Vantage Online – Variation Agreement
With immediate effect the parties agree to amend the Agreement by:
1. Deleting the definition of “Personal Data” in clause 1.1;
2. Inserting the following definitions into clause 1.1 of the Agreement:
“Agreed Purpose” has the meaning given to it in Clause 14.6;
“Applicable Law” has the meaning given to it in Clause 14.10(c);
“Data Protection Legislation” means all applicable laws, regulations, directives and codes of practice relating to the processing of personal data and privacy including, but not limited to the Data Protection Act 1998, the GDPR, the Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2426/2003) and the Electronic Communications Data Protection Directive (2002/58/EC) including any relevant primary, subordinate or implementing laws, regulations, directives, or codes of practice and any replacement/subsequent European and/or UK legislation, as amended from time to time;
“GDPR” means the General Data Protection Regulation (EU/2016/679);
“Sensitive Personal Data” has the meaning given to it in the Data Protection Legislation, including any Personal Data which falls within the special categories of personal data as set out in Article 9(1) GDPR.
3. Inserting a new clause 1.2 which reads:
1.2 The terms Personal Data, Data Controller, Data Processor, Data Subject, and Process have the meaning given in the Data Protection Legislation.
4. Deleting the entire text of Clause 14 and replacing it with the following:
14.1 The parties consider the sharing of the Customer Personal Data is necessary for the fulfilment of the Provider’s obligations under the Agreement, which forms the subject matter of the Agreement.
14.2 This Clause 14 sets out the framework for the processing of the Customer Personal Data by the parties as Data Controller (the Customer) and Data Processor (the Provider).
14.3 In the event that the Data Protection Legislation changes in a way that this Clause 14 is no longer adequate for the purpose of governing lawful data Processing exercises, the parties will negotiate in good faith to amend this clause in light of such new legislation.
14.4 The terms and conditions set out in this Clause 14 are in addition to and do not relieve, remove or replace a party’s obligations under the Data Protection Legislation.
14.5 Both parties shall comply with all applicable requirements of the Data Protection Legislation.
14.6 The table below sets out the nature and purpose of the Processing of the Customer Personal Data by the Provider under the Agreement, the duration of the Processing, the types of Personal Data and the categories of Data Subject.
14.7 The Provider shall not Process the Customer Personal Data in a way that is incompatible with the Agreed Purpose described in the above table.
14.8 The Parties shall each be responsible for maintaining a record of individual requests made by Data Subjects as set out under Articles 15, 16, 17, 18, 20, 21 and/or 22 of the GDPR, the decisions made and any information that was exchanged. Records must include copies of the request, details of the data accessed and shared and where relevant, notes of any meeting, correspondence or phone calls relating to the request.
14.9 The Customer:
(a) warrants to the Provider that it has the legal right to disclose all Customer Personal Data that it does in fact disclose to the Provider under or in connection with the Agreement, and that the Processing of that Personal Data by the Provider for the Agreed Purpose in accordance with the Agreement will not breach the Data Protection Legislation;
(b) shall be responsible for maintaining the accuracy of the Customer Personal Data. The Provider shall promptly comply with any request from the Customer requiring the Provider to amend or transfer the Customer Personal Data.
14.10 The Provider warrants and undertakes to the Customer that it shall:
(a) ensure that it has in place and implements throughout the Term appropriate technical and organisational measures sufficient to guarantee that its Processing of the Customer Personal Data meets the requirements of the Data Protection Legislation and to ensure the protection of the rights of the Data Subjects;
(b) maintain and make available to the Customer complete and accurate records and information to demonstrate its compliance with the obligations laid down in the Data Protection Legislation and this Schedule and allow for and contribute to audits, including inspections, conducted by the Customer or another auditor mandated by the Customer;
(c) Process the Customer Personal Data only in accordance with written instructions given by the Customer during the Term, unless the Provider is required by the national laws of any member of the European Union or by the laws of the European Union applicable to the Provider to Process the Customer Personal Data (“Applicable Law”). Where the Provider is relying on Applicable Law as the basis for Processing the Customer Personal Data, the Provider shall promptly notify the Customer of the same before performing such Processing unless the Applicable Law prohibits the Provider from notifying the Customer;
(d) immediately inform the Customer in the event the Provider reasonably believes that the Customer’s instructions breach the Data Protection Legislation;
(e) ensure that it has in place appropriate technical and organisational measures to protect against unauthorised or unlawful Processing of the Customer Personal Data and against accidental loss or destruction of, or damage to, the Customer Personal Data, appropriate to the harm that might result from such unauthorised or unlawful Processing or accidental loss, destruction or damage and the nature of the Customer Personal Data, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymising and encrypting Personal Data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it);
(f) taking into account the nature of Processing and the information available to the Provider, provide the Customer with full co-operation and assistance in ensuring compliance with the obligations laid down in the Data Protection Legislation concerning the security of Processing;
(g) ensure that access to the Customer Personal Data is limited to those Provider personnel who have a reasonable need to access the Customer Personal Data to enable the Provider to perform its duties under the Agreement; any access to the Customer Personal Data must be limited to such part or parts of the Customer Personal Data as are strictly necessary and that such personnel are obliged to keep the Customer Personal Data confidential. The Provider shall take reasonable steps to ensure the reliability of any Provider personnel who have access to the Customer Personal Data. Without prejudice to this general obligation, the Provider shall ensure that all relevant Provider personnel are informed of the confidential nature of the Customer Personal Data, have undertaken training in the laws relating to handling Personal Data, and are aware of the Provider’s duties in respect of that Personal Data;
(h) not transfer the Customer Personal Data outside of the European Economic Area without the Customer’s prior written authorisation and provided that where authorisation is given such transfer is undertaken only in compliance with the Data Protection Legislation;
(i) promptly inform the Customer of any complaints, requests or enquiries received from Data Subjects under the Data Protection Legislation, including but not limited to requests made pursuant to Chapter III of the GDPR, and shall provide the Customer with full co-operation and assistance in relation to such complaints, requests or enquiries;
(j) assist the Customer in responding to any request from a Data Subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators;
(k) notify the Customer without undue delay, and in any event within 24 hours, upon becoming aware of a personal data breach (the accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, or any other unlawful form of Processing) and co-operate fully with the Customer to the extent required with regard to the notification of the data breach to the relevant supervisory authority and the communication of the data breach to the affected Data Subject(s);
(l) not retain or Process the Customer Personal Data for longer than is necessary to carry out the Agreed Purpose and at the written direction of the Customer, delete or return the Customer Personal Data and copies thereof to the Customer on termination of the Agreement unless required by Applicable Law to store the Customer Personal Data;
(m) at the Customer’s request, provide to the Customer a copy of the Customer Personal Data held by it in connection with the Agreement, in the format and on the media reasonably specified by the Customer; and
(n) not authorise any third party sub-contractor to Process the Customer Personal Data under the Agreement unless:
(i) the prior written authorisation of the Customer has been obtained; and
(ii) the sub-contractor’s contract is on terms which are substantially the same as those set out in this Clause 14; and
(iii) the sub-contractor’s contract terminates automatically on termination of the Agreement for any reason; and
(iv) the Provider shall at all times be fully liable to the Customer for the performance by the sub-contractor of its obligations, as if the Provider were performing those obligations itself.
14.11 The parties shall review the effectiveness of this Clause 14 every 12 months, having consideration to the Agreed Purpose. The parties shall continue, amend or terminate the Agreement depending on the outcome of this review.
14.12 The review of the effectiveness of this Clause 14 will involve:
(a) assessing whether the purposes for which the Customer Personal Data is being Processed are still the ones listed in the table at Clause 14.6;
(b) assessing whether the Customer Personal Data is still as listed in the table at Clause 14.6;
(c) assessing whether the Data Protection Legislation, insofar as it governs data quality, retention, and Data Subjects’ rights, is being complied with; and
(d) assessing whether Personal Data breaches have been handled in accordance with this Schedule and the Data Protection Legislation.
SIGNED by TONY MILFORD
for and on behalf of VANTAGE COMPUTING LIMITED