Companies storing or processing personal data of individuals within the EU are required to comply with the General Data Protection Regulations (GDPR). The following Data Protection statement has been implemented by Ricardo to align with GDPR and covers new and existing agreements.
Applicable Laws means (for so long as and to the extent that they apply to the Provider) the law of the European Union, the law of any member state of the European Union and/or Domestic UK Law.
Data Protection Legislation: the UK Data Protection Legislation and (for so long as and to the extent that the law of the European Union has legal effect in the UK) the General Data Protection Regulation ((EU) 2016/679) and any other directly applicable European Union regulation relating to privacy.
Domestic UK Law means the UK Data Protection Legislation and any other law that applies in the UK.
UK Data Protection Legislation: any data protection legislation from time to time in force in the UK including the Data Protection Act 1998 or 2018 or any successor legislation.
Both parties will comply with all applicable requirements of the Data Protection Legislation.
The parties acknowledge that for the purposes of the Data Protection Legislation, the Customer is the data controller and the Provider is the data processor (where Data Controller and Data Processor have the meanings as defined in the Data Protection Legislation).
The Customer will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the Personal Data to the Provider for the duration and purposes of this agreement.
The Provider shall, in relation to any Personal Data processed in connection with the performance by the Provider of its obligations under this agreement:
(a) process that Personal Data only on the written instructions of the Customer unless the Provider is required by Applicable Laws to otherwise process that Personal Data. Where the Provider is relying on laws of a member of the European Union or European Union law as the basis for processing Personal Data, the Provider shall promptly notify the Customer of this before performing the processing required by the Applicable Laws, to the extent it is legally permitted to do so;
(b) ensure that it has in place appropriate technical and organisational measures, to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures;
(c) ensure that all personnel who have access to and/or process Personal Data are obliged to keep the Personal Data confidential; and
(d) not transfer any Personal Data outside of the European Economic Area unless the prior written consent of the Customer has been obtained and the following conditions are fulfilled:
(i) the Customer or the Provider has provided appropriate safeguards in relation to the transfer;
(ii) the data subject has enforceable rights and effective legal remedies;
(iii) the Provider complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred; and
(iv) the Provider complies with reasonable instructions notified to it in advance by the Customer with respect to the processing of the Personal Data;
(e) assist the Customer, at the Customer’s cost, in responding to any request from a Data Subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators;
(f) notify the Customer without undue delay on becoming aware of a Personal Data breach;
(g) at the written direction of the Customer, delete or return Personal Data and copies thereof to the Customer on termination of the agreement unless required by Applicable Law to store the Personal Data; and
(h) maintain complete and accurate records and information to demonstrate its compliance with this Notice.
Last updated: 15th May 2018