DATA PROCESSING SCHEDULE
For the purposes of this Schedule, the following terms shall have the following meanings:
“Controller”, “Data Subject”, “Personal Data Breach”, “Processor” and “Processing” have the meaning given to those terms in the Data Protection Legislation, and “Process” and “Processed” are construed accordingly;
“Candidate Personal Data” means the Personal Data of a Candidate Processed by the parties, under, or in connection with, the Conditions (as may be more particularly described in Appendix 2 (Data Protection Particulars));
“Contact Data” means the Personal Data of each party’s Employees Processed by the other under, or in connection with, the Conditions (as may be more particularly described in Appendix 2 (Data Sharing Particulars));
“Data Protection Legislation” means (a) any law, statute, declaration, decree, directive, legislative enactment, order, ordinance, regulation, rule or other binding restriction (as amended, consolidated, replaced or re-enacted from time to time) which relates to the protection of individuals with regard to the Processing of Personal Data and direct marketing to which a party is subject, including without limitation the GDPR, the Privacy and Electronic Communications (EC Directive) Regulations 2003 (as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019, as amended by SI 2020 No. 1586), the Data Protection Act 2018 and the GDPR (the latter being defined as the “UK GDPR”); and (b) any court or tribunal ruling, or code of practice or guidance published by the applicable Regulator or the European Data Protection Board, binding on a party from time to time;
“Data Subject Request” means an actual or purported request or notice or complaint (in any form) from or on behalf of a Data Subject exercising his rights under Data Protection Legislation in relation to Personal Data including without limitation: the right of access by the Data Subject, the right to rectification, the right to erasure, the right to restriction of Processing, the right to data portability and the right to object;
“Employees” means all staff, including without limitation directors, officers and employees, as well as the agents and workers of either party together with the directors, officers and employees of such party’s sub-contractors, agencies or suppliers and further down any contractual chain, and “Employee” shall mean any one of them individually as the context dictates;
“Fair Processing Notices” means the transparency information required to be given by a Controller under Articles 12, 13 and 14 of the GDPR and otherwise under the Data Protection Legislation;
“GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the Processing of Personal Data. Where references are made in this Appendix to articles within the GDPR, this shall be interpreted to mean such article as contained within the GDPR or, where applicable to a Controller based in the UK, the UK GDPR;
“Government Access” means (a) a request for disclosure of Personal Data transferred in accordance with paragraph 4 by a public authority under the laws of the country of destination; or (b) direct access to Personal Data transferred in accordance with paragraph 4 by a public authority under the laws of the country of destination;
“Permitted Country” means a country, territory or jurisdiction which is (a) within the European Economic Area (“EEA”) or (b) the UK or (c) is not a Restricted Country;
“Permitted Recipients” means the third parties to whom each party is permitted to disclose the Personal Data, as set out in more detail in Appendix 2 (Data Sharing Particulars);
“Personal Data” shall have the meaning given in Data Protection Legislation and for the purposes of this Schedule shall include (a) Contact Data and (b) Candidate Personal Data, and in each case shall include any special categories of personal data as described in Article 9 of the GDPR and any personal data relating to criminal convictions and offences, as described in Article 10 of the GDPR (as such Personal Data is more particularly described in Appendix 2 (Data Sharing Particulars));
“Regulator” means any local, national or multinational agency, department, official, parliament, public or statutory person or any government or professional body, regulatory or supervisory authority, board or other body responsible for administering Data Protection Legislation, including without limitation (where applicable) in the UK, the Information Commissioner’s Office, or any successor or replacement body from time to time;
“Regulator Correspondence” means any correspondence from the Regulator in relation to the Processing of the Personal Data;
“Restricted Country” means a country, territory or jurisdiction which is (a) not covered by an adequacy determination by a competent authority with jurisdiction over the party who wishes to export the data outside of a Permitted Country or (b) otherwise in relation to which a transfer restriction applies under the applicable laws of the data exporter;
“Standard Contractual clauses” means (a) the Standard Contractual clauses approved by the European Commission for transfers from Controllers in the European Economic Area to Controllers outside the European Economic Area as updated and/or amended from time to time (being the paragraphs contained in the European Commission’s Decision 2004/915/EC), for transfers of personal data from a controller to a controller established outside of the EEA as updated and/or amended from time to time and in their current form attached as Appendix 3; or (b) the standard contractual clauses adopted by the government of the United Kingdom, or approved by the government of the United Kingdom as updated, replaced, consolidated and/or amended from time to time, for transfers of personal data from a UK controller to a controller in a Restricted Country; or (c) any standard contractual clauses adopted under the applicable laws to which a data exporter is subject, as updated and/or amended from time to time, for transfers of Personal Data from a data exporter acting as a Controller to a Controller in a Restricted Country;
“Third party Request” means a request (in any form) from any third party for disclosure of Personal Data, including a Government Access request, where compliance with such request is required or purported to be required by law or regulation.
