FAVERSHAM HOUSE LTD STANDARD DATA PROCESSING CLAUSES

We are aware that Faversham House Limited including its various brands (“FH”) are bound by data protection and privacy laws around the world including without limitation the UK and/or EU General Data Protection Regulations, as applicable (“GDPR”), with regard to personal data of FH’s customers, suppliers, employees, contractors, agents, representatives etc.

Personal data means any information concerning the personal or material circumstances of an identified or identifiable individual. Examples of personal data include without limitation e-mail addresses, phone numbers, names, postal addresses. As part of our obligations under the relevant data protection and privacy laws (“Laws”), we declare that we will at all times be compliant with applicable requirements under these Laws when providing goods and/or services to FH. This agreement does not include anything that relieves either party of any direct responsibilities and liabilities under the GDPR or other relevant Laws.

A processor is a natural or legal person or organisation which processes personal data on behalf of a controller. A controller is defined as a natural or legal person or organisation which determines the purposes and means of processing personal data. Where the purpose and means of processing personal data is shared by both parties they are Co-controllers.

This document outlines the clauses that will apply to data processing between Faversham House Limited and its customers if there is no specific separate agreement in place.

This includes two potential scenarios:

A)     Faversham House Ltd. is the data processor and the customer (as identified in the signed booking form) is the controller

B)     Faversham House Ltd. and the customer (as identified in the signed booking form) are Co-controllers

If Scenario A) applies, the standard clauses in Section A) of this document apply. For detail on the scope, nature, purpose, duration and types of data included in this processing agreement please see the signed booking form.

If Scenario B) applies, the standard clauses in Section B) of this document apply. For detail on the scope, nature, purpose, duration and types of data included in this processing agreement please see the signed booking form.

Section A

FAVERSHAM HOUSE LTD. AS THE DATA PROCESSOR

Parties:

1.      Faversham House Ltd. (registered no. 00692570) the registered office of which is at Windsor Court, Wood Street, East Grinstead, West Sussex, RH19 1UZ (the “Data Processor”)

2.                The customer whose details are stated in the signed booking form (the “Data Controller”)

Background:

The Data Processor provides services to the Data Controller which include the processing of personal data on its behalf and has agreed to the following terms to govern such processing in accordance with Article 28(3) of the UK GDPR and/or the EU GDPR (as each is defined below).

Agreed Terms:

1.                This Agreement is supplemental to the Main Agreement between the parties listed in the signed booking form and lasts for the same period.  In the case of any inconsistency between the Main Agreement and this Agreement, the terms of this Agreement prevail.
2.                In this Agreement:
2.1             “Applicable Laws” means (for so long as and to the extent that they apply to the Data Processor) the law of the United Kingdom, any part of the United Kingdom, the European Union, any member state of the European Union and/or part of the European Economic Area;
2.2             “Data Protection Legislation” means:
2.2.1        to the extent the UK GDPR applies, the law of the United Kingdom or of a part of the United Kingdom which relates to the protection of personal data;
2.2.2        to the extent the EU GDPR applies, the law of the European Union or any member state of the European Union or part of the European Economic Area to which the Data Controller or Data Processor is subject, which relates to the protection of personal data;
2.3             “EU GDPR” means the General Data Protection Regulation ((EU) 2016/679);
2.4             “UK GDPR” has the meaning given to it in section 3(10) (as supplemented by section 205(4)) of the Data Protection Act 2018.
3.                Both parties will comply with all applicable requirements of the Data Protection Legislation. This Agreement is in addition to, and does not relieve, remove or replace, a party’s obligations under the Data Protection Legislation.
4.                The signed booking form sets out the scope, nature and purpose of processing by the Data Processor, the duration of the processing and the types of personal data (as defined in the Data Protection Legislation: “Personal Data”) and categories of Data Subject.
5.                Without prejudice to the generality of Clause 3, the Data Controller will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the Personal Data to the Data Processor for the duration and purposes of the Main Agreement.
6.                Without prejudice to the generality of Clause 3, the Data Processor shall, in relation to any Personal Data processed in connection with the performance by the Data Processor of its obligations under the Main Agreement:
6.1             process that Personal Data only on the written instructions of the Data Controller unless the Data Processor is required by Applicable Laws to process Personal Data.  Where the Data Processor is relying on Applicable Laws as the basis for processing Personal Data, the Data Processor shall promptly notify the Data Controller of this before performing the processing required by the Applicable Laws unless those Applicable Laws prohibit the Data Processor from so notifying the Data Controller;
6.2             ensure that it has in place appropriate technical and organisational measures, reviewed and approved by the Data Controller, to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymising and encrypting Personal Data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it);
6.3             ensure that all personnel who have access to and/or process Personal Data are obliged to keep the Personal Data confidential; and
6.4             not transfer (a) any Personal Data held in the United Kingdom outside of the United Kingdom and/or (b) any Personal Data held in the European Economic Area outside of the European Economic Area unless the prior written consent of the Data Controller has been obtained and the following conditions are fulfilled:
6.4.1        the Data Controller or the Data Processor has provided appropriate safeguards in relation to the transfer;
6.4.2        the data subject has enforceable rights and effective legal remedies;
6.4.3        the Data Processor complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred; and
6.4.4        the Data Processor complies with reasonable instructions notified to it in advance by the Data Controller with respect to the processing of the Personal Data;
6.5             assist the Data Controller, at the Data Controller’s cost, in responding to any request from a Data Subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators;
6.6             notify the Data Controller without undue delay on becoming aware of a Personal Data breach;
6.7             at the written direction of the Data Controller, delete or return Personal Data and copies thereof to the Data Controller on termination of the Main Agreement unless required by Applicable Law to store the Personal Data; and
6.8             maintain complete and accurate records and information to demonstrate its compliance with this Clause 6 and allow for audits by the Data Controller or the Data Controller’s designated auditor.
7.                The Data Controller does not consent to the Data Processor appointing any third party processor of Personal Data under this Agreement, except for the Sub-processors listed in the Schedule.  The Data Processor confirms that it has entered or (as the case may be) will enter with any such Sub-processor into a written agreement incorporating terms which are substantially similar to those set out in this Agreement.  As between the Data Controller and the Data Processor, the Data Processor shall remain fully liable for all acts or omissions of any Sub-processor appointed by it pursuant to this Clause 7.

Section B

FAVERSHAM HOUSE LTD. AND CUSTOMER AS CO-CONTROLLERS

Agreed Purposes: Please see the signed booking form

Controller, data controller, processor, data processor, data subject, personal data, processing and appropriate technical and organisational measures: as set out in the Data Protection Legislation in force at the time.

Data Protection Legislation:

a)            to the extent the UK GDPR applies, the law of the United Kingdom or of a part of the United Kingdom which relates to the protection of personal data;

b)            to the extent the EU GDPR applies, the law of the European Union or any member state of the European Union or part of the European Economic Area to which the Data Controller or Data Processor is subject, which relates to the protection of personal data;

c)      “EU GDPR”: the General Data Protection Regulation ((EU) 2016/679);

Permitted Recipients: The parties to this agreement, the employees of each party, any third parties engaged to perform obligations in connection with this agreement.

Shared Personal Data: the personal data to be shared between the parties under clause 1.1 of this agreement. Shared Personal Data shall be confined to the categories of data defined in the signed booking form.

“UK GDPR” has the meaning given to it in section 3(10) (as supplemented by section 205(4)) of the Data Protection Act 2018.

1.                DATA PROTECTION

1.1             Shared Personal Data. This clause sets out the framework for the sharing of personal data between the parties as data controllers. Each party acknowledges that one party (the Data Discloser) will regularly disclose to the other party (the Data Recipient) Shared Personal Data collected by the Data Discloser for the Agreed Purposes.

1.2             Effect of non-compliance with Data Protection Legislation. Each party shall comply with all the obligations imposed on a controller under the Data Protection Legislation, and any material breach of the Data Protection Legislation by one party shall, if not remedied within 30 days of written notice from the other party, give grounds to the other party to terminate this agreement with immediate effect.

