These Data Protection and Security Requirements are incorporated into and should be read in conjunction with the terms and conditions agreed between the Parties (the “Agreement”).
In these Data Protection and Security Requirements: (i) “LT” means the LevelTech company, or any LevelTech Group Company that is a party to the Agreement; (ii) “Partner” means the NGB, or other company or organisation that is also a party to the Agreement; and (iii) “Party” or “Parties” means either one or both of them.
Other capitalised words or phrases used in these Data Protection and Security Requirements shall have the meanings set out in the Glossary of Terms Section below.
The Parties recognise they are processing personal data in connection with the performance of their obligations under the Agreement and that the factual arrangement between them dictates the role of each Party (as to controller or processor) in respect of the Data Protection Legislation.
Unless the factual arrangement between us is otherwise challenged or determined by a Regulator or other lawful court order with relevant jurisdiction, the Parties agree that LT and Partner shall be independent data controllers. Each Party may also utilise processors or sub-processors who may assist them in the processing of personal data, for which they are respective data controllers.
Each Party must comply with its respective obligations under the Data Protection Legislation and shall not by any act or omission cause the other Party to be in breach of the Data Protection Legislation.
Each Party must process any personal data:
Unless a Party has otherwise given its consent in writing, a Party must not use the personal data of the other Party to undertake any unrelated sales or marketing activity not expressly agreed between the Parties. Sales and marketing activity means any direct and indirect marketing of any kind including promotional emails, outbound telephone calls, mail, SMS messages and any digital or social media to advertise to, or communicate directly with data subjects.
Each Party must not process or use any personal data to enhance or enrich any other data or database (including any customer or marketing databases) unless:
The following requirements apply to the extent a Party is acting as a controller of personal data provided to it by the other Party:
Each Party must provide to the other such assistance and information regarding its processing activities as the other may reasonably require in order to comply with any requests from a Regulator or for it to provide transparency to data subjects in respect of the transfer and use of the other Party’s personal data and otherwise comply with its obligations under the Data Protection Legislation.
Each Party is responsible for providing the necessary information required to be provided to data subjects in accordance with the Data Protection Legislation in respect of its processing of any personal data provided to it by the other Party.
Each Party agrees that nothing contained in its privacy/processing notice or other transparency information provided to data subjects shall permit the other Party to use the personal data other than in strict accordance with these Data Protection and Security Requirements.
Legal Basis of Processing
Each Party must have and be able to evidence a valid lawful basis for each processing activity in compliance with the Data Protection Legislation. If consent of the data subject is the lawful basis relied upon, each Party is responsible for obtaining adequate consent of the data subjects for its own processing activities and transferring that data to the other Party accordingly.
Each Party must promptly and properly respond to and, as appropriate, comply with any requests it receives from data subjects regarding the exercise of any of their rights pursuant to Data Protection Legislation.
If the Party in receipt of a data subject request is not the appropriate Party to respond to the data subject, that Party shall without undue delay refer the data subject request to the other Party, setting out reasons why it is not able to adequately comply with the request. Where the assistance of the other Party is required to respond to any data subject request, that Party shall promptly and at its own cost provide such assistance as is reasonably requested.
International Data Transfers
The Parties shall ensure any transfers of personal data to territories outside of the EEA or which are not subject to an Adequacy Decision (“Permitted Territory”) shall be undertaken with the appropriate international data transfer mechanism in place (e.g. Standard Contractual Clauses, Safe Harbor, or any of their successors). The Parties shall also ensure any processors or sub-processors engaged by them relating to any transfers of personal data fulfil the requirements in the Processor/Sub-Processor section set out below.
The following requirements apply to the extent a Party engages a processor or sub-processor to process personal data provided to it by the other Party:
Such processor or sub-processor must promptly notify the Party in writing if in its reasonable opinion an instruction issued by such Party in respect of the transferred personal data is not compliant with Data Protection Legislation.
Other than processors or sub-processors notified to the other Party as specified in the Agreement and/or otherwise agreed in writing, a Party must not allow personal data transferred to it by the other Party to be processed by a third party for any purpose without the written approval of such Party.
Where such approval is provided, such Party must ensure that each processor or sub-processor processes such personal data in accordance with a written agreement that requires the processor or sub-processor to comply with terms which are no less onerous than those applicable to such Party under these Data Protection and Security Requirements (including audit rights to audit the relevant processor or sub-processor).
