Common use of DATA PROTECTION AND PROTECTION OF PERSONAL DATA Clause in Contracts

DATA PROTECTION AND PROTECTION OF PERSONAL DATA. 20.1 This Clause 20 applies to the Services except to the extent that it relates to the payment of the Sixth Form Grant to a sixth form by the Provider. 20.2 The Parties acknowledge that for the purposes of the Data Protection Legislation, the Department on behalf of the Secretary of State for Education is the Data Controller and the Provider is the Data Processor only for the processing set out in Schedule 6 (i.e. submission of Learner data to the Department). Any other processing of Personal Data undertaken by the Provider (i.e. Learner enrolment or delivering education & training, e.g. e-portfolios) will be as a Data Controller and not on behalf of the Department. Clauses 20.3 to 20.15 below apply only in relation to the processing of Personal Data on behalf of the Department as set out in Schedule 6, and the only processing that the Data Processor is authorised to do on behalf of the Department is listed in Schedule 6 by the Department and may not be determined by the Data Processor. 20.3 The Data Processor must notify the Data Controller immediately if it considers that any of the Data Controller's instructions infringe the Data Protection Legislation. 20.4 The Data Processor must provide all reasonable assistance to the Data Controller in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Data Controller, include: (a) a systematic description of the envisaged processing operations and the purpose of the processing; (b) an assessment of the necessity and proportionality of the processing operations in relation to the Services; (c) an assessment of the risks to the rights and freedoms of Data Subjects; and (d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data.

Appears in 2 contracts

Samples: Conditions of Funding (Grant), Conditions of Funding (Grant)

DATA PROTECTION AND PROTECTION OF PERSONAL DATA. 20.1 This Clause 20 applies to the Services except to the extent that it relates to the payment of the Sixth Form Grant to a sixth form by the Provider. 20.2 The Parties acknowledge that for the purposes of the Data Protection Legislation, the Department on behalf of the Secretary of State for Education is the Data Controller and the Provider is the Data Processor only for the processing set out in Schedule 6 (i.e. submission of Learner data to the Department). Any other processing of Personal Data undertaken by the Provider (i.e. Learner enrolment or delivering education & training, e.g. e-portfolios) will be as a Data Controller and not on behalf of the Department. Clauses 20.3 to 20.15 below apply only in relation to the processing of Personal Data on behalf of the Department as set out in Schedule 6, and the only processing that the Data Processor is authorised to do on behalf of the Department is listed in Schedule 6 by the Department and may not be determined by the Data Processor. 20.3 The Data Processor must notify the Data Controller immediately if it considers that any of the Data Controller's instructions infringe the Data Protection Legislation. 20.4 The Data Processor must provide all reasonable assistance to the Data Controller in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Data Controller, include: (a) a systematic description of the envisaged processing operations and the purpose of the processing; (b) an assessment of the necessity and proportionality of the processing operations in relation to the Services; (c) an assessment of the risks to the rights and freedoms of Data Subjects; and (d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. 
20.5 If requested by the Department’s Agreement Manager, the Data Processor must, in relation to any Personal Data processed in connection with its obligations under this Agreement: 20.5.1 process that Personal Data only in accordance with Schedule 6, unless the Data Processor is required to do otherwise by Law. If it is so required the Data Processor will promptly notify the Data Controller before processing the Personal Data unless prohibited by Law; 20.5.2 ensure that it has in place Protective Measures, which are appropriate to protect against a Data Loss Event, which the Data Controller may reasonably reject (but failure to reject will not amount to approval by the Data Controller of the adequacy of the Protective Measures), having taken account of the: (a) nature of the data to be protected; (b) harm that might result from a Data Loss Event; (c) state of technological development; and (d) cost of implementing any measures; 20.5.3 ensure that: (a) the Data Processor Personnel do not process Personal Data except in accordance with this Agreement (and in particular Schedule 6); (b) it takes all reasonable steps to ensure the reliability and integrity of any Data Processor Personnel who have access to the Personal Data and ensure that they: (i) are aware of and comply with the Data Processor’s duties under this clause; (ii) are subject to appropriate confidentiality undertakings with the Data Processor or any Data Sub-Processor; (iii) are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third Party unless directed in writing to do so by the Data Controller or as otherwise permitted by this Agreement; and (iv) have undergone adequate training in the use, care, protection and handling of Personal Data; and 20.5.4 not make a Restricted Transfer unless the prior written consent of the Data Controller has been obtained and the following conditions are fulfilled: (a) the destination country 
has been recognised as adequate by the UK government in accordance with Article 45 UK GDPR or section 74 of the DPA 2018; (b) the Data Controller or the Data Processor has provided appropriate safeguards in relation to the transfer (whether in accordance with UK GDPR Article 46 or section 75 of the DPA 2018) as determined by the Data Controller; (c) the Data Subject has enforceable rights and effective legal remedies; (d) the Data Processor complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Data Controller in meeting its obligations); and (e) the Data Processor complies with any reasonable instructions notified to it in advance by the Data Controller with respect to the processing of the Personal Data; 20.5.5 at the written direction of the Data Controller, delete or return Personal Data (and any copies of it) to the Data Controller on termination of the Agreement unless the Data Processor is required by Law to retain the Personal Data. 20.6 Subject to Clause 20.7, the Data Processor must notify the Data Controller immediately if it: 20.6.1 receives a Data Subject Access Request (or purported Data Subject Access Request) in relation to processing their data under this Agreement only (submission of learner data); 20.6.2 receives a request to rectify, block or erase any Personal Data processed through the submission of learner data. 
