General Data Protection Regulation (GDPR)
For the purposes of this Schedule:
a. Data Protection Laws means any applicable law relating to the processing of Personal Data, as applicable to either party or the Services, including:
i. the Directive 95/46/EC (Data Protection Directive) or the GDPR;
ii. any laws which implement such laws;
iii. any laws that replace, extend, re-enact, consolidate or amend any of the laws stated in (i) and (ii) above;
iv. all guidance, codes of practice and codes of conduct issued by any relevant Data Protection Supervisory Authority relating to such Data Protection Laws (whether legally binding or not);
b. GDPR means the General Data Protection Regulation (EU) 2016/679;
c. Protected Data means Personal Data received from or on behalf of the Customer, or obtained in connection with the performance of the Supplier’s obligations under the Agreement; and
d. Sub-processor means any agent, subcontractor or any other third party engaged by the Supplier (or by any other Sub-Processor) for carrying out any processing activities in respect of the Protected Data.
The terms “Controller”, “Data Subject”, “International Organisation”, “Member State”, “Personal Data”, “Personal Data Breach”, “Processor”, “Processing” and “Supervisory Authority” shall have the same meaning as in the GDPR.
Data Protection Principles
Under GDPR, all personal data obtained and held by us must be processed according to a set of core principles. In accordance with these principles, we will ensure that:
- processing is fair, lawful and transparent
- data is collected for specific, explicit, and legitimate purposes
- data collected is adequate, relevant and limited to what is necessary for the purposes of processing
- data is kept accurate and up to date. Data which is found to be inaccurate will be rectified or erased without delay
- data is not kept for longer than is necessary for its given purpose
- data is processed in a manner that ensures appropriate security of personal data, including protection against unauthorised or unlawful processing, accidental loss, destruction or damage, by using appropriate technical or organisational measures
Compliance with data protection laws
- The parties agree that the Customer is a Controller or the provider of information or data to Sentry Intelligence and the Supplier is a Processor for the processing of Protected Data pursuant to this Agreement.
- The Supplier shall, and shall ensure its Sub-Processors and each of the Supplier personnel shall comply with all Data Protection Laws in connection with the processing of Protected Data and the provision of the Services.
- Nothing in this Agreement relieves the Supplier of any responsibilities or liabilities under Data Protection Laws.
Each party shall be liable for and shall indemnify (and keep indemnified) the other against all actions, proceedings, liabilities, costs, claims, losses, expenses, compensation paid to Data Subjects and other reasonable professional costs and expenses suffered or incurred by the indemnified party arising out of or in connection with any breach of the Data Protection Laws by the indemnifying party, its employees or agents.
The Supplier shall only process (and shall ensure Supplier personnel only process) the Protected Data in accordance with this policy or in accordance with the Customer’s written instructions by means of contractual agreement to provide commercial services. The Supplier will immediately inform the Customer if any instruction relating to the Protected Data infringes or may infringe any Data Protection Law.
The Supplier has implemented appropriate technical and organisational measures to protect the Protected Data from accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access. The technical and organisational security measures which the Supplier has in place are set out in Organisational Security Measures set out below.
The Supplier will not permit any processing of Protected Data by any third party (except Supplier personnel that are subject to an enforceable obligation of confidence with regards to the Protected Data) without the prior specific written permission of the Customer, except (i) as specifically stated in this Schedule, or (ii) where such processing is required by any applicable law, regulation or public authority.
The Supplier shall prior to the relevant Sub-Processor carrying out any processing activities in respect of the Protected Data, appoint each Sub-Processor under a written agreement containing data protection obligations that provide at least the same level of protection for Protected Data as those in this Schedule.
The Supplier shall remain fully liable to the Customer under this Agreement for all the acts and omissions of each Sub-Processor and each of the Supplier Personnel as if they were its own.
