Data Protection, Privacy and Security
VCG The PromoRisk People Ltd (“VCG”) acknowledges that for the purposes of the Data Protection Act, VCG is the data processor of any Personal Data provided to VCG by the Client for the purposes of enabling VCG to perform the agreed services.
VCG shall process the Personal Data only to the extent, and in such a manner, as is necessary for the purpose of performing the services under this Agreement and in accordance with the Client’s instructions from time to time and shall not process the Personal Data for any other purpose. VCG will keep a record of any processing of Personal Data it carries out on behalf of the Client.
VCG shall promptly comply with any request from the Client requiring VCG to amend, transfer and/or delete the Personal Data.
VCG shall in collecting data on behalf of the Client use a form that contains a data protection notice informing the Data Subject of the identity of the Data Controller, the identity of any data protection representative it may have appointed, the purpose or purposes for which their Personal Data will be processed and any other information which is necessary having regard to the specific circumstances in which the data is, or is to be, processed to enable Processing in respect of the Data Subject to be fair.
If VCG receives any complaint, notice or communication which relates directly or indirectly to the Processing of Personal Data or to either party’s compliance with the DP Act and the data protection principles set out therein, it shall immediately notify the Client and shall provide the Client with full co-operation and assistance in relation to any such complaint, notice or communication.
At the Client’s request, VCG shall provide to the Client a copy of all Personal Data held by it in the format and on the media reasonably specified by the Client.
VCG shall not transfer the Personal Data outside the European Economic Area without the prior written consent of the Client.
VCG shall promptly inform the Client if any Personal Data is lost or destroyed or becomes damaged, corrupted or unstable. VCG will restore such Personal Data at its own expense.
VCG shall ensure that access to Personal Data is limited to:
those of its employees who need access to the Personal Data to meet VCG’s obligations under this Agreement; and
in the case of any access by any of VCG’s employees, such part or parts of the Personal Data as is strictly necessary for the performance of that employee’s duties in furtherance of VCG’s obligations under this Agreement.
VCG shall ensure that all employees who shall have access to Personal Data:
are informed of the confidential nature of the Personal Data;
have undertaken training in the laws relating to handling Personal Data;
are aware of VCG’s duties and their personal duties and obligations under such laws and this Agreement.
VCG shall take reasonable steps to ensure the reliability and competence of any of VCG’s employees who have access to the Personal Data.
VCG shall provide the Client with full co-operation and assistance in relation to any request made by a Data Subject to have access to that person’s Personal Data.
VCG shall not disclose the Personal Data to any Data Subject or to a third party other than at the request of the Client or as agreed in writing.
VCG warrants that:
it will process the Personal Data in compliance with all applicable laws, enactments, regulations, orders, standards and other similar instruments and shall not do or permit anything to be done which might cause the Client to breach the terms of the DP Act;
it will take appropriate technical and organisational measures against the unauthorised or unlawful processing of Personal Data and against the theft, accidental loss or destruction of, or damage to, Personal Data to ensure the Client’s compliance with the seventh data principle, including but not limited to technological security such as encryption.
VCG shall notify the Client immediately if it becomes aware of:
any unauthorised or unlawful processing, theft, loss of, damage to or destruction of the Personal Data;
any advance in technology and methods of working which mean that the security measures referred to in clause 1.14.2 might need to be revised.
VCG agrees to indemnify and keep indemnified and defend at its own expense the Client against all costs, claims, damages and expenses incurred by the Client or for which the Client may become liable due to any failure by VCG or its employees or agents to comply with any of the obligations under this Agreement (including for the avoidance of doubt under clause 1.19 below), the DP Act or otherwise as a result of any employee or Agent’s failure to maintain the confidential nature of the Personal Data.
Without prejudice to the generality of clause 1.16, VCG agrees to indemnify and keep indemnified the Client against any liability that the Client may incur to a third party (including any Data Subject) or as a fine or penalty imposed by the Information Commissioner in the event of a breach of data security where such breach could reasonably have been prevented by VCG bearing in mind (i) VCG’s obligations under this clause 1 and (ii) the level of technological solutions and protections available from time to time to prevent breaches of this nature and/or harm resulting from any such breaches.
VCG shall take out insurance sufficient to cover any payment that may be required under clauses 1.16, 1.17, 1.20 and/or 1.21 and produce the policy and receipt for premium paid, to the Client on request.