Notification in such cases should be given via the Agreement Manager; 20.6.3 receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation; 20.6.4 receives any communication from the Information Commissioner or any other Regulatory Body in connection with Personal Data processed under this Agreement; 20.6.5 receives a request from any third Party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or 20.6.6 becomes aware of a Data Loss Event. 20.7 The Data Processor’s obligation to notify under Clause 20.6 will include the provision of further information to the Data Controller in phases, as details become available. 20.8 Taking into account the nature of the processing, the Data Processor will provide the Data Controller with full assistance in relation to either Party's obligations under Data Protection Legislation and any complaint, communication or request made under Clause 20.6 (and insofar as possible within the timescales reasonably required by the Data Controller) including by promptly providing: 20.8.1 the Data Controller with full details and copies of the complaint, communication or request; 20.8.2 such assistance as is reasonably requested by the Data Controller to enable the Data Controller to comply with a Data Subject Access Request within the relevant timescales set out in the Data Protection Legislation; 20.8.3 the Data Controller, at its request, with any Personal Data it holds in relation to a Data Subject; 20.8.4 assistance as requested by the Data Controller following any Data Loss Event; 20.8.5 assistance as requested by the Data Controller with respect to any request from the Information Commissioner’s Office, or any consultation by the Data Controller with the Information Commissioner's Office. 
20.9 The Data Processor must maintain complete and accurate records and information to demonstrate its compliance with this clause. This requirement does not apply where the Data Processor employs fewer than 250 staff, unless: 20.9.1 the Data Controller determines that the processing is not occasional; 20.9.2 the Data Controller determines the processing includes special categories of data as referred to in Article 9(1) of the UK GDPR or Personal Data relating to criminal convictions and offences referred to in Article 10 of the UK GDPR; or 20.9.3 the Data Controller determines that the processing is likely to result in a risk to the rights and freedoms of Data Subjects. 20.10 The Data Processor will allow for audits of its Data Processing activity by the Data Controller or the Data Controller’s designated auditor. 20.11 Each Party will designate its own data protection officer if required by the Data Protection Legislation. 20.12 Before allowing any Data Sub-Processor to process any Personal Data related to this Agreement (submission of learner data), the Data Processor must: 20.12.1 notify the Data Controller’s Agreement Manager in writing of the intended Data Sub-Processor and processing; 20.12.2 obtain the written consent of the Data Controller’s Agreement Manager; 20.12.3 enter into a written agreement with the Data Sub-Processor which give effect to the terms set out in this Clause 20 such that they apply to the Data Sub-Processor; and 20.12.4 provide the Data Controller with such information regarding the Data Sub-Processor as the Data Controller may reasonably require. 20.13 The Data Processor will remain fully liable for all acts or omissions of any of its Data Sub-Processors. 
20.14 The Data Controller may, at any time on not less than 30 Working Days’ notice, revise this clause by replacing it with any applicable controller to processor standard clauses or similar terms forming part of an applicable certification scheme (which will apply when incorporated by attachment to this Agreement). 20.15 The Parties agree to take account of any guidance issued by the Information Commissioner’s Office. The Data Controller may on not less than 30 Working Days’ notice to the Data Processor amend this Agreement to ensure that it complies with any guidance issued by the Information Commissioner’s Office. 20.16 Where the Provider is providing the Services to Learners claiming out of work benefits, the Secretary of State for Work and Pensions (or their successor) is the Data Controller in relation to Personal Data which the Provider is required to provide to the Secretary of State for Work and Pensions. This Clause 20 will be enforceable by the Secretary of State for Work and Pensions in relation to any Personal Data processed by the Provider on its behalf. 20.17 Where the Provider is providing the Service to Learners who are subject to active management by the Offender Manager in respect of an order or licence, the Secretary of State for Justice (or their successor) is the Data Controller in relation to Personal Data, which the Provider is required to provide to the Secretary of State for Education. 20.18 Where the Provider is providing the Services to Learners who are subject to claiming Industrial Injuries Disablement Benefit (IIDB), the Department for Work and Pensions (or their successor) is the Data Controller in relation to Personal Data, which the Provider is required to provide to the Secretary of State for Education. This Clause 20 will be enforceable by the Secretary of State for Work and Pensions in relation to any Personal Data processed by the Provider on its behalf. 
20.19 The Data Processor will comply with any further written instructions or additional conditions from the Department’s Data Controller in relation to the data processing. 20.20 In the circumstances set out in Clause 36.8.1, the Department may elect to take the role of Data Controller.

