Data Protection Requirements
Operative provisions
1. Definitions
1.1 In this Schedule:
- Controller
Has the meaning given in applicable Data Protection Laws from time to time.
- Data Protection Laws
Means, as binding on either party or the Services:
(a) The GDPR.
(b) The Data Protection Act 2018.
(c) Any laws which implement any such laws.
(d) Any laws that replace, extend, re‐enact, consolidate or amend any of the foregoing.
- Data Subject
Has the meaning given in applicable Data Protection Laws from time to time.
- GDPR
Means the General Data Protection Regulation, Regulation (EU) 2016/679.
- International Organisation
Has the meaning in applicable Data Protection Laws from time to time.
- Personal Data
Has the meaning given in applicable Data Protection Laws from time to time.
- Personal Data Breach
Has the meaning given in applicable Data Protection Laws from time to time.
- Processing
Has the meaning given in applicable Data Protection Laws from time to time (and related expressions, including process, processed, processing, and processes shall be construed accordingly).
- Processor
Has the meaning given in applicable Data Protection Laws from time to time.
- Protected Data
Means Personal Data received by the Support Provider from Co‐operatives UK in connection with the performance of the Support Provider’s obligations under this Agreement.
- Sub-Processor
Means any agent, subcontractor or other third party (excluding its employees) engaged by Co‐operatives UK for carrying out any processing activities on behalf of Co‐operatives UK in respect of the Protected Data.
2. Co‐operatives UK’s compliance with data protection laws
The parties agree that Co‐operatives UK is a Controller and that the Support Provider is a Processor for the purposes of processing Protected Data pursuant to this Agreement. Co‐operatives UK shall comply with all Data Protection Laws in processing Protected Data. The Support Provider shall ensure all instructions given by it to Co‐operatives UK in respect of Protected Data (including the terms of this Agreement) shall be in accordance with Data Protection Laws.
3. The Support Provider’s compliance with data protection laws
The Support Provider shall process Protected Data in compliance with the obligations placed on it under Data Protection Laws and the terms of this Agreement.
4. Instructions
The Support Provider shall only process the Protected Data in accordance with this Agreement (and not otherwise unless alternative processing instructions are agreed between the parties in writing) except where otherwise required by applicable law.
5. Security
Taking into account the state of technical development and the nature of processing, the Support Provider shall implement and maintain the technical and organisational measures set out in this Agreement to protect the Protected Data against accidental, unauthorised or unlawful destruction, loss, alteration, disclosure or access.
6. Sub‐processing and personnel
6.1 The Support Provider shall:
6.1.1 Not permit any processing of Protected Data by any agent, subcontractor or other third party (except its or its Sub-Processors’ own employees who are subject to an enforceable obligation of confidence with regards to the Protected Data).
6.1.2 prior to the relevant Sub‐Processor carrying out any processing activities in respect of the Protected Data, appoint each Sub‐Processor under a written contract containing materially the same obligations as under this Schedule.
7. Assistance
7.1 The Support Provider shall fully cooperate with and assist Co‐operatives UK in ensuring compliance with its obligations pursuant to Articles 32 to 36 of the GDPR (and any similar obligations under applicable Data Protection Laws) taking into account the nature of the processing and the information available to it.
7.2 The Support Provider shall, taking into account the nature of the processing, assist Co‐operatives UK (by implementing appropriate technical and organisational measures), insofar as this is possible, for the fulfilment of Co‐operatives UK’s obligations to respond to requests for exercising Data Subjects’ rights under Chapter III of the GDPR (and any similar obligations under applicable Data Protection Laws) in respect of any Protected Data.
8. International transfers
The Support Provider shall not process and/or transfer, or otherwise directly or indirectly disclose, any Protected Data in or to countries outside the European Economic Area or to any International Organisation without the prior written consent of Co‐operatives UK.
9. Audits and processing
The Support Provider shall, in accordance with Data Protection Laws, make available to Co‐operatives UK such information that is in its possession or control as is necessary to demonstrate the Support Provider’s compliance with the obligations placed on it under this Schedule and to demonstrate compliance with the obligations on each party imposed by Article 28 of the GDPR (and under any equivalent Data Protection Laws equivalent to that Article 28), and allow for and contribute to audits, including inspections, by Co‐operatives UK (or another auditor mandated by Co‐operatives UK) for this purpose (subject to a maximum of one audit request in any 12 month period).
10. Breach
The Support Provider shall notify in writing Co‐operatives UK without undue delay and in any event within 48 hours of becoming aware of any Personal Data Breach in respect of any Protected Data.
11. Deletion/return and survival
On the end of the arrangements relating to the processing of Protected Data, the Support Provider shall either return the Protected Data to Co‐operatives UK or securely dispose of the Protected Data (and thereafter promptly delete all existing copies of it) except to the extent that any applicable law requires the Support Provider to store such Protected Data. This Schedule shall survive termination or expiry of this Agreement indefinitely.