DATA PROCESSING TERMS (Manheim Limited as Data Processor)
Approved Countries | means the United Kingdom; countries in the European Economic Area; countries that the European Union has approved as having an adequate level of data protection;
Business Days | means any day other than a Saturday or Sunday or public holiday in England;
Company | has the meaning given to it in the Schedule;
Complaint | means a complaint or request relating to either party’s obligations under Data Protection Legislation to the extent that it is relevant to these Data Processing Terms including, without limitation, any compensation claim from a Data Subject or any notice, investigation or other action from a Supervisory Authority;
Consumer | has the meaning given to it in Appendix 1 (eVA Services Terms and Conditions);
Data Protection Legislation | means all applicable data protection and privacy legislation in force from time to time in the UK including the EU GDPR; UK GDPR; the Data Protection Act 2018; the Privacy and Electronic Communications Directive 2002/58/EC (as updated by Directive 2009/136/EC) and the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426) as amended. Controller (or Data Controller), Processor (or Data Processor), Sub-Processor, Data Subject, Personal Data, Personal Data Breach, Processing and Appropriate Technical Measures shall each be as defined in the Data Protection Legislation;
Data Subject Request | means a request made by a Data Subject to exercise any rights of the Data Subject under the Data Protection Legislation;
EU GDPR | means the General Data Protection Regulation ((EU) 2016/679);
SCCs | means the European Commission’s Standard Contractual Clauses, also approved by the UK government, for the transfer of Personal Data from the European Union or the UK to processors established in third countries (controller-to-processor transfer), as set out in the Annex to Commission Decision 2010/87/EU;
Supervisory Authority | means any local, national or multinational agency, department, official, parliament, public or statutory person or any government or professional body, regulatory or supervisory authority, board or other body responsible for administering Data Protection Legislation;
UK GDPR | means the General Data Protection Regulation as enacted into UK law by the European Union (Withdrawal) Act 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments Etc) (EU Exit) Regulations 2019;
Vehicle | has the meaning given to it in Appendix 1 (eVA Services Terms and Conditions);
WebApp | has the meaning given to it in Appendix 1 (eVA Services Terms and Conditions).
1.1. The Parties agree that, in connection with the performance of their
obligations under the Agreement, they shall comply with all applicable
requirements of the Data Protection Legislation.
1.3. The parties agree that, for the
processing of the Personal Data referred to in clause 1.2, the Company shall be the Data
Controller and Manheim shall be the Data Processor. Manheim shall, unless required to do
otherwise by any applicable law, process the Personal Data only on and in
accordance with the Company’s documented instructions set out in clause 1.2
(‘Processing Instructions’).
2. Manheim’s Obligations
2.1. If any applicable law requires Manheim
to process Personal Data other than in accordance with the Processing
Instructions, it shall notify the Company of any such requirement before
processing the Personal Data. Manheim will not process the Personal Data in a
way that does not comply with the Data Protection Legislation and shall notify
the Company if, in its opinion, the Processing Instructions would not comply
with the Data Protection Legislation.
2.2. Subject to the Company paying Manheim’s
reasonable charges, Manheim shall assist the Company in the fulfilment of the Company’s
obligations to respond to Data Subject Requests relating to Personal Data.
2.3. Manheim shall in relation to the Personal Data:
2.3.1. refer all Data Subject Requests it receives to the Company within three Business Days of receipt of the request;
2.3.2. subject to the Company paying Manheim’s reasonable charges, provide such information and cooperation and take such action as the Company reasonably requests in relation to a Data Subject Request, within any timescale reasonably required by the Company; and
2.3.3. not respond to any Data Subject Request or Complaint without the Company’s prior written approval.
2.4. Manheim shall, subject to the Company paying Manheim’s reasonable costs, provide such information, co-operation and other assistance that the Company requires (considering the nature of processing and the information available to Manheim) to ensure compliance with the Company’s obligations under Data Protection Legislation, specifically with respect to:
2.4.1. security of processing of Personal Data;
2.4.2. data protection impact assessments (as such term is defined in Data Protection Legislation) that relate to Personal Data;
2.4.3. prior consultation with a Supervisory Authority regarding high risk processing of Personal Data; and
2.4.4. any remedial action and/or notifications in relation to Personal Data to be taken in response to any Personal Data Breach and/or Complaint, including (subject in each case to the Company’s prior written authorisation) regarding any notification of the Personal Data Breach to Supervisory Authorities and/or communication to any affected Data Subjects.