1 Arrangement between the parties
The parties acknowledge that the factual arrangements between them dictate the role of each party in respect of Data Protection Legislation. Notwithstanding the foregoing, each party agrees that the nature of the Processing under the Conditions will be as follows:
the Client shall be an independent Controller of (i) the Candidate Personal Data for its own internal business purposes and in relation to its Engagement of any Candidate, (ii) its own Employees’ Contact Data for its own internal business purposes and (iii) where it is Processed by it in accordance with paragraph 1.2, the Contact Data of the Company; and
the Company shall be an independent Controller of (i) the Candidate Personal Data for its own internal non-exclusive business purposes and in relation to the fulfilment of its obligations under the Conditions, (ii) its own Employees’ Contact Data for its own internal business purposes and (iii) where it is Processed by it in accordance with paragraph 1.2, the Contact Data of the Client.
Each party shall Process the other party’s Contact Data (in its capacity as a Controller) in order to (as appropriate): (a) administer, request, receive or provide the services, rights, benefits and obligations under the Conditions; (b) compile, dispatch and manage the payment of invoices relating to the Conditions; (c) manage the Conditions and resolve any disputes relating to it; (d) respond and/or raise general queries relating to the Conditions, and (e) comply with their respective obligations in law and under and in relation to the Conditions.
Given the nature of the Conditions, the parties do not envisage that either party will Process any Personal Data for or on behalf of the other party acting as a Processor, under or in connection with the Conditions. Where and to the extent that in undertaking the obligations set out in the Conditions or providing a service, either party anticipates that the other will Process any Personal Data for and on behalf of the relevant party acting as a Processor it shall notify the other party and the parties shall agree a variation to the Conditions to incorporate appropriate provisions in accordance with Article 28 of the GDPR, or as otherwise required by Data Protection Legislation.
Notwithstanding paragraph 1.1, if either party is deemed to be a joint Controller with the other in relation to the Personal Data, the parties agree that they shall be jointly responsible for the compliance obligations imposed on a Controller by Data Protection Legislation, and the parties shall cooperate to do all reasonably necessary things to comply with Article 26 of the GDPR or as otherwise required by the Data Protection Legislation to enable performance of such compliance obligations, except that each party shall be responsible, without limitation, for compliance with its data security obligations set out in paragraph 2.2.4 where Personal Data has been transmitted by it, or while Personal Data is in its possession or control.
Each of the parties acknowledges and agrees that Appendix 2 (Data Sharing Particulars) to the Conditions is an accurate description of the sharing of Personal Data envisaged under the Conditions.
Each party agrees that in performing its obligations under the Conditions, it shall independently (at its own cost) comply with each of the obligations imposed upon it under Data Protection Legislation.
2 Data Sharing Obligations
Where acting as a Controller for the purposes of the Contact Data, each party shall, on request, make available to the other a copy of their applicable Fair Processing Notices and the receiving party shall ensure that such notices are provided to the applicable Employees whose Personal Data has been shared with the other party for the purposes set out in the Conditions (particularly paragraph 1.2).
Without limiting the generality of the obligation set out in paragraph 1.7, in particular each party, in relation to the Processing which relates directly or indirectly to the Personal Data under, or in connection with, the Conditions, shall, independently:
ensure that all Fair Processing Notices have been given (and/or, as applicable, consents obtained or other lawful basis are demonstrably in place), and are sufficient in scope to enable each party to Process the Personal Data as required in order to obtain the benefit of its rights and to fulfil its obligations under the Conditions in accordance with Data Protection Legislation. For the avoidance of doubt the Company does not warrant to the Client that any use of the Personal Data outside the scope of the Conditions or as otherwise specified in writing by the Company, shall be compliant with Data Protection Legislation;
ensure it is not subject to any prohibition or restriction which would:
(a) prevent or restrict it from disclosing or transferring the Personal Data to the other party as required under the Conditions;
(b) prevent or restrict it from granting the other party access to the Personal Data as required under the Conditions; or
(c) prevent or restrict either party from Processing the Personal Data, as envisaged under the Conditions;
where required, make due notification to the Regulator, including without limitation in relation to its use and Processing of the Personal Data and comply at all times with Data Protection Legislation;
ensure that appropriate operational and technical measures are in place to safeguard against any Personal Data Breach, and where requested each party shall provide to the other party evidence of its compliance with such requirements promptly, and in any event within forty-eight (48) hours of the request;
notify the other party promptly, and in any event within forty-eight (48) hours of receipt, of any Data Subject Request or Regulator Correspondence and, together with such notice, provide a copy of such Data Subject Request or Regulator Correspondence to the other party and reasonable details of the circumstances giving rise to it. In addition to providing the notice referred to in this paragraph 2.2.5, each party shall provide the other party with all reasonable co-operation and assistance required by the relevant party in relation to any such Data Subject Request or Regulator Correspondence. For the avoidance of doubt, each party shall be independently responsible for its response to any Data Subject or Regulator (in accordance with the Data Protection Legislation) and, unless otherwise agreed in writing, the parties do not anticipate that they have joint control of Personal Data held within each party’s respective information storage network or record keeping systems;
use reasonable endeavours to notify the other party if it is obliged to make a disclosure of any of the Personal Data under any statutory requirement, such notification to be made in advance of such disclosure or immediately thereafter unless prohibited by law;
notify the other party in writing without undue delay and, in any event, within twenty-four (24) hours of it becoming aware of any actual or suspected Personal Data Breach in relation to the Personal Data received from the other party and shall, within such timescale to be agreed by the parties (acting reasonably and in good faith):
(a) implement reasonable measures necessary to restore the security of compromised Personal Data; and
(b) support the other party to make any required notifications to the applicable.
take reasonable steps to ensure the reliability of any of its personnel who have access to the Personal Data;
not do anything which shall damage the reputation of the other party or that party’s relationship with the Data Subjects or a Regulator;
subject to paragraph 4 not transfer any Personal Data it is Processing to a Restricted Country;
hold the information contained in the Personal Data confidentially and under at least the conditions of confidence as such party holds other Personal Data Processed by it; and
without prejudice to paragraphs 3 and 4, not disclose the Personal Data to a third party (including without limitation a sub-contractor) in any circumstances without the other party’s prior written consent, save in relation to: (i) disclosures to Permitted Recipients; and (ii) subject to paragraph 3, Third party Requests.
The Company shall put in place reasonable procedures to ensure that all Candidate Personal Data disclosed or transferred to, or accessed by, the Client in connection with the Conditions are up-to-date, as well as adequate, relevant and not excessive to enable the Client to Process the Candidate Personal Data and obtain the benefit of its rights, as envisaged under the Conditions.
For the avoidance of doubt, the Client is independently responsible for undertaking any privacy impact assessment obligations under the Data Protection Legislation in relation to any Processing activities which are considered suitable for such risk assessment by a Regulator under the Data Protection Legislation.
The Company shall notify the Client without undue delay if, in its reasonable opinion, any Client instruction may breach the Data Protection Legislation, but without any obligation on the Company to provide and/or obtain legal advice or undertake legal research. The Company shall have no liability for any Processing which it is specifically instructed to undertake by the Client following such notification by the Company.
3 Third Party Request
Where either party receives a Third Party Request or becomes aware of Government Access in relation to the Personal Data shared between them under and subject to these Conditions, it shall where possible promptly notify the other party and provide all information available to it (including, in the case of a request, the requesting authority, the legal basis of the request and any initial response provided).
Where the receiving party is prohibited from notifying the other party it shall use its best efforts to obtain a waiver of the prohibition to notify the other party.
The receiving party shall:
review the legality of the request and exhaust all remedies to challenge the request if it concludes there are grounds under the laws of the country of receipt to do so. No disclosure shall be made until required under applicable procedural rules.
document its assessment and challenge of the request for disclosure and, to the extent permitted, make this available to the other party and any required Regulator;
where mandated only provide the minimum amount of information possible, based on a reasonable interpretation of the request.
Where notification is initially prohibited but is subsequently permitted, the receiving party shall provide notification to the other party of all the requisite details and actions taken as soon as practicable.
The obligations set out in paragraph 3.1 to 3.4 shall apply to any sub-contractors or any Permitted Recipients. The relevant party shall ensure appropriate terms are included within the applicable data processing or sharing agreements with such third parties.
4 Transfer of Personal Data to a Restricted Country
Notwithstanding the generality of paragraphs 1.7 and 2.2.10, the parties acknowledge and agree that where the Personal Data are disclosed or transferred by one party to the other and the exporting party is based in a Permitted Country, and the importing party is based in a Restricted Country, the parties shall undertake all requisite risk assessments required under the Data Protection Legislation in respect of the proposed Personal Data Processing within the Restricted Country, including assessing:
the laws of the importing country(ies) to ensure that they respect the fundamental rights and freedoms of the Data Subjects; and
assuring that such local laws do not exceed what is necessary and proportionate in a democratic society to safeguard the objectives set out in GDPR Art 23(1) and are not in contradiction with the Data Protection Legislation.
