THE SERIOUS STUFF
PRIVACY & DATA PROCESSING
“Data Protection Legislation” means (i) unless and until the GDPR is no longer directly applicable in the UK, the General Data Protection Regulation ((EU) 2016/679) and any national implementing laws, regulations and secondary legislation, as amended or updated from time to time, in the UK and then (ii) any successor legislation to the GDPR or the Data Protection Act 1998.
1.1 The parties acknowledge that for the purposes of the Data Protection Legislation, the Client is the data controller and the Training company is the data processor (where Data Controller and Data Processor have the meanings as defined in the Data Protection Legislation).
1.2 The training company shall, in relation to any Personal Data (as defined in the Data Protection Legislation) processed in connection with the performance by the Agency of its obligations under this agreement:
(a) process that Personal Data only on the written instructions of the Client for the purposes of carrying out a training session for their company in accordance with the terms of this agreement unless the Training company is required by the laws of any member of the European Union or by the laws of the European Union applicable to the Agent to process Personal Data (Applicable Laws). Where the training company is relying on laws of a member of the European Union or European Union law as the basis for processing Personal Data, the Agent shall promptly notify the Client of this before performing the processing required by the Applicable Laws unless those Applicable Laws prohibit the Agent from so notifying the Client;
(b) ensure that it has in place appropriate technical and organisational measures, reviewed and approved by the Client, to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymising and encrypting Personal Data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it);
(c) ensure that all personnel who have access to and/or process Personal Data are obliged to keep the Personal Data confidential;
(d) assist the Client in responding to any request from a Data Subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators;
(e) notify the Client without undue delay on becoming aware of a Personal Data breach;
(f) at the written direction of the Client, delete or return Personal Data and copies thereof to the Client on termination of the agreement unless required by Applicable Law to store the Personal Data; and
(g) maintain complete and accurate records and information to demonstrate its compliance with this clause.