3. Technical and Organisational Measures
3.1. Manheim shall implement and maintain appropriate technical and organisational measures in relation to the processing of Personal Data by Manheim such that the processing will meet the requirements of Data Protection Legislation and ensure the protection of the rights of Data Subjects, and so as to ensure a level of security in respect of Personal Data processed by it that is appropriate to the risks presented by the processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data transmitted, stored or otherwise processed.
3.2. Manheim shall ensure that all staff entrusted to handle Personal Data are appropriately trained and have committed themselves to a contractual or legal duty of confidentiality in respect of the Personal Data.
4. Cross-border Transfers of Personal Data and Sub-Processing
4.1. Subject to clause 4.2, Manheim shall be authorised by the Company to transfer Personal Data outside of the Approved Countries.
4.2. Manheim will process or transfer any Personal Data outside the Approved Countries under the following conditions:
4.2.1. Manheim is processing the Personal Data in a territory which is subject to a current finding by the European Commission, for Personal Data subject to the EU GDPR, or a current finding by the UK government, for Personal Data subject to the UK GDPR, that the territory provides adequate protection for the privacy rights of individuals, and such processing shall be subject to clause 4.4 of this Appendix 3; or
4.2.2. Manheim participates in a valid cross-border transfer mechanism under the Data Protection Legislation, so that Manheim and, where appropriate, the Company can ensure that the appropriate safeguards are in place to ensure an adequate level of protection with respect to the privacy rights of individuals; or
4.2.3. the transfer of any Personal Data otherwise complies with the Data Protection Legislation for the reasons set out in this Appendix 3 or Appendix 1.
4.3. Manheim shall be generally authorised to appoint and use Sub-Processors under the Agreement. Manheim shall maintain a list of Sub-Processors currently in use on its website at https://evavaluations.com/services-terms-and-conditions/. The Company shall have a period of 30 days from the point at which any changes are made to the website to object, on reasonable grounds, to any change in the use of Sub-Processors. If no objection is received within 30 days but the Company has continued to use Manheim’s products and services, the changes shall be deemed as accepted.
4.4.1. the name and contact details of the Data Processors;
4.4.2. the categories of processing carried out by the relevant Data Processor;
4.4.3. details of any transfers of Personal Data outside of the Approved Countries; and
4.4.4. a general description of the technical and organisational security measures implemented by Manheim as required under the Data Protection Legislation.
4.5. If any Personal Data transfer between the Company and Manheim requires execution of SCCs to comply with Data Protection Legislation, then the Company authorises Manheim to enter into the relevant SCCs with any Sub-Processor in the Company’s name and on its behalf. In such circumstances, Manheim will provide to the Company a copy of the applicable SCCs for approval before they are signed and, once signed, the executed copy of the SCCs.
5. Breach notification
5.1. In respect of any Personal Data Breach, Manheim shall:
5.1.1. notify the Company of the Personal Data Breach without undue delay; and
5.1.2. provide the Company without undue delay with such details as the Company reasonably requires regarding:
5.1.2.1. the nature of the Personal Data Breach, including the categories and approximate numbers of Data Subjects and Personal Data records concerned;
5.1.2.2. any investigations into such Personal Data Breach;
5.1.2.3. the likely consequences of the Personal Data Breach; and
5.1.2.4. any measures taken, or that Manheim recommends, to address the Personal Data Breach, including to mitigate its possible adverse effects,
provided that (without prejudice to the above obligations) if Manheim cannot provide all these details within such timeframes, it shall (in the same timeframe) provide the Company with reasons for the delay and when it expects to be able to provide the relevant details (which may be phased), and give the Company regular updates on these matters.
5.2. Manheim shall promptly (and in any event within two Business Days) inform the Company if it receives a Complaint and provide the Company with full written details of such Complaint.
6. End of Contract Provisions
6.1. Manheim will, upon termination
of the Agreement, delete or return (at the Company’s choice) all the Personal
Data processed on behalf of the Company. If no notification to either effect is
received from the Company within 30 days of the termination of the Agreement
then the Personal Data will be deleted.
7. Audits & Inspections
7.1. Manheim will allow for and contribute to audits undertaken by the Company or the Company’s appointed representative. Such audits shall be limited to a review of documentation reasonably required by the Company to demonstrate Manheim’s compliance with the obligations under this Appendix 3. The Company must give a minimum notice of 10 Business Days, in writing, before such an audit can take place.