Where clients are controllers and Fresh Minds Talent Limited are the processor
Contents
Definitions and Interpretation
Personal data types and processing purposes
Fresh Minds’s obligations
Fresh Minds’s employees
Security
Personal data breach
Cross-border transfers of personal data
Subcontractors
Complaints, data subject requests and third-party rights
Term and termination
Data return and destruction
Records
Audit
Notice
This Agreement is made on [insert day and month] 2022
(2) [CLIENT] incorporated and registered in England and Wales with company number [NUMBER] whose registered office is at [REGISTERED OFFICE ADDRESS] (“the Client”).
The parties agree:
The following definitions and rules of interpretation apply in this agreement.
“Business Purposes” the services to be provided by Fresh Minds to the Client as described in the Master Agreement and any other purpose specifically identified in writing between the parties;
“Commissioner” the Information Commissioner (see Article 4(A3), UK GDPR and section 114, DPA 2018).
“Controller”, “Processor”, “Data Subject”, “Personal Data”, “Personal Data Breach” and “Processing” have the meanings given to them in the Data Protection Legislation.
“Data Protection Legislation”
(a) To the extent the UK GDPR applies, the law of the United Kingdom or of a part of the United Kingdom which relates to the protection of Personal Data.
(b) To the extent the EU GDPR applies, the law of the European Union or any member state of the European Union to which the Client or Fresh Minds is subject, which relates to the protection of Personal Data.
“EU GDPR” the General Data Protection Regulation ((EU) 2016/679).
“EEA” the European Economic Area.
“UK GDPR” has the meaning given to it in section 3(10) (as supplemented by section 205(4)) of the DPA 2018.
1.2 This agreement is subject to the terms of the Master Agreement and is incorporated into the Master Agreement. Interpretations and defined terms set forth in the Master Agreement apply to the interpretation of this agreement.
The Annexes form part of this agreement and will have effect as if set out in full in the body of this agreement. Any reference to this agreement includes the Annexes.
1.3 A reference to writing or written includes faxes and email.
In the case of conflict or ambiguity between:
1.3.1 any provision contained in the body of this agreement and any provision contained in the Annexes, the provision in the body of this agreement will prevail;
the terms of any accompanying invoice or other documents annexed to this agreement and any provision contained in the Annexes, the provision contained in the Annexes will prevail; and
1.3.2 any of the provisions of this agreement and the provisions of the Master Agreement, the provisions of this agreement will prevail.
2 Personal data types and processing purposes
2.1 The Client and Fresh Minds agree and acknowledge that for the purpose of the Data Protection Legislation:
2.1.1 the Client is the Controller and Fresh Minds is the Processor.
the Client retains control of the Personal Data and remains responsible for its compliance obligations under the Data Protection Legislation, including but not limited to, providing any required notices and obtaining any required consents, and for the written processing instructions it gives to Fresh Minds.
2.1.2 Appendix 1 describes the subject matter, duration, nature and purpose of the processing and the Personal Data categories and Data Subject types in respect of which Fresh Minds shall process the Personal Data to fulfil the Business Purposes.
3.1 Fresh Minds will only process the Personal Data to the extent, and in such a manner, as is necessary for the Business Purposes in accordance with the Client’s written instructions.
Fresh Minds shall comply promptly with any Client written instructions requiring Fresh Minds to amend, transfer, delete or otherwise process the Personal Data, or to stop, mitigate or remedy any unauthorised processing.
3.2 Fresh Minds agrees to maintain the confidentiality of the Personal Data and will not disclose the Personal Data to third-parties unless the Client or this agreement specifically authorises the disclosure, or as required by domestic or EU law, court or regulator (including the Commissioner).
Fresh Minds will reasonably assist the Client, at the Client’s cost, with meeting the Client’s compliance obligations under the Data Protection Legislation, taking into account the nature of Fresh Minds’ processing and the information available to Fresh Minds, including in relation to Data Subject rights, data protection impact assessments and reporting to and consulting with the Commissioner or other relevant regulator under the Data Protection Legislation.
4.1 Fresh Minds will ensure that all of its employees:
4.1.1 are informed of the confidential nature of the Personal Data and are bound by written confidentiality obligations and use restrictions in respect of the Personal Data;
have undertaken training on the Data Protection Legislation and how it relates to their handling of the Personal Data and how it applies to their particular duties.
5.1 Fresh Minds shall implement appropriate technical and organisational measures against accidental, unauthorised or unlawful processing, access, copying, modification, reproduction, display or distribution of the Personal Data, and against accidental or unlawful loss, destruction, alteration, disclosure or damage of Personal Data.
Fresh Minds must implement such measures to ensure a level of security appropriate to the risk involved.
6.1 Fresh Minds will promptly and in any event without undue delay notify the Client in writing if it becomes aware of:
6.1.1 the loss, unintended destruction or damage, corruption, or unusability of part or all of the Personal Data. Fresh Minds will restore such Personal Data at its own expense as soon as possible.
any accidental, unauthorised or unlawful processing of the Personal Data; or
6.1.2 any Personal Data Breach.
6.2 Where Fresh Minds becomes aware of 6.1.1, 6.1.2, or 6.1.3 above, it will, without undue delay, also provide the Client with the following written information:
6.2.1 description of the nature of 6.1.1, 6.1.2, or 6.1.3 , including the categories of in-scope Personal Data and approximate number of both Data Subjects and the Personal Data records concerned;
the likely consequences; and
6.2.2 a description of the measures taken or proposed to be taken to address 6.1.1, 6.1.2, or 6.1.3 including measures to mitigate its possible adverse effects.
6.3 Fresh Minds will reasonably co-operate with the Client, in the Client’s handling of the matter and at Client’s cost, including but not limited to:
6.3.1 assisting with any investigation;
making available all relevant records, logs, files, data reporting and other materials required to comply with all Data Protection Legislation or as otherwise reasonably required by the Client; and
6.3.2 taking reasonable and prompt steps to mitigate the effects and to minimise any damage resulting from the Personal Data Breach or accidental, unauthorised or unlawful Personal Data processing.
6.4 Fresh Minds will not inform any third-party of any accidental, unauthorised or unlawful processing of all or part of the Personal Data and/or a Personal Data Breach without first obtaining the Client’s written consent, except when required to do so by domestic or EU law.
Fresh Minds agrees that the Client has the sole right to determine:
6.4.1 whether to provide notice of the accidental, unauthorised or unlawful processing and/or thePersonal Data Breach to any Data Subjects, the Commissioner, other in-scope regulators, law enforcement agencies or others, as required by law or regulation or in the Client’s discretion, including the contents and delivery method of the notice; and
whether to offer any type of remedy to affected Data Subjects, including the nature and extent of such remedy.
7 Cross-border transfers of personal data
Fresh Minds (and any subcontractor) must not transfer or otherwise process the Personal Data outside the UK or, the EEA without obtaining the Client’s prior written consent.
8.1 Fresh Minds may only authorise a third-party (subcontractor) to process the Personal Data if:
8.1.1 the Client is provided with an opportunity to object to the appointment of each subcontractor within 10 (ten) working days after Fresh Minds supplies the Client with full details in writing regarding such subcontractor;
Fresh Minds enters into a written contract with the subcontractor that contains terms substantially the same as those set out in this agreement, in particular, in relation to requiring appropriate technical and organisational data security measures, and, upon the Client’s written request, provides the Client with copies of the relevant excerpts from such contracts;
8.1.2 Fresh Minds maintains control over all of the Personal Data it entrusts to the subcontractor; and
the subcontractor’s contract terminates automatically on termination of this agreement for any reason.
8.2 The Parties agree that Fresh Minds will be deemed by them to control legally any Personal Data controlled practically by or in the possession of its subcontractors.
9 Complaints, data subject requests and third-party rights
9.1 Fresh Minds must notify the Client if it receives a complaint, notice or communication that relates to the processing of the Personal Data or to either party’s compliance with the Data Protection Legislation.
