Data protection and GDPR:
1.1 Where Senior, pursuant to the Agreement, processes Personal Data on behalf of the Client, Senior acknowledges that the Client is the Data Controller and the owner of such Personal Data, and that Senior is the Data Processor.
1.2 The Data Processor is operating within reasonable compliance, and shall continue to comply, with the requirements of the applicable Data Protection Laws and all other data protection legislation in and jurisdiction relevant to the exercise of its right of the performance of its obligations under this Agreement.
1.3 The Data Controller shall, for all categories of personal data (including special categories) processed under this Agreement, either;
1.3.1 Obtain the consent of the data subject to the processing; or
1.3.2 Confirm the ground upon which the Personal Data is being processed
1.4 The Data Controller shall indemnify the Data Processor against all liabilities, costs, expenses, damages and losses (including reasonable professional costs and expenses) suffered or incurred by the Data Processor as a result of the Data Controller’s breach of its obligations pursuant to paragraph 1.3.1 above.
1.5 In respect of any Personal Data to be processed by the Data Processor pursuant to this Agreement for which the Customer is Data Controller, the Data Processor shall;
1.5.1 Have in place and at all times maintain appropriate technical and organisational measures in such a manner as is designed to ensure the protection of the rights of the data subject and to ensure a level of security appropriate to the risk;
1.5.2 Not engage any sub-processor without the prior specific or general written authorisation of the Customer (and in the case of general written authorisation; the Data Processor shall inform the Customer of any intended changes concerning the addition or replacement of other processors and the Customer shall have the right to object to such changes.).
1.5.3 Ensure that each of the Data Processor’s employees, agents, consultants, subcontractors and sub-processors are made aware of the Data Processor’s obligations under this Schedule and enter into binding obligations with the Data Processor to maintain the levels of security and protection required under this Schedule. The Data Processor shall ensure that the terms of this Schedule are incorporated into each agreement with any sub processor, subcontractor, agent or consultant to the effect that the sub-processor, agent or consultant shall be obligate to act at all times in accordance with duties and obligations of the Data Processor under this Schedule. Subject to clause 1.5.4 The Data Processor shall at all times be and remain liable to the Client for any failure of any employee, agent, consultant, subcontractor or sub-processor to act in accordance with the duties and obligations of the Data Processor under this Schedule;
1.5.4 Senior are not liable to the Client for any failures of other Data Processors or Sub Processors obligations under this Schedule who are engaged with by the client and with whom Senior are instructed to integrate with; including but not restricted to; direct debit systems, online payment providers, email services, CRMs and analytics
1.5.5 Process that personal Data only on behalf of the Client in accordance with the Client’s instructions and to perform its obligation under this agreement or other documented instructions and for no other purpose save to the limited extent required by law;
1.5.6 Upon the request of the Client, within 30 days of the expiry or termination of this agreement, Senior shall make available to the Client for download a full and complete file of the Customer Data. After the expiry of the 30 day period, Senior shall, unless required otherwise by law, delete all of the Customer Data in its live and staging systems or otherwise in its possession or control, note; in the case of backups these will be deleted in a 60 day cycle (30 days following deletion of live database);
1.5.7 Ensure that all persons authorised to access the Personal Data are subject to oblations of confidentiality and receive training to ensure compliance with the Agreement and the Data Protection Laws;
1.5.8 Make available to the Client all information necessary to demonstrate compliance with the obligations laid out in Article 28 of GDPR and this Schedule and allow for and contribute to audits, including inspections, conducted by the Client or another auditor mandated by the Client, provided that, in respect of this provision the Data Processor shall immediately inform the Client if, in its opinion, an instruction infringes Data Protection Laws, subject to clause 1.5.14
1.5.9 Taking into account the nature of the processing, provide assistance to the Client, within such timescales as the Client may be required from time to time, in connection with the fulfilment of the Client’s obligation as Data Controller to respond to requests for the exercise of data subjects’ right pursuant to Chapter III of the GDPR to the extent applicable, subject to clause 1.5.14;
1.5.10 Provide the Client with assistance in ensuring compliance with articles 32 to 36 (inclusive) of the GDPR (concerning security of processing, data breach notification, communication of a personal data breach to the data subject, data protection impact assessments, and prior consultation with supervisory authorities) to the extent applicable to the Client, subject to clause 1.5.14 and taking into account the nature of the processing and the information available to the Data Processor;
