DATA PROCESSING TERMS (Verifying Retailer as Data Processor)

Approved Countries | means the United Kingdom; countries in the European Economic Area; countries that the European Union has approved as having an adequate level of data protection;
Business Days | means any day other than a Saturday or Sunday or public holiday in England;
Complaint | means a complaint or request relating to either party’s obligations under Data Protection Legislation to the extent that it is relevant to these Data Processing Terms including, without limitation, any compensation claim from a Data Subject or any notice, investigation or other action from a Supervisory Authority;
Data Protection Legislation | means all applicable data protection and privacy legislation in force from time to time in the UK including the EU GDPR; the UK GDPR; the Data Protection Act 2018; the Privacy and Electronic Communications Directive 2002/58/EC (as updated by Directive 2009/136/EC) and the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426) as amended. Controller (or Data Controller), Processor (or Data Processor), Sub-Processor, Data Subject, Personal Data, Personal Data Breach, Processing and Appropriate Technical Measures shall each be as defined in the Data Protection Legislation;
Data Subject Request | means a request made by a Data Subject to exercise any rights of the Data Subject under the Data Protection Legislation;
EU GDPR | means the General Data Protection Regulation ((EU) 2016/679);
Personnel | means any person who is directly or indirectly employed or engaged by the Verifying Retailer or its or their sub-contractors or agents to perform services under the Agreement;
Provenance Material | has the meaning given to it in Appendix 2 (Services Descriptions) of the Agreement;
Supervisory Authority | means any local, national or multinational agency, department, official, parliament, public or statutory person or any government or professional body, regulatory or supervisory authority, board or other body responsible for administering Data Protection Legislation;
UK GDPR | means the General Data Protection Regulation as enacted into UK law by the European Union (Withdrawal) Act 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments Etc) (EU Exit) Regulations 2019;
Verifying Retailer | has the meaning given to it in Appendix 2 (Services Descriptions) of the Agreement.
1.1. The Parties agree that, in connection with the performance of their obligations under the Agreement, they shall comply with all applicable requirements of the Data Protection Legislation.
1.2. The Parties agree that, for the processing of the personal data collected by the Verifying Retailer on Manheim’s behalf (including the Provenance Material), the Verifying Retailer shall be the Data Processor and Manheim shall be the Data Controller.
1.3. The Verifying Retailer shall, unless required to do otherwise by any applicable law, process the Personal Data only on and in accordance with Manheim’s documented instructions (‘Processing Instructions’). The Processing Instructions are detailed in Appendix 2 of this Agreement (Service Descriptions).
2. Verifying Retailer obligations
2.1. If any applicable law requires the Verifying Retailer to process Personal Data other than in accordance with the Processing Instructions, it shall notify Manheim of any such requirement before processing the Personal Data. The Verifying Retailer will not process the Personal Data in a way that does not comply with Data Protection Legislation and shall notify Manheim if, in its opinion, the Processing Instructions would not comply with Data Protection Legislation.
2.2. The Verifying Retailer shall assist Manheim in the fulfilment of Manheim’s obligations to respond to Data Subject Requests relating to Personal Data.
2.3. The Verifying Retailer shall in relation to the Personal Data:
2.3.1. immediately record and then refer all Data Subject Requests it receives to Manheim within three Business Days of receipt of the request;
2.3.2. provide such information and cooperation and take such action as Manheim requests in relation to a Data Subject Request, within any timescale reasonably required by Manheim; and
2.3.3. not respond to any Data Subject Request or Complaint without Manheim’s prior written approval.
2.4. The Verifying Retailer shall provide such information, co-operation and other assistance as Manheim requires (considering the nature of processing and the information available to the Verifying Retailer) to ensure compliance with Manheim’s obligations under Data Protection Legislation, including with respect to:
2.4.1. security of processing of Personal Data;
2.4.2. data protection impact assessments (as such term is defined in Data Protection Legislation) that relate to Personal Data;
2.4.3. prior consultation with a Supervisory Authority regarding high risk processing of Personal Data; and
2.4.4. any remedial action and/or notifications in relation to Personal Data to be taken in response to any Personal Data Breach and/or Complaint, including (subject in each case to Manheim’s prior written authorisation) regarding any notification of the Personal Data Breach to Supervisory Authorities and/or communication to any affected Data Subjects.
