THIS AGREEMENT IS BETWEEN:
- Client as mentioned and detailed in the Quotation (“the Client”) and
- Ocean Telecom Limited, whose registered office is at Eldo House, Kempson Way, Bury St Edmunds, Suffolk, IP32 7AR (“Data Processor”)
WHEREAS:
(1) The parties agree that Client is at all times the data controller and Ocean Telecom Limited is at all times the Data Processor in relation to the personal data that Data Processor processes in the course of providing the Services to the Client.
(2) Under an agreement between the Client and Data Processor (“the Quotation”) Data Processor will process personal data on behalf of the Client in accordance with the Data Processing Services described in Schedule 1.
(3) This Data Processor Agreement (“Agreement”) forms part of the main agreement between the Client and Data Processor and does not replace it in any way. This Data Processor Agreement is effective when the agreement between the Client and Data Processor is agreed to.
(4) This Data Processor Agreement is to ensure compliance with applicable Data Protection Law and Data Protection Law requirements in relation to processing of the personal data by Data Processor for the Client.
(5) The terms of this Agreement are to apply to all processing of personal data carried out for the Client by Data Processor and to all personal data held by Data Processor in relation to all such processing.
IT IS AGREED as follows:
- Definitions and Interpretation
- In this Agreement, unless the context otherwise requires, the following expressions have the following meanings:
“Data Protection Law” | means the UK GDPR and the Privacy & Electronic Communication Regulations 2003 and other applicable data protection legislation, including but not limited to the EU GDPR 2016. This also includes any replacement legislation that may come into effect from time to time; |
“Data Controller”, “Data Processor”, “processing”, and “data subject” | shall have the meanings given to the terms “controller”, “processor”, “processing”, and “data subject” respectively under data protection law; |
“Supervisory Authority” | means the UK’s supervisory authority, the Information Commissioner’s Office or other applicable supervisory authority; |
“Personal Data” | means all such “personal data”, as defined under data protection law, as is, or is to be, processed by Data Processor on behalf of the Client, as described in Schedule 1; |
“Data Processing Services” | means the data processing activities described in Schedule 1 which are provided by Data Processor to the Client in connection to the main agreement agreed to by Client and Data Processor; |
“Sub-Processor” | means a sub-processor appointed by Data Processor to process the personal data; and |
“Sub-Processing Agreement” | means an agreement between Data Processor and a Sub-Processor governing the personal data processing carried out by the Sub-Processor, as described in Clause 9. |
- Unless the context otherwise requires, each reference in this Agreement to:
- “writing”, and any cognate expression, includes a reference to any communication effected by electronic or facsimile transmission or similar means;
- a statute or a provision of a statute is a reference to that statute or provision as amended or re-enacted at the relevant time;
- “this Agreement” is a reference to this Agreement and each of the Schedules as amended or supplemented at the relevant time;
- a Schedule is a schedule to this Agreement; and
- a Clause or paragraph is a reference to a Clause of this Agreement (other than the Schedules) or a paragraph of the relevant Schedule.
- a “Party” or the “Parties” refer to the parties to this Agreement.
- The headings used in this Agreement are for convenience only and shall have no effect upon the interpretation of this Agreement.
- Words imparting the singular number shall include the plural and vice versa.
- References to any gender shall include all other genders.
- References to persons shall include corporations.
- Scope and Application of this Agreement
- The provisions of this Agreement shall apply to the processing of the personal data described in Schedule 1, carried out for the Client by Data Processor, and to all personal data held or accessed by Data Processor in relation to all such processing whether such personal data is held at the date of this Agreement or received afterwards.
- This Agreement shall continue in full force and effect for so long as Data Processor is processing personal data on behalf of the Client, and thereafter as provided in Clause 10.
- Provision of the Data Processing Services and Processing Personal Data
Data Processor is only to carry out the Data Processing Services described in Schedule 1, and only to process the personal data received from the Client:
- for the purposes of those Data Processing Services and not for any other purpose;
- to the extent and in such a manner as is necessary for those purposes; and
- strictly in accordance with the express written authorisation and instructions of the Client (which may be specific instructions or instructions of a general nature or as otherwise notified by the Client to Data Processor).
- Data Protection Compliance
- All instructions given by the Client to Data Processor shall be made in writing and shall at all times be in compliance with applicable data protection law. Data Processor shall act only on such written instructions from the Client unless the Data Processor is required by law to do otherwise.