Where a Sub-processor is engaged by the Supplier, the Supplier shall:
a. carry out adequate due diligence to ensure that the Sub-processor is capable of providing the level of protection for Protected Data required by this Schedule;
b. remain liable for any breach of this Schedule caused by a Sub-processor; and
c. provide relevant details and a copy of each agreement with a Sub-Processor to the Customer on request.
The Supplier shall, taking into account the nature of the processing, provide reasonable assistance to the Customer insofar as this is possible, to enable the Customer to respond to requests from a data subject seeking to exercise their rights under Data Protection Laws. In the event that such request is made directly to the Supplier, the Supplier shall promptly inform the Customer of the same.
The Supplier shall to the extent required by Data Protection Laws, taking into account the nature of the processing and the information available to the Supplier, provide the Customer with commercially reasonable assistance with data protection impact assessments (as such term is defined in Data Protection Laws) or prior consultations with data protection authorities that the Customer is required to carry out under Data Protection Laws.
Data subject requests
The Supplier will record and refer to the Customer, promptly (and in any event within three days of receipt), all requests and communications received from Data Subjects or any Supervisory Authority which relate (or which may relate) to any Protected Data, and will not respond to any of them without the Customer’s express written approval and strictly in accordance with the Customer’s instructions, unless and to the extent required by law.
The Supplier will not process and/or transfer, or otherwise directly or indirectly disclose, any Protected Data in or to countries outside the EEA or to any International Organisation without the prior written consent of the Customer.
Audits and records
The Supplier will, in accordance with Data Protection Laws, make available to the Customer such information in the Supplier’s possession or control as the Customer may reasonably request with a view to demonstrating the Supplier’s compliance with the obligations of data processors under Data Protection Laws in relation to its processing of Protected Data.
The Customer may exercise its right to audit under Data Protection Laws through the Supplier providing:
a. an audit report not older than 18 months by an independent external auditor demonstrating that the Supplier’s technical and organisational measures are in accordance with the Supplier’s industry audit standard; and
b. additional information in the Supplier’s possession or control to a Supervisory Authority when it requests or requires additional information in relation to the data processing activities carried out by the Supplier under this Schedule.
The Supplier shall promptly (and in any event within 24 hours) notify the Customer if it (or any of its Sub-Processors or the Supplier Personnel) suspects or becomes aware of any suspected, actual or threatened occurrence of any Personal Data Breach in respect of any Protected Data.
The Supplier shall promptly (and in any event within 24 hours) provide all information as the Customer requires to report the circumstances and to notify affected Data Subjects under Data Protection Laws.
Return/Deletion of Protected Data
Upon termination or expiry of any contractual agreement, the Supplier shall at the Customer’s election, promptly (and in any event, within 30 days of the expiry of the Agreement) delete or return to the Customer the Protected Data (including existing copies) in the Supplier’s possession by secure file transfer, save to the extent that the Supplier is required by any applicable law to retain some or all of the Protected Data.
The Supplier will provide written certification to the Customer that it has fully complied with the section above within 30 days of the expiry of the Agreement.
Any information provided to Sentry Intelligence by users of our website including information submitted via contact for case enquiry forms is transferred and stored securely and is used only to deliver our commercial services.
Personal Data: Categories of Data Subjects:
Protected Data will concern the following categories of Data Subjects:
- Data Subjects about whom the Supplier collects Protected Data for the provision of Services; and/or
- Data Subjects about whom Protected Data is transferred to the Supplier in connection with the Services by, at the direction of, or on behalf of the Customer.
Minimum technical and organisational security measures
Without prejudice to its other obligations, the Supplier shall implement and maintain at least the following technical and organisational security measures to protect the Protected Data:
The Supplier will provide the Customer free and ongoing access to a dedicated secure cloud-based data centre, certified and audited for ISO27001:2005, SSAE16 and other industry recognised security protocols. All data is subject to end-to-end encryption, HIPAA and PH1 certification and is fully GDPR compliant.
In the event of the Customer requiring reports to be sent via printed copy, all reports will be redacted by the removal of information referring to personal details of the individual or individuals and shall instead be provided with a unique reference number known only by the Customer and the Supplier.