This DATA PROCESSING AGREEMENT forms part of the Contract between Metricreg Ltd’s Customers (“the Customer”) and Metricreg Ltd, incorporated and registered in England and Wales with company number 08597223 whose registered office is at Unit 19 Brockley Cross Business Centre, Endwell Road, London (“the Processor”) and governs the processing of personal data by Metricreg Ltd on behalf of the Customer in connection with the Services.
The Customer and the Processor are hereinafter collectively referred to as “Parties” and individually as “Party”.
References to the term “Data Processing Agreement” mean this Agreement and the following schedules attached hereto:
The Parties have agreed to enter into this Agreement to ensure compliance with the said provisions of the applicable data protection legislation (“Data Protection Legislation”) relating to the processing of Personal Data in relation to all processing of Personal Data by the Processor for the Customer in fulfilment of its obligations under the Software Agreement.
This Agreement, together with the Purchase Order and the Terms and Conditions of Sale, form the Contract between Metricreg Ltd and its Customer.
The terms and expressions set out in this Agreement shall have the following meanings:
Data Protection Legislation: (i) unless and until the GDPR is no longer directly applicable in the UK, the General Data Protection Regulation ((EU) 2016/679) (GDPR) and any national implementing laws, regulations and secondary legislation, as amended or updated from time to time, in the UK, including the Data Protection Act 2018 and (ii) any successor legislation to the GDPR or the Data Protection Act 2018;
“Controller”, “Processor”, “Processing” and “Data Subject” shall have the meanings given to them in the Data Protection Legislation;
ICO means the Information Commissioner’s Office;
Personal Data means all such “personal data” as defined in the Data Protection Legislation as is, or is to be, processed by the Processor on behalf of the Customer;
Services means those services described in Schedule 1 which are provided by the Processor to the Customer and which the Customer uses for the purposes described in Schedule 1.
“Security Measures” means the security measures set out in Schedule 2.
“Software Agreement” means any agreement between the Parties pursuant to which the Processor may process Personal Data on behalf of the Customer in order to provide the Services.
Clause, Schedule and paragraph headings shall not affect the interpretation of this agreement.
A person includes a natural person, corporate or unincorporated body (whether or not having separate legal personality).
The Schedules form part of this Agreement and shall have effect as if set out in full in the body of this Agreement. Any reference to this Agreement includes the Schedules.
A reference to a company shall include any company, corporation or other body corporate, wherever and however incorporated or established.
Unless the context otherwise requires, words in the singular shall include the plural and in the plural shall include the singular.
Unless the context otherwise requires, a reference to one gender shall include a reference to the other genders.
It Is Agreed as follows:
Scope of Processing
The Controller determines the purposes and means of the processing of Personal Data. The Customer may be the Controller or the main Processor of the personal data that is to be processed by the Processor under this Agreement. The Customer, where it is the Controller, shall comply with its obligations pursuant to Data Protection Legislation, including its responsibility to ensure a necessary legal basis for the collection, processing and transfer of Personal Data.
The terms of this Agreement supersede any other arrangement, understanding or agreement made between the Parties at any time relating to protection of Personal Data.
This Agreement concerns the Processor’s processing of Personal Data on behalf of the Customer in connection with the Processor’s provision of the Services or otherwise as described in Schedule 1.
The nature and the purpose of the processing, including operations and activities, are specified in Schedule 1 but the Processor is only to carry out the Services, and only to process Personal Data received from the Customer:
The Processor, its Sub-processors, and other persons acting under the authority of the Processor who have access to the Personal Data shall process the Personal Data only on behalf of the Customer and in compliance with its documented instructions and in accordance with the Data Processing Agreement, unless otherwise stipulated in applicable statutory laws.
The Processor shall immediately inform the Customer if, in the Processor’s opinion, an instruction infringes the Data Protection Legislation.
The Processor shall promptly comply with any request from the Customer requiring the Processor to amend, transfer or delete the Personal Data. The Customer acknowledges that it shall be responsible for ensuring the accuracy of all Personal Data.
The Processor agrees to comply with any reasonable measures required by the Customer to ensure that its obligations under this Agreement are satisfactorily performed in accordance with the Data Protection Legislation and all applicable legislation from time to time in force and any best practice guidance issued by the ICO.
Where the Processor processes Personal Data (whether stored in the form of physical or electronic records) on behalf of the Customer it shall:
2.9.1 not process the Personal Data outside the European Union without the prior written consent of the Customer and, where the Customer consents to such a transfer, comply with the transfer obligations of Chapter V of the Data Protection Legislation;
2.9.2 process the Personal Data only to the extent, and in such manner, as is necessary in order to comply with its obligations to the Customer or as is required by law or any regulatory body including but not limited to the ICO;
2.9.3 implement appropriate technical and organisational measures and take all steps necessary to protect the Personal Data against unauthorised or unlawful processing and against accidental loss, destruction, damage, alteration or disclosure, and promptly supply details of such measures as requested by the Customer;
2.9.4 ensure that any transfer of Personal Data is subject to the Data Protection Legislation’s standard contractual clauses or other legal basis for such transfer or disclosure; and
2.9.5 if so requested by the Customer (and within the timescales required by the Customer) supply details of the technical and organisational systems in place to safeguard the security of the Personal Data held and to prevent unauthorised access.
