1. Data Protection
1.1 In the course of providing services to you, we may process personal data on behalf of, or relating to you, your directors, employees, contractors, suppliers or other personnel, including those of your affiliates or relevant third parties. The purpose and scope of this Addendum, in conjunction with our Privacy Statement is to set out the terms and conditions applicable to such processing.
1.2 For the purpose of this Addendum, unless and until no longer directly applicable in the UK, ‘Data Protection Laws’ means the Data Protection Act 2018, Directive (95/46/EC) of the European Parliament and Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) or equivalent, the Investigatory Powers Act 2016, the Regulation of Investigatory Powers Act 2000, the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000 (SI 2000/2699), the Electronic Communications Data Protection Directive (2002/58/EC), the Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2003/2426) and all applicable national laws (including implementing laws and judgements of any relevant court of law), regulations and secondary legislation, as amended or updated and notified to you from time to time, in the UK and then any successor legislation and regulations relating to the processing of personal data, direct marketing, electronic communications and privacy, including where applicable the guidelines, recommendations, best practice, opinions, directions, decisions and codes of conduct issued, adopted or approved by the European Commission, the European Data Protection Board, the UK’s Information Commissioner’s Office and/or any other supervisory authority or data protection authority from time to time.
1.3 Both parties will comply with all applicable requirements of the Data Protection Laws, it being acknowledged and agreed that this Addendum is in addition to, and does not relieve, remove or replace, a party’s obligations under the Data Protection Laws.
1.4 For the purposes of the Data Protection Laws:
- (a) where we determine the means and purposes for which any personal data you provide to us is processed, for example for our regulatory purposes or in providing you with advice, we will be the data controller of such personal data (as such terms are defined in the Data Protection Laws), to which the provisions of section 2 shall apply; and
- (b) where we process personal data on your behalf and you determine the means and purposes for which such data is held, you will be the data controller and we will be the data processor of such personal data, to which the provisions of section 3 shall apply, it being acknowledged that either or both of us and you may be a data controller over the same personal data for the purpose of the Data Protection Laws.
2. Where we are the data controller
2.1 The provisions of this section 2 shall apply where we are acting in the capacity as a data controller over personal data that you provide to us in accordance with paragraph 1.4(a).
2.2 Where we are a data controller over personal data that you provide to us from time to time, we shall:
- (a) implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with the Data Protection Laws;
- (b) handle all personal data for which we are a data controller, in accordance with our Privacy Statement;
- (c) maintain written records (which may be included within our Privacy Statement) of:
  - (i) the name and contact details of the controller and, where applicable, the joint controller, the controller’s representative and the privacy officer, data protection officer, or other equivalent role;
  - (ii) the purposes of the processing;
  - (iii) a description of the categories of data subjects and of the categories of personal data;
  - (iv) the categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organisations;
  - (v) where applicable, transfers of personal data to a third country or an international organisation, inclusive of a description of the suitable safeguards in place;
  - (vi) where possible, the envisaged time limits for erasure of the different categories of data;
  - (vii) where possible, a general description of the technical and organisational security measures we will take to protect such personal data; and
- (d) where we are obligated to do so, communicate with affected data subjects whose personal data we are a data controller over.
2.3 Where we are a data controller over personal data that you provide to us, you shall:
- (a) ensure that you have satisfied your own obligations as a data controller under the Data Protection Laws;
- (b) secure all necessary appropriate consents, registrations and notifications as may be required to enable the lawful transfer of the personal data to us; and
- (c) assist us to communicate with data subject(s) of whose personal data we have become a data controller, where we are legally obligated to provide information to the same.
3. Where we are the data processor
3.1 The provisions of this section 3 shall apply where we are acting in the capacity as data processor for you in accordance with paragraph 1.4(b), and shall form a data processing agreement within the meaning of the Data Protection Laws.
3.2 We hereby confirm that, in our capacity as a data processor, the nature and the purpose of the processing is to supply professional services to you as instructed from time to time.