Such Party shall remain wholly responsible for any failure by any processor or sub-processor to process any personal data transferred to a Party in accordance with these Data Protection and Security Requirements and/or the Data Protection Legislation.
Each Party must ensure appropriate technical and organisational measures are in place to ensure compliance when responding to requests from data subjects under the Data Protection Legislation (in particular the right of access, rectification, erasure, objection, data portability and restriction of processing), when utilising a processor or sub-processor.
Data Subject Requests
Upon receipt of a request from a data subject that relates to personal data that has been transferred between the Parties, a Party shall ensure that any processor or sub-processor it utilises:
High Risk Processing
Any processor or sub-processor utilised by a Party must not process personal data transferred to it by the other Party (in particular by using any new technologies) in a manner which could, when taking into account the nature, scope, context and purpose of the processing to be carried out, result in a high risk for the rights and freedoms of individuals, unless such Party has:
Any processors or sub-processors utilised must assist the Party in ensuring its compliance with its obligations pursuant to Articles 32 to 36 of the GDPR, taking into account the nature of the processing and the information available to it, including completion of any impact assessment considered necessary by such Party in respect of the processing of such personal data.
Processors or sub-processors must maintain a record of processing activities undertaken on a Party’s behalf, which shall contain details of the categories of processing, the technical and organisational security measures in place for that processing and any transfers of personal data to a third country or international organisation (and the suitable safeguards in place). Such records shall be subject to the audit provisions at Section 6 (Audit & Access to Data) of these Data Protection and Security Requirements.
In the event a processor or sub-processor is contacted by any Regulator in respect of or due to any aspect of its performance of any of its obligations that relate to the processing of personal data transferred to it from the other Party, such processor or sub-processor shall undertake to promptly (and in any event within 48 hours) notify such Party of all details regarding the enquiry or investigation, unless prohibited from doing so by a Regulator or Statutory Requirement.
Except where a processor or sub-processor is explicitly mandated to do so by the Data Protection Legislation or a Regulator, it shall not make any disclosures, comments, statements or take any action other than as set out above in response to contact it has received from a Regulator without such Party’s prior written consent (such consent not to be unreasonably withheld or delayed).
Transfers Outside EEA
Processors or sub-processors utilised by a Party shall only transfer personal data provided to it by the other Party to territories within the EEA or which are subject to an Adequacy Decision (“Permitted Territory”) with the written prior approval of such Party, and shall provide the other Party with reasonable advance notice when undertaking such international transfers.
Where a Party consents to an international transfer outside of the Permitted Territories, the processor or sub-processor must ensure appropriate safeguards are in place in accordance with the Data Protection Legislation (which may include entering into Standard Contractual Clauses with such Party). If the Standard Contractual Clauses are no longer deemed adequate by a competent authority or the Data Protection Legislation the processor or sub-processor must as a matter of priority enter into an agreement approved pursuant to the Data Protection Legislation or take other measures as may reasonably be required.
If a processor has subcontracted any part of the processing of personal data transferred between the Parties, and such Party has consented to an international transfer to the sub-processor outside the Permitted Territories, the processor must ensure that each sub-processor enters into Standard Contractual Clauses with such Party before the sub-processor processes any personal data transferred to it by the other Party.
Each Party must maintain effective information security policies which comply with: (i) applicable Statutory Requirements; (ii) Good Industry Practice; and (iii) any professional or industry information security certifications that a Party may state they hold (e.g. ISO27001).
Roles and Responsibilities
Each Party must ensure it has a named individual(s) who is assigned responsibility and accountability for information security as a minimum for:
Personnel and Subcontractors
Each Party must ensure Personnel and Subcontractors:
Each Party is responsible for procuring that all Personnel and Subcontractors comply with these Data Protection and Security Requirements.
Assets and Media Handling
Each Party must ensure all assets (both physical and logical) are managed effectively to prevent Security Incidents. As a minimum this includes:
A Party must not hold any data transferred to it on any removable media (e.g. CD, USB memory stick) without ensuring all data held on the removable media is encrypted and handled in accordance with these Data Protection and Security Requirements.
Data Handling and Encryption
Each Party must maintain data classification and handling policies in accordance with Good Industry Practice that ensure the adequate protection of any data transferred to it by the other Party.
Each Party must ensure that all transferred data is encrypted in transit (including on removable media) using algorithms, strong key lengths (at least 256-bit) and proper key-management practices that meet Good Industry Practice and, as a minimum, the National Institute of Standards and Technology cryptographic standards set out here:
Encryption keys must never be stored in clear text.
