Terms & Conditions for Processing Personal Data


Effective date: January 17, 2020

The Supplier: INTEGRAL RESEARCH, a company limited by guarantee (Registered in England number: 11074476) whose registered office is at: 46-48 East Smithfield, London, E1W 1AW

The contract

A brief description of the services to be provided by the supplier that require the processing of company personal data, type of personal data, duration and categories of data subject can be set out here or referenced in a further schedule.

Data Protection

A. Each party agrees that, where applicable, in the performance of its respective obligations under the Agreement, it shall comply with the provisions of the relevant data privacy legislation, including but not limited to the Data Protection Act 1998 and General Data Protection Regulations 2016 (in this clause 1, referred to collectively as GDPR) to the extent it applies to each of them.  Where used in this clause 1, the expressions Processing, Personal Data, Processor and Supervisory Authority shall bear their respective meanings given in the GDPR.


B. The Supplier is acting as a Data Processor and the following provisions shall apply:

    1. The Processor undertakes that it shall process the Personal Data strictly in accordance with the terms of this Agreement, its direct obligations under the Regulations and the Company’s documented instructions from time to time;
    2. The Supplier shall where required by GDPR appoint a suitably qualified Data Protection Officer and at all times ensure that only such of its employees who may be required to assist it in meeting its obligations under this Agreement shall have access to the Personal Data. The Supplier shall ensure that all employees used by it to provide the Services have undertaken a commitment of confidentiality and undergone training in the law of data protection and in the care and handling of Personal Data;
    3. The Supplier shall, in a manner consistent with the requirements of the GDPR and with any guidance issued by the European Data Protection Board or relevant Supervisory Authority, implement appropriate technical and organisational measures to safeguard the Data from unauthorised or unlawful Processing or accidental loss, destruction or damage;
    4. Schedule 2 sets out those sub-processors that the Supplier will use in the service. The Supplier will not disclose Personal Data to, or appoint, another sub-processor without the prior written agreement of the Company. Where the Supplier wishes to so appoint another sub-processor, the Supplier shall do so in the following manner:
      1. the Supplier will notify the Company of their intention to appoint a sub-processor and permit the Company 10 working days in which to raise any objections;
      2. the Supplier and sub-processor shall contract on terms which are substantially similar to the ones set out in this clause 1, as applicable; and
      3. the grant of any approval by the Company under this clause 1 in respect of the appointment of any sub-processor shall not relieve the Supplier from any liability under this Agreement and the Supplier shall remain responsible for obligations, services and functions performed by any of its sub-processors to the same extent as if those obligations, services and functions were performed by the Supplier.
    5. The Supplier will make available to the Company all information necessary to demonstrate its compliance with the obligations laid down in this agreement including allowing its data processing facilities, procedures and documentation which relate to the processing of the Personal Data to be inspected (on reasonable written notice) by the Company or its appointed agents in order to ascertain compliance with the terms of the Agreement. 
    6. The Supplier or its sub-processor shall notify the Company immediately in the event that it receives a request, communication or notice from
      1. the Supervisory Authority in respect of the performance of its obligations under this agreement; or
      2. any Data Subject exercising his rights under the Regulation; and 
      3. shall co-operate and assist the Company promptly in meeting all requests;  
    7. The Supplier shall promptly carry out any request from the Company requiring the Supplier to amend, transfer or delete the Personal Data or any part of the Personal Data;
    8. The Supplier will assist the Company upon request in ensuring compliance with the obligations deriving from the carrying out of data protection impact assessments and from prior consultation of the supervisory authority;
    9. The Supplier shall provide to the Company, on request, a copy of the Personal Data in the format and on the media reasonably specified by the Company;  
    10. On expiry or termination, the Supplier shall immediately cease to process the Personal Data and shall arrange for its safe return or destruction as shall be agreed with the Company at the relevant time;
    11. the Supplier shall notify the Company immediately, or at the latest within 48 hours, where there has been an actual or suspected Personal Data loss, or other breach of this clause 1, or breach of any of the Regulations that apply directly to the Supplier, which relates directly or indirectly to the processing of the Company Personal Data under, or in connection with, this Agreement or which otherwise has the potential to cause reputational or regulatory damage to the Company (each a Security Breach). Following such notification, the Supplier shall:
      1. implement any measures necessary to restore the security and compliance of the compromised Personal Data; and
      2. support (including administrative and financial) the Company to make any required notifications to the Regulator and the affected Data Subjects;
    12. If any Personal Data in the possession or control of the Supplier becomes lost, corrupted or rendered unusable for any reason, the Supplier shall promptly restore such Personal Data using its back up and/or disaster recovery procedures at no cost to the Company;
    13. the Supplier shall maintain a record, based on the information within schedule x of this agreement, of all categories of personal data, data subjects, purpose of the processing, recipients of the data and location of the data if processed outside the European Economic Area and make such records available to the Company or Supervisory Authority on request; 
    14. the Supplier shall not and will ensure that its sub-contractors shall not, under any circumstances transfer the Personal Data outside the European Economic Area unless such a transfer is made on terms compliant with GDPR;
    15. the Supplier shall fully indemnify and keep the Company indemnified against all claims, demands, actions, costs, expenses, losses and damages arising from or incurred by reason of any loss, damage or distress suffered by any person as a result of the loss, destruction or unauthorised disclosure of, or unauthorised access to, Personal Data by the Supplier or its personnel or as a result of any failure to comply with the provisions of this clause 1.

 

Contact Us

If you have any questions about these terms and conditions, please contact us:
