GDPR: The General Data Protection Regulation (2016/679) is the new EU Regulation on Data Protection, which came into force on the 25th May 2018.
Personal Data: Information relating to a living individual who is, or can be, identified by that information, including data that can be combined with other information to identify an individual. This can be a very wide definition, depending on the circumstances, and can include data which relates to the identity, characteristics or behaviour of an individual or influences the way in which that individual is treated or evaluated.
Processing: Performing any operation or set of operations on personal data, including:
a. obtaining, recording or keeping data;
b. organising or altering the data;
c. retrieving, consulting or using the data;
d. disclosing the data to a third party (including publication);
e. erasing or destroying the data.
Data Controller: A Data Controller is the person or organisation who decides the purposes for which, and the means by which, personal data is processed. The purpose of processing data involves ‘why’ the personal data is being processed and the ‘means’ of the processing involves ‘how’ the data is processed.
Data Processor: A person or organisation that processes personal data on the behalf of a data controller.
Data subject: A Data subject is the individual the personal data relates to.
1.1 This applies to all data handled by CB Group Ltd as a processor on behalf of our clients as data controllers. It also applies to CB Group Ltd in the circumstances where we are the data controller.
2. Purpose of Processing
2.1 The Data Processor shall process the Data it receives from the Data Controller solely for the purpose agreed and listed and for no other purpose.
2.2 The subject matter of the mailing, purpose of processing the mailing, type of personal data utilised in the mailing and category of data subject shall all be outlined prior to the mailing and a record of such kept by the Data Processor.
2.3 The Data Processor shall only act on the written instructions of the Data Controller and the Data Controller shall only provide data to the processor that is covered within the above specifications.
2.4 The Data Controller confirms that only data required to fulfil the processing shall be provided to the Data Processor and that no excess personal information will be shared unnecessarily. The Data Controller confirms that it shall only transfer data in a secure manner agreed with the Data Processor.
3. Security, Confidentiality & Accessibility of Data
3.1 The Data Processor shall use its best endeavours to safeguard the Data from unauthorised or unlawful processing or accidental loss, destruction or damage, and acknowledges that it has implemented technical and organisational measures to prevent unauthorised or unlawful processing or accidental loss or destruction of the Data.
3.2 The Data Processor shall ensure that each of its employees, agents or subcontractors is made aware of its obligations regarding the security and protection of the Data, and shall require that they enter into binding obligations with the Data Processor in order to maintain the levels of security and protection provided for in this Agreement.
3.3 The Data Processor shall not divulge the Data whether directly or indirectly to any person, firm or company without the express written consent of the Data Controller except to those of its employees, agents and subcontractors who are engaged in the processing of the Data and are subject to the binding obligations referred to in 3.2.
3.4 The Data Processor shall ensure by written contract that any agent or subcontractor employed by the Data Processor to process data to which this Agreement relates also provides the Data Processor with a plan of the technical and organisational means it has adopted to prevent unauthorised or unlawful processing or accidental loss or destruction of the Data.
3.5 The Data Processor shall assist the Data Controller in meeting its GDPR obligations in relation to the training of staff, security of processing, the notification of personal data breaches and data protection impact assessments.
3.6 The Data Controller shall be responsible for subject access requests. The Data Processor shall, where possible, assist the Data Controller in providing subject access and allowing data subjects to exercise their rights under the GDPR.
3.7 The Data Processor shall not access or send personal data outside of the European Economic Area (EEA). If a need arises for data to be sent outside the EEA, a contract including at least the EU model contract clauses (as amended or replaced from time to time) shall be entered into between the parties. The Model Contract, if required, shall be completed and incorporated into the Agreement.
3.8 In line with Article 33 of the GDPR, in the event of a data breach, both the Data Processor and the Data Controller shall assess whether the mandatory breach notification obligations of the GDPR are triggered. Where no notification obligation arises, the facts relating to the breach, as well as its effects and any remedial action taken, shall be documented and agreed by both the Data Processor and the Data Controller. In the case of data breaches which require notification, the notification will be made to the supervisory authority by the Data Controller without undue delay, and no later than 72 hours after the Data Controller becomes aware of the issue. Notifications to data subjects will also need to be made without undue delay if required, in line with Article 34 of the GDPR. The Data Processor agrees to notify the Data Controller of any data breach without undue delay after becoming aware of it, and commits to assisting the Data Controller in meeting the breach notification obligations under the GDPR.
3.9 The Data Processor shall retain the data for 90 days following payment of the invoice pertaining to the job the data was processed for.
4. Recording of Processing Activities
4.1 The Data Controller and the Data Processor shall maintain a record of processing activities in line with the requirements of Article 30 of the GDPR.
5.1 The Data Processor’s liability to the Data Controller for any loss or damage of whatsoever nature suffered or incurred by the Data Controller or for any liability of the Data Controller to any other person for any loss or damage of whatsoever nature suffered or incurred by that person shall be to the extent permitted by law.
6.1 Any data held on the Data Processor's system will be deleted in line with clause after a period of 90 days following the balancing of the account of the Data Controller. A Data Destruction Certificate will be issued at this point.
7.1 This Agreement shall be governed by and construed in accordance with the law of the Republic of Ireland and the parties shall submit to the exclusive jurisdiction of the Courts of Ireland.