Physical and Operational Security
Each Party must ensure appropriate technical and organisational measures are in place and take such precautions as are necessary to:
The technical and organisational measures a Party must have in place include as a minimum:
Monitoring, Review and Improvement
Each Party must:
Hosting and Development
If a Party, or any Personnel or Subcontractor on its behalf, performs any coding, development, programming and/or hosting of any code, software, applications, APIs and/or websites transmitting or processing the transferred data, such Party must:
If a Party, or any of its Subcontractors, processes, transmits or stores customers’ payment card data for the purposes of the Agreement, such Party must comply with the relevant Payment Card Industry Security Standards Council’s then current standards, including (as appropriate) PCI DSS, PA DSS, PCI PTS Security Requirements and PCI Card Security Requirements (together the “PCI Standards”). Such Party must also comply with any specific requirements of any card issuer regarding payment card data. Each Party must without undue delay notify the other Party when it becomes aware of any non-minor breach by it or any Subcontractor of the PCI Standards which are relevant to the provision of such Party’s obligations under the Agreement. On request, a Party will (if relevant) promptly evidence its compliance with the PCI Standards by submitting to the other Party a copy of its Attestation of Compliance (AoC) which is applicable to its obligations under the Agreement. This must meet the requirements and governance set by the PCI Security Standards Council.
Security Incident Management
Each Party must maintain robust controls to ensure the proper notification and handling of Security Incidents to ensure they are notified to the other Party without undue delay and timely corrective action can be undertaken to mitigate the impact and resolve the Security Incident.
On occurrence of a Security Incident, a Party must without any undue delay, and in any event within 24 hours:
Partner through the contact details provided to LT for such purposes;
Each Party must also comply with the Investigation and Mitigation requirements in the sub-section below and regularly (and upon the other Party’s reasonable request) update the other Party by telephone or e-mail regarding the Security Incident, providing details of:
A Party must not issue any communication to any Regulator or data subject regarding the Security Incident without the other Party’s prior approval (not to be unreasonably withheld or delayed), unless explicitly mandated to do so by a Regulator or Statutory Requirement.
Each Party must provide reasonable cooperation and assistance and such information as the other Party may require regarding the Security Incident which may include assisting such Party to notify the Regulator or affected data subjects in accordance with Data Protection Legislation.
Investigation and Mitigation
Each Party, in addition to notifying a Security Incident to the other Party, shall proactively and without delay:
In the event a Party’s System is in any way threatened or compromised by a Security Incident or any data transferred to the other Party is corrupted, lost or degraded on their System as a result of a Security Incident caused by such Party, that Party:
If a Security Incident impacts customers or adversely affects the reputation of a Party, that Party may without the approval of the other Party issue a factual statement to address the issues raised by the Security Incident and that names the other Party and its relevant Subcontractors and take such other steps as may be required to protect its name and reputation.
In the event a Security Incident is or reasonably should be considered to be a BCDR Event, a Party must comply with the Business Continuity Section below.
Throughout the term of the Agreement each Party must maintain a BCDR Plan in accordance with Good Industry Practice which ensures in the event of a BCDR Event the effective recovery and continuity of its obligations under the Agreement (including meeting any agreed recovery time objective (RTO) or recovery point objective (RPO) targets or service levels).
A Party must test its BCDR Plan on a regular basis (and in any event no less than once every twelve months). Testing may be performed separately on the constituent parts of the BCDR Plan rather than in full, provided all constituent parts are separately tested during a 12-month period.
A Party must promptly notify the other Party following the completion of any test of the BCDR Plan where such test reveals any weakness, flaw or fault, including full details of the root cause of the same and any remedial measures to be undertaken by such Party.
A Party must notify the other Party by telephone and email immediately upon becoming aware of the occurrence of a BCDR Event. If the BCDR Event poses a real and major risk to the other Party’s business, it will invoke the BCDR Plan provided the other Party is notified of the invocation with full details of the steps taken as soon as possible.
Despite invocation of the BCDR Plan, a Party must use all reasonable endeavours to continue to perform its obligations under the Agreement and keep the other Party regularly updated of the progress of the resolution of the BCDR Event.
Neither a Party nor any of its Personnel or Subcontractors may access or attempt to gain access to the other Party’s System (whether remotely or otherwise) without such Party’s prior authorisation.
