GDPR amendment to Standard Customer Terms & Conditions
Variation to our General Conditions for Business Customers
You may be aware that the General Data Protection Regulation (GDPR) comes into effect in the UK, and wider European Union, on 25 May 2018.
In preparation for the GDPR, we have recently reviewed our General Conditions for Business Customers for the provision of telecommunication network services. In providing the Services to you, we recognise that personal data relating to your staff passes to us. We further recognise that personal data (for administrative purposes) passes between us, and the GDPR may apply to this data.
To allow us both to comply with our enhanced legal and regulatory obligations, it is important for both of us to ensure that our terms of business reflect the changes introduced by the GDPR. To do this, we have prepared a short variation to our terms, to be inserted as an addendum. This is in accordance with our rights to vary our standard terms, from time to time, under clause 12.1. Whilst these changes will take effect, procedurally, 28 days from the date of this letter, a number of changes or enhancements into how we process your personal data have already been implemented ahead of GDPR.
A copy of our proposed wording is annexed to this letter. The changes are not drafted to improve our position under our contract with you. If you have any questions relating to this letter or its subject matter, please email them to firstname.lastname@example.org
We look forward to continually working with you. Yours faithfully
Chief Executive Officer
For and on behalf of New Star Networks Limited
- The Company has amended its General Conditions for Business Customers (General Conditions) on the terms of this Schedule 1, in accordance with clause 12.1 of the General Conditions.
- Where there is any conflict between the provisions of this Schedule and those in the General Conditions (particularly clause 23), the terms of this Schedule shall prevail.
- The following definitions and rules of interpretation shall apply in this Schedule, in addition to those contained in clause 1 of the General Conditions:
“Act” refers to the UK Data Protection Act 1998;
“Customer Data” means all necessary personal data relating to any Customer (including name and contact details and any other data listed in Schedule 1) and any data subject employed or engaged by any Customer that is provided to NSN under the Agreement;
“Data Protection Laws” refers to:
(i) the Regulation (unless and until it is no longer directly applicable in the UK);
(ii) any UK implementing laws, regulations and secondary legislation under the Regulation
(as amended or updated from time to time);
(iii) any successor legislation to the Regulation; and
(iv) the Act; and
“Regulation” refers to the EU General data Protection Regulation (2016/679)
- These Schedules are in addition to the Company’s and the Customer’s obligations under the Data Protection Laws and the General Conditions.
- Terms used in these Schedules relating to data privacy/protection (but not otherwise defined), such as personal data, data processor and data subject, shall have the meaning(s) given to them in the Act or the Regulation (as applicable).
- The terms and provisions of this Schedule shall survive the termination or expiry of the General Conditions (for any reason).
- DATA PROTECTION
- Where the Company processes any Customer Data, the Company will comply with all requirements and obligations under the Data Protection Laws.
- The Customer shall notify all Users of the:
- nature and identity of the Company as a data processor;
- categories of personal data transferred; and
- The Company shall:
- maintain a valid and subsisting registration with the Information Commissioner’s Office to process the Customer Data (where required to do so).
- The Company shall:
- ensure that it has in place appropriate technical and organisational measures to protect against unauthorised or unlawful processing of, and against accidental loss or destruction of, or damage to, personal data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected (having regard to the state of technological development and the cost of implementing any measures);
- ensure that all personnel, contractors, agents or representatives who have access to and/or process personal data at any time are:
(a) limited only to those natural persons who need access to the personal data for the Company to meet its obligations under these General Conditions;
(b) informed of the confidential and sensitive nature of personal data; and
(c) are aware of their obligations, and data subjects’ rights, under the Data Protection Laws;
- assist the Customer (at the Customer’s cost) within a reasonable period in responding to any request from a data subject in connection with any exercise of any of its rights under the Data Protection Laws and to provide assistance with respect to security, breach notifications, impact assessments and consultations, where requested;
- provide, on request, a copy of all personal data held by the Company in the format and on the media reasonably specified by the Customer (at the Customer’s cost);
- notify the Customer as soon as reasonably practicable on becoming aware of a personal data breach, including if any personal data is lost, destroyed or becomes damaged, corrupted or unusable, and where requested or required to assist, to notify the data subject of such breach;
- keep and maintain complete and accurate records and information of any processing of personal data it carries out on behalf of the Customer, and permit (on reasonable notice), the Customer (or the Customer’s representative) to inspect all such records relating to the processing of personal data by the Company to demonstrate its compliance with this clause 23; and
- notify the Customer (as soon as reasonably practicable), if it has been given an instruction which doesn’t comply with the Data Protection Laws.
- The Customer acknowledges that the Customer Data will be processed by the Company through:
- hosting on third party systems; or
- processed by staff in offices located;
- By signing this Agreement, the Company:
- expressly consents to the transfers of Customer Data contemplated by Part 2.6 of this Schedule 1; and
- warrants that it has the relevant consent of all affected data subjects to the transfer (as required by the Regulation.
The definition of automated personal data (as referred to in sub-clause 9.1(l) of the General Conditions) shall have the updated meaning given to it in the Regulation, not the Act.
In addition to any other consequences of termination listed in sub-clause 14.11 of the General Conditions, each party will (at the disclosing party’s request) promptly return to the other all Confidential Information and any other property (including any personal data and Customer Data) which is in its custody or control, or will destroy the same and certify such destruction.