LegislationLaws, the Department on behalf of the Secretary of State for Education is the Data Controller and the Provider College is the Data Processor only for the processing set out in Schedule 6 (i.e. submission of Learner data to the Department). Any other processing of Personal Data undertaken by the Provider College (i.e. Learner enrolment or delivering education & training, e.g. e-portfolios) will be as a Data Controller and not on behalf of the Department. Clauses 20.2 to 20.14 below apply only in relation to the processing of Personal Data on behalf of the Department as set out in Schedule 6, and the only processing that the Data Processor is authorised to do on behalf of the Department is listed in Schedule 6 by the Department and may not be determined by the Data Processor.
20.2 The Data Processor must notify the Data Controller immediately if it considers that any of the Data Controller's instructions infringe the Data Protection LegislationLaws.
20.3 The Data Processor must provide all reasonable assistance to the Data Controller in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Data Controller, include:
(a) 20.3.1 a systematic description of the envisaged processing operations and the purpose of the processing;
(b) 20.3.2 an assessment of the necessity and proportionality of the processing operations in relation to the Services;
(c) 20.3.3 an assessment of the risks to the rights and freedoms of Data Subjects; and
(d) 20.3.4 the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data.
20.4 If requested by the Department’s Agreement Manager, the Data Processor must, in relation to any Personal Data processed in connection with its obligations under this Agreement:
20.4.1 process that Personal Data only in accordance with Schedule 6, unless the Data Processor is required to do otherwise by Law. If it is so required the Data Processor will promptly notify the Data Controller before processing the Personal Data unless prohibited by Law;
20.4.2 ensure that it has in place Protective Measures, which are appropriate to protect against a Data Loss Event, which the Data Controller may reasonably reject (but failure to reject will not amount to approval by the Data Controller of the adequacy of the Protective Measures), having taken account of the:
(a) nature of the data to be protected;
(b) harm that might result from a Data Loss Event;
(c) state of technological development; and
(d) cost of implementing any measures;
20.4.3 ensure that:
(a) the Data Processor Personnel do not process Personal Data except in accordance with this Agreement (and in particular Schedule 6);
(b) it takes all reasonable steps to ensure the reliability and integrity of any Data Processor Personnel who have access to the Personal Data and ensure that they:
(i) are aware of and comply with the Data Processor’s duties under this clause;
(ii) are subject to appropriate confidentiality undertakings with the Data Processor or any Data Sub-Processor;
(iii) are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third Party unless directed in writing to do so by the Data Controller or as otherwise permitted by this Agreement; and
(iv) have undergone adequate training in the use, care, protection and handling of Personal Data; and
20.4.4 not make a Restricted Transfer unless the prior written consent of the Data Controller has been obtained and the following conditions are fulfilled:
(a) the Data Controller or the Data Processor has provided appropriate safeguards in relation to the transfer (whether in accordance with Data Protection Legislation) as determined by the Data Controller;
(b) the Data Subject has enforceable rights and effective legal remedies;
(c) the Data Processor complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Data Controller in meeting its obligations); and
(d) the Data Processor complies with any reasonable instructions notified to it in advance by the Data Controller with respect to the processing of the Personal Data;
20.4.5 at the written direction of the Data Controller, delete or return Personal Data (and any copies of it) to the Data Controller on termination of the Agreement unless the Data Processor is required by Law to retain the Personal Data.
20.5 Subject to Clause 20.6, the Data Processor must notify the Data Controller immediately if it:
20.5.1 receives a Data Subject Request (or purported Data Subject Request) in relation to processing their data under this Agreement only (submission of learner data);
20.5.2 receives a request to rectify, block or erase any Personal Data processed through the submission of learner data. Notification in such cases should be given via the Agreement Manager;
20.5.3 receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation;
20.5.4 receives any communication from the Information Commissioner or any other Regulatory Body in connection with Personal Data processed under this Agreement;
20.5.5 receives a request from any third Party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or
20.5.6 becomes aware of a Data Loss Event.
20.6 The Data Processor’s obligation to notify under Clause 20.5 will include the provision of further information to the Data Controller in phases, as details become available.
20.7 Taking into account the nature of the processing, the Data Processor will provide the Data Controller with full assistance in relation to either Party's obligations under Data Protection Legislation and any complaint, communication or request made under Clause 20.5 (and insofar as possible within the timescales reasonably required by the Data Controller) including by promptly providing:
20.7.1 the Data Controller with full details and copies of the complaint, communication or request;
20.7.2 such assistance as is reasonably requested by the Data Controller to enable the Data Controller to comply with a Data Subject Request within the relevant timescales set out in the Data Protection Legislation;
20.7.3 the Data Controller, at its request, with any Personal Data it holds in relation to a Data Subject;
20.7.4 assistance as requested by the Data Controller following any Data Loss Event;
20.7.5 assistance as requested by the Data Controller with respect to any request from the Information Commissioner’s Office, or any consultation by the Data Controller with the Information Commissioner's Office.
20.8 The Data Processor must maintain complete and accurate records and information to demonstrate its compliance with this clause. This requirement does not apply where the Data Processor employs fewer than 250 staff, unless:
20.8.1 the Data Controller determines that the processing is not occasional;
20.8.2 the Data Controller determines the processing includes special categories of data as referred to in the Data Protection Legislation or Personal Data relating to criminal convictions and offences referred to in the Data Protection Legislation; or
20.8.3 the Data Controller determines that the processing is likely to result in a risk to the rights and freedoms of Data Subjects.
20.9 The Data Processor will allow for audits of its Data Processing activity by the Data Controller or the Data Controller’s designated auditor.
20.10 Each Party will designate its own data protection officer if required by the Data Protection Legislation.
20.11 Before allowing any Data Sub-Processor to process any Personal Data related to this Agreement (submission of learner data), the Data Processor must:
20.11.1 notify the Data Controller’s Agreement Manager in writing of the intended Data Sub-Processor and processing;
20.11.2 obtain the written consent of the Data Controller’s Agreement Manager;
20.11.3 enter into a written agreement with the Data Sub-Processor which give effect to the terms set out in this Clause 20 such that they apply to the Data Sub-Processor; and
20.11.4 provide the Data Controller with such information regarding the Data Sub-Processor as the Data Controller may reasonably require.
20.12 The Data Processor will remain fully liable for all acts or omissions of any of its Data Sub-Processors.
20.13 The Data Controller may, at any time on not less than 30 Working Days’ notice, revise this clause by replacing it with any applicable Data Controller to Data Processor standard clauses or similar terms forming part of an applicable certification scheme (which will apply when incorporated by attachment to this Agreement).
20.14 The Parties agree to take account of any guidance issued by the Information Commissioner’s Office. The Data Controller may on not less than 30 Working Days’ notice to the Data Processor amend this Agreement to ensure that it complies with any guidance issued by the Information Commissioner’s Office.
20.15 Where the Provider is providing the Services to Learners claiming out of work benefits, the Secretary of State for Work and Pensions (or their successor) is the Data Controller in relation to Personal Data which the Provider is required to provide to the Secretary of State for Work and Pensions. This Clause 20 will be enforceable by the Secretary of State for Work and Pensions in relation to any Personal Data processed by the Provider on its behalf.
20.16 Where the Provider is providing the Service to Learners who are subject to active management by the Offender Manager in respect of an order or licence, the Secretary of State for Justice (or their successor) is the Data Controller in relation to Personal Data, which the Provider is required to provide to the Secretary of State for Education.
20.17 Where the Provider is providing the Services to Learners who are subject to claiming Industrial Injuries Disablement Benefit (IIDB), the Department for Work and Pensions (or their successor) is the Data Controller in relation to Personal Data, which the Provider is required to provide to the Secretary of State for Education. This Clause 20 will be enforceable by the Secretary of State for Work and Pensions in relation to any Personal Data processed by the Provider on its behalf.
20.18 The Data Processor will comply with any further written instructions or additional conditions from the Department’s Data Controller in relation to the data processing.
20.19 In the circumstances set out in Clause 37.1.7, the Department may elect to take the role of Data Controller.
Appears in 1 contract
Samples: Conditions of Funding (Grant)
DATA PROTECTION AND PROTECTION OF PERSONAL DATA. 20.1 The Parties acknowledge that for the purposes of the Data Protection LegislationLaws, the Department on behalf of the Secretary of State for Education is the Data Controller and the Provider is the Data Processor only for the processing set out in Schedule 6 (i.e. submission of Learner data to the Department). Any other processing of Personal Data undertaken by the Provider (i.e. Learner enrolment or delivering education & training, e.g. e-portfolios) will be as a Data Controller and not on behalf of the Department. Clauses 20.2 to 20.14 below apply only in relation to the processing of Personal Data on behalf of the Department as set out in Schedule 6, and the only processing that the Data Processor is authorised to do on behalf of the Department is listed in Schedule 6 by the Department and may not be determined by the Data Processor.
20.2 The Data Processor must notify the Data Controller immediately if it considers that any of the Data Controller's instructions infringe the Data Protection LegislationLaws.
20.3 The Data Processor must provide all reasonable assistance to the Data Controller in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Data Controller, include:
(a) a systematic description of the envisaged processing operations and the purpose of the processing;
(b) an assessment of the necessity and proportionality of the processing operations in relation to the Services;
(c) an assessment of the risks to the rights and freedoms of Data Subjects; and
(d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data.
20.4 If requested by the Department’s Agreement Manager, the Data Processor must, in relation to any Personal Data processed in connection with its obligations under this Agreement:
20.4.1 process that Personal Data only in accordance with Schedule 6, unless the Data Processor is required to do otherwise by Law. If it is so required the Data Processor will promptly notify the Data Controller before processing the Personal Data unless prohibited by Law;
20.4.2 ensure that it has in place Protective Measures, which are appropriate to protect against a Data Loss Event, which the Data Controller may reasonably reject (but failure to reject will not amount to approval by the Data Controller of the adequacy of the Protective Measures), having taken account of the:
(a) nature of the data to be protected;
(b) harm that might result from a Data Loss Event;
(c) state of technological development; and
(d) cost of implementing any measures;
20.4.3 ensure that:
(a) the Data Processor Personnel do not process Personal Data except in accordance with this Agreement (and in particular Schedule 6);
(b) it takes all reasonable steps to ensure the reliability and integrity of any Data Processor Personnel who have access to the Personal Data and ensure that they:
(i) are aware of and comply with the Data Processor’s duties under this clause;
(ii) are subject to appropriate confidentiality undertakings with the Data Processor or any Data Sub-Processor;
(iii) are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third Party unless directed in writing to do so by the Data Controller or as otherwise permitted by this Agreement; and
(iv) have undergone adequate training in the use, care, protection and handling of Personal Data; and
20.4.4 not make a Restricted Transfer transfer Personal Data outside of the EU unless the prior written consent of the Data Controller has been obtained and the following conditions are fulfilled:
(a) the Data Controller or the Data Processor has provided appropriate safeguards in relation to the transfer (whether in accordance with Data Protection LegislationUK GDPR Article 46 or LED Article 37) as determined by the Data Controller;
(b) the Data Subject has enforceable rights and effective legal remedies;
(c) the Data Processor complies with its obligations under the Data Protection Legislation Laws by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Data Controller in meeting its obligations); and
(d) the Data Processor complies with any reasonable instructions notified to it in advance by the Data Controller with respect to the processing of the Personal Data;
20.4.5 at the written direction of the Data Controller, delete or return Personal Data (and any copies of it) to the Data Controller on termination of the Agreement unless the Data Processor is required by Law to retain the Personal Data.
20.5 Subject to Clause 20.6, the Data Processor must notify the Data Controller immediately if it:
20.5.1 receives a Data Subject Request (or purported Data Subject Request) in relation to processing their data under this Agreement only (submission of learner data);
20.5.2 receives a request to rectify, block or erase any Personal Data processed through the submission of learner data. Notification in such cases should be given via the Agreement Manager;
20.5.3 receives any other request, complaint or communication relating to either Party's obligations under the Data Protection LegislationLaws;
20.5.4 receives any communication from the Information Commissioner or any other Regulatory Body in connection with Personal Data processed under this Agreement;
20.5.5 receives a request from any third Party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or
20.5.6 becomes aware of a Data Loss Event.
20.6 The Data Processor’s obligation to notify under Clause 20.5 will include the provision of further information to the Data Controller in phases, as details become available.
20.7 Taking into account the nature of the processing, the Data Processor will provide the Data Controller with full assistance in relation to either Party's obligations under Data Protection Legislation Laws and any complaint, communication or request made under Clause 20.5 (and insofar as possible within the timescales reasonably required by the Data Controller) including by promptly providing:
20.7.1 the Data Controller with full details and copies of the complaint, communication or request;
20.7.2 such assistance as is reasonably requested by the Data Controller to enable the Data Controller to comply with a Data Subject Request within the relevant timescales set out in the Data Protection LegislationLaws;
20.7.3 the Data Controller, at its request, with any Personal Data it holds in relation to a Data Subject;
20.7.4 assistance as requested by the Data Controller following any Data Loss Event;
20.7.5 assistance as requested by the Data Controller with respect to any request from the Information Commissioner’s Office, or any consultation by the Data Controller with the Information Commissioner's Office.
20.8 The Data Processor must maintain complete and accurate records and information to demonstrate its compliance with this clause. This requirement does not apply where the Data Processor employs fewer than 250 staff, unless:
20.8.1 the Data Controller determines that the processing is not occasional;
20.8.2 the Data Controller determines the processing includes special categories of data as referred to in Article 9(1) of the Data Protection Legislation UK GDPR or Personal Data relating to criminal convictions and offences referred to in Article 10 of the Data Protection LegislationUK GDPR; or
20.8.3 the Data Controller determines that the processing is likely to result in a risk to the rights and freedoms of Data Subjects.
20.9 The Data Processor will allow for audits of its Data Processing activity by the Data Controller or the Data Controller’s designated auditor.
20.10 Each Party will designate its own data protection officer if required by the Data Protection LegislationLaws.
20.11 Before allowing any Data Sub-Processor to process any Personal Data related to this Agreement (submission of learner data), the Data Processor must:
20.11.1 notify the Data Controller’s Agreement Manager in writing of the intended Data Sub-Processor and processing;
20.11.2 obtain the written consent of the Data Controller’s Agreement Manager;
20.11.3 enter into a written agreement with the Data Sub-Processor which give effect to the terms set out in this Clause 20 such that they apply to the Data Sub-Processor; and
20.11.4 provide the Data Controller with such information regarding the Data Sub-Processor as the Data Controller may reasonably require.
20.12 The Data Processor will remain fully liable for all acts or omissions of any of its Data Sub-Processors.
20.13 The Data Controller may, at any time on not less than 30 Working Days’ notice, revise this clause by replacing it with any applicable Data Controller to Data Processor standard clauses or similar terms forming part of an applicable certification scheme (which will apply when incorporated by attachment to this Agreement).
20.14 The Parties agree to take account of any guidance issued by the Information Commissioner’s Office. The Data Controller may on not less than 30 Working Days’ notice to the Data Processor amend this Agreement to ensure that it complies with any guidance issued by the Information Commissioner’s Office.
20.15 Where the Provider is providing the Services to Learners claiming out of work benefits, the Secretary of State for Work and Pensions (or their successor) is the Data Controller in relation to Personal Data which the Provider is required to provide to the Secretary of State for Work and Pensions. This Clause 20 will be enforceable by the Secretary of State for Work and Pensions in relation to any Personal Data processed by the Provider on its behalf.
20.16 Where the Provider is providing the Service to Learners who are subject to active management by the Offender Manager in respect of an order or licence, the Secretary of State for Justice (or their successor) is the Data Controller in relation to Personal Data, which the Provider is required to provide to the Secretary of State for Education.
20.17 Where the Provider is providing the Services to Learners who are subject to claiming Industrial Injuries Disablement Benefit (IIDB), the Department for Work and Pensions (or their successor) is the Data Controller in relation to Personal Data, which the Provider is required to provide to the Secretary of State for Education. This Clause 20 will be enforceable by the Secretary of State for Work and Pensions in relation to any Personal Data processed by the Provider on its behalf.
20.18 The Data Processor will comply with any further written instructions or additional conditions from the Department’s Data Controller in relation to the data processing.
20.19 In the circumstances set out in Clause 37.1.7, the Department may elect to take the role of Data Controller.
Appears in 1 contract
Samples: Funding Agreement
DATA PROTECTION AND PROTECTION OF PERSONAL DATA. 20.1 The Parties acknowledge that for the purposes of the Data Protection Legislation, the Department on behalf of the Secretary of State for Education is the Data Controller and the Provider is the Data Processor only for the processing set out in Schedule 6 (i.e. submission of Learner data to the Department). Any other processing of Personal Data undertaken by the Provider (i.e. Learner enrolment or delivering education & training, e.g. e-portfolios) will be as a Data Controller and not on behalf of the Department. Clauses 20.2 to 20.14 below apply only in relation to the processing of Personal Data on behalf of the Department as set out in Schedule 6, and the only processing that the Data Processor is authorised to do on behalf of the Department is listed in Schedule 6 by the Department and may not be determined by the Data Processor.
20.2 The Data Processor must notify the Data Controller immediately if it considers that any of the Data Controller's instructions infringe the Data Protection Legislation.
20.3 The Data Processor must provide all reasonable assistance to the Data Controller in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Data Controller, include:
(a) a systematic description of the envisaged processing operations and the purpose of the processing;
(b) an assessment of the necessity and proportionality of the processing operations in relation to the Services;
(c) an assessment of the risks to the rights and freedoms of Data Subjects; and
(d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data.
20.4 If requested by the Department’s Agreement Manager, the Data Processor must, in relation to any Personal Data processed in connection with its obligations under this Agreement:
20.4.1 process that Personal Data only in accordance with Schedule 6, unless the Data Processor is required to do otherwise by Law. If it is so required the Data Processor will promptly notify the Data Controller before processing the Personal Data unless prohibited by Law;
20.4.2 ensure that it has in place Protective Measures, which are appropriate to protect against a Data Loss Event, which the Data Controller may reasonably reject (but failure to reject will not amount to approval by the Data Controller of the adequacy of the Protective Measures), having taken account of the:
(a) nature of the data to be protected;
(b) harm that might result from a Data Loss Event;
(c) state of technological development; and
(d) cost of implementing any measures;
20.4.3 ensure that:
(a) the Data Processor Personnel do not process Personal Data except in accordance with this Agreement (and in particular Schedule 6);
(b) it takes all reasonable steps to ensure the reliability and integrity of any Data Processor Personnel who have access to the Personal Data and ensure that they:
(i) are aware of and comply with the Data Processor’s duties under this clause;
(ii) are subject to appropriate confidentiality undertakings with the Data Processor or any Data Sub-Processor;
(iii) are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third Party unless directed in writing to do so by the Data Controller or as otherwise permitted by this Agreement; and
(iv) have undergone adequate training in the use, care, protection and handling of Personal Data; and
20.4.4 not make a Restricted Transfer unless the prior written consent of the Data Controller has been obtained and the following conditions are fulfilled:
(a) the destination country has been recognised as adequate by the UK government in accordance with Article 45 UK GDPR or section 74 of the DPA 2018;
(b) the Data Controller or the Data Processor has provided appropriate safeguards in relation to the transfer (whether in accordance with Data Protection LegislationUK GDPR Article 46 or section 75 of the DPA 2018) as determined by the Data Controller;
(bc) the Data Subject has enforceable rights and effective legal remedies;
(cd) the Data Processor complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Data Controller in meeting its obligations); and
(de) the Data Processor complies with any reasonable instructions notified to it in advance by the Data Controller with respect to the processing of the Personal Data;
20.4.5 at the written direction of the Data Controller, delete or return Personal Data (and any copies of it) to the Data Controller on termination of the Agreement unless the Data Processor is required by Law to retain the Personal Data.
20.5 Subject to Clause 20.6, the Data Processor must notify the Data Controller immediately if it:
20.5.1 receives a Data Subject Access Request (or purported Data Subject Access Request) in relation to processing their data under this Agreement only (submission of learner data);
20.5.2 receives a request to rectify, block or erase any Personal Data processed through the submission of learner data. Notification in such cases should be given via the Agreement Manager;
20.5.3 receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation;
20.5.4 receives any communication from the Information Commissioner or any other Regulatory Body in connection with Personal Data processed under this Agreement;
20.5.5 receives a request from any third Party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or
20.5.6 becomes aware of a Data Loss Event.
20.6 The Data Processor’s obligation to notify under Clause 20.5 will include the provision of further information to the Data Controller in phases, as details become available.
20.7 Taking into account the nature of the processing, the Data Processor will provide the Data Controller with full assistance in relation to either Party's obligations under Data Protection Legislation and any complaint, communication or request made under Clause 20.5 (and insofar as possible within the timescales reasonably required by the Data Controller) including by promptly providing:
20.7.1 the Data Controller with full details and copies of the complaint, communication or request;
20.7.2 such assistance as is reasonably requested by the Data Controller to enable the Data Controller to comply with a Data Subject Access Request within the relevant timescales set out in the Data Protection Legislation;
20.7.3 the Data Controller, at its request, with any Personal Data it holds in relation to a Data Subject;
20.7.4 assistance as requested by the Data Controller following any Data Loss Event;
20.7.5 assistance as requested by the Data Controller with respect to any request from the Information Commissioner’s Office, or any consultation by the Data Controller with the Information Commissioner's Office.
20.8 The Data Processor must maintain complete and accurate records and information to demonstrate its compliance with this clause. This requirement does not apply where the Data Processor employs fewer than 250 staff, unless:
20.8.1 the Data Controller determines that the processing is not occasional;
20.8.2 the Data Controller determines the processing includes special categories of data as referred to in the Data Protection Legislation Article 9(1) of the UK GDPR or Personal Data relating to criminal convictions and offences referred to in Article 10 of the Data Protection Legislation UK GDPR; or
20.8.3 the Data Controller determines that the processing is likely to result in a risk to the rights and freedoms of Data Subjects.
20.9 The Data Processor will allow for audits of its Data Processing activity by the Data Controller or the Data Controller’s designated auditor.
20.10 Each Party will designate its own data protection officer if required by the Data Protection Legislation.
20.11 Before allowing any Data Sub-Processor to process any Personal Data related to this Agreement (submission of learner data), the Data Processor must:
20.11.1 notify the Data Controller’s Agreement Manager in writing of the intended Data Sub-Processor and processing;
20.11.2 obtain the written consent of the Data Controller’s Agreement Manager;
20.11.3 enter into a written agreement with the Data Sub-Processor which give effect to the terms set out in this Clause 20 such that they apply to the Data Sub-Processor; and
20.11.4 provide the Data Controller with such information regarding the Data Sub-Processor as the Data Controller may reasonably require.
20.12 The Data Processor will remain fully liable for all acts or omissions of any of its Data Sub-Processors.
20.13 The Data Controller may, at any time on not less than 30 Working Days’ notice, revise this clause by replacing it with any applicable Data Controller controller to Data Processor processor standard clauses or similar terms forming part of an applicable certification scheme (which will apply when incorporated by attachment to this Agreement).
20.14 The Parties agree to take account of any guidance issued by the Information Commissioner’s Office. The Data Controller may on not less than 30 Working Days’ notice to the Data Processor amend this Agreement to ensure that it complies with any guidance issued by the Information Commissioner’s Office.
20.15 Where the Provider is providing the Services to Learners claiming out of work benefits, the Secretary of State for Work and Pensions (or their successor) is the Data Controller in relation to Personal Data which the Provider is required to provide to the Secretary of State for Work and Pensions. This Clause 20 will be enforceable by the Secretary of State for Work and Pensions in relation to any Personal Data processed by the Provider on its behalf.
20.16 Where the Provider is providing the Service to Learners who are subject to active management by the Offender Manager in respect of an order or licence, the Secretary of State for Justice (or their successor) is the Data Controller in relation to Personal Data, which the Provider is required to provide to the Secretary of State for Education.
20.17 Where the Provider is providing the Services to Learners who are subject to claiming Industrial Injuries Disablement Benefit (IIDB), the Department for Work and Pensions (or their successor) is the Data Controller in relation to Personal Data, which the Provider is required to provide to the Secretary of State for Education. This Clause 20 will be enforceable by the Secretary of State for Work and Pensions in relation to any Personal Data processed by the Provider on its behalf.
20.18 The Data Processor will comply with any further written instructions or additional conditions from the Department’s Data Controller in relation to the data processing.
20.19 In the circumstances set out in Clause 37.1.7 36.9, the Department may elect to take the role of Data Controller.
Appears in 1 contract
DATA PROTECTION AND PROTECTION OF PERSONAL DATA. 20.1 22.1 The Parties acknowledge that for the purposes of the Data Protection Legislation, the Department on behalf of the Secretary of State for Education is the Data Controller and the Provider Contractor is the Data Processor only for the processing set out in Schedule 6 (i.e. submission of Learner data to the Department). Any other processing of Personal Data undertaken by the Provider Contractor (i.e. Learner enrolment or delivering education & training, e.g. e-portfolios) will be as a Data Controller and not on behalf of the Department. Clauses 20.2 22.2 to 20.14 22.14 below apply only in relation to the processing of Personal Data on behalf of the Department as set out in Schedule 6, and the only processing that the Data Processor is authorised to do on behalf of the Department is listed in Schedule 6 by the Department and may not be determined by the Data Processor.
20.2 22.2 The Data Processor must notify the Data Controller immediately if it considers that any of the Data Controller's instructions infringe the Data Protection Legislation.
20.3 22.3 The Data Processor must provide all reasonable assistance to the Data Controller in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Data Controller, include:
(a) a systematic description of the envisaged processing operations and the purpose of the processing;
(b) an assessment of the necessity and proportionality of the processing operations in relation to the Services;
(c) an assessment of the risks to the rights and freedoms of Data Subjects; and
(d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data.
20.4 22.4 If requested by the Department’s Agreement Contract Manager, the Data Processor must, in relation to any Personal Data processed in connection with its obligations under this Agreement Contract:
20.4.1 22.4.1 process that Personal Data only in accordance with Schedule 6, unless the Data Processor is required to do otherwise by Law. If it is so required the Data Processor will promptly notify the Data Controller before processing the Personal Data unless prohibited by Law;
20.4.2 22.4.2 ensure that it has in place Protective Measures, which are appropriate to protect against a Data Loss Event, which the Data Controller may reasonably reject (but failure to reject will shall not amount to approval by the Data Controller of the adequacy of the Protective Measures), having taken account of the:
(a) nature of the data to be protected;
(b) harm that might result from a Data Loss Event;
(c) state of technological development; and
(d) cost of implementing any measures;
20.4.3 22.4.3 ensure that:
(a) the Data Processor Personnel do not process Personal Data except in accordance with this Agreement Contract (and in particular Schedule 6);
(b) it takes all reasonable steps to ensure the reliability and integrity of any Data Processor Personnel who have access to the Personal Data and ensure that they:
(i) are aware of and comply with the Data Processor’s duties under this clause;
(ii) are subject to appropriate confidentiality undertakings with the Data Processor or any Data Sub-Processor;
(iii) are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third Party unless directed in writing to do so by the Data Controller or as otherwise permitted by this Agreement Contract; and
(iv) have undergone adequate training in the use, care, protection and handling of Personal Data; and
20.4.4 22.4.4 not make a Restricted Transfer unless the prior written consent of the Data Controller has been obtained and the following conditions are fulfilled:
(a) the Data Controller or the Data Processor has provided appropriate safeguards in relation to the transfer (whether in accordance with Data Protection Legislation) as determined by the Data Controller;
(b) the Data Subject has enforceable rights and effective legal remedies;
(c) the Data Processor complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Data Controller in meeting its obligations); and
(d) the Data Processor complies with any reasonable instructions notified to it in advance by the Data Controller with respect to the processing of the Personal Data;
20.4.5 22.4.5 at the written direction of the Data Controller, delete or return Personal Data (and any copies of it) to the Data Controller on termination of the Agreement Contract unless the Data Processor is required by Law to retain the Personal Data.
20.5 22.5 Subject to Clause 20.6 22.6, the Data Processor must notify the Data Controller immediately if it:
20.5.1 22.5.1 receives a Data Subject Request (or purported Data Subject Request) in relation to processing their data under this Agreement Contract only (submission of learner data);
20.5.2 22.5.2 receives a request to rectify, block or erase any Personal Data processed through the submission of learner data. Notification in such cases should be given via the Agreement Contract Manager;
20.5.3 22.5.3 receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation;
20.5.4 22.5.4 receives any communication from the Information Commissioner or any other Regulatory Body in connection with Personal Data processed under this Agreement Contract;
20.5.5 22.5.5 receives a request from any third Party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or
20.5.6 22.5.6 becomes aware of a Data Loss Event.
20.6 22.6 The Data Processor’s obligation to notify under Clause 20.5 22.5 will include the provision of further information to the Data Controller in phases, as details become available.
20.7 22.7 Taking into account the nature of the processing, the Data Processor will provide the Data Controller with full assistance in relation to either Party's obligations under Data Protection Legislation and any complaint, communication or request made under Clause 20.5 22.5 (and insofar as possible within the timescales reasonably required by the Data Controller) including by promptly providing:
20.7.1 22.7.1 the Data Controller with full details and copies of the complaint, communication or request;
20.7.2 22.7.2 such assistance as is reasonably requested by the Data Controller to enable the Data Controller to comply with a Data Subject Request within the relevant timescales set out in the Data Protection Legislation;
20.7.3 22.7.3 the Data Controller, at its request, with any Personal Data it holds in relation to a Data Subject;
20.7.4 22.7.4 assistance as requested by the Data Controller following any Data Loss Event;
20.7.5 22.7.5 assistance as requested by the Data Controller with respect to any request from the Information Commissioner’s Office, or any consultation by the Data Controller with the Information Commissioner's Office.
20.8 22.8 The Data Processor must maintain complete and accurate records and information to demonstrate its compliance with this clause. This requirement does not apply where the Data Processor employs fewer than 250 staff, unless:
20.8.1 22.8.1 the Data Controller determines that the processing is not occasional;
20.8.2 22.8.2 the Data Controller determines the processing includes special categories of data as referred to in the Data Protection Legislation or Personal Data relating to criminal convictions and offences referred to in the Data Protection Legislation; or
20.8.3 22.8.3 the Data Controller determines that the processing is likely to result in a risk to the rights and freedoms of Data Subjects.
20.9 22.9 The Data Processor will allow for audits of its Data Processing activity by the Data Controller or the Data Controller’s designated auditor.
20.10 22.10 Each Party will designate its own data protection officer if required by the Data Protection Legislation.
20.11 22.11 Before allowing any Data Sub-Processor to process any Personal Data related to this Agreement Contract (submission of learner data), the Data Processor must:
20.11.1 22.11.1 notify the Data Controller’s Agreement Contract Manager in writing of the intended Data Sub-Processor and processing;
20.11.2 22.11.2 obtain the written consent of the Data Controller’s Agreement Contract Manager;
20.11.3 22.11.3 enter into a written agreement with the Data Sub-Processor which give effect to the terms set out in this Clause 20 22 such that they apply to the Data Sub-Processor; and
20.11.4 22.11.4 provide the Data Controller with such information regarding the Data Sub-Processor as the Data Controller may reasonably require.
20.12 22.12 The Data Processor will remain fully liable for all acts or omissions of any of its Data Sub-Processors.
20.13 22.13 The Data Controller may, at any time on not less than 30 Working Days’ notice, revise this clause by replacing it with any applicable Data Controller controller to Data Processor processor standard clauses or similar terms forming part of an applicable certification scheme (which will shall apply when incorporated by attachment to this Agreement Contract).
20.14 22.14 The Parties agree to take account of any guidance issued by the Information Commissioner’s Office. The Data Controller may on not less than 30 Working Days’ notice to the Data Processor amend this Agreement to ensure that it complies with any guidance issued by the Information Commissioner’s Office.
20.15 22.15 Where the Provider Contractor is providing the Services to Learners claiming out of work benefits, the Secretary of State for Work and Pensions (or their successor) is the Data Controller in relation to Personal Data which the Provider Contractor is required to provide to the Secretary of State for Work and Pensions. This Clause 20 22 will be enforceable by the Secretary of State for Work and Pensions in relation to any Personal Data processed by the Provider Contractor on its behalf.
20.16 22.16 Where the Provider Contractor is providing the Service to Learners who are subject to active management by the Offender Manager in respect of an order or licence, the Secretary of State for Justice (or their successor) is the Data Controller in relation to Personal Data, which the Provider Contractor is required to provide to the Secretary of State for Education.
20.17 22.17 Where the Provider Contractor is providing the Services to Learners who are subject to claiming Industrial Injuries Disablement Benefit (IIDB), the Department for Work and Pensions (or their successor) is the Data Controller in relation to Personal Data, which the Provider Contractor is required to provide to the Secretary of State for Education. This Clause 20 22 will be enforceable by the Secretary of State for Work and Pensions in relation to any Personal Data processed by the Provider Contractor on its behalf.
20.18 22.18 The Data Processor will comply with any further written instructions or additional conditions from the Department’s Data Controller in relation to the data processing.
20.19 22.19 In the circumstances set out in Clause 37.1.7 41.1.7, the Department may elect to take the role of Data Controller.
Appears in 1 contract
Samples: Contract for Services
DATA PROTECTION AND PROTECTION OF PERSONAL DATA. 20.1 24.1 This clause applies to the Services except to the extent that it relates to the payment of the Sixth Form Grant to a sixth form by the Provider.
24.2 The Parties acknowledge that for the purposes of the Data Protection Legislation, the Department on behalf of the Secretary of State for Education is the Data Controller and the Provider is the Data Processor only for the processing set out in Schedule 6 4 (UK GDPR/Data Protection) (i.e. submission of Learner data to the Department). Any other processing of Personal Data undertaken by the Provider (i.e. Learner enrolment or delivering education & training, e.g. e-portfolios) will be as a Data Controller and not on behalf of the Department. Clauses 20.2 24.3 to 20.14 24.15 below apply only in relation to the processing of Personal Data on behalf of the Department as set out in Schedule 6 4 (UK GDPR/Data Protection), and the only processing that the Data Processor is authorised to do on behalf of the Department is listed in Schedule 6 4 (UK GDPR/Data Protection) by the Department and may not be determined by the Data Processor.
20.2 24.3 The Data Processor must notify the Data Controller immediately if it considers that any of the Data Controller's instructions infringe the Data Protection Legislation.
20.3 24.4 The Data Processor must provide all reasonable assistance to the Data Controller in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Data Controller, include:
(a) a systematic description of the envisaged processing operations and the purpose of the processing;
(b) an assessment of the necessity and proportionality of the processing operations in relation to the Services;
(c) an assessment of the risks to the rights and freedoms of Data Subjects; and
(d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data.
20.4 24.5 If requested by the Department’s Agreement Manager, the Data Processor must, in relation to any Personal Data processed in connection with its obligations under this Agreement:
20.4.1 24.5.1 process that Personal Data only in accordance with Schedule 6 4 (UK GDPR/Data Protection), unless the Data Processor is required to do otherwise by Law. If it is so required the Data Processor will promptly notify the Data Controller before processing the Personal Data unless prohibited by Law;
20.4.2 24.5.2 ensure that it has in place Protective Measures, which are appropriate to protect against a Data Loss Event, which the Data Controller may reasonably reject (but failure to reject will not amount to approval by the Data Controller of the adequacy of the Protective Measures), having taken account of the:
(a) nature of the data to be protected;
(b) harm that might result from a Data Loss Event;
(c) state of technological development; and
(d) cost of implementing any measures;
20.4.3 24.5.3 ensure that:
(a) the Data Processor Personnel do not process Personal Data except in accordance with this Agreement (and in particular Schedule 6 4 (UK GDPR/Data Protection));
(b) it takes all reasonable steps to ensure the reliability and integrity of any Data Processor Personnel who have access to the Personal Data and ensure that they:
(i) are aware of and comply with the Data Processor’s duties under this clause;
(ii) are subject to appropriate confidentiality undertakings with the Data Processor or any Data Sub-Processor;
(iii) are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third Party unless directed in writing to do so by the Data Controller or as otherwise permitted by this Agreement; and
(iv) have undergone adequate training in the use, care, protection and handling of Personal Data; and
20.4.4 24.5.4 not make a Restricted Transfer unless the prior written consent of the Data Controller has been obtained and the following conditions are fulfilled:
(a) the destination country has been recognised as adequate by the UK government in accordance with Article 45 UK GDPR or section 74 of the DPA 2018
(b) the Data Controller or the Data Processor has provided appropriate safeguards in relation to the transfer (whether in accordance with Data Protection Legislation UK GDPR Article 46 or section 75 of the DPA 2018) as determined by the Data Controller;
(b) (c) the Data Subject has enforceable rights and effective legal remedies;
(c) (d) the Data Processor complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Data Controller in meeting its obligations); and
(d) (e) the Data Processor complies with any reasonable instructions notified to it in advance by the Data Controller with respect to the processing of the Personal Data;
20.4.5 24.5.5 at the written direction of the Data Controller, delete or return Personal Data (and any copies of it) to the Data Controller on termination of the Agreement unless the Data Processor is required by Law to retain the Personal Data.
20.5 24.6 Subject to Clause 20.6 24.7, the Data Processor must notify the Data Controller immediately if it:
20.5.1 24.6.1 receives a Data Subject Access Request (or purported Data Subject Access Request) in relation to processing their data under this Agreement only (submission of learner Learner data);
20.5.2 24.6.2 receives a request to rectify, block or erase any Personal Data processed through the submission of learner Learner data. Notification in such cases should be given via the Agreement Manager;
20.5.3 24.6.3 receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation;
20.5.4 24.6.4 receives any communication from the Information Commissioner or any other Regulatory Body in connection with Personal Data processed under this Agreement;
20.5.5 24.6.5 receives a request from any third Party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or
20.5.6 24.6.6 becomes aware of a Data Loss Event.
20.6 24.7 The Data Processor’s obligation to notify under Clause 20.5 24.6 will include the provision of further information to the Data Controller in phases, as details become available.
20.7 24.8 Taking into account the nature of the processing, the Data Processor will provide the Data Controller with full assistance in relation to either Party's obligations under Data Protection Legislation and any complaint, communication or request made under Clause 20.5 24.6 (and insofar as possible within the timescales reasonably required by the Data Controller) including by promptly providing:
20.7.1 24.8.1 the Data Controller with full details and copies of the complaint, communication or request;
20.7.2 24.8.2 such assistance as is reasonably requested by the Data Controller to enable the Data Controller to comply with a Data Subject Access Request within the relevant timescales set out in the Data Protection Legislation;
20.7.3 24.8.3 the Data Controller, at its request, with any Personal Data it holds in relation to a Data Subject;
20.7.4 24.8.4 assistance as requested by the Data Controller following any Data Loss Event;
20.7.5 24.8.5 assistance as requested by the Data Controller with respect to any request from the Information Commissioner’s Office, or any consultation by the Data Controller with the Information Commissioner's Office.
20.8 24.9 The Data Processor must maintain complete and accurate records and information to demonstrate its compliance with this clause. This requirement does not apply where the Data Processor employs fewer than 250 staff, unless:
20.8.1 24.9.1 the Data Controller determines that the processing is not occasional;
20.8.2 24.9.2 the Data Controller determines the processing includes special categories of data as referred to in the Data Protection Legislation Article 9(1) of the UK GDPR or Personal Data relating to criminal convictions and offences referred to in Article 10 of the Data Protection Legislation UK GDPR; or
20.8.3 24.9.3 the Data Controller determines that the processing is likely to result in a risk to the rights and freedoms of Data Subjects.
20.9 24.10 The Data Processor will allow for audits of its Data Processing activity by the Data Controller or the Data Controller’s designated auditor.
20.10 24.11 Each Party will designate its own data protection officer Data Protection Officer if required by the Data Protection Legislation.
