Data Processing Conditions
Ashbury Data Processing Conditions
- 1.1 The definitions and rules of interpretation in this clause apply in these conditions and in any other agreement between the parties.
“Ashbury” means Ashbury Labelling Limited, registered under company number 07454234.
“Business Day” means a day other than a Saturday, Sunday or public holiday in England when banks in London are open for business.
“Data Controller” shall have the meaning given in the Data Protection Legislation.
“Data Processor” shall have the meaning given in the Data Protection Legislation.
“Data Protection Legislation” means (i) all UK legislation currently in force relating to data protection matters, including without limitation the Data Protection Act 2018; (ii) GDPR and any national implementing laws, regulations and secondary legislation, as amended or updated from time to time in the UK; and (iii) any successor legislation to the GDPR and/or the Data Protection Act 2018 from time to time.
“Data Subject” shall have the meaning given in the Data Protection Legislation.
“GDPR” means the General Data Protection Regulation ((EU) 2016/679).
“Personal Data” shall have the meaning given in the Data Protection Legislation.
“Process” and “Processing” shall have the meaning given under the Data Protection Legislation.
“Services” means any and all services to be provided by the Supplier to Ashbury under any agreements or other arrangements.
“Supplier” shall mean any person or entity providing Services to Ashbury.
- 1.2 Unless the context otherwise requires, words in the singular shall include the plural and in the plural shall include the singular.
- 1.3 A reference to a statute or statutory provision is a reference to it as amended, extended or re-enacted from time to time and shall include all subordinate legislation made from time to time under that statute or statutory provision.
- 1.4 A reference to writing or written includes faxes and e-mail.
- 1.5 Any words following the terms including, include, in particular, for example, or any similar expression shall be construed as illustrative and shall not limit the sense of the words, description, definition, phrase or term preceding those terms.
These conditions shall govern any and all Processing of Personal Data performed by the Supplier for or on behalf of Ashbury, whether or not such Processing forms part of any other contract or agreement.
3. DATA PROTECTION
- 3.1 Both parties will comply with all applicable requirements of the Data Protection Legislation. This clause 3 is in addition to, and does not relieve, remove or replace, a party’s obligations under the Data Protection Legislation.
- 3.2 The parties acknowledge that for the purposes of the Data Protection Legislation, Ashbury is the Data Controller and the Supplier is the Data Processor.
- 3.3 Without prejudice to the generality of clause 3.1, Ashbury will ensure that it has all necessary consents and/or notices in place to enable lawful transfer of the Personal Data to the Supplier for the duration and purposes of these conditions.
- 3.4 Without prejudice to the generality of clause 3.1, the Supplier shall, in relation to any Personal Data Processed in connection with the performance by the Supplier of the Services:
- 3.4.1 process that Personal Data only on the written instructions of Ashbury unless the Supplier is required to Process the applicable Personal Data by the Data Protection Legislation. Where the Supplier is relying on the Data Protection Legislation as the basis for Processing Personal Data, the Supplier shall promptly notify Ashbury of this before performing the Processing required by the Data Protection Legislation, unless the Data Protection Legislation prohibits the Supplier from so notifying Ashbury;
- 3.4.2 ensure that it has in place appropriate technical and organisational measures to protect against unauthorised or unlawful Processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data, appropriate to the harm that might result from the unauthorised or unlawful Processing or accidental loss, destruction or damage and the nature of the Personal Data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymising and encrypting Personal Data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it);
- 3.4.3 ensure that all personnel who have access to and/or process Personal Data are contractually obliged to keep the Personal Data confidential; and
- 3.4.4 not transfer any Personal Data outside of the European Economic Area unless the prior written consent of Ashbury has been obtained and the following conditions are fulfilled:
- 3.4.4.1 the Supplier has provided appropriate safeguards in relation to the transfer;
- 3.4.4.2 the Data Subject has enforceable rights and effective legal remedies;
- 3.4.4.3 the Supplier complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred; and
- 3.4.4.4 the Supplier complies (and procures compliance by the transferee) with reasonable instructions notified to it in advance by Ashbury with respect to the Processing of the Personal Data;
- 3.4.5 assist Ashbury without charge in responding to any request from a Data Subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators;
- 3.4.6 at the written direction of Ashbury, delete or return Personal Data and copies thereof to Ashbury on termination of the agreement; and
- 3.4.7 maintain complete and accurate records and information to demonstrate its compliance with this clause 3 and allow for audits by Ashbury or Ashbury’s designated auditor.
- 3.5 Ashbury does not consent to the Supplier appointing any third-party processor of Personal Data under these conditions. If such consent (which must be in writing) is subsequently given by Ashbury, then as between Ashbury and the Supplier, the Supplier shall remain fully liable for all acts or omissions of any third-party processor appointed by it pursuant to this clause 3. Any such consent will be subject to a condition that the third-party processor is bound by a legally-enforceable agreement at least as stringent as these conditions.
4. Supplier’s employees
- 4.1 The Supplier will ensure that all employees, officers, contractors and other personnel:
- 4.1.1 are informed of the confidential nature of the Personal Data and are bound by confidentiality obligations and use restrictions in respect of the Personal Data;
- 4.1.2 have undertaken training on the Data Protection Legislation relating to handling Personal Data and how it applies to their particular duties; and
- 4.1.3 are aware both of the Supplier’s duties and their personal duties and obligations under the Data Protection Legislation and these conditions.
- 4.2 The Supplier will take reasonable steps to ensure the reliability, integrity and trustworthiness of all of the Supplier’s employees with access to the Personal Data.
5. Personal data breach
- 5.1 If any Personal Data is lost or destroyed or becomes damaged, corrupted, or unusable, then the Supplier will promptly restore such Personal Data at its own expense.
- 5.2 The Supplier will immediately notify Ashbury if it becomes aware of:
- 5.2.1 any accidental, unauthorised or unlawful processing of the Personal Data; or
- 5.2.2 any Personal Data being lost or destroyed, or becoming damaged, corrupted or unusable; either of the circumstances set out in clauses 5.2.1 and 5.2.2 being a “Personal Data Breach”.
- 5.3 Where the Supplier becomes aware of a Personal Data Breach it shall, without undue delay, also provide Ashbury with the following information:
- 5.3.1 description of the nature of the situation, including the categories and approximate number of both Data Subjects and Personal Data records concerned;
- 5.3.2 the likely consequences; and
- 5.3.3 description of the measures taken, or proposed to be taken to address the situation, including measures to mitigate its possible adverse effects.
- 5.4 Immediately following any Personal Data Breach, the parties will co-ordinate with each other to investigate the matter. The Supplier will reasonably co-operate with Ashbury in Ashbury’s handling of the matter, including:
- 5.4.1 assisting with any investigation;
- 5.4.2 providing Ashbury with physical access to any facilities and operations affected;
- 5.4.3 facilitating interviews with the Supplier’s employees, former employees and others involved in the matter;
- 5.4.4 making available all relevant records, logs, files, data reporting and other materials required to comply with all Data Protection Legislation or as otherwise reasonably required by Ashbury; and
- 5.4.5 taking reasonable and prompt steps to mitigate the effects and to minimise any damage resulting from the Personal Data Breach.
- 5.5 The Supplier will not inform any third party of any Personal Data Breach without first obtaining Ashbury’s prior written consent, except when required to do so by law.
- 5.6 The Supplier agrees that Ashbury has the sole right to determine:
- 5.6.1 whether to provide notice of the Personal Data Breach to any Data Subjects, supervisory authorities, regulators, law enforcement agencies or others, as required by law or regulation or in Ashbury’s discretion, including the contents and delivery method of the notice; and
- 5.6.2 whether to offer any type of remedy to affected Data Subjects, including the nature and extent of such remedy.
- 6.1 If the Supplier does not fully comply with these conditions, whether by act or omission, then the Supplier shall indemnify and hold Ashbury harmless from and against any costs (including legal and other professional costs), expenses, liabilities, fines, penalties, compensation, damages, awards or losses of any nature whatsoever (together, “Losses”), whether such Losses arise under contract, tort (including negligence), statute, indemnity or any other legal theory.
- 6.2 Where Ashbury believes that there is a potential for any Losses to arise (“Risk”), it shall have full and absolute discretion to conduct negotiations with and reach agreement with any person in relation to such Losses and the surrounding factual matters. For the avoidance of doubt, any such agreement will not affect Ashbury’s entitlement to obtain indemnification from the Supplier under clause 6.1 above.
- 6.3 If the Supplier becomes aware of any event or circumstance which may give rise to a Risk, then it shall:
- 6.3.1 immediately notify Ashbury giving full details, and provide such further assistance as Ashbury requests;
- 6.3.2 make no comment or admission regarding the Risk or the surrounding factual circumstances without Ashbury’s prior written approval; and
- 6.3.3 hand over exclusive conduct of any and all discussions and negotiations thereto to Ashbury, except to the extent that Ashbury instructs the Supplier otherwise in writing.
- 7.1 The Supplier shall have no entitlement to any fee, charge or other payment whatsoever from Ashbury for its entry into and performance of these conditions.
- 7.2 The parties acknowledge that any payment in relation to the performance of the Services is dealt with in a separate contract or agreement.
8. TERM AND TERMINATION
These conditions shall commence on the Commencement Date. They shall continue in full force and effect until the date of final completion of all Services.
No failure or delay by a party to exercise any right or remedy provided under these conditions or by law shall constitute a waiver of that or any other right or remedy, nor shall it preclude or restrict the further exercise of that or any other right or remedy. No single or partial exercise of any right or remedy shall preclude or restrict the further exercise of that or any other right or remedy.
Except as expressly provided in these conditions, the rights and remedies provided under these conditions are in addition to, and not exclusive of, any rights or remedies provided by law.
Except as expressly provided in these conditions, no variation of these conditions shall be effective unless it is in writing and signed by the parties (or their authorised representatives).
- 12.1 If any provision or part-provision of these conditions is or becomes invalid, illegal or unenforceable, it shall be deemed modified to the minimum extent necessary to make it valid, legal and enforceable. If such modification is not possible, the relevant provision or part-provision shall be deemed deleted. Any modification to or deletion of a provision or part-provision under this clause shall not affect the validity and enforceability of the rest of these conditions.
- 12.2 If any provision or part-provision of these conditions is invalid, illegal or unenforceable, the parties shall negotiate in good faith to amend such provision so that, as amended, it is legal, valid and enforceable, and, to the greatest extent possible, achieves the intended commercial result of the original provision.
13. THIRD-PARTY RIGHTS
A person who is not a party to these conditions shall not have any rights under the Contracts (Rights of Third Parties) Act 1999 to enforce any term of these conditions.
14. GOVERNING LAW
These conditions and any dispute or claim arising out of or in connection with it or its subject matter or formation (including non-contractual disputes or claims) shall be governed by and construed in accordance with the law of England and Wales.
Each party irrevocably agrees that the courts of England and Wales shall have exclusive jurisdiction to settle any dispute or claim that arises out of or in connection with these conditions or its subject matter or formation (including non-contractual disputes or claims).