Guide Standard conditions of contract

Show all parts of this guide

42. Data protection

42.1   The Parties acknowledge that;

for the purposes of the Data Protection Legislation, the Council is the Controller and the Supplier is the Processor.  Unless otherwise agreed in writing, the Data Processing Operations is the only processing that the Supplier is authorised to do by the Council.


42.2  The Supplier shall notify;

the Council immediately if it considers that any of the Council's instructions infringe the Data Protection Legislation.


42.3  The Supplier shall provide;

all reasonable assistance to the Council in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Council, include:


42.3.1  A systematic description of the envisaged processing operations and the purpose of the processing;


42.3.2  An assessment of the necessity and proportionality of the processing operations in relation to the Services;


42.3.3  An assessment of the risks to the rights and freedoms of Data Subjects; and


42.3.4  The measures envisaged to address;

the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data.


42.3.4  The Supplier shall:

in relation to any Personal Data processed in connection with its obligations under this Agreement:


42.4.1  Process that Personal Data only;

in accordance with the Data Processing Operations, unless the Supplier is required to do otherwise by Law. If it is so required the Supplier shall promptly notify the Council before processing the Personal Data unless prohibited by Law;


42.4.2  Ensure that:

it has in place Protective Measures, which have been reviewed and approved by the Council as appropriate to protect against a Data Loss Event having taken account of the:

(a)        nature of the data to be protected;

(b)        harm that might result from a Data Loss Event;

(c)        state of technological development; and

(d)        cost of implementing any measures;


42.4.3  Ensure that:

(a)         the Supplier Personnel do not process Personal Data except in accordance with this Agreement (and in particular the Data Processing Operations);

(b)         it takes all reasonable steps to ensure the reliability and integrity of any Supplier Personnel who have access to the Personal Data and ensure that they:

(i)          are aware of and comply with the Supplier’s duties under this clause;

(ii)         are subject to appropriate confidentiality undertakings with the Supplier or any Sub-processor;

(iii)        are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third Party unless directed in writing to do so by the Council or as otherwise permitted by this Agreement; and

(iv)        have undergone adequate training in the use, care, protection and handling of Personal Data; and


42.4.4   Not transfer Personal Data;

outside of the EU unless the prior written consent of the Council has been obtained and the following conditions are fulfilled:

(a)        the Council or the Supplier has provided appropriate safeguards in relation to the transfer (whether in accordance with GDPR Article 46 or LED Article 37) as determined by the Council;

(b)        the Data Subject has enforceable rights and effective legal remedies;

(c)        the Supplier complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Council in meeting its obligations); and

(d)        the Supplier complies with any reasonable instructions notified to it in advance by the Council with respect to the processing of the Personal Data;


42.4.5   At the written direction of the Council;

delete or return Personal Data (and any copies of it) to the Council on termination of the Agreement unless the Supplier is required by Law to retain the Personal Data.


42.5      Subject to clause 42.6 the Supplier shall;

provide written notice to the Council’s Data Protection Officer (e-mail:  immediately if it:


42.5.1   Receives;

a Data Subject Access Request (or purported Data Subject Access Request);


42.5.2   Receives;

a request to rectify, block or erase any Personal Data;


42.5.3   Receives;

any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation;


42.5.4   Receives;

any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data processed under this Agreement;


42.5.5   Receives;

a request from any third Party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or


42.5.6   Becomes aware of a Data Loss Event.


42.6      The Supplier’s obligation to notify under clause 1.5 shall;

include the provision of further information to the Council in phases, as details become available.


42.7      Taking into account the nature of the processing, the Supplier shall;

provide the Council with full assistance in relation to either Party's obligations under Data Protection Legislation and any complaint, communication or request made under clause 42.5 (and insofar as possible within the timescales reasonably required by the Council) including by promptly providing:


42.7.1    The Council with full details and copies of the complaint, communication or request;


42.7.2    Such assistance as is reasonably requested by the Council;

to enable the Council to comply with a Data Subject Access Request within the relevant timescales set out in the Data Protection Legislation;


42.7.3    The Council, at its request;

with any Personal Data it holds in relation to a Data Subject;


42.7.4    Assistance as requested by the Council following any Data Loss Event;


42.7.5    Assistance as requested by the Council;

with respect to any request from the Information Commissioner’s Office, or any consultation by the Council with the Information Commissioner's Office.


42.8       The Supplier shall;

maintain complete and accurate records and information to demonstrate its compliance with this clause. This requirement does not apply where the Supplier employs fewer than 250 staff, unless:


42.8.1    The Council determines that the processing is not occasional;


42.8.2    The Council determines the processing includes;

special categories of data as referred to in Article 9(1) of the GDPR or Personal Data relating to criminal convictions and offences referred to in Article 10 of the GDPR; and


42.8.3    The Council determines that the processing;

is likely to result in a risk to the rights and freedoms of Data Subjects.


42.9       The Supplier shall;

allow for audits of its Data Processing activity by the Council or the Council’s designated auditor.


42.10     The Supplier shall;

designate a data protection officer if required by the Data Protection Legislation.


42.11     Before allowing any Sub-processor to process any Personal Data related to this Agreement, the Supplier must:


42.11.1  Notify the Council in writing of the intended Sub-processor and processing;


42.11.2  Obtain the written consent of the Council;


42.11.3  Enter into a written agreement with the Sub-processor;

which give effect to the terms set out in this clause 0 such that they apply to the Sub-processor; and


42.11.4  Provide the Council;

with such information regarding the Sub-processor as the Council may reasonably require.


42.12     The Supplier shall;

remain fully liable for all acts or omissions of any Sub-processor.


42.13     Either Party may;

at any time on not less than 30 Working Days’ notice, revise this clause by replacing it with any applicable controller to processor standard clauses or similar terms forming part of an applicable certification scheme (in either case in accordance with Articles 28(6), 28(7), and 28(8) of the GDPR which shall apply when incorporated by attachment to this Agreement).


42.14     The Parties agree;

to take account of any guidance issued by the Information Commissioner’s Office. The Council may on not less than 30 Working Days’ notice to the Supplier amend this Agreement to ensure that it complies with any guidance issued by the Information Commissioner’s Office.


42.15     The Supplier shall;

indemnify the Council against all liabilities, costs, expenses, damages, and losses (and all other reasonable professional costs and expenses) suffered or incurred by the Council arising out of or in connection with:


42.15.1   Any breach of the obligations contained within this clause 0 (Data Protection); or


42.15.2   Any failure to comply with its obligations as a Processor under the Data Protection Legislation.