20.11 24.12 Before allowing any Data Sub-Processor to process any Personal Data related to this Agreement (submission of learner Learner data), the Data Processor must:
20.11.1 24.12.1 notify the Data Controller’s Agreement Manager in writing of the intended Data Sub-Processor and processing;
20.11.2 24.12.2 obtain the written consent of the Data Controller’s Agreement Manager;
20.11.3 24.12.3 enter into a written agreement with the Data Sub-Processor which give effect to the terms set out in this Clause 20 24 such that they apply to the Data Sub-Processor; and
20.11.4 24.12.4 provide the Data Controller with such information regarding the Data Sub-Processor as the Data Controller may reasonably require.
20.12 24.13 The Data Processor will remain fully liable for all acts or omissions of any of its Data Sub-Processors.
20.13 24.14 The Data Controller may, at any time on not less than 30 Working Days’ notice, revise this clause by replacing it with any applicable Data Controller controller to Data Processor processor standard clauses or similar terms forming part of an applicable certification scheme (which will apply when incorporated by attachment to this Agreement).
20.14 24.15 The Parties agree to take account of any guidance issued by the Information Commissioner’s Office. The Data Controller may on not less than 30 Working Days’ notice to the Data Processor amend this Agreement to ensure that it complies with any guidance issued by the Information Commissioner’s Office.
20.15 24.16 Where the Provider is providing the Services to Learners claiming out of work benefits, the Secretary of State for Work and Pensions (or their successor) is the Data Controller in relation to Personal Data which the Provider is required to provide to the Secretary of State for Work and Pensions. This Clause 20 24 will be enforceable by the Secretary of State for Work and Pensions in relation to any Personal Data processed by the Provider on its behalf.
20.16 24.17 Where the Provider is providing the Service to Learners who are subject to active management by the Offender Manager in respect of an order or licence, the Secretary of State for Justice (or their successor) is the Data Controller in relation to Personal Data, which the Provider is required to provide to the Secretary of State for Education.
20.17 24.18 Where the Provider is providing the Services to Learners who are subject to claiming Industrial Injuries Disablement Benefit (IIDB), the Department for Work and Pensions (or their successor) is the Data Controller in relation to Personal Data, which the Provider is required to provide to the Secretary of State for Education. This Clause 20 24 will be enforceable by the Secretary of State for Work and Pensions in relation to any Personal Data processed by the Provider on its behalf.
20.18 24.19 The Data Processor will comply with any further written instructions or additional conditions from the Department’s Data Controller in relation to the data processing.
20.19 24.20 In the circumstances set out in Clause 37.1.7 34.9, the Department may elect to take the role of Data Controller.
Appears in 1 contract
Samples: Accountability Agreement
DATA PROTECTION AND PROTECTION OF PERSONAL DATA. 20.1 The Parties acknowledge that for the purposes of the Data Protection Legislation Laws, the Department on behalf of the Secretary of State for Education is the Data Controller and the Provider is the Data Processor only for the processing set out in Schedule 6 (i.e. submission of Learner data to the Department). Any other processing of Personal Data undertaken by the Provider (i.e. Learner enrolment or delivering education & training, e.g. e-portfolios) will be as a Data Controller and not on behalf of the Department. Clauses 20.2 to 20.14 below apply only in relation to the processing of Personal Data on behalf of the Department as set out in Schedule 6, and the only processing that the Data Processor is authorised to do on behalf of the Department is listed in Schedule 6 by the Department and may not be determined by the Data Processor.
20.2 The Data Processor must notify the Data Controller immediately if it considers that any of the Data Controller's instructions infringe the Data Protection Legislation Laws.
20.3 The Data Processor must provide all reasonable assistance to the Data Controller in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Data Controller, include:
(a) a systematic description of the envisaged processing operations and the purpose of the processing;
(b) an assessment of the necessity and proportionality of the processing operations in relation to the Services;
(c) an assessment of the risks to the rights and freedoms of Data Subjects; and
(d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data.
20.4 If requested by the Department’s Agreement Manager, the Data Processor must, in relation to any Personal Data processed in connection with its obligations under this Agreement:
20.4.1 : process that Personal Data only in accordance with Schedule 6, unless the Data Processor is required to do otherwise by Law. If it is so required the Data Processor will promptly notify the Data Controller before processing the Personal Data unless prohibited by Law;
20.4.2 ; ensure that it has in place Protective Measures, which are appropriate to protect against a Data Loss Event, which the Data Controller may reasonably reject (but failure to reject will not amount to approval by the Data Controller of the adequacy of the Protective Measures), having taken account of the:
(a) nature of the data to be protected;
(b) harm that might result from a Data Loss Event;
(c) state of technological development; and
(d) cost of implementing any measures;
20.4.3 ; ensure that:
(a) the Data Processor Personnel do not process Personal Data except in accordance with this Agreement (and in particular Schedule 6);
(b) it takes all reasonable steps to ensure the reliability and integrity of any Data Processor Personnel who have access to the Personal Data and ensure that they:
(i) are aware of and comply with the Data Processor’s duties under this clause;
(ii) are subject to appropriate confidentiality undertakings with the Data Processor or any Data Sub-Processor;
(iii) are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third Party unless directed in writing to do so by the Data Controller or as otherwise permitted by this Agreement; and
(iv) have undergone adequate training in the use, care, protection and handling of Personal Data; and
20.4.4 and not make a Restricted Transfer transfer Personal Data outside of the EU unless the prior written consent of the Data Controller has been obtained and the following conditions are fulfilled:
(a) the Data Controller or the Data Processor has provided appropriate safeguards in relation to the transfer (whether in accordance with Data Protection Legislation UK GDPR Article 46 or LED Article 37) as determined by the Data Controller;
(b) the Data Subject has enforceable rights and effective legal remedies;
(c) the Data Processor complies with its obligations under the Data Protection Legislation Laws by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Data Controller in meeting its obligations); and
(d) the Data Processor complies with any reasonable instructions notified to it in advance by the Data Controller with respect to the processing of the Personal Data;
20.4.5 ; at the written direction of the Data Controller, delete or return Personal Data (and any copies of it) to the Data Controller on termination of the Agreement unless the Data Processor is required by Law to retain the Personal Data.
20.5 Subject to Clause 20.6, the Data Processor must notify the Data Controller immediately if it:
20.5.1 receives a Data Subject Request (or purported Data Subject Request) in relation to processing their data under this Agreement only (submission of learner data);
20.5.2 receives a request to rectify, block or erase any Personal Data processed through the submission of learner data. Notification in such cases should be given via the Agreement Manager;
20.5.3 receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Laws;
20.5.4 receives any communication from the Information Commissioner or any other Regulatory Body in connection with Personal Data processed under this Agreement;
20.5.5 receives a request from any third Party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or
20.5.6 becomes aware of a Data Loss Event.
20.6 The Data Processor’s obligation to notify under Clause 20.5 will include the provision of further information to the Data Controller in phases, as details become available.
20.7 Taking into account the nature of the processing, the Data Processor will provide the Data Controller with full assistance in relation to either Party's obligations under Data Protection Laws and any complaint, communication or request made under Clause 20.5 (and insofar as possible within the timescales reasonably required by the Data Controller) including by promptly providing:
20.7.1 the Data Controller with full details and copies of the complaint, communication or request;
20.7.2 such assistance as is reasonably requested by the Data Controller to enable the Data Controller to comply with a Data Subject Request within the relevant timescales set out in the Data Protection Laws;
20.7.3 the Data Controller, at its request, with any Personal Data it holds in relation to a Data Subject;
20.7.4 assistance as requested by the Data Controller following any Data Loss Event;
20.7.5 assistance as requested by the Data Controller with respect to any request from the Information Commissioner’s Office, or any consultation by the Data Controller with the Information Commissioner's Office.
20.8 The Data Processor must maintain complete and accurate records and information to demonstrate its compliance with this clause. This requirement does not apply where the Data Processor employs fewer than 250 staff, unless:
20.8.1 the Data Controller determines that the processing is not occasional;
20.8.2 the Data Controller determines the processing includes special categories of data as referred to in Article 9(1) of the UK GDPR or Personal Data relating to criminal convictions and offences referred to in Article 10 of the UK GDPR; or
20.8.3 the Data Controller determines that the processing is likely to result in a risk to the rights and freedoms of Data Subjects.
20.9 The Data Processor will allow for audits of its Data Processing activity by the Data Controller or the Data Controller’s designated auditor.
20.10 Each Party will designate its own data protection officer if required by the Data Protection Laws.
20.11 Before allowing any Data Sub-Processor to process any Personal Data related to this Agreement (submission of learner data), the Data Processor must:
20.11.1 notify the Data Controller’s Agreement Manager in writing of the intended Data Sub-Processor and processing;
20.11.2 obtain the written consent of the Data Controller’s Agreement Manager;
20.11.3 enter into a written agreement with the Data Sub-Processor which give effect to the terms set out in this Clause 20 such that they apply to the Data Sub-Processor; and
20.11.4 provide the Data Controller with such information regarding the Data Sub-Processor as the Data Controller may reasonably require.
20.12 The Data Processor will remain fully liable for all acts or omissions of any of its Data Sub-Processors.
20.13 The Data Controller may, at any time on not less than 30 Working Days’ notice, revise this clause by replacing it with any applicable Data Controller to Data Processor standard clauses or similar terms forming part of an applicable certification scheme (which will apply when incorporated by attachment to this Agreement).
20.14 The Parties agree to take account of any guidance issued by the Information Commissioner’s Office. The Data Controller may on not less than 30 Working Days’ notice to the Data Processor amend this Agreement to ensure that it complies with any guidance issued by the Information Commissioner’s Office.
20.15 Where the Provider is providing the Services to Learners claiming out of work benefits, the Secretary of State for Work and Pensions (or their successor) is the Data Controller in relation to Personal Data which the Provider is required to provide to the Secretary of State for Work and Pensions. This Clause 20 will be enforceable by the Secretary of State for Work and Pensions in relation to any Personal Data processed by the Provider on its behalf.
20.16 Where the Provider is providing the Service to Learners who are subject to active management by the Offender Manager in respect of an order or licence, the Secretary of State for Justice (or their successor) is the Data Controller in relation to Personal Data, which the Provider is required to provide to the Secretary of State for Education.
20.17 Where the Provider is providing the Services to Learners who are subject to claiming Industrial Injuries Disablement Benefit (IIDB), the Department for Work and Pensions (or their successor) is the Data Controller in relation to Personal Data, which the Provider is required to provide to the Secretary of State for Education. This Clause 20 will be enforceable by the Secretary of State for Work and Pensions in relation to any Personal Data processed by the Provider on its behalf.
20.18 The Data Processor will comply with any further written instructions or additional conditions from the Department’s Data Controller in relation to the data processing.
20.19 In the circumstances set out in Clause 37.1.7, the Department may elect to take the role of Data Controller.
Samples: Funding Agreement
DATA PROTECTION AND PROTECTION OF PERSONAL DATA. 16.1 The Parties acknowledge that for the purposes of the Data Protection Legislation, the ESFA on behalf of the Secretary of State for Education is the Data Controller and the Contractor is the Data Processor only for the processing set out in Schedule 2 (i.e. submission of Apprentice data to the ESFA). Any other processing of Personal Data (i.e. Apprentice enrolment or delivering education & training, e.g. e-portfolios) undertaken by the Contractor will be as a data controller and not on behalf of the ESFA. Clauses 16.2 to 16.14 below apply only in relation to the processing of Personal Data on behalf of the ESFA as set out in Schedule 2, and the only processing that the Data Processor is authorised to do on behalf of the ESFA is listed in Schedule 2 by the ESFA and may not be determined by the Data Processor.
16.2 The Data Processor shall notify the Data Controller immediately if it considers that any of the Data Controller's instructions infringe the Data Protection Legislation.
16.3 The Data Processor shall provide all reasonable assistance to the Data Controller in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Data Controller, include:
(a) a systematic description of the envisaged processing operations and the purpose of the processing;
(b) an assessment of the necessity and proportionality of the processing operations in relation to the Services;
(c) an assessment of the risks to the rights and freedoms of Data Subjects; and
(d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data.
16.4 If requested by the ESFA’s nominated contact, the Data Processor shall, in relation to any Personal Data processed in connection with its obligations under this Contract:
(a) process that Personal Data only in accordance with Schedule 2, unless the Data Processor is required to do otherwise by Law. If it is so required the Data Processor shall promptly notify the Data Controller before processing the Personal Data unless prohibited by Law;
(b) ensure that it has in place Protective Measures, which are appropriate to protect against a Data Loss Event, which the Data Controller may reasonably reject (but failure to reject shall not amount to approval by the Data Controller of the adequacy of the Protective Measures), having taken account of the:
(i) nature of the data to be protected;
(ii) harm that might result from a Data Loss Event;
(iii) state of technological development; and
(iv) cost of implementing any measures;
(c) ensure that:
(i) the Data Processor Personnel do not process Personal Data except in accordance with this Contract (and in particular Schedule 2);
(ii) it takes all reasonable steps to ensure the reliability and integrity of any Data Processor Personnel who have access to the Personal Data and ensure that they:
(A) are aware of and comply with the Data Processor’s duties under this clause;
(B) are subject to appropriate confidentiality undertakings with the Data Processor or any Data Sub-processor;
(C) are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third Party unless directed in writing to do so by the Data Controller or as otherwise permitted by this Contract; and
(D) have undergone adequate training in the use, care, protection and handling of Personal Data; and
(d) not transfer Personal Data outside of the EU unless the prior written consent of the Data Controller has been obtained and the following conditions are fulfilled:
(i) the Data Controller or the Data Processor has provided appropriate safeguards in relation to the transfer (whether in accordance with GDPR Article 46 or LED Article 37) as determined by the Data Controller;
(ii) the Data Subject has enforceable rights and effective legal remedies;
(iii) the Data Processor complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Data Controller in meeting its obligations); and
(iv) the Data Processor complies with any reasonable instructions notified to it in advance by the Data Controller with respect to the processing of the Personal Data;
(e) at the written direction of the Data Controller, delete or return Personal Data (and any copies of it) to the Data Controller on termination of the Contract unless the Data Processor is required by Law to retain the Personal Data.
16.5 Subject to Clause 16.6, the Data Processor shall notify the Data Controller immediately if it:
(a) receives a Data Subject Request (or purported Data Subject Request) in relation to the processing of their data under this Contract only (submission of ILR data);
(b) receives a request to rectify, block or erase any Personal Data processed through the submission of ILR data. Notification in such cases should be given via the nominated contact;
(c) receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation;
(d) receives any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data processed under this Contract;
(e) receives a request from any third Party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or
(f) becomes aware of a Data Loss Event.
16.6 The Data Processor’s obligation to notify under Clause 16.5 shall include the provision of further information to the Data Controller in phases, as details become available.
16.7 Taking into account the nature of the processing, the Data Processor shall provide the Data Controller with full assistance in relation to either Party's obligations under Data Protection Legislation and any complaint, communication or request made under Clause 16.5 (and insofar as possible within the timescales reasonably required by the Data Controller) including by promptly providing:
(a) the Data Controller with full details and copies of the complaint, communication or request;
(b) such assistance as is reasonably requested by the Data Controller to enable the Data Controller to comply with a Data Subject Request within the relevant timescales set out in the Data Protection Legislation;
(c) the Data Controller, at its request, with any Personal Data it holds in relation to a Data Subject;
(d) assistance as requested by the Data Controller following any Data Loss Event;
(e) assistance as requested by the Data Controller with respect to any request from the Information Commissioner’s Office, or any consultation by the Data Controller with the Information Commissioner's Office.
16.8 The Data Processor shall maintain complete and accurate records and information to demonstrate its compliance with this clause. This requirement does not apply where the Data Processor employs fewer than 250 staff, unless:
(a) the Data Controller determines that the processing is not occasional;
(b) the Data Controller determines the processing includes special categories of data as referred to in Article 9(1) of the GDPR or Personal Data relating to criminal convictions and offences referred to in Article 10 of the GDPR; or
(c) the Data Controller determines that the processing is likely to result in a risk to the rights and freedoms of Data Subjects.
16.9 The Data Processor shall allow for audits of its Data Processing activity by the Data Controller or the Data Controller’s designated auditor.
16.10 Each Party shall designate its own data protection officer if required by the Data Protection Legislation.
16.11 Before allowing any Data Sub-processor to process any Personal Data related to this Contract (submission of ILR data), the Data Processor must:
(a) notify the Data Controller’s nominated contact in writing of the intended Data Sub-processor and processing;
(b) obtain the written consent of the Data Controller’s nominated contact;
(c) enter into a written agreement with the Data Sub-processor which give effect to the terms set out in this Clause 16 such that they apply to the Data Sub-processor; and
(d) provide the Data Controller with such information regarding the Data Sub-processor as the Data Controller may reasonably require.
16.12 The Data Processor shall remain fully liable for all acts or omissions of any of its Data Sub-processors.
16.13 The Data Controller may, at any time on not less than 30 Working Days’ notice, revise this clause by replacing it with any applicable controller to processor standard clauses or similar terms forming part of an applicable certification scheme (which shall apply when incorporated by attachment to this Contract).
16.14 The Parties agree to take account of any guidance issued by the Information Commissioner’s Office. The Data Controller may on not less than 30 Working Days’ notice to the Data Processor amend this Contract to ensure that it complies with any guidance issued by the Information Commissioner’s Office.
20.15 Where the Provider is providing the Services to Learners claiming out of work benefits, the Secretary of State for Work and Pensions (or their successor) is the Data Controller in relation to Personal Data which the Provider is required to provide to the Secretary of State for Work and Pensions. This Clause 20 will be enforceable by the Secretary of State for Work and Pensions in relation to any Personal Data processed by the Provider on its behalf.
20.16 Where the Provider is providing the Service to Learners who are subject to active management by the Offender Manager in respect of an order or licence, the Secretary of State for Justice (or their successor) is the Data Controller in relation to Personal Data, which the Provider is required to provide to the Secretary of State for Education.
20.17 Where the Provider is providing the Services to Learners who are subject to claiming Industrial Injuries Disablement Benefit (IIDB), the Department for Work and Pensions (or their successor) is the Data Controller in relation to Personal Data, which the Provider is required to provide to the Secretary of State for Education. This Clause 20 will be enforceable by the Secretary of State for Work and Pensions in relation to any Personal Data processed by the Provider on its behalf.
20.18 The Data Processor will comply with any further written instructions or additional conditions from the Department’s Data Controller in relation to the data processing.
20.19 In the circumstances set out in Clause 37.1.7, the Department may elect to take the role of Data Controller.
Samples: Contract for Services
DATA PROTECTION AND PROTECTION OF PERSONAL DATA. 22.1 The Parties acknowledge that for the purposes of the Data Protection Legislation, the Department on behalf of the Secretary of State for Education is the Data Controller and the Contractor is the Data Processor only for the processing set out in Schedule 5 (UK GDPR and Data Protection) (i.e. submission of Learner data to the Department). Any other processing of Personal Data undertaken by the Contractor (i.e. Learner enrolment or delivering education & training, e.g. e-portfolios) will be as a Data Controller and not on behalf of the Department. Clauses 22.2 to 22.14 below apply only in relation to the processing of Personal Data on behalf of the Department as set out in Schedule 5 (UK GDPR and Data Protection), and the only processing that the Data Processor is authorised to do on behalf of the Department is listed in Schedule 5 (UK GDPR and Data Protection) by the Department and may not be determined by the Data Processor.
22.2 The Data Processor must notify the Data Controller immediately if it considers that any of the Data Controller's instructions infringe the Data Protection Legislation.
22.3 The Data Processor must provide all reasonable assistance to the Data Controller in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Data Controller, include:
(a) a systematic description of the envisaged processing operations and the purpose of the processing;
(b) an assessment of the necessity and proportionality of the processing operations in relation to the Services;
(c) an assessment of the risks to the rights and freedoms of Data Subjects; and
(d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data.
22.4 If requested by the Department’s Contract Manager, the Data Processor must, in relation to any Personal Data processed in connection with its obligations under this Contract:
22.4.1 process that Personal Data only in accordance with Schedule 5 (UK GDPR and Data Protection), unless the Data Processor is required to do otherwise by Law. If it is so required, the Data Processor will promptly notify the Data Controller before processing the Personal Data unless prohibited by Law;
22.4.2 ensure that it has in place Protective Measures, which are appropriate to protect against a Data Loss Event, which the Data Controller may reasonably reject (but failure to reject shall not amount to approval by the Data Controller of the adequacy of the Protective Measures), having taken account of the:
(a) nature of the data to be protected;
(b) harm that might result from a Data Loss Event;
(c) state of technological development; and
(d) cost of implementing any measures;
22.4.3 ensure that:
(a) the Data Processor Personnel do not process Personal Data except in accordance with this Contract (and in particular Schedule 5 (UK GDPR and Data Protection));
(b) it takes all reasonable steps to ensure the reliability and integrity of any Data Processor Personnel who have access to the Personal Data and ensure that they:
(i) are aware of and comply with the Data Processor’s duties under this Clause 22 (Data Protection and Protection of Personal Data);
(ii) are subject to appropriate confidentiality undertakings with the Data Processor or any Data Sub-Processor;
(iii) are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Data Controller or as otherwise permitted by this Contract; and
(iv) have undergone adequate training in the use, care, protection and handling of Personal Data; and
22.4.4 not make a Restricted Transfer unless the prior written consent of the Data Controller has been obtained and the following conditions are fulfilled:
(a) the destination country has been recognised as adequate by the UK government in accordance with Article 45 UK GDPR or section 74 of the DPA 2018;
(b) the Data Controller or the Data Processor has provided appropriate safeguards in relation to the transfer (whether in accordance with UK GDPR Article 46 or section 75 of the DPA 2018) as determined by the Data Controller;
(c) the Data Subject has enforceable rights and effective legal remedies;
(d) the Data Processor complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Data Controller in meeting its obligations); and
(e) the Data Processor complies with any reasonable instructions notified to it in advance by the Data Controller with respect to the processing of the Personal Data;
22.4.5 at the written direction of the Data Controller, delete or return Personal Data (and any copies of it) to the Data Controller on termination of the Contract unless the Data Processor is required by Law to retain the Personal Data.
22.5 Subject to Clause 22.6, the Data Processor must notify the Data Controller immediately if it:
22.5.1 receives a Data Subject Access Request (or purported Data Subject Access Request) in relation to processing their data under this Contract only (submission of learner data);
22.5.2 receives a request to rectify, block or erase any Personal Data processed through the submission of learner data. Notification in such cases should be given via the Contract Manager;
22.5.3 receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation;
22.5.4 receives any communication from the Information Commissioner or any other Regulatory Body in connection with Personal Data processed under this Contract;
22.5.5 receives a request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or
22.5.6 becomes aware of a Data Loss Event.
22.6 The Data Processor’s obligation to notify under Clause 22.5 will include the provision of further information to the Data Controller in phases, as details become available.
22.7 Taking into account the nature of the processing, the Data Processor will provide the Data Controller with full assistance in relation to either Party's obligations under Data Protection Legislation and any complaint, communication or request made under Clause 22.5 (and insofar as possible within the timescales reasonably required by the Data Controller) including by promptly providing:
22.7.1 the Data Controller with full details and copies of the complaint, communication or request;
22.7.2 such assistance as is reasonably requested by the Data Controller to enable the Data Controller to comply with a Data Subject Access Request within the relevant timescales set out in the Data Protection Legislation;
22.7.3 the Data Controller, at its request, with any Personal Data it holds in relation to a Data Subject;
22.7.4 assistance as requested by the Data Controller following any Data Loss Event;
22.7.5 assistance as requested by the Data Controller with respect to any request from the Information Commissioner’s Office, or any consultation by the Data Controller with the Information Commissioner's Office.
22.8 The Data Processor must maintain complete and accurate records and information to demonstrate its compliance with this Clause 22 (Data Protection and Protection of Personal Data). This requirement does not apply where the Data Processor employs fewer than two hundred and fifty (250) staff, unless:
22.8.1 the Data Controller determines that the processing is not occasional;
22.8.2 the Data Controller determines the processing includes special categories of data as referred to in Article 9(1) of the UK GDPR or Personal Data relating to criminal convictions and offences referred to in Article 10 of the UK GDPR; or
22.8.3 the Data Controller determines that the processing is likely to result in a risk to the rights and freedoms of Data Subjects.
22.9 The Data Processor will allow for audits of its Data Processing activity by the Data Controller or the Data Controller’s designated auditor.
22.10 Each Party will designate its own data protection officer if required by the Data Protection Legislation.
22.11 Before allowing any Data Sub-Processor to process any Personal Data related to this Contract (submission of Learner data), the Data Processor must:
22.11.1 notify the Data Controller’s Contract Manager in writing of the intended Data Sub-Processor and processing;
22.11.2 obtain the written consent of the Data Controller’s Contract Manager;
22.11.3 enter into a written agreement with the Data Sub-Processor which give effect to the terms set out in this Clause 22 (Data Protection and Protection of Personal Data) such that they apply to the Data Sub-Processor; and
22.11.4 provide the Data Controller with such information regarding the Data Sub-Processor as the Data Controller may reasonably require.
22.12 The Data Processor will remain fully liable for all acts or omissions of any of its Data Sub-Processors.
22.13 The Data Controller may, at any time on not less than thirty (30) Working Days’ notice, revise this Clause 22 (Data Protection and Protection of Personal Data) by replacing it with any applicable Data Controller to Data Processor standard clauses or similar terms forming part of an applicable certification scheme (which shall apply when incorporated by attachment to this Contract).
22.14 The Parties agree to take account of any guidance issued by the Information Commissioner’s Office. The Data Controller may on not less than thirty (30) Working Days’ notice to the Data Processor amend this Contract to ensure that it complies with any guidance issued by the Information Commissioner’s Office.
22.15 Where the Contractor is providing the Services to Learners claiming out of work benefits, the Secretary of State for Work and Pensions (or their successor) is the Data Controller in relation to Personal Data which the Contractor is required to provide to the Secretary of State for Work and Pensions. This Clause 22 (Data Protection and Protection of Personal Data) will be enforceable by the Secretary of State for Work and Pensions in relation to any Personal Data processed by the Contractor on its behalf.
22.16 Where the Contractor is providing the Service to Learners who are subject to active management by the Offender Manager in respect of an order or licence, the Secretary of State for Justice (or their successor) is the Data Controller in relation to Personal Data, which the Contractor is required to provide to the Secretary of State for Education.
22.17 Where the Contractor is providing the Services to Learners who are subject to claiming Industrial Injuries Disablement Benefit (IIDB), the Department for Work and Pensions (or their successor) is the Data Controller in relation to Personal Data, which the Contractor is required to provide to the Secretary of State for Education. This Clause 22 (Data Protection and Protection of Personal Data) will be enforceable by the Secretary of State for Work and Pensions in relation to any Personal Data processed by the Contractor on its behalf.
22.18 The Data Processor will comply with any further written instructions or additional conditions from the Department’s Data Controller in relation to the data processing.
22.19 In the circumstances set out in Clause 41.1.6, the Department may elect to take the role of Data Controller.
Samples: Contract for Services
DATA PROTECTION AND PROTECTION OF PERSONAL DATA. 24.1 This clause applies to the Services except to the extent that it relates to the payment of the Sixth Form Grant to a sixth form by the Provider.
24.2 The Parties acknowledge that for the purposes of the Data Protection Legislation, the Department on behalf of the Secretary of State for Education is the Data Controller and the Provider is the Data Processor only for the processing set out in Schedule 4 (UK GDPR/Data Protection) (i.e. submission of Learner data to the Department). Any other processing of Personal Data undertaken by the Provider (i.e. Learner enrolment or delivering education & training, e.g. e-portfolios) will be as a Data Controller and not on behalf of the Department. Clauses 24.3 to 24.15 below apply only in relation to the processing of Personal Data on behalf of the Department as set out in Schedule 4 (UK GDPR/Data Protection), and the only processing that the Data Processor is authorised to do on behalf of the Department is listed in Schedule 4 (UK GDPR/Data Protection) by the Department and may not be determined by the Data Processor.
24.3 The Data Processor must notify the Data Controller immediately if it considers that any of the Data Controller's instructions infringe the Data Protection Legislation.
24.4 The Data Processor must provide all reasonable assistance to the Data Controller in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Data Controller, include:
(a) a systematic description of the envisaged processing operations and the purpose of the processing;
(b) an assessment of the necessity and proportionality of the processing operations in relation to the Services;
(c) an assessment of the risks to the rights and freedoms of Data Subjects; and
(d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data.
20.4 24.5 If requested by the Department’s Agreement Manager, the Data Processor must, in relation to any Personal Data processed in connection with its obligations under this Agreement:
20.4.1 24.5.1 process that Personal Data only in accordance with Schedule 6 4 (UK GDPR/Data Protection), unless the Data Processor is required to do otherwise by Law. If it is so required the Data Processor will promptly notify the Data Controller before processing the Personal Data unless prohibited by Law;
20.4.2 24.5.2 ensure that it has in place Protective Measures, which are appropriate to protect against a Data Loss Event, which the Data Controller may reasonably reject (but failure to reject will not amount to approval by the Data Controller of the adequacy of the Protective Measures), having taken account of the:
(a) nature of the data to be protected;
(b) harm that might result from a Data Loss Event;
(c) state of technological development; and
(d) cost of implementing any measures;
20.4.3 24.5.3 ensure that:
(a) the Data Processor Personnel do not process Personal Data except in accordance with this Agreement (and in particular Schedule 6 4 (UK GDPR/Data Protection));
(b) it takes all reasonable steps to ensure the reliability and integrity of any Data Processor Personnel who have access to the Personal Data and ensure that they:
(i) are aware of and comply with the Data Processor’s duties under this clause;
(ii) are subject to appropriate confidentiality undertakings with the Data Processor or any Data Sub-Processor;
(iii) are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third Party unless directed in writing to do so by the Data Controller or as otherwise permitted by this Agreement; and
(iv) have undergone adequate training in the use, care, protection and handling of Personal Data; and
20.4.4 24.5.4 not make a Restricted Transfer unless the prior written consent of the Data Controller has been obtained and the following conditions are fulfilled:
(a) the Data Controller or the Data Processor has provided appropriate safeguards in relation to the transfer (whether in accordance with Data Protection Legislation) as determined by the Data Controller;
(b) the Data Subject has enforceable rights and effective legal remedies;
(c) the Data Processor complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Data Controller in meeting its obligations); and
(d) the Data Processor complies with any reasonable instructions notified to it in advance by the Data Controller with respect to the processing of the Personal Data;
20.4.5 24.5.5 at the written direction of the Data Controller, delete or return Personal Data (and any copies of it) to the Data Controller on termination of the Agreement unless the Data Processor is required by Law to retain the Personal Data.
20.5 24.6 Subject to Clause 20.6 24.7, the Data Processor must notify the Data Controller immediately if it:
20.5.1 24.6.1 receives a Data Subject Access Request (or purported Data Subject Access Request) in relation to processing their data under this Agreement only (submission of learner Learner data);
20.5.2 24.6.2 receives a request to rectify, block or erase any Personal Data processed through the submission of learner Learner data. Notification in such cases should be given via the Agreement Manager;
20.5.3 24.6.3 receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation;
20.5.4 24.6.4 receives any communication from the Information Commissioner or any other Regulatory Body in connection with Personal Data processed under this Agreement;
20.5.5 24.6.5 receives a request from any third Party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or
20.5.6 24.6.6 becomes aware of a Data Loss Event.
20.6 24.7 The Data Processor’s obligation to notify under Clause 20.5 24.6 will include the provision of further information to the Data Controller in phases, as details become available.
20.7 24.8 Taking into account the nature of the processing, the Data Processor will provide the Data Controller with full assistance in relation to either Party's obligations under Data Protection Legislation and any complaint, communication or request made under Clause 20.5 24.6 (and insofar as possible within the timescales reasonably required by the Data Controller) including by promptly providing:
20.7.1 24.8.1 the Data Controller with full details and copies of the complaint, communication or request;
20.7.2 24.8.2 such assistance as is reasonably requested by the Data Controller to enable the Data Controller to comply with a Data Subject Access Request within the relevant timescales set out in the Data Protection Legislation;
20.7.3 24.8.3 the Data Controller, at its request, with any Personal Data it holds in relation to a Data Subject;
20.7.4 24.8.4 assistance as requested by the Data Controller following any Data Loss Event;
20.7.5 24.8.5 assistance as requested by the Data Controller with respect to any request from the Information Commissioner’s Office, or any consultation by the Data Controller with the Information Commissioner's Office.
20.8 24.9 The Data Processor must maintain complete and accurate records and information to demonstrate its compliance with this clause. This requirement does not apply where the Data Processor employs fewer than 250 staff, unless:
20.8.1 24.9.1 the Data Controller determines that the processing is not occasional;
20.8.2 24.9.2 the Data Controller determines the processing includes special categories of data as referred to in the Data Protection Legislation or Personal Data relating to criminal convictions and offences referred to in the Data Protection Legislation; or
20.8.3 24.9.3 the Data Controller determines that the processing is likely to result in a risk to the rights and freedoms of Data Subjects.
20.9 24.10 The Data Processor will allow for audits of its Data Processing activity by the Data Controller or the Data Controller’s designated auditor.
20.10 24.11 Each Party will designate its own data protection officer Data Protection Officer if required by the Data Protection Legislation.
20.11 24.12 Before allowing any Data Sub-Processor to process any Personal Data related to this Agreement (submission of learner Learner data), the Data Processor must:
20.11.1 24.12.1 notify the Data Controller’s Agreement Manager in writing of the intended Data Sub-Processor and processing;
20.11.2 24.12.2 obtain the written consent of the Data Controller’s Agreement Manager;
20.11.3 24.12.3 enter into a written agreement with the Data Sub-Processor which gives effect to the terms set out in this Clause 20 24 such that they apply to the Data Sub-Processor; and
20.11.4 24.12.4 provide the Data Controller with such information regarding the Data Sub-Processor as the Data Controller may reasonably require.
20.12 24.13 The Data Processor will remain fully liable for all acts or omissions of any of its Data Sub-Processors.
20.13 24.14 The Data Controller may, at any time on not less than 30 Working Days’ notice, revise this clause by replacing it with any applicable Data Controller controller to Data Processor processor standard clauses or similar terms forming part of an applicable certification scheme (which will apply when incorporated by attachment to this Agreement).
20.14 24.15 The Parties agree to take account of any guidance issued by the Information Commissioner’s Office. The Data Controller may on not less than 30 Working Days’ notice to the Data Processor amend this Agreement to ensure that it complies with any guidance issued by the Information Commissioner’s Office.
20.15 24.16 Where the Provider is providing the Services to Learners claiming out of work benefits, the Secretary of State for Work and Pensions (or their successor) is the Data Controller in relation to Personal Data which the Provider is required to provide to the Secretary of State for Work and Pensions. This Clause 20 24 will be enforceable by the Secretary of State for Work and Pensions in relation to any Personal Data processed by the Provider on its behalf.
20.16 24.17 Where the Provider is providing the Service to Learners who are subject to active management by the Offender Manager in respect of an order or licence, the Secretary of State for Justice (or their successor) is the Data Controller in relation to Personal Data, which the Provider is required to provide to the Secretary of State for Education.
20.17 24.18 Where the Provider is providing the Services to Learners who are subject to claiming Industrial Injuries Disablement Benefit (IIDB), the Department for Work and Pensions (or their successor) is the Data Controller in relation to Personal Data, which the Provider is required to provide to the Secretary of State for Education. This Clause 20 24 will be enforceable by the Secretary of State for Work and Pensions in relation to any Personal Data processed by the Provider on its behalf.
20.18 24.19 The Data Processor will comply with any further written instructions or additional conditions from the Department’s Data Controller in relation to the data processing.
20.19 24.20 In the circumstances set out in Clause 37.1.7 34.1.7, the Department may elect to take the role of Data Controller.
Appears in 1 contract
Samples: Accountability Agreement
DATA PROTECTION AND PROTECTION OF PERSONAL DATA. 20.1 The Parties acknowledge that for the purposes of the Data Protection Legislation, the Department on behalf of the Secretary of State for Education is the Data Controller and the Provider Employer is the Data Processor only for the processing set out in Schedule 6 (i.e. submission of Learner data to the Department). Any other processing of Personal Data undertaken by the Provider Employer (i.e. Learner enrolment or delivering education & training, e.g. e-portfolios) will be as a Data Controller and not on behalf of the Department. Clauses 20.2 to 20.14 below apply only in relation to the processing of Personal Data on behalf of the Department as set out in Schedule 6, and the only processing that the Data Processor is authorised to do on behalf of the Department is listed in Schedule 6 by the Department and may not be determined by the Data Processor.
20.2 The Data Processor must notify the Data Controller immediately if it considers that any of the Data Controller's instructions infringe the Data Protection Legislation.
20.3 The Data Processor must provide all reasonable assistance to the Data Controller in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Data Controller, include:
(a) a systematic description of the envisaged processing operations and the purpose of the processing;
(b) an assessment of the necessity and proportionality of the processing operations in relation to the Services;
(c) an assessment of the risks to the rights and freedoms of Data Subjects; and
(d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data.
20.4 If requested by the Department’s Agreement Manager, the Data Processor must, in relation to any Personal Data processed in connection with its obligations under this Agreement:
20.4.1 process that Personal Data only in accordance with Schedule 6, unless the Data Processor is required to do otherwise by Law. If it is so required the Data Processor will promptly notify the Data Controller before processing the Personal Data unless prohibited by Law;
20.4.2 ensure that it has in place Protective Measures, which are appropriate to protect against a Data Loss Event, which the Data Controller may reasonably reject (but failure to reject will not amount to approval by the Data Controller of the adequacy of the Protective Measures), having taken account of the:
(a) nature of the data to be protected;
(b) harm that might result from a Data Loss Event;
(c) state of technological development; and
(d) cost of implementing any measures;
20.4.3 ensure that:
(a) the Data Processor Personnel do not process Personal Data except in accordance with this Agreement (and in particular Schedule 6);
(b) it takes all reasonable steps to ensure the reliability and integrity of any Data Processor Personnel who have access to the Personal Data and ensure that they:
(i) are aware of and comply with the Data Processor’s duties under this clause;
(ii) are subject to appropriate confidentiality undertakings with the Data Processor or any Data Sub-Processor;
(iii) are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third Party unless directed in writing to do so by the Data Controller or as otherwise permitted by this Agreement; and
(iv) have undergone adequate training in the use, care, protection and handling of Personal Data; and
20.4.4 not make a Restricted Transfer unless the prior written consent of the Data Controller has been obtained and the following conditions are fulfilled:
(a) the Data Controller or the Data Processor has provided appropriate safeguards in relation to the transfer (whether in accordance with Data Protection Legislation) as determined by the Data Controller;
(b) the Data Subject has enforceable rights and effective legal remedies;
(c) the Data Processor complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Data Controller in meeting its obligations); and
(d) the Data Processor complies with any reasonable instructions notified to it in advance by the Data Controller with respect to the processing of the Personal Data;
20.4.5 at the written direction of the Data Controller, delete or return Personal Data (and any copies of it) to the Data Controller on termination of the Agreement unless the Data Processor is required by Law to retain the Personal Data.
20.5 Subject to Clause 20.6, the Data Processor must notify the Data Controller immediately if it:
20.5.1 receives a Data Subject Request (or purported Data Subject Request) in relation to processing their data under this Agreement only (submission of learner data);
20.5.2 receives a request to rectify, block or erase any Personal Data processed through the submission of learner data. Notification in such cases should be given via the Agreement Manager;
20.5.3 receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation;
20.5.4 receives any communication from the Information Commissioner or any other Regulatory Body in connection with Personal Data processed under this Agreement;
20.5.5 receives a request from any third Party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or
20.5.6 becomes aware of a Data Loss Event.
20.6 The Data Processor’s obligation to notify under Clause 20.5 will include the provision of further information to the Data Controller in phases, as details become available.
20.7 Taking into account the nature of the processing, the Data Processor will provide the Data Controller with full assistance in relation to either Party's obligations under Data Protection Legislation and any complaint, communication or request made under Clause 20.5 (and insofar as possible within the timescales reasonably required by the Data Controller) including by promptly providing:
20.7.1 the Data Controller with full details and copies of the complaint, communication or request;
20.7.2 such assistance as is reasonably requested by the Data Controller to enable the Data Controller to comply with a Data Subject Request within the relevant timescales set out in the Data Protection Legislation;
20.7.3 the Data Controller, at its request, with any Personal Data it holds in relation to a Data Subject;
20.7.4 assistance as requested by the Data Controller following any Data Loss Event;
20.7.5 assistance as requested by the Data Controller with respect to any request from the Information Commissioner’s Office, or any consultation by the Data Controller with the Information Commissioner's Office.
20.8 The Data Processor must maintain complete and accurate records and information to demonstrate its compliance with this clause. This requirement does not apply where the Data Processor employs fewer than 250 staff, unless:
20.8.1 the Data Controller determines that the processing is not occasional;
20.8.2 the Data Controller determines the processing includes special categories of data as referred to in the Data Protection Legislation or Personal Data relating to criminal convictions and offences referred to in the Data Protection Legislation; or
20.8.3 the Data Controller determines that the processing is likely to result in a risk to the rights and freedoms of Data Subjects.
20.9 The Data Processor will allow for audits of its Data Processing activity by the Data Controller or the Data Controller’s designated auditor.
20.10 Each Party will designate its own data protection officer if required by the Data Protection Legislation.
20.11 Before allowing any Data Sub-Processor to process any Personal Data related to this Agreement (submission of learner data), the Data Processor must:
20.11.1 notify the Data Controller’s Agreement Manager in writing of the intended Data Sub-Processor and processing;
20.11.2 obtain the written consent of the Data Controller’s Agreement Manager;
20.11.3 enter into a written agreement with the Data Sub-Processor which gives effect to the terms set out in this Clause 20 such that they apply to the Data Sub-Processor; and
20.11.4 provide the Data Controller with such information regarding the Data Sub-Processor as the Data Controller may reasonably require.
20.12 The Data Processor will remain fully liable for all acts or omissions of any of its Data Sub-Processors.
20.13 The Data Controller may, at any time on not less than 30 Working Days’ notice, revise this clause by replacing it with any applicable Data Controller to Data Processor standard clauses or similar terms forming part of an applicable certification scheme (which will apply when incorporated by attachment to this Agreement).
20.14 The Parties agree to take account of any guidance issued by the Information Commissioner’s Office. The Data Controller may on not less than 30 Working Days’ notice to the Data Processor amend this Agreement to ensure that it complies with any guidance issued by the Information Commissioner’s Office.
20.15 Where the Provider is providing the Services to Learners claiming out of work benefits, the Secretary of State for Work and Pensions (or their successor) is the Data Controller in relation to Personal Data which the Provider is required to provide to the Secretary of State for Work and Pensions. This Clause 20 will be enforceable by the Secretary of State for Work and Pensions in relation to any Personal Data processed by the Provider on its behalf.
20.16 Where the Provider is providing the Service to Learners who are subject to active management by the Offender Manager in respect of an order or licence, the Secretary of State for Justice (or their successor) is the Data Controller in relation to Personal Data, which the Provider is required to provide to the Secretary of State for Education.
20.17 Where the Provider is providing the Services to Learners who are subject to claiming Industrial Injuries Disablement Benefit (IIDB), the Department for Work and Pensions (or their successor) is the Data Controller in relation to Personal Data, which the Provider is required to provide to the Secretary of State for Education. This Clause 20 will be enforceable by the Secretary of State for Work and Pensions in relation to any Personal Data processed by the Provider on its behalf.
20.18 The Data Processor will comply with any further written instructions or additional conditions from the Department’s Data Controller in relation to the data processing.
20.19 In the circumstances set out in Clause 37.1.7, the Department may elect to take the role of Data Controller.
Appears in 1 contract
Samples: Conditions of Funding (Grant)
DATA PROTECTION AND PROTECTION OF PERSONAL DATA. 20.1 The Parties acknowledge that for the purposes of the Data Protection Legislation, the Department on behalf of the Secretary of State for Education is the Data Controller and the Provider College is the Data Processor only for the processing set out in Schedule 6 (i.e. submission of Learner data to the Department). Any other processing of Personal Data undertaken by the Provider College (i.e. Learner enrolment or delivering education & training, e.g. e-portfolios) will be as a Data Controller and not on behalf of the Department. Clauses 20.2 to 20.14 below apply only in relation to the processing of Personal Data on behalf of the Department as set out in Schedule 6, and the only processing that the Data Processor is authorised to do on behalf of the Department is listed in Schedule 6 by the Department and may not be determined by the Data Processor.
20.2 The Data Processor must notify the Data Controller immediately if it considers that any of the Data Controller's instructions infringe the Data Protection Legislation.
20.3 The Data Processor must provide all reasonable assistance to the Data Controller in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Data Controller, include:
(a) 20.3.1 a systematic description of the envisaged processing operations and the purpose of the processing;
(b) 20.3.2 an assessment of the necessity and proportionality of the processing operations in relation to the Services;
(c) 20.3.3 an assessment of the risks to the rights and freedoms of Data Subjects; and
(d) 20.3.4 the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data.
20.4 If requested by the Department’s Agreement Manager, the Data Processor must, in relation to any Personal Data processed in connection with its obligations under this Agreement:
20.4.1 process that Personal Data only in accordance with Schedule 6, unless the Data Processor is required to do otherwise by Law. If it is so required the Data Processor will promptly notify the Data Controller before processing the Personal Data unless prohibited by Law;
20.4.2 ensure that it has in place Protective Measures, which are appropriate to protect against a Data Loss Event, which the Data Controller may reasonably reject (but failure to reject will not amount to approval by the Data Controller of the adequacy of the Protective Measures), having taken account of the:
(a) nature of the data to be protected;
(b) harm that might result from a Data Loss Event;
(c) state of technological development; and
(d) cost of implementing any measures;
20.4.3 ensure that:
(a) the Data Processor Personnel do not process Personal Data except in accordance with this Agreement (and in particular Schedule 6);
(b) it takes all reasonable steps to ensure the reliability and integrity of any Data Processor Personnel who have access to the Personal Data and ensure that they:
(i) are aware of and comply with the Data Processor’s duties under this clause;
(ii) are subject to appropriate confidentiality undertakings with the Data Processor or any Data Sub-Processor;
(iii) are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third Party unless directed in writing to do so by the Data Controller or as otherwise permitted by this Agreement; and
(iv) have undergone adequate training in the use, care, protection and handling of Personal Data; and
20.4.4 not make a Restricted Transfer unless the prior written consent of the Data Controller has been obtained and the following conditions are fulfilled:
(a) the Data Controller or the Data Processor has provided appropriate safeguards in relation to the transfer (whether in accordance with Data Protection Legislation) as determined by the Data Controller;
(b) the Data Subject has enforceable rights and effective legal remedies;
(c) the Data Processor complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Data Controller in meeting its obligations); and
(d) the Data Processor complies with any reasonable instructions notified to it in advance by the Data Controller with respect to the processing of the Personal Data;
20.4.5 at the written direction of the Data Controller, delete or return Personal Data (and any copies of it) to the Data Controller on termination of the Agreement unless the Data Processor is required by Law to retain the Personal Data.
20.5 Subject to Clause 20.6, the Data Processor must notify the Data Controller immediately if it:
20.5.1 receives a Data Subject Request (or purported Data Subject Request) in relation to processing their data under this Agreement only (submission of learner data);
20.5.2 receives a request to rectify, block or erase any Personal Data processed through the submission of learner data. Notification in such cases should be given via the Agreement Manager;
20.5.3 receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation;
20.5.4 receives any communication from the Information Commissioner or any other Regulatory Body in connection with Personal Data processed under this Agreement;
20.5.5 receives a request from any third Party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or
20.5.6 becomes aware of a Data Loss Event.
20.6 The Data Processor’s obligation to notify under Clause 20.5 will include the provision of further information to the Data Controller in phases, as details become available.
20.7 Taking into account the nature of the processing, the Data Processor will provide the Data Controller with full assistance in relation to either Party's obligations under Data Protection Legislation and any complaint, communication or request made under Clause 20.5 (and insofar as possible within the timescales reasonably required by the Data Controller) including by promptly providing:
20.7.1 the Data Controller with full details and copies of the complaint, communication or request;
20.7.2 such assistance as is reasonably requested by the Data Controller to enable the Data Controller to comply with a Data Subject Request within the relevant timescales set out in the Data Protection Legislation;
20.7.3 the Data Controller, at its request, with any Personal Data it holds in relation to a Data Subject;
20.7.4 assistance as requested by the Data Controller following any Data Loss Event;
20.7.5 assistance as requested by the Data Controller with respect to any request from the Information Commissioner’s Office, or any consultation by the Data Controller with the Information Commissioner's Office.
20.8 The Data Processor must maintain complete and accurate records and information to demonstrate its compliance with this clause. This requirement does not apply where the Data Processor employs fewer than 250 staff, unless:
20.8.1 the Data Controller determines that the processing is not occasional;
20.8.2 the Data Controller determines the processing includes special categories of data as referred to in the Data Protection Legislation or Personal Data relating to criminal convictions and offences referred to in the Data Protection Legislation; or
20.8.3 the Data Controller determines that the processing is likely to result in a risk to the rights and freedoms of Data Subjects.
20.9 The Data Processor will allow for audits of its Data Processing activity by the Data Controller or the Data Controller’s designated auditor.
20.10 Each Party will designate its own data protection officer if required by the Data Protection Legislation.
20.11 Before allowing any Data Sub-Processor to process any Personal Data related to this Agreement (submission of learner data), the Data Processor must:
20.11.1 notify the Data Controller’s Agreement Manager in writing of the intended Data Sub-Processor and processing;
20.11.2 obtain the written consent of the Data Controller’s Agreement Manager;
20.11.3 enter into a written agreement with the Data Sub-Processor which gives effect to the terms set out in this Clause 20 such that they apply to the Data Sub-Processor; and
20.11.4 provide the Data Controller with such information regarding the Data Sub-Processor as the Data Controller may reasonably require.
20.12 The Data Processor will remain fully liable for all acts or omissions of any of its Data Sub-Processors.
20.13 The Data Controller may, at any time on not less than 30 Working Days’ notice, revise this clause by replacing it with any applicable Data Controller to Data Processor standard clauses or similar terms forming part of an applicable certification scheme (which will apply when incorporated by attachment to this Agreement).
20.14 The Parties agree to take account of any guidance issued by the Information Commissioner’s Office. The Data Controller may on not less than 30 Working Days’ notice to the Data Processor amend this Agreement to ensure that it complies with any guidance issued by the Information Commissioner’s Office.
20.15 Where the Provider College is providing the Services to Learners claiming out of work benefits, the Secretary of State for Work and Pensions (or their successor) is the Data Controller in relation to Personal Data which the Provider College is required to provide to the Secretary of State for Work and Pensions. This Clause 20 will be enforceable by the Secretary of State for Work and Pensions in relation to any Personal Data processed by the Provider College on its behalf.
20.16 Where the Provider College is providing the Service to Learners who are subject to active management by the Offender Manager in respect of an order or licence, the Secretary of State for Justice (or their successor) is the Data Controller in relation to Personal Data, which the Provider College is required to provide to the Secretary of State for Education.
20.17 Where the Provider College is providing the Services to Learners who are subject to claiming Industrial Injuries Disablement Benefit (IIDB), the Department for Work and Pensions (or their successor) is the Data Controller in relation to Personal Data, which the Provider College is required to provide to the Secretary of State for Education. This Clause 20 will be enforceable by the Secretary of State for Work and Pensions in relation to any Personal Data processed by the Provider College on its behalf.
20.18 The Data Processor will comply with any further written instructions or additional conditions from the Department’s Data Controller in relation to the data processing.
20.19 In the circumstances set out in Clause 36.1.7, the Department may elect to take the role of Data Controller.
Samples: Conditions of Funding (Grant)
DATA PROTECTION AND PROTECTION OF PERSONAL DATA. 20.1 The Parties acknowledge that for the purposes of the Data Protection Laws, the Department on behalf of the Secretary of State for Education is the Data Controller and the Employer is the Data Processor only for the processing set out in Schedule 6 (i.e. submission of Learner data to the Department). Any other processing of Personal Data undertaken by the Employer (i.e. Learner enrolment or delivering education & training, e.g. e-portfolios) will be as a Data Controller and not on behalf of the Department. Clauses 20.2 to 20.14 below apply only in relation to the processing of Personal Data on behalf of the Department as set out in Schedule 6, and the only processing that the Data Processor is authorised to do on behalf of the Department is listed in Schedule 6 by the Department and may not be determined by the Data Processor.
20.2 The Data Processor must notify the Data Controller immediately if it considers that any of the Data Controller's instructions infringe the Data Protection Laws.
20.3 The Data Processor must provide all reasonable assistance to the Data Controller in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Data Controller, include:
(a) a systematic description of the envisaged processing operations and the purpose of the processing;
(b) an assessment of the necessity and proportionality of the processing operations in relation to the Services;
(c) an assessment of the risks to the rights and freedoms of Data Subjects; and
(d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data.
20.4 If requested by the Department’s Agreement Manager, the Data Processor must, in relation to any Personal Data processed in connection with its obligations under this Agreement:
20.4.1 process that Personal Data only in accordance with Schedule 6, unless the Data Processor is required to do otherwise by Law. If it is so required the Data Processor will promptly notify the Data Controller before processing the Personal Data unless prohibited by Law;
20.4.2 ensure that it has in place Protective Measures, which are appropriate to protect against a Data Loss Event, which the Data Controller may reasonably reject (but failure to reject will not amount to approval by the Data Controller of the adequacy of the Protective Measures), having taken account of the:
(a) nature of the data to be protected;
(b) harm that might result from a Data Loss Event;
(c) state of technological development; and
(d) cost of implementing any measures;
20.4.3 ensure that:
(a) the Data Processor Personnel do not process Personal Data except in accordance with this Agreement (and in particular Schedule 6);
(b) it takes all reasonable steps to ensure the reliability and integrity of any Data Processor Personnel who have access to the Personal Data and ensure that they:
(i) are aware of and comply with the Data Processor’s duties under this clause;
(ii) are subject to appropriate confidentiality undertakings with the Data Processor or any Data Sub-Processorprocessor;
(iii) are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third Party unless directed in writing to do so by the Data Controller or as otherwise permitted by this Agreement; and
(iv) have undergone adequate training in the use, care, protection and handling of Personal Data; and
20.4.4 not transfer Personal Data outside of the EU unless the prior written consent of the Data Controller has been obtained and the following conditions are fulfilled:
(a) the Data Controller or the Data Processor has provided appropriate safeguards in relation to the transfer (whether in accordance with UK GDPR Article 46 or LED Article 37) as determined by the Data Controller;
(b) the Data Subject has enforceable rights and effective legal remedies;
(c) the Data Processor complies with its obligations under the Data Protection Laws by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Data Controller in meeting its obligations); and
(d) the Data Processor complies with any reasonable instructions notified to it in advance by the Data Controller with respect to the processing of the Personal Data;
20.4.5 at the written direction of the Data Controller, delete or return Personal Data (and any copies of it) to the Data Controller on termination of the Agreement unless the Data Processor is required by Law to retain the Personal Data.
20.5 Subject to Clause 20.6, the Data Processor must notify the Data Controller immediately if it:
20.5.1 receives a Data Subject Request (or purported Data Subject Request) in relation to processing their data under this Agreement only (submission of learner data);
20.5.2 receives a request to rectify, block or erase any Personal Data processed through the submission of learner data. Notification in such cases should be given via the Agreement Manager;
20.5.3 receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Laws;
20.5.4 receives any communication from the Information Commissioner or any other Regulatory Body in connection with Personal Data processed under this Agreement;
20.5.5 receives a request from any third Party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or
20.5.6 becomes aware of a Data Loss Event.
20.6 The Data Processor’s obligation to notify under Clause 20.5 will include the provision of further information to the Data Controller in phases, as details become available.
20.7 Taking into account the nature of the processing, the Data Processor will provide the Data Controller with full assistance in relation to either Party's obligations under Data Protection Laws and any complaint, communication or request made under Clause 20.5 (and insofar as possible within the timescales reasonably required by the Data Controller) including by promptly providing:
20.7.1 the Data Controller with full details and copies of the complaint, communication or request;
20.7.2 such assistance as is reasonably requested by the Data Controller to enable the Data Controller to comply with a Data Subject Request within the relevant timescales set out in the Data Protection Laws;
20.7.3 the Data Controller, at its request, with any Personal Data it holds in relation to a Data Subject;
20.7.4 assistance as requested by the Data Controller following any Data Loss Event;
20.7.5 assistance as requested by the Data Controller with respect to any request from the Information Commissioner’s Office, or any consultation by the Data Controller with the Information Commissioner's Office.
20.8 The Data Processor must maintain complete and accurate records and information to demonstrate its compliance with this clause. This requirement does not apply where the Data Processor employs fewer than 250 staff, unless:
20.8.1 the Data Controller determines that the processing is not occasional;
20.8.2 the Data Controller determines the processing includes special categories of data as referred to in Article 9(1) of the UK GDPR or Personal Data relating to criminal convictions and offences referred to in Article 10 of the UK GDPR; or
20.8.3 the Data Controller determines that the processing is likely to result in a risk to the rights and freedoms of Data Subjects.
20.9 The Data Processor will allow for audits of its Data Processing activity by the Data Controller or the Data Controller’s designated auditor.
20.10 Each Party will designate its own data protection officer if required by the Data Protection Laws.
20.11 Before allowing any Data Sub-Processor processor to process any Personal Data related to this Agreement (submission of learner data), the Data Processor must:
20.11.1 notify the Data Controller’s Agreement Manager in writing of the intended Data Sub-Processor processor and processing;
20.11.2 obtain the written consent of the Data Controller’s Agreement Manager;
20.11.3 enter into a written agreement with the Data Sub-Processor processor which give effect to the terms set out in this Clause 20 such that they apply to the Data Sub-Processorprocessor; and
20.11.4 provide the Data Controller with such information regarding the Data Sub-Processor processor as the Data Controller may reasonably require.
20.12 The Data Processor will remain fully liable for all acts or omissions of any of its Data Sub-Processorsprocessors.
20.13 The Data Controller may, at any time on not less than 30 Working Days’ notice, revise this clause by replacing it with any applicable controller to processor standard clauses or similar terms forming part of an applicable certification scheme (which will apply when incorporated by attachment to this Agreement).
20.14 The Parties agree to take account of any guidance issued by the Information Commissioner’s Office. The Data Controller may on not less than 30 Working Days’ notice to the Data Processor amend this Agreement to ensure that it complies with any guidance issued by the Information Commissioner’s Office.
20.15 Where the Employer is providing the Services to Learners claiming out of work benefits, the Secretary of State for Work and Pensions (or their successor) is the Data Controller in relation to Personal Data which the Employer is required to provide to the Secretary of State for Work and Pensions. This Clause 20 will be enforceable by the Secretary of State for Work and Pensions in relation to any Personal Data processed by the Employer on its behalf.
20.16 Where the Employer is providing the Service to Learners who are subject to active management by the Offender Manager in respect of an order or licence, the Secretary of State for Justice (or their successor) is the Data Controller in relation to Personal Data, which the Employer is required to provide to the Secretary of State for Education.
20.17 Where the Employer is providing the Services to Learners who are subject to claiming Industrial Injuries Disablement Benefit (IIDB), the Department for Work and Pensions (or their successor) is the Data Controller in relation to Personal Data, which the Employer is required to provide to the Secretary of State for Education. This Clause 20 will be enforceable by the Secretary of State for Work and Pensions in relation to any Personal Data processed by the Employer on its behalf.
20.18 The Data Processor will comply with any further written instructions or additional conditions from the Department’s Data Controller in relation to the data processing.
20.19 In the circumstances set out in Clause 37.1.7, the Department may elect to take the role of Data Controller.
Samples: Conditions of Funding (Grant)
DATA PROTECTION AND PROTECTION OF PERSONAL DATA. 16.1 The Parties acknowledge that for the purposes of the Data Protection Legislation, the Department on behalf of the Secretary of State for Education is the Data Controller and the Contractor is the Data Processor only for the processing set out in Schedule 2 (i.e. submission of Apprentice data to the Department). Any other processing of Personal Data (i.e. Apprentice enrolment or delivering education & training, e.g. e-portfolios) undertaken by the Contractor will be as a data controller and not on behalf of the Department. Clauses 16.2 to 16.14 below apply only in relation to the processing of Personal Data on behalf of the Department as set out in Schedule 2, and the only processing that the Data Processor is authorised to do on behalf of the Department is listed in Schedule 2 by the Department and may not be determined by the Data Processor.
16.2 The Data Processor shall notify the Data Controller immediately if it considers that any of the Data Controller's instructions infringe the Data Protection Legislation.
16.3 The Data Processor shall provide all reasonable assistance to the Data Controller in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Data Controller, include:
(a) a systematic description of the envisaged processing operations and the purpose of the processing;
(b) an assessment of the necessity and proportionality of the processing operations in relation to the Services;
(c) an assessment of the risks to the rights and freedoms of Data Subjects; and
(d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data.
16.4 If requested by the Department’s nominated contact, the Data Processor shall, in relation to any Personal Data processed in connection with its obligations under this Contract:
(a) process that Personal Data only in accordance with Schedule 2, unless the Data Processor is required to do otherwise by Law. If it is so required the Data Processor shall promptly notify the Data Controller before processing the Personal Data unless prohibited by Law;
(b) ensure that it has in place Protective Measures, which are appropriate to protect against a Data Loss Event, which the Data Controller may reasonably reject (but failure to reject shall not amount to approval by the Data Controller of the adequacy of the Protective Measures), having taken account of the:
(i) nature of the data to be protected;
(ii) harm that might result from a Data Loss Event;
(iii) state of technological development; and
(iv) cost of implementing any measures;
(c) ensure that:
(i) the Data Processor Personnel do not process Personal Data except in accordance with this Contract (and in particular Schedule 2);
(ii) it takes all reasonable steps to ensure the reliability and integrity of any Data Processor Personnel who have access to the Personal Data and ensure that they:
(A) are aware of and comply with the Data Processor’s duties under this clause;
(B) are subject to appropriate confidentiality undertakings with the Data Processor or any Data Sub-Processor;
(C) are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third Party unless directed in writing to do so by the Data Controller or as otherwise permitted by this Contract; and
(D) have undergone adequate training in the use, care, protection and handling of Personal Data; and
(d) not make a Restricted Transfer unless the prior written consent of the Data Controller has been obtained and the following conditions are fulfilled:
(i) the Data Controller or the Data Processor has provided appropriate safeguards in relation to the transfer (whether in accordance with Data Protection Legislation) as determined by the Data Controller;
(ii) the Data Subject has enforceable rights and effective legal remedies;
(iii) the Data Processor complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Data Controller in meeting its obligations); and
(iv) the Data Processor complies with any reasonable instructions notified to it in advance by the Data Controller with respect to the processing of the Personal Data;
(e) at the written direction of the Data Controller, delete or return Personal Data (and any copies of it) to the Data Controller on termination of the Contract unless the Data Processor is required by Law to retain the Personal Data.
16.5 Subject to Clause 16.6, the Data Processor shall notify the Data Controller immediately if it:
(a) receives a Data Subject Request (or purported Data Subject Request) in relation to the processing of their data under this Contract only (submission of ILR data);
(b) receives a request to rectify, block or erase any Personal Data processed through the submission of ILR data. Notification in such cases should be given via the nominated contact;
(c) receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation;
(d) receives any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data processed under this Contract;
(e) receives a request from any third Party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or
(f) becomes aware of a Data Loss Event.
16.6 The Data Processor’s obligation to notify under Clause 16.5 shall include the provision of further information to the Data Controller in phases, as details become available.
16.7 Taking into account the nature of the processing, the Data Processor shall provide the Data Controller with full assistance in relation to either Party's obligations under Data Protection Legislation and any complaint, communication or request made under Clause 16.5 (and insofar as possible within the timescales reasonably required by the Data Controller) including by promptly providing:
(a) the Data Controller with full details and copies of the complaint, communication or request;
(b) such assistance as is reasonably requested by the Data Controller to enable the Data Controller to comply with a Data Subject Request within the relevant timescales set out in the Data Protection Legislation;
(c) the Data Controller, at its request, with any Personal Data it holds in relation to a Data Subject;
(d) assistance as requested by the Data Controller following any Data Loss Event;
(e) assistance as requested by the Data Controller with respect to any request from the Information Commissioner’s Office, or any consultation by the Data Controller with the Information Commissioner's Office.
16.8 The Data Processor shall maintain complete and accurate records and information to demonstrate its compliance with this clause. This requirement does not apply where the Data Processor employs fewer than 250 staff, unless:
(a) the Data Controller determines that the processing is not occasional;
(b) the Data Controller determines the processing includes special categories of data as referred to in the Data Protection Legislation or Personal Data relating to criminal convictions and offences referred to in the Data Protection Legislation; or
(c) the Data Controller determines that the processing is likely to result in a risk to the rights and freedoms of Data Subjects.
16.9 The Data Processor shall allow for audits of its Data Processing activity by the Data Controller or the Data Controller’s designated auditor.
16.10 Each Party shall designate its own data protection officer if required by the Data Protection Legislation.
16.11 Before allowing any Data Sub-Processor to process any Personal Data related to this Contract (submission of ILR data), the Data Processor must:
(a) notify the Data Controller’s nominated contact in writing of the intended Data Sub-Processor and processing;
(b) obtain the written consent of the Data Controller’s nominated contact;
(c) enter into a written agreement with the Data Sub-Processor which give effect to the terms set out in this Clause 16 such that they apply to the Data Sub-Processor; and
(d) provide the Data Controller with such information regarding the Data Sub-Processor as the Data Controller may reasonably require.
16.12 The Data Processor shall remain fully liable for all acts or omissions of any of its Data Sub-Processors.
16.13 The Data Controller may, at any time on not less than 30 Working Days’ notice, revise this clause by replacing it with any applicable controller to processor standard clauses or similar terms forming part of an applicable certification scheme (which shall apply when incorporated by attachment to this Contract).
16.14 The Parties agree to take account of any guidance issued by the Information Commissioner’s Office. The Data Controller may on not less than 30 Working Days’ notice to the Data Processor amend this Contract to ensure that it complies with any guidance issued by the Information Commissioner’s Office.
20.15 Where the Provider is providing the Services to Learners claiming out of work benefits, the Secretary of State for Work and Pensions (or their successor) is the Data Controller in relation to Personal Data which the Provider is required to provide to the Secretary of State for Work and Pensions. This Clause 20 will be enforceable by the Secretary of State for Work and Pensions in relation to any Personal Data processed by the Provider on its behalf.
20.16 Where the Provider is providing the Service to Learners who are subject to active management by the Offender Manager in respect of an order or licence, the Secretary of State for Justice (or their successor) is the Data Controller in relation to Personal Data, which the Provider is required to provide to the Secretary of State for Education.
20.17 Where the Provider is providing the Services to Learners who are subject to claiming Industrial Injuries Disablement Benefit (IIDB), the Department for Work and Pensions (or their successor) is the Data Controller in relation to Personal Data, which the Provider is required to provide to the Secretary of State for Education. This Clause 20 will be enforceable by the Secretary of State for Work and Pensions in relation to any Personal Data processed by the Provider on its behalf.
20.18 The Data Processor will comply with any further written instructions or additional conditions from the Department’s Data Controller in relation to the data processing.
20.19 In the circumstances set out in Clause 37.1.7, the Department may elect to take the role of Data Controller.
Samples: Contract for Services
DATA PROTECTION AND PROTECTION OF PERSONAL DATA. 24.1 This clause applies to the Services except to the extent that it relates to the payment of the Sixth Form Grant to a sixth form by the Provider.
24.2 The Parties acknowledge that for the purposes of the Data Protection Legislation, the Department on behalf of the Secretary of State for Education is the Data Controller and the Provider is the Data Processor only for the processing set out in Schedule 4 (UK GDPR/Data Protection) (i.e. submission of Learner data to the Department). Any other processing of Personal Data undertaken by the Provider (i.e. Learner enrolment or delivering education & training, e.g. e-portfolios) will be as a Data Controller and not on behalf of the Department. Clauses 24.3 to 24.15 below apply only in relation to the processing of Personal Data on behalf of the Department as set out in Schedule 4 (UK GDPR/Data Protection), and the only processing that the Data Processor is authorised to do on behalf of the Department is listed in Schedule 4 (UK GDPR/Data Protection) by the Department and may not be determined by the Data Processor.
24.3 The Data Processor must notify the Data Controller immediately if it considers that any of the Data Controller's instructions infringe the Data Protection Legislation.
24.4 The Data Processor must provide all reasonable assistance to the Data Controller in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Data Controller, include:
(a) a systematic description of the envisaged processing operations and the purpose of the processing;
(b) an assessment of the necessity and proportionality of the processing operations in relation to the Services;
(c) an assessment of the risks to the rights and freedoms of Data Subjects; and
(d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data.
24.5 If requested by the Department’s Agreement Manager, the Data Processor must, in relation to any Personal Data processed in connection with its obligations under this Agreement:
24.5.1 process that Personal Data only in accordance with Schedule 4 (UK GDPR/Data Protection), unless the Data Processor is required to do otherwise by Law. If it is so required the Data Processor will promptly notify the Data Controller before processing the Personal Data unless prohibited by Law;
24.5.2 ensure that it has in place Protective Measures, which are appropriate to protect against a Data Loss Event, which the Data Controller may reasonably reject (but failure to reject will not amount to approval by the Data Controller of the adequacy of the Protective Measures), having taken account of the:
(a) nature of the data to be protected;
(b) harm that might result from a Data Loss Event;
(c) state of technological development; and
(d) cost of implementing any measures;
24.5.3 ensure that:
(a) the Data Processor Personnel do not process Personal Data except in accordance with this Agreement (and in particular Schedule 4 (UK GDPR/Data Protection));
(b) it takes all reasonable steps to ensure the reliability and integrity of any Data Processor Personnel who have access to the Personal Data and ensure that they:
(i) are aware of and comply with the Data Processor’s duties under this clause;
(ii) are subject to appropriate confidentiality undertakings with the Data Processor or any Data Sub-Processor;
(iii) are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third Party unless directed in writing to do so by the Data Controller or as otherwise permitted by this Agreement; and
(iv) have undergone adequate training in the use, care, protection and handling of Personal Data; and
24.5.4 not make a Restricted Transfer unless the prior written consent of the Data Controller has been obtained and the following conditions are fulfilled:
(a) the destination country has been recognised as adequate by the UK government in accordance with Article 45 UK GDPR or section 74 of the DPA 2018
(b) the Data Controller or the Data Processor has provided appropriate safeguards in relation to the transfer (whether in accordance with UK GDPR Article 46 or section 75 of the DPA 2018) as determined by the Data Controller;
(c) the Data Subject has enforceable rights and effective legal remedies;
(d) the Data Processor complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Data Controller in meeting its obligations); and
(e) the Data Processor complies with any reasonable instructions notified to it in advance by the Data Controller with respect to the processing of the Personal Data;
24.5.5 at the written direction of the Data Controller, delete or return Personal Data (and any copies of it) to the Data Controller on termination of the Agreement unless the Data Processor is required by Law to retain the Personal Data.
24.6 Subject to Clause 24.7, the Data Processor must notify the Data Controller immediately if it:
24.6.1 receives a Data Subject Access Request (or purported Data Subject Access Request) in relation to processing their data under this Agreement only (submission of Learner data);
24.6.2 receives a request to rectify, block or erase any Personal Data processed through the submission of Learner data. Notification in such cases should be given via the Agreement Manager;
24.6.3 receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation;
24.6.4 receives any communication from the Information Commissioner or any other Regulatory Body in connection with Personal Data processed under this Agreement;
24.6.5 receives a request from any third Party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or
24.6.6 becomes aware of a Data Loss Event.
24.7 The Data Processor’s obligation to notify under Clause 24.6 will include the provision of further information to the Data Controller in phases, as details become available.
24.8 Taking into account the nature of the processing, the Data Processor will provide the Data Controller with full assistance in relation to either Party's obligations under Data Protection Legislation and any complaint, communication or request made under Clause 24.6 (and insofar as possible within the timescales reasonably required by the Data Controller) including by promptly providing:
24.8.1 the Data Controller with full details and copies of the complaint, communication or request;
24.8.2 such assistance as is reasonably requested by the Data Controller to enable the Data Controller to comply with a Data Subject Access Request within the relevant timescales set out in the Data Protection Legislation;
24.8.3 the Data Controller, at its request, with any Personal Data it holds in relation to a Data Subject;
24.8.4 assistance as requested by the Data Controller following any Data Loss Event;
24.8.5 assistance as requested by the Data Controller with respect to any request from the Information Commissioner’s Office, or any consultation by the Data Controller with the Information Commissioner's Office.
24.9 The Data Processor must maintain complete and accurate records and information to demonstrate its compliance with this clause. This requirement does not apply where the Data Processor employs fewer than 250 staff, unless:
24.9.1 the Data Controller determines that the processing is not occasional;
24.9.2 the Data Controller determines the processing includes special categories of data as referred to in Article 9(1) of the UK GDPR or Personal Data relating to criminal convictions and offences referred to in Article 10 of the UK GDPR; or
24.9.3 the Data Controller determines that the processing is likely to result in a risk to the rights and freedoms of Data Subjects.
24.10 The Data Processor will allow for audits of its Data Processing activity by the Data Controller or the Data Controller’s designated auditor.
24.11 Each Party will designate its own Data Protection Officer if required by the Data Protection Legislation.
24.12 Before allowing any Data Sub-Processor to process any Personal Data related to this Agreement (submission of Learner data), the Data Processor must:
24.12.1 notify the Data Controller’s Agreement Manager in writing of the intended Data Sub-Processor and processing;
24.12.2 obtain the written consent of the Data Controller’s Agreement Manager;
24.12.3 enter into a written agreement with the Data Sub-Processor which give effect to the terms set out in this Clause 24 such that they apply to the Data Sub-Processor; and
24.12.4 provide the Data Controller with such information regarding the Data Sub-Processor as the Data Controller may reasonably require.
24.13 The Data Processor will remain fully liable for all acts or omissions of any of its Data Sub-Processors.
24.14 The Data Controller may, at any time on not less than 30 Working Days’ notice, revise this clause by replacing it with any applicable Data Controller to Data Processor standard clauses or similar terms forming part of an applicable certification scheme (which will apply when incorporated by attachment to this Agreement).
24.15 The Parties agree to take account of any guidance issued by the Information Commissioner’s Office. The Data Controller may on not less than 30 Working Days’ notice to the Data Processor amend this Agreement to ensure that it complies with any guidance issued by the Information Commissioner’s Office.
24.16 Where the Provider is providing the Services to Learners claiming out of work benefits, the Secretary of State for Work and Pensions (or their successor) is the Data Controller in relation to Personal Data which the Provider is required to provide to the Secretary of State for Work and Pensions. This Clause 24 will be enforceable by the Secretary of State for Work and Pensions in relation to any Personal Data processed by the Provider on its behalf.
24.17 Where the Provider is providing the Service to Learners who are subject to active management by the Offender Manager in respect of an order or licence, the Secretary of State for Justice (or their successor) is the Data Controller in relation to Personal Data, which the Provider is required to provide to the Secretary of State for Education.
20.17 24.18 Where the Provider is providing the Services to Learners who are subject to claiming Industrial Injuries Disablement Benefit (IIDB), the Department for Work and Pensions (or their successor) is the Data Controller in relation to Personal Data, which the Provider is required to provide to the Secretary of State for Education. This Clause 20 24 will be enforceable by the Secretary of State for Work and Pensions in relation to any Personal Data processed by the Provider on its behalf.
20.18 24.19 The Data Processor will comply with any further written instructions or additional conditions from the Department’s Data Controller in relation to the data processing.
20.19 24.20 In the circumstances set out in Clause 37.1.7 34.9, the Department may elect to take the role of Data Controller.
Appears in 1 contract
Samples: Accountability Agreement
DATA PROTECTION AND PROTECTION OF PERSONAL DATA. 20.1 16.1 The Parties acknowledge that for the purposes of the Data Protection Legislation, the Department ESFA on behalf of the Secretary of State for Education is the Data Controller and the Provider Contractor is the Data Processor only for the processing set out in Schedule 6 2 (i.e. submission of Learner Apprentice data to the Department ESFA). Any other processing of Personal Data undertaken by the Provider (i.e. Learner Apprentice enrolment or delivering education & training, e.g. e-portfolios) undertaken by the Contractor will be as a Data Controller and not on behalf of the Department ESFA. Clauses 20.2 16.2 to 20.14 16.14 below apply only in relation to the processing of Personal Data on behalf of the Department ESFA as set out in Schedule 6 2, and the only processing that the Data Processor is authorised to do on behalf of the Department ESFA is listed in Schedule 6 2 by the Department ESFA and may not be determined by the Data Processor.
20.2 16.2 The Data Processor must shall notify the Data Controller immediately if it considers that any of the Data Controller's instructions infringe the Data Protection Legislation.
20.3 16.3 The Data Processor must shall provide all reasonable assistance to the Data Controller in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Data Controller, include:
(a) a systematic description of the envisaged processing operations and the purpose of the processing;
(b) an assessment of the necessity and proportionality of the processing operations in relation to the Services;
(c) an assessment of the risks to the rights and freedoms of Data Subjects; and
(d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data.
20.4 16.4 If requested by the Department ESFA’s Agreement Manager nominated contact, the Data Processor must shall, in relation to any Personal Data processed in connection with its obligations under this Agreement Contract:
20.4.1 (a) process that Personal Data only in accordance with Schedule 6 2, unless the Data Processor is required to do otherwise by Law. If it is so required the Data Processor will shall promptly notify the Data Controller before processing the Personal Data unless prohibited by Law;
20.4.2 (b) ensure that it has in place Protective Measures, which are appropriate to protect against a Data Loss Event, which the Data Controller may reasonably reject (but failure to reject will shall not amount to approval by the Data Controller of the adequacy of the Protective Measures), having taken account of the:
(a) (i) nature of the data to be protected;
(b) (ii) harm that might result from a Data Loss Event;
(c) (iii) state of technological development; and
(d) (iv) cost of implementing any measures;
20.4.3 (c) ensure that:
(a) (i) the Data Processor Personnel do not process Personal Data except in accordance with this Agreement Contract (and in particular Schedule 6 2);
(b) (ii) it takes all reasonable steps to ensure the reliability and integrity of any Data Processor Personnel who have access to the Personal Data and ensure that they:
(i) (A) are aware of and comply with the Data Processor’s duties under this clause;
(ii) (B) are subject to appropriate confidentiality undertakings with the Data Processor or any Data Sub-Processor processor;
(iii) (C) are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third Party unless directed in writing to do so by the Data Controller or as otherwise permitted by this Agreement Contract; and
(iv) (D) have undergone adequate training in the use, care, protection and handling of Personal Data; and
20.4.4 (d) not make a Restricted Transfer transfer Personal Data outside of the EU unless the prior written consent of the Data Controller has been obtained and the following conditions are fulfilled:
(a) (i) the Data Controller or the Data Processor has provided appropriate safeguards in relation to the transfer (whether in accordance with Data Protection Legislation GDPR Article 46 or LED Article 37) as determined by the Data Controller;
(b) (ii) the Data Subject has enforceable rights and effective legal remedies;
(c) (iii) the Data Processor complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Data Controller in meeting its obligations); and
(d) (iv) the Data Processor complies with any reasonable instructions notified to it in advance by the Data Controller with respect to the processing of the Personal Data;
20.4.5 (e) at the written direction of the Data Controller, delete or return Personal Data (and any copies of it) to the Data Controller on termination of the Agreement Contract unless the Data Processor is required by Law to retain the Personal Data.
