We expect our subcontractors and suppliers to comply with all Data Protection Laws and, where applicable, to comply with this policy together with any other related policies, measures or instructions that we provide.
As our subcontractor or supplier, you must protect all personal data, and must ensure that it is only used for the purpose for which it was provided in accordance with our instructions. Your obligations to us will be set out in a contract between us, and will include:
- Implementing and maintaining appropriate technical and organisational measures so that the processing will meet the requirements of GDPR and ensure the protection of the rights of the data subject.
- Obtaining our prior written authorisation if you intend to engage another processor, and to notify us of any changes relating to additional or replacement processors.
- Obtaining our prior written authorisation if you need to transfer the personal data to a third country or international organisation. Such written authorisation will be subject to the third country /international organisation benefiting from an adequacy decision by the EU Commission or the presence of approved appropriate safeguards.
- Processing the personal data in accordance with the contractual terms between us. These will include:
- Details such as: the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and our respective obligations and rights.
- Obligations that you will: process the personal data only on our documented instructions; ensure that any person processing the personal data is subject to obligations of confidentiality; implement all appropriate technical and organisational measures; assist us in responding to requests relating to the exercise of data subject’s rights; delete or return all the personal data to us after the end of the provision of services relating to the processing, and delete existing copies unless an overriding legal obligation requires storage of the personal data; and provide all information necessary to demonstrate your compliance with the contractual terms, including allowing for and contributing to audits or inspections conducted by us or our appointed auditor.
- Notifying us immediately of any suspected or actual data breaches, or loss of personal data; and assisting us in investigating and resolving such.