GDPR Data Sharing Terms (Third Parties)
- DEFINITIONS
- "Data Protection Laws" means all applicable laws, rules and regulations applicable from time to time relating to data protection, privacy and/or the processing of data relating to identified or identifiable individuals from time to time, including the UK Data Protection Act 1998, the GDPR (with effect from the date that it takes effect) and any laws and regulations that implement, supplement or amend the GDPR.
- "GDPR" means the General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016.
- "NYK" means the NYK Group entity with which the Supplier is contracting.
- "NYK Affiliate" means an entity that owns or controls, is owned or controlled by or is under common control or ownership with NYK from time to time, where control is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract or otherwise.
- "NYK Group" means Nippon Yusen Kabushiki Kaisha and each NYK Affiliate from time to time.
- "Data Processor" means any company or other body which processes Personal Data on behalf of NYK.
- "Data Subject" means the identified or identifiable living person to which Personal Data relates.
- "Personal Data" means any data which can be used to identify an individual, either on its own or together with other data. This term is very widely defined and could include simple login details, emails, website browsing histories, CCTV footage of an individual, HR records etc.; and "NYK Personal Data" means any Personal Data processed by or on behalf of the Supplier on behalf of any member of NYK Group from time to time and/or provided by NYK Group to the Supplier to enable the Supplier to provide goods/services and/or processed by or on behalf of the Supplier in the course of providing goods/services for NYK Group from time to time.
- "Model Clauses" means contractual clauses that have been approved for use by the relevant supervisory authorities under applicable Data Protection Laws to enable the lawful transfer of personal data to a country or organisation that would otherwise not be regarded as having adequate safeguards for personal data (which as at the date of these Terms include the controller to processor terms approved by Commission Decision C(2010)593).
- "Restricted Transfer" means the transfer of any NYK Personal Data to any country or organisation, where such transfer would be prohibited by Data Protection Laws (or the terms of data transfer agreements put in place to address data transfer restrictions in Data Protection Laws) in the absence of the use of Model Clauses.
- "Services" means any goods and/or services provided or to be provided and any other activities to be undertaken by the Supplier for NYK Group from time to time that may involve the processing of Personal Data.
- "Supplier" means the organisation engaged by NYK for the provision of goods and/or services which may involve the processing of personal data.
- "EEA" means the European Economic Area, which consists of the member states of the European Union, plus Norway, Iceland and Liechtenstein. If the UK leaves the EEA then it will still be treated as part of the EEA for the purposes of these Terms.
- "Terms" means these terms.
- The terms used in paragraph 1 (including the terms controller, processor, data subject, personal data, and related expressions) shall have the meanings given to them in the Data Protection Laws.
- PROCESSING OF NYK PERSONAL DATA
- The parties acknowledge that the Supplier may process NYK Personal Data from time to time. The Supplier shall only process NYK Personal Data for purposes authorised in writing by NYK from time to time and shall keep a record of all such processing.
- The Supplier shall comply with all applicable Data Protection Laws at all times when processing NYK Personal Data and shall not, by any act or omission, put NYK in breach of any Data Protection Laws.
- In addition to its obligations under paragraph 2.2, where the Supplier processes NYK Personal Data as a data processor on behalf of any member of NYK Group, the Supplier shall:
- only process the NYK Personal Data in accordance with NYK's written instructions from time to time, unless such processing is required by any law (other than contract law) to which the Supplier is subject, in which case, the Supplier shall (to the extent permitted by law) inform NYK of that legal requirement before carrying out the processing. The Supplier shall keep a written record of all such processing which shall include the information required to be kept under Article 30 of the GDPR. The Supplier shall notify NYK if it considers that NYK's instructions breach Data Protection Laws;
- take all appropriate technical and organisational measures to ensure a level of security for the NYK Personal Data which is appropriate to the risks to individuals that may result from the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to the NYK Personal Data. Without prejudice to the generality of the previous sentence, the Supplier shall:
- comply with such of NYK Group's standard IT and data security policies and procedures as NYK notifies to the Supplier in writing from time to time; and
- take and comply with all of the measures it has informed NYK that it will take to protect the NYK Personal Data and shall update them from time to time so that they continue to comply with good industry practice (and shall not make any changes that might result in a lesser degree of protection being afforded to any NYK Personal Data).