20.5 16.5 Subject to Clause 20.6 16.6, the Data Processor must shall notify the Data Controller immediately if it:
20.5.1 (a) receives a Data Subject Request (or purported Data Subject Request) in relation to the processing of their data under this Agreement Contract only (submission of learner ILR data);
20.5.2 (b) receives a request to rectify, block or erase any Personal Data processed through the submission of learner ILR data. Notification in such cases should be given via the Agreement Manager ILR for changes in-year and via the nominated contact for closed years;
20.5.3 (c) receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation;
20.5.4 (d) receives any communication from the Information Commissioner or any other Regulatory Body regulatory authority in connection with Personal Data processed under this Agreement Contract;
20.5.5 (e) receives a request from any third Party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or
20.5.6 (f) becomes aware of a Data Loss Event.
20.6 16.6 The Data Processor’s obligation to notify under Clause 20.5 will 16.5 shall include the provision of further information to the Data Controller in phases, as details become available.
20.7 16.7 Taking into account the nature of the processing, the Data Processor will shall provide the Data Controller with full assistance in relation to either Party's obligations under Data Protection Legislation and any complaint, communication or request made under Clause 20.5 16.5 (and insofar as possible within the timescales reasonably required by the Data Controller) including by promptly providing:
20.7.1 (a) the Data Controller with full details and copies of the complaint, communication or request;
20.7.2 (b) such assistance as is reasonably requested by the Data Controller to enable the Data Controller to comply with a Data Subject Request within the relevant timescales set out in the Data Protection Legislation;
20.7.3 (c) the Data Controller, at its request, with any Personal Data it holds in relation to a Data Subject;
20.7.4 (d) assistance as requested by the Data Controller following any Data Loss Event;
20.7.5 (e) assistance as requested by the Data Controller with respect to any request from the Information Commissioner’s Office, or any consultation by the Data Controller with the Information Commissioner's Office.
20.8 16.8 The Data Processor must shall maintain complete and accurate records and information to demonstrate its compliance with this clause. This requirement does not apply where the Data Processor employs fewer than 250 staff, unless:
20.8.1 (a) the Data Controller determines that the processing is not occasional;
20.8.2 (b) the Data Controller determines the processing includes special categories of data as referred to in Article 9(1) of the Data Protection Legislation GDPR or Personal Data relating to criminal convictions and offences referred to in Article 10 of the Data Protection Legislation GDPR; or
20.8.3 (c) the Data Controller determines that the processing is likely to result in a risk to the rights and freedoms of Data Subjects.
20.9 16.9 The Data Processor will shall allow for audits of its Data Processing activity by the Data Controller or the Data Controller’s designated auditor.
20.10 16.10 Each Party will shall designate its own data protection officer if required by the Data Protection Legislation.
20.11 16.11 Before allowing any Data Sub-Processor processor to process any Personal Data related to this Agreement (submission Contract (submission of learner ILR data), the Data Processor must:
20.11.1 (a) notify the Data Controller’s Agreement Manager nominated contact in writing of the intended Data Sub-Processor Sub-processor and processing;
20.11.2 (b) obtain the written consent of the Data Controller’s Agreement Manager nominated contact;
20.11.3 (c) enter into a written agreement with the Data Sub-Processor processor which give effect to the terms set out in this Clause 20 16 such that they apply to the Data Sub-Processor Sub-processor; and
20.11.4 (d) provide the Data Controller with such information regarding the Data Sub-Processor processor as the Data Controller may reasonably require.
20.12 16.12 The Data Processor will shall remain fully liable for all acts or omissions of any of its Data Sub-Processors processors.
20.13 16.13 The Data Controller may, at any time on not less than 30 Working Days’ notice, revise this clause by replacing it with any applicable Data Controller controller to Data Processor processor standard clauses or similar terms forming part of an applicable certification scheme (which will shall apply when incorporated by attachment to this Agreement Contract).
20.14 16.14 The Parties agree to take account of any guidance issued by the Information Commissioner’s Office. The Data Controller may on not less than 30 Working Days’ notice to the Data Processor amend this Agreement Contract to ensure that it complies with any guidance issued by the Information Commissioner’s Office.
20.15 Where the Provider is providing the Services to Learners claiming out of work benefits, the Secretary of State for Work and Pensions (or their successor) is the Data Controller in relation to Personal Data which the Provider is required to provide to the Secretary of State for Work and Pensions. This Clause 20 will be enforceable by the Secretary of State for Work and Pensions in relation to any Personal Data processed by the Provider on its behalf.
20.16 Where the Provider is providing the Service to Learners who are subject to active management by the Offender Manager in respect of an order or licence, the Secretary of State for Justice (or their successor) is the Data Controller in relation to Personal Data, which the Provider is required to provide to the Secretary of State for Education.
20.17 Where the Provider is providing the Services to Learners who are subject to claiming Industrial Injuries Disablement Benefit (IIDB), the Department for Work and Pensions (or their successor) is the Data Controller in relation to Personal Data, which the Provider is required to provide to the Secretary of State for Education. This Clause 20 will be enforceable by the Secretary of State for Work and Pensions in relation to any Personal Data processed by the Provider on its behalf.
20.18 The Data Processor will comply with any further written instructions or additional conditions from the Department’s Data Controller in relation to the data processing.
20.19 In the circumstances set out in Clause 37.1.7, the Department may elect to take the role of Data Controller.
Appears in 1 contract
Samples: Contract for Services
DATA PROTECTION AND PROTECTION OF PERSONAL DATA. 20.1 23.1 The Parties acknowledge that for the purposes of the Data Protection Legislation, the Department on behalf of the Secretary of State for Education is the Data Controller and the Provider College is the Data Processor only for the processing set out in Schedule 6 4 (UK GDPR/Data Protection) (i.e. submission of Learner data to the Department). Any other processing of Personal Data undertaken by the Provider College (i.e. Learner enrolment or delivering education & training, e.g. e-portfolios) will be as a Data Controller and not on behalf of the Department. Clauses 20.2 23.2 to 20.14 23.14 below apply only in relation to the processing of Personal Data on behalf of the Department as set out in Schedule 6 4 (UK GDPR/Data Protection), and the only processing that the Data Processor is authorised to do on behalf of the Department is listed in Schedule 6 4 (UK GDPR/Data Protection) by the Department and may not be determined by the Data Processor.
20.2 23.2 The Data Processor must notify the Data Controller immediately if it considers that any of the Data Controller's instructions infringe the Data Protection Legislation.
20.3 23.3 The Data Processor must provide all reasonable assistance to the Data Controller in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Data Controller, include:
(a) 23.3.1 a systematic description of the envisaged processing operations and the purpose of the processing;
(b) 23.3.2 an assessment of the necessity and proportionality of the processing operations in relation to the Services;
(c) 23.3.3 an assessment of the risks to the rights and freedoms of Data Subjects; and
(d) 23.3.4 the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data.
20.4 23.4 If requested by the Department’s Agreement Manager, the Data Processor must, in relation to any Personal Data processed in connection with its obligations under this Agreement:
20.4.1 23.4.1 process that Personal Data only in accordance with Schedule 6 4 (UK GDPR/Data Protection), unless the Data Processor is required to do otherwise by Law. If it is so required the Data Processor will promptly notify the Data Controller before processing the Personal Data unless prohibited by Law;
20.4.2 23.4.2 ensure that it has in place Protective Measures, which are appropriate to protect against a Data Loss Event, which the Data Controller may reasonably reject (but failure to reject will not amount to approval by the Data Controller of the adequacy of the Protective Measures), having taken account of the:
(a) nature of the data to be protected;
(b) harm that might result from a Data Loss Event;
(c) state of technological development; and
(d) cost of implementing any measures;
20.4.3 23.4.3 ensure that:
(a) the Data Processor Personnel do not process Personal Data except in accordance with this Agreement (and in particular Schedule 6 4 (UK GDPR/Data Protection));
(b) it takes all reasonable steps to ensure the reliability and integrity of any Data Processor Personnel who have access to the Personal Data and ensure that they:
(i) are aware of and comply with the Data Processor’s duties under this clause;
(ii) are subject to appropriate confidentiality undertakings with the Data Processor or any Data Sub-Processor;
(iii) are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third Party unless directed in writing to do so by the Data Controller or as otherwise permitted by this Agreement; and
(iv) have undergone adequate training in the use, care, protection and handling of Personal Data; and
20.4.4 23.4.4 not make a Restricted Transfer unless the prior written consent of the Data Controller has been obtained and the following conditions are fulfilled:
(a) the Data Controller or the Data Processor has provided appropriate safeguards in relation to the transfer (whether in accordance with Data Protection Legislation) as determined by the Data Controller;
(b) the Data Subject has enforceable rights and effective legal remedies;
(c) the Data Processor complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Data Controller in meeting its obligations); and
(d) the Data Processor complies with any reasonable instructions notified to it in advance by the Data Controller with respect to the processing of the Personal Data;
20.4.5 23.4.5 at the written direction of the Data Controller, delete or return Personal Data (and any copies of it) to the Data Controller on termination of the Agreement unless the Data Processor is required by Law to retain the Personal Data.
20.5 23.5 Subject to Clause 20.6 23.6, the Data Processor must notify the Data Controller immediately if it:
20.5.1 23.5.1 receives a Data Subject Access Request (or purported Data Subject Access Request) in relation to processing their data under this Agreement only (submission of learner Learner data);
20.5.2 23.5.2 receives a request to rectify, block or erase any Personal Data processed through the submission of learner Learner data. Notification in such cases should be given via the Agreement Manager;
20.5.3 23.5.3 receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation;
20.5.4 23.5.4 receives any communication from the Information Commissioner or any other Regulatory Body in connection with Personal Data processed under this Agreement;
20.5.5 23.5.5 receives a request from any third Party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or
20.5.6 23.5.6 becomes aware of a Data Loss Event.
20.6 23.6 The Data Processor’s obligation to notify under Clause 20.5 23.5 will include the provision of further information to the Data Controller in phases, as details become available.
20.7 23.7 Taking into account the nature of the processing, the Data Processor will provide the Data Controller with full assistance in relation to either Party's obligations under Data Protection Legislation and any complaint, communication or request made under Clause 20.5 23.5 (and insofar as possible within the timescales reasonably required by the Data Controller) including by promptly providing:
20.7.1 23.7.1 the Data Controller with full details and copies of the complaint, communication or request;
20.7.2 23.7.2 such assistance as is reasonably requested by the Data Controller to enable the Data Controller to comply with a Data Subject Access Request within the relevant timescales set out in the Data Protection Legislation;
20.7.3 23.7.3 the Data Controller, at its request, with any Personal Data it holds in relation to a Data Subject;
20.7.4 23.7.4 assistance as requested by the Data Controller following any Data Loss Event;
20.7.5 23.7.5 assistance as requested by the Data Controller with respect to any request from the Information Commissioner’s Office, or any consultation by the Data Controller with the Information Commissioner's Office.
20.8 23.8 The Data Processor must maintain complete and accurate records and information to demonstrate its compliance with this clause. This requirement does not apply where the Data Processor employs fewer than 250 staff, unless:
20.8.1 23.8.1 the Data Controller determines that the processing is not occasional;
20.8.2 23.8.2 the Data Controller determines the processing includes special categories of data as referred to in the Data Protection Legislation or Personal Data relating to criminal convictions Convictions and offences referred to in the Data Protection Legislation; or
20.8.3 23.8.3 the Data Controller determines that the processing is likely to result in a risk to the rights and freedoms of Data Subjects.
20.9 23.9 The Data Processor will allow for audits of its Data Processing activity by the Data Controller or the Data Controller’s designated auditor.
20.10 23.10 Each Party will designate its own data protection officer Data Protection Officer if required by the Data Protection Legislation.
20.11 23.11 Before allowing any Data Sub-Processor to process any Personal Data related to this Agreement (submission of learner Learner data), the Data Processor must:
20.11.1 23.11.1 notify the Data Controller’s Agreement Manager in writing of the intended Data Sub-Processor and processing;
20.11.2 23.11.2 obtain the written consent of the Data Controller’s Agreement Manager;
20.11.3 23.11.3 enter into a written agreement with the Data Sub-Processor which give effect to the terms set out in this Clause 20 23 such that they apply to the Data Sub-Processor; and
20.11.4 23.11.4 provide the Data Controller with such information regarding the Data Sub-Processor as the Data Controller may reasonably require.
20.12 23.12 The Data Processor will remain fully liable for all acts or omissions of any of its Data Sub-Processors.
20.13 23.13 The Data Controller may, at any time on not less than 30 Working Days’ notice, revise this clause by replacing it with any applicable Data Controller to Data Processor standard clauses or similar terms forming part of an applicable certification scheme (which will apply when incorporated by attachment to this Agreement).
20.14 23.14 The Parties agree to take account of any guidance issued by the Information Commissioner’s Office. The Data Controller may on not less than 30 Working Days’ notice to the Data Processor amend this Agreement to ensure that it complies with any guidance issued by the Information Commissioner’s Office.
20.15 23.15 Where the Provider College is providing the Services to Learners claiming out of work benefits, the Secretary of State for Work and Pensions (or their successor) is the Data Controller in relation to Personal Data which the Provider College is required to provide to the Secretary of State for Work and Pensions. This Clause 20 23 will be enforceable by the Secretary of State for Work and Pensions in relation to any Personal Data processed by the Provider College on its behalf.
20.16 23.16 Where the Provider College is providing the Service to Learners who are subject to active management by the Offender Manager in respect of an order or licence, the Secretary of State for Justice (or their successor) is the Data Controller in relation to Personal Data, which the Provider College is required to provide to the Secretary of State for Education.
20.17 23.17 Where the Provider College is providing the Services to Learners who are subject to claiming Industrial Injuries Disablement Benefit (IIDB), the Department for Work and Pensions (or their successor) is the Data Controller in relation to Personal Data, which the Provider College is required to provide to the Secretary of State for Education. This Clause 20 23 will be enforceable by the Secretary of State for Work and Pensions in relation to any Personal Data processed by the Provider College on its behalf.
20.18 23.18 The Data Processor will comply with any further written instructions or additional conditions from the Department’s Data Controller in relation to the data processing.
20.19 23.19 In the circumstances set out in Clause 37.1.7 33.1.7, the Department may elect to take the role of Data Controller.
Appears in 1 contract
Samples: Accountability Agreement
DATA PROTECTION AND PROTECTION OF PERSONAL DATA. 20.1 The Parties acknowledge that for the purposes of the Data Protection Legislation Laws, the Department on behalf of the Secretary of State for Education is the Data Controller and the Provider College is the Data Processor only for the processing set out in Schedule 6 (i.e. submission of Learner data to the Department). Any other processing of Personal Data undertaken by the Provider College (i.e. Learner enrolment or delivering education & training, e.g. e-portfolios) will be as a Data Controller and not on behalf of the Department. Clauses 20.2 to 20.14 below apply only in relation to the processing of Personal Data on behalf of the Department as set out in Schedule 6, and the only processing that the Data Processor is authorised to do on behalf of the Department is listed in Schedule 6 by the Department and may not be determined by the Data Processor.
20.2 The Data Processor must notify the Data Controller immediately if it considers that any of the Data Controller's instructions infringe the Data Protection Legislation Laws.
20.3 The Data Processor must provide all reasonable assistance to the Data Controller in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Data Controller, include:
(a) 20.3.1 a systematic description of the envisaged processing operations and the purpose of the processing;
(b) 20.3.2 an assessment of the necessity and proportionality of the processing operations in relation to the Services;
(c) 20.3.3 an assessment of the risks to the rights and freedoms of Data Subjects; and
(d) 20.3.4 the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data.
20.4 If requested by the Department’s Agreement Manager, the Data Processor must, in relation to any Personal Data processed in connection with its obligations under this Agreement:
20.4.1 process that Personal Data only in accordance with Schedule 6, unless the Data Processor is required to do otherwise by Law. If it is so required the Data Processor will promptly notify the Data Controller before processing the Personal Data unless prohibited by Law;
20.4.2 ensure that it has in place Protective Measures, which are appropriate to protect against a Data Loss Event, which the Data Controller may reasonably reject (but failure to reject will not amount to approval by the Data Controller of the adequacy of the Protective Measures), having taken account of the:
(a) nature of the data to be protected;
(b) harm that might result from a Data Loss Event;
(c) state of technological development; and
(d) cost of implementing any measures;
20.4.3 ensure that:
(a) the Data Processor Personnel do not process Personal Data except in accordance with this Agreement (and in particular Schedule 6);
(b) it takes all reasonable steps to ensure the reliability and integrity of any Data Processor Personnel who have access to the Personal Data and ensure that they:
(i) are aware of and comply with the Data Processor’s duties under this clause;
(ii) are subject to appropriate confidentiality undertakings with the Data Processor or any Data Sub-Processor Sub-processor;
(iii) are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third Party unless directed in writing to do so by the Data Controller or as otherwise permitted by this Agreement; and
(iv) have undergone adequate training in the use, care, protection and handling of Personal Data; and
20.4.4 not make a Restricted Transfer transfer Personal Data outside of the EU unless the prior written consent of the Data Controller has been obtained and the following conditions are fulfilled:
(a) the Data Controller or the Data Processor has provided appropriate safeguards in relation to the transfer (whether in accordance with Data Protection Legislation UK GDPR Article 46 or LED Article 37) as determined by the Data Controller;
(b) the Data Subject has enforceable rights and effective legal remedies;
(c) the Data Processor complies with its obligations under the Data Protection Legislation Laws by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Data Controller in meeting its obligations); and
(d) the Data Processor complies with any reasonable instructions notified to it in advance by the Data Controller with respect to the processing of the Personal Data;
20.4.5 at the written direction of the Data Controller, delete or return Personal Data (and any copies of it) to the Data Controller on termination of the Agreement unless the Data Processor is required by Law to retain the Personal Data.
20.5 Subject to Clause 20.6, the Data Processor must notify the Data Controller immediately if it:
20.5.1 receives a Data Subject Request (or purported Data Subject Request) in relation to processing their data under this Agreement only (submission of learner data);
20.5.2 receives a request to rectify, block or erase any Personal Data processed through the submission of learner data. Notification in such cases should be given via the Agreement Manager;
20.5.3 receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation Laws;
20.5.4 receives any communication from the Information Commissioner or any other Regulatory Body in connection with Personal Data processed under this Agreement;
20.5.5 receives a request from any third Party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or
20.5.6 becomes aware of a Data Loss Event.
20.6 The Data Processor’s obligation to notify under Clause 20.5 will include the provision of further information to the Data Controller in phases, as details become available.
20.7 Taking into account the nature of the processing, the Data Processor will provide the Data Controller with full assistance in relation to either Party's obligations under Data Protection Legislation Laws and any complaint, communication or request made under Clause 20.5 (and insofar as possible within the timescales reasonably required by the Data Controller) including by promptly providing:
20.7.1 the Data Controller with full details and copies of the complaint, communication or request;
20.7.2 such assistance as is reasonably requested by the Data Controller to enable the Data Controller to comply with a Data Subject Request within the relevant timescales set out in the Data Protection LegislationLaws;
20.7.3 the Data Controller, at its request, with any Personal Data it holds in relation to a Data Subject;
20.7.4 assistance as requested by the Data Controller following any Data Loss Event;
20.7.5 assistance as requested by the Data Controller with respect to any request from the Information Commissioner’s Office, or any consultation by the Data Controller with the Information Commissioner's Office.
20.8 The Data Processor must maintain complete and accurate records and information to demonstrate its compliance with this clause. This requirement does not apply where the Data Processor employs fewer than 250 staff, unless:
20.8.1 the Data Controller determines that the processing is not occasional;
20.8.2 the Data Controller determines the processing includes special categories of data as referred to in Article 9(1) of the Data Protection Legislation UK GDPR or Personal Data relating to criminal convictions and offences referred to in Article 10 of the Data Protection LegislationUK GDPR; or
20.8.3 the Data Controller determines that the processing is likely to result in a risk to the rights and freedoms of Data Subjects.
20.9 The Data Processor will allow for audits of its Data Processing activity by the Data Controller or the Data Controller’s designated auditor.
20.10 Each Party will designate its own data protection officer if required by the Data Protection LegislationLaws.
20.11 Before allowing any Data Sub-Processor processor to process any Personal Data related to this Agreement (submission of learner data), the Data Processor must:
20.11.1 notify the Data Controller’s Agreement Manager in writing of the intended Data Sub-Processor processor and processing;
20.11.2 obtain the written consent of the Data Controller’s Agreement Manager;
20.11.3 enter into a written agreement with the Data Sub-Processor processor which give effect to the terms set out in this Clause 20 such that they apply to the Data Sub-Processorprocessor; and
20.11.4 provide the Data Controller with such information regarding the Data Sub-Processor Sub- processor as the Data Controller may reasonably require.
20.12 The Data Processor will remain fully liable for all acts or omissions of any of its Data Sub-Processorsprocessors.
20.13 The Data Controller may, at any time on not less than 30 Working Days’ notice, revise this clause by replacing it with any applicable Data Controller controller to Data Processor processor standard clauses or similar terms forming part of an applicable certification scheme (which will apply when incorporated by attachment to this Agreement).
20.14 The Parties agree to take account of any guidance issued by the Information Commissioner’s Office. The Data Controller may on not less than 30 Working Days’ notice to the Data Processor amend this Agreement to ensure that it complies with any guidance issued by the Information Commissioner’s Office.
20.15 Where the Provider College is providing the Services to Learners claiming out of work benefits, the Secretary of State for Work and Pensions (or their successor) is the Data Controller in relation to Personal Data which the Provider College is required to provide to the Secretary of State for Work and Pensions. This Clause 20 will be enforceable by the Secretary of State for Work and Pensions in relation to any Personal Data processed by the Provider College on its behalf.
20.16 Where the Provider College is providing the Service to Learners who are subject to active management by the Offender Manager in respect of an order or licence, the Secretary of State for Justice (or their successor) is the Data Controller in relation to Personal Data, which the Provider College is required to provide to the Secretary of State for Education.
20.17 Where the Provider College is providing the Services to Learners who are subject to claiming Industrial Injuries Disablement Benefit (IIDB), the Department for Work and Pensions (or their successor) is the Data Controller in relation to Personal Data, which the Provider College is required to provide to the Secretary of State for Education. This Clause 20 will be enforceable by the Secretary of State for Work and Pensions in relation to any Personal Data processed by the Provider College on its behalf.
20.18 The Data Processor will comply with any further written instructions or additional conditions from the Department’s Data Controller in relation to the data processing.
20.19 In the circumstances set out in Clause 37.1.7, the Department may elect to take the role of Data Controller.
Samples: Conditions of Funding (Grant)
DATA PROTECTION AND PROTECTION OF PERSONAL DATA. 20.1 17.1. The Parties acknowledge that for the purposes of the Data Protection Legislation, the Department ESFA on behalf of the Secretary of State for Education is the Data Controller and the Provider Contractor is the Data Processor only for the processing set out in Schedule 6 2 (i.e. submission of Learner data to the DepartmentESFA). Any other processing of Personal Data undertaken by the Provider (i.e. Learner enrolment or delivering education & training, e.g. training i.e. e-portfolios) undertaken by the Contractor will be as a Data Controller and not on behalf of the DepartmentESFA. Clauses 20.2 17.2 to 20.14 17.14 below apply only in relation to the processing of Personal Data on behalf of the Department ESFA as set out in Schedule 62, and the only processing that the Data Processor is authorised to do on behalf of the Department ESFA is listed in Schedule 6 2 by the Department ESFA and may not be determined by the Data Processor.
20.2 17.2. The Data Processor must shall notify the Data Controller immediately if it considers that any of the Data Controller's instructions infringe the Data Protection Legislation.
20.3 17.3. The Data Processor must shall provide all reasonable assistance to the Data Controller in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Data Controller, include:
(a) a systematic description of the envisaged processing operations and the purpose of the processing;
(b) an assessment of the necessity and proportionality of the processing operations in relation to the Services;
(c) an assessment of the risks to the rights and freedoms of Data Subjects; and
(d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data.
20.4 17.4. If requested by the DepartmentESFA’s Agreement Managernominated contact, the Data Processor mustshall, in relation to any Personal Data processed in connection with its obligations under this AgreementContract:
20.4.1 (a) process that Personal Data only in accordance with Schedule 62, unless the Data Processor is required to do otherwise by Law. If it is so required the Data Processor will shall promptly notify the Data Controller before processing the Personal Data unless prohibited by Law;
20.4.2 (b) ensure that it has in place Protective Measures, which are appropriate to protect against a Data Loss Event, which the Data Controller may reasonably reject (but failure to reject will shall not amount to approval by the Data Controller of the adequacy of the Protective Measures), having taken account of the:
(ai) nature of the data to be protected;
(bii) harm that might result from a Data Loss Event;
(ciii) state of technological development; and
(div) cost of implementing any measures;
20.4.3 (c) ensure that:
(ai) the Data Processor Personnel do not process Personal Data except in accordance with this Agreement Contract (and in particular Schedule 62);
(bii) it takes all reasonable steps to ensure the reliability and integrity of any Data Processor Personnel who have access to the Personal Data and ensure that they:
(iA) are aware of and comply with the Data Processor’s duties under this clause;
(iiB) are subject to appropriate confidentiality undertakings with the Data Processor or any Data Sub-Processorprocessor;
(iiiC) are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third Party unless directed in writing to do so by the Data Controller or as otherwise permitted by this AgreementContract; and
(ivD) have undergone adequate training in the use, care, protection and handling of Personal Data; and
20.4.4 (d) not make a Restricted Transfer transfer Personal Data outside of the EU unless the prior written consent of the Data Controller has been obtained and the following conditions are fulfilled:
(ai) the Data Controller or the Data Processor has provided appropriate safeguards in relation to the transfer (whether in accordance with Data Protection LegislationGDPR Article 46 or LED Article 37) as determined by the Data Controller;
(bii) the Data Subject has enforceable rights and effective legal remedies;
(ciii) the Data Processor complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Data Controller in meeting its obligations); and
(div) the Data Processor complies with any reasonable instructions notified to it in advance by the Data Controller with respect to the processing of the Personal Data;
20.4.5 (e) at the written direction of the Data Controller, delete or return Personal Data (and any copies of it) to the Data Controller on termination of the Agreement Contract unless the Data Processor is required by Law to retain the Personal Data.
20.5 17.5. Subject to Clause 20.617.6, the Data Processor must shall notify the Data Controller immediately if it:
20.5.1 (a) receives a Data Subject Request (or purported Data Subject Request) in relation to the processing of their data under this Agreement Contract only (submission of learner ILR data);
20.5.2 (b) receives a request to rectify, block or erase any Personal Data processed through the submission of learner ILR data. Notification in such cases should be given via the Agreement ManagerILR for changes in-year and via the nominated contact for closed years;
20.5.3 (c) receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation;
20.5.4 (d) receives any communication from the Information Commissioner or any other Regulatory Body regulatory authority in connection with Personal Data processed under this AgreementContract;
20.5.5 (e) receives a request from any third Party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or
20.5.6 (f) becomes aware of a Data Loss Event.
20.6 17.6. The Data Processor’s obligation to notify under Clause 20.5 will 17.5 shall include the provision of further information to the Data Controller in phases, as details become available.
20.7 17.7. Taking into account the nature of the processing, the Data Processor will shall provide the Data Controller with full assistance in relation to either Party's obligations under Data Protection Legislation and any complaint, communication or request made under Clause 20.5 17.5 (and insofar as possible within the timescales reasonably required by the Data Controller) including by promptly providing:
20.7.1 (a) the Data Controller with full details and copies of the complaint, communication or request;
20.7.2 (b) such assistance as is reasonably requested by the Data Controller to enable the Data Controller to comply with a Data Subject Request within the relevant timescales set out in the Data Protection Legislation;
20.7.3 (c) the Data Controller, at its request, with any Personal Data it holds in relation to a Data Subject;
20.7.4 (d) assistance as requested by the Data Controller following any Data Loss Event;
20.7.5 (e) assistance as requested by the Data Controller with respect to any request from the Information Commissioner’s Office, or any consultation by the Data Controller with the Information Commissioner's Office.
20.8 17.8. The Data Processor must shall maintain complete and accurate records and information to demonstrate its compliance with this clause. This requirement does not apply where the Data Processor employs fewer than 250 staff, unless:
20.8.1 (a) the Data Controller determines that the processing is not occasional;
20.8.2 (b) the Data Controller determines the processing includes special categories of data as referred to in Article 9(1) of the Data Protection Legislation GDPR or Personal Data relating to criminal convictions and offences referred to in Article 10 of the Data Protection LegislationGDPR; or
20.8.3 (c) the Data Controller determines that the processing is likely to result in a risk to the rights and freedoms of Data Subjects.
20.9 17.9. The Data Processor will shall allow for audits of its Data Processing activity by the Data Controller or the Data Controller’s designated auditor.
20.10 17.10. Each Party will shall designate its own data protection officer if required by the Data Protection Legislation.
20.11 17.11. Before allowing any Data Sub-Processor processor to process any Personal Data related to this Agreement Contract (submission of learner ILR data), the Data Processor must:
20.11.1 (a) notify the Data Controller’s Agreement Manager nominated contact in writing of the intended Data Sub-Processor Sub- processor and processing;
20.11.2 (b) obtain the written consent of the Data Controller’s Agreement Managernominated contact;
20.11.3 (c) enter into a written agreement with the Data Sub-Processor processor which give effect to the terms set out in this Clause 20 17 such that they apply to the Data Sub-ProcessorSub- processor; and
20.11.4 (d) provide the Data Controller with such information regarding the Data Sub-Processor processor as the Data Controller may reasonably require.
20.12 17.12. The Data Processor will shall remain fully liable for all acts or omissions of any of its Data Sub-ProcessorsSub- processors.
20.13 17.13. The Data Controller may, at any time on not less than 30 Working Days’ notice, revise this clause by replacing it with any applicable Data Controller controller to Data Processor processor standard clauses or similar terms forming part of an applicable certification scheme (which will shall apply when incorporated by attachment to this AgreementContract).
20.14 17.14. The Parties agree to take account of any guidance issued by the Information Commissioner’s Office. The Data Controller may on not less than 30 Working Days’ notice to the Data Processor amend this Agreement Contract to ensure that it complies with any guidance issued by the Information Commissioner’s Office.
20.15 . Where the Provider Contractor is providing the Services to Learners claiming out of work benefits, the Secretary of State for Work and Pensions (or their successor) is the Data Controller in relation to Personal Data which the Provider Contractor is required to provide to the Secretary of State for Work and Pensions. This Clause 20 17 will be enforceable by the Secretary of State for Work and Pensions in relation to any Personal Data processed by the Provider Contractor on its their behalf.
20.16 17.15. Where the Provider Contractor is providing the Service to Learners who are subject to active management by the Offender Manager in respect of an order or licence, the Secretary of State for Justice (or their successor) is the Data Controller in relation to Personal Data, Data which the Provider Contractor is required to provide to the Secretary of State for EducationJustice.
20.17 Where the Provider is providing the Services to Learners who are subject to claiming Industrial Injuries Disablement Benefit (IIDB), the Department for Work and Pensions (or their successor) is the Data Controller in relation to Personal Data, which the Provider is required to provide to the Secretary of State for Education. This Clause 20 will be enforceable by the Secretary of State for Work and Pensions in relation to any Personal Data processed by the Provider on its behalf.
20.18 The Data Processor will comply with any further written instructions or additional conditions from the Department’s Data Controller in relation to the data processing.
20.19 In the circumstances set out in Clause 37.1.7, the Department may elect to take the role of Data Controller.
Samples: Contract for Services
DATA PROTECTION AND PROTECTION OF PERSONAL DATA. 20.1 17.1 The Parties acknowledge that for the purposes of the Data Protection Legislation, the Department ESFA on behalf of the Secretary of State for Education is the Data Controller and the Provider Contractor is the Data Processor only for the processing set out in Schedule 6 2 (i.e. submission of Learner Apprentice data to the DepartmentESFA). Any other processing of Personal Data undertaken by the Provider (i.e. Learner Apprentice enrolment or delivering education & training, e.g. e-portfolios) undertaken by the Contractor will be as a Data Controller data controller and not on behalf of the DepartmentESFA. Clauses 20.2 17.2 to 20.14 17.14 below apply only in relation to the processing of Personal Data on behalf of the Department ESFA as set out in Schedule 62, and the only processing that the Data Processor is authorised to do on behalf of the Department ESFA is listed in Schedule 6 2 by the Department ESFA and may not be determined by the Data Processor.
20.2 17.2 The Data Processor must shall notify the Data Controller immediately if it considers that any of the Data Controller's instructions infringe the Data Protection Legislation.
20.3 17.3 The Data Processor must shall provide all reasonable assistance to the Data Controller in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Data Controller, include:
(a) a systematic description of the envisaged processing operations and the purpose of the processing;
(b) an assessment of the necessity and proportionality of the processing operations in relation to the Services;
(c) an assessment of the risks to the rights and freedoms of Data Subjects; and
(d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data.
20.4 17.4 If requested by the DepartmentESFA’s Agreement Managernominated contact, the Data Processor mustshall, in relation to any Personal Data processed in connection with its obligations under this AgreementContract:
20.4.1 (a) process that Personal Data only in accordance with Schedule 62, unless the Data Processor is required to do otherwise by Law. If it is so required the Data Processor will shall promptly notify the Data Controller before processing the Personal Data unless prohibited by Law;
20.4.2 (b) ensure that it has in place Protective Measures, which are appropriate to protect against a Data Loss Event, which the Data Controller may reasonably reject (but failure to reject will shall not amount to approval by the Data Controller of the adequacy of the Protective Measures), having taken account of the:
(ai) nature of the data to be protected;
(bii) harm that might result from a Data Loss Event;
(ciii) state of technological development; and
(div) cost of implementing any measures;
20.4.3 (c) ensure that:
(ai) the Data Processor Personnel do not process Personal Data except in accordance with this Agreement Contract (and in particular Schedule 62);
(bii) it takes all reasonable steps to ensure the reliability and integrity of any Data Processor Personnel who have access to the Personal Data and ensure that they:
(iA) are aware of and comply with the Data Processor’s duties under this clause;
(iiB) are subject to appropriate confidentiality undertakings with the Data Processor or any Data Sub-Processorprocessor;
(iiiC) are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third Party unless directed in writing to do so by the Data Controller or as otherwise permitted by this AgreementContract; and
(ivD) have undergone adequate training in the use, care, protection and handling of Personal Data; and
20.4.4 (d) not make a Restricted Transfer transfer Personal Data outside of the EU unless the prior written consent of the Data Controller has been obtained and the following conditions are fulfilled:
(ai) the Data Controller or the Data Processor has provided appropriate safeguards in relation to the transfer (whether in accordance with Data Protection LegislationGDPR Article 46 or LED Article 37) as determined by the Data Controller;
(bii) the Data Subject has enforceable rights and effective legal remedies;
(ciii) the Data Processor complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Data Controller in meeting its obligations); and
(div) the Data Processor complies with any reasonable instructions notified to it in advance by the Data Controller with respect to the processing of the Personal Data;
20.4.5 (e) at the written direction of the Data Controller, delete or return Personal Data (and any copies of it) to the Data Controller on termination of the Agreement Contract unless the Data Processor is required by Law to retain the Personal Data.
20.5 17.5 Subject to Clause 20.617.6, the Data Processor must shall notify the Data Controller immediately if it:
20.5.1 (a) receives a Data Subject Request (or purported Data Subject Request) in relation to the processing of their data under this Agreement Contract only (submission of learner ILR data);
20.5.2 (b) receives a request to rectify, block or erase any Personal Data processed through the submission of learner ILR data. Notification in such cases should be given via the Agreement Managernominated contact;
20.5.3 (c) receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation;
20.5.4 (d) receives any communication from the Information Commissioner or any other Regulatory Body regulatory authority in connection with Personal Data processed under this AgreementContract;
20.5.5 (e) receives a request from any third Party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or
20.5.6 (f) becomes aware of a Data Loss Event.
20.6 17.6 The Data Processor’s obligation to notify under Clause 20.5 will 17.5 shall include the provision of further information to the Data Controller in phases, as details become available.
20.7 17.7 Taking into account the nature of the processing, the Data Processor will shall provide the Data Controller with full assistance in relation to either Party's obligations under Data Protection Legislation and any complaint, communication or request made under Clause 20.5 (17.5, and insofar as possible within the timescales reasonably required by the Data Controller) including by promptly providing:
20.7.1 (a) the Data Controller with full details and copies of the complaint, communication or request;
20.7.2 (b) such assistance as is reasonably requested by the Data Controller to enable the Data Controller to comply with a Data Subject Request within the relevant timescales set out in the Data Protection Legislation;
20.7.3 (c) the Data Controller, at its request, with any Personal Data it holds in relation to a Data Subject;
20.7.4 (d) assistance as requested by the Data Controller following any Data Loss Event;
20.7.5 (e) assistance as requested by the Data Controller with respect to any request from the Information Commissioner’s Office, or any consultation by the Data Controller with the Information Commissioner's Office.
20.8 17.8 The Data Processor must shall maintain complete and accurate records and information to demonstrate its compliance with this clause. This requirement does not apply where the Data Processor employs fewer than 250 staff, unless:
20.8.1 (a) the Data Controller determines that the processing is not occasional;
20.8.2 (b) the Data Controller determines the processing includes special categories of data as referred to in Article 9(1) of the Data Protection Legislation GDPR or Personal Data relating to criminal convictions and offences referred to in Article 10 of the Data Protection LegislationGDPR; or
20.8.3 (c) the Data Controller determines that the processing is likely to result in a risk to the rights and freedoms of Data Subjects.
20.9 17.9 The Data Processor will shall allow for audits of its Data Processing activity by the Data Controller or the Data Controller’s designated auditor.
20.10 17.10 Each Party will shall designate its own data protection officer if required by the Data Protection Legislation.
20.11 17.11 Before allowing any Data Sub-Processor processor to process any Personal Data related to this Agreement Contract (submission of learner ILR data), the Data Processor must:
20.11.1 (a) notify the Data Controller’s Agreement Manager nominated contact in writing of the intended Data Sub-Processor Sub- processor and processing;
20.11.2 (b) obtain the written consent of the Data Controller’s Agreement Managernominated contact;
20.11.3 (c) enter into a written agreement with the Data Sub-Processor processor which give effect to the terms set out in this Clause 20 17 such that they apply to the Data Sub-ProcessorSub- processor; and
20.11.4 (d) provide the Data Controller with such information regarding the Data Sub-Processor processor as the Data Controller may reasonably require.
20.12 17.12 The Data Processor will shall remain fully liable for all acts or omissions of any of its Data Sub-ProcessorsSub- processors.
20.13 17.13 The Data Controller may, at any time on not less than 30 Working Days’ notice, revise this clause by replacing it with any applicable Data Controller controller to Data Processor processor standard clauses or similar terms forming part of an applicable certification scheme (which will shall apply when incorporated by attachment to this AgreementContract).
20.14 17.14 The Parties agree to take account of any guidance issued by the Information Commissioner’s Office. The Data Controller may on not less than 30 Working Days’ notice to the Data Processor amend this Agreement Contract to ensure that it complies with any guidance issued by the Information Commissioner’s Office.
20.15 17.15 Where the Provider Contractor is providing the Services to Learners claiming out of work benefits, the Secretary of State for Work and Pensions (or their successor) is the Data Controller in relation to Personal Data which the Provider is required to provide to the Secretary of State for Work and Pensions. This Clause 20 will be enforceable by the Secretary of State for Work and Pensions in relation to any Personal Data processed by the Provider on its behalf.
20.16 Where the Provider is providing the Service to Learners who are subject to active management by the Offender Manager in respect of an order or licence, the Secretary of State for Justice (or their successor) is the Data Controller in relation to Personal Data, which the Provider is required to provide to the Secretary of State for Education.
20.17 Where the Provider is providing the Services to Learners Apprentices who are subject to claiming Industrial Injuries Disablement Benefit (IIDB), the Department for Work and Pensions (or their successor) is the Data Controller data controller in relation to Personal Data, which the Provider Contractor is required to provide to the Secretary of State for Education. This Clause 20 17 will be enforceable by the Secretary of State for Work and Pensions in relation to any Personal Data processed by the Provider Contractor on its behalf.
