- Data Protection Legislation: (i) unless and until the GDPR is no longer directly applicable in the UK, the General Data Protection Regulation ((EU) 2016/679) and any national implementing laws, regulations and secondary legislation, as amended or updated from time to time, in the UK and then (ii) any successor legislation to the GDPR or the Data Protection Act 1998.
- Data Protection
- The parties acknowledge that for the purposes of the Data Protection Legislation, the Customer is the data controller and the Provider is the data processor (where Data Controller and Data Processor have the meanings as defined in the Data Protection Legislation). Schedule 1 sets out the scope, nature and purpose of processing by the Provider, the duration of the processing and the types of personal data (as defined in the Data Protection Legislation, Personal Data) and categories of Data Subject.
- Without prejudice to the generality of clause 1.1, the Customer will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the Personal Data to the Provider for the duration and purposes of this agreement.
- Without prejudice to the generality of clause 1.1, the Provider warrants and undertakes that it shall, in relation to any Personal Data processed in connection with the performance by the Provider of its obligations under this agreement:
- process that Personal Data only on the written instructions of the Customer unless the Provider is required by the laws of any member of the European Union or by the laws of the European Union applicable to the Provider to process Personal Data (Applicable Laws). Where the Provider is relying on laws of a member of the European Union or European Union law as the basis for processing Personal Data, the Provider shall promptly notify the Customer of this before performing the processing required by the Applicable Laws unless those Applicable Laws prohibit the Provider from so notifying the Customer;
- ensure that it has in place appropriate technical and organisational measures, reviewed and approved by the Customer, to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymising and encrypting Personal Data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it);
- ensure that all personnel who have access to and/or process Personal Data are obliged to keep the Personal Data confidential; and
- not transfer any Personal Data outside of the European Economic Area unless the prior written consent of the Customer has been obtained and the following conditions are fulfilled:
- the Customer or the Provider has provided appropriate safeguards in relation to the transfer;
- the data subject has enforceable rights and effective legal remedies;
- the Provider complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred; and
- the Provider complies with reasonable instructions notified to it in advance by the Customer with respect to the processing of the Personal Data;
- assist the Customer, at the Customer's cost, in responding to any request from a Data Subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators;
- notify the Customer without undue delay on becoming aware of a Personal Data breach;
- at the written direction of the Customer, delete or return Personal Data and copies thereof to the Customer on termination of the agreement unless required by Applicable Law to store the Personal Data; and
- maintain complete and accurate records and information to demonstrate its compliance (and allow for audits by the Customer or the Customer's designated auditor).
- Either party may, at any time on not less than 30 days’ notice, revise this clause by replacing it with any applicable controller to processor standard clauses or similar terms forming part of an applicable certification scheme (which shall apply when replaced by attachment to this agreement).
- Each party agrees to indemnify and keep indemnified and defend at its own expense the other party against all costs, claims, damages or expenses incurred by the other party or for which the other party may become liable due to any failure by the first party or its employees or agents to comply with any of its obligations under this clause.
Processing, Personal Data and Data Subjects
- Processing by the Provider
For all these kinds of personal data you, the customer, are the Data Controller.
- Enquiry Data – Your website visitors’ personal data is collected through the Contact Form(s) on your website.
- Account Data - If your website has a User Account system, this is another method by which your website will collect and store personal data.
- Client Contact Data - You may also wish us to run lead generation campaigns for you. For example, you may provide us with contact data so we can provide a Direct Mail Campaign for your business.
- Purpose of processing
- The data may be processed by us for the purposes of operating your website, providing our services to you (including lead generation services), ensuring the security of our website and services, maintaining back-ups of our databases, and communicating with you.
- Duration of the processing
- As the Data Controller it is your responsibility to manage the duration of the processing, i.e. we will continue to process the data until you tell us to stop processing it.
- Also, as the Data Controller it is your responsibility to either delete the data in accordance with the duration set out in your Data Protection Policy or alternatively, you can ask us to do this for you as a paid service.
- Types of personal data
- Contact Form Data - this data is generally the name of the contact, their employer, and the person’s contact details (usually but not limited to telephone number and email address).
- User Account Data - this is likely to be more detailed data and could contain information on the user’s interests and gender for example.
- Client Contact Data - this data is generally the name of the contact, their employer, and the person’s contact details (usually but not limited to telephone number and email address).
- Categories of data subject
- The data is collected from your customers and / or prospects visiting the website or by your company in other ways for use in lead generation campaigns. We process this data solely for the purposes of offering our services to you.
If you have any questions, please contact your account manager.
Richard Hall - firstname.lastname@example.org
Marc Hughes - email@example.com
Ian Powell - firstname.lastname@example.org
Aspire Creative ICO Registration reference: ZA028629