EUROPEAN ECONOMIC AREA DATA CONTROLLER/PROCESSOR AGREEMENT June 2013
1.1 The Controller is the holder of a licence to use Cubiks Products as defined in any agreement (“Licence”) currently in force between the Controller and any member of the Cubiks Group of Companies (“Licensor”). The Cubiks Group of Companies is defined below.
1.2 The Processor is the Licensor with whom the Controller is contracting.
1.3 The Processor may subcontract its obligations under this Agreement to Cubiks Limited, registered number 3840112 whose registered office is at Ranger House, Walnut Tree Close, Guildford, Surrey, GU1 4US, United Kingdom. The Processor remains fully responsible to the Controller for the compliance of Cubiks Limited with the terms and conditions herein.
1.4 This Agreement is made between the Controller and the Processor and is supplemental to and forms part of any Licence as described in 1.1 above.
1.5 In consideration of the provision by the Licensor of online access to the Cubiks Products and the mutual undertakings set out herein the parties agree as follows.
The purpose of this Agreement is to ensure that the Processing of Personal Data (as these terms are defined below) is carried out in accordance with Articles 6 to 12, and Articles 14 to 17 of the European Union Directive 95/46/EC (“On the protection of individuals with regard to the processing of personal data, and on the free movement of such data”), as set out in the legislation of the Member State in which Controller is established, subject to that legislation being in accordance with the Directive.
These Articles and legislation require a written contract to exist between Controller and Processor, and for Processor to take appropriate technical and organizational measures