The importing party shall provide to the exporting party details of any Government Access made to the data importer or those third parties with whom the data importer may/shall onward share the applicable Personal Data.
If any of the requirements in paragraphs 4.1.1 or 4.1.2 cannot be met no transfer of Personal Data shall be permitted.
Notwithstanding any agreement that the requirements of paragraphs 4.1.1 or 4.1.2 have been met, if at any time during the term the data importer believes that it can no longer meet such requirements (due to a change of law or otherwise) it shall immediately notify the data exporter. Upon a notification in accordance with this paragraph 4.4 the parties will seek to identify and implement alternative measures, for example technical and security measures, to ensure compliance with the Data Protection Legislation. If no such alternative measures can be ensured, the exporting party may immediately on notice suspend or terminate the relevant transfer and, where such transfer is necessary for the performance of the Conditions or agreement between the parties absent which the services cannot be fulfilled, the exporting party may immediately terminate the Conditions.
Where the risk assessment confirms suitable protection in the importing country and information has been provided in accordance with paragraph 4.1.2 the parties shall enter into the Standard Contractual clauses unless there is an alternative basis for ensuring that the transfer is lawful under Data Protection Legislation and the parties have agreed and documented that alternative basis;
Where the Standard Contractual clauses are to be used then the parties agree that they shall complete all relevant details in, and enter into, the Standard Contractual clauses such being incorporated into and forming part, and subject to the limitations including clause 5, of the Conditions; and
Where the importing party is based in a Permitted Country and the Standard Contractual clauses do not apply, if the importing party discloses or transfers Personal Data to any third party based in a Restricted Country (“Third party”), the importing party shall seek to impose obligations upon the Third party that are at least as stringent as the obligations in the Conditions, and in particular ensure that the Third party is subject to the obligations set forth in this Schedule and shall enter into an agreement direct with the exporting party if reasonably required by the exporting party.
Lawfulness of the Transfer Mechanism
If a transfer of Personal Data to a Restricted Country is lawful but subsequently becomes unlawful (for example where the use of Standard Contractual Clauses or an adequacy determination of a competent authority in respect of a local territory are no longer lawful owing to a change in applicable law), then the parties shall use their best endeavours to promptly agree an alternative basis for the transfer so as to ensure that such transfer is lawful.
If the Standard Contractual Clauses are amended or updated by a competent authority then the parties shall use their best endeavours to promptly agree or accede to the updated Standard Contractual Clauses.
If you are established in the European Economic Area (EEA) and transfer Personal Data to us in the UK this paragraph applies. With effect from 1 January 2020, the parties acknowledge that transmission of personal data to the UK from the EEA is permitted on an interim basis pursuant to FINPROV10A of the Trade and Cooperation Agreement between the European Union and the European Atomic Energy Community of 24 December 2020. If it subsequently becomes necessary to put in place additional measures under the GDPR to effect a transfer of Personal Data from any Member State within the EEA to the UK, the parties agree that such transfer shall take effect in the following order of priority: (a) where an adequacy decision has been made by the EU in relation to the UK, subject to such decision; or absent such decision (b) where you are able to rely on a derogation under GDPR Article 49 in reliance on such derogation; or absent either: (c) we shall enter into the Standard Contractual Clauses.
DATA SHARING PARTICULARS
The subject matter and duration of the Processing
Due to the nature of the service under the Conditions and the relationship between the parties, their Employees and the Candidates, both Contact Data and Candidate Personal Data will be Processed by each party in line with their own respective retention policies, including the ongoing Engagement by the Client.
The nature and purpose of the Processing
For the Company to manage its relationship with the Candidates, provide Candidates and its service, and comply with its obligations under the Conditions.
Employees of each party
To manage and facilitate the relationship between the parties and the Conditions.
The type of Personal Data being Processed
Name, address, phone number, email address, other contact information, gender, CV including education and employment history, photograph, screening information (including without limitation criminal records checks, right to work information), vulnerable person status, right to work status, diversity information (ethnicity, sexual orientation), remuneration, PAYE/ payroll information, banking information, identity documents (passport/ driving licence), nature of employment relationship and employment terms.
Employees of each party
Name, role, business contact information including without limitation phone number and email address.
The categories of Data Subjects
Employees of each party
Data Protection Officer of the Company
Angela Hopkinson / Fiona McRae