Appears in 2 contracts

Samples: Conditions of Funding (Grant), Conditions of Funding (Grant)

DATA PROTECTION AND PROTECTION OF PERSONAL DATA. 20.1 This Clause 20 applies to the Services except to the extent that it relates to the payment of the Sixth Form Grant to a sixth form by the Provider. 20.2 The Parties acknowledge that for the purposes of the Data Protection Legislation, the Department on behalf of the Secretary of State for Education is the Data Controller and the Provider is the Data Processor only for the processing set out in Schedule 6 (i.e. submission of Learner data to the Department). Any other processing of Personal Data undertaken by the Provider (i.e. Learner enrolment or delivering education & training, e.g. e-portfolios) will be as a Data Controller and not on behalf of the Department. Clauses 20.3 to 20.15 below apply only in relation to the processing of Personal Data on behalf of the Department as set out in Schedule 6, and the only processing that the Data Processor is authorised to do on behalf of the Department is listed in Schedule 6 by the Department and may not be determined by the Data Processor. 20.3 The Data Processor must notify the Data Controller immediately if it considers that any of the Data Controller's instructions infringe the Data Protection Legislation. 20.4 The Data Processor must provide all reasonable assistance to the Data Controller in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Data Controller, include: (a) a systematic description of the envisaged processing operations and the purpose of the processing; (b) an assessment of the necessity and proportionality of the processing operations in relation to the Services; (c) an assessment of the risks to the rights and freedoms of Data Subjects; and (d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. 
20.5 If requested by the Department’s Agreement Manager, the Data Processor must, in relation to any Personal Data processed in connection with its obligations under this Agreement: 20.5.1 process that Personal Data only in accordance with Schedule 6, unless the Data Processor is required to do otherwise by Law. If it is so required the Data Processor will promptly notify the Data Controller before processing the Personal Data unless prohibited by Law; 20.5.2 ensure that it has in place Protective Measures, which are appropriate to protect against a Data Loss Event, which the Data Controller may reasonably reject (but failure to reject will not amount to approval by the Data Controller of the adequacy of the Protective Measures), having taken account of the: (a) nature of the data to be protected; (b) harm that might result from a Data Loss Event; (c) state of technological development; and (d) cost of implementing any measures; 20.5.3 ensure that: (a) the Data Processor Personnel do not process Personal Data except in accordance with this Agreement (and in particular Schedule 6); (b) it takes all reasonable steps to ensure the reliability and integrity of any Data Processor Personnel who have access to the Personal Data and ensure that they: (i) are aware of and comply with the Data Processor’s duties under this clause; (ii) are subject to appropriate confidentiality undertakings with the Data Processor or any Data Sub-Processor; (iii) are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third Party unless directed in writing to do so by the Data Controller or as otherwise permitted by this Agreement; and (iv) have undergone adequate training in the use, care, protection and handling of Personal Data; and 20.5.4 not make a Restricted Transfer unless the prior written consent of the Data Controller has been obtained and the following conditions are fulfilled: (a) the Data Controller or 
the Data Processor has provided appropriate safeguards in relation to the transfer (whether in accordance with Data Protection Legislation) as determined by the Data Controller; (b) the Data Subject has enforceable rights and effective legal remedies; (c) the Data Processor complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Data Controller in meeting its obligations); and (d) the Data Processor complies with any reasonable instructions notified to it in advance by the Data Controller with respect to the processing of the Personal Data; 20.5.5 at the written direction of the Data Controller, delete or return Personal Data (and any copies of it) to the Data Controller on termination of the Agreement unless the Data Processor is required by Law to retain the Personal Data. 20.6 Subject to Clause 20.7, the Data Processor must notify the Data Controller immediately if it: 20.6.1 receives a Data Subject Access Request (or purported Data Subject Access Request) in relation to processing their data under this Agreement only (submission of learner data); 20.6.2 receives a request to rectify, block or erase any Personal Data processed through the submission of learner data. Notification in such cases should be given via the Agreement Manager; 20.6.3 receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation; 20.6.4 receives any communication from the Information Commissioner or any other Regulatory Body in connection with Personal Data processed under this Agreement; 20.6.5 receives a request from any third Party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or 20.6.6 becomes aware of a Data Loss Event. 
20.7 The Data Processor’s obligation to notify under Clause 20.6 will include the provision of further information to the Data Controller in phases, as details become available. 20.8 Taking into account the nature of the processing, the Data Processor will provide the Data Controller with full assistance in relation to either Party's obligations under Data Protection Legislation and any complaint, communication or request made under Clause 20.6 (and insofar as possible within the timescales reasonably required by the Data Controller) including by promptly providing: 20.8.1 the Data Controller with full details and copies of the complaint, communication or request; 20.8.2 such assistance as is reasonably requested by the Data Controller to enable the Data Controller to comply with a Data Subject Access Request within the relevant timescales set out in the Data Protection Legislation; 20.8.3 the Data Controller, at its request, with any Personal Data it holds in relation to a Data Subject; 20.8.4 assistance as requested by the Data Controller following any Data Loss Event; 20.8.5 assistance as requested by the Data Controller with respect to any request from the Information Commissioner’s Office, or any consultation by the Data Controller with the Information Commissioner's Office. 20.9 The Data Processor must maintain complete and accurate records and information to demonstrate its compliance with this clause. This requirement does not apply where the Data Processor employs fewer than 250 staff, unless: 20.9.1 the Data Controller determines that the processing is not occasional; 20.9.2 the Data Controller determines the processing includes special categories of data as referred to in the Data Protection Legislation or Personal Data relating to criminal convictions and offences referred to in the Data Protection Legislation; or 20.9.3 the Data Controller determines that the processing is likely to result in a risk to the rights and freedoms of Data Subjects. 
20.10 The Data Processor will allow for audits of its Data Processing activity by the Data Controller or the Data Controller’s designated auditor. 20.11 Each Party will designate its own data protection officer if required by the Data Protection Legislation. 20.12 Before allowing any Data Sub-Processor to process any Personal Data related to this Agreement (submission of learner data), the Data Processor must: 20.12.1 notify the Data Controller’s Agreement Manager in writing of the intended Data Sub-Processor and processing; 20.12.2 obtain the written consent of the Data Controller’s Agreement Manager; 20.12.3 enter into a written agreement with the Data Sub-Processor which give effect to the terms set out in this Clause 20 such that they apply to the Data Sub-Processor; and 20.12.4 provide the Data Controller with such information regarding the Data Sub-Processor as the Data Controller may reasonably require. 20.13 The Data Processor will remain fully liable for all acts or omissions of any of its Data Sub-Processors. 20.14 The Data Controller may, at any time on not less than 30 Working Days’ notice, revise this clause by replacing it with any applicable controller to processor standard clauses or similar terms forming part of an applicable certification scheme (which will apply when incorporated by attachment to this Agreement). 20.15 The Parties agree to take account of any guidance issued by the Information Commissioner’s Office. The Data Controller may on not less than 30 Working Days’ notice to the Data Processor amend this Agreement to ensure that it complies with any guidance issued by the Information Commissioner’s Office. 20.16 Where the Provider is providing the Services to Learners claiming out of work benefits, the Secretary of State for Work and Pensions (or their successor) is the Data Controller in relation to Personal Data which the Provider is required to provide to the Secretary of State for Work and Pensions. 
This Clause 20 will be enforceable by the Secretary of State for Work and Pensions in relation to any Personal Data processed by the Provider on its behalf. 20.17 Where the Provider is providing the Service to Learners who are subject to active management by the Offender Manager in respect of an order or licence, the Secretary of State for Justice (or their successor) is the Data Controller in relation to Personal Data, which the Provider is required to provide to the Secretary of State for Education. 20.18 Where the Provider is providing the Services to Learners who are subject to claiming Industrial Injuries Disablement Benefit (IIDB), the Department for Work and Pensions (or their successor) is the Data Controller in relation to Personal Data, which the Provider is required to provide to the Secretary of State for Education. This Clause 20 will be enforceable by the Secretary of State for Work and Pensions in relation to any Personal Data processed by the Provider on its behalf. 20.19 The Data Processor will comply with any further written instructions or additional conditions from the Department’s Data Controller in relation to the data processing. 20.20 In the circumstances set out in Clause 36.1.7, the Department may elect to take the role of Data Controller.

Appears in 1 contract

Samples: Conditions of Funding (Grant)