3. Technical and Organisational Measures
3.1. The Verifying Retailer shall implement and maintain appropriate technical and organisational measures in relation to the processing of Personal Data by the Verifying Retailer such that the processing will meet the requirements of Data Protection Legislation and ensure the protection of the rights of Data Subjects, so as to ensure a level of security in respect of Personal Data processed by it that is appropriate to the risks presented by the processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data transmitted, stored or otherwise processed.
3.2. The Verifying Retailer shall ensure that all staff entrusted to handle Personal Data are appropriately trained and have committed themselves to a contractual or legal duty of confidentiality in respect of the Personal Data.
4. Cross-border Transfers of Personal Data and Sub-Processing
4.2. If consent is given under clause 4.1, the Verifying Retailer will only process or transfer any Personal Data outside the Approved Countries under the following conditions:
4.2.1. the Verifying Retailer is processing the Personal Data in a territory which is subject to a current finding by the European Commission, for Personal Data subject to the EU GDPR, or a current finding by the UK government, for Personal Data subject to the UK GDPR, that the territory provides adequate protection for the privacy rights of individuals, and such processing shall be subject to clause 4 of this Appendix 4; or
4.2.2. the Verifying Retailer participates in a valid cross-border transfer mechanism under the Data Protection Legislation, so that the Verifying Retailer can ensure that the appropriate safeguards are in place to ensure an adequate level of protection with respect to the privacy rights of individuals; or
4.2.3. the transfer of any Personal Data otherwise complies with the Data Protection Legislation for the reasons set out in this Appendix 4 or Appendix 1.
4.3. The Verifying Retailer may not appoint a third-party processor of Personal Data under the Agreement without Manheim’s prior written consent, which shall not be unreasonably withheld.
4.4.1. the name and contact details of the Data Processors;
4.4.2. the categories of processing carried out by the relevant Data Processor;
4.4.3. details of any transfers of Personal Data outside of the Approved Countries; and
4.4.4. a general description of the technical and organisational security measures implemented by the Verifying Retailer as required under the Data Protection Legislation.
5. Breach notification
5.1. In respect of any Personal Data Breach, the Verifying Retailer shall:
5.1.1. notify Manheim of the Personal Data Breach without undue delay (and always within 1 Business Day after becoming aware of the Personal Data Breach); and
5.1.2. provide Manheim without undue delay (wherever possible, no later than 48 hours after becoming aware of the Personal Data Breach) with such details as Manheim reasonably requires regarding:
5.1.2.1. the nature of the Personal Data Breach, including the categories and approximate numbers of Data Subjects and Personal Data types and records concerned;
5.1.2.2. any investigations into such Personal Data Breach;
5.1.2.3. the likely consequences of the Personal Data Breach; and
5.1.2.4. any measures taken, or that the Verifying Retailer recommends, to address the Personal Data Breach, including to mitigate its possible adverse effects,
provided that (without prejudice to the above obligations), if the Verifying Retailer cannot provide all these details within such time frames, it shall (in the same timeframe) provide Manheim with reasons for the delay and when it expects to be able to provide the relevant details (which may be phased) and give Manheim regular updates on these matters.
5.2. The Verifying Retailer shall promptly (and in any event within two Business Days) inform Manheim if it receives a Complaint and provide Manheim with full written details of such Complaint.
6. End of Contract Provisions
6.1. The Verifying Retailer will, upon termination of the Agreement, delete or return (at Manheim’s choice) all the Personal Data processed on behalf of Manheim.
7. Audits & Inspections
7.1. The Verifying Retailer will allow for and contribute to audits undertaken by Manheim or Manheim’s appointed representative. Such audits shall be limited to a review of documentation reasonably required by Manheim to demonstrate the Verifying Retailer’s compliance with the obligations under this Appendix 4.