Definitions
For the purpose of this Schedule, the following definitions shall apply:
Applicable Laws means the laws of England and Wales, the laws of the European Union so long as these apply in England and Wales, and any other laws or regulations, regulatory policies, guidelines or industry codes which apply to the provision of the Services;
Complaint means a complaint or request relating to either party’s obligations under Data Protection Laws relevant to this Agreement, including any compensation claim from a Data Subject or any notice, investigation or other action from a Supervisory Authority;
Controller means the natural or legal person which, alone or jointly with others, determines the purposes and means of processing of Protected Data;
Data Protection Laws means any Applicable Law relating to the processing, privacy, and use of Personal Data, as applicable to ICAEW, the Supplier and/or the Services, including: (a) in the United Kingdom:
(b) in member states of the European Union: the GDPR and the ePrivacy Directive, and all relevant member state laws or regulations giving effect to or corresponding with any of them; and any judicial or administrative interpretation of any of the above, any guidance, guidelines, codes of practice, approved codes of conduct or approved certification mechanisms issued by any relevant Supervisory Authority;
Data Protection Losses means all liabilities and other amounts, including all: (a) costs (including legal costs), claims, demands, actions, settlements, interest, charges, procedures, expenses, losses and damages (including relating to material or non-material damage); (b) loss or damage to reputation, brand or goodwill; (c) to the extent permitted by Applicable Law: the costs of loading ICAEW Data [and [insert any other relevant categories of loss, eg replacement of ICAEW materials and equipment]], to the extent the same are lost, damaged or destroyed, and any loss or corruption of ICAEW Data (including the costs of rectification or restoration of ICAEW Data);
Data Subject means a natural person to whom Personal Data relates;
Data Subject Request means a request made by a Data Subject to exercise any rights of Data Subjects under Data Protection Laws;
International Organisation means an organisation and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries;
International Recipient has the meaning given to that term in clause 6.1;
Personal Data means any information relating to an identified or identifiable natural person;
Personal Data Breach means any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, any Protected Data;
Processing means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, including (without limitation) collecting, recording, organising, structuring, storing, adapting, altering, retrieving, consulting, using, disclosing, combining, restricting, erasing or destroying (and related terms such as process have corresponding meanings);
Processing Instructions has the meaning given to that term in clause 2.1.1;
Processor means a natural or legal person which processes Personal Data on behalf of others;
Protected Data means Personal Data received from or on behalf of ICAEW, or otherwise obtained in connection with the performance of the Supplier’s obligations under this Agreement;
Standard Contract Clauses means contract clauses that have been approved by the UK Government and/or the European Commission (as applicable) as providing adequate safeguards for the transfer of Protected Data to overseas jurisdictions;
Sub-Processor means any agent, subcontractor or other third party engaged by the Supplier (or by any other Sub-Processor) to carry out any processing activities in respect of the Protected Data on behalf of the Supplier;
Supplier
Supplier Personnel means employees, agents and/or representatives of the Supplier;
Supervisory Authority means any local, national or multinational agency, department, official, parliament, public or statutory person or any government or professional body, regulatory or supervisory authority, board or other body responsible for administering Data Protection Laws; and
Valid Adequacy Mechanism means a mechanism to protect Personal Data that is recognised by the UK government and/or European Commission (as applicable) as providing adequate safeguards for Personal Data transferred outside the UK and/or European Union (as applicable).
Specific interpretive provisions
In clauses 1 to 10 (inclusive):
- references to any Applicable Laws (including to the Data Protection Laws and each of them) and to terms defined in such Applicable Laws shall be replaced with or incorporate (as the case may be) references to any Applicable Laws replacing, amending, extending, re-enacting or consolidating such Applicable Law (including particularly the GDPR and/or the Revised UK DP Law) and the equivalent terms defined in such Applicable Laws, once in force and applicable;
- a reference to a law includes all subordinate legislation made under that law; and
- clauses 1 to 10 (inclusive) shall survive termination (for any reason) or expiry of this Agreement (or of any of the Services).