DATA PROTECTION AND PROTECTION OF PERSONAL DATA. 20.1 This Clause 20 applies to the Services except to the extent that it relates to the payment of the Sixth Form Grant to a sixth form by the Provider. 22.1 The Parties acknowledge that for the purposes of the Data Protection Legislation, the Department on behalf of the Secretary of State for Education is the Data Controller and the Contractor is the Data Processor only for the processing set out in Schedule 5 (UK GDPR and Data Protection) (i.e. submission of Learner data to the Department). Any other processing of Personal Data undertaken by the Contractor (i.e. Learner enrolment or delivering education & training, e.g. e-portfolios) will be as a Data Controller and not on behalf of the Department. Clauses 22.2 to 22.14 below apply only in relation to the processing of Personal Data on behalf of the Department as set out in Schedule 5 (UK GDPR and Data Protection), and the only processing that the Data Processor is authorised to do on behalf of the Department is listed in Schedule 5 (UK GDPR and Data Protection) by the Department and may not be determined by the Data Processor. 22.2 The Data Processor must notify the Data Controller immediately if it considers that any of the Data Controller's instructions infringe the Data Protection Legislation. 22.3 The Data Processor must provide all reasonable assistance to the Data Controller in the preparation of any Data Protection Impact Assessment prior to commencing any processing. 
Such assistance may, at the discretion of the Data Controller, include: (a) a systematic description of the envisaged processing operations and the purpose of the processing; (b) an assessment of the necessity and proportionality of the processing operations in relation to the Services; (c) an assessment of the risks to the rights and freedoms of Data Subjects; and (d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. 22.4 If requested by the Department’s Contract Manager, the Data Processor must, in relation to any Personal Data processed in connection with its obligations under this Contract: 22.4.1 process that Personal Data only in accordance with Schedule 5 (UK GDPR and Data Protection), unless the Data Processor is required to do otherwise by Law. If it is so required, the Data Processor will promptly notify the Data Controller before processing the Personal Data unless prohibited by Law; 22.4.2 ensure that it has in place Protective Measures, which are appropriate to protect against a Data Loss Event, which the Data Controller may reasonably reject (but failure to reject shall not amount to approval by the Data Controller of the adequacy of the Protective Measures), having taken account of the: (a) nature of the data to be protected; (b) harm that might result from a Data Loss Event; (c) state of technological development; and (d) cost of implementing any measures; 22.4.3 ensure that: (a) the Data Processor Personnel do not process Personal Data except in accordance with this Contract (and in particular Schedule 5 (UK GDPR and Data Protection)); (b) it takes all reasonable steps to ensure the reliability and integrity of any Data Processor Personnel who have access to the Personal Data and ensure that they: (i) are aware of and comply with the Data Processor’s duties under this Clause 22 (Data Protection and Protection of Personal Data); (ii) are subject to 
appropriate confidentiality undertakings with the Data Processor or any Data Sub-Processor; (iii) are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Data Controller or as otherwise permitted by this Contract; and (iv) have undergone adequate training in the use, care, protection and handling of Personal Data; and 22.4.4 not make a Restricted Transfer unless the prior written consent of the Data Controller has been obtained and the following conditions are fulfilled: (a) the Data Controller or the Data Processor has provided appropriate safeguards in relation to the transfer (whether in accordance with Data Protection Legislation) as determined by the Data Controller; (b) the Data Subject has enforceable rights and effective legal remedies; (c) the Data Processor complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Data Controller in meeting its obligations); and (d) the Data Processor complies with any reasonable instructions notified to it in advance by the Data Controller with respect to the processing of the Personal Data; 22.4.5 at the written direction of the Data Controller, delete or return Personal Data (and any copies of it) to the Data Controller on termination of the Contract unless the Data Processor is required by Law to retain the Personal Data. 22.5 Subject to Clause 22.6, the Data Processor must notify the Data Controller immediately if it: 22.5.1 receives a Data Subject Request (or purported Data Subject Request) in relation to processing their data under this Contract only (submission of learner data); 22.5.2 receives a request to rectify, block or erase any Personal Data processed through the submission of learner data. 
Notification in such cases should be given via the Contract Manager; 22.5.3 receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation; 22.5.4 receives any communication from the Information Commissioner or any other Regulatory Body in connection with Personal Data processed under this Contract; 22.5.5 receives a request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or 22.5.6 becomes aware of a Data Loss Event. 22.6 The Data Processor’s obligation to notify under Clause 22.5 will include the provision of further information to the Data Controller in phases, as details become available. 22.7 Taking into account the nature of the processing, the Data Processor will provide the Data Controller with full assistance in relation to either Party's obligations under Data Protection Legislation and any complaint, communication or request made under Clause 22.5 (and insofar as possible within the timescales reasonably required by the Data Controller) including by promptly providing: 22.7.1 the Data Controller with full details and copies of the complaint, communication or request; 22.7.2 such assistance as is reasonably requested by the Data Controller to enable the Data Controller to comply with a Data Subject Request within the relevant timescales set out in the Data Protection Legislation; 22.7.3 the Data Controller, at its request, with any Personal Data it holds in relation to a Data Subject; 22.7.4 assistance as requested by the Data Controller following any Data Loss Event; 22.7.5 assistance as requested by the Data Controller with respect to any request from the Information Commissioner’s Office, or any consultation by the Data Controller with the Information Commissioner's Office. 
22.8 The Data Processor must maintain complete and accurate records and information to demonstrate its compliance with this Clause 22 (Data Protection and Protection of Personal Data). This requirement does not apply where the Data Processor employs fewer than two hundred and fifty (250) staff, unless: 22.8.1 the Data Controller determines that the processing is not occasional; 22.8.2 the Data Controller determines the processing includes special categories of data as referred to in the Data Protection Legislation or Personal Data relating to criminal convictions and offences referred to in the Data Protection Legislation; or 22.8.3 the Data Controller determines that the processing is likely to result in a risk to the rights and freedoms of Data Subjects. 22.9 The Data Processor will allow for audits of its Data Processing activity by the Data Controller or the Data Controller’s designated auditor. 22.10 Each Party will designate its own data protection officer if required by the Data Protection Legislation. 22.11 Before allowing any Data Sub-Processor to process any Personal Data related to this Contract (submission of Learner data), the Data Processor must: 22.11.1 notify the Data Controller’s Contract Manager in writing of the intended Data Sub-Processor and processing; 22.11.2 obtain the written consent of the Data Controller’s Contract Manager; 22.11.3 enter into a written agreement with the Data Sub-Processor which give effect to the terms set out in this Clause 22 (Data Protection and Protection of Personal Data) such that they apply to the Data Sub-Processor; and 22.11.4 provide the Data Controller with such information regarding the Data Sub-Processor as the Data Controller may reasonably require. 22.12 The Data Processor will remain fully liable for all acts or omissions of any of its Data Sub-Processors. 
22.13 The Data Controller may, at any time on not less than thirty (30) Working Days’ notice, revise this Clause 22 (Data Protection and Protection of Personal Data) by replacing it with any applicable controller to processor standard clauses or similar terms forming part of an applicable certification scheme (which shall apply when incorporated by attachment to this Contract). 22.14 The Parties agree to take account of any guidance issued by the Information Commissioner’s Office. The Data Controller may on not less than thirty (30) Working Days’ notice to the Data Processor amend this Contract to ensure that it complies with any guidance issued by the Information Commissioner’s Office. 22.15 Where the Contractor is providing the Services to Learners claiming out of work benefits, the Secretary of State for Work and Pensions (or their successor) is the Data Controller in relation to Personal Data which the Contractor is required to provide to the Secretary of State for Work and Pensions. This Clause 22 (Data Protection and Protection of Personal Data) will be enforceable by the Secretary of State for Work and Pensions in relation to any Personal Data processed by the Contractor on its behalf. 22.16 Where the Contractor is providing the Service to Learners who are subject to active management by the Offender Manager in respect of an order or licence, the Secretary of State for Justice (or their successor) is the Data Controller in relation to Personal Data, which the Contractor is required to provide to the Secretary of State for Education. 22.17 Where the Contractor is providing the Services to Learners who are subject to claiming Industrial Injuries Disablement Benefit (IIDB), the Department for Work and Pensions (or their successor) is the Data Controller in relation to Personal Data, which the Contractor is required to provide to the Secretary of State for Education. 
This Clause 22 (Data Protection and Protection of Personal Data) will be enforceable by the Secretary of State for Work and Pensions in relation to any Personal Data processed by the Contractor on its behalf. 22.18 The Data Processor will comply with any further written instructions or additional conditions from the Department’s Data Controller in relation to the data processing. 22.19 In the circumstances set out in Clause 41.1.7, the Department may elect to take the role of Data Controller.