1.3             Particular obligations relating to data sharing. Each party shall:

(a)         ensure that it has all necessary notices and consents in place to enable lawful transfer of the Shared Personal Data to the Permitted Recipients for the Agreed Purposes;

(b)         give full information to any data subject whose personal data may be processed under this agreement of the nature of such processing. This includes giving notice that, on the termination of this agreement, personal data relating to them may be retained by or, as the case may be, transferred to one or more of the Permitted Recipients, their successors and assignees;

(c)          process the Shared Personal Data only for the Agreed Purposes;

(d)         not disclose or allow access to the Shared Personal Data to anyone other than the Permitted Recipients;

(e)         ensure that all Permitted Recipients are subject to written contractual obligations concerning the Shared Personal Data (including obligations of confidentiality) which are no less onerous than those imposed by this agreement;

(f)          ensure that it has in place appropriate technical and organisational measures, reviewed and approved by the other party, to protect against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data;

(g)         not transfer any personal data received from the Data Discloser in the UK outside the UK unless the transferor:

(i)           complies with the provisions of Article 26 of the UK GDPR (in the event the third party is a joint controller); and

(ii)          ensures that (i) the transfer is to a country approved by adequacy regulations under the Data Protection Act 2018 as providing adequate protection pursuant to Article 45 UK GDPR; (ii) there are appropriate safeguards in place pursuant to Article 46 UK GDPR; or (iii) one of the derogations for specific situations in Article 49 UK GDPR applies to the transfer;

(h)         not transfer any personal data received from the Data Discloser in the EEA outside the EEA unless the transferor:

(i)           complies with the provisions of Article 26 of the EU GDPR (in the event the third party is a joint controller); and

(ii)          ensures that (i) the transfer is to a country approved by the European Commission as providing adequate protection pursuant to Article 45 EU GDPR; (ii) there are appropriate safeguards in place pursuant to Article 46 EU GDPR; or (iii) one of the derogations for specific situations in Article 49 EU GDPR applies to the transfer.

1.4             Mutual assistance. Each party shall assist the other in complying with all applicable requirements of the Data Protection Legislation. In particular, each party shall:

(a)         consult with the other party about any notices given to data subjects in relation to the Shared Personal Data;

(b)         promptly inform the other party about the receipt of any data subject access request;

(c)          provide the other party with reasonable assistance in complying with any data subject access request;

(d)         not disclose or release any Shared Personal Data in response to a data subject access request without first consulting the other party wherever possible;

(e)         assist the other party, at the cost of the other party, in responding to any request from a data subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators;

(f)          notify the other party without undue delay on becoming aware of any breach of the Data Protection Legislation;

(g)         at the written direction of the Data Discloser, delete or return Shared Personal Data and copies thereof to the Data Discloser on termination of this agreement unless required by law to store the personal data;

(h)         use compatible technology for the processing of Shared Personal Data to ensure that there is no lack of accuracy resulting from personal data transfers;

(i)           maintain complete and accurate records and information to demonstrate its compliance with this clause 1 [and allow for audits by the other party or the other party’s designated auditor]; and

(j)           provide the other party with contact details of at least one employee as point of contact and responsible manager for all issues arising out of the Data Protection Legislation, including the joint training of relevant staff, the procedures to be followed in the event of a data security breach, and the regular review of the parties’ compliance with the Data Protection Legislation.

1.5             Indemnity. Each party shall indemnify the other against all liabilities, costs, expenses, damages and losses (including but not limited to any direct, indirect or consequential losses, loss of profit, loss of reputation and all interest, penalties and legal costs (calculated on a full indemnity basis) and all other [reasonable] professional costs and expenses) suffered or incurred by the indemnified party arising out of or in connection with the breach of the Data Protection Legislation by the indemnifying party, its employees or agents, provided that the indemnified party gives to the indemnifier prompt notice of such claim, full information about the circumstances giving rise to it, reasonable assistance in dealing with the claim and sole authority to manage, defend and/or settle it.