20.18 17.16 The Data Processor will comply with any further written instructions or additional conditions from the DepartmentESFA’s Data Controller in relation to the data processing.
20.19 In the circumstances set out in Clause 37.1.7, the Department may elect to take the role of Data Controller.
Samples: Hei Adult Contract for Services
DATA PROTECTION AND PROTECTION OF PERSONAL DATA. 20.1 17.1 The Parties acknowledge that for the purposes of the Data Protection Legislation, the Department on behalf of the Secretary of State for Education is the Data Controller and the Provider Contractor is the Data Processor only for the processing set out in Schedule 6 2 (Processing, Personal Data and Data Subjects) (i.e. submission of Learner Apprentice data to the Department). Any other processing of Personal Data undertaken by the Provider (i.e. Learner Apprentice enrolment or delivering education & training, e.g. e-portfolios) undertaken by the Contractor will be as a Data Controller and not on behalf of the Department. Clauses 20.2 17.2 to 20.14 17.14 below apply only in relation to the processing of Personal Data on behalf of the Department as set out in Schedule 62 (Processing, Personal Data and Data Subjects), and the only processing that the Data Processor is authorised to do on behalf of the Department is listed in Schedule 6 2 (Processing, Personal Data and Data Subjects) by the Department and may not be determined by the Data Processor.
20.2 17.2 The Data Processor must shall notify the Data Controller immediately if it considers that any of the Data Controller's instructions infringe the Data Protection Legislation.
20.3 17.3 The Data Processor must shall provide all reasonable assistance to the Data Controller in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Data Controller, include:
(a) a systematic description of the envisaged processing operations and the purpose of the processing;
(b) an assessment of the necessity and proportionality of the processing operations in relation to the Services;
(c) an assessment of the risks to the rights and freedoms of Data Subjects; and
(d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data.
20.4 17.4 If requested by the Department’s Agreement Managernominated contact, the Data Processor mustshall, in relation to any Personal Data processed in connection with its obligations under this AgreementContract:
20.4.1 (a) process that Personal Data only in accordance with Schedule 62 (Processing, Personal Data and Data Subjects), unless the Data Processor is required to do otherwise by Law. If it is so required the Data Processor will shall promptly notify the Data Controller before processing the Personal Data unless prohibited by Law;
20.4.2 (b) ensure that it has in place Protective Measures, which are appropriate to protect against a Data Loss Event, which the Data Controller may reasonably reject (but failure to reject will shall not amount to approval by the Data Controller of the adequacy of the Protective Measures), having taken account of the:
(ai) nature of the data to be protected;
(bii) harm that might result from a Data Loss Event;
(ciii) state of technological development; and
(div) cost of implementing any measures;
20.4.3 (c) ensure that:
(ai) the Data Processor Personnel do not process Personal Data except in accordance with this Agreement Contract (and in particular Schedule 62 (Processing, Personal Data and Data Subjects));
(bii) it takes all reasonable steps to ensure the reliability and integrity of any Data Processor Personnel who have access to the Personal Data and ensure that they:
(iA) are aware of and comply with the Data Processor’s duties under this clause;
(iiB) are subject to appropriate confidentiality undertakings with the Data Processor or any Data Sub-Processor;
(iiiC) are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third Party unless directed in writing to do so by the Data Controller or as otherwise permitted by this AgreementContract; and
(ivD) have undergone adequate training in the use, care, protection and handling of Personal Data; and
20.4.4 (d) not make a Restricted Transfer unless the prior written consent of the Data Controller has been obtained and the following conditions are fulfilled:
(ai) the destination country has been recognised as adequate by the UK government in accordance with Article 45 UK GDPR or section 74 of the DPA 2018;
(ii) the Data Controller or the Data Processor has provided appropriate safeguards in relation to the transfer (whether in accordance with Data Protection LegislationUK GDPR Article 46 or section 75 of the DPA 2018) as determined by the Data Controller;
(biii) the Data Subject has enforceable rights and effective legal remedies;
(civ) the Data Processor complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Data Controller in meeting its obligations); and
(dv) the Data Processor complies with any reasonable instructions notified to it in advance by the Data Controller with respect to the processing of the Personal Data;
20.4.5 (e) at the written direction of the Data Controller, delete or return Personal Data (and any copies of it) to the Data Controller on termination of the Agreement Contract unless the Data Processor is required by Law to retain the Personal Data.
20.5 17.5 Subject to Clause 20.617.6, the Data Processor must shall notify the Data Controller immediately if it:
20.5.1 (a) receives a Data Subject Access Request (or purported Data Subject Access Request) in relation to the processing of their data under this Agreement Contract only (submission of learner dataILR Data);
20.5.2 (b) receives a request to rectify, block or erase any Personal Data processed through the submission of learner dataILR Data. Notification in such cases should be given via the Agreement Managernominated contact;
20.5.3 (c) receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation;
20.5.4 (d) receives any communication from the Information Commissioner or any other Regulatory Body regulatory authority in connection with Personal Data processed under this AgreementContract;
20.5.5 (e) receives a request from any third Party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or
20.5.6 (f) becomes aware of a Data Loss Event.
20.6 17.6 The Data Processor’s obligation to notify under Clause 20.5 will 17.5 shall include the provision of further information to the Data Controller in phases, as details become available.
20.7 17.7 Taking into account the nature of the processing, the Data Processor will shall provide the Data Controller with full assistance in relation to either Party's obligations under Data Protection Legislation and any complaint, communication or request made under Clause 20.5 (17.5, and insofar as possible within the timescales reasonably required by the Data Controller) including by promptly providing:
20.7.1 (a) the Data Controller with full details and copies of the complaint, communication or request;
20.7.2 (b) such assistance as is reasonably requested by the Data Controller to enable the Data Controller to comply with a Data Subject Access Request within the relevant timescales set out in the Data Protection Legislation;
20.7.3 (c) the Data Controller, at its request, with any Personal Data it holds in relation to a Data Subject;
20.7.4 (d) assistance as requested by the Data Controller following any Data Loss Event;
20.7.5 (e) assistance as requested by the Data Controller with respect to any request from the Information Commissioner’s Office, or any consultation by the Data Controller with the Information Commissioner's Office.
20.8 17.8 The Data Processor must shall maintain complete and accurate records and information to demonstrate its compliance with this clause. This requirement does not apply where the Data Processor employs fewer than 250 staff, unless:
20.8.1 (a) the Data Controller determines that the processing is not occasional;
20.8.2 (b) the Data Controller determines the processing includes special categories of data as referred to in Article 9(1) of the Data Protection Legislation UK GDPR or Personal Data relating to criminal convictions and offences referred to in Article 10 of the Data Protection LegislationUK GDPR; or
20.8.3 (c) the Data Controller determines that the processing is likely to result in a risk to the rights and freedoms of Data Subjects.
20.9 17.9 The Data Processor will shall allow for audits of its Data Processing activity by the Data Controller or the Data Controller’s designated auditor.
20.10 17.10 Each Party will shall designate its own data protection officer Data Protection Officer if required by the Data Protection Legislation.
20.11 17.11 Before allowing any Data Sub-Processor to process any Personal Data related to this Agreement Contract (submission of learner dataILR Data), the Data Processor must:
20.11.1 (a) notify the Data Controller’s Agreement Manager nominated contact in writing of the intended Data Sub-Processor and processing;
20.11.2 (b) obtain the written consent of the Data Controller’s Agreement Managernominated contact;
20.11.3 (c) enter into a written agreement with the Data Sub-Processor which give effect to the terms set out in this Clause 20 17 such that they apply to the Data Sub-Processor; and
20.11.4 (d) provide the Data Controller with such information regarding the Data Sub-Processor as the Data Controller may reasonably require.
20.12 17.12 The Data Processor will shall remain fully liable for all acts or omissions of any of its Data Sub-Processors.
20.13 17.13 The Data Controller may, at any time on not less than 30 Working Days’ notice, revise this clause by replacing it with any applicable Data Controller to Data Processor standard clauses or similar terms forming part of an applicable certification scheme (which will shall apply when incorporated by attachment to this AgreementContract).
20.14 17.14 The Parties agree to take account of any guidance issued by the Information Commissioner’s Office. The Data Controller may on not less than 30 Working Days’ notice to the Data Processor amend this Agreement Contract to ensure that it complies with any guidance issued by the Information Commissioner’s Office.
20.15 17.15 Where the Provider Contractor is providing the Services to Learners claiming out of work benefits, the Secretary of State for Work and Pensions (or their successor) is the Data Controller in relation to Personal Data which the Provider is required to provide to the Secretary of State for Work and Pensions. This Clause 20 will be enforceable by the Secretary of State for Work and Pensions in relation to any Personal Data processed by the Provider on its behalf.
20.16 Where the Provider is providing the Service to Learners who are subject to active management by the Offender Manager in respect of an order or licence, the Secretary of State for Justice (or their successor) is the Data Controller in relation to Personal Data, which the Provider is required to provide to the Secretary of State for Education.
20.17 Where the Provider is providing the Services to Learners Apprentices who are subject to claiming Industrial Injuries Disablement Benefit (IIDB), the Department for Work and Pensions (or their successor) is the Data Controller in relation to Personal Data, which the Provider Contractor is required to provide to the Secretary of State for Education. This Clause 20 17 will be enforceable by the Secretary of State for Work and Pensions in relation to any Personal Data processed by the Provider Contractor on its behalf.
20.18 17.16 The Data Processor will comply with any further written instructions or additional conditions from the Department’s Data Controller in relation to the data processing.
20.19 17.17 In the circumstances set out in Clause 37.1.725.13, the Department may elect to take the role of Data Controller.
Appears in 1 contract
Samples: Hei Adult Contract for Services
DATA PROTECTION AND PROTECTION OF PERSONAL DATA. 20.1
17.1. The Parties acknowledge that for the purposes of the Data Protection Legislation, the Department on behalf of the Secretary of State for Education is the Data Controller and the Provider Contractor is the Data Processor only for the processing set out in Schedule 6 2 (Processing, Personal Data and Data Subjects) (i.e. submission of Learner data to the Department). Any other processing of Personal Data undertaken by the Provider (i.e. Learner enrolment or delivering education & training, training e.g. e-portfolios) undertaken by the Contractor will be as a Data Controller and not on behalf of the Department. Clauses 20.2 17.2 to 20.14 17.14 below apply only in relation to the processing of Personal Data on behalf of the Department as set out in Schedule 62 (Processing, Personal Data and Data Subjects), and the only processing that the Data Processor is authorised to do on behalf of the Department is listed in Schedule 6 2 (Processing, Personal Data and Data Subjects) by the Department and may not be determined by the Data Processor.
20.2 17.2. The Data Processor must shall notify the Data Controller immediately if it considers that any of the Data Controller's instructions infringe the Data Protection Legislation.
20.3 17.3. The Data Processor must shall provide all reasonable assistance to the Data Controller in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Data Controller, include:
(a) a systematic description of the envisaged processing operations and the purpose of the processing;
(b) an assessment of the necessity and proportionality of the processing operations in relation to the Services;
(c) an assessment of the risks to the rights and freedoms of Data Subjects; and
(d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data.
20.4 17.4. If requested by the Department’s Agreement Managernominated contact, the Data Processor mustshall, in relation to any Personal Data processed in connection with its obligations under this AgreementContract:
20.4.1 (a) process that Personal Data only in accordance with Schedule 62 (Processing, Personal Data and Data Subjects), unless the Data Processor is required to do otherwise by Law. If it is so required the Data Processor will shall promptly notify the Data Controller before processing the Personal Data unless prohibited by Law;
20.4.2 (b) ensure that it has in place Protective Measures, which are appropriate to protect against a Data Loss Event, which the Data Controller may reasonably reject (but failure to reject will shall not amount to approval by the Data Controller of the adequacy of the Protective Measures), having taken account of the:
(ai) nature of the data to be protected;
(bii) harm that might result from a Data Loss Event;
(ciii) state of technological development; and
(div) cost of implementing any measures;
20.4.3 (c) ensure that:
(ai) the Data Processor Personnel do not process Personal Data except in accordance with this Agreement Contract (and in particular Schedule 62 (Processing, Personal Data and Data Subjects));
(bii) it takes all reasonable steps to ensure the reliability and integrity of any Data Processor Personnel who have access to the Personal Data and ensure that they:
(iA) are aware of and comply with the Data Processor’s duties under this clause;
(iiB) are subject to appropriate confidentiality undertakings with the Data Processor or any Data Sub-Processor;
(iiiC) are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third Party unless directed in writing to do so by the Data Controller or as otherwise permitted by this AgreementContract; and
(ivD) have undergone adequate training in the use, care, protection and handling of Personal Data; and
20.4.4 (d) not make a Restricted Transfer unless the prior written consent of the Data Controller has been obtained and the following conditions are fulfilled:
(ai) the destination country has been recognised as adequate by the UK government in accordance with Article 45 UK GDPR or section 74 of the DPA 2018;
(ii) the Data Controller or the Data Processor has provided appropriate safeguards in relation to the transfer (whether in accordance with Data Protection LegislationUK GDPR Article 46 or section 75 of the DPA 2018) as determined by the Data Controller;
(biii) the Data Subject has enforceable rights and effective legal remedies;
(civ) the Data Processor complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Data Controller in meeting its obligations); and
(dv) the Data Processor complies with any reasonable instructions notified to it in advance by the Data Controller with respect to the processing of the Personal Data;
20.4.5 (e) at the written direction of the Data Controller, delete or return Personal Data (and any copies of it) to the Data Controller on termination of the Agreement Contract unless the Data Processor is required by Law to retain the Personal Data.
20.5 17.5. Subject to Clause 20.617.6, the Data Processor must shall notify the Data Controller immediately if it:
20.5.1 (a) receives a Data Subject Access Request (or purported Data Subject Access Request) in relation to the processing of their data under this Agreement Contract only (submission of learner dataILR Data);
20.5.2 (b) receives a request to rectify, block or erase any Personal Data processed through the submission of learner dataILR Data. Notification in such cases should be given via the Agreement Managernominated contact;
20.5.3 (c) receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation;
20.5.4 (d) receives any communication from the Information Commissioner or any other Regulatory Body regulatory authority in connection with Personal Data processed under this AgreementContract;
20.5.5 (e) receives a request from any third Party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or
20.5.6 (f) becomes aware of a Data Loss Event.
20.6 17.6. The Data Processor’s obligation to notify under Clause 20.5 will 17.5 shall include the provision of further information to the Data Controller in phases, as details become available.
20.7 17.7. Taking into account the nature of the processing, the Data Processor will shall provide the Data Controller with full assistance in relation to either Party's obligations under Data Protection Legislation and any complaint, communication or request made under Clause 20.5 17.5 (and insofar as possible within the timescales reasonably required by the Data Controller) including by promptly providing:
20.7.1 (a) the Data Controller with full details and copies of the complaint, communication or request;
20.7.2 (b) such assistance as is reasonably requested by the Data Controller to enable the Data Controller to comply with a Data Subject Access Request within the relevant timescales set out in the Data Protection Legislation;
20.7.3 (c) the Data Controller, at its request, with any Personal Data it holds in relation to a Data Subject;
20.7.4 (d) assistance as requested by the Data Controller following any Data Loss Event;
20.7.5 (e) assistance as requested by the Data Controller with respect to any request from the Information Commissioner’s Office, or any consultation by the Data Controller with the Information Commissioner's Office.
20.8 17.8. The Data Processor must shall maintain complete and accurate records and information to demonstrate its compliance with this clause. This requirement does not apply where the Data Processor employs fewer than 250 staff, unless:
20.8.1 (a) the Data Controller determines that the processing is not occasional;
20.8.2 (b) the Data Controller determines the processing includes special categories of data as referred to in Article 9(1) of the Data Protection Legislation UK GDPR or Personal Data relating to criminal convictions and offences referred to in Article 10 of the Data Protection LegislationUK GDPR; or
20.8.3 (c) the Data Controller determines that the processing is likely to result in a risk to the rights and freedoms of Data Subjects.
20.9 17.9. The Data Processor will shall allow for audits of its Data Processing activity by the Data Controller or the Data Controller’s designated auditor.
20.10 17.10. Each Party will shall designate its own data protection officer Data Protection Officer if required by the Data Protection Legislation.
20.11 17.11. Before allowing any Data Sub-Processor to process any Personal Data related to this Agreement Contract (submission of learner dataILR Data), the Data Processor must:
20.11.1 (a) notify the Data Controller’s Agreement Manager nominated contact in writing of the intended Data Sub-Processor and processing;
20.11.2 (b) obtain the written consent of the Data Controller’s Agreement Managernominated contact;
20.11.3 (c) enter into a written agreement with the Data Sub-Processor which give effect to the terms set out in this Clause 20 17 such that they apply to the Data Sub-Processor; and
20.11.4 (d) provide the Data Controller with such information regarding the Data Sub-Processor as the Data Controller may reasonably require.
20.12 17.12. The Data Processor will shall remain fully liable for all acts or omissions of any of its Data Sub-Processors.
20.13 17.13. The Data Controller may, at any time on not less than 30 Working Days’ notice, revise this clause by replacing it with any applicable Data Controller to Data Processor standard clauses or similar terms forming part of an applicable certification scheme (which will shall apply when incorporated by attachment to this AgreementContract).
20.14 17.14. The Parties agree to take account of any guidance issued by the Information Commissioner’s Office. The Data Controller may on not less than 30 Working Days’ notice to the Data Processor amend this Agreement Contract to ensure that it complies with any guidance issued by the Information Commissioner’s Office.
20.15 17.15. Where the Provider Contractor is providing the Services to Learners claiming out of work benefits, the Secretary of State for Work and Pensions (or their successor) is the Data Controller in relation to Personal Data which the Provider Contractor is required to provide to the Secretary of State for Work and Pensions. This Clause 20 17 will be enforceable by the Secretary of State for Work and Pensions in relation to any Personal Data processed by the Provider Contractor on its their behalf.
20.16 17.16. Where the Provider Contractor is providing the Service to Learners who are subject to active management by the Offender Manager in respect of an order or licence, the Secretary of State for Justice (or their successor) is the Data Controller in relation to Personal Data, Data which the Provider Contractor is required to provide to the Secretary of State for EducationJustice.
20.17 Where the Provider is providing the Services to Learners who are subject to claiming Industrial Injuries Disablement Benefit (IIDB), the Department for Work and Pensions (or their successor) is the Data Controller in relation to Personal Data, which the Provider is required to provide to the Secretary of State for Education. This Clause 20 will be enforceable by the Secretary of State for Work and Pensions in relation to any Personal Data processed by the Provider on its behalf.
20.18 The Data Processor will comply with any further written instructions or additional conditions from the Department’s Data Controller in relation to the data processing.
20.19 In the circumstances set out in Clause 37.1.7, the Department may elect to take the role of Data Controller.
Appears in 1 contract
Samples: Contract for Services
DATA PROTECTION AND PROTECTION OF PERSONAL DATA. 20.1 22.1 The Parties acknowledge that for the purposes of the Data Protection Legislation, the Department on behalf of the Secretary of State for Education is the Data Controller and the Provider Contractor is the Data Processor only for the processing set out in Schedule 6 5 (UK GDPR and Data Protection) (i.e. submission of Learner data to the Department). Any other processing of Personal Data undertaken by the Provider Contractor (i.e. Learner enrolment or delivering education & training, e.g. e-portfolios) will be as a Data Controller and not on behalf of the Department. Clauses 20.2 22.2 to 20.14 22.14 below apply only in relation to the processing of Personal Data on behalf of the Department as set out in Schedule 65 (UK GDPR and Data Protection), and the only processing that the Data Processor is authorised to do on behalf of the Department is listed in Schedule 6 5 (UK GDPR and Data Protection) by the Department and may not be determined by the Data Processor.
20.2 22.2 The Data Processor must notify the Data Controller immediately if it considers that any of the Data Controller's instructions infringe the Data Protection Legislation.
20.3 22.3 The Data Processor must provide all reasonable assistance to the Data Controller in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Data Controller, include:
(a) a systematic description of the envisaged processing operations and the purpose of the processing;
(b) an assessment of the necessity and proportionality of the processing operations in relation to the Services;
(c) an assessment of the risks to the rights and freedoms of Data Subjects; and
(d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data.
20.4 22.4 If requested by the Department’s Agreement Contract Manager, the Data Processor must, in relation to any Personal Data processed in connection with its obligations under this AgreementContract:
20.4.1 22.4.1 process that Personal Data only in accordance with Schedule 65 (UK GDPR and Data Protection), unless the Data Processor is required to do otherwise by Law. If it is so required required, the Data Processor will promptly notify the Data Controller before processing the Personal Data unless prohibited by Law;
20.4.2 22.4.2 ensure that it has in place Protective Measures, which are appropriate to protect against a Data Loss Event, which the Data Controller may reasonably reject (but failure to reject will shall not amount to approval by the Data Controller of the adequacy of the Protective Measures), having taken account of the:
(a) nature of the data to be protected;
(b) harm that might result from a Data Loss Event;
(c) state of technological development; and
(d) cost of implementing any measures;
20.4.3 22.4.3 ensure that:
(a) the Data Processor Personnel do not process Personal Data except in accordance with this Agreement Contract (and in particular Schedule 65 (UK GDPR and Data Protection));
(b) it takes all reasonable steps to ensure the reliability and integrity of any Data Processor Personnel who have access to the Personal Data and ensure that they:
(i) are aware of and comply with the Data Processor’s duties under this clauseClause 22 (Data Protection and Protection of Personal Data);
(ii) are subject to appropriate confidentiality undertakings with the Data Processor or any Data Sub-Processor;
(iii) are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third Party party unless directed in writing to do so by the Data Controller or as otherwise permitted by this AgreementContract; and
(iv) have undergone adequate training in the use, care, protection and handling of Personal Data; and
20.4.4 22.4.4 not make a Restricted Transfer unless the prior written consent of the Data Controller has been obtained and the following conditions are fulfilled:
(a) the Data Controller or the Data Processor has provided appropriate safeguards in relation to the transfer (whether in accordance with Data Protection Legislation) Legislation as determined by the Data Controller;
(b) the Data Subject has enforceable rights and effective legal remedies;
(c) the Data Processor complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Data Controller in meeting its obligations); and
(d) the Data Processor complies with any reasonable instructions notified to it in advance by the Data Controller with respect to the processing of the Personal Data;
20.4.5 22.4.5 at the written direction of the Data Controller, delete or return Personal Data (and any copies of it) to the Data Controller on termination of the Agreement Contract unless the Data Processor is required by Law to retain the Personal Data.
20.5 22.5 Subject to Clause 20.622.6, the Data Processor must notify the Data Controller immediately if it:
20.5.1 22.5.1 receives a Data Subject Request (or purported Data Subject Request) in relation to processing their data under this Agreement Contract only (submission of learner data);
20.5.2 22.5.2 receives a request to rectify, block or erase any Personal Data processed through the submission of learner data. Notification in such cases should be given via the Agreement Contract Manager;
20.5.3 22.5.3 receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation;
20.5.4 22.5.4 receives any communication from the Information Commissioner or any other Regulatory Body in connection with Personal Data processed under this AgreementContract;
20.5.5 22.5.5 receives a request from any third Party party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or
20.5.6 22.5.6 becomes aware of a Data Loss Event.
20.6 22.6 The Data Processor’s obligation to notify under Clause 20.5 22.5 will include the provision of further information to the Data Controller in phases, as details become available.
20.7 22.7 Taking into account the nature of the processing, the Data Processor will provide the Data Controller with full assistance in relation to either Party's obligations under Data Protection Legislation and any complaint, communication or request made under Clause 20.5 22.5 (and insofar as possible within the timescales reasonably required by the Data Controller) including by promptly providing:
20.7.1 22.7.1 the Data Controller with full details and copies of the complaint, communication or request;
20.7.2 22.7.2 such assistance as is reasonably requested by the Data Controller to enable the Data Controller to comply with a Data Subject Request within the relevant timescales set out in the Data Protection Legislation;
20.7.3 22.7.3 the Data Controller, at its request, with any Personal Data it holds in relation to a Data Subject;
20.7.4 22.7.4 assistance as requested by the Data Controller following any Data Loss Event;
20.7.5 22.7.5 assistance as requested by the Data Controller with respect to any request from the Information Commissioner’s Office, or any consultation by the Data Controller with the Information Commissioner's Office.
20.8 22.8 The Data Processor must maintain complete and accurate records and information to demonstrate its compliance with this clauseClause 22 (Data Protection and Protection of Personal Data). This requirement does not apply where the Data Processor employs fewer than 250 two hundred and fifty (250) staff, unless:
20.8.1 22.8.1 the Data Controller determines that the processing is not occasional;
20.8.2 22.8.2 the Data Controller determines the processing includes special categories of data as referred to in the Data Protection Legislation or Personal Data relating to criminal convictions and offences referred to in the Data Protection Legislation; or
20.8.3 22.8.3 the Data Controller determines that the processing is likely to result in a risk to the rights and freedoms of Data Subjects.
20.9 22.9 The Data Processor will allow for audits of its Data Processing activity by the Data Controller or the Data Controller’s designated auditor.
20.10 22.10 Each Party will designate its own data protection officer if required by the Data Protection Legislation.
20.11 22.11 Before allowing any Data Sub-Processor to process any Personal Data related to this Agreement Contract (submission of learner Learner data), the Data Processor must:
22.11.1 notify the Data Controller’s Contract Manager in writing of the intended Data Sub-Processor and processing;
22.11.2 obtain the written consent of the Data Controller’s Contract Manager;
22.11.3 enter into a written agreement with the Data Sub-Processor which give effect to the terms set out in this Clause 22 (Data Protection and Protection of Personal Data) such that they apply to the Data Sub-Processor; and
22.11.4 provide the Data Controller with such information regarding the Data Sub-Processor as the Data Controller may reasonably require.
22.12 The Data Processor will remain fully liable for all acts or omissions of any of its Data Sub-Processors.
22.13 The Data Controller may, at any time on not less than thirty (30) Working Days’ notice, revise this Clause 22 (Data Protection and Protection of Personal Data) by replacing it with any applicable Data Controller to Data Processor standard clauses or similar terms forming part of an applicable certification scheme (which shall apply when incorporated by attachment to this Contract).
22.14 The Parties agree to take account of any guidance issued by the Information Commissioner’s Office. The Data Controller may on not less than thirty (30) Working Days’ notice to the Data Processor amend this Contract to ensure that it complies with any guidance issued by the Information Commissioner’s Office.
22.15 Where the Contractor is providing the Services to Learners claiming out of work benefits, the Secretary of State for Work and Pensions (or their successor) is the Data Controller in relation to Personal Data which the Contractor is required to provide to the Secretary of State for Work and Pensions. This Clause 22 (Data Protection and Protection of Personal Data) will be enforceable by the Secretary of State for Work and Pensions in relation to any Personal Data processed by the Contractor on its behalf.
22.16 Where the Contractor is providing the Service to Learners who are subject to active management by the Offender Manager in respect of an order or licence, the Secretary of State for Justice (or their successor) is the Data Controller in relation to Personal Data, which the Contractor is required to provide to the Secretary of State for Education.
22.17 Where the Contractor is providing the Services to Learners who are subject to claiming Industrial Injuries Disablement Benefit (IIDB), the Department for Work and Pensions (or their successor) is the Data Controller in relation to Personal Data, which the Contractor is required to provide to the Secretary of State for Education. This Clause 22 (Data Protection and Protection of Personal Data) will be enforceable by the Secretary of State for Work and Pensions in relation to any Personal Data processed by the Contractor on its behalf.
22.18 The Data Processor will comply with any further written instructions or additional conditions from the Department’s Data Controller in relation to the data processing.
22.19 In the circumstances set out in Clause 41.1.6, the Department may elect to take the role of Data Controller.
Appears in 1 contract
Samples: Contract for Services
DATA PROTECTION AND PROTECTION OF PERSONAL DATA. 20.1 The Parties acknowledge that for the purposes of the Data Protection Legislation, the Department on behalf of the Secretary of State for Education is the Data Controller and the Provider is the Data Processor only for the processing set out in Schedule 6 (i.e. submission of Learner data to the Department). Any other processing of Personal Data undertaken by the Provider (i.e. Learner enrolment or delivering education & training, e.g. e-portfolios) will be as a Data Controller and not on behalf of the Department. Clauses 20.2 to 20.14 below apply only in relation to the processing of Personal Data on behalf of the Department as set out in Schedule 6, and the only processing that the Data Processor is authorised to do on behalf of the Department is listed in Schedule 6 by the Department and may not be determined by the Data Processor.
20.2 The Data Processor must notify the Data Controller immediately if it considers that any of the Data Controller's instructions infringe the Data Protection Legislation.
20.3 The Data Processor must provide all reasonable assistance to the Data Controller in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Data Controller, include:
(a) a systematic description of the envisaged processing operations and the purpose of the processing;
(b) an assessment of the necessity and proportionality of the processing operations in relation to the Services;
(c) an assessment of the risks to the rights and freedoms of Data Subjects; and
(d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data.
20.4 If requested by the Department’s Agreement Manager, the Data Processor must, in relation to any Personal Data processed in connection with its obligations under this Agreement:
20.4.1 process that Personal Data only in accordance with Schedule 6, unless the Data Processor is required to do otherwise by Law. If it is so required the Data Processor will promptly notify the Data Controller before processing the Personal Data unless prohibited by Law;
20.4.2 ensure that it has in place Protective Measures, which are appropriate to protect against a Data Loss Event, which the Data Controller may reasonably reject (but failure to reject will not amount to approval by the Data Controller of the adequacy of the Protective Measures), having taken account of the:
(a) nature of the data to be protected;
(b) harm that might result from a Data Loss Event;
(c) state of technological development; and
(d) cost of implementing any measures;
20.4.3 ensure that:
(a) the Data Processor Personnel do not process Personal Data except in accordance with this Agreement (and in particular Schedule 6);
(b) it takes all reasonable steps to ensure the reliability and integrity of any Data Processor Personnel who have access to the Personal Data and ensure that they:
(i) are aware of and comply with the Data Processor’s duties under this clause;
(ii) are subject to appropriate confidentiality undertakings with the Data Processor or any Data Sub-Processor;
(iii) are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third Party unless directed in writing to do so by the Data Controller or as otherwise permitted by this Agreement; and
(iv) have undergone adequate training in the use, care, protection and handling of Personal Data; and
20.4.4 not make a Restricted Transfer unless the prior written consent of the Data Controller has been obtained and the following conditions are fulfilled:
(a) the destination country has been recognised as adequate by the UK government in accordance with Article 45 UK GDPR or section 74 of the DPA 2018;
(b) the Data Controller or the Data Processor has provided appropriate safeguards in relation to the transfer (whether in accordance with UK GDPR Article 46 or section 75 of the DPA 2018) as determined by the Data Controller;
(c) the Data Subject has enforceable rights and effective legal remedies;
(d) the Data Processor complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Data Controller in meeting its obligations); and
(e) the Data Processor complies with any reasonable instructions notified to it in advance by the Data Controller with respect to the processing of the Personal Data;
20.4.5 at the written direction of the Data Controller, delete or return Personal Data (and any copies of it) to the Data Controller on termination of the Agreement unless the Data Processor is required by Law to retain the Personal Data.
20.5 Subject to Clause 20.6, the Data Processor must notify the Data Controller immediately if it:
20.5.1 receives a Data Subject Access Request (or purported Data Subject Access Request) in relation to processing their data under this Agreement only (submission of learner data);
20.5.2 receives a request to rectify, block or erase any Personal Data processed through the submission of learner data. Notification in such cases should be given via the Agreement Manager;
20.5.3 receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation;
20.5.4 receives any communication from the Information Commissioner or any other Regulatory Body in connection with Personal Data processed under this Agreement;
20.5.5 receives a request from any third Party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or
20.5.6 becomes aware of a Data Loss Event.
20.6 The Data Processor’s obligation to notify under Clause 20.5 will include the provision of further information to the Data Controller in phases, as details become available.
20.7 Taking into account the nature of the processing, the Data Processor will provide the Data Controller with full assistance in relation to either Party's obligations under Data Protection Legislation and any complaint, communication or request made under Clause 20.5 (and insofar as possible within the timescales reasonably required by the Data Controller) including by promptly providing:
20.7.1 the Data Controller with full details and copies of the complaint, communication or request;
20.7.2 such assistance as is reasonably requested by the Data Controller to enable the Data Controller to comply with a Data Subject Access Request within the relevant timescales set out in the Data Protection Legislation;
20.7.3 the Data Controller, at its request, with any Personal Data it holds in relation to a Data Subject;
20.7.4 assistance as requested by the Data Controller following any Data Loss Event;
20.7.5 assistance as requested by the Data Controller with respect to any request from the Information Commissioner’s Office, or any consultation by the Data Controller with the Information Commissioner's Office.
20.8 The Data Processor must maintain complete and accurate records and information to demonstrate its compliance with this clause. This requirement does not apply where the Data Processor employs fewer than 250 staff, unless:
20.8.1 the Data Controller determines that the processing is not occasional;
20.8.2 the Data Controller determines the processing includes special categories of data as referred to in Article 9(1) of the UK GDPR or Personal Data relating to criminal convictions and offences referred to in Article 10 of the UK GDPR; or
20.8.3 the Data Controller determines that the processing is likely to result in a risk to the rights and freedoms of Data Subjects.
20.9 The Data Processor will allow for audits of its Data Processing activity by the Data Controller or the Data Controller’s designated auditor.
20.10 Each Party will designate its own data protection officer if required by the Data Protection Legislation.
20.11 Before allowing any Data Sub-Processor to process any Personal Data related to this Agreement (submission of learner data), the Data Processor must:
20.11.1 notify the Data Controller’s Agreement Manager in writing of the intended Data Sub-Processor and processing;
20.11.2 obtain the written consent of the Data Controller’s Agreement Manager;
20.11.3 enter into a written agreement with the Data Sub-Processor which give effect to the terms set out in this Clause 20 such that they apply to the Data Sub-Processor; and
20.11.4 provide the Data Controller with such information regarding the Data Sub-Processor as the Data Controller may reasonably require.
20.12 The Data Processor will remain fully liable for all acts or omissions of any of its Data Sub-Processors.
20.13 The Data Controller may, at any time on not less than 30 Working Days’ notice, revise this clause by replacing it with any applicable Data Controller to Data Processor standard clauses or similar terms forming part of an applicable certification scheme (which will apply when incorporated by attachment to this Agreement).
20.14 The Parties agree to take account of any guidance issued by the Information Commissioner’s Office. The Data Controller may on not less than 30 Working Days’ notice to the Data Processor amend this Agreement to ensure that it complies with any guidance issued by the Information Commissioner’s Office.
20.15 Where the Provider is providing the Services to Learners claiming out of work benefits, the Secretary of State for Work and Pensions (or their successor) is the Data Controller in relation to Personal Data which the Provider is required to provide to the Secretary of State for Work and Pensions. This Clause 20 will be enforceable by the Secretary of State for Work and Pensions in relation to any Personal Data processed by the Provider on its behalf.
20.16 Where the Provider is providing the Service to Learners who are subject to active management by the Offender Manager in respect of an order or licence, the Secretary of State for Justice (or their successor) is the Data Controller in relation to Personal Data, which the Provider is required to provide to the Secretary of State for Education.
20.17 Where the Provider is providing the Services to Learners who are subject to claiming Industrial Injuries Disablement Benefit (IIDB), the Department for Work and Pensions (or their successor) is the Data Controller in relation to Personal Data, which the Provider is required to provide to the Secretary of State for Education. This Clause 20 will be enforceable by the Secretary of State for Work and Pensions in relation to any Personal Data processed by the Provider on its behalf.
20.18 The Data Processor will comply with any further written instructions or additional conditions from the Department’s Data Controller in relation to the data processing.
20.19 In the circumstances set out in Clause 37.8, the Department may elect to take the role of Data Controller.
Appears in 1 contract
Samples: Education & Skills Agreement
DATA PROTECTION AND PROTECTION OF PERSONAL DATA. 20.1 The Parties acknowledge that for the purposes of the Data Protection Laws, the Department on behalf of the Secretary of State for Education is the Data Controller and the Provider is the Data Processor only for the processing set out in Schedule 6 (i.e. submission of Learner data to the Department). Any other processing of Personal Data undertaken by the Provider (i.e. Learner enrolment or delivering education & training, e.g. e-portfolios) will be as a Data Controller and not on behalf of the Department. Clauses 20.2 to 20.14 below apply only in relation to the processing of Personal Data on behalf of the Department as set out in Schedule 6, and the only processing that the Data Processor is authorised to do on behalf of the Department is listed in Schedule 6 by the Department and may not be determined by the Data Processor.
20.2 The Data Processor must notify the Data Controller immediately if it considers that any of the Data Controller's instructions infringe the Data Protection Laws.
20.3 The Data Processor must provide all reasonable assistance to the Data Controller in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Data Controller, include:
(a) a systematic description of the envisaged processing operations and the purpose of the processing;
(b) an assessment of the necessity and proportionality of the processing operations in relation to the Services;
(c) an assessment of the risks to the rights and freedoms of Data Subjects; and
(d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data.
20.4 If requested by the Department’s Agreement Manager, the Data Processor must, in relation to any Personal Data processed in connection with its obligations under this Agreement:
20.4.1 process that Personal Data only in accordance with Schedule 6, unless the Data Processor is required to do otherwise by Law. If it is so required the Data Processor will promptly notify the Data Controller before processing the Personal Data unless prohibited by Law;
20.4.2 ensure that it has in place Protective Measures, which are appropriate to protect against a Data Loss Event, which the Data Controller may reasonably reject (but failure to reject will not amount to approval by the Data Controller of the adequacy of the Protective Measures), having taken account of the:
(a) nature of the data to be protected;
(b) harm that might result from a Data Loss Event;
(c) state of technological development; and
(d) cost of implementing any measures;
20.4.3 ensure that:
(a) the Data Processor Personnel do not process Personal Data except in accordance with this Agreement (and in particular Schedule 6);
(b) it takes all reasonable steps to ensure the reliability and integrity of any Data Processor Personnel who have access to the Personal Data and ensure that they:
(i) are aware of and comply with the Data Processor’s duties under this clause;
(ii) are subject to appropriate confidentiality undertakings with the Data Processor or any Data Sub-Processor;
(iii) are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third Party unless directed in writing to do so by the Data Controller or as otherwise permitted by this Agreement; and
(iv) have undergone adequate training in the use, care, protection and handling of Personal Data; and
20.4.4 not transfer Personal Data outside of the EU unless the prior written consent of the Data Controller has been obtained and the following conditions are fulfilled:
(a) the Data Controller or the Data Processor has provided appropriate safeguards in relation to the transfer (whether in accordance with UK GDPR Article 46 or LED Article 37) as determined by the Data Controller;
(b) the Data Subject has enforceable rights and effective legal remedies;
(c) the Data Processor complies with its obligations under the Data Protection Laws by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Data Controller in meeting its obligations); and
(d) the Data Processor complies with any reasonable instructions notified to it in advance by the Data Controller with respect to the processing of the Personal Data;
20.4.5 at the written direction of the Data Controller, delete or return Personal Data (and any copies of it) to the Data Controller on termination of the Agreement unless the Data Processor is required by Law to retain the Personal Data.
20.5 Subject to Clause 20.6, the Data Processor must notify the Data Controller immediately if it:
20.5.1 receives a Data Subject Request (or purported Data Subject Request) in relation to processing their data under this Agreement only (submission of learner data);
20.5.2 receives a request to rectify, block or erase any Personal Data processed through the submission of learner data. Notification in such cases should be given via the Agreement Manager;
20.5.3 receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Laws;
20.5.4 receives any communication from the Information Commissioner or any other Regulatory Body in connection with Personal Data processed under this Agreement;
20.5.5 receives a request from any third Party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or
20.5.6 becomes aware of a Data Loss Event.