Appears in 1 contract

Samples: Contract for Services

DATA PROTECTION AND PROTECTION OF PERSONAL DATA. 20.1 This Clause 20 applies to the Services except to the extent that it relates to the payment of the Sixth Form Grant to a sixth form by the Provider. 20.2 The Parties acknowledge that for the purposes of the Data Protection Laws, the Department on behalf of the Secretary of State for Education is the Data Controller and the Provider is the Data Processor only for the processing set out in Schedule 6 (i.e. submission of Learner data to the Department). Any other processing of Personal Data undertaken by the Provider (i.e. Learner enrolment or delivering education & training, e.g. e-portfolios) will be as a Data Controller and not on behalf of the Department. Clauses 20.3 to 20.15 below apply only in relation to the processing of Personal Data on behalf of the Department as set out in Schedule 6, and the only processing that the Data Processor is authorised to do on behalf of the Department is listed in Schedule 6 by the Department and may not be determined by the Data Processor. 20.3 The Data Processor must notify the Data Controller immediately if it considers that any of the Data Controller's instructions infringe the Data Protection Laws. 20.4 The Data Processor must provide all reasonable assistance to the Data Controller in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Data Controller, include: (a) a systematic description of the envisaged processing operations and the purpose of the processing; (b) an assessment of the necessity and proportionality of the processing operations in relation to the Services; (c) an assessment of the risks to the rights and freedoms of Data Subjects; and (d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data.

Appears in 1 contract

Samples: Conditions of Funding (Grant)

DATA PROTECTION AND PROTECTION OF PERSONAL DATA. 20.1 This Clause 20 applies to the Services except to the extent that it relates to the payment of the Sixth Form Grant to a sixth form by the Provider. 22.1 The Parties acknowledge that for the purposes of the Data Protection Laws, the Department on behalf of the Secretary of State for Education is the Data Controller and the Contractor is the Data Processor only for the processing set out in Schedule 5 (UK GDPR and Data Protection) (i.e. submission of Learner data to the Department). Any other processing of Personal Data undertaken by the Contractor (i.e. Learner enrolment or delivering education & training, e.g. e-portfolios) will be as a Data Controller and not on behalf of the Department. Clauses 22.2 to 22.14 below apply only in relation to the processing of Personal Data on behalf of the Department as set out in Schedule 5 (UK GDPR and Data Protection), and the only processing that the Data Processor is authorised to do on behalf of the Department is listed in Schedule 5 (UK GDPR and Data Protection) by the Department and may not be determined by the Data Processor. 22.2 The Data Processor must notify the Data Controller immediately if it considers that any of the Data Controller's instructions infringe the Data Protection Laws. 22.3 The Data Processor must provide all reasonable assistance to the Data Controller in the preparation of any Data Protection Impact Assessment prior to commencing any processing. 
Such assistance may, at the discretion of the Data Controller, include: (a) a systematic description of the envisaged processing operations and the purpose of the processing; (b) an assessment of the necessity and proportionality of the processing operations in relation to the Services; (c) an assessment of the risks to the rights and freedoms of Data Subjects; and (d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. 22.4 If requested by the Department’s Contract Manager, the Data Processor must, in relation to any Personal Data processed in connection with its obligations under this Contract: 22.4.1 process that Personal Data only in accordance with Schedule 5 (UK GDPR and Data Protection), unless the Data Processor is required to do otherwise by Law. If it is so required, the Data Processor will promptly notify the Data Controller before processing the Personal Data unless prohibited by Law; 22.4.2 ensure that it has in place Protective Measures, which are appropriate to protect against a Data Loss Event, which the Data Controller may reasonably reject (but failure to reject shall not amount to approval by the Data Controller of the adequacy of the Protective Measures), having taken account of the: (a) nature of the data to be protected; (b) harm that might result from a Data Loss Event; (c) state of technological development; and (d) cost of implementing any measures; 22.4.3 ensure that: (a) the Data Processor Personnel do not process Personal Data except in accordance with this Contract (and in particular Schedule 5 (UK GDPR and Data Protection)); (b) it takes all reasonable steps to ensure the reliability and integrity of any Data Processor Personnel who have access to the Personal Data and ensure that they: (i) are aware of and comply with the Data Processor’s duties under this Clause 22 (Data Protection and Protection of Personal Data); (ii) are subject to 
appropriate confidentiality undertakings with the Data Processor or any Data Sub-Processor; (iii) are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Data Controller or as otherwise permitted by this Contract; and (iv) have undergone adequate training in the use, care, protection and handling of Personal Data; and 22.4.4 not transfer Personal Data outside of the EU unless the prior written consent of the Data Controller has been obtained and the following conditions are fulfilled: (a) the Data Controller or the Data Processor has provided appropriate safeguards in relation to the transfer (whether in accordance with UK GDPR Article 46 or LED Article 37) as determined by the Data Controller; (b) the Data Subject has enforceable rights and effective legal remedies; (c) the Data Processor complies with its obligations under the Data Protection Laws by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Data Controller in meeting its obligations); and (d) the Data Processor complies with any reasonable instructions notified to it in advance by the Data Controller with respect to the processing of the Personal Data; 22.4.5 at the written direction of the Data Controller, delete or return Personal Data (and any copies of it) to the Data Controller on termination of the Contract unless the Data Processor is required by Law to retain the Personal Data. 22.5 Subject to Clause 22.6, the Data Processor must notify the Data Controller immediately if it: 22.5.1 receives a Data Subject Request (or purported Data Subject Request) in relation to processing their data under this Contract only (submission of learner data); 22.5.2 receives a request to rectify, block or erase any Personal Data processed through the submission of learner data. 
Notification in such cases should be given via the Contract Manager; 22.5.3 receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Laws; 22.5.4 receives any communication from the Information Commissioner or any other Regulatory Body in connection with Personal Data processed under this Contract; 22.5.5 receives a request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or 22.5.6 becomes aware of a Data Loss Event. 22.6 The Data Processor’s obligation to notify under Clause 22.5 will include the provision of further information to the Data Controller in phases, as details become available. 22.7 Taking into account the nature of the processing, the Data Processor will provide the Data Controller with full assistance in relation to either Party's obligations under Data Protection Laws and any complaint, communication or request made under Clause 22.5 (and insofar as possible within the timescales reasonably required by the Data Controller) including by promptly providing: 22.7.1 the Data Controller with full details and copies of the complaint, communication or request; 22.7.2 such assistance as is reasonably requested by the Data Controller to enable the Data Controller to comply with a Data Subject Request within the relevant timescales set out in the Data Protection Laws; 22.7.3 the Data Controller, at its request, with any Personal Data it holds in relation to a Data Subject; 22.7.4 assistance as requested by the Data Controller following any Data Loss Event; 22.7.5 assistance as requested by the Data Controller with respect to any request from the Information Commissioner’s Office, or any consultation by the Data Controller with the Information Commissioner's Office. 
22.8 The Data Processor must maintain complete and accurate records and information to demonstrate its compliance with this Clause 22 (Data Protection and Protection of Personal Data). This requirement does not apply where the Data Processor employs fewer than two hundred and fifty (250) staff, unless: 22.8.1 the Data Controller determines that the processing is not occasional; 22.8.2 the Data Controller determines the processing includes special categories of data as referred to in Article 9(1) of the UK GDPR or Personal Data relating to criminal convictions and offences referred to in Article 10 of the UK GDPR; or 22.8.3 the Data Controller determines that the processing is likely to result in a risk to the rights and freedoms of Data Subjects. 22.9 The Data Processor will allow for audits of its Data Processing activity by the Data Controller or the Data Controller’s designated auditor. 22.10 Each Party will designate its own data protection officer if required by the Data Protection Laws. 22.11 Before allowing any Data Sub-Processor to process any Personal Data related to this Contract (submission of Learner data), the Data Processor must: 22.11.1 notify the Data Controller’s Contract Manager in writing of the intended Data Sub-Processor and processing; 22.11.2 obtain the written consent of the Data Controller’s Contract Manager; 22.11.3 enter into a written agreement with the Data Sub-Processor which give effect to the terms set out in this Clause 22 (Data Protection and Protection of Personal Data) such that they apply to the Data Sub-Processor; and 22.11.4 provide the Data Controller with such information regarding the Data Sub-Processor as the Data Controller may reasonably require. 22.12 The Data Processor will remain fully liable for all acts or omissions of any of its Data Sub-Processors. 
22.13 The Data Controller may, at any time on not less than thirty (30) Working Days’ notice, revise this Clause 22 (Data Protection and Protection of Personal Data) by replacing it with any applicable Data Controller to Data Processor standard clauses or similar terms forming part of an applicable certification scheme (which shall apply when incorporated by attachment to this Contract). 22.14 The Parties agree to take account of any guidance issued by the Information Commissioner’s Office. The Data Controller may on not less than thirty (30) Working Days’ notice to the Data Processor amend this Contract to ensure that it complies with any guidance issued by the Information Commissioner’s Office. 22.15 Where the Contractor is providing the Services to Learners claiming out of work benefits, the Secretary of State for Work and Pensions (or their successor) is the Data Controller in relation to Personal Data which the Contractor is required to provide to the Secretary of State for Work and Pensions. This Clause 22 (Data Protection and Protection of Personal Data) will be enforceable by the Secretary of State for Work and Pensions in relation to any Personal Data processed by the Contractor on its behalf. 22.16 Where the Contractor is providing the Service to Learners who are subject to active management by the Offender Manager in respect of an order or licence, the Secretary of State for Justice (or their successor) is the Data Controller in relation to Personal Data, which the Contractor is required to provide to the Secretary of State for Education. 22.17 Where the Contractor is providing the Services to Learners who are subject to claiming Industrial Injuries Disablement Benefit (IIDB), the Department for Work and Pensions (or their successor) is the Data Controller in relation to Personal Data, which the Contractor is required to provide to the Secretary of State for Education. 
This Clause 22 (Data Protection and Protection of Personal Data) will be enforceable by the Secretary of State for Work and Pensions in relation to any Personal Data processed by the Contractor on its behalf. 22.18 The Data Processor will comply with any further written instructions or additional conditions from the Department’s Data Controller in relation to the data processing. 22.19 In the circumstances set out in Clause 41.1.6, the Department may elect to take the role of Data Controller.

Appears in 1 contract

Samples: Contract for Services

DATA PROTECTION AND PROTECTION OF PERSONAL DATA. 20.1 This Clause 20 applies to the Services except to the extent that it relates to the payment of the Sixth Form Grant to a sixth form by the Provider. 22.1 The Parties acknowledge that for the purposes of the Data Protection Legislation, the Department on behalf of the Secretary of State for Education is the Data Controller and the Contractor is the Data Processor only for the processing set out in Schedule 5 (UK GDPR and Data Protection) (i.e. submission of Learner data to the Department). Any other processing of Personal Data undertaken by the Contractor (i.e. Learner enrolment or delivering education & training, e.g. e-portfolios) will be as a Data Controller and not on behalf of the Department. Clauses 22.2 to 22.14 below apply only in relation to the processing of Personal Data on behalf of the Department as set out in Schedule 5 (UK GDPR and Data Protection), and the only processing that the Data Processor is authorised to do on behalf of the Department is listed in Schedule 5 (UK GDPR and Data Protection) by the Department and may not be determined by the Data Processor. 22.2 The Data Processor must notify the Data Controller immediately if it considers that any of the Data Controller's instructions infringe the Data Protection Legislation. 22.3 The Data Processor must provide all reasonable assistance to the Data Controller in the preparation of any Data Protection Impact Assessment prior to commencing any processing. 
Such assistance may, at the discretion of the Data Controller, include: (a) a systematic description of the envisaged processing operations and the purpose of the processing; (b) an assessment of the necessity and proportionality of the processing operations in relation to the Services; (c) an assessment of the risks to the rights and freedoms of Data Subjects; and (d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. 22.4 If requested by the Department’s Contract Manager, the Data Processor must, in relation to any Personal Data processed in connection with its obligations under this Contract: 22.4.1 process that Personal Data only in accordance with Schedule 5 (UK GDPR and Data Protection), unless the Data Processor is required to do otherwise by Law. If it is so required, the Data Processor will promptly notify the Data Controller before processing the Personal Data unless prohibited by Law; 22.4.2 ensure that it has in place Protective Measures, which are appropriate to protect against a Data Loss Event, which the Data Controller may reasonably reject (but failure to reject shall not amount to approval by the Data Controller of the adequacy of the Protective Measures), having taken account of the: (a) nature of the data to be protected; (b) harm that might result from a Data Loss Event; (c) state of technological development; and (d) cost of implementing any measures; 22.4.3 ensure that: (a) the Data Processor Personnel do not process Personal Data except in accordance with this Contract (and in particular Schedule 5 (UK GDPR and Data Protection)); (b) it takes all reasonable steps to ensure the reliability and integrity of any Data Processor Personnel who have access to the Personal Data and ensure that they: (i) are aware of and comply with the Data Processor’s duties under this Clause 22 (Data Protection and Protection of Personal Data); (ii) are subject to 
appropriate confidentiality undertakings with the Data Processor or any Data Sub-Processor; (iii) are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Data Controller or as otherwise permitted by this Contract; and (iv) have undergone adequate training in the use, care, protection and handling of Personal Data; and 22.4.4 not make a Restricted Transfer unless the prior written consent of the Data Controller has been obtained and the following conditions are fulfilled: (a) the destination country has been recognised as adequate by the UK government in accordance with Article 45 UK GDPR or section 74 of the DPA 2018; (b) the Data Controller or the Data Processor has provided appropriate safeguards in relation to the transfer (whether in accordance with UK GDPR Article 46 or section 75 of the DPA 2018) as determined by the Data Controller; (c) the Data Subject has enforceable rights and effective legal remedies; (d) the Data Processor complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Data Controller in meeting its obligations); and (e) the Data Processor complies with any reasonable instructions notified to it in advance by the Data Controller with respect to the processing of the Personal Data; 22.4.5 at the written direction of the Data Controller, delete or return Personal Data (and any copies of it) to the Data Controller on termination of the Contract unless the Data Processor is required by Law to retain the Personal Data. 
22.5 Subject to Clause 22.6, the Data Processor must notify the Data Controller immediately if it: 22.5.1 receives a Data Subject Access Request (or purported Data Subject Access Request) in relation to processing their data under this Contract only (submission of learner data); 22.5.2 receives a request to rectify, block or erase any Personal Data processed through the submission of learner data. Notification in such cases should be given via the Contract Manager; 22.5.3 receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation; 22.5.4 receives any communication from the Information Commissioner or any other Regulatory Body in connection with Personal Data processed under this Contract; 22.5.5 receives a request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or 22.5.6 becomes aware of a Data Loss Event. 22.6 The Data Processor’s obligation to notify under Clause 22.5 will include the provision of further information to the Data Controller in phases, as details become available. 
22.7 Taking into account the nature of the processing, the Data Processor will provide the Data Controller with full assistance in relation to either Party's obligations under Data Protection Legislation and any complaint, communication or request made under Clause 22.5 (and insofar as possible within the timescales reasonably required by the Data Controller) including by promptly providing: 22.7.1 the Data Controller with full details and copies of the complaint, communication or request; 22.7.2 such assistance as is reasonably requested by the Data Controller to enable the Data Controller to comply with a Data Subject Access Request within the relevant timescales set out in the Data Protection Legislation; 22.7.3 the Data Controller, at its request, with any Personal Data it holds in relation to a Data Subject; 22.7.4 assistance as requested by the Data Controller following any Data Loss Event; 22.7.5 assistance as requested by the Data Controller with respect to any request from the Information Commissioner’s Office, or any consultation by the Data Controller with the Information Commissioner's Office. 22.8 The Data Processor must maintain complete and accurate records and information to demonstrate its compliance with this Clause 22 (Data Protection and Protection of Personal Data). This requirement does not apply where the Data Processor employs fewer than two hundred and fifty (250) staff, unless: 22.8.1 the Data Controller determines that the processing is not occasional; 22.8.2 the Data Controller determines the processing includes special categories of data as referred to in the Article 9(1) of the UK GDPR or Personal Data relating to criminal convictions and offences referred to in Article 10 of the UK GDPR; or 22.8.3 the Data Controller determines that the processing is likely to result in a risk to the rights and freedoms of Data Subjects. 
22.9 The Data Processor will allow for audits of its Data Processing activity by the Data Controller or the Data Controller’s designated auditor. 22.10 Each Party will designate its own data protection officer if required by the Data Protection Legislation. 22.11 Before allowing any Data Sub-Processor to process any Personal Data related to this Contract (submission of Learner data), the Data Processor must: 22.11.1 notify the Data Controller’s Contract Manager in writing of the intended Data Sub-Processor and processing; 22.11.2 obtain the written consent of the Data Controller’s Contract Manager; 22.11.3 enter into a written agreement with the Data Sub-Processor which give effect to the terms set out in this Clause 22 (Data Protection and Protection of Personal Data) such that they apply to the Data Sub-Processor; and 22.11.4 provide the Data Controller with such information regarding the Data Sub-Processor as the Data Controller may reasonably require. 22.12 The Data Processor will remain fully liable for all acts or omissions of any of its Data Sub-Processors. 22.13 The Data Controller may, at any time on not less than thirty (30) Working Days’ notice, revise this Clause 22 (Data Protection and Protection of Personal Data) by replacing it with any applicable controller to processor standard clauses or similar terms forming part of an applicable certification scheme (which shall apply when incorporated by attachment to this Contract). 22.14 The Parties agree to take account of any guidance issued by the Information Commissioner’s Office. The Data Controller may on not less than thirty (30) Working Days’ notice to the Data Processor amend this Contract to ensure that it complies with any guidance issued by the Information Commissioner’s Office. 
22.15 Where the Contractor is providing the Services to Learners claiming out of work benefits, the Secretary of State for Work and Pensions (or their successor) is the Data Controller in relation to Personal Data which the Contractor is required to provide to the Secretary of State for Work and Pensions. This Clause 22 (Data Protection and Protection of Personal Data) will be enforceable by the Secretary of State for Work and Pensions in relation to any Personal Data processed by the Contractor on its behalf. 22.16 Where the Contractor is providing the Service to Learners who are subject to active management by the Offender Manager in respect of an order or licence, the Secretary of State for Justice (or their successor) is the Data Controller in relation to Personal Data, which the Contractor is required to provide to the Secretary of State for Education. 22.17 Where the Contractor is providing the Services to Learners who are subject to claiming Industrial Injuries Disablement Benefit (IIDB), the Department for Work and Pensions (or their successor) is the Data Controller in relation to Personal Data, which the Contractor is required to provide to the Secretary of State for Education. This Clause 22 (Data Protection and Protection of Personal Data) will be enforceable by the Secretary of State for Work and Pensions in relation to any Personal Data processed by the Contractor on its behalf. 22.18 The Data Processor will comply with any further written instructions or additional conditions from the Department’s Data Controller in relation to the data processing. 22.19 In the circumstances set out in Clause 41.1.7, the Department may elect to take the role of Data Controller.