- Data Processor shall promptly comply with any request from the Client requiring Data Processor to amend, transfer, delete, or otherwise dispose of the personal data.
- Data Processor shall transfer all personal data to the Client on the Client’s request in the formats, at the times, and in compliance with the Client’s written instructions.
- Both Parties shall comply at all times with applicable data protection law and other applicable laws and shall not perform their obligations under this Agreement or any other agreement or arrangement between themselves in such way as to cause either Party to breach any of its applicable obligations under data protection law.
- Data Processor agrees to comply with any reasonable measures required by the Client to ensure that its obligations under this Agreement are satisfactorily performed in accordance with any and all applicable legislation from time to time in force and any best practice guidance issued by the ICO or other supervisory authority.
- Data Processor shall provide all reasonable assistance to the Client in complying with its obligations under data protection law with respect to the security of processing, the notification of personal data breaches, the conduct of data protection impact assessments, and in dealings with supervisory authorities.
- When processing the personal data on behalf of the Client, Data Processor shall:
- not process the Personal Data outside the UK or European Economic Area (all EU member states, plus Iceland, Liechtenstein, and Norway) (“EEA”) without the prior written consent of the Client and, where the Client consents to such a transfer to a country that is outside of the UK or EEA, to comply with the obligations of Data Processor under the provisions applicable to transfers of Personal Data to third countries providing an adequate level of protection to any Personal Data that is transferred;
- not transfer any of the Personal Data to any third party without the written consent of the Client and, in the event of such consent, the personal data shall be transferred strictly subject to the terms of a suitable agreement, as set out in Clause 9;
- process the personal data only to the extent, and in such manner, as is necessary in order to comply with its obligations to the Client or as may be required by law (in which case, Data Processor shall inform the Client of the legal requirement in question before processing the personal data for that purpose unless prohibited from doing so by law);
- implement appropriate technical and organisational measures and take all steps necessary to protect the personal data against any unauthorised processing, including any accidental or unlawful loss, destruction, damage, alteration, disclosure or access. In assessing the appropriate level of security, the Parties shall take into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risks for Data Subjects. Data Processor shall at least implement the technical and organisational measures specified in Schedule 2 and shall inform the Client in advance of any material changes to such measures;
- if so requested by the Client acting reasonably (and within the timescales required by the Client) supply further details of the technical and organisational systems in place to safeguard the security of the personal data held and to prevent unauthorised access;
- keep detailed records of all processing activities carried out on the personal data;
- make available to the Client any and all such information as is reasonably required and necessary to demonstrate Data Processor’s compliance with data protection law;
- on reasonable prior notice, submit to audits and inspections and provide the Client with any information reasonably required in order to assess and verify compliance with the provisions of this Agreement and both Parties’ compliance with the requirements of data protection law; and
- inform the Client immediately if it is asked to do anything that infringes any applicable data protection legislation.
- Data Subject Access, Complaints, DPIAs and Breaches
- Data Processor shall assist the Client in complying with its obligations under data protection law. In particular, the following shall apply to data subject access requests, complaints, and data breaches.
- Data Processor shall notify the Client without undue delay if it receives:
- a subject access request from a data subject; or
- any other complaint or request relating to the processing of the personal data.
- Data Processor shall cooperate fully with the Client and assist as required in relation to any subject access request, complaint, or other request, including by:
- providing the Client with full details of the complaint or request;
- providing the necessary information and assistance in order to comply with a subject access request;
- providing the Client with any personal data it holds in relation to a data subject upon reasonable notice; and
- providing the Client with any other information reasonably requested by the Client.
- Data Processor shall notify the Client as soon as possible if it becomes aware of any form of a data breach, including any unauthorised or unlawful processing, loss of, damage to, or destruction of any of the personal data.
- Data Processor shall provide reasonable assistance with any Data Protection Impact Assessments (DPIAs) requested by the Client upon reasonable written notice.
- Liability and Indemnity
- Subject to any limitations of liability in the Services Agreement or any other terms and conditions entered into between the parties, Data Processor shall indemnify the Client against all losses suffered or incurred by the Client arising out of the failure by Data Processor or its employees or agents to comply with any of its obligations under this Agreement (“Claims”). Each party acknowledges that Claims include any claim or action brought by a data subject arising from Data Processor’s breach of its obligations under this Agreement.