20.6 The Data Processor’s obligation to notify under Clause 20.5 will include the provision of further information to the Data Controller in phases, as details become available.
20.7 Taking into account the nature of the processing, the Data Processor will provide the Data Controller with full assistance in relation to either Party's obligations under Data Protection Laws and any complaint, communication or request made under Clause 20.5 (and insofar as possible within the timescales reasonably required by the Data Controller) including by promptly providing:
20.7.1 the Data Controller with full details and copies of the complaint, communication or request;
20.7.2 such assistance as is reasonably requested by the Data Controller to enable the Data Controller to comply with a Data Subject Request within the relevant timescales set out in the Data Protection Laws;
20.7.3 the Data Controller, at its request, with any Personal Data it holds in relation to a Data Subject;
20.7.4 assistance as requested by the Data Controller following any Data Loss Event;
20.7.5 assistance as requested by the Data Controller with respect to any request from the Information Commissioner’s Office, or any consultation by the Data Controller with the Information Commissioner's Office.
20.8 The Data Processor must maintain complete and accurate records and information to demonstrate its compliance with this clause. This requirement does not apply where the Data Processor employs fewer than 250 staff, unless:
20.8.1 the Data Controller determines that the processing is not occasional;
20.8.2 the Data Controller determines the processing includes special categories of data as referred to in Article 9(1) of the UK GDPR or Personal Data relating to criminal convictions and offences referred to in Article 10 of the UK GDPR; or
20.8.3 the Data Controller determines that the processing is likely to result in a risk to the rights and freedoms of Data Subjects.
20.9 The Data Processor will allow for audits of its Data Processing activity by the Data Controller or the Data Controller’s designated auditor.
20.10 Each Party will designate its own data protection officer if required by the Data Protection Laws.
20.11 Before allowing any Data Sub-Processor to process any Personal Data related to this Agreement (submission of learner data), the Data Processor must:
20.11.1 notify the Data Controller’s Agreement Manager in writing of the intended Data Sub-Processor and processing;
20.11.2 obtain the written consent of the Data Controller’s Agreement Manager;
20.11.3 enter into a written agreement with the Data Sub-Processor which give effect to the terms set out in this Clause 20 such that they apply to the Data Sub-Processor; and
20.11.4 provide the Data Controller with such information regarding the Data Sub-Processor as the Data Controller may reasonably require.
20.12 The Data Processor will remain fully liable for all acts or omissions of any of its Data Sub-Processors.
20.13 The Data Controller may, at any time on not less than 30 Working Days’ notice, revise this clause by replacing it with any applicable Data Controller to Data Processor standard clauses or similar terms forming part of an applicable certification scheme (which will apply when incorporated by attachment to this Agreement).
20.14 The Parties agree to take account of any guidance issued by the Information Commissioner’s Office. The Data Controller may on not less than 30 Working Days’ notice to the Data Processor amend this Agreement to ensure that it complies with any guidance issued by the Information Commissioner’s Office.
20.15 Where the Provider is providing the Services to Learners claiming out of work benefits, the Secretary of State for Work and Pensions (or their successor) is the Data Controller in relation to Personal Data which the Provider is required to provide to the Secretary of State for Work and Pensions. This Clause 20 will be enforceable by the Secretary of State for Work and Pensions in relation to any Personal Data processed by the Provider on its behalf.
20.16 Where the Provider is providing the Service to Learners who are subject to active management by the Offender Manager in respect of an order or licence, the Secretary of State for Justice (or their successor) is the Data Controller in relation to Personal Data, which the Provider is required to provide to the Secretary of State for Education.
20.17 Where the Provider is providing the Services to Learners who are subject to claiming Industrial Injuries Disablement Benefit (IIDB), the Department for Work and Pensions (or their successor) is the Data Controller in relation to Personal Data, which the Provider is required to provide to the Secretary of State for Education. This Clause 20 will be enforceable by the Secretary of State for Work and Pensions in relation to any Personal Data processed by the Provider on its behalf.
20.18 The Data Processor will comply with any further written instructions or additional conditions from the Department’s Data Controller in relation to the data processing.
20.19 In the circumstances set out in Clause 37.1.7, the Department may elect to take the role of Data Controller.
Appears in 1 contract
Samples: Funding Agreement
DATA PROTECTION AND PROTECTION OF PERSONAL DATA. 20.1 The Parties acknowledge that for the purposes of the Data Protection Laws, the Authority is the Data Controller and the Provider is the Data Processor only for the processing set out in Schedule 6 (i.e. submission of Learner data to the Authority). Any other processing of Personal Data undertaken by the Provider (i.e. Learner enrolment or delivering education & training, e.g. e-portfolios) will be as a Data Controller and not on behalf of the Authority. Clauses 20.2 to 20.16 below apply only in relation to the processing of Personal Data on behalf of the Authority as set out in Schedule 6, and the only processing that the Data Processor is authorised to do on behalf of the Authority is listed in Schedule 6 by the Authority and may not be determined by the Data Processor.
20.2 The Data Processor must notify the Data Controller immediately if it considers that any of the Data Controller's instructions infringe the Data Protection Laws.
20.3 The Data Processor must provide all reasonable assistance to the Data Controller in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Data Controller, include:
(a) a systematic description of the envisaged processing operations and the purpose of the processing;
(b) an assessment of the necessity and proportionality of the processing operations in relation to the Services;
(c) an assessment of the risks to the rights and freedoms of Data Subjects; and
(d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data.
20.4 If requested by the Authority’s Agreement Manager, the Data Processor must, in relation to any Personal Data processed in connection with its obligations under this Agreement:
20.4.1 process that Personal Data only in accordance with Schedule 6, unless the Data Processor is required to do otherwise by Law. If it is so required the Data Processor will promptly notify the Data Controller before processing the Personal Data unless prohibited by Law;
20.4.2 ensure that it has in place Protective Measures, which are appropriate to protect against a Data Loss Event, which the Data Controller may reasonably reject (but failure to reject will not amount to approval by the Data Controller of the adequacy of the Protective Measures), having taken account of the:
(a) nature of the data to be protected;
(b) harm that might result from a Data Loss Event;
(c) state of technological development; and
(d) cost of implementing any measures;
20.4.3 ensure that:
(a) the Data Processor Personnel do not process Personal Data except in accordance with this Agreement (and in particular Schedule 6);
(b) it takes all reasonable steps to ensure the reliability and integrity of any Data Processor Personnel who have access to the Personal Data and ensure that they:
20.4.4 are aware of and comply with the Data Processor’s duties under this clause;
20.4.5 are subject to appropriate confidentiality undertakings with the Data Processor or any Data Sub-processor;
20.4.6 are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third Party unless directed in writing to do so by the Data Controller or as otherwise permitted by this Agreement; and
20.4.7 have undergone adequate training in the use, care, protection and handling of Personal Data; and
20.4.8 not transfer Personal Data outside of the EU unless the prior written consent of the Data Controller has been obtained and the following conditions are fulfilled:
(a) the Data Controller or the Data Processor has provided appropriate safeguards in relation to the transfer (whether in accordance with GDPR Article 46 or LED Article 37) as determined by the Data Controller;
(b) the Data Subject has enforceable rights and effective legal remedies;
(c) the Data Processor complies with its obligations under the Data Protection Laws by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Data Controller in meeting its obligations); and
(d) the Data Processor complies with any reasonable instructions notified to it in advance by the Data Controller with respect to the processing of the Personal Data;
20.4.9 at the written direction of the Data Controller, delete or return Personal Data (and any copies of it) to the Data Controller on termination of the Agreement unless the Data Processor is required by Law to retain the Personal Data.
20.5 Subject to clause 20.6, the Data Processor must notify the Data Controller immediately if it:
20.5.1 receives a Data Subject Request (or purported Data Subject Request) in relation to processing their data under this Agreement only (submission of learner data);
20.5.2 receives a request to rectify, block or erase any Personal Data processed through the submission of learner data. Notification in such cases should be given via the submission of learner data for changes in-year and via the Agreement Manager for closed years;
20.5.3 receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Laws;
20.5.4 receives any communication from the Information Commissioner or any other Regulatory Body in connection with Personal Data processed under this Agreement;
20.5.5 receives a request from any third Party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or
20.5.6 becomes aware of a Data Loss Event.
20.6 The Data Processor’s obligation to notify under clause 20.5 will include the provision of further information to the Data Controller in phases, as details become available.
20.7 Taking into account the nature of the processing, the Data Processor will provide the Data Controller with full assistance in relation to either Party's obligations under Data Protection Laws and any complaint, communication or request made under clause 20.5 (and insofar as possible within the timescales reasonably required by the Data Controller) including by promptly providing:
20.7.1 the Data Controller with full details and copies of the complaint, communication or request;
20.7.2 such assistance as is reasonably requested by the Data Controller to enable the Data Controller to comply with a Data Subject Request within the relevant timescales set out in the Data Protection Laws;
20.7.3 the Data Controller, at its request, with any Personal Data it holds in relation to a Data Subject;
20.7.4 assistance as requested by the Data Controller following any Data Loss Event;
20.7.5 assistance as requested by the Data Controller with respect to any request from the Information Commissioner’s Office, or any consultation by the Data Controller with the Information Commissioner's Office.
20.8 The Data Processor must maintain complete and accurate records and information to demonstrate its compliance with this clause. This requirement does not apply where the Data Processor employs fewer than 250 staff, unless:
20.8.1 the Data Controller determines that the processing is not occasional;
20.8.2 the Data Controller determines the processing includes special categories of data as referred to in Article 9(1) of the GDPR or Personal Data relating to criminal convictions and offences referred to in Article 10 of the GDPR; or
20.8.3 the Data Controller determines that the processing is likely to result in a risk to the rights and freedoms of Data Subjects.
20.9 The Data Processor will allow for audits of its Data Processing activity by the Data Controller or the Data Controller’s designated auditor.
20.10 Each Party will designate its own data protection officer if required by the Data Protection Laws.
20.11 Before allowing any Data Sub-processor to process any Personal Data related to this Agreement (submission of learner data), the Data Processor must:
20.11.1 notify the Data Controller’s Agreement Manager in writing of the intended Data Sub-processor and processing;
20.11.2 obtain the written consent of the Data Controller’s Agreement Manager;
20.11.3 enter into a written agreement with the Data Sub-Processor processor which give effect to the terms set out in this Clause 20 such that they apply to the Data Sub-Processorprocessor; and
20.11.4 provide the Data Controller with such information regarding the Data Sub-Processor Sub- processor as the Data Controller may reasonably require.
20.12 The Data Processor will remain fully liable for all acts or omissions of any of its Data Sub-ProcessorsSub- processors.
20.13 The Data Controller may, at any time on not less than 30 Working Days’ notice, revise this clause by replacing it with any applicable Data Controller controller to Data Processor processor standard clauses or similar terms forming part of an applicable certification scheme (which will apply when incorporated by attachment to this Agreement).
20.14 The Parties agree to take account of any guidance issued by the Information Commissioner’s Office. The Data Controller may on not less than 30 Working Days’ notice to the Data Processor amend this Agreement to ensure that it complies with any guidance issued by the Information Commissioner’s Office.
20.15 Where the Provider is providing the Services to Learners claiming out of work benefits, the Secretary of State for Work and Pensions (or their successor) is the Data Controller in relation to Personal Data which the Provider is required to provide to the Secretary of State for Work and Pensions. This Clause 20 will be enforceable by the Secretary of State for Work and Pensions in relation to any Personal Data processed by the Provider on its behalf.
20.16 Where the Provider is providing the Service to Learners who are subject to active management by the Offender Manager in respect of an order or licence, the Secretary of State for Justice (or their successor) is the Data Controller in relation to Personal Data, which the Provider is required to provide to the Secretary of State for Education.
20.17 Where the Provider is providing the Services to Learners who are subject to claiming Industrial Injuries Disablement Benefit (IIDB), the Department Authority for Work and Pensions (or their successor) is the Data Controller in relation to Personal Data, which the Provider is required to provide to the Secretary of State for Education. This Clause 20 will be enforceable by the Secretary of State for Work and Pensions in relation to any Personal Data processed by the Provider on its behalf.
20.18 The Data Processor will comply with any further written instructions or additional conditions from the Department’s Data Controller in relation to the data processing.
20.19 In the circumstances set out in Clause 37.1.7, the Department may elect to take the role of Data Controller.
Samples: Grant Agreement
DATA PROTECTION AND PROTECTION OF PERSONAL DATA. 20.1 The Parties acknowledge that for the purposes of the Data Protection Legislation, the Department on behalf of the Secretary of State for Education is the Data Controller and the Provider is the Data Processor only for the processing set out in Schedule 6 (i.e. submission of Learner data to the Department). Any other processing of Personal Data undertaken by the Provider (i.e. Learner enrolment or delivering education & training, e.g. e-portfolios) will be as a Data Controller and not on behalf of the Department. Clauses 20.2 to 20.14 below apply only in relation to the processing of Personal Data on behalf of the Department as set out in Schedule 6, and the only processing that the Data Processor is authorised to do on behalf of the Department is listed in Schedule 6 by the Department and may not be determined by the Data Processor.
20.2 The Data Processor must notify the Data Controller immediately if it considers that any of the Data Controller's instructions infringe the Data Protection Legislation.
20.3 The Data Processor must provide all reasonable assistance to the Data Controller in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Data Controller, include:
(a) a systematic description of the envisaged processing operations and the purpose of the processing;
(b) an assessment of the necessity and proportionality of the processing operations in relation to the Services;
(c) an assessment of the risks to the rights and freedoms of Data Subjects; and
(d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data.
20.4 If requested by the Department’s Agreement Manager, the Data Processor must, in relation to any Personal Data processed in connection with its obligations under this Agreement:
20.4.1 process that Personal Data only in accordance with Schedule 6, unless the Data Processor is required to do otherwise by Law. If it is so required the Data Processor will promptly notify the Data Controller before processing the Personal Data unless prohibited by Law;
20.4.2 ensure that it has in place Protective Measures, which are appropriate to protect against a Data Loss Event, which the Data Controller may reasonably reject (but failure to reject will not amount to approval by the Data Controller of the adequacy of the Protective Measures), having taken account of the:
(a) nature of the data to be protected;
(b) harm that might result from a Data Loss Event;
(c) state of technological development; and
(d) cost of implementing any measures;
20.4.3 ensure that:
(a) the Data Processor Personnel do not process Personal Data except in accordance with this Agreement (and in particular Schedule 6);
(b) it takes all reasonable steps to ensure the reliability and integrity of any Data Processor Personnel who have access to the Personal Data and ensure that they:
(i) are aware of and comply with the Data Processor’s duties under this clause;
(ii) are subject to appropriate confidentiality undertakings with the Data Processor or any Data Sub-Processor;
(iii) are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third Party unless directed in writing to do so by the Data Controller or as otherwise permitted by this Agreement; and
(iv) have undergone adequate training in the use, care, protection and handling of Personal Data; and
20.4.4 not make a Restricted Transfer unless the prior written consent of the Data Controller has been obtained and the following conditions are fulfilled:
(a) the Data Controller or the Data Processor has provided appropriate safeguards in relation to the transfer (whether in accordance with Data Protection Legislation) as determined by the Data Controller;
(b) the Data Subject has enforceable rights and effective legal remedies;
(c) the Data Processor complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Data Controller in meeting its obligations); and
(d) the Data Processor complies with any reasonable instructions notified to it in advance by the Data Controller with respect to the processing of the Personal Data;
20.4.5 at the written direction of the Data Controller, delete or return Personal Data (and any copies of it) to the Data Controller on termination of the Agreement unless the Data Processor is required by Law to retain the Personal Data.
20.5 Subject to Clause 20.6, the Data Processor must notify the Data Controller immediately if it:
20.5.1 receives a Data Subject Access Request (or purported Data Subject Access Request) in relation to processing their data under this Agreement only (submission of learner data);
20.5.2 receives a request to rectify, block or erase any Personal Data processed through the submission of learner data. Notification in such cases should be given via the Agreement Manager;
20.5.3 receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation;
20.5.4 receives any communication from the Information Commissioner or any other Regulatory Body in connection with Personal Data processed under this Agreement;
20.5.5 receives a request from any third Party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or
20.5.6 becomes aware of a Data Loss Event.
20.6 The Data Processor’s obligation to notify under Clause 20.5 will include the provision of further information to the Data Controller in phases, as details become available.
20.7 Taking into account the nature of the processing, the Data Processor will provide the Data Controller with full assistance in relation to either Party's obligations under Data Protection Legislation and any complaint, communication or request made under Clause 20.5 (and insofar as possible within the timescales reasonably required by the Data Controller) including by promptly providing:
20.7.1 the Data Controller with full details and copies of the complaint, communication or request;
20.7.2 such assistance as is reasonably requested by the Data Controller to enable the Data Controller to comply with a Data Subject Access Request within the relevant timescales set out in the Data Protection Legislation;
20.7.3 the Data Controller, at its request, with any Personal Data it holds in relation to a Data Subject;
20.7.4 assistance as requested by the Data Controller following any Data Loss Event;
20.7.5 assistance as requested by the Data Controller with respect to any request from the Information Commissioner’s Office, or any consultation by the Data Controller with the Information Commissioner's Office.
20.8 The Data Processor must maintain complete and accurate records and information to demonstrate its compliance with this clause. This requirement does not apply where the Data Processor employs fewer than 250 staff, unless:
20.8.1 the Data Controller determines that the processing is not occasional;
20.8.2 the Data Controller determines the processing includes special categories of data as referred to in the Data Protection Legislation or Personal Data relating to criminal convictions and offences referred to in the Data Protection Legislation; or
20.8.3 the Data Controller determines that the processing is likely to result in a risk to the rights and freedoms of Data Subjects.
20.9 The Data Processor will allow for audits of its Data Processing activity by the Data Controller or the Data Controller’s designated auditor.
20.10 Each Party will designate its own data protection officer if required by the Data Protection Legislation.
20.11 Before allowing any Data Sub-Processor to process any Personal Data related to this Agreement (submission of learner data), the Data Processor must:
20.11.1 notify the Data Controller’s Agreement Manager in writing of the intended Data Sub-Processor and processing;
20.11.2 obtain the written consent of the Data Controller’s Agreement Manager;
20.11.3 enter into a written agreement with the Data Sub-Processor which give effect to the terms set out in this Clause 20 such that they apply to the Data Sub-Processor; and
20.11.4 provide the Data Controller with such information regarding the Data Sub-Processor as the Data Controller may reasonably require.
20.12 The Data Processor will remain fully liable for all acts or omissions of any of its Data Sub-Processors.
20.13 The Data Controller may, at any time on not less than 30 Working Days’ notice, revise this clause by replacing it with any applicable Data Controller to Data Processor standard clauses or similar terms forming part of an applicable certification scheme (which will apply when incorporated by attachment to this Agreement).
20.14 The Parties agree to take account of any guidance issued by the Information Commissioner’s Office. The Data Controller may on not less than 30 Working Days’ notice to the Data Processor amend this Agreement to ensure that it complies with any guidance issued by the Information Commissioner’s Office.
20.15 Where the Provider is providing the Services to Learners claiming out of work benefits, the Secretary of State for Work and Pensions (or their successor) is the Data Controller in relation to Personal Data which the Provider is required to provide to the Secretary of State for Work and Pensions. This Clause 20 will be enforceable by the Secretary of State for Work and Pensions in relation to any Personal Data processed by the Provider on its behalf.
20.16 Where the Provider is providing the Service to Learners who are subject to active management by the Offender Manager in respect of an order or licence, the Secretary of State for Justice (or their successor) is the Data Controller in relation to Personal Data, which the Provider is required to provide to the Secretary of State for Education.
20.17 Where the Provider is providing the Services to Learners who are subject to claiming Industrial Injuries Disablement Benefit (IIDB), the Department for Work and Pensions (or their successor) is the Data Controller in relation to Personal Data, which the Provider is required to provide to the Secretary of State for Education. This Clause 20 will be enforceable by the Secretary of State for Work and Pensions in relation to any Personal Data processed by the Provider on its behalf.
20.18 The Data Processor will comply with any further written instructions or additional conditions from the Department’s Data Controller in relation to the data processing.
20.19 In the circumstances set out in Clause 36.1.7, the Department may elect to take the role of Data Controller.
Samples: Conditions of Funding (Grant)
DATA PROTECTION AND PROTECTION OF PERSONAL DATA. 20.1 The Parties acknowledge that for the purposes of the Data Protection Legislation, the Department on behalf of the Secretary of State for Education is the Data Controller and the Provider is the Data Processor only for the processing set out in Schedule 6 (i.e. submission of Learner data to the Department). Any other processing of Personal Data undertaken by the Provider (i.e. Learner enrolment or delivering education & training, e.g. e-portfolios) will be as a Data Controller and not on behalf of the Department. Clauses 20.2 to 20.14 below apply only in relation to the processing of Personal Data on behalf of the Department as set out in Schedule 6, and the only processing that the Data Processor is authorised to do on behalf of the Department is listed in Schedule 6 by the Department and may not be determined by the Data Processor.
20.2 The Data Processor must notify the Data Controller immediately if it considers that any of the Data Controller's instructions infringe the Data Protection Legislation.
20.3 The Data Processor must provide all reasonable assistance to the Data Controller in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Data Controller, include:
(a) a systematic description of the envisaged processing operations and the purpose of the processing;
(b) an assessment of the necessity and proportionality of the processing operations in relation to the Services;
(c) an assessment of the risks to the rights and freedoms of Data Subjects; and
(d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data.
20.4 If requested by the Department’s Agreement Manager, the Data Processor must, in relation to any Personal Data processed in connection with its obligations under this Agreement:
20.4.1 process that Personal Data only in accordance with Schedule 6, unless the Data Processor is required to do otherwise by Law. If it is so required the Data Processor will promptly notify the Data Controller before processing the Personal Data unless prohibited by Law;
20.4.2 ensure that it has in place Protective Measures, which are appropriate to protect against a Data Loss Event, which the Data Controller may reasonably reject (but failure to reject will not amount to approval by the Data Controller of the adequacy of the Protective Measures), having taken account of the:
(a) nature of the data to be protected;
(b) harm that might result from a Data Loss Event;
(c) state of technological development; and
(d) cost of implementing any measures;
20.4.3 ensure that:
(a) the Data Processor Personnel do not process Personal Data except in accordance with this Agreement (and in particular Schedule 6);
(b) it takes all reasonable steps to ensure the reliability and integrity of any Data Processor Personnel who have access to the Personal Data and ensure that they:
(i) are aware of and comply with the Data Processor’s duties under this clause;
(ii) are subject to appropriate confidentiality undertakings with the Data Processor or any Data Sub-Processor;
(iii) are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third Party unless directed in writing to do so by the Data Controller or as otherwise permitted by this Agreement; and
(iv) have undergone adequate training in the use, care, protection and handling of Personal Data; and
20.4.4 not make a Restricted Transfer unless the prior written consent of the Data Controller has been obtained and the following conditions are fulfilled:
(a) the destination country has been recognised as adequate by the UK government in accordance with Article 45 UK GDPR or section 74 of the DPA 2018;
(b) the Data Controller or the Data Processor has provided appropriate safeguards in relation to the transfer (whether in accordance with UK GDPR Article 46 or section 75 of the DPA 2018) as determined by the Data Controller;
(c) the Data Subject has enforceable rights and effective legal remedies;
(d) the Data Processor complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Data Controller in meeting its obligations); and
(e) the Data Processor complies with any reasonable instructions notified to it in advance by the Data Controller with respect to the processing of the Personal Data;
20.4.5 at the written direction of the Data Controller, delete or return Personal Data (and any copies of it) to the Data Controller on termination of the Agreement unless the Data Processor is required by Law to retain the Personal Data.
20.5 Subject to Clause 20.6, the Data Processor must notify the Data Controller immediately if it:
20.5.1 receives a Data Subject Access Request (or purported Data Subject Access Request) in relation to processing their data under this Agreement only (submission of learner data);
20.5.2 receives a request to rectify, block or erase any Personal Data processed through the submission of learner data. Notification in such cases should be given via the Agreement Manager;
20.5.3 receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation;
20.5.4 receives any communication from the Information Commissioner or any other Regulatory Body in connection with Personal Data processed under this Agreement;
20.5.5 receives a request from any third Party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or
20.5.6 becomes aware of a Data Loss Event.
20.6 The Data Processor’s obligation to notify under Clause 20.5 will include the provision of further information to the Data Controller in phases, as details become available.
20.7 Taking into account the nature of the processing, the Data Processor will provide the Data Controller with full assistance in relation to either Party's obligations under Data Protection Legislation and any complaint, communication or request made under Clause 20.5 (and insofar as possible within the timescales reasonably required by the Data Controller) including by promptly providing:
20.7.1 the Data Controller with full details and copies of the complaint, communication or request;
20.7.2 such assistance as is reasonably requested by the Data Controller to enable the Data Controller to comply with a Data Subject Access Request within the relevant timescales set out in the Data Protection Legislation;
20.7.3 the Data Controller, at its request, with any Personal Data it holds in relation to a Data Subject;
20.7.4 assistance as requested by the Data Controller following any Data Loss Event;
20.7.5 assistance as requested by the Data Controller with respect to any request from the Information Commissioner’s Office, or any consultation by the Data Controller with the Information Commissioner's Office.
20.8 The Data Processor must maintain complete and accurate records and information to demonstrate its compliance with this clause. This requirement does not apply where the Data Processor employs fewer than 250 staff, unless:
20.8.1 the Data Controller determines that the processing is not occasional;
20.8.2 the Data Controller determines the processing includes special categories of data as referred to in Article 9(1) of the UK GDPR or Personal Data relating to criminal convictions and offences referred to in Article 10 of the UK GDPR; or
20.8.3 the Data Controller determines that the processing is likely to result in a risk to the rights and freedoms of Data Subjects.
20.9 The Data Processor will allow for audits of its Data Processing activity by the Data Controller or the Data Controller’s designated auditor.
20.10 Each Party will designate its own data protection officer if required by the Data Protection Legislation.
20.11 Before allowing any Data Sub-Processor to process any Personal Data related to this Agreement (submission of learner data), the Data Processor must:
20.11.1 notify the Data Controller’s Agreement Manager in writing of the intended Data Sub-Processor and processing;
20.11.2 obtain the written consent of the Data Controller’s Agreement Manager;
20.11.3 enter into a written agreement with the Data Sub-Processor which give effect to the terms set out in this Clause 20 such that they apply to the Data Sub-Processor; and
20.11.4 provide the Data Controller with such information regarding the Data Sub-Processor as the Data Controller may reasonably require.
20.12 The Data Processor will remain fully liable for all acts or omissions of any of its Data Sub-Processors.
20.13 The Data Controller may, at any time on not less than 30 Working Days’ notice, revise this clause by replacing it with any applicable Data Controller to Data Processor standard clauses or similar terms forming part of an applicable certification scheme (which will apply when incorporated by attachment to this Agreement).
20.14 The Parties agree to take account of any guidance issued by the Information Commissioner’s Office. The Data Controller may on not less than 30 Working Days’ notice to the Data Processor amend this Agreement to ensure that it complies with any guidance issued by the Information Commissioner’s Office.
20.15 Where the Provider is providing the Services to Learners claiming out of work benefits, the Secretary of State for Work and Pensions (or their successor) is the Data Controller in relation to Personal Data which the Provider is required to provide to the Secretary of State for Work and Pensions. This Clause 20 will be enforceable by the Secretary of State for Work and Pensions in relation to any Personal Data processed by the Provider on its behalf.
20.16 Where the Provider is providing the Service to Learners who are subject to active management by the Offender Manager in respect of an order or licence, the Secretary of State for Justice (or their successor) is the Data Controller in relation to Personal Data, which the Provider is required to provide to the Secretary of State for Education.
20.17 Where the Provider is providing the Services to Learners who are subject to claiming Industrial Injuries Disablement Benefit (IIDB), the Department for Work and Pensions (or their successor) is the Data Controller in relation to Personal Data, which the Provider is required to provide to the Secretary of State for Education. This Clause 20 will be enforceable by the Secretary of State for Work and Pensions in relation to any Personal Data processed by the Provider on its behalf.
20.18 The Data Processor will comply with any further written instructions or additional conditions from the Department’s Data Controller in relation to the data processing.
20.19 In the circumstances set out in Clause 36.8, the Department may elect to take the role of Data Controller.
Samples: Conditions of Funding (Grant)
DATA PROTECTION AND PROTECTION OF PERSONAL DATA. 17.1 The Parties acknowledge that for the purposes of the Data Protection Legislation, the ESFA on behalf of the Secretary of State for Education is the Data Controller and the Contractor is the Data Processor only for the processing set out in Schedule 2 (i.e. submission of Apprentice data to the ESFA). Any other processing of Personal Data (i.e. Apprentice enrolment or delivering education & training, i.e. e-portfolios) undertaken by the Contractor will be as a Data Controller and not on behalf of the ESFA. Clauses 17.1 to 17.14 below apply only in relation to the processing of Personal Data on behalf of the ESFA as set out in Schedule 2, and the only processing that the Data Processor is authorised to do on behalf of the ESFA is listed in Schedule 2 by the ESFA and may not be determined by the Data Processor.
17.2 The Data Processor shall notify the Data Controller immediately if it considers that any of the Data Controller's instructions infringe the Data Protection Legislation.
17.3 The Data Processor shall provide all reasonable assistance to the Data Controller in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Data Controller, include:
(a) a systematic description of the envisaged processing operations and the purpose of the processing;
(b) an assessment of the necessity and proportionality of the processing operations in relation to the Services;
(c) an assessment of the risks to the rights and freedoms of Data Subjects; and
(d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data.
17.4 If requested by the ESFA’s nominated contact, the Data Processor shall, in relation to any Personal Data processed in connection with its obligations under this Contract:
(a) process that Personal Data only in accordance with Schedule 2, unless the Data Processor is required to do otherwise by Law. If it is so required the Data Processor shall promptly notify the Data Controller before processing the Personal Data unless prohibited by Law;
(b) ensure that it has in place Protective Measures, which are appropriate to protect against a Data Loss Event, which the Data Controller may reasonably reject (but failure to reject shall not amount to approval by the Data Controller of the adequacy of the Protective Measures), having taken account of the:
(i) nature of the data to be protected;
(ii) harm that might result from a Data Loss Event;
(iii) state of technological development; and
(iv) cost of implementing any measures;
(c) ensure that:
(i) the Data Processor Personnel do not process Personal Data except in accordance with this Contract (and in particular Schedule 2);
(ii) it takes all reasonable steps to ensure the reliability and integrity of any Data Processor Personnel who have access to the Personal Data and ensure that they:
(A) are aware of and comply with the Data Processor’s duties under this clause;
(B) are subject to appropriate confidentiality undertakings with the Data Processor or any Data Sub-processor;
(C) are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third Party unless directed in writing to do so by the Data Controller or as otherwise permitted by this Contract; and
(D) have undergone adequate training in the use, care, protection and handling of Personal Data; and
(d) not transfer Personal Data outside of the EU unless the prior written consent of the Data Controller has been obtained and the following conditions are fulfilled:
(i) the Data Controller or the Data Processor has provided appropriate safeguards in relation to the transfer (whether in accordance with GDPR Article 46 or LED Article 37) as determined by the Data Controller;
(ii) the Data Subject has enforceable rights and effective legal remedies;
(iii) the Data Processor complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Data Controller in meeting its obligations); and
(iv) the Data Processor complies with any reasonable instructions notified to it in advance by the Data Controller with respect to the processing of the Personal Data;
(e) at the written direction of the Data Controller, delete or return Personal Data (and any copies of it) to the Data Controller on termination of the Contract unless the Data Processor is required by Law to retain the Personal Data.
17.5 Subject to Clause 17.6, the Data Processor shall notify the Data Controller immediately if it:
(a) receives a Data Subject Request (or purported Data Subject Request) in relation to the processing of their data under this Contract only (submission of ILR data);
(b) receives a request to rectify, block or erase any Personal Data processed through the submission of ILR data. Notification in such cases should be given via the ILR for changes in-year and via the nominated contact for closed years;
(c) receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation;
(d) receives any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data processed under this Contract;
(e) receives a request from any third Party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or
(f) becomes aware of a Data Loss Event.
20.6 The Data Processor’s obligation to notify under Clause 20.5 will include the provision of further information to the Data Controller in phases, as details become available.
20.7 Taking into account the nature of the processing, the Data Processor will provide the Data Controller with full assistance in relation to either Party's obligations under Data Protection Legislation and any complaint, communication or request made under Clause 20.5 (and insofar as possible within the timescales reasonably required by the Data Controller) including by promptly providing:
20.7.1 the Data Controller with full details and copies of the complaint, communication or request;
20.7.2 such assistance as is reasonably requested by the Data Controller to enable the Data Controller to comply with a Data Subject Request within the relevant timescales set out in the Data Protection Legislation;
20.7.3 the Data Controller, at its request, with any Personal Data it holds in relation to a Data Subject;
20.7.4 assistance as requested by the Data Controller following any Data Loss Event;
20.7.5 assistance as requested by the Data Controller with respect to any request from the Information Commissioner’s Office, or any consultation by the Data Controller with the Information Commissioner's Office.
20.8 The Data Processor must maintain complete and accurate records and information to demonstrate its compliance with this clause. This requirement does not apply where the Data Processor employs fewer than 250 staff, unless:
20.8.1 the Data Controller determines that the processing is not occasional;
20.8.2 the Data Controller determines the processing includes special categories of data as referred to in the Data Protection Legislation or Personal Data relating to criminal convictions and offences referred to in the Data Protection Legislation; or
20.8.3 the Data Controller determines that the processing is likely to result in a risk to the rights and freedoms of Data Subjects.
20.9 The Data Processor will allow for audits of its Data Processing activity by the Data Controller or the Data Controller’s designated auditor.
20.10 Each Party will designate its own data protection officer if required by the Data Protection Legislation.
20.11 Before allowing any Data Sub-Processor to process any Personal Data related to this Agreement (submission of learner data), the Data Processor must:
20.11.1 notify the Data Controller’s Agreement Manager in writing of the intended Data Sub-Processor and processing;
20.11.2 obtain the written consent of the Data Controller’s Agreement Manager;
20.11.3 enter into a written agreement with the Data Sub-Processor which give effect to the terms set out in this Clause 20 such that they apply to the Data Sub-Processor; and
20.11.4 provide the Data Controller with such information regarding the Data Sub-Processor as the Data Controller may reasonably require.
20.12 The Data Processor will remain fully liable for all acts or omissions of any of its Data Sub-Processors.
20.13 The Data Controller may, at any time on not less than 30 Working Days’ notice, revise this clause by replacing it with any applicable Data Controller to Data Processor standard clauses or similar terms forming part of an applicable certification scheme (which will apply when incorporated by attachment to this Agreement).
20.14 The Parties agree to take account of any guidance issued by the Information Commissioner’s Office. The Data Controller may on not less than 30 Working Days’ notice to the Data Processor amend this Agreement to ensure that it complies with any guidance issued by the Information Commissioner’s Office.
20.15 Where the Provider is providing the Services to Learners claiming out of work benefits, the Secretary of State for Work and Pensions (or their successor) is the Data Controller in relation to Personal Data which the Provider is required to provide to the Secretary of State for Work and Pensions. This Clause 20 will be enforceable by the Secretary of State for Work and Pensions in relation to any Personal Data processed by the Provider on its behalf.
20.16 Where the Provider is providing the Service to Learners who are subject to active management by the Offender Manager in respect of an order or licence, the Secretary of State for Justice (or their successor) is the Data Controller in relation to Personal Data, which the Provider is required to provide to the Secretary of State for Education.
20.17 Where the Provider is providing the Services to Learners who are subject to claiming Industrial Injuries Disablement Benefit (IIDB), the Department for Work and Pensions (or their successor) is the Data Controller in relation to Personal Data, which the Provider is required to provide to the Secretary of State for Education. This Clause 20 will be enforceable by the Secretary of State for Work and Pensions in relation to any Personal Data processed by the Provider on its behalf.
20.18 The Data Processor will comply with any further written instructions or additional conditions from the Department’s Data Controller in relation to the data processing.
20.19 In the circumstances set out in Clause 37.1.7, the Department may elect to take the role of Data Controller.
Appears in 1 contract
Samples: Hei Adult Contract for Services
DATA PROTECTION AND PROTECTION OF PERSONAL DATA. 22.1 The Parties acknowledge that for the purposes of the Data Protection Legislation, the Department on behalf of the Secretary of State for Education is the Data Controller and the Contractor is the Data Processor only for the processing set out in Schedule 6 (i.e. submission of Learner data to the Department). Any other processing of Personal Data undertaken by the Contractor (i.e. Learner enrolment or delivering education & training, e.g. e-portfolios) will be as a Data Controller and not on behalf of the Department. Clauses 22.2 to 22.14 below apply only in relation to the processing of Personal Data on behalf of the Department as set out in Schedule 6, and the only processing that the Data Processor is authorised to do on behalf of the Department is listed in Schedule 6 by the Department and may not be determined by the Data Processor.
22.2 The Data Processor must notify the Data Controller immediately if it considers that any of the Data Controller's instructions infringe the Data Protection Legislation.
22.3 The Data Processor must provide all reasonable assistance to the Data Controller in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Data Controller, include:
(a) a systematic description of the envisaged processing operations and the purpose of the processing;
(b) an assessment of the necessity and proportionality of the processing operations in relation to the Services;
(c) an assessment of the risks to the rights and freedoms of Data Subjects; and
(d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data.
22.4 If requested by the Department’s Contract Manager, the Data Processor must, in relation to any Personal Data processed in connection with its obligations under this Contract:
22.4.1 process that Personal Data only in accordance with Schedule 6, unless the Data Processor is required to do otherwise by Law. If it is so required the Data Processor will promptly notify the Data Controller before processing the Personal Data unless prohibited by Law;
22.4.2 ensure that it has in place Protective Measures, which are appropriate to protect against a Data Loss Event, which the Data Controller may reasonably reject (but failure to reject shall not amount to approval by the Data Controller of the adequacy of the Protective Measures), having taken account of the:
(a) nature of the data to be protected;
(b) harm that might result from a Data Loss Event;
(c) state of technological development; and
(d) cost of implementing any measures;
22.4.3 ensure that:
(a) the Data Processor Personnel do not process Personal Data except in accordance with this Contract (and in particular Schedule 6);
(b) it takes all reasonable steps to ensure the reliability and integrity of any Data Processor Personnel who have access to the Personal Data and ensure that they:
(i) are aware of and comply with the Data Processor’s duties under this clause;
(ii) are subject to appropriate confidentiality undertakings with the Data Processor or any Data Sub-Processor;
(iii) are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third Party unless directed in writing to do so by the Data Controller or as otherwise permitted by this Contract; and
(iv) have undergone adequate training in the use, care, protection and handling of Personal Data; and
22.4.4 not make a Restricted Transfer unless the prior written consent of the Data Controller has been obtained and the following conditions are fulfilled:
(a) the destination country has been recognised as adequate by the UK government in accordance with Article 45 UK GDPR or section 74 of the DPA 2018;
(b) the Data Controller or the Data Processor has provided appropriate safeguards in relation to the transfer (whether in accordance with UK GDPR Article 46 or section 75 of the DPA 2018) as determined by the Data Controller;
(c) the Data Subject has enforceable rights and effective legal remedies;
(d) the Data Processor complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Data Controller in meeting its obligations); and
(e) the Data Processor complies with any reasonable instructions notified to it in advance by the Data Controller with respect to the processing of the Personal Data;
22.4.5 at the written direction of the Data Controller, delete or return Personal Data (and any copies of it) to the Data Controller on termination of the Contract unless the Data Processor is required by Law to retain the Personal Data.