Data processing provisions
1. Data Processor and Data Controller
1.1 The parties agree that, for the Protected Data, ICAEW shall be the Data Controller and the Supplier shall be the Data Processor. The details of such processing are set out in the Work Statement.
1.2 The Supplier shall comply with all Data Protection Laws in connection with the processing of Protected Data, the Services and the exercise and performance of its respective rights and obligations under this Agreement and shall not by any act or omission cause ICAEW (or any other person) to be in breach of any Data Protection Laws.
1.3 ICAEW shall comply with all Data Protection Laws in respect of the performance of its obligations under this Agreement.
2. Instructions and details of processing
2.1 Insofar as the Supplier processes Protected Data on behalf of ICAEW, the Supplier:
2.1.1 unless required to do otherwise by Applicable Law, shall (and shall ensure each person acting under its authority shall) process the Protected Data only on and in accordance with ICAEW’s documented instructions as set out in this clause 2 and the Work Statement (Data Processing Activities), and as updated from time to time by the written agreement of the parties (Processing Instructions); and
2.1.2 if Applicable Law requires it to process Protected Data other than in accordance with the Processing Instructions, shall notify ICAEW of any such requirement before processing the Protected Data (unless Applicable Law prohibits such information on important grounds of public interest).
2.2 The Supplier shall immediately inform ICAEW in writing if, in the Supplier’s opinion, a Processing Instruction infringes the Data Protection Laws or any other Applicable Laws relating to data protection and explain the reasons for its opinion, provided that this shall be without prejudice to clause 1.2.
2.3 The processing to be carried out by the Supplier under this Agreement shall comprise the processing set out in the Work Statement (Data Processing Activities), and such other processing as agreed by the parties in writing from time to time.
3. Technical and organisational measures
3.1 The Supplier shall implement and maintain, at its cost and expense, appropriate technical and organisational measures in relation to the processing of Protected Data by the Supplier:
3.1.1 such that the processing will meet the requirements of Data Protection Laws and ensure the protection of the rights of Data Subjects;
3.1.2 so as to ensure a level of security in respect of Protected Data processed by it that is appropriate to the risks that are presented by the processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Protected Data transmitted, stored or otherwise processed; and
3.1.3 without prejudice to clause 5.1, insofar as is possible, to assist ICAEW in the fulfilment of ICAEW’s obligations to respond to Data Subject Requests relating to Protected Data.
3.2 Without prejudice to clause 3.1, the Supplier shall, in respect of the Protected Data processed by it under this Agreement, comply with the requirements regarding security of processing set out in Data Protection Laws (as applicable to Data Processors), all relevant ICAEW Policies and in this Agreement.
4. Using Sub-Processors and Personnel
4.1 The Supplier shall not provide access or permit any processing of Protected Data by any Sub-Processor without the prior specific written authorisation of that Sub-Processor by ICAEW.
4.2 Where authorisation has been granted by ICAEW to the Supplier to engage any Sub-Processor in accordance with clause 4.1, the Supplier shall, prior to the Sub-Processor carrying out any processing activities in respect of the Protected Data:
4.2.1 undertake due diligence on the Sub-Processor to ensure the Sub-Processor has all appropriate technical and organisational measures in place as are required to enable compliance with the requirements of Data Protection Laws and the terms of this Agreement; and
4.2.2 appoint the Sub-Processor under a binding written contract, with enforceable data protection obligations on the same terms as apply to the Supplier under this Agreement.
4.3 Clause 4.2 includes an obligation on the Supplier to ensure that the contract with a Sub-Processor requires that the Sub-Processor at all times:
- processes Protected Data only on and in accordance with the Processing Instructions and complies with the same obligations as the Supplier (as amended from time to time and including, without limitation, all obligations relating to security, audits, compliance with Applicable Laws, notifications, keeping of records and the destruction or deletion of Protected Data);
- provides sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing of the Protected Data will meet the requirements of Data Protection Laws; and
- is obliged to obtain the specific prior written consent of ICAEW and comply with the conditions referred to in this clause 4.3 for engaging another Processor (including any replacement).