Appears in 1 contract

Samples: Contract for Services

DATA PROTECTION AND PROTECTION OF PERSONAL DATA. 20.1 This Clause 20 applies to the Services except to the extent that it relates to the payment of the Sixth Form Grant to a sixth form by the Provider. 22.1 The Parties acknowledge that for the purposes of the Data Protection Laws, the Department on behalf of the Secretary of State for Education is the Data Controller and the Contractor is the Data Processor only for the processing set out in Schedule 5 (UK GDPR and Data Protection) (i.e. submission of Learner data to the Department). Any other processing of Personal Data undertaken by the Contractor (i.e. Learner enrolment or delivering education & training, e.g. e-portfolios) will be as a Data Controller and not on behalf of the Department. Clauses 22.2 to 22.14 below apply only in relation to the processing of Personal Data on behalf of the Department as set out in Schedule 5 (UK GDPR and Data Protection), and the only processing that the Data Processor is authorised to do on behalf of the Department is listed in Schedule 5 (UK GDPR and Data Protection) by the Department and may not be determined by the Data Processor. 22.2 The Data Processor must notify the Data Controller immediately if it considers that any of the Data Controller's instructions infringe the Data Protection Laws. 22.3 The Data Processor must provide all reasonable assistance to the Data Controller in the preparation of any Data Protection Impact Assessment prior to commencing any processing. 
Such assistance may, at the discretion of the Data Controller, include: (a) a systematic description of the envisaged processing operations and the purpose of the processing; (b) an assessment of the necessity and proportionality of the processing operations in relation to the Services; (c) an assessment of the risks to the rights and freedoms of Data Subjects; and (d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. 22.4 If requested by the Department’s Contract Manager, the Data Processor must, in relation to any Personal Data processed in connection with its obligations under this Contract: 22.4.1 process that Personal Data only in accordance with Schedule 5 (UK GDPR and Data Protection), unless the Data Processor is required to do otherwise by Law. If it is so required, the Data Processor will promptly notify the Data Controller before processing the Personal Data unless prohibited by Law; 22.4.2 ensure that it has in place Protective Measures, which are appropriate to protect against a Data Loss Event, which the Data Controller may reasonably reject (but failure to reject shall not amount to approval by the Data Controller of the adequacy of the Protective Measures), having taken account of the: (a) nature of the data to be protected; (b) harm that might result from a Data Loss Event; (c) state of technological development; and (d) cost of implementing any measures; 22.4.3 ensure that: (a) the Data Processor Personnel do not process Personal Data except in accordance with this Contract (and in particular Schedule 5 (UK GDPR and Data Protection)); (b) it takes all reasonable steps to ensure the reliability and integrity of any Data Processor Personnel who have access to the Personal Data and ensure that they: (i) are aware of and comply with the Data Processor’s duties under this Clause 22 (Data Protection and Protection of Personal Data); (ii) are subject to 
appropriate confidentiality undertakings with the Data Processor or any Data Sub-Processor; (iii) are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Data Controller or as otherwise permitted by this Contract; and (iv) have undergone adequate training in the use, care, protection and handling of Personal Data; and 22.4.4 not transfer Personal Data outside of the EU unless the prior written consent of the Data Controller has been obtained and the following conditions are fulfilled: (a) the Data Controller or the Data Processor has provided appropriate safeguards in relation to the transfer (whether in accordance with UK GDPR Article 46 or LED Article 37) as determined by the Data Controller; (b) the Data Subject has enforceable rights and effective legal remedies; (c) the Data Processor complies with its obligations under the Data Protection Laws by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Data Controller in meeting its obligations); and (d) the Data Processor complies with any reasonable instructions notified to it in advance by the Data Controller with respect to the processing of the Personal Data; 22.4.5 at the written direction of the Data Controller, delete or return Personal Data (and any copies of it) to the Data Controller on termination of the Contract unless the Data Processor is required by Law to retain the Personal Data. 22.5 Subject to Clause 22.6, the Data Processor must notify the Data Controller immediately if it: 22.5.1 receives a Data Subject Request (or purported Data Subject Request) in relation to processing their data under this Contract only (submission of learner data); 22.5.2 receives a request to rectify, block or erase any Personal Data processed through the submission of learner data. 
Notification in such cases should be given via the Contract Manager; 22.5.3 receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Laws; 22.5.4 receives any communication from the Information Commissioner or any other Regulatory Body in connection with Personal Data processed under this Contract; 22.5.5 receives a request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or 22.5.6 becomes aware of a Data Loss Event. 22.6 The Data Processor’s obligation to notify under Clause 22.5 will include the provision of further information to the Data Controller in phases, as details become available. 22.7 Taking into account the nature of the processing, the Data Processor will provide the Data Controller with full assistance in relation to either Party's obligations under Data Protection Laws and any complaint, communication or request made under Clause 22.5 (and insofar as possible within the timescales reasonably required by the Data Controller) including by promptly providing: 22.7.1 the Data Controller with full details and copies of the complaint, communication or request; 22.7.2 such assistance as is reasonably requested by the Data Controller to enable the Data Controller to comply with a Data Subject Request within the relevant timescales set out in the Data Protection Laws; 22.7.3 the Data Controller, at its request, with any Personal Data it holds in relation to a Data Subject; 22.7.4 assistance as requested by the Data Controller following any Data Loss Event; 22.7.5 assistance as requested by the Data Controller with respect to any request from the Information Commissioner’s Office, or any consultation by the Data Controller with the Information Commissioner's Office. 
22.8 The Data Processor must maintain complete and accurate records and information to demonstrate its compliance with this Clause 22 (Data Protection and Protection of Personal Data). This requirement does not apply where the Data Processor employs fewer than two hundred and fifty (250) staff, unless: 22.8.1 the Data Controller determines that the processing is not occasional; 22.8.2 the Data Controller determines the processing includes special categories of data as referred to in Article 9(1) of the UK GDPR or Personal Data relating to criminal convictions and offences referred to in Article 10 of the UK GDPR; or 22.8.3 the Data Controller determines that the processing is likely to result in a risk to the rights and freedoms of Data Subjects. 22.9 The Data Processor will allow for audits of its Data Processing activity by the Data Controller or the Data Controller’s designated auditor. 22.10 Each Party will designate its own data protection officer if required by the Data Protection Laws. 22.11 Before allowing any Data Sub-Processor to process any Personal Data related to this Contract (submission of Learner data), the Data Processor must: 22.11.1 notify the Data Controller’s Contract Manager in writing of the intended Data Sub-Processor and processing; 22.11.2 obtain the written consent of the Data Controller’s Contract Manager; 22.11.3 enter into a written agreement with the Data Sub-Processor which gives effect to the terms set out in this Clause 22 (Data Protection and Protection of Personal Data) such that they apply to the Data Sub-Processor; and 22.11.4 provide the Data Controller with such information regarding the Data Sub-Processor as the Data Controller may reasonably require. 22.12 The Data Processor will remain fully liable for all acts or omissions of any of its Data Sub-Processors.
22.13 The Data Controller may, at any time on not less than thirty (30) Working Days’ notice, revise this Clause 22 (Data Protection and Protection of Personal Data) by replacing it with any applicable controller to processor standard clauses or similar terms forming part of an applicable certification scheme (which shall apply when incorporated by attachment to this Contract). 22.14 The Parties agree to take account of any guidance issued by the Information Commissioner’s Office. The Data Controller may on not less than thirty (30) Working Days’ notice to the Data Processor amend this Contract to ensure that it complies with any guidance issued by the Information Commissioner’s Office. 22.15 Where the Contractor is providing the Services to Learners claiming out of work benefits, the Secretary of State for Work and Pensions (or their successor) is the Data Controller in relation to Personal Data which the Contractor is required to provide to the Secretary of State for Work and Pensions. This Clause 22 (Data Protection and Protection of Personal Data) will be enforceable by the Secretary of State for Work and Pensions in relation to any Personal Data processed by the Contractor on its behalf. 22.16 Where the Contractor is providing the Service to Learners who are subject to active management by the Offender Manager in respect of an order or licence, the Secretary of State for Justice (or their successor) is the Data Controller in relation to Personal Data, which the Contractor is required to provide to the Secretary of State for Education. 22.17 Where the Contractor is providing the Services to Learners who are subject to claiming Industrial Injuries Disablement Benefit (IIDB), the Department for Work and Pensions (or their successor) is the Data Controller in relation to Personal Data, which the Contractor is required to provide to the Secretary of State for Education. 
This Clause 22 (Data Protection and Protection of Personal Data) will be enforceable by the Secretary of State for Work and Pensions in relation to any Personal Data processed by the Contractor on its behalf. 22.18 The Data Processor will comply with any further written instructions or additional conditions from the Department’s Data Controller in relation to the data processing. 22.19 In the circumstances set out in Clause 41.1.7, the Department may elect to take the role of Data Controller.

Appears in 1 contract

Samples: Contract for Services