If a Party grants the other Party or any Personnel or Subcontractor any access to its System, such Party must (and must ensure that all Personnel and Subcontractors):
Withdrawal of Access
A Party may remove or prohibit remote or system access or may impose additional requirements they deem reasonably necessary to ensure appropriate security regarding the other Party’s system access at any time without notice.
A Party must allow for and contribute to audits and inspections conducted by the other Party, a Regulator or otherwise by any third party acting on a Party’s behalf. Any audits carried out in accordance with this Section (Audit and Access to Data) will be subject to the audit provisions as may be set out in the Agreement.
Access to Data
A Party must ensure that all data provided to it under the terms of the Agreement is made available to the other Party on demand. Such Party acknowledges that no restrictions apply to the number of demands a Party or any Auditor(s) may make to access or receive data.
Notification of Compliance
Promptly following receipt of written notice, a Party shall provide the other Party with information necessary to demonstrate its compliance with its obligations set out in these Data Protection and Security Requirements.
Expiry or Termination
Except as otherwise agreed between the Parties, within 30 days of expiry or termination of the Agreement (or such other time agreed by the Parties) and at any other time when reasonably requested to do so by a Party, the other Party must, at such Party’s option:
A Party shall be entitled to retain the other Party’s data where it is explicitly mandated by Statutory Requirement, provided such Party has anonymised or deleted any of the transferred data to the maximum extent possible. Where a Party has retained transferred data as described above, the other Party shall continue to be a controller of that retained personal data but its obligations in accordance with these Data Protection and Security Requirements shall continue to apply for as long as it continues to process that personal data.
Adequacy Decision
a decision of the European Commission, the UK Government or supervisory authority, or of any other relevant country, that the laws of a country ensure an adequate level of protection or any other decision or position adopted to govern the international transfer of personal data;
BCDR Event
an event which causes or is reasonably likely to cause a disruption to performance of a Party’s obligations under the Agreement to such an extent that it would be reasonably prudent to invoke the BCDR Plan;
BCDR Plan
the business continuity and disaster recovery plan that is prepared, tested and invoked in accordance with these Data Protection and Security Requirements;
controller, personal data breach, processor, processing, personal data and data subject
have the meanings in the Data Protection Legislation;
Data Protection Legislation
together: (a) Regulation (EU) 2016/679 (“GDPR”) as amended to be adapted into UK law (where applicable); (b) the Data Protection Act 2018 (“DPA 2018”); (c) any regulations made under the DPA 2018; (d) the Privacy and Electronic Communications (EC Directive) Regulations 2003 (as amended); (e) any regulations made under section 2(2) of the European Communities Act 1972 which relate to the GDPR or Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 (Law Enforcement Directive); (f) any mandatory guidance and codes of practice issued by the Information Commissioner or any other supervisory authority; and any applicable data protection legislation that may apply from a relevant legal jurisdiction, as applies to the Parties under the Agreement;
Good Industry Practice
the exercise of skill, care, prudence, efficiency, foresight and timeliness which would reasonably be expected from a leading and expert supplier in their industry;
means any subsidiaries, holding companies and subsidiaries of such holding companies from time to time (as such terms are defined in s1159 of the Companies Act 2006);
Personnel
all employees, staff, workers, agents and consultants employed by a Party or its Subcontractors;
Regulator
the Information Commissioner’s Office (or any successor) and any other governmental or supervisory authority of a Party’s business, whether in the UK or any other relevant jurisdiction;
Security Incident
any unlawful, unauthorised access to or misuse of a Party’s System which: (a) has or may reasonably be expected to have an adverse impact on the other Party’s System; (b) causes the loss, degradation or unauthorised disclosure of any personal data transferred to the other Party; and/or (c) results in a personal data breach in respect of transferred personal data;
Standard Contractual Clauses
the standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC as may be amended or superseded;
Statutory Requirement
any law, legislation, bye law, regulation, order, regulatory policy (including any requirement, guidance, order, demand or notice of any Regulator or recognised stock exchange) or mandatory industry code of practice, rule of court or directives, delegated or subordinate legislation in force;
Subcontractor
any subcontractor or third-party supplier engaged by a Party in connection with the Agreement;
System
the computing environment and infrastructure consisting of hardware, software, devices, end points, network components (including servers) and protocols (including any third-party data centres and cloud infrastructure);
Threat
any real or perceived security threat, danger or circumstance (whether intentional or accidental) that could or does result in risk or harm to data on a Party’s System (including any virus, malicious software, program or code); and
a physical, system or software security weakness or gap that could be exploited by a Threat.