4.4 The Supplier shall promptly upon request by ICAEW provide the relevant details of any such Sub-Processor to ICAEW.
4.5 The Supplier shall immediately cease using a Sub-Processor upon receiving written notice from ICAEW requesting that the Sub-Processor ceases processing Protected Data for security reasons or concerns about the Sub-Processor’s ability to carry out the relevant processing in compliance with Data Protection Laws or this Agreement.
4.6 The Supplier shall, and shall procure that each Sub-Processor that has access to Protected Data shall, comply with the Supplier’s obligations under clauses 1 to 10 (inclusive) (including that all obligations and responsibilities relating to Supplier Personnel shall apply to employees, agents or representatives of each Sub-Processor (Sub-Processor Personnel)). The Supplier shall, where that Sub-Processor fails to fulfil its obligations in accordance with any Sub-Processor Contract, remain fully liable to ICAEW for the performance of that Sub-Processor’s obligations. The acts or omissions of any Sub-Processor or Sub-Processor Personnel in connection with the processing of Protected Data shall be deemed the act or omission of the Supplier.
4.7 The Supplier shall ensure that the Supplier Personnel and all other persons authorised by it, or by any person acting on its behalf (including by any Sub-Processor pursuant to clause 4.1), to process Protected Data are subject to a binding written contractual obligation with the Supplier or with the Sub-Processor that has engaged them to keep the Protected Data confidential (except where disclosure is required in accordance with Applicable Law, in which case the Supplier shall, where practicable and not prohibited by Applicable Law, notify ICAEW of any such requirement before such disclosure).
4.8 Without prejudice to any other provision of clauses 1 to 10 (inclusive), the Supplier shall ensure that the Supplier Personnel processing Protected Data are reliable and have received adequate training on compliance with clauses 1 to 10 (inclusive) and the Data Protection Laws applicable to the processing.
4.9 The Supplier shall ensure that access to Protected Data is limited to the authorised persons who need access to it to supply the Services.
4.10 The Supplier remains fully liable to ICAEW under this Agreement for all the acts and omissions of each Sub-Processor and each of the Supplier Personnel as if they were its own.
5. Assistance with ICAEW’s compliance and Data Subject rights
5.1 The Supplier shall (at no cost to ICAEW):
5.1.1 promptly record and then refer all Data Subject Requests it receives to ICAEW within two Business Days of receipt of the request;
5.1.2 provide such information and cooperation and take such action as ICAEW reasonably requests in relation to each Data Subject Request, within the timescales reasonably required by ICAEW; and
5.1.3 not respond to any Data Subject Request or Complaint without ICAEW’s prior written approval.
5.2 Without prejudice to clause 2.1, the Supplier shall, at its cost and expense, provide such information, co-operation and other assistance to ICAEW as ICAEW reasonably requires (taking into account the nature of processing and the information available to the Supplier) to ensure compliance with ICAEW’s obligations under Data Protection Laws, including with respect to:
5.2.1 security of processing;
5.2.2 data protection impact assessments (as such term is defined in Data Protection Laws);
5.2.3 prior consultation with a Regulator regarding high risk processing; and
5.2.4 any remedial action and/or notifications to be taken in response to any Personal Data Breach and/or Complaint, including (subject in each case to ICAEW's prior written authorisation) regarding any notification of the Personal Data Breach to Regulators and/or communication to any affected Data Subjects.
6. International data transfers
6.1 Where the Supplier is located in a country that is not recognised by the UK Government as offering adequate protection for Personal Data, the parties shall enter into the relevant Standard Contractual Clauses prior to any Protected Data being transferred to the Supplier. If, during the term of this Agreement, the form of the Standard Contractual Clauses executed by the parties is superseded by a new set of Standard Contractual Clauses, the parties shall promptly execute the new set of Standard Contractual Clauses.