Fresh Minds must notify the Client if it receives a request from a Data Subject for access to their Personal Data or to exercise any of their other rights under the Data Protection Legislation.
Fresh Minds will give the Client, its reasonable co-operation and assistance in responding to any complaint, notice, communication or Data Subject request at the cost of the Client.
Fresh Minds must not disclose the Personal Data to any Data Subject or to a third-party other than in accordance with the Client’s written instructions, or as required by domestic or EU law.
10.1 This agreement will remain in full force and effect so long as:
10.1.1 the Master Agreement remains in effect; or
Fresh Minds retains any of the Personal Data related to the Master Agreement in its possession or control (“Term”).
10.2 Any provision of this agreement that expressly or by implication should come into or continue in force on or after termination of the Master Agreement in order to protect the Personal Data will remain in full force and effect.
If a change in any Data Protection Legislation prevents either party from fulfilling all or part of its Master Agreement obligations, the parties may agree to suspend the processing of the Personal Data until that processing complies with the new requirements. If the parties are unable to bring the Personal Data processing into compliance with the Data Protection Legislation either party may terminate the Master Agreement with immediate effect, on written notice to the other party.
11 Data return and destruction
11.1 At the Client’s request, Fresh Minds will give the Client, or a third-party nominated in writing by the Client, a copy of or access to all or part of the Personal Data in its possession or control in the format and on the media reasonably specified by the Client.
On termination of the Master Agreement for any reason or expiry of its term, Fresh Minds will securely delete or destroy all or any of the Personal Data related to this agreement in its possession or control.
11.2 If any law, regulation, or government or regulatory body requires Fresh Minds to retain any documents, materials or Personal Data that Fresh Minds would otherwise be required to return or destroy, it will notify the Client in writing of that retention requirement, giving details of the documents, materials or Personal Data that it must retain, the legal basis for such retention, and establishing a specific timeline for deletion or destruction once the retention requirement ends.
12.1 Fresh Minds will keep detailed, accurate and up-to-date written records regarding any processing of the Personal Data, including but not limited to, the access, control and security of the Personal Data, the processing purposes, categories of processing, and a general description of the technical and organisational security measures referred to in Clause 5.1 (“Records”).
Fresh Minds will ensure that the Records are sufficient to enable the Client to verify Fresh Minds’ compliance with its obligations under this agreement and the Data Protection Legislation and Fresh Minds will provide the Client with copies of the Records upon request.
12.2 The Client and Fresh Minds must review the information listed this agreement once a year to confirm its current accuracy and update it when required to reflect current practices.
13.1 At least once a year, Fresh Minds will conduct site audits of its Personal Data processing practices and the information technology and information security controls for all facilities and systems used in complying with its obligations under this agreement, including, but not limited to, obtaining a network-level vulnerability assessment performed by a recognised third-party audit firm based on recognised industry best practices.
On the Client’s written request, Fresh Minds will make all of the relevant audit reports available to the Client for review. The Client will treat such audit reports as Fresh Minds’ confidential information under the Master Agreement.
13.2 Fresh Minds will address any exceptions noted in the audit reports.
14.1 Any notice or other communication given to a party under or in connection with this agreement must be in writing and delivered to:
For the Client: [CLIENT DATA PRIVACY CONTACT]
For Fresh Minds: [FRESH MINDS DATA PRIVACY CONTACT]
This agreement has been entered into on the date stated at the beginning of it.
Signed by [NAME] |
|
|
Authorised signatory for and on behalf of [CLIENT] |
| Name |
Signed by [NAME] |
|
|
Authorised signatory for and on behalf Fresh Minds Talent Limited |
| Name |
APPENDIX 1
Personal Data processing purposes and details
Subject matter of processing:
Duration of Processing:
Nature of Processing:
Business Purposes:
Personal Data Categories:
Data Subject Types:
Security measures
Physical access controls.
System access controls.
Data access controls.
Transmission controls.
Input controls.
Data backups.
Data segregation.