2.10 On at least 7 days’ prior notice, the Processor shall permit persons authorised by the Customer to enter into any premises on which the Personal Data provided by the Customer to the Processor is processed, and to inspect the Processor’s facilities, equipment, documents and electronic data relating to the processing of the Personal Data. The requirement to give notice will not apply if the Customer believes that the Processor is in breach of any of its obligations under this Agreement.
2.11 The Processor shall notify the Customer (within two working days) if it receives:
2.11.1 a request from a data subject to have access to that person’s Personal Data; or
2.11.2 a complaint or request relating to the Customer’s obligations under the Data Protection Legislation.
2.12 The Processor agrees to provide the Customer with full co-operation and assistance in relation to any complaint or request made, including by:
2.12.1 providing the Customer with full details of the complaint or request;
2.12.2 complying with a data access request within the relevant timescale and in accordance with the Customer’s instructions;
2.12.3 providing the Customer with any Personal Data it holds in relation to a data subject (within any reasonable timescales required by the Customer);
2.12.4 providing the Customer with any information reasonably requested by the Customer; and
2.13 The Processor shall notify the Customer immediately if it becomes aware of any unauthorised or unlawful processing, loss of, damage to or destruction of any of the Personal Data.
3.1 The Processor shall implement appropriate technical and organisational measures as stipulated in Data Protection Legislation and/or measures imposed by the ICO to ensure an appropriate level of security and these are outlined in Schedule 2.
3.2 The Processor shall assess the appropriate level of security and take into account the risks related to the processing, including risk of accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data transmitted, stored or otherwise processed.
3.3 All transmissions of Personal Data between the Processor and the Customer or between the Processor and any third party shall be done by means of adequate encryption, or alternative security measures to ensure confidentiality, as agreed between the Parties.
3.4 If requested, the Processor shall provide the Customer with general descriptions of the Processor’s and its Sub-processors’ (to the extent that the Processor has access to such Sub-processors’ information) technical and organisational measures implemented to ensure an appropriate level of security.
3.5 The Processor shall provide reasonable assistance to the Customer, taking into account relevant information available to the Processor, if the Customer is obliged to perform an impact assessment and/or consult the ICO in connection with the processing of Personal Data. The Customer shall bear any costs accrued by the Processor related to such assistance.
4.1 The Processor shall notify the Customer without undue delay after becoming aware of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed (“Personal Data Breach”). The Customer (or another Controller if the Customer is not the Controller of the Personal Data) is responsible for notifying the Personal Data Breach to the ICO within 72 hours of any such breach.
4.2 The notification to the Customer shall as a minimum describe (i) the nature of the Personal Data Breach including where possible, the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned; (ii) the likely consequences, in the reasonable opinion of the Processor, of the Personal Data Breach; (iii) the measures taken or proposed to be taken by the Processor to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.
4.3 In the event the Customer (or another Controller where the Customer is the main Processor) is obliged to communicate a Personal Data Breach to the Data Subjects, the Processor shall assist the Customer and the Controller (if the Controller is not the Customer), including the provision, if available, of necessary contact information to the affected Data Subjects. The Controller shall bear any costs related to such assistance provided by the Processor and to such communication to the Data Subject. The Processor shall nevertheless bear such costs if the Personal Data Breach is caused by circumstances for which the Processor is responsible.
5.1 The Customer hereby authorises the Processor to engage in connection with exercising its rights and performing its obligations under this Data Processing Agreement and any Software Agreement those sub-processors set out in Schedule 3 (“Sub-processor”). The Processor shall inform the Company of any intended changes concerning addition or replacement of any Sub-processors, and the Customer has the right to object to such changes.
5.2 The Processor shall ensure that its data protection obligations set out in this Agreement and the Data Protection Legislation are imposed on any Sub-processors by way of a written agreement. Any Sub-processor shall in particular provide sufficient guarantees to implement appropriate technical and organisational measures to comply with Data Protection Legislation. The Processor shall remain fully liable to the Customer (and any Controller if the Customer is not the Controller) for the performance of any Sub-processor.
6.1 Each party warrants to the other that it will process the Personal Data in compliance with this Agreement and in accordance with the Data Protection Legislation.
6.2 The Customer shall ensure that it has all necessary and appropriate consents and notices in place to enable the lawful transfer of Personal Data to the Processor for the duration and purposes of this Agreement and any and all Software Agreements.
6.3 In entering this Data Processing Agreement, the Customer acknowledges that the Processor is reliant upon the Customer for direction as to the extent to which the Customer is entitled to use and process Personal Data under this Data Processing Agreement and the Software Agreement. The Customer shall therefore indemnify (and keep indemnified) the Processor against each and every action, proceeding, liability, cost, claim, loss, expense (including reasonable legal fees and disbursements on a solicitor and client basis) and demand incurred by the Processor which arises directly from or in connection with any data processing activities which are subject to this Agreement and all Software Agreements.