22.5 Subject to Clause 22.6, the Data Processor must notify the Data Controller immediately if it:
22.5.1 receives a Data Subject Access Request (or purported Data Subject Access Request) in relation to processing their data under this Contract only (submission of learner data);
22.5.2 receives a request to rectify, block or erase any Personal Data processed through the submission of learner data. Notification in such cases should be given via the Contract Manager;
22.5.3 receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation;
22.5.4 receives any communication from the Information Commissioner or any other Regulatory Body in connection with Personal Data processed under this Contract;
22.5.5 receives a request from any third Party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or
22.5.6 becomes aware of a Data Loss Event.
22.6 The Data Processor’s obligation to notify under Clause 22.5 will include the provision of further information to the Data Controller in phases, as details become available.
22.7 Taking into account the nature of the processing, the Data Processor will provide the Data Controller with full assistance in relation to either Party's obligations under Data Protection Legislation and any complaint, communication or request made under Clause 22.5 (and insofar as possible within the timescales reasonably required by the Data Controller) including by promptly providing:
22.7.1 the Data Controller with full details and copies of the complaint, communication or request;
22.7.2 such assistance as is reasonably requested by the Data Controller to enable the Data Controller to comply with a Data Subject Access Request within the relevant timescales set out in the Data Protection Legislation;
22.7.3 the Data Controller, at its request, with any Personal Data it holds in relation to a Data Subject;
22.7.4 assistance as requested by the Data Controller following any Data Loss Event;
22.7.5 assistance as requested by the Data Controller with respect to any request from the Information Commissioner’s Office, or any consultation by the Data Controller with the Information Commissioner's Office.
22.8 The Data Processor must maintain complete and accurate records and information to demonstrate its compliance with this clause. This requirement does not apply where the Data Processor employs fewer than 250 staff, unless:
22.8.1 the Data Controller determines that the processing is not occasional;
22.8.2 the Data Controller determines the processing includes special categories of data as referred to in Article 9(1) of the UK GDPR or Personal Data relating to criminal convictions and offences referred to in Article 10 of the UK GDPR; or
22.8.3 the Data Controller determines that the processing is likely to result in a risk to the rights and freedoms of Data Subjects.
22.9 The Data Processor will allow for audits of its Data Processing activity by the Data Controller or the Data Controller’s designated auditor.
22.10 Each Party will designate its own data protection officer if required by the Data Protection Legislation.
22.11 Before allowing any Data Sub-Processor to process any Personal Data related to this Contract (submission of learner data), the Data Processor must:
22.11.1 notify the Data Controller’s Contract Manager in writing of the intended Data Sub-Processor and processing;
22.11.2 obtain the written consent of the Data Controller’s Contract Manager;
22.11.3 enter into a written agreement with the Data Sub-Processor which give effect to the terms set out in this Clause 22 such that they apply to the Data Sub-Processor; and
22.11.4 provide the Data Controller with such information regarding the Data Sub-Processor as the Data Controller may reasonably require.
22.12 The Data Processor will remain fully liable for all acts or omissions of any of its Data Sub-Processors.
22.13 The Data Controller may, at any time on not less than 30 Working Days’ notice, revise this clause by replacing it with any applicable controller to processor standard clauses or similar terms forming part of an applicable certification scheme (which shall apply when incorporated by attachment to this Contract).
22.14 The Parties agree to take account of any guidance issued by the Information Commissioner’s Office. The Data Controller may on not less than 30 Working Days’ notice to the Data Processor amend this Contract to ensure that it complies with any guidance issued by the Information Commissioner’s Office.
22.15 Where the Contractor is providing the Services to Learners claiming out of work benefits, the Secretary of State for Work and Pensions (or their successor) is the Data Controller in relation to Personal Data which the Contractor is required to provide to the Secretary of State for Work and Pensions. This Clause 22 will be enforceable by the Secretary of State for Work and Pensions in relation to any Personal Data processed by the Contractor on its behalf.
22.16 Where the Contractor is providing the Service to Learners who are subject to active management by the Offender Manager in respect of an order or licence, the Secretary of State for Justice (or their successor) is the Data Controller in relation to Personal Data, which the Contractor is required to provide to the Secretary of State for Education.
22.17 Where the Contractor is providing the Services to Learners who are subject to claiming Industrial Injuries Disablement Benefit (IIDB), the Department for Work and Pensions (or their successor) is the Data Controller in relation to Personal Data, which the Contractor is required to provide to the Secretary of State for Education. This Clause 22 will be enforceable by the Secretary of State for Work and Pensions in relation to any Personal Data processed by the Contractor on its behalf.
22.18 The Data Processor will comply with any further written instructions or additional conditions from the Department’s Data Controller in relation to the data processing.
22.19 In the circumstances set out in Clause 41.9, the Department may elect to take the role of Data Controller.
Appears in 1 contract
Samples: Contract for Services
DATA PROTECTION AND PROTECTION OF PERSONAL DATA. 17.1 The Parties acknowledge that for the purposes of the Data Protection Legislation, the Department on behalf of the Secretary of State for Education is the Data Controller and the Contractor is the Data Processor only for the processing set out in Schedule 2 (i.e. submission of Apprentice data to the Department). Any other processing of Personal Data (i.e. Apprentice enrolment or delivering education & training, e.g. e-portfolios) undertaken by the Contractor will be as a Data Controller and not on behalf of the Department. Clauses 17.2 to 17.14 below apply only in relation to the processing of Personal Data on behalf of the Department as set out in Schedule 2, and the only processing that the Data Processor is authorised to do on behalf of the Department is listed in Schedule 2 by the Department and may not be determined by the Data Processor.
17.2 The Data Processor shall notify the Data Controller immediately if it considers that any of the Data Controller's instructions infringe the Data Protection Legislation.
17.3 The Data Processor shall provide all reasonable assistance to the Data Controller in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Data Controller, include:
(a) a systematic description of the envisaged processing operations and the purpose of the processing;
(b) an assessment of the necessity and proportionality of the processing operations in relation to the Services;
(c) an assessment of the risks to the rights and freedoms of Data Subjects; and
(d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data.
17.4 If requested by the Department’s nominated contact, the Data Processor shall, in relation to any Personal Data processed in connection with its obligations under this Contract:
(a) process that Personal Data only in accordance with Schedule 2, unless the Data Processor is required to do otherwise by Law. If it is so required the Data Processor shall promptly notify the Data Controller before processing the Personal Data unless prohibited by Law;
(b) ensure that it has in place Protective Measures, which are appropriate to protect against a Data Loss Event, which the Data Controller may reasonably reject (but failure to reject shall not amount to approval by the Data Controller of the adequacy of the Protective Measures), having taken account of the:
(i) nature of the data to be protected;
(ii) harm that might result from a Data Loss Event;
(iii) state of technological development; and
(iv) cost of implementing any measures;
(c) ensure that:
(i) the Data Processor Personnel do not process Personal Data except in accordance with this Contract (and in particular Schedule 2);
(ii) it takes all reasonable steps to ensure the reliability and integrity of any Data Processor Personnel who have access to the Personal Data and ensure that they:
(A) are aware of and comply with the Data Processor’s duties under this clause;
(B) are subject to appropriate confidentiality undertakings with the Data Processor or any Data Sub-Processor;
(C) are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third Party unless directed in writing to do so by the Data Controller or as otherwise permitted by this Contract; and
(D) have undergone adequate training in the use, care, protection and handling of Personal Data; and
(d) not make a Restricted Transfer unless the prior written consent of the Data Controller has been obtained and the following conditions are fulfilled:
(i) the Data Controller or the Data Processor has provided appropriate safeguards in relation to the transfer (whether in accordance with Data Protection Legislation) as determined by the Data Controller;
(ii) the Data Subject has enforceable rights and effective legal remedies;
(iii) the Data Processor complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Data Controller in meeting its obligations); and
(iv) the Data Processor complies with any reasonable instructions notified to it in advance by the Data Controller with respect to the processing of the Personal Data;
(e) at the written direction of the Data Controller, delete or return Personal Data (and any copies of it) to the Data Controller on termination of the Contract unless the Data Processor is required by Law to retain the Personal Data.
17.5 Subject to Clause 17.6, the Data Processor shall notify the Data Controller immediately if it:
(a) receives a Data Subject Access Request (or purported Data Subject Access Request) in relation to the processing of their data under this Contract only (submission of ILR data);
(b) receives a request to rectify, block or erase any Personal Data processed through the submission of ILR data. Notification in such cases should be given via the nominated contact;
(c) receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation;
(d) receives any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data processed under this Contract;
(e) receives a request from any third Party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or
(f) becomes aware of a Data Loss Event.
17.6 The Data Processor’s obligation to notify under Clause 17.5 shall include the provision of further information to the Data Controller in phases, as details become available.
17.7 Taking into account the nature of the processing, the Data Processor shall provide the Data Controller with full assistance in relation to either Party's obligations under Data Protection Legislation and any complaint, communication or request made under Clause (17.5, and insofar as possible within the timescales reasonably required by the Data Controller) including by promptly providing:
(a) the Data Controller with full details and copies of the complaint, communication or request;
(b) such assistance as is reasonably requested by the Data Controller to enable the Data Controller to comply with a Data Subject Access Request within the relevant timescales set out in the Data Protection Legislation;
(c) the Data Controller, at its request, with any Personal Data it holds in relation to a Data Subject;
(d) assistance as requested by the Data Controller following any Data Loss Event;
(e) assistance as requested by the Data Controller with respect to any request from the Information Commissioner’s Office, or any consultation by the Data Controller with the Information Commissioner's Office.
17.8 The Data Processor shall maintain complete and accurate records and information to demonstrate its compliance with this clause. This requirement does not apply where the Data Processor employs fewer than 250 staff, unless:
(a) the Data Controller determines that the processing is not occasional;
(b) the Data Controller determines the processing includes special categories of data as referred to in the Data Protection Legislation or Personal Data relating to criminal convictions and offences referred to in the Data Protection Legislation; or
(c) the Data Controller determines that the processing is likely to result in a risk to the rights and freedoms of Data Subjects.
17.9 The Data Processor shall allow for audits of its Data Processing activity by the Data Controller or the Data Controller’s designated auditor.
17.10 Each Party shall designate its own data protection officer if required by the Data Protection Legislation.
17.11 Before allowing any Data Sub-Processor to process any Personal Data related to this Contract (submission of ILR data), the Data Processor must:
(a) notify the Data Controller’s nominated contact in writing of the intended Data Sub-Processor and processing;
(b) obtain the written consent of the Data Controller’s nominated contact;
(c) enter into a written agreement with the Data Sub-Processor which give effect to the terms set out in this Clause 17 such that they apply to the Data Sub-Processor; and
(d) provide the Data Controller with such information regarding the Data Sub-Processor as the Data Controller may reasonably require.
17.12 The Data Processor shall remain fully liable for all acts or omissions of any of its Data Sub-Processors.
17.13 The Data Controller may, at any time on not less than 30 Working Days’ notice, revise this clause by replacing it with any applicable Data Controller to Data Processor standard clauses or similar terms forming part of an applicable certification scheme (which shall apply when incorporated by attachment to this Contract).
17.14 The Parties agree to take account of any guidance issued by the Information Commissioner’s Office. The Data Controller may on not less than 30 Working Days’ notice to the Data Processor amend this Contract to ensure that it complies with any guidance issued by the Information Commissioner’s Office.
17.15 Where the Contractor is providing the Services to Apprentices who are subject to claiming Industrial Injuries Disablement Benefit (IIDB), the Department for Work and Pensions (or their successor) is the Data Controller in relation to Personal Data, which the Contractor is required to provide to the Secretary of State for Education. This Clause 17 will be enforceable by the Secretary of State for Work and Pensions in relation to any Personal Data processed by the Contractor on its behalf.
17.16 The Data Processor will comply with any further written instructions or additional conditions from the Department’s Data Controller in relation to the data processing.
17.17 In the circumstances set out in Clause 25.13, the Department may elect to take the role of Data Controller.
Appears in 1 contract
Samples: Hei Adult Contract for Services
DATA PROTECTION AND PROTECTION OF PERSONAL DATA. 20.1 The Parties acknowledge that for the purposes of the Data Protection Laws, the Department on behalf of the Secretary of State for Education is the Data Controller and the Provider is the Data Processor only for the processing set out in Schedule 6 (i.e. submission of Pupil data to the Department). Any other processing of Personal Data undertaken by the Provider (i.e. Pupil enrolment or delivering education & training, e.g. e-portfolios) will be as a Data Controller and not on behalf of the Department. Clauses 20.2 to 20.14 below apply only in relation to the processing of Personal Data on behalf of the Department as set out in Schedule 6, and the only processing that the Data Processor is authorised to do on behalf of the Department is listed in Schedule 6 by the Department and may not be determined by the Data Processor.
20.2 The Data Processor must notify the Data Controller immediately if it considers that any of the Data Controller's instructions infringe the Data Protection Laws.
20.3 The Data Processor must provide all reasonable assistance to the Data Controller in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Data Controller, include:
(a) a systematic description of the envisaged processing operations and the purpose of the processing;
(b) an assessment of the necessity and proportionality of the processing operations in relation to the Services;
(c) an assessment of the risks to the rights and freedoms of Data Subjects; and
(d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data.
20.4 If requested by the Department’s Agreement Manager, the Data Processor must, in relation to any Personal Data processed in connection with its obligations under this Agreement:
20.4.1 process that Personal Data only in accordance with Schedule 6, unless the Data Processor is required to do otherwise by Law. If it is so required the Data Processor will promptly notify the Data Controller before processing the Personal Data unless prohibited by Law;
20.4.2 ensure that it has in place Protective Measures, which are appropriate to protect against a Data Loss Event, which the Data Controller may reasonably reject (but failure to reject will not amount to approval by the Data Controller of the adequacy of the Protective Measures), having taken account of the:
(a) nature of the data to be protected;
(b) harm that might result from a Data Loss Event;
(c) state of technological development; and
(d) cost of implementing any measures;
20.4.3 ensure that:
(a) the Data Processor Personnel do not process Personal Data except in accordance with this Agreement (and in particular Schedule 6);
(b) it takes all reasonable steps to ensure the reliability and integrity of any Data Processor Personnel who have access to the Personal Data and ensure that they:
(i) are aware of and comply with the Data Processor’s duties under this clause;
(ii) are subject to appropriate confidentiality undertakings with the Data Processor or any Data Sub-processor;
(iii) are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third Party unless directed in writing to do so by the Data Controller or as otherwise permitted by this Agreement; and
(iv) have undergone adequate training in the use, care, protection and handling of Personal Data; and
20.4.4 not transfer Personal Data outside of the EU unless the prior written consent of the Data Controller has been obtained and the following conditions are fulfilled:
(a) the Data Controller or the Data Processor has provided appropriate safeguards in relation to the transfer (whether in accordance with GDPR Article 46 or LED Article 37) as determined by the Data Controller;
(b) the Data Subject has enforceable rights and effective legal remedies;
(c) the Data Processor complies with its obligations under the Data Protection Legislation Laws by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Data Controller in meeting its obligations); and
(d) the Data Processor complies with any reasonable instructions notified to it in advance by the Data Controller with respect to the processing of the Personal Data;
20.4.5 at the written direction of the Data Controller, delete or return Personal Data (and any copies of it) to the Data Controller on termination of the Agreement unless the Data Processor is required by Law to retain the Personal Data.
20.5 Subject to Clause 20.6, the Data Processor must notify the Data Controller immediately if it:
20.5.1 receives a Data Subject Request (or purported Data Subject Request) in relation to processing their data under this Agreement only (submission of learner pupil data data);
20.5.2 receives a request to rectify, block or erase any Personal Data processed through the submission of learner pupil data. Notification in such cases should be given via the Agreement Manager;
20.5.3 receives any other request, complaint or communication relating to either Party's obligations under the Data Protection LegislationLaws;
20.5.4 receives any communication from the Information Commissioner or any other Regulatory Body in connection with Personal Data processed under this Agreement;
20.5.5 receives a request from any third Party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or
20.5.6 becomes aware of a Data Loss Event.
20.6 The Data Processor’s obligation to notify under Clause 20.5 will include the provision of further information to the Data Controller in phases, as details become available.
20.7 Taking into account the nature of the processing, the Data Processor will provide the Data Controller with full assistance in relation to either Party's obligations under Data Protection Legislation Laws and any complaint, communication or request made under Clause 20.5 (and insofar as possible within the timescales reasonably required by the Data Controller) including by promptly providing:
20.7.1 the Data Controller with full details and copies of the complaint, communication or request;
20.7.2 such assistance as is reasonably requested by the Data Controller to enable the Data Controller to comply with a Data Subject Request within the relevant timescales set out in the Data Protection LegislationLaws;
20.7.3 the Data Controller, at its request, with any Personal Data it holds in relation to a Data Subject;
20.7.4 assistance as requested by the Data Controller following any Data Loss Event;
20.7.5 assistance as requested by the Data Controller with respect to any request from the Information Commissioner’s Office, or any consultation by the Data Controller with the Information Commissioner's Office.
20.8 The Data Processor must maintain complete and accurate records and information to demonstrate its compliance with this clause. This requirement does not apply where the Data Processor employs fewer than 250 staff, unless:
20.8.1 the Data Controller determines that the processing is not occasional;
20.8.2 the Data Controller determines the processing includes special categories of data as referred to in Article 9(1) of the Data Protection Legislation GDPR or Personal Data relating to criminal convictions and offences referred to in Article 10 of the Data Protection LegislationGDPR; or
20.8.3 the Data Controller determines that the processing is likely to result in a risk to the rights and freedoms of Data Subjects.
20.9 The Data Processor will allow for audits of its Data Processing activity by the Data Controller or the Data Controller’s designated auditor.
20.10 Each Party will designate its own data protection officer if required by the Data Protection LegislationLaws.
20.11 Before allowing any Data Sub-Processor to process any Personal Data related to this Agreement (submission of learner pupil data data), the Data Processor must:
20.11.1 notify the Data Controller’s Agreement Manager in writing of the intended Data Sub-Processor and processing;
20.11.2 obtain the written consent of the Data Controller’s Agreement Manager;
20.11.3 enter into a written agreement with the Data Sub-Processor processor which give effect to the terms set out in this Clause 20 such that they apply to the Data Sub-Processor; and
20.11.4 provide the Data Controller with such information regarding the Data Sub-Sub- Processor as the Data Controller may reasonably require.
20.12 The Data Processor will remain fully liable for all acts or omissions of any of its Data Sub-Sub- Processors.
20.13 The Data Controller may, at any time on not less than 30 Working Days’ notice, revise this clause by replacing it with any applicable Data Controller controller to Data Processor processor standard clauses or similar terms forming part of an applicable certification scheme (which will apply when incorporated by attachment to this Agreement).
20.14 The Parties agree to take account of any guidance issued by the Information Commissioner’s Office. The Data Controller may on not less than 30 Working Days’ notice to the Data Processor amend this Agreement to ensure that it complies with any guidance issued by the Information Commissioner’s Office.
20.15 Where the Provider is providing the Services to Learners Pupils claiming out of work benefits, the Secretary of State for Work and Pensions (or their successor) is the Data Controller in relation to Personal Data which the Provider is required to provide to the Secretary of State for Work and Pensions. This Clause 20 will be enforceable by the Secretary of State for Work and Pensions in relation to any Personal Data processed by the Provider on its behalf.
20.16 Where the Provider is providing the Service to Learners Pupils who are subject to active management by the Offender Manager in respect of an order or licence, the Secretary of State for Justice (or their successor) is the Data Controller in relation to Personal Data, which the Provider is required to provide to the Secretary of State for Education.
20.17 Where the Provider is providing the Services to Learners Pupils who are subject to claiming Industrial Injuries Disablement Benefit (IIDB), the Department for Work and Pensions (or their successor) is the Data Controller in relation to Personal Data, which the Provider is required to provide to the Secretary of State for Education. This Clause 20 will be enforceable by the Secretary of State for Work and Pensions in relation to any Personal Data processed by the Provider on its behalf.
20.18 The Data Processor will comply with any further written instructions or additional conditions from the Department’s Data Controller in relation to the data processing.
20.19 In the circumstances set out in Clause 37.1.7, the Department may elect to take the role of Data Controller.
Samples: Funding Agreement
DATA PROTECTION AND PROTECTION OF PERSONAL DATA. 20.1 22.1 The Parties acknowledge that for the purposes of the Data Protection Legislation, the Department on behalf of the Secretary of State for Education is the Data Controller and the Provider Contractor is the Data Processor only for the processing set out in Schedule 6 (i.e. submission of Learner data to the Department). Any other processing of Personal Data undertaken by the Provider Contractor (i.e. Learner enrolment or delivering education & training, e.g. e-portfolios) will be as a Data Controller and not on behalf of the Department. Clauses 20.2 22.2 to 20.14 22.14 below apply only in relation to the processing of Personal Data on behalf of the Department as set out in Schedule 6, and the only processing that the Data Processor is authorised to do on behalf of the Department is listed in Schedule 6 by the Department and may not be determined by the Data Processor.
20.2 22.2 The Data Processor must notify the Data Controller immediately if it considers that any of the Data Controller's instructions infringe the Data Protection Legislation.
20.3 22.3 The Data Processor must provide all reasonable assistance to the Data Controller in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Data Controller, include:
(a) a systematic description of the envisaged processing operations and the purpose of the processing;
(b) an assessment of the necessity and proportionality of the processing operations in relation to the Services;
(c) an assessment of the risks to the rights and freedoms of Data Subjects; and
(d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data.
20.4 22.4 If requested by the Department’s Agreement Contract Manager, the Data Processor must, in relation to any Personal Data processed in connection with its obligations under this AgreementContract:
20.4.1 22.4.1 process that Personal Data only in accordance with Schedule 6, unless the Data Processor is required to do otherwise by Law. If it is so required the Data Processor will promptly notify the Data Controller before processing the Personal Data unless prohibited by Law;
20.4.2 22.4.2 ensure that it has in place Protective Measures, which are appropriate to protect against a Data Loss Event, which the Data Controller may reasonably reject (but failure to reject will shall not amount to approval by the Data Controller of the adequacy of the Protective Measures), having taken account of the:
(a) nature of the data to be protected;
(b) harm that might result from a Data Loss Event;
(c) state of technological development; and
(d) cost of implementing any measures;
20.4.3 22.4.3 ensure that:
(a) the Data Processor Personnel do not process Personal Data except in accordance with this Agreement Contract (and in particular Schedule 6);
(b) it takes all reasonable steps to ensure the reliability and integrity of any Data Processor Personnel who have access to the Personal Data and ensure that they:
(i) are aware of and comply with the Data Processor’s duties under this clause;
(ii) are subject to appropriate confidentiality undertakings with the Data Processor or any Data Sub-Processor;
(iii) are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third Party unless directed in writing to do so by the Data Controller or as otherwise permitted by this AgreementContract; and
(iv) have undergone adequate training in the use, care, protection and handling of Personal Data; and
20.4.4 22.4.4 not make a Restricted Transfer unless the prior written consent of the Data Controller has been obtained and the following conditions are fulfilled:
(a) the Data Controller or the Data Processor has provided appropriate safeguards in relation to the transfer (whether in accordance with Data Protection Legislation) as determined by the Data Controller;
(b) the Data Subject has enforceable rights and effective legal remedies;
(c) the Data Processor complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Data Controller in meeting its obligations); and
(d) the Data Processor complies with any reasonable instructions notified to it in advance by the Data Controller with respect to the processing of the Personal Data;
20.4.5 22.4.5 at the written direction of the Data Controller, delete or return Personal Data (and any copies of it) to the Data Controller on termination of the Agreement Contract unless the Data Processor is required by Law to retain the Personal Data.
20.5 22.5 Subject to Clause 20.622.6, the Data Processor must notify the Data Controller immediately if it:
20.5.1 22.5.1 receives a Data Subject Request (or purported Data Subject Request) in relation to processing their data under this Agreement Contract only (submission of learner data);
20.5.2 22.5.2 receives a request to rectify, block or erase any Personal Data processed through the submission of learner data. Notification in such cases should be given via the Agreement Contract Manager;
20.5.3 22.5.3 receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation;
20.5.4 22.5.4 receives any communication from the Information Commissioner or any other Regulatory Body in connection with Personal Data processed under this AgreementContract;
20.5.5 22.5.5 receives a request from any third Party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or
20.5.6 22.5.6 becomes aware of a Data Loss Event.
20.6 22.6 The Data Processor’s obligation to notify under Clause 20.5 22.5 will include the provision of further information to the Data Controller in phases, as details become available.
20.7 22.7 Taking into account the nature of the processing, the Data Processor will provide the Data Controller with full assistance in relation to either Party's obligations under Data Protection Legislation and any complaint, communication or request made under Clause 20.5 22.5 (and insofar as possible within the timescales reasonably required by the Data Controller) including by promptly providing:
20.7.1 22.7.1 the Data Controller with full details and copies of the complaint, communication or request;
20.7.2 22.7.2 such assistance as is reasonably requested by the Data Controller to enable the Data Controller to comply with a Data Subject Request within the relevant timescales set out in the Data Protection Legislation;
20.7.3 22.7.3 the Data Controller, at its request, with any Personal Data it holds in relation to a Data Subject;
20.7.4 22.7.4 assistance as requested by the Data Controller following any Data Loss Event;
20.7.5 22.7.5 assistance as requested by the Data Controller with respect to any request from the Information Commissioner’s Office, or any consultation by the Data Controller with the Information Commissioner's Office.
20.8 22.8 The Data Processor must maintain complete and accurate records and information to demonstrate its compliance with this clause. This requirement does not apply where the Data Processor employs fewer than 250 staff, unless:
20.8.1 22.8.1 the Data Controller determines that the processing is not occasional;
20.8.2 22.8.2 the Data Controller determines the processing includes special categories of data as referred to in the Data Protection Legislation or Personal Data relating to criminal convictions and offences referred to in the Data Protection Legislation; or
20.8.3 22.8.3 the Data Controller determines that the processing is likely to result in a risk to the rights and freedoms of Data Subjects.
20.9 22.9 The Data Processor will allow for audits of its Data Processing activity by the Data Controller or the Data Controller’s designated auditor.
20.10 22.10 Each Party will designate its own data protection officer if required by the Data Protection Legislation.
20.11 22.11 Before allowing any Data Sub-Processor to process any Personal Data related to this Agreement Contract (submission of learner data), the Data Processor must:
20.11.1 22.11.1 notify the Data Controller’s Agreement Contract Manager in writing of the intended Data Sub-Processor and processing;
20.11.2 22.11.2 obtain the written consent of the Data Controller’s Agreement Contract Manager;
20.11.3 22.11.3 enter into a written agreement with the Data Sub-Processor which give effect to the terms set out in this Clause 20 22 such that they apply to the Data Sub-Processor; and
20.11.4 22.11.4 provide the Data Controller with such information regarding the Data Sub-Processor as the Data Controller may reasonably require.
20.12 22.12 The Data Processor will remain fully liable for all acts or omissions of any of its Data Sub-Processors.
20.13 22.13 The Data Controller may, at any time on not less than 30 Working Days’ notice, revise this clause by replacing it with any applicable Data Controller controller to Data Processor processor standard clauses or similar terms forming part of an applicable certification scheme (which will shall apply when incorporated by attachment to this AgreementContract).
20.14 22.14 The Parties agree to take account of any guidance issued by the Information Commissioner’s Office. The Data Controller may on not less than 30 Working Days’ notice to the Data Processor amend this Agreement Contract to ensure that it complies with any guidance issued by the Information Commissioner’s Office.
20.15 22.15 Where the Provider Contractor is providing the Services to Learners claiming out of work benefits, the Secretary of State for Work and Pensions (or their successor) is the Data Controller in relation to Personal Data which the Provider Contractor is required to provide to the Secretary of State for Work and Pensions. This Clause 20 22 will be enforceable by the Secretary of State for Work and Pensions in relation to any Personal Data processed by the Provider Contractor on its behalf.
20.16 22.16 Where the Provider Contractor is providing the Service to Learners who are subject to active management by the Offender Manager in respect of an order or licence, the Secretary of State for Justice (or their successor) is the Data Controller in relation to Personal Data, which the Provider Contractor is required to provide to the Secretary of State for Education.
20.17 22.17 Where the Provider Contractor is providing the Services to Learners who are subject to claiming Industrial Injuries Disablement Benefit (IIDB), the Department for Work and Pensions (or their successor) is the Data Controller in relation to Personal Data, which the Provider Contractor is required to provide to the Secretary of State for Education. This Clause 20 22 will be enforceable by the Secretary of State for Work and Pensions in relation to any Personal Data processed by the Provider Contractor on its behalf.
20.18 22.18 The Data Processor will comply with any further written instructions or additional conditions from the Department’s Data Controller in relation to the data processing.
20.19 22.19 In the circumstances set out in Clause 37.1.741.1.7, the Department may elect to take the role of Data Controller.
Samples: Contract for Services
DATA PROTECTION AND PROTECTION OF PERSONAL DATA. 20.1 16.1 The Parties acknowledge that for the purposes of the Data Protection Legislation, the Department on behalf of the Secretary of State for Education is the Data Controller and the Provider Contractor is the Data Processor only for the processing set out in Schedule 6 2 (Processing Personal Data and Data Subjects) (i.e. submission of Learner Apprentice data to the Department). Any other processing of Personal Data undertaken by the Provider (i.e. Learner Apprentice enrolment or delivering education & training, e.g. e-portfolios) undertaken by the Contractor will be as a Data Controller data controller and not on behalf of the Department. Clauses 20.2 16.2 to 20.14 16.14 below apply only in relation to the processing of Personal Data on behalf of the Department as set out in Schedule 62 (Processing Personal Data and Data Subjects), and the only processing that the Data Processor is authorised to do on behalf of the Department is listed in Schedule 6 2 (Processing Personal Data and Data Subjects) by the Department and may not be determined by the Data Processor.
20.2 16.2 The Data Processor must shall notify the Data Controller immediately if it considers that any of the Data Controller's instructions infringe the Data Protection Legislation.
20.3 16.3 The Data Processor must shall provide all reasonable assistance to the Data Controller in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Data Controller, include:
(a) 16.3.1 a systematic description of the envisaged processing operations and the purpose of the processing;
(b) 16.3.2 an assessment of the necessity and proportionality of the processing operations in relation to the Services;
(c) 16.3.3 an assessment of the risks to the rights and freedoms of Data Subjects; and
(d) 16.3.4 the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data.
20.4 16.4 If requested by the Department’s Agreement Manager's nominated contact, the Data Processor mustshall, in relation to any Personal Data processed in connection with its obligations under this AgreementContract:
20.4.1 16.4.1 process that Personal Data only in accordance with Schedule 62 (Processing Personal Data and Data Subjects), unless the Data Processor is required to do otherwise by Law. If it is so required the Data Processor will shall promptly notify the Data Controller before processing the Personal Data unless prohibited by Law;
20.4.2 16.4.2 ensure that it has in place Protective Measures, which are appropriate to protect against a Data Loss Event, which the Data Controller may reasonably reject (but failure to reject will shall not amount to approval by the Data Controller of the adequacy of the Protective Measures), having taken account of the:
(a) 16.4.2.1 nature of the data to be protected;
(b) 16.4.2.2 harm that might result from a Data Loss Event;
(c) 16.4.2.3 state of technological development; and
(d) 16.4.2.4 cost of implementing any measures;
20.4.3 16.4.3 ensure that:
(a) 16.4.3.1 the Data Processor Personnel do not process Personal Data except in accordance with this Agreement Contract (and in particular Schedule 62 (Processing Personal Data and Data Subjects));
(b) 16.4.3.2 it takes all reasonable steps to ensure the reliability and integrity of any Data Processor Personnel who have access to the Personal Data and ensure that they:
(iA) are aware of and comply with the Data Processor’s 's duties under this clause;
(iiB) are subject to appropriate confidentiality undertakings with the Data Processor or any Data Sub-Processor;
(iiiC) are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third Party unless directed in writing to do so by the Data Controller or as otherwise permitted by this AgreementContract; and
(ivD) have undergone adequate training in the use, care, protection and handling of Personal Data; and
20.4.4 16.4.4 not make a Restricted Transfer unless the prior written consent of the Data Controller has been obtained and the following conditions are fulfilled:
(a) 16.4.4.1 the destination country has been recognised as adequate by the UK government in accordance with Article 45 UK GDPR or section 74 of the DPA 2018;
16.4.4.2 the Data Controller or the Data Processor has provided appropriate safeguards in relation to the transfer (whether in accordance with Data Protection LegislationUK GDPR Article 46 or section 75 of the DPA 2018) as determined by the Data Controller;
(b) 16.4.4.3 the Data Subject has enforceable rights and effective legal remedies;
(c) 16.4.4.4 the Data Processor complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Data Controller in meeting its obligations); and
(d) 16.4.4.5 the Data Processor complies with any reasonable instructions notified to it in advance by the Data Controller with respect to the processing of the Personal Data;
20.4.5 16.4.5 at the written direction of the Data Controller, delete or return Personal Data (and any copies of it) to the Data Controller on termination of the Agreement Contract unless the Data Processor is required by Law to retain the Personal Data.
20.5 16.5 Subject to Clause 20.616.6, the Data Processor must shall notify the Data Controller immediately if it:
20.5.1 16.5.1 receives a Data Subject Access Request (or purported Data Subject Access Request) in relation to the processing of their data under this Agreement Contract only (submission of learner ILR data);
20.5.2 16.5.2 receives a request to rectify, block or erase any Personal Data processed through the submission of learner ILR data. Notification in such cases should be given via the Agreement Managernominated contact;
20.5.3 16.5.3 receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation;
20.5.4 16.5.4 receives any communication from the Information Commissioner or any other Regulatory Body regulatory authority in connection with Personal Data processed under this AgreementContract;
20.5.5 16.5.5 receives a request from any third Party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or
20.5.6 16.5.6 becomes aware of a Data Loss Event.
20.6 16.6 The Data Processor’s 's obligation to notify under Clause 20.5 will 16.5 shall include the provision of further information to the Data Controller in phases, as details become available.
20.7 16.7 Taking into account the nature of the processing, the Data Processor will shall provide the Data Controller with full assistance in relation to either Party's obligations under Data Protection Legislation and any complaint, communication or request made under Clause 20.5 16.5 (and insofar as possible within the timescales reasonably required by the Data Controller) including by promptly providing:
20.7.1 16.7.1 the Data Controller with full details and copies of the complaint, communication or request;
20.7.2 16.7.2 such assistance as is reasonably requested by the Data Controller to enable the Data Controller to comply with a Data Subject Access Request within the relevant timescales set out in the Data Protection Legislation;
20.7.3 16.7.3 the Data Controller, at its request, with any Personal Data it holds in relation to a Data Subject;
20.7.4 16.7.4 assistance as requested by the Data Controller following any Data Loss Event;
20.7.5 16.7.5 assistance as requested by the Data Controller with respect to any request from the Information Commissioner’s 's Office, or any consultation by the Data Controller with the Information Commissioner's Office.
20.8 16.8 The Data Processor must shall maintain complete and accurate records and information to demonstrate its compliance with this clause. This requirement does not apply where the Data Processor employs fewer than 250 staff, unless:
20.8.1 16.8.1 the Data Controller determines that the processing is not occasional;
20.8.2 16.8.2 the Data Controller determines the processing includes special categories of data as referred to in Article 9(1) of the Data Protection Legislation UK GDPR or Personal Data relating to criminal convictions and offences referred to in Article 10 of the Data Protection LegislationUK GDPR; or
20.8.3 16.8.3 the Data Controller determines that the processing is likely to result in a risk to the rights and freedoms of Data Subjects.
20.9 16.9 The Data Processor will shall allow for audits of its Data Processing activity by the Data Controller or the Data Controller’s 's designated auditor.
20.10 16.10 Each Party will shall designate its own data protection officer Data Protection Officer if required by the Data Protection Legislation.
20.11 16.11 Before allowing any Data Sub-Processor to process any Personal Data related to this Agreement Contract (submission of learner ILR data), the Data Processor must:
20.11.1 16.11.1 notify the Data Controller’s Agreement Manager 's nominated contact in writing of the intended Data Sub-Processor and processing;
20.11.2 16.11.2 obtain the written consent of the Data Controller’s Agreement Manager's nominated contact;
20.11.3 16.11.3 enter into a written agreement with the Data Sub-Processor which give effect to the terms set out in this Clause 20 16 such that they apply to the Data Sub-Processor; and
20.11.4 16.11.4 provide the Data Controller with such information regarding the Data Sub-Processor as the Data Controller may reasonably require.
20.12 16.12 The Data Processor will shall remain fully liable for all acts or omissions of any of its Data Sub-Processors.
20.13 16.13 The Data Controller may, at any time on not less than 30 Working Days’ ' notice, revise this clause by replacing it with any applicable Data Controller to Data Processor standard clauses or similar terms forming part of an applicable certification scheme (which will shall apply when incorporated by attachment to this AgreementContract).
20.14 16.14 The Parties agree to take account of any guidance issued by the Information Commissioner’s 's Office. The Data Controller may on not less than 30 Working Days’ ' notice to the Data Processor amend this Agreement Contract to ensure that it complies with any guidance issued by the Information Commissioner’s 's Office.
20.15 16.15 Where the Provider Contractor is providing the Services to Learners claiming out of work benefits, the Secretary of State for Work and Pensions (or their successor) is the Data Controller in relation to Personal Data which the Provider is required to provide to the Secretary of State for Work and Pensions. This Clause 20 will be enforceable by the Secretary of State for Work and Pensions in relation to any Personal Data processed by the Provider on its behalf.
20.16 Where the Provider is providing the Service to Learners who are subject to active management by the Offender Manager in respect of an order or licence, the Secretary of State for Justice (or their successor) is the Data Controller in relation to Personal Data, which the Provider is required to provide to the Secretary of State for Education.
20.17 Where the Provider is providing the Services to Learners Apprentices who are subject to claiming Industrial Injuries Disablement Benefit (IIDB), the Department for Work and Pensions (or their successor) is the Data Controller data controller in relation to Personal Data, which the Provider Contractor is required to provide to the Secretary of State for Education. This Clause 20 16 will be enforceable by the Secretary of State for Work and Pensions in relation to any Personal Data processed by the Provider Contractor on its behalf.
20.18 16.16 The Data Processor will comply with any further written instructions or additional conditions from the Department’s 's Data Controller in relation to the data processing.
20.19 16.17 In the circumstances set out in Clause 37.1.725.13, the Department may elect to take the role of Data Controller.
Samples: Contract for Services
DATA PROTECTION AND PROTECTION OF PERSONAL DATA. 20.1 17.1. The Parties acknowledge that for the purposes of the Data Protection Legislation, the Department on behalf of the Secretary of State for Education is the Data Controller and the Provider Contractor is the Data Processor only for the processing set out in Schedule 6 2 (i.e. submission of Learner data to the Department). Any other processing of Personal Data undertaken by the Provider (i.e. Learner enrolment or delivering education & training, training e.g. e-portfolios) undertaken by the Contractor will be as a Data Controller and not on behalf of the Department. Clauses 20.2 17.2 to 20.14 17.14 below apply only in relation to the processing of Personal Data on behalf of the Department as set out in Schedule 62, and the only processing that the Data Processor is authorised to do on behalf of the Department is listed in Schedule 6 2 by the Department and may not be determined by the Data Processor.
20.2 17.2. The Data Processor must shall notify the Data Controller immediately if it considers that any of the Data Controller's instructions infringe the Data Protection Legislation.
20.3 17.3. The Data Processor must shall provide all reasonable assistance to the Data Controller in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Data Controller, include:
(a) a systematic description of the envisaged processing operations and the purpose of the processing;
(b) an assessment of the necessity and proportionality of the processing operations in relation to the Services;
(c) an assessment of the risks to the rights and freedoms of Data Subjects; and
(d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data.