- If there is any conflict or inconsistency between any of these requirements, the requirement that provides the greater level of security shall apply;
- inform NYK immediately if at any time: (i) there is a breach or suspected breach of security in relation to any NYK Personal Data; (ii) any NYK Personal Data is or is suspected to be used, disclosed to or accessed by a third party except in accordance with these Terms; or (iii) any NYK Personal Data is lost, corrupted, destroyed or otherwise rendered unusable. This shall include providing a description of (and the approximate volume of) the NYK Personal Data and the data subjects affected, the nature of the breach, the likely consequences of the breach and the measures taken and/or proposed to be taken to address the breach. The Supplier shall, at its own cost, immediately take such actions as NYK shall require to remedy the breach and to avoid (or where that is not possible to minimise) potential loss, damage or distress to affected individuals. The Supplier shall also reimburse NYK for all legal and other costs incurred in connection with such breach or suspected breach and any associated remedial action (including without limitation any costs associated with the investigation of the issue, notifications to affected individuals, the Office of the Information Commissioner and other supervisory bodies, provision of fraud/identity theft prevention services to affected individuals and any other activities undertaken to remedy or minimise the impact of the breach);
- not engage or authorise (and shall ensure that no sub-processor of any tier engages or authorises) a sub-processor or any other third party (other than the Supplier's own staff) to process the NYK Personal Data unless:
- it has obtained prior written consent from NYK (which may be granted or withheld in its sole discretion); and
- the proposed sub-contractor has either entered into a direct contract with NYK or a contract with the Supplier incorporating provisions equivalent to those in this Agreement relating to confidentiality, data protection and security (including this paragraph 1). For the avoidance of doubt, the Supplier shall remain liable for the acts and omissions of its sub-contractors as if they were the Supplier's own;
- not make or permit any Restricted Transfer of any NYK Personal Data to be made without NYK's prior written consent and subject to the implementation of such measures and the conclusion of all necessary contracts (including Model Clauses) as are required to enable NYK Group to comply with Data Protection Laws in relation to such transfer; and
- provide all necessary assistance to enable NYK to:
- fulfil its obligations to respond to any requests from data subjects and/or any supervisory authority in accordance with Data Protection Laws. This shall include promptly complying with any written request by NYK to amend, transfer, delete, suspend or restrict the processing of NYK Personal Data; and
- comply with its obligations to conduct privacy impact assessments and consult with regulatory bodies in relation to any data processing undertaken under these Terms.
- On the expiry or termination of the provision of the Services ("Service Termination"), the Supplier shall notify NYK of the NYK Personal Data that it holds. Where requested by NYK, the Supplier shall immediately transfer to NYK (or any replacement supplier nominated by NYK) a copy of all NYK Personal Data in a non-proprietary format. Promptly after the expiry of 60 days following Service Termination, the Supplier shall securely and permanently destroy all copies of NYK Personal Data in its possession or control (other than any copy transferred to NYK in accordance with this paragraph) unless the Supplier is required by law to retain any copies of such data. The Supplier shall be the data controller in relation to any such retained NYK Personal Data, shall process it solely as necessary to comply with its legal obligations and shall comply with all Applicable Data Protection Laws in relation to such data.
- The Supplier shall ensure that:
- access to the NYK Personal Data is limited to those individuals who need access in order to meet the Supplier's obligations under these Terms (together the "Authorised Personnel"); and
- all Authorised Personnel are informed of the confidential nature of the NYK Personal Data and are bound by appropriate confidentiality obligations when accessing it.
- INFORMATION & AUDIT
- The Supplier shall make available to NYK all information that NYK requests from time to time to enable NYK to: (i) verify that the Supplier is in compliance with these Terms; and/or to (ii) comply with NYK's obligations under Data Protection Laws and to respond to any requests or requirements of any applicable regulator.
- The Supplier shall allow NYK, its auditors and its authorised representatives, on seven days' written notice (or less in the case of an emergency, including but not limited to data security breach) to perform both remote and on-site audits and inspections of the Supplier's premises, systems, employees and relevant records and information as may be reasonably required in order to:
- fulfil any legally enforceable request by any regulatory bodies; and/or
- verify that personal data is being processed in accordance with the terms of these Terms.
- NYK shall use its reasonable endeavours to ensure that the conduct of each audit does not unreasonably disrupt the Supplier and that, where possible, individual audits are co-ordinated with each other to minimise any disruption.
- The Supplier shall provide NYK (and such other persons that are permitted to undertake an audit in accordance with this clause) with all reasonable co-operation, access and assistance in relation to each audit.
- GENERAL
- These Terms are entered into for the benefit of NYK and each member of the NYK Group in respect of which NYK Personal Data may be processed from time to time. Each such NYK Affiliate shall be entitled to enforce these Terms for its benefit as if references to NYK included reference to such NYK Affiliate.
- These Terms are intended to form a legally binding agreement between NYK and the Supplier which shall be governed by English law and subject to the exclusive jurisdiction of the English courts in respect of any contractual and non-contractual disputes arising in connection with these Terms. These Terms are intended to apply in addition to any contract for the supply of Services that may be entered into between the parties from time to time. If there is any conflict between these Terms and the terms of any contract for Services (whether entered into before, on or after the date that these Terms take effect) then the provisions of these Terms shall take priority.
- The agreement formed by these Terms shall continue until it is terminated in accordance with its terms. Either party may terminate this agreement on giving the other not less than 30 days' prior written notice but this notice may only be given where no agreement for the supply of Services has been in place with the Supplier for more than 6 months prior to the date of the notice.
- The Supplier shall indemnify and keep indemnified and defend at its own expense NYK Group against all losses, liabilities, costs, claims and expenses incurred by NYK Group or for which NYK Group may become liable due to any breach of the Supplier's obligations under paragraph 2.