3.3 For so long as we are processing personal data on your behalf in a capacity as data processor, you will:
- (a) be the data controller for the purposes of Data Protection Laws;
- (b) provide us with any details of the types of personal data that you provide to us for processing from time to time (inclusive of details about any special categories of personal data);
- (c) ensure that you have secured all necessary appropriate consents, registrations and notifications as may be required to enable the lawful transfer of the personal data to us (and to make such further transfers to third parties as envisaged under this section 3), and in order for us to process such personal data to the extent required for, and for the duration of, our provision of services to you;
- (d) provide us with documented instructions for processing of the personal data; and
- (e) be accountable to us for all costs, claims, damages and expenses (including legal costs) arising out of, or in connection with, any failure to comply with the requirements of this paragraph 3.3.
3.4 In relation to any personal data processed by us where we are acting in the capacity as data processor, without prejudice to our rights and obligations where we are a data controller of any personal data in accordance with section 2, we shall:
- (a) process that personal data only on your reasonable and lawfully given written instructions unless we are required otherwise under any applicable law. Where we are relying on applicable law as the basis for processing personal data outside of your instructions, we shall promptly notify you of this unless such laws prohibit us from doing so;
- (b) not process such personal data for our own purposes without your prior written consent. For the avoidance of doubt, this shall not apply to us where we are the data controller of any personal data;
- (c) ensure that we have in place appropriate technical and organisational measures to ensure a level of security appropriate to the data security risks presented by processing such personal data, including (without limitation) the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymising and encrypting personal data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to personal data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by us);
- (d) regularly review and update the technical and organisational measures implemented in order to demonstrate to you that the processing of the personal data is performed in accordance with the Data Protection Laws upon request;
- (e) ensure that all personnel who have access to and/or process personal data are obliged to keep the personal data confidential;
- (f) put in place appropriate safeguards to protect the personal data including (without limitation), executing with the Customers such further documentation as may be necessary for the transfers to be lawful, such as standard contractual clauses in the form approved by the European Commission as such contractual clauses are from time to time amended and updated;
- (g) put in place enforceable data subject rights and effective legal remedies for data subjects as required by the Data Protection Laws;
- (h) notify you without undue delay on becoming aware of a personal data breach;
- (i) promptly inform you of any complaints, requests or enquiries received from data subjects, including but not limited to requests to access, correct, delete, block or restrict access to their personal data or receive a machine-readable copy thereof;
- (j) at your request and sole cost, assist you in responding to any request from a data subject with respect to any complaints, requests or enquiries, security breach notifications, impact assessments and consultations with supervisory authorities or regulators;
- (k) immediately inform you if, in our opinion, an instruction infringes Data Protection Laws;
- (l) at your written direction, delete or return personal data and copies thereof to you on termination of the agreement unless we are separately a data controller of such information or are required by applicable law to retain the personal data. Where you terminate part only of the services that we provide to you, then this paragraph 3.4(l) shall only apply to the part of the services that have been terminated;
- (m) allow for limited audits, at your sole cost (including in respect of any of our own associated costs), which shall be strictly limited to the specific documents or information or part of any document or information that are reasonably necessary (as determined by Oury Clark acting reasonably) to demonstrate our compliance with the obligations of the Data Protection Laws as they directly relate to personal data that you are the data controller of. Such audits shall be carried out no more than once in any twelve month period by you or such designated auditor that we are satisfied is not our competitor (as we determine, acting reasonably) and audits shall be on not less than 30 business days’ notice on a date agreed with us and shall be carried out during normal working hours on a business day and shall not unreasonably disturb our operations; and
- (n) maintain a written record of processing activities to demonstrate our compliance with this section 3, which shall as a minimum include:
  - (i) your name and contact details, your representative and/or data protection officer or other privacy manager or officer (each where applicable);
  - (ii) the categories of data that we are processing for you;
  - (iii) the purpose of the processing;
  - (iv) the categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organisations;
  - (v) any transfers of personal data to a third country or an international organisation (where applicable) and details of the suitable safeguards in place; and
  - (vi) the technical and organisational security measures in the form of a general description.