6.2 The Supplier shall not transfer any Protected Data to any country outside the United Kingdom and/or European Economic Area or to any International Organisation without the ICAEW’s prior written consent.
6.3 Where the ICAEW authorises the Supplier to transfer Protected Data to recipients outside of the UK and/or the EEA (Overseas Recipients) as set out in Annex 2 (Data Transfer Records) for the purposes of fulfilling its obligations under this Agreement, pursuant to clause 6.1:
6.3.1 the Supplier shall take all necessary steps to ensure that transfers of Protected Data outside the UK and/or the EEA are effected by way of Valid Adequacy Mechanisms;
6.3.2 the Supplier shall maintain accurate and comprehensive records of all transfers of Protected Data outside of the UK and the EEA and shall document the adequacy mechanism relied upon in each case (together referred to as the Data Transfer Records);
6.3.3 if there are any changes to the Data Transfer Records during the term of this agreement, the Supplier shall promptly provide an updated copy of the Data Transfer Records to the ICAEW;
6.3.4 The Supplier shall take all necessary steps to ensure that the Overseas Recipient can comply with the Valid Adequacy Mechanism relied upon, including (without limitation) by carrying out and documenting due diligence on all recipients of Protected Data prior to any transfer occurring and carrying out an assessment of the laws of the country to which Protected Data are being transferred to ensure that public authorities in that country will not be permitted to access the Protected Data;
6.3.5 if, as a result of the due diligence and the assessment carried out pursuant to clause 6.3.4, and taking into account regulatory guidance, the Supplier identifies that additional supplementary measures need to be put in place to protect Protected Data from unauthorised access by public authorities, the Supplier shall put in place all necessary supplementary measures and shall include details of those measures in the Data Transfer Records;
6.3.6 if it is not possible to protect Protected Data from unauthorised access by public authorities in a particular location, the Supplier shall not transfer any Protected Data to that location;
6.3.7 upon request, the Supplier shall provide a copy of the due diligence and the assessment carried out pursuant to clause 6.3.4 to the ICAEW;
6.3.8 if the ICAEW is not satisfied with the due diligence or the assessment carried out by the Supplier, ICAEW may require the Supplier to take additional steps to ensure that adequate measures are in place to protect Protected Data transferred outside of the UK or the EEA or may require the Supplier to immediately cease all transfers of Protected Data to the relevant Overseas Recipient(s) and to procure the return of Protected Data;
6.3.9 [Omit this clause if ICAEW is processor?: the Supplier shall put in place a written contract with the Overseas Recipient that shall contain the data transfer clauses set out in Annex 3 (Data Transfer Clauses), shall procure that the Overseas Recipient complies with those clauses and shall put in place appropriate measures to monitor compliance;]
6.3.10 if the Valid Adequacy Mechanism relied upon becomes invalid or if the Overseas Recipient is not able to comply with the requirements of the Valid Adequacy Mechanism or the obligations set out in the data transfer clauses due to local laws or for any other reason, the Supplier shall immediately stop all transfers of Protected Data to the relevant Overseas Recipient and shall either put in place an alternative adequacy mechanism to the reasonable satisfaction of the ICAEW or immediately cease all data transfers and demand immediate return of all Protected Data from that Overseas Recipient. If it is not possible to put in place an alternative adequacy mechanism or return all Protected Data, the ICAEW shall be entitled to terminate this agreement immediately;
6.3.11 upon request, the Supplier shall provide evidence of compliance with the obligations set out in this clause; and
6.3.12 the Supplier shall indemnify on demand ICAEW from and against all damages, liability, demands, costs and expenses (including legal and other professional fees, costs and expenses), claims, actions and proceedings suffered or incurred by ICAEW arising out of or in connection with:
(a) any breach of this clause 6 by the Supplier;
(b) any failure by the Overseas Recipient to comply with the requirements of the adequacy mechanism or the data transfer clauses;
(c) any third-party claims arising in relation to the transfer of Protected Data by the Supplier to a recipient outside of the UK or the EEA; and
(d) any regulatory investigations, to the extent that such investigations relate to the transfer of Protected Data by the Supplier to a recipient outside of the UK or the EEA.