VCG may only authorise a third party or sub-contractor to process the Personal Data to the extent that the Processing of Personal Data is necessary for the delivery of the Services and has been pre-agreed by the Client in writing on a Project by Project basis and subject always to the following conditions:
before engaging any such third party or sub-contractor, VCG having satisfied itself by conducting a thorough due diligence that the third party or sub-contractor in question is a reputable data handler and has in place all necessary and appropriate security, protections, registrations, contracts and controls in relation to the Processing of Personal Data and that such third party or sub-contractor applies Best Practice at all times (including in line with any recommendations from the Information Commissioner) in relation to the Processing of Personal Data;
VCG having in place an appropriate data handling contract with each third-party or sub-contractor which, inter alia, ensures the data privacy and security of Personal Data as well as compliance generally with the DP Act;
VCG continually reviewing the performance and compliance of the relevant third party or sub-contractor in relation to the Processing of Personal Data and in relation to the DP Act generally;
if VCG becomes aware that any third party or sub-contractor processing Personal Data on behalf of VCG is in breach of any data protection obligations including under the DP Act or is processing Personal Data in a manner incompatible with VCG’s obligations under this Agreement or is not applying Best Practice in relation to such Processing, VCG shall immediately terminate all arrangements with that third party or sub-contractor for the Processing of Personal Data and shall immediately notify the Client of the same;
if VCG terminates any arrangements under clause 1.19.4 above, VCG shall ensure that the continuity of the Services remains unaffected; and
upon request of the Client provide evidence of the matters set out in 1.19.1 to 1.19.4 and/or allow the Client access upon request to its records so that the Client can audit compliance with this clause 1.19.
VCG hereby indemnifies and will keep indemnified the Client against all costs, claims, damages and expenses incurred by the Client or for which the Client may become liable due to any failure by a third party or sub-contractor or any of their employees or agents to comply with the DP Act or otherwise as a result of any failure by any employee or Agent of any third party or sub-contractor failing to maintain the confidential nature of the Personal Data.
Without prejudice to the generality of clause 1.20, VCG agrees to indemnify and keep indemnified the Client against any liability that the Client may incur to a third party (including any Data Subject) or as a fine or penalty imposed by the Information Commissioner in the event of a breach of data security by a third party or sub-contractor engaged by VCG where such breach could reasonably have been prevented by the third party or sub-contractor bearing in mind (i) VCG’s obligations under this clause 1 and (ii) the level of technological solutions and protections available from time to time to prevent breaches of this nature and/or harm resulting from any such breaches.
For the purposes of this clause 1 the term “Best Practice” shall mean the use of such technologies, configurations or processes which meet or exceed any recommendations that have been or may be made or issued by the Information Commissioner’s Office and that are recognised as being at the forefront of what is available to the commercial data processing industry.
VCG undertakes to keep strictly confidential and not to disclose to any third party or use for its own benefit any Confidential Information made available to it. The Confidential Information will remain the property of the Disclosing Party. VCG agrees to use the Client’s Confidential Information only for the purpose of performing its agreed obligations.
The nature and results of all work done by VCG in performing the Services are deemed to be Confidential Information of the Client’s and will not be disclosed or utilised by VCG for any purpose other than the performance of its agreed obligations.
VCG will take all steps to ensure that the Client’s Confidential Information is kept confidential, will allow access to the Client’s Confidential Information only to those Representatives who have a reasonable need to know and use it for the purpose of performing their agreed obligations and will inform each Representative of the confidential nature of the Client’s Confidential Information and of their obligations in respect thereof. VCG will be responsible for any breach by any of its Representatives to whom it allows access to Confidential Information. At the request of the Client, VCG will provide the names of its Representatives who have been given access to Confidential Information. The Client may request Representatives of VCG to execute individual confidentiality agreements. Upon receipt of such request, VCG shall ensure such Representatives as specified by the Client execute individual confidentiality agreements in the reasonable form specified by the other Party within ten Business Days of receipt of such request.
Upon termination or expiry of this Agreement, VCG and any of its Affiliates and Representatives will immediately return to the Client all Confidential Information in recorded form in its possession or under its control and delete all such Confidential Information on any computer or other device containing such information and confirm such deletion in writing to the Client.
VCG will not make any public announcement regarding its agreed obligations without the prior written consent of the Client.
The obligation of confidence in this clause 2 shall survive the termination or expiry of this Agreement for any reason.
3 Jan 2017