3.5 Where you submit personal data to us from within the European Economic Area (EEA), such information may be transferred to countries outside the EEA. By way of example, this may happen if one or more of our third party service providers with whom we share personal data in accordance with paragraph 3.6 are located, or have their servers located, outside your country or the country from which the data were provided. If we transfer personal data that you provide to us (in our capacity as a data processor) outside the EEA then we will take steps to ensure an adequate level of protection to any personal data that is transferred, which may include entry into appropriate contractual arrangements with such non-EEA recipient for the transfer of personal data to applicable third countries outside the EEA as adopted and approved by the EU Commission or competent data protection regulatory authority in accordance with applicable Data Protection Laws (Standard Data Protection Clauses). We will use our reasonable endeavours to work with you to apply for and obtain any permit, authorisation or consent that may be required under Applicable Data Protection Law in respect of the implementation of this paragraph 3.5.
3.6 You consent to us appointing the third party suppliers set out in our Supplier List, a list of which is available on application to the contact details below, some of whom may be located, or have their servers located, outside of the EEA in accordance with paragraph 3.5. We confirm that we have entered or (as the case may be) will enter with the third-party processor into a written agreement substantially on that third party’s standard terms of business. This list is periodically updated from time to time as we change, add or update our suppliers, so we encourage you to check this regularly. You have the right to object to any such changes that we may introduce to this list.
3.7 As between you and us, we may remain liable for acts or omissions of any third-party processor appointed by us pursuant to paragraph 3.5; however, please note that where you enter into contract directly with any third parties, then they may have their own privacy policies and terms and conditions, which we have no control over, accept no responsibility for, and shall have no liability for.
3.8 Either party may, at any time on not less than 30 days’ notice, revise this section 3 by replacing it with any applicable controller to processor standard clauses or similar terms forming part of an applicable certification scheme (which shall apply when replaced by attachment to this agreement).
4. Other Information
4.1 As technologies and information governance practices develop, and data privacy laws (and surrounding guidance) evolve, we may need to revise this Addendum. We therefore reserve the right to amend this Addendum. If the changes are significant or may materially impact upon your rights, we will provide a more prominent notice or contact you by other means (including, for certain services, email notification of Privacy Policy changes).
4.2 Any notices sent to us under this Addendum shall be provided to:
Oury Clark Chartered Accountants
Email: ocaprivacy@ouryclark.com
Tel: +44 (0)1753 55111
Address: Oury Clark Chartered Accountants, Herschel House, 58 Herschel Street, Slough SL1 1PG.
The Privacy Officer for Oury Clark Chartered Accountants is Ian Phipps.
Oury Clark Solicitors
Email: ocsprivacy@ouryclark.com
Tel: +44 (0)207 067 4300
Address: Oury Clark Solicitors, 10 John Street, London WC1N 2EB.
The Privacy Officer for Oury Clark Solicitors is Ross Meadows.
Annex – Record of Processing Activity as a Data Processor
| Item | Details |
|---|---|
| Description of processing | Each applicable business entity within Oury Clark in its capacity as a data processor will or may process personal data to perform professional services pursuant to your instructions, in accordance with, and as further specified in, the associated letters of engagement or terms of business that govern such supply of services (inclusive of the Data Protection Addendum and this Annex). |
| Type of personal data | The personal data that we may process in the course of delivering services to you in our capacity as data processor include the following types of personal data relating to you or other data subjects about whom you are the data controller and we are a data processor: |
| Special categories of personal data | The personal data that we may process in the course of delivering services to you in our capacity as data processor include the following special categories of personal data relating to you or other data subjects about whom you are the data controller and we are a data processor: |
| Categories of data subjects | You may submit personal data during the course of our service delivery to you, the extent of which is determined and controlled by you in your sole discretion, and which may include, but is not limited to, personal data relating to the following categories of data subject: |
| Purpose of processing | The objective of our processing of personal data is the performance of the services pursuant to the letters of engagement or terms of business that govern our supply of services (inclusive of the Data Protection Addendum and this Annex). |
| Duration of processing | The duration of our delivery of services to you, being the time during which you are instructing any business entity within Oury Clark to perform services on your behalf. |