Last updated: 24th October 2022
Standard Data Protection Terms — Definitions
Contract: shall be the Proposal that you have signed along with any Standard Terms and Conditions referred to in the Proposal and these Standard Data Protection Terms.
Data Controller: shall have the meaning given to that term (or the term controller) in the Data Protection Legislation.
Data Processor: shall have the meaning given to that term (or the term processor) in the Data Protection Legislation.
Data Protection Legislation: all applicable laws and regulations from time to time in force relating to the protection of personal information, including the EU General Data Protection Regulation (EU) 2016/679 as transposed into United Kingdom national law by operation of section 3 of the European Union (Withdrawal) Act 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019, the Data Protection Act 2018, and all applicable laws and regulations from time to time in force which apply to either party relating to the use of personal data (including, without limitation, the privacy of electronic communications) and the binding codes of practice issued by the Information Commissioner or any other relevant data protection or supervisory authority applicable.
Data Subject: shall have the meaning given to that term in the Data Protection Legislation.
Personal Data: shall have the meaning given to that term in the Data Protection Legislation.
References to ‘Us’, ‘Our’ and ‘We’ refer to About Loyalty Ltd.
References to ‘You’ and ‘Your’ refer to you as the signatory of the Proposal.
Services: the services to be delivered by or on behalf of About Loyalty pursuant to the Proposal that you have signed.
Sub-Contract: any contract or agreement or proposed contract or agreement between About Loyalty and any third party whereby that third party agrees to provide to About Loyalty the Services or any part thereof or facilities or services necessary for the provision of the Services or any part thereof or necessary for the management, direction or control of the Services or any part thereof.
Sub-Contractor: the third parties that enter into a Sub-Contract with About Loyalty.
1. Both of us will comply with all applicable requirements of the Data Protection Legislation in the performance of the obligations contained in the Proposal that you have signed. These Standard Data Protection Terms are in addition to the terms of the Proposal and furthermore do not relieve, remove or replace each of our obligations under the Data Protection Legislation.
2. We both acknowledge that for the purposes of the Data Protection Legislation, you are the Data Controller and we are the Data Processor. The Proposal sets out the scope, nature and purpose of processing by us, the duration of the processing and the types of Personal Data and categories of Data Subject.
3. Without prejudice to the generality of clause 2, you warrant and represent that you have all necessary appropriate consents and have put any necessary privacy notices in place, to enable the lawful transfer and processing of the Personal Data to and by us for the duration and purposes of the Contract.
4. Without prejudice to the generality of clause 2, we shall, in relation to any Personal Data processed in connection with the performance by us of our obligations under the Proposal:
a) process that Personal Data only on the written instructions from you (which may be specific instructions or instructions of a general nature as set out in the Proposal or as otherwise notified by you to us during the term of the Contract) unless we are required by the laws of the United Kingdom or the laws of the European Union applicable to us to process Personal Data. Where we are relying on law of the United Kingdom or the European Union as the basis for processing Personal Data, we shall promptly notify you of this before performing the processing required by such laws unless those laws prohibit us from so notifying you;
b) ensure that we have in place appropriate technical and organisational measures to protect against unauthorised or unlawful processing of Personal Data and against accidental loss, destruction, damage, alteration or disclosure of the Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction, damage, alteration or disclosure and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymising and encrypting Personal Data, ensuring confidentiality, integrity, availability and resilience of our systems and services, ensuring that availability of and access to Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by us);
c) not transfer any Personal Data outside the EEA and the United Kingdom unless the prior written consent of you has been obtained and the following conditions are fulfilled:
(i) you or we have provided appropriate safeguards in relation to the transfer;
(ii) the Data Subject has enforceable rights and effective legal remedies;
(iii) we comply with our obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred; and
(iv) we comply with reasonable instructions notified to us in advance by you with respect to the processing of the Personal Data;
d) obtain prior written consent from you in order to transfer the Personal Data to any Sub-Contractors or affiliates for the provision of the Services;
e) ensure that all personnel who have access to and/or process Personal Data are contractually obliged to keep the Personal Data confidential;
f) notify you (within five working days), if we receive:
(i) a request from a Data Subject to have access to that person's Personal Data; or
(ii) a complaint or request relating to your obligations under the Data Protection Legislation;
g) assist you, at your cost, in responding to any request from a Data Subject, including by:
(i) providing you with full details of the complaint or request;
(ii) providing you with any Personal Data we hold in relation to a Data Subject; and
(iii) providing you with any information reasonably requested by you;
h) assist you, at your cost, in ensuring compliance with your obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators;
i) notify you without undue delay on becoming aware of a Personal Data breach;
j) make available to you a list of any Sub-Contractors and service providers engaged in the processing of your Personal Data and include in any contract with such Sub-Contractors and service providers who process Personal Data on your behalf, provisions which are equivalent to those in these Standard Data Protection Terms;
k) maintain complete and accurate records and information to demonstrate our compliance with our obligations under these Standard Data Protection Terms;
l) permit you or your designated auditor to inspect and audit our data processing activities and records, provided that:
(i) where a third party auditor is used, such auditor shall be bound by reasonable and appropriate confidentiality undertakings;
(ii) you or such auditor may only inspect such records and information during usual business hours, on giving not less than thirty days’ prior written notice, not more than once per year;
(iii) the scope of such inspection shall encompass only such records and information which relate only to Personal Data processed on your behalf in connection with the performance by us of our obligations under the Proposal and not on behalf of any third party.
5. You consent to our use of Sub-Contractors and service providers to provide the Services. We shall, prior to the relevant Sub-Contractors and service providers carrying out any processing activities in respect of the Personal Data, appoint each Sub-Contractor and service provider under a binding contract containing provisions which are equivalent to those in these Standard Data Protection Terms.
6. We shall give you not less than 60 days’ prior written notice of a change in Sub-Contractors and/or service providers. In the event that you do not agree to a proposed change you shall give us notice to that effect, including an explanation of the grounds for non-approval of the Sub-Contractors or service providers, within 60 days of our notice informing you of the change. If you do not provide us with such a notice we shall be entitled to assume your approval of the change in Sub-Contractor or service provider. If you do provide us with such a notice then we may, at our sole discretion:
a) continue to use such Sub-Contractor or service provider, and in that case, you may terminate the Contract without liability by providing written notice of termination with immediate effect;
b) terminate the Contract without liability by providing written notice of termination with immediate effect.
If the Contract is terminated pursuant to this clause 6, we shall refund to you all monies in respect of the unexpired portion of the Contract that has been paid in advance by you.
7. Upon termination or expiration of the Contract, we shall:
a) cease, as soon as reasonably practicable, to process any of the Personal Data;
b) at your written request, delete all Personal Data, or return to you all Personal Data and copies thereof, unless we are required by Data Protection Legislation or any other applicable law to store the Personal Data.
8. You shall indemnify us and keep us indemnified against all losses, claims, damages, liabilities, fines, sanctions, interest, penalties, costs, charges, expenses, any compensation paid to Data Subjects, demands, and legal and other professional costs (calculated on a full indemnity basis and in each case whether or not arising from any investigation by, or imposed by, a supervisory authority) (including any claims by other members for loss or damage regarding our use or the use by the other members of Personal Data supplied by you) arising out of or in connection with a breach by you of your obligations under these Standard Data Protection Terms.