7. Records, information and audit
7.1 The Supplier shall maintain complete, accurate and up to date written records of all categories of processing activities carried out on behalf of ICAEW, containing such information as ICAEW may reasonably require, including:
7.1.1 the name and contact details of the Supplier’s representative and data protection officer (if any);
7.1.2 the categories of processing carried out on behalf of ICAEW;
7.1.3 where applicable, details of transfers of Protected Data to an International Recipient; and
7.1.4 a general description of the technical and organisational security measures referred to in clause 3.1.
7.2 The Supplier shall make available to ICAEW on request in a timely manner (and in any event within three Business Days):
7.2.1 copies of the records under clause 7.1; and
7.2.2 such other information as ICAEW reasonably requires to demonstrate the Supplier’s and ICAEW’s compliance with their respective obligations under Data Protection Laws and this Agreement.
7.3 The Supplier shall at no cost to ICAEW:
7.3.1 allow for and contribute to audits, including inspections, conducted by ICAEW or another auditor mandated by ICAEW for the purpose of demonstrating compliance by the Supplier and ICAEW with their respective obligations under Data Protection Laws and under clauses 1 to 10 (inclusive); and
7.3.2 provide (and procure) reasonable access for ICAEW or such other auditor (where practicable, during normal business hours) to:
- the facilities, equipment, premises and sites on which Protected Data and/or the records referred to in clause 7.1 are held, and to any other equipment or facilities used in the provision of the Services (in each case whether or not owned or controlled by the Supplier); and
- to the Supplier Personnel,
provided that ICAEW gives the Supplier reasonable prior notice of such audit and/or inspection.
7.4 If any audit or inspection reveals a material non-compliance by the Supplier with its obligations under Data Protection Laws or a breach by the Supplier of any of clauses 1 to 10 (inclusive), the Supplier shall pay the reasonable costs of ICAEW or its mandated auditors, of the audit or inspection.
7.5 The Supplier shall promptly resolve, at its own cost and expense, all data protection and security issues discovered by ICAEW and reported to the Supplier that reveal a breach or potential breach by the Supplier of its obligations under any of clauses 1 to 10 (inclusive).
7.6 If the Supplier is in breach of its obligations under any of clauses 1 to 10 (inclusive) or clause 7.5, ICAEW may suspend the transfer of Protected Data to the Supplier until the breach is remedied.
7.7 ICAEW shall be entitled to share any notification, details, records or information provided by or on behalf of the Supplier under any of clauses 1 to 10 (inclusive) (including under clauses 7 or 8) with its professional advisors and/or the Supervisory Authority(ies).
8. Breach notification
8.1 In respect of any Personal Data Breach, the Supplier shall:
8.1.1 notify ICAEW of the Personal Data Breach without undue delay (but in no event later than 12 hours after becoming aware of the Personal Data Breach); and
8.1.2 provide ICAEW without undue delay (wherever possible, no later than 24 hours after becoming aware of the Personal Data Breach) with such details as ICAEW reasonably requires regarding:
- the nature of the Personal Data Breach, including the categories and approximate numbers of Data Subjects and Protected Data records concerned;
- any investigations into such Personal Data Breach;
- the likely consequences of the Personal Data Breach; and
- any measures taken, or that the Supplier recommends, to address the Personal Data Breach, including to mitigate its possible adverse effects,
provided that (without prejudice to the above obligations) if the Supplier cannot provide all these details within the timeframes set out in this clause 8.1.2, it shall (before the end of such timeframes) provide ICAEW with reasons for the delay and when it expects to be able to provide the relevant details (which may be phased), and give ICAEW regular updates on these matters.