7.1 The Processor shall maintain the Personal Data processed by the Processor on behalf of the Customer in confidence, and in particular, unless the Customer has given written consent for the Processor to do so, the Processor shall not disclose any Personal Data supplied to the Processor by, for, or on behalf of, the Customer to any third party. The Processor shall not process or make any use of any Personal Data supplied to it by the Customer otherwise than in connection with the provision of the Services to the Customer.
7.2 The Customer is subject to a duty of confidentiality regarding any documentation and information, received by the Processor, related to the Processor’s and its Sub-processors’ implemented technical and organisational security measures.
7.3 The obligations in this Clause 7 shall continue for a period of five years after the cessation of the provision of Services by the Processor to the Customer. Nothing in this Agreement shall prevent either party from complying with any legal obligation imposed by the ICO or a court. Both parties shall however, where possible, discuss together the appropriate response to any request from the ICO or court for disclosure of information.
8.1 The Data Processing Agreement is valid for as long as the Processor processes Personal Data on behalf of the Customer.
8.2 The Processor shall, upon the termination of this Agreement and at the choice of the Customer (or the Controller if the Customer is not the Controller), delete or return all the Personal Data, unless stipulated otherwise in the Data Protection Legislation. The Processor shall document in writing to the Customer that deletion has taken place.
9.1 This Agreement may only be amended by the Parties subject to mutual consent and in accordance with the Data Protection Legislation.
9.2 The Processor shall not sub-contract to any third party any of its rights or obligations under this Agreement save for where permitted by the Parties under this Agreement.
9.3 Except as expressly provided in this Agreement, the rights and remedies provided under this Agreement are in addition to, and not exclusive of, any rights or remedies provided by law.
9.4 This Agreement shall be governed by the laws of England and Wales and subject to the exclusive jurisdiction of the courts of England and Wales.
The “Services” referred to in this Agreement are the provision of visitor, staff and/or resident management systems.
Further description of the Services is set out in the applicable Software Agreement and documentation.
The Customer uses the Services for the purpose of administering its business and providing its services to the end user.
The Personal Data will be subject to the following basic processing activities:
The Personal Data shall be processed for the duration of the Software Agreement and up to 30 days following termination of the Software Agreement.
The Personal Data processed concerns the following type and categories, including any special categories of data:
Customer’s end user’s details:
- Pupil/student
  - Name
- Cleaners or contractors
- Other data as may be necessary for the provision of the Services
The Personal Data processed concerns the following categories of Data Subjects:
1. The Processor will ensure that in respect of all Personal Data it receives from or processes on behalf of the Customer it maintains security measures to a standard appropriate to:
1.1 the harm that might result from unlawful or unauthorised processing or accidental loss, damage or destruction of the Personal Data; and
1.2 the nature of the Personal Data.
2. In particular the Processor shall:
2.1 have in place and comply with a security policy which:
2.1.1 defines security needs based on a risk assessment;
2.1.2 allocates responsibility for implementing the policy to a specific individual or members of a team;
2.1.3 is provided to the Customer at the Customer’s request either on or before the commencement of this Agreement;
2.1.4 is disseminated to all relevant staff; and
2.1.5 provides a mechanism for feedback and review.
2.2 ensure that appropriate security safeguards and virus protection are in place to protect the hardware and software which is used in processing the Personal Data in accordance with good industry practice;
2.3 prevent unauthorised access to the Personal Data;
2.4 ensure its storage of Personal Data conforms with good industry practice such that the media on which Personal Data is recorded (including paper records and records stored electronically) are stored in secure locations and access by personnel to Personal Data is strictly monitored and controlled;
2.5 have secure methods in place for the transfer of Personal Data whether in physical form (for instance, by using couriers rather than post) or electronic form (for instance, by using encryption);
2.6 put password protection on computer systems on which Personal Data is stored and ensure that only authorised personnel are given details of the password;
2.7 take reasonable steps to ensure the reliability of employees or other individuals who have access to the Personal Data;
2.8 ensure that any employees or other individuals required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this Agreement;
2.9 ensure that none of the employees or other individuals who have access to the Personal Data publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Customer;
2.10 have in place methods for detecting and dealing with breaches of security (including loss, damage or destruction of Personal Data) including:
2.10.1 the ability to identify which individuals have worked with specific Personal Data;
2.10.2 having a proper procedure in place for investigating and remedying breaches of the data protection principles contained in the Act; and
2.10.3 notifying the Company as soon as any such security breach occurs.
2.11 have a secure procedure for backing up and storing back-ups separately from originals;
2.12 have a secure method of disposal of unwanted Personal Data including for back-ups, disks, print outs and redundant equipment; and
2.13 adopt such organisational, operational and technological processes and procedures as are required as appropriate to the Services provided to the Customer.
Purpose of processing:
Processing which may be necessary in order to provide support on any of the Processor’s goods and services.
Purpose of processing:
Processing which may be necessary for the purpose of integrating school data from an MIS system to the CBSECUREPASS visitor management system.