Data protection schedule

  1. DEFINITIONS

    1. In this Schedule the following terms have the following meanings: “Data” means all data processed by the Sub-Contractor or provided to the Sub-Contractor for processing or which may be made (directly or indirectly) available to the Sub-Contractor as part of or relating to the Sub-Contract Works;
    2. “Data Protection Laws” means the General Data Protection Regulation, the Data Protection Act 2018, and the Privacy and Electronic Communications (EC Directive) Regulations 2003 together with any other laws applicable to the protection of personal data in force from time to time in England and Wales and any related regulations, guidance and all subordinate legislation, regulations, statutory orders, codes of practice made pursuant to or in connection with any of them as from time to time amended, extended, re-enacted or consolidated;
    3. The terms “personal data”, “process”, “data controller”, “data processor”, “data subject” have the meanings attributed to them in the Data Protection Laws.
  2. DATA PROTECTION
    1. The provisions of this clause 2 shall only apply in relation to Data where the Sub-Contractor acts as the data processor of the Contractor. They shall not apply to the extent that each party is acting as a data controller under this Agreement.
    2. The parties believe that whilst the Sub-Contractor will act as the data processor of the Contractor in relation to the carrying out of works on behalf of the Contractor the parties agree that the Contractor will never act as a data processor for the Sub-Contractor.
    3. The purpose for the Sub-Contractor to process the Data will be to carry out the Sub-Contract Works at properties as notified to the Sub-Contractor by the Contractor in relation to the performance of this Agreement and to achieve this the Sub-Contractor will process the Data as follows: to make appointments with owners, tenants and/or occupiers to carry out works, in carrying out the works, to provide any guarantees to the Contractor and to keep records of the works carried out. The categories of data subjects to which personal data within the Data relates will be representatives of the Contractor and the owners, tenants and/or occupiers of the properties in which the works are to be carried out and the categories of personal data which will be processed are names and contact details for representatives of the Contractor, names and contact details for the owners, tenants and/or occupiers of the properties where the works are to be carried out and details of the works carried out in their properties. The Sub-Contractor shall only process the Data for a maximum period which is equal to the duration of this Agreement.
    4. The Sub-Contractor agrees to:
    5. only process personal data in accordance with the relevant principles under the Data Protection Laws;
    6. only process the personal data for and on behalf of the Contractor for the purposes of performing this Agreement with the Contractor and in accordance with any other instructions issued by the Contractor in writing from time to time unless otherwise required by law or any other regulatory body (in which case the Sub-Contractor shall, where permitted, inform the Contractor of that legal requirement before processing);
    7. not permit any third party to process any of the personal data without the Contractor’s prior written consent except to the extent that the third party is acting as a data processor for the Contractor;
    8. (where consent is provided pursuant to the clause above) impose upon each such third party sub-processor (and procure each such third party sub-processor’s compliance with) the terms of this clause 2 as if the processing being carried out by the sub-processor was being carried out by the Sub-Contractor;
    9. where legally possible ensure that the Contractor has the right to directly enforce any terms relating to processing of the personal data against any such third party sub-processor;
    10. not transfer or allow the transfer of the personal data outside the European Economic Area without the Contractor’s prior written consent;
    11. notify the Contractor from time to time of the location of the personal data and, where relevant of any computer system on which the personal data is held by the Sub-Contractor except to the extent it is held on the computer systems of the Contractor;
    12. ensure that only such of the Sub-Contractor’s personnel who may be required by the Sub-Contractor to assist it in meeting its obligations under this Agreement shall have access to the personal data. The Sub-Contractor shall ensure that all the Sub-Contractor’s personnel used by it in relation to this Agreement have undergone training in data protection and in the care and handling of personal data and are obliged to comply with the terms of this agreement. Where required the Sub-Contractor shall provide the Contractor with details of such personnel;
    13. immediately notify and provide full details to the Contractor of any breach or potential breach of this clause, take all measures necessary to remedy or address the breach or potential breach and cooperate with the Contractor to resolve such issue;
    14. immediately notify and provide full details to the Contractor of any potential or actual loss of personal data, take all measures necessary to remedy or address the loss or potential loss and cooperate with the Contractor to resolve such issue;
    15. from time to time on request provide full details in writing of the Sub-Contractor’s data processing activities in respect of the personal data, including the address of all locations where such processing takes place, and allow its data processing facilities, procedures and documentation which relate to the processing of the personal data to be inspected and audited (on reasonable written notice) by the Contractor, a representative or auditor of the Contractor or a regulatory body in order to ascertain compliance with Data Protection Laws and the terms of this Agreement; and
    16. to the extent that any personal data is held outside of the Contractor’s systems, on termination of this Agreement return (or, at the Contractor’s discretion at any time upon instruction from the Contractor, permanently delete) all personal data processed on behalf of the Contractor pursuant to this Agreement (and permanently delete any copies, save to the extent retention is required by law).
    17. The Sub-Contractor will keep, and provide to the Contractor upon request, a complete, accurate and up-to-date record of all processing activities carried out by the Sub-Contractor utilising personal data from the Contractor including but not limited to a general description of the security measures implemented in respect of the personal data.
    18. Where the Contractor requires assistance from the Sub-Contractor in order to respond to requests, queries and/or investigations in respect of the personal data within the Data or requires that the Sub-Contractor help the Contractor in reconstructing and/or otherwise safeguarding the personal data within the Data or requires that the Sub-Contractor assists the Contractor in complying with Data Protection Laws, the Sub-Contractor shall (at its cost) provide the Contractor with such assistance as the Contractor reasonably requests within any timescales specified by the Contractor. If no timescales are specified, the Sub-Contractor must promptly respond to and comply with the Contractor’s request to allow the Contractor to comply with its obligations under the Data Protection Laws.
    19. The Sub-Contractor shall:
    20. implement and at all times maintain an information security management system that operates and has robust back up and disaster recovery procedures in place; is able to comply with any rights of data subjects exercised under Data Protection Laws; and includes all appropriate technical and organisational measures necessary or desirable to ensure a level of security appropriate to the risk against unauthorised or unlawful processing, accidental loss or destruction of or damage to personal data, protect the rights of the data subject and enable the personal data to be processed in compliance with obligations equivalent to those imposed by the Data Protection Laws and ensure that all personal data processed by it is subjected to the controls of the information security management system implemented and maintained in accordance with this clause;
    21. immediately notify the Contractor of any contact with or investigation or audit of the Sub-Contractor in relation to data processing and/or personal data by any regulatory authority prior to providing any information, unless it is prevented from doing so by law or court of competent jurisdiction;
    22. co-operate with any regulatory authority for data processing; and
    23. not do or omit to do anything which will place the Contractor in breach of any Data Protection Laws.
    24. Without prejudice to any other right or remedy the Contractor may have, the Sub-Contractor will indemnify and keep indemnified (on a full indemnity basis) the Contractor (and any member of the Contractor’s group who has provided the Sub-Contractor with Data) against any and all claims, demands, penalties, fines, actions, proceedings, damages, lost profits, damage to goodwill, costs (including professional and legal costs), expenses, special, indirect, and consequential loss and any other loss and/or liability suffered or incurred by or awarded against the Contractor (and any relevant member of the Contractor’s group) arising out of or in connection with any breach of this Schedule, any tortious act and/or omission and/or any breach of statutory duty by the Sub-Contractor, whether or not such losses were foreseeable or foreseen at the date of this Agreement.