1.5.11 Immediately notify the Client in writing about;
a. Any data breach of any accidental loss, disclosure or unauthorised access of which the Data Processor becomes aware in respect of Personal Data that it processes on behalf of the Client;
b. Any request for disclosure of the Personal Data by a law enforcement authority (unless otherwise prohibited);
c. Any access request or complaint received directly from a data subject (without responding other than to acknowledge receipt);
1.5.12 Maintain a record of its processing activities in accordance with article 30 of the GDPR
1.5.13 Indemnify the Client against liabilities, claims, costs, expenses, damages and losses (including any direct, indirect or consequential losses, loss of profit, loss of reputation and all interest, penalties and legal and other professional costs and expenses) suffered or incurred by the Client or for which it may become liable as a result of any failure of the Data Processor, its employees, to comply with this Schedule. Up to a combined maximum value of £100,000
1.5.14 The Data Processor shall, at the Client’s expense to be calculated based upon the Data Processor’s standard hourly charge out rates:
a. Deal promptly and properly with all enquiries or requests from the Client relating to the Personal Data and the data processing actives, promptly provide to the Client in such form as the Client may request, as copy of any Personal data requested by the Customer; and
b. Assist the Client (where requested by the Client) in connection with any regulatory or law enforcement authority or law enforcement or enforcement action in respect of the Personal Data.
1.6 In respect of any Personal Data to be processed by a party acting as Data Processor pursuant to this Agreement for which the other party is Data Controller, the Data Processor shall not transfer the Personal Data outside the UK/EEA or to an internal organisation without:
1.6.1 Obtaining the written permission of the Data Controller
1.6.2 Ensuring appropriate levels of protection, including any appropriate safeguards if required, are in place for the Personal Data in accordance with the Data Protection Laws
1.6.3 Notifying the Data Controller of the protections and appropriate safeguard in paragraph 1.6.2 above; and
1.6.4 Documenting and evidencing the protections and appropriate safeguards in paragraph 1.6.2 above and allowing the Data Controller access to any relevant documents and evidence.
1.7 The following table sets out the details of processing as required by Article 28 of GDPR;
Details of processing activities:
Purposes of which the Personal Data shall be processed
Senior provides various web-based systems where forms are used to collect and store an amount of personal data that is core to enabling our Clients to deliver their core services
Description of the categories of the data subjects
Employers, Employees, Members, potential members, referees names and contact details, or individuals that sign up to receive information from our Clients
Description of transfers of Personal Data to a country outside of the UK/EEA
Senior’s systems, servers and data storage are based in secure environments in the EEU. CRM clients only: RiverCRM is based on Microsoft Dynamics, who store data in the UK/EEU however reserve the right to store data in US. The US is covered by ‘Safe Harbour’ agreement
The envisaged time limits for erasure of the different categories of Personal Data
Following termination or expiry of a Client’s contract, personal Data held processed on behalf of the Customer’s may be returned to the Data Controller at its own option and cost. 30 days after termination or expiry of the agreement, all personal Data processed on behalf of the Customer shall be permanently deleted. Historical data stored on backup systems will be deleted within a 60 day cycle
General description of technical and organisational security measures
Data is transferred from Web system to database via SSL. Senior is working towards encrypting all data in databases at rest. Availability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; Ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and Process for regularly testing, assessing and evaluating the effectiveness or technical and organisational measures for ensuring the security of the processing
Authorised Sub-processors
Upon instruction from Client Senior passes personal name, email address data to other data processors (or sub-processors); including but not restricted to; Microsoft Dynamics (River CRM), Om.net, other CRM providers (as instructed by client), Mailchimp; Campaign monitor; Pardot, Payment gateways (Sage Pay, WorldPay, PayPal), Go Cardless and Audis
Senior is committed to providing high-quality services that represent excellent value. If you are dissatisfied in any way with the service that you receive, please call Tricia Durrant on 0115 838 9555, or e-mail tricia.durrant@senior.co.uk. Please be assured that Senior will make every effort to deal with any Customer concerns and restore Customer satisfaction with our service and company.