8.2 In the event of a Personal Data Breach, and without prejudice to clause 8.3, the parties will co-ordinate with each other to investigate the matter and the Supplier shall reasonably co-operate with ICAEW (at no cost to ICAEW) in ICAEW’s handling of the matter, including by:
8.2.1 assisting with any investigation;
8.2.2 providing the ICAEW with physical access to any facilities and operations affected;
8.2.3 facilitating interviews with the Supplier Personnel;
8.2.4 making available all relevant records, logs, files, data reporting and other materials required to comply with all Data Protection Laws or as otherwise reasonably required by the ICAEW; and
8.2.5 taking reasonable and prompt steps to mitigate the effects and to minimise any damage resulting from the Personal Data Breach or accidental, unauthorised or unlawful processing.
8.3 ICAEW shall at its sole discretion determine whether to provide notification to the Data Subject, any third party or Regulator(s) and the Supplier shall not notify the Data Subject, any third party or Regulator(s) unless such disclosure by the Supplier is required by law or is otherwise approved by ICAEW. ICAEW shall approve all notifications to Data Subjects, third parties or Regulator(s) which it determines are required or appropriate.
8.4 In the event of any loss, unintended destruction or damage, corruption, or unusability of part or all of the Protected Data, the Supplier shall without undue delay notify ICAEW. The Supplier will restore such Protected Data at its own expense as soon as possible.
9. Deletion or return of Protected Data and copies
9.1 The Supplier shall (and shall ensure that all Sub-Processors and all Supplier Personnel shall) immediately (and in any event within 3 days), at ICAEW’s written request, either securely delete or securely return all the Protected Data to ICAEW in such form as ICAEW reasonably requests after the earlier of:
9.1.1 the end of the provision of the relevant Services related to processing of such Protected Data; or
9.1.2 once processing by the Supplier of any Protected Data is no longer required for the purpose of the Supplier’s performance of its relevant obligations under this Agreement,
and securely delete existing copies (unless storage of any data is required by Applicable Law and, if so, the Supplier shall inform ICAEW of any such requirement).
9.2 The Supplier shall provide written confirmation to ICAEW of its compliance with clause 9.1.
10. Liability and indemnities
10.1 The Supplier shall indemnify and keep indemnified ICAEW in respect of all Data Protection Losses suffered or incurred by, awarded against or agreed to be paid by, ICAEW arising from or in connection with:
10.1.1 any breach by the Supplier of any of its obligations under clauses 1 to 9 (inclusive); or
10.1.2 the Supplier (or any person acting on its behalf) acting outside or contrary to the lawful Processing Instructions of ICAEW in respect of the processing of Protected Data.
10.2 This clause 10 is intended to apply to the allocation of liability for Data Protection Losses as between the parties, including with respect to compensation to Data Subjects, notwithstanding any provisions under Data Protection Laws to the contrary, except:
10.2.1 as permitted by Applicable Law (including Data Protection Laws); and
10.2.2 that it does not affect the liability of either party to any Data Subject.
11. Conflicts
11.1 Unless otherwise expressly stated in this Agreement:
11.1.1 the Supplier’s obligations and ICAEW’s rights and remedies under clauses 1 to 10 (inclusive) are cumulative with, and additional to, any other provisions of this Agreement;
11.1.2 nothing in this Agreement relieves the Supplier of any responsibilities or liabilities under any Data Protection Laws; and
11.1.3 clauses 1 to 10 (inclusive) shall prevail over any other provision of this Agreement in the event of any conflict.
Annex 1
Data Processing Activities
Controller:
Processor:
Joint Controller:
Separate Controller:
Please enter company names above; only two boxes should be completed.
Sub-Processor:
Only applicable if prior written authorisation has been approved by ICAEW.
The details of the Processing taking place under this Agreement are set out below.
Data Subjects: [Insert the categories of persons whose personal data will be processed under the agreement]
Categories of Personal Data: [Insert the categories of personal data that will be processed under the agreement]
Categories of special category personal data: [Insert the categories of special category personal data that will be processed under the agreement]
Processing purposes: [insert the purposes for which data will be processed under the agreement]
Nature of processing: [insert the type of processing that will occur under the agreement]
Duration of the processing: [insert the duration for which personal data will be processed under the agreement]
Breach notification: Report any data breach to the ICAEW Data Protection Office: dataprotection@icaew.com, +44 (0)1908 248 250 [insert the other party’s details, where ICAEW is processor]
Annex 2
Data Transfer Records
The Data Transfer Records shall record, for each transfer:
- Name of recipient of data (Data Recipient)
- Location of Data Recipient
- Valid Adequacy Mechanism relied upon
- Supplementary measures in place to protect Protected Data from access by public authorities
- Date and name of contract in which the Data Transfer Clauses set out in Annex 3 are incorporated
Annex 3
Data Transfer Clauses
The Supplier shall ensure that the following clauses, amended as necessary to reflect defined terms in the contract with the Overseas Recipient, are included in a legally binding written contract with Overseas Recipients of Protected Data.
1.1 Prior to any Protected Data being transferred by the Supplier to an Overseas Recipient, the parties shall ensure there is a valid adequacy mechanism recognised by the UK government and/or the European Commission (as applicable) in place to protect the Protected Data.
1.2 The Overseas Recipient warrants and undertakes that:
1.2.1 it is able to and shall comply with all requirements of the valid adequacy mechanism;
1.2.2 the information set out in Annex A is true, accurate and complete and the Overseas Recipient shall notify the Supplier promptly if there is any change to the information set out in Annex A;
1.2.3 it shall not voluntarily co-operate with any public authorities to provide Protected Data to such authorities unless it is legally compelled to do so pursuant to a court order;
1.2.4 if the Overseas Recipient receives any requests for access to Protected Data from public authorities, the Overseas Recipient shall:
(a) review the legality of any order to disclose Protected Data, including whether the order is within the remit of the powers granted to the requesting authority;
(b) challenge the order if, after assessment, the Overseas Recipient concludes that there are grounds under applicable laws to do so;
(c) when challenging an order, seek interim measures to suspend the effect of the order until a decision is made by relevant courts on the challenge to the order;
(d) not disclose any Protected Data requested until required to do so under applicable procedural rules;
(e) inform the requesting public authority that the order is incompatible with the safeguards contained in the valid adequacy mechanism and there is therefore a conflict of obligations for the Overseas Recipient;
(f) where it is legally permitted to do so, the Overseas Recipient shall notify the Supplier that the order has been received as soon as possible;
(g) where necessary to disclose Protected Data, having followed the steps set out in this clause 1.2.4, only provide the minimum amount of Protected Data permissible when responding to the order, based on a reasonable interpretation of the order;
1.2.5 it has not created, and will not create, any back doors or similar programming that could be used by public authorities to access the Overseas Recipient’s systems and/or Protected Data held in the Overseas Recipient’s systems;
1.2.6 it has not created or changed, and will not create or change, its business processes in a manner that facilitates access to Protected Data or the Overseas Recipient’s systems by public authorities;
1.2.7 neither national law nor government policy to which the Overseas Recipient is subject requires the Overseas Recipient to create or maintain back doors, to facilitate access to Protected Data or the Overseas Recipient’s systems, or to be in possession of or hand over any encryption keys to public authorities;
1.2.8 it shall comply with the supplementary measures set out in Annex B (if applicable);
1.2.9 it shall not engage in any onward transfer of the Protected Data, whether within the same jurisdiction or to another jurisdiction, without the prior written consent of the Supplier;
1.2.10 where the Overseas Recipient is legally obliged to provide access to Protected Data to a public authority and a data subject wishes to seek access, rectification, erasure or restriction of processing of such Protected Data by the public authority, or otherwise seeks redress against the public authority, the Overseas Recipient shall provide all necessary assistance and legal support to the data subject (at the Overseas Recipient’s cost) to enable the data subject to exercise their rights and/or seek redress against the public authority;
1.2.11 it shall notify the Supplier promptly if it is not able to comply with any of the warranties and undertakings given in this clause 1.2 or if any of the warranties or undertakings are breached.
1.3 If:
1.3.1 the valid adequacy mechanism relied upon becomes invalid; or
1.3.2 the Overseas Recipient is not able to comply with the requirements of the valid adequacy mechanism due to local laws or for any other reason; or
1.3.3 the Overseas Recipient is in breach of any of the warranties and undertakings given in clause 1.2,
the Overseas Recipient shall, at the request of the Supplier, put in place additional supplementary measures to protect Protected Data to the reasonable satisfaction of the Supplier or immediately return all Protected Data to the Supplier. If it is not possible to put in place additional supplementary measures to the satisfaction of the Supplier or to return all Protected Data to the Supplier while continuing to fulfil the obligations under this agreement, the Supplier shall be entitled to terminate this agreement immediately.
1.4 The Overseas Recipient shall keep access and audit logs for all systems in which Protected Data is held and shall ensure that such access and audit logs distinguish between access to Protected Data carried out in connection with usual operating procedures and access to Protected Data due to orders or access requests from public authorities. The Overseas Recipient shall permit the Supplier or its appointed auditor to carry out audits and inspections of the Overseas Recipient’s data processing facilities (including access to the access and audit logs) at any time to verify whether Protected Data has been disclosed to public authorities.
1.5 The Overseas Recipient shall indemnify on demand the Supplier and the Institute of Chartered Accountants in England and Wales (ICAEW) from and against all damages, liability, demands, costs and expenses (including legal and other professional fees, costs and expenses), claims, actions and proceedings suffered or incurred by the Supplier arising out of or in connection with any breach of this clause 1 by the Overseas Recipient.
1.6 The Overseas Recipient acknowledges and agrees that the data transfer provisions set out in this agreement are entered into for the benefit of the Supplier and ICAEW. ICAEW shall be entitled in its own right to enforce all of the data protection provisions in this agreement (including without limitation the provisions of this clause 1) directly against the Overseas Recipient subject to, and in accordance with, the Contracts (Rights of Third Parties) Act 1999.
Annex A
Information regarding access to data by public authorities
[Guidance note: The table below should be completed by the Overseas Recipient.]
Location(s) in which Protected Data will be stored by the Overseas Recipient or from which it will be accessed by the Overseas Recipient (the “Data Location(s)”) | |
Laws and regulations in the Data Location(s) that would permit access by public authorities to the Protected Data, in particular in the areas of intelligence, law enforcement, administrative and regulatory supervision | |
Based on the Overseas Recipient’s experience, national case law and publicly reported cases, please provide an overview of the circumstances in which public authorities in the Data Location(s) access Protected Data of the type that will be transferred under this Agreement | |
Measures taken by the Overseas Recipient to prevent access to Protected Data by public authorities | |
Details of all requests to access Protected Data which the Overseas Recipient has received from public authorities in the last three years. Please provide details of the nature of the requests, the data requested, the requesting body, the legal basis for disclosure and the extent to which Protected Data was disclosed in response to the request(s) | |
Please specify whether the Overseas Recipient is legally prohibited from providing any of the information above. | |
Annex B
Supplementary measures to safeguard Protected Data
[Guidance note: Insert details of any supplementary measures to be taken here. If additional measures are not required, then state “Not Applicable” here and delete the sections below.]
- [Insert details of any encryption requirements. If the Overseas Recipient is solely hosting the Protected Data and does not require access to it, then the data should be encrypted with the encryption keys held solely by the Supplier in the UK/EEA. Include details of any requirements for encryption during transmission.]
- [Insert details of specific retention and data deletion requirements.]
- [Insert details of any anonymisation or pseudonymisation requirements.]
- [Consider any other measures that could protect the data from unauthorised access by public authorities.]