Data Protection and Confidentiality
1. Adapt (UK) Training Services Limited, in the management of its business, observes and complies with all applicable legal obligations, including those relating to data protection and confidentiality of information, and the same level of legal compliance is encouraged and expected of our employees, contractors and agents.
2. The terms ‘controller’, ‘data subject’, ‘processor’, ‘personal data’, ‘personal data breach’ and ‘processing’ shall have the meanings given to them in the EC General Data Protection Regulation ((EU) 2016/679) (the “GDPR”).
3. The parties acknowledge that in complying with their obligations and enjoying their rights contained in these terms and conditions they may (dependent upon the circumstances) act as a controller, processor, or a joint controller (under GDPR regulation 26) and references to those terms and their application to a party shall be circumstance dependent.
4. In respect of any personal data held or processed by either party as a result of or pursuant to these terms and conditions:
a) each party warrants to the other that it has made all necessary registrations and notifications of its particulars in accordance with applicable data protection or privacy laws of the EU, including GDPR, or any other country (collectively, “Data Protection Laws”) and any regulations made thereunder and will ensure that such registrations and notifications are kept accurate and up to date and supply on request to the other a copy of such registrations and notifications, together with any amended particulars that may be filed from time to time; and
b) each party shall at all times comply with the Data Protection Laws and any regulations made thereunder as are applicable to them and their obligations pursuant to these terms and conditions.
5. The parties acknowledge that the GDPR is expected to enter into force on 25 May 2018 (“GDPR Date”). The parties agree to co-operate in good faith to ensure that any processing of personal data by them under or in connection with these terms and conditions shall comply with the GDPR. Such co-operation may include, without limitation, the implementation of technical and organisational measures, and the variation of this Agreement.
6. In respect of processing of applications:
a) the subject matter is the provision of training by ourselves as the Training Providers/Instructors and the evaluation by accrediting bodies of applications by operators to their card/certificate accreditation scheme;
b) the duration is 7 years;
c) the nature and purpose of the processing is:
d) the type of personal data subject to processing is that set out in the course application paperwork, test paperwork and operator registration documents;
e) the categories of data subjects whose personal data is subject to processing are operators and their employers.
7. In addition to and notwithstanding any other right or obligation arising under these terms and conditions each party shall (and shall ensure that its staff and contractors shall):
a) taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk to the rights and freedoms of natural persons, implement all appropriate technical and organisational measures necessary or desirable to ensure that personal data is protected against loss, destruction and damage, and against unauthorised access, use, modification, disclosure or other misuse and to ensure protection of the rights of data subjects in accordance with Data Protection Laws;
b) take all reasonable steps to ensure the reliability and trustworthiness of staff which will have access to any personal data;
c) assist the other in ensuring compliance with its obligations pursuant to Articles 32 to 36 of GDPR, taking into account the nature of processing and the information available to the relevant party and any other processors;
d) comply with Article 26 of the GDPR;
e) process the personal data obtained from the other strictly only for the purposes of fulfilling its obligations under these terms and conditions;
f) ensure that it has in place all necessary notices and consents to enable lawful transfer of personal data to the other party;
g) to the extent that the relevant party is acting as a processor comply with the express instructions or directions of the controller in connection with the processing of such personal data and the requirements of any Data Protection Laws and specifically not otherwise modify, amend, combine with other personal data or alter the contents of the personal data or disclose or permit the disclosure of any of the personal data to any third party (including the data subject) unless specifically authorised in writing by the controller or required to do so under Data Protection Laws (in such case the processor shall inform the controller of that legal requirement before processing, unless prohibited from doing so on grounds of public interest);
h) promptly comply with any request from the controller requiring the processor to amend, transfer or delete the personal data; and without prejudice to the above, the processor shall, at the controller’s direction, return or delete all personal data immediately upon the suspension or termination of the accreditation, unless Data Protection Laws require ongoing storage of such data;
i) consider all suggestions made by the other to ensure that the level of protection provided for personal data is in accordance with these terms and conditions and to make the changes suggested unless they can prove to the other’s reasonable satisfaction that they are not necessary or desirable to ensure ongoing compliance with these terms and conditions;
j) not disclose personal data without the controller’s prior written authority;
k) not do or omit to do anything which causes the other to breach any Data Protection Laws or contravene the terms of any registration, notification or authorisation under any Data Protection Laws;
l) take all reasonable steps to ensure the reliability of any of their personnel who have access to the personal data;
m) ensure that only those of their personnel who need to have access to the personal data are granted access to it and only for the purposes of the performance of these terms and conditions and ensure that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality;
n) not transfer personal data which has been obtained by or made available to it to any country outside the European Economic Area without the prior written consent of the other, such consent may be subject to and given on such terms as the other may in its reasonable discretion prescribe.
In the event that the other party consents to the transfer of Personal Data outside the European Economic Area, the parties shall enter into a further agreement taking a form substantially in accordance with any applicable model clauses relating to the transfer of personal data outside the EU in order to ensure that the personal data is processed in accordance with the Data Protection Laws;
o) not engage another processor without the prior written authorisation of the controller. The processor shall notify the controller of any intended changes concerning the addition or replacement of other processors. If, within fifteen (15) days of receipt of such notice, the controller notifies the processor in writing of any objections (on reasonable grounds) to the proposed appointment of another processor, the processor shall not appoint the proposed processor until reasonable steps have been taken to address the objections raised by the controller and the controller has been provided with a reasonable written explanation of the steps taken;
p) where engaging another processor for carrying out processing activities on behalf of the controller, ensure the same data protection obligations as set out in these terms and conditions shall be imposed on that other processor and shall remain fully liable to the controller for the performance of that other processor’s obligations;
q) make available to the other, at the other’s expense, all information reasonably necessary to demonstrate compliance with Data Protection Laws and allow for and contribute to audits, including inspections, conducted by the other or another auditor mandated by the other after reasonable notice.
8. Each party will (and will ensure that its staff will) immediately notify the other if it:
a) becomes aware that a disclosure of personal data may be required by law;
b) receives a request from an individual to access their personal data or to cease or not begin processing, or to rectify, block, erase or destroy personal data. The parties will cooperate in promptly investigating and dealing with such request in order to ensure that the individual’s rights under the Data Protection Laws are satisfied and each party shall assist the other by implementing appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the relevant party’s obligation to respond to such requests;