- Intellectual Property Rights
All copyright, database rights, and other intellectual property rights subsisting in the personal data (including but not limited to any updates, amendments, or adaptations to the personal data made by either the Client or Data Processor) shall belong to the Client or to any other applicable third party from whom the Client has obtained the personal data under licence (including, but not limited to, data subjects, where applicable). Data Processor is licensed to use such personal data under such rights only for the purposes of the Data Processing Services, and in accordance with this Agreement.
- Confidentiality
- Data Processor shall maintain the personal data in confidence, and in particular, unless the Client has given written consent for Data Processor to do so, Data Processor shall not disclose any personal data supplied to it by, for, or on behalf of, the Client to any third party. Data Processor shall not process or make any use of any personal data supplied to it by the Client otherwise than in connection with the provision of the Data Processing Services to the Client.
- Data Processor shall ensure that all personnel who are to access and/or process any of the personal data are contractually obliged to keep the personal data confidential.
- The obligations set out in this Clause 8 shall continue for a period of six years after the cessation of the provision of software or services by Data Processor to the Client.
- Nothing in this Agreement shall prevent either Party from complying with any requirement to disclose personal data where such disclosure is required by law. In such cases, the Party required to disclose shall notify the other Party of the disclosure requirements prior to disclosure, unless such notification is prohibited by law.
- Appointment of Sub-Processors
- The Client consents to Data Processor engaging third party subprocessors to process the personal data for the Permitted Purpose provided that Data Processor:
- (i) maintains an up-to-date list of its subprocessors, which it shall update with details of any change in subprocessors at least 10 days prior to any such change;
- (ii) imposes data protection terms on any subprocessor it appoints that require it to protect the Data to the standard required by applicable Data Protection Law; and
- (iii) remains liable for any breach of this Clause that is caused by an act, error or omission of its subprocessor.
- 9.2 The Client may object to Data Processor’s appointment or replacement of a subprocessor prior to its appointment or replacement, provided such objection is based on reasonable grounds relating to the Client’s ability to comply with applicable Data Protection Laws. In such event, Data Processor will either not appoint or replace the subprocessor or, if this is not possible, the Client may suspend or terminate this agreement (without prejudice to any fees incurred by the Client prior to suspension or termination).
- Deletion and/or Disposal of Personal Data
- Subject to the provisions of the Terms, upon termination or expiry of the relevant agreement, Data Processor shall (at the Client’s election) destroy or return to the Client all Personal Data in its possession or control.
- This requirement shall not apply to the extent that Data Processor is required by applicable law to retain some or all of the personal data, or to personal data it has archived on back-up systems, which Data Processor shall securely isolate and protect from any further processing except to the extent required by law.
- Law and Jurisdiction
- This Agreement (including any non-contractual matters and obligations arising therefrom or associated therewith) shall be governed by, and construed in accordance with, the laws of England and Wales.
- Any dispute, controversy, proceedings or claim between the Parties relating to this Agreement (including any non-contractual matters and obligations arising therefrom or associated therewith) shall fall within the jurisdiction of the courts of England and Wales.
SCHEDULE 1
Data Processing Information
Nature and purpose of processing operations
Nature of data processing: collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of data.
Purposes of data processing:
Phone System: Personal data is needed to create accounts, technical help and support, order processing, billing support, deliveries to specific addresses.
Business Internet: Personal data is needed to create accounts, technical help and support, order processing, billing support, deliveries to specific addresses.
Categories of data subject
The Personal Data transferred concern the following categories of data subjects (please specify):
Contacts of customers; prospective, current and returning.
Categories of data
The Personal Data transferred concern the following categories of data (please specify):
Names, job details, postal addresses, contact phone numbers, email address.
Special categories of data (if appropriate)
The Personal Data transferred concern the following special categories of data (please specify):
N/A
Duration of Processing
The Personal Data shall be processed for the duration of the agreed services and this DPA, until one or both are terminated by either party.
List of Sub-processors
Client approves the following sub-processors to process Personal Data on behalf of the Supplier:
No sub-processors are used for the Phone System and Business Internet services.
SCHEDULE 2
Technical and Organisational Security Measures
Technical Security Measures:
- Cyber Essentials Certification
- IT Firewall protection
- Anti-virus protection
- Multi-Factor Authentication
- Keypad access to building and secure areas
- Usernames and passwords for company devices
- Cloud servers
- Auto-locking of company devices
- Patch management
Organisational Security Measures:
- Data Protection Officer
- Data Protection Policies
- Data Protection and Information Security Training
- Information security policies
- CCTV on and in-premises