20.4 17.4. If requested by the Department’s Agreement Manager nominated contact, the Data Processor must shall, in relation to any Personal Data processed in connection with its obligations under this Agreement Contract:
20.4.1 (a) process that Personal Data only in accordance with Schedule 6 2, unless the Data Processor is required to do otherwise by Law. If it is so required the Data Processor will shall promptly notify the Data Controller before processing the Personal Data unless prohibited by Law;
20.4.2 (b) ensure that it has in place Protective Measures, which are appropriate to protect against a Data Loss Event, which the Data Controller may reasonably reject (but failure to reject will shall not amount to approval by the Data Controller of the adequacy of the Protective Measures), having taken account of the:
(a) (i) nature of the data to be protected;
(b) (ii) harm that might result from a Data Loss Event;
(c) (iii) state of technological development; and
(d) (iv) cost of implementing any measures;
20.4.3 (c) ensure that:
(a) (i) the Data Processor Personnel do not process Personal Data except in accordance with this Agreement Contract (and in particular Schedule 6 2);
(b) (ii) it takes all reasonable steps to ensure the reliability and integrity of any Data Processor Personnel who have access to the Personal Data and ensure that they:
(i) (A) are aware of and comply with the Data Processor’s duties under this clause;
(ii) (B) are subject to appropriate confidentiality undertakings with the Data Processor or any Data Sub-Processor;
(iii) (C) are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third Party unless directed in writing to do so by the Data Controller or as otherwise permitted by this Agreement Contract; and
(iv) (D) have undergone adequate training in the use, care, protection and handling of Personal Data; and
20.4.4 (d) not make a Restricted Transfer unless the prior written consent of the Data Controller has been obtained and the following conditions are fulfilled:
(a) (i) the Data Controller or the Data Processor has provided appropriate safeguards in relation to the transfer (whether in accordance with Data Protection Legislation) as determined by the Data Controller;
(b) (ii) the Data Subject has enforceable rights and effective legal remedies;
(c) (iii) the Data Processor complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Data Controller in meeting its obligations); and
(d) (iv) the Data Processor complies with any reasonable instructions notified to it in advance by the Data Controller with respect to the processing of the Personal Data;
20.4.5 (e) at the written direction of the Data Controller, delete or return Personal Data (and any copies of it) to the Data Controller on termination of the Agreement Contract unless the Data Processor is required by Law to retain the Personal Data.
20.5 17.5. Subject to Clause 20.6 17.6, the Data Processor must shall notify the Data Controller immediately if it:
20.5.1 (a) receives a Data Subject Access Request (or purported Data Subject Access Request) in relation to the processing of their data under this Agreement Contract only (submission of learner ILR data);
20.5.2 (b) receives a request to rectify, block or erase any Personal Data processed through the submission of learner ILR data. Notification in such cases should be given via the Agreement Manager nominated contact;
20.5.3 (c) receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation;
20.5.4 (d) receives any communication from the Information Commissioner or any other Regulatory Body regulatory authority in connection with Personal Data processed under this Agreement Contract;
20.5.5 (e) receives a request from any third Party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or
20.5.6 (f) becomes aware of a Data Loss Event.
20.6 17.6. The Data Processor’s obligation to notify under Clause 20.5 will 17.5 shall include the provision of further information to the Data Controller in phases, as details become available.
20.7 17.7. Taking into account the nature of the processing, the Data Processor will shall provide the Data Controller with full assistance in relation to either Party's obligations under Data Protection Legislation and any complaint, communication or request made under Clause 20.5 17.5 (and insofar as possible within the timescales reasonably required by the Data Controller) including by promptly providing:
20.7.1 (a) the Data Controller with full details and copies of the complaint, communication or request;
20.7.2 (b) such assistance as is reasonably requested by the Data Controller to enable the Data Controller to comply with a Data Subject Access Request within the relevant timescales set out in the Data Protection Legislation;
20.7.3 (c) the Data Controller, at its request, with any Personal Data it holds in relation to a Data Subject;
20.7.4 (d) assistance as requested by the Data Controller following any Data Loss Event;
20.7.5 (e) assistance as requested by the Data Controller with respect to any request from the Information Commissioner’s Office, or any consultation by the Data Controller with the Information Commissioner's Office.
20.8 17.8. The Data Processor must shall maintain complete and accurate records and information to demonstrate its compliance with this clause. This requirement does not apply where the Data Processor employs fewer than 250 staff, unless:
20.8.1 (a) the Data Controller determines that the processing is not occasional;
20.8.2 (b) the Data Controller determines the processing includes special categories of data as referred to in the Data Protection Legislation or Personal Data relating to criminal convictions and offences referred to in the Data Protection Legislation; or
20.8.3 (c) the Data Controller determines that the processing is likely to result in a risk to the rights and freedoms of Data Subjects.
20.9 17.9. The Data Processor will shall allow for audits of its Data Processing activity by the Data Controller or the Data Controller’s designated auditor.
20.10 17.10. Each Party will shall designate its own data protection officer if required by the Data Protection Legislation.
20.11 17.11. Before allowing any Data Sub-Processor to process any Personal Data related to this Agreement Contract (submission of learner ILR data), the Data Processor must:
20.11.1 (a) notify the Data Controller’s Agreement Manager nominated contact in writing of the intended Data Sub-Processor and processing;
20.11.2 (b) obtain the written consent of the Data Controller’s Agreement Manager nominated contact;
20.11.3 (c) enter into a written agreement with the Data Sub-Processor which give effect to the terms set out in this Clause 20 17 such that they apply to the Data Sub-Processor; and
20.11.4 (d) provide the Data Controller with such information regarding the Data Sub-Processor as the Data Controller may reasonably require.
20.12 17.12. The Data Processor will shall remain fully liable for all acts or omissions of any of its Data Sub-Processors.
20.13 17.13. The Data Controller may, at any time on not less than 30 Working Days’ notice, revise this clause by replacing it with any applicable Data Controller to Data Processor standard clauses or similar terms forming part of an applicable certification scheme (which will shall apply when incorporated by attachment to this Agreement Contract).
20.14 17.14. The Parties agree to take account of any guidance issued by the Information Commissioner’s Office. The Data Controller may on not less than 30 Working Days’ notice to the Data Processor amend this Agreement Contract to ensure that it complies with any guidance issued by the Information Commissioner’s Office.
20.15 17.15. Where the Provider Contractor is providing the Services to Learners claiming out of work benefits, the Secretary of State for Work and Pensions (or their successor) is the Data Controller in relation to Personal Data which the Provider Contractor is required to provide to the Secretary of State for Work and Pensions. This Clause 20 17 will be enforceable by the Secretary of State for Work and Pensions in relation to any Personal Data processed by the Provider Contractor on its their behalf.
20.16 17.16. Where the Provider Contractor is providing the Service to Learners who are subject to active management by the Offender Manager in respect of an order or licence, the Secretary of State for Justice (or their successor) is the Data Controller in relation to Personal Data, Data which the Provider Contractor is required to provide to the Secretary of State for Education Justice.
20.17 Where the Provider is providing the Services to Learners who are subject to claiming Industrial Injuries Disablement Benefit (IIDB), the Department for Work and Pensions (or their successor) is the Data Controller in relation to Personal Data, which the Provider is required to provide to the Secretary of State for Education. This Clause 20 will be enforceable by the Secretary of State for Work and Pensions in relation to any Personal Data processed by the Provider on its behalf.
20.18 The Data Processor will comply with any further written instructions or additional conditions from the Department’s Data Controller in relation to the data processing.
20.19 In the circumstances set out in Clause 37.1.7, the Department may elect to take the role of Data Controller.
Samples: Contract for Services
DATA PROTECTION AND PROTECTION OF PERSONAL DATA. 20.1 The Parties acknowledge that for the purposes of the Data Protection Legislation Laws, the Department on behalf of the Secretary of State for Education is the Data Controller and the Provider College is the Data Processor only for the processing set out in Schedule 6 (i.e. submission of Learner data to the Department). Any other processing of Personal Data undertaken by the Provider College (i.e. Learner enrolment or delivering education & training, e.g. i.e. e-portfolios) will be as a Data Controller and not on behalf of the Department. Clauses 20.2 to 20.14 20.16 below apply only in relation to the processing of Personal Data on behalf of the Department as set out in Schedule 6, and the only processing that the Data Processor is authorised to do on behalf of the Department is listed in Schedule 6 by the Department and may not be determined by the Data Processor.
20.2 The Data Processor must notify the Data Controller immediately if it considers that any of the Data Controller's instructions infringe the Data Protection Legislation Laws.
20.3 The Data Processor must provide all reasonable assistance to the Data Controller in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Data Controller, include:
(a) 20.3.1 a systematic description of the envisaged processing operations and the purpose of the processing;
(b) 20.3.2 an assessment of the necessity and proportionality of the processing operations in relation to the Services;
(c) 20.3.3 an assessment of the risks to the rights and freedoms of Data Subjects; and
(d) 20.3.4 the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data.
20.4 If requested by the Department’s Agreement Manager, the Data Processor must, in relation to any Personal Data processed in connection with its obligations under this Agreement:
20.4.1 process that Personal Data only in accordance with Schedule 6, unless the Data Processor is required to do otherwise by Law. If it is so required the Data Processor will promptly notify the Data Controller before processing the Personal Data unless prohibited by Law;
20.4.2 ensure that it has in place Protective Measures, which are appropriate to protect against a Data Loss Event, which the Data Controller may reasonably reject (but failure to reject will not amount to approval by the Data Controller of the adequacy of the Protective Measures), having taken account of the:
(a) nature of the data to be protected;
(b) harm that might result from a Data Loss Event;
(c) state of technological development; and
(d) cost of implementing any measures;
20.4.3 ensure that:
(a) the Data Processor Personnel do not process Personal Data except in accordance with this Agreement (and in particular Schedule 6);
(b) it takes all reasonable steps to ensure the reliability and integrity of any Data Processor Personnel who have access to the Personal Data and ensure that they:
(i) 20.4.4 are aware of and comply with the Data Processor’s duties under this clause;
(ii) 20.4.5 are subject to appropriate confidentiality undertakings with the Data Processor or any Data Sub-Processor Sub-processor;
(iii) 20.4.6 are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third Party unless directed in writing to do so by the Data Controller or as otherwise permitted by this Agreement; and
(iv) 20.4.7 have undergone adequate training in the use, care, protection and handling of Personal Data; and
20.4.4 20.4.8 not make a Restricted Transfer transfer Personal Data outside of the EU unless the prior written consent of the Data Controller has been obtained and the following conditions are fulfilled:
(a) the Data Controller or the Data Processor has provided appropriate safeguards in relation to the transfer (whether in accordance with Data Protection Legislation GDPR Article 46 or LED Article 37) as determined by the Data Controller;
(b) the Data Subject has enforceable rights and effective legal remedies;
(c) the Data Processor complies with its obligations under the Data Protection Legislation Laws by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Data Controller in meeting its obligations); and
(d) the Data Processor complies with any reasonable instructions notified to it in advance by the Data Controller with respect to the processing of the Personal Data;
20.4.5 20.4.9 at the written direction of the Data Controller, delete or return Personal Data (and any copies of it) to the Data Controller on termination of the Agreement unless the Data Processor is required by Law to retain the Personal Data.
20.5 Subject to Clause 20.6, the Data Processor must notify the Data Controller immediately if it:
20.5.1 receives a Data Subject Request (or purported Data Subject Request) in relation to processing their data under this Agreement only (submission of learner data);
20.5.2 receives a request to rectify, block or erase any Personal Data processed through the submission of learner data. Notification in such cases should be given via the Agreement Manager;
20.5.3 receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation;
20.5.4 receives any communication from the Information Commissioner or any other Regulatory Body in connection with Personal Data processed under this Agreement;
20.5.5 receives a request from any third Party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or
20.5.6 becomes aware of a Data Loss Event.
20.6 The Data Processor’s obligation to notify under Clause 20.5 will include the provision of further information to the Data Controller in phases, as details become available.
20.7 Taking into account the nature of the processing, the Data Processor will provide the Data Controller with full assistance in relation to either Party's obligations under Data Protection Legislation and any complaint, communication or request made under Clause 20.5 (and insofar as possible within the timescales reasonably required by the Data Controller) including by promptly providing:
20.7.1 the Data Controller with full details and copies of the complaint, communication or request;
20.7.2 such assistance as is reasonably requested by the Data Controller to enable the Data Controller to comply with a Data Subject Request within the relevant timescales set out in the Data Protection Legislation;
20.7.3 the Data Controller, at its request, with any Personal Data it holds in relation to a Data Subject;
20.7.4 assistance as requested by the Data Controller following any Data Loss Event;
20.7.5 assistance as requested by the Data Controller with respect to any request from the Information Commissioner’s Office, or any consultation by the Data Controller with the Information Commissioner's Office.
20.8 The Data Processor must maintain complete and accurate records and information to demonstrate its compliance with this clause. This requirement does not apply where the Data Processor employs fewer than 250 staff, unless:
20.8.1 the Data Controller determines that the processing is not occasional;
20.8.2 the Data Controller determines the processing includes special categories of data as referred to in the Data Protection Legislation or Personal Data relating to criminal convictions and offences referred to in the Data Protection Legislation; or
20.8.3 the Data Controller determines that the processing is likely to result in a risk to the rights and freedoms of Data Subjects.
20.9 The Data Processor will allow for audits of its Data Processing activity by the Data Controller or the Data Controller’s designated auditor.
20.10 Each Party will designate its own data protection officer if required by the Data Protection Legislation.
20.11 Before allowing any Data Sub-Processor to process any Personal Data related to this Agreement (submission of learner data), the Data Processor must:
20.11.1 notify the Data Controller’s Agreement Manager in writing of the intended Data Sub-Processor and processing;
20.11.2 obtain the written consent of the Data Controller’s Agreement Manager;
20.11.3 enter into a written agreement with the Data Sub-Processor which give effect to the terms set out in this Clause 20 such that they apply to the Data Sub-Processor; and
20.11.4 provide the Data Controller with such information regarding the Data Sub-Processor as the Data Controller may reasonably require.
20.12 The Data Processor will remain fully liable for all acts or omissions of any of its Data Sub-Processors.
20.13 The Data Controller may, at any time on not less than 30 Working Days’ notice, revise this clause by replacing it with any applicable Data Controller to Data Processor standard clauses or similar terms forming part of an applicable certification scheme (which will apply when incorporated by attachment to this Agreement).
20.14 The Parties agree to take account of any guidance issued by the Information Commissioner’s Office. The Data Controller may on not less than 30 Working Days’ notice to the Data Processor amend this Agreement to ensure that it complies with any guidance issued by the Information Commissioner’s Office.
20.15 Where the Provider is providing the Services to Learners claiming out of work benefits, the Secretary of State for Work and Pensions (or their successor) is the Data Controller in relation to Personal Data which the Provider is required to provide to the Secretary of State for Work and Pensions. This Clause 20 will be enforceable by the Secretary of State for Work and Pensions in relation to any Personal Data processed by the Provider on its behalf.
20.16 Where the Provider is providing the Service to Learners who are subject to active management by the Offender Manager in respect of an order or licence, the Secretary of State for Justice (or their successor) is the Data Controller in relation to Personal Data, which the Provider is required to provide to the Secretary of State for Education.
20.17 Where the Provider is providing the Services to Learners who are subject to claiming Industrial Injuries Disablement Benefit (IIDB), the Department for Work and Pensions (or their successor) is the Data Controller in relation to Personal Data, which the Provider is required to provide to the Secretary of State for Education. This Clause 20 will be enforceable by the Secretary of State for Work and Pensions in relation to any Personal Data processed by the Provider on its behalf.
20.18 The Data Processor will comply with any further written instructions or additional conditions from the Department’s Data Controller in relation to the data processing.
20.19 In the circumstances set out in Clause 37.1.7, the Department may elect to take the role of Data Controller.
Samples: Conditions of Funding (Grant)
DATA PROTECTION AND PROTECTION OF PERSONAL DATA. 20.1 22.1 The Parties acknowledge that for the purposes of the Data Protection Legislation, the Department on behalf of the Secretary of State for Education is the Data Controller and the Provider Contractor is the Data Processor only for the processing set out in Schedule 6 (i.e. submission of Learner data to the Department). Any other processing of Personal Data undertaken by the Provider Contractor (i.e. Learner enrolment or delivering education & training, e.g. e-portfolios) will be as a Data Controller and not on behalf of the Department. Clauses 20.2 22.2 to 20.14 22.14 below apply only in relation to the processing of Personal Data on behalf of the Department as set out in Schedule 6, and the only processing that the Data Processor is authorised to do on behalf of the Department is listed in Schedule 6 by the Department and may not be determined by the Data Processor.
20.2 22.2 The Data Processor must notify the Data Controller immediately if it considers that any of the Data Controller's instructions infringe the Data Protection Legislation.
20.3 22.3 The Data Processor must provide all reasonable assistance to the Data Controller in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Data Controller, include:
(a) a systematic description of the envisaged processing operations and the purpose of the processing;
(b) an assessment of the necessity and proportionality of the processing operations in relation to the Services;
(c) an assessment of the risks to the rights and freedoms of Data Subjects; and
(d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data.
20.4 22.4 If requested by the Department’s Agreement Contract Manager, the Data Processor must, in relation to any Personal Data processed in connection with its obligations under this Agreement Contract:
20.4.1 22.4.1 process that Personal Data only in accordance with Schedule 6, unless the Data Processor is required to do otherwise by Law. If it is so required the Data Processor will promptly notify the Data Controller before processing the Personal Data unless prohibited by Law;
20.4.2 22.4.2 ensure that it has in place Protective Measures, which are appropriate to protect against a Data Loss Event, which the Data Controller may reasonably reject (but failure to reject will shall not amount to approval by the Data Controller of the adequacy of the Protective Measures), having taken account of the:
(a) nature of the data to be protected;
(b) harm that might result from a Data Loss Event;
(c) state of technological development; and
(d) cost of implementing any measures;
20.4.3 22.4.3 ensure that:
(a) the Data Processor Personnel do not process Personal Data except in accordance with this Agreement Contract (and in particular Schedule 6);
(b) it takes all reasonable steps to ensure the reliability and integrity of any Data Processor Personnel who have access to the Personal Data and ensure that they:
(i) are aware of and comply with the Data Processor’s duties under this clause;
(ii) are subject to appropriate confidentiality undertakings with the Data Processor or any Data Sub-Processor;
(iii) are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third Party unless directed in writing to do so by the Data Controller or as otherwise permitted by this Agreement Contract; and
(iv) have undergone adequate training in the use, care, protection and handling of Personal Data; and
20.4.4 22.4.4 not make a Restricted Transfer unless the prior written consent of the Data Controller has been obtained and the following conditions are fulfilled:
(a) the Data Controller or the Data Processor has provided appropriate safeguards in relation to the transfer (whether in accordance with Data Protection Legislation) as determined by the Data Controller;
(b) the Data Subject has enforceable rights and effective legal remedies;
(c) the Data Processor complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Data Controller in meeting its obligations); and
(d) the Data Processor complies with any reasonable instructions notified to it in advance by the Data Controller with respect to the processing of the Personal Data;
20.4.5 22.4.5 at the written direction of the Data Controller, delete or return Personal Data (and any copies of it) to the Data Controller on termination of the Agreement Contract unless the Data Processor is required by Law to retain the Personal Data.
20.5 22.5 Subject to Clause 20.6 22.6, the Data Processor must notify the Data Controller immediately if it:
20.5.1 22.5.1 receives a Data Subject Request (or purported Data Subject Request) in relation to processing their data under this Agreement Contract only (submission of learner data);
20.5.2 22.5.2 receives a request to rectify, block or erase any Personal Data processed through the submission of learner data. Notification in such cases should be given via the Agreement Contract Manager;
20.5.3 22.5.3 receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation;
20.5.4 22.5.4 receives any communication from the Information Commissioner or any other Regulatory Body in connection with Personal Data processed under this Agreement Contract;
20.5.5 22.5.5 receives a request from any third Party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or
20.5.6 22.5.6 becomes aware of a Data Loss Event.
20.6 22.6 The Data Processor’s obligation to notify under Clause 20.5 22.5 will include the provision of further information to the Data Controller in phases, as details become available.
20.7 22.7 Taking into account the nature of the processing, the Data Processor will provide the Data Controller with full assistance in relation to either Party's obligations under Data Protection Legislation and any complaint, communication or request made under Clause 20.5 22.5 (and insofar as possible within the timescales reasonably required by the Data Controller) including by promptly providing:
20.7.1 22.7.1 the Data Controller with full details and copies of the complaint, communication or request;
20.7.2 22.7.2 such assistance as is reasonably requested by the Data Controller to enable the Data Controller to comply with a Data Subject Request within the relevant timescales set out in the Data Protection Legislation;
20.7.3 22.7.3 the Data Controller, at its request, with any Personal Data it holds in relation to a Data Subject;
20.7.4 22.7.4 assistance as requested by the Data Controller following any Data Loss Event;
20.7.5 22.7.5 assistance as requested by the Data Controller with respect to any request from the Information Commissioner’s Office, or any consultation by the Data Controller with the Information Commissioner's Office.
20.8 22.8 The Data Processor must maintain complete and accurate records and information to demonstrate its compliance with this clause. This requirement does not apply where the Data Processor employs fewer than 250 staff, unless:
20.8.1 22.8.1 the Data Controller determines that the processing is not occasional;
20.8.2 22.8.2 the Data Controller determines the processing includes special categories of data as referred to in the Data Protection Legislation or Personal Data relating to criminal convictions and offences referred to in the Data Protection Legislation; or
20.8.3 22.8.3 the Data Controller determines that the processing is likely to result in a risk to the rights and freedoms of Data Subjects.
20.9 22.9 The Data Processor will allow for audits of its Data Processing activity by the Data Controller or the Data Controller’s designated auditor.
20.10 22.10 Each Party will designate its own data protection officer if required by the Data Protection Legislation.
20.11 22.11 Before allowing any Data Sub-Processor to process any Personal Data related to this Agreement Contract (submission of learner data), the Data Processor must:
20.11.1 22.11.1 notify the Data Controller’s Agreement Contract Manager in writing of the intended Data Sub-Processor and processing;
20.11.2 22.11.2 obtain the written consent of the Data Controller’s Agreement Contract Manager;
20.11.3 22.11.3 enter into a written agreement with the Data Sub-Processor which give effect to the terms set out in this Clause 20 22 such that they apply to the Data Sub-Processor; and
20.11.4 22.11.4 provide the Data Controller with such information regarding the Data Sub-Processor as the Data Controller may reasonably require.
20.12 22.12 The Data Processor will remain fully liable for all acts or omissions of any of its Data Sub-Processors.
20.13 22.13 The Data Controller may, at any time on not less than 30 Working Days’ notice, revise this clause by replacing it with any applicable Data Controller controller to Data Processor processor standard clauses or similar terms forming part of an applicable certification scheme (which will shall apply when incorporated by attachment to this Agreement Contract).
20.14 22.14 The Parties agree to take account of any guidance issued by the Information Commissioner’s Office. The Data Controller may on not less than 30 Working Days’ notice to the Data Processor amend this Agreement Contract to ensure that it complies with any guidance issued by the Information Commissioner’s Office.
22.15 Where the Contractor is providing the Services to Learners claiming out of work benefits, the Secretary of State for Work and Pensions (or their successor) is the Data Controller in relation to Personal Data which the Contractor is required to provide to the Secretary of State for Work and Pensions. This Clause 22 will be enforceable by the Secretary of State for Work and Pensions in relation to any Personal Data processed by the Contractor on its behalf.
22.16 Where the Contractor is providing the Service to Learners who are subject to active management by the Offender Manager in respect of an order or licence, the Secretary of State for Justice (or their successor) is the Data Controller in relation to Personal Data, which the Contractor is required to provide to the Secretary of State for Education.
22.17 Where the Contractor is providing the Services to Learners who are subject to claiming Industrial Injuries Disablement Benefit (IIDB), the Department for Work and Pensions (or their successor) is the Data Controller in relation to Personal Data, which the Contractor is required to provide to the Secretary of State for Education. This Clause 22 will be enforceable by the Secretary of State for Work and Pensions in relation to any Personal Data processed by the Contractor on its behalf.
22.18 The Data Processor will comply with any further written instructions or additional conditions from the Department’s Data Controller in relation to the data processing.
22.19 In the circumstances set out in Clause 41.1.7, the Department may elect to take the role of Data Controller.
Appears in 1 contract
Samples: Contract for Services
DATA PROTECTION AND PROTECTION OF PERSONAL DATA. 23.1 The Parties acknowledge that for the purposes of the Data Protection Legislation, the Department on behalf of the Secretary of State for Education is the Data Controller and the Contractor is the Data Processor only for the processing set out in Schedule 5 (UK GDPR and Data Protection) (i.e. submission of Learner data to the Department). Any other processing of Personal Data undertaken by the Contractor (i.e. Learner enrolment or delivering education & training, e.g. e-portfolios) will be as a Data Controller and not on behalf of the Department. Clauses 23.2 to 23.14 below apply only in relation to the processing of Personal Data on behalf of the Department as set out in Schedule 5 (UK GDPR and Data Protection), and the only processing that the Data Processor is authorised to do on behalf of the Department is listed in Schedule 5 (UK GDPR and Data Protection) by the Department and may not be determined by the Data Processor.
23.2 The Data Processor must notify the Data Controller immediately if it considers that any of the Data Controller's instructions infringe the Data Protection Legislation.
23.3 The Data Processor must provide all reasonable assistance to the Data Controller in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Data Controller, include:
23.3.1 a systematic description of the envisaged processing operations and the purpose of the processing;
23.3.2 an assessment of the necessity and proportionality of the processing operations in relation to the Services;
23.3.3 an assessment of the risks to the rights and freedoms of Data Subjects; and
23.3.4 the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data.
23.4 If requested by the Department’s Contract Manager, the Data Processor must, in relation to any Personal Data processed in connection with its obligations under this Contract:
23.4.1 process that Personal Data only in accordance with Schedule 5 (UK GDPR and Data Protection), unless the Data Processor is required to do otherwise by Law. If it is so required, the Data Processor will promptly notify the Data Controller before processing the Personal Data unless prohibited by Law;
23.4.2 ensure that it has in place Protective Measures, which are appropriate to protect against a Data Loss Event, which the Data Controller may reasonably reject (but failure to reject shall not amount to approval by the Data Controller of the adequacy of the Protective Measures), having taken account of the:
(a) nature of the data to be protected;
(b) harm that might result from a Data Loss Event;
(c) state of technological development; and
(d) cost of implementing any measures;
23.4.3 ensure that:
(a) the Data Processor Personnel do not process Personal Data except in accordance with this Contract (and in particular Schedule 5 (UK GDPR and Data Protection));
(b) it takes all reasonable steps to ensure the reliability and integrity of any Data Processor Personnel who have access to the Personal Data and ensure that they:
(i) are aware of and comply with the Data Processor’s duties under this Clause 23 (Data Protection and Protection of Personal Data);
(ii) are subject to appropriate confidentiality undertakings with the Data Processor or any Data Sub-Processor; are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Data Controller or as otherwise permitted by this Contract; and
(iii) have undergone adequate training in the use, care, protection and handling of Personal Data; and
23.4.4 not make a Restricted Transfer unless the prior written consent of the Data Controller has been obtained and the following conditions are fulfilled:
(a) the destination country has been recognised as adequate by the UK government in accordance with Article 45 UK GDPR or section 74 of the DPA 2018;
(b) the Data Controller or the Data Processor has provided appropriate safeguards in relation to the transfer (whether in accordance with UK GDPR Article 46 or section 75 of the DPA 2018) Data Protection Legislation) Legislation as determined by the Data Controller;
(c) the Data Subject has enforceable rights and effective legal remedies;
(d) the Data Processor complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Data Controller in meeting its obligations); and
(e) the Data Processor complies with any reasonable instructions notified to it in advance by the Data Controller with respect to the processing of the Personal Data;
23.4.5 at the written direction of the Data Controller, delete or return Personal Data (and any copies of it) to the Data Controller on termination of the Contract unless the Data Processor is required by Law to retain the Personal Data.
23.5 Subject to Clause 23.6, the Data Processor must notify the Data Controller immediately if it:
23.5.1 receives a Data Subject Request (or purported Data Subject Request) in relation to processing their data under this Contract only (submission of learner data);
23.5.2 receives a request to rectify, block or erase any Personal Data processed through the submission of learner data. Notification in such cases should be given via the Contract Manager;
23.5.3 receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation;
23.5.4 receives any communication from the Information Commissioner or any other Regulatory Body in connection with Personal Data processed under this Contract;
23.5.5 receives a request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or
23.5.6 becomes aware of a Data Loss Event.
23.6 The Data Processor’s obligation to notify under Clause 23.5 will include the provision of further information to the Data Controller in phases, as details become available.
23.7 Taking into account the nature of the processing, the Data Processor will provide the Data Controller with full assistance in relation to either Party's obligations under Data Protection Legislation and any complaint, communication or request made under Clause 23.5 (and insofar as possible within the timescales reasonably required by the Data Controller) including by promptly providing:
23.7.1 the Data Controller with full details and copies of the complaint, communication or request;
23.7.2 such assistance as is reasonably requested by the Data Controller to enable the Data Controller to comply with a Data Subject Request within the relevant timescales set out in the Data Protection Legislation;
23.7.3 the Data Controller, at its request, with any Personal Data it holds in relation to a Data Subject;
23.7.4 assistance as requested by the Data Controller following any Data Loss Event;
23.7.5 assistance as requested by the Data Controller with respect to any request from the Information Commissioner’s Office, or any consultation by the Data Controller with the Information Commissioner's Office.
23.8 The Data Processor must maintain complete and accurate records and information to demonstrate its compliance with this Clause 23 (Data Protection and Protection of Personal Data). This requirement does not apply where the Data Processor employs fewer than two hundred and fifty (250) staff, unless:
23.8.1 the Data Controller determines that the processing is not occasional;
23.8.2 the Data Controller determines the processing includes special categories of data as referred to in Article 9(1) of the UK GDPR or Personal Data relating to criminal convictions and offences referred to in Article 10 of the UK GDPR; or
23.8.3 the Data Controller determines that the processing is likely to result in a risk to the rights and freedoms of Data Subjects.
23.9 The Data Processor will allow for audits of its Data Processing activity by the Data Controller or the Data Controller’s designated auditor.
23.10 Each Party will designate its own data protection officer if required by the Data Protection Legislation.
23.11 Before allowing any Data Sub-Processor to process any Personal Data related to this Contract (submission of Learner data), the Data Processor must:
23.11.1 notify the Data Controller’s Contract Manager in writing of the intended Data Sub-Processor and processing;
23.11.2 obtain the written consent of the Data Controller’s Contract Manager;
23.11.3 enter into a written agreement with the Data Sub-Processor which give effect to the terms set out in this Clause 23 (Data Protection and Protection of Personal Data) such that they apply to the Data Sub-Processor; and
23.11.4 provide the Data Controller with such information regarding the Data Sub-Processor as the Data Controller may reasonably require.
23.12 The Data Processor will remain fully liable for all acts or omissions of any of its Data Sub-Processors.
23.13 The Data Controller may, at any time on not less than thirty (30) Working Days’ notice, revise this Clause 23 (Data Protection and Protection of Personal Data) by replacing it with any applicable Data Controller to Data Processor standard clauses or similar terms forming part of an applicable certification scheme (which shall apply when incorporated by attachment to this Contract).
23.14 The Parties agree to take account of any guidance issued by the Information Commissioner’s Office. The Data Controller may on not less than thirty (30) Working Days’ notice to the Data Processor amend this Contract to ensure that it complies with any guidance issued by the Information Commissioner’s Office.
23.15 Where the Contractor is providing the Services to Learners claiming out of work benefits, the Secretary of State for Work and Pensions (or their successor) is the Data Controller in relation to Personal Data which the Contractor is required to provide to the Secretary of State for Work and Pensions. This Clause 23 (Data Protection and Protection of Personal Data) will be enforceable by the Secretary of State for Work and Pensions in relation to any Personal Data processed by the Contractor on its behalf.
23.16 Where the Contractor is providing the Service to Learners who are subject to active management by the Offender Manager in respect of an order or licence, the Secretary of State for Justice (or their successor) is the Data Controller in relation to Personal Data, which the Contractor is required to provide to the Secretary of State for Education.
23.17 Where the Contractor is providing the Services to Learners who are subject to claiming Industrial Injuries Disablement Benefit (IIDB), the Department for Work and Pensions (or their successor) is the Data Controller in relation to Personal Data, which the Contractor is required to provide to the Secretary of State for Education. This Clause 23 (Data Protection and Protection of Personal Data) will be enforceable by the Secretary of State for Work and Pensions in relation to any Personal Data processed by the Contractor on its behalf.
23.18 The Data Processor will comply with any further written instructions or additional conditions from the Department’s Data Controller in relation to the data processing.
23.19 In the circumstances set out in Clause 43.1.6, the Department may elect to take the role of Data Controller.
Appears in 1 contract
Samples: Contract for Services
DATA PROTECTION AND PROTECTION OF PERSONAL DATA. 17.1 The Parties acknowledge that for the purposes of the Data Protection Legislation, the ESFA on behalf of the Secretary of State for Education is the Data Controller and the Contractor is the Data Processor only for the processing set out in Schedule 2 (i.e. submission of Apprentice data to the ESFA). Any other processing of Personal Data (i.e. Apprentice enrolment or delivering education & training, e.g. e-portfolios) undertaken by the Contractor will be as a Data Controller and not on behalf of the ESFA. Clauses 17.2 to 17.14 below apply only in relation to the processing of Personal Data on behalf of the ESFA as set out in Schedule 2, and the only processing that the Data Processor is authorised to do on behalf of the ESFA is listed in Schedule 2 by the ESFA and may not be determined by the Data Processor.
17.2 The Data Processor shall notify the Data Controller immediately if it considers that any of the Data Controller's instructions infringe the Data Protection Legislation.
17.3 The Data Processor shall provide all reasonable assistance to the Data Controller in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Data Controller, include:
(a) a systematic description of the envisaged processing operations and the purpose of the processing;
(b) an assessment of the necessity and proportionality of the processing operations in relation to the Services;
(c) an assessment of the risks to the rights and freedoms of Data Subjects; and
(d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data.
17.4 If requested by the ESFA’s nominated contact, the Data Processor shall, in relation to any Personal Data processed in connection with its obligations under this Contract:
(a) process that Personal Data only in accordance with Schedule 2, unless the Data Processor is required to do otherwise by Law. If it is so required the Data Processor shall promptly notify the Data Controller before processing the Personal Data unless prohibited by Law;
(b) ensure that it has in place Protective Measures, which are appropriate to protect against a Data Loss Event, which the Data Controller may reasonably reject (but failure to reject shall not amount to approval by the Data Controller of the adequacy of the Protective Measures), having taken account of the:
(i) nature of the data to be protected;
(ii) harm that might result from a Data Loss Event;
(iii) state of technological development; and
(iv) cost of implementing any measures;
(c) ensure that:
(i) the Data Processor Personnel do not process Personal Data except in accordance with this Contract (and in particular Schedule 2);
(ii) it takes all reasonable steps to ensure the reliability and integrity of any Data Processor Personnel who have access to the Personal Data and ensure that they:
(A) are aware of and comply with the Data Processor’s duties under this clause;
(B) are subject to appropriate confidentiality undertakings with the Data Processor or any Data Sub-Processor;
(C) are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third Party unless directed in writing to do so by the Data Controller or as otherwise permitted by this Contract; and
(D) have undergone adequate training in the use, care, protection and handling of Personal Data; and
(d) not transfer Personal Data outside of the EU unless the prior written consent of the Data Controller has been obtained and the following conditions are fulfilled:
(i) the Data Controller or the Data Processor has provided appropriate safeguards in relation to the transfer (whether in accordance with UK GDPR Article 46 or LED Article 37) as determined by the Data Controller;
(ii) the Data Subject has enforceable rights and effective legal remedies;
(iii) the Data Processor complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Data Controller in meeting its obligations); and
(iv) the Data Processor complies with any reasonable instructions notified to it in advance by the Data Controller with respect to the processing of the Personal Data;
(e) at the written direction of the Data Controller, delete or return Personal Data (and any copies of it) to the Data Controller on termination of the Contract unless the Data Processor is required by Law to retain the Personal Data.
17.5 Subject to Clause 17.6, the Data Processor shall notify the Data Controller immediately if it:
(a) receives a Data Subject Request (or purported Data Subject Request) in relation to the processing of their data under this Contract only (submission of ILR data);
(b) receives a request to rectify, block or erase any Personal Data processed through the submission of ILR data. Notification in such cases should be given via the nominated contact;
(c) receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation;
(d) receives any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data processed under this Contract;
(e) receives a request from any third Party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or
(f) becomes aware of a Data Loss Event.
17.6 The Data Processor’s obligation to notify under Clause 17.5 shall include the provision of further information to the Data Controller in phases, as details become available.
17.7 Taking into account the nature of the processing, the Data Processor shall provide the Data Controller with full assistance in relation to either Party's obligations under Data Protection Legislation and any complaint, communication or request made under Clause 17.5, and insofar as possible within the timescales reasonably required by the Data Controller) including by promptly providing:
(a) the Data Controller with full details and copies of the complaint, communication or request;
(b) such assistance as is reasonably requested by the Data Controller to enable the Data Controller to comply with a Data Subject Request within the relevant timescales set out in the Data Protection Legislation;
(c) the Data Controller, at its request, with any Personal Data it holds in relation to a Data Subject;
(d) assistance as requested by the Data Controller following any Data Loss Event;
(e) assistance as requested by the Data Controller with respect to any request from the Information Commissioner’s Office, or any consultation by the Data Controller with the Information Commissioner's Office.
17.8 The Data Processor shall maintain complete and accurate records and information to demonstrate its compliance with this clause. This requirement does not apply where the Data Processor employs fewer than 250 staff, unless:
(a) the Data Controller determines that the processing is not occasional;
(b) the Data Controller determines the processing includes special categories of data as referred to in Article 9(1) of the UK GDPR or Personal Data relating to criminal convictions and offences referred to in Article 10 of the UK GDPR; or
(c) the Data Controller determines that the processing is likely to result in a risk to the rights and freedoms of Data Subjects.
17.9 The Data Processor shall allow for audits of its Data Processing activity by the Data Controller or the Data Controller’s designated auditor.
17.10 Each Party shall designate its own data protection officer if required by the Data Protection Legislation.
17.11 Before allowing any Data Sub-Processor to process any Personal Data related to this Contract (submission of ILR data), the Data Processor must:
(a) notify the Data Controller’s nominated contact in writing of the intended Data Sub-Processor and processing;
(b) obtain the written consent of the Data Controller’s nominated contact;
(c) enter into a written agreement with the Data Sub-Processor which give effect to the terms set out in this Clause 17 such that they apply to the Data Sub-Processor; and
(d) provide the Data Controller with such information regarding the Data Sub-Processor as the Data Controller may reasonably require.
17.12 The Data Processor shall remain fully liable for all acts or omissions of any of its Data Sub-Processors.
17.13 The Data Controller may, at any time on not less than 30 Working Days’ notice, revise this clause by replacing it with any applicable Data Controller to Data Processor standard clauses or similar terms forming part of an applicable certification scheme (which shall apply when incorporated by attachment to this Contract).
17.14 The Parties agree to take account of any guidance issued by the Information Commissioner’s Office. The Data Controller may on not less than 30 Working Days’ notice to the Data Processor amend this Contract to ensure that it complies with any guidance issued by the Information Commissioner’s Office.
17.15 Where the Contractor is providing the Services to Apprentices who are subject to claiming Industrial Injuries Disablement Benefit (IIDB), the Department for Work and Pensions (or their successor) is the Data Controller in relation to Personal Data, which the Contractor is required to provide to the Secretary of State for Education. This Clause 17 will be enforceable by the Secretary of State for Work and Pensions in relation to any Personal Data processed by the Contractor on its behalf.
17.16 The Data Processor will comply with any further written instructions or additional conditions from the ESFA’s Data Controller in relation to the data processing.
17.17 In the circumstances set out in Clause 25.13, the ESFA may elect to take the role of Data Controller.
Appears in 1 contract
Samples: Hei Adult Contract for Services