Sentinel Data Data Processing Obligations

“Personal Data”, “Data Controller”, “Data Processor”, “Data Subject” and “Process” shall have the meanings set out in all relevant Data Protection Legislation.

  1. You shall be the Data Controller and we shall be the Data Processor in respect of Personal Data Processed by us on your behalf in performing the obligations under this Agreement. You shall be solely responsible for determining the purposes for which, and the manner in which, such Personal Data is Processed. However, we shall further be authorised to Process the Personal Data where we are required to do so by the laws of the UK or of any member state of the EU, or by the laws of the EU applicable to us (“Applicable Laws”). Where we rely on laws of the UK, or a member state of the EU or EU law as the basis for Processing Personal Data, we shall promptly notify you of this before performing the Processing required by the Applicable Laws unless those Applicable Laws prohibit us from notifying you.
  2. You will ensure that you have all necessary appropriate consents and notices in place to enable the lawful transfer of the Personal Data to us and the Processing of the Personal Data by us (or any of our authorised sub-processors) for the purposes of this Agreement.
  3. We shall both at all times during the term of this Agreement comply with all applicable requirements of Data Protection Legislation in relation to the Processing of Personal Data.
  4. We will maintain a written record of all Processing of Personal Data performed by us on your behalf, and provide you with a copy of such record on request. The record shall include the following information:
    • the categories of Processing carried out on your behalf,
    • a list of any transfers of Personal Data to a third party outside the EEA and UK (including the name of the relevant non-EEA country and organisation), and documentation of the suitable safeguards in place for such transfers. For the avoidance of doubt, all such transfers are subject always to your consent in accordance with this Agreement,
    • where possible, a general description of the technical and organisational security measures referred to under these obligations.
  5. Where we Process Personal Data on your behalf, we shall, in respect of such Personal Data:
    • not access or use Personal Data except as is necessary to provide the Services, and then only as reasonably necessary for the performance of these obligations,
    • act strictly in accordance with these obligations and on your written instructions received from time to time,
    • comply promptly with any request from you to amend, delete or transfer Personal Data,
    • not disclose Personal Data to any employee, director, agent, contractor or affiliate of ours (“our Personnel”), or any third party, except as is necessary for the performance of the Services, or to comply with applicable laws, or with your prior written consent,
    • implement and maintain appropriate technical and organisational measures:
      • to protect the security and confidentiality of Personal Data Processed by us in providing the Services,
      • to protect Personal Data at all times against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure, access, or Processing,
      • as required under the Data Protection Legislation.
    • notify you of any request made by a Data Subject under Data Protection Legislation in relation to or in connection with Personal Data processed by us on your behalf and at all times cooperate with and assist you to execute your obligations under Data Protection Legislation in relation to such Data Subject requests.
    • process the Personal Data in accordance with the specified duration, purpose, type and categories of Data Subjects as set out in the table below, or as otherwise notified by you to us.

Data Processing Information table

| # | Item | Details |
|---|------|---------|
| 1 | Subject matter of the processing | In the course of the provision of IT Maintenance Services, as defined in the Existing Agreement |
| 2 | Duration | For the term of the Existing Agreement |
| 3 | Nature and Purpose of the processing | The Personal Data described below will be processed by us in the course of providing the IT Maintenance services |
| 4 | Types of Personal Data processed | Name of Employee; Business email address; Business telephone number and address |
| 5 | Categories of Data Subjects in relation to Personal Data Processed | Your Employees |

  6. We shall within 24 hours, or earlier if reasonably practical, of becoming aware notify you in writing of any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data. The notice provided will specify:
    • the categories and number of individuals and the records concerned,
    • the likely consequences of the breach,
    • any steps taken to mitigate and address the breach,
    • an appropriate point of contact within our organisation whom you can contact about the breach.
  7. In the event of a breach we will promptly give you the detail you request to allow you to understand the impact of the breach. We will promptly comply with any instructions provided by you, and cooperate with you, in relation to the breach.
  8. We must obtain your prior written consent before engaging a subcontractor to Process Personal Data on your behalf. Where that consent is given, it will be conditional upon our having executed a written contract with the third party which contains terms for the protection of Personal Data which are no less protective than the terms set out in these obligations.

  9. We shall not, and shall warrant that our subcontractors shall not, transfer or Process any Personal Data outside the EEA and/or the UK unless your prior written consent has been obtained and the following conditions are fulfilled:
    • appropriate safeguards are in place relating to the transfer,
    • the data subject has enforceable rights and effective legal remedies,
    • we comply with our obligations under Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred,
    • we comply with reasonable instructions notified to us in advance by you with respect to the processing of the Personal Data.
  10. We shall provide you with such reasonable assistance as you require in relation to any complaints made by Data Subjects or investigations or enquiries made by any regulator or supervisory authority relating to you or your obligations under Data Protection Legislation.
  11. In relation to Personal Data processed by us under these obligations, we shall co-operate with you to the extent that is reasonably necessary to enable you to adequately discharge your responsibility as a data controller under Data Protection Legislation (including in respect of the preparation of data protection impact assessments).
  12. You shall have the right to audit us and relevant records and materials as necessary to demonstrate our compliance with these obligations and our Service Agreement and Data Protection Legislation. At any time we will co-operate fully to allow and assist such audits, including on-site inspections of our business premises or processing facilities, conducted by you or your auditor.
  13. We will tell you immediately if we are asked to do something which might infringe Data Protection Legislation or other data protection law of the UK, EU or EU Member State.
  14. We shall ensure that any of our Personnel with access to Personal Data are both bound by confidentiality obligations in respect of access, use or processing of such Personal Data, and have received appropriate training.
  15. At your request, we shall provide a copy of all Personal Data held by us in the format and on the media reasonably specified by you.
  16. On termination or expiry of our Service Agreement, at your request, we shall delete or return to you all Personal Data processed by us on your behalf, and we shall delete existing copies of such Personal Data except where necessary to retain such Personal Data strictly for the purposes of compliance with UK, EU or EU Member State Laws applicable to us.
  17. We shall each be responsible for bearing the costs of our obligations under this Agreement.
  18. The provisions of these obligations shall survive termination of our Service Agreement.
  19. We will each agree to any reasonable amendment to these obligations required to bring them into line with any amendment to or re-enactment of any Data Protection Legislation, in particular to reflect the GDPR, or to allow each of the Parties to comply with any requirement or recommendation of the Information Commissioner or any other data protection or supervisory authority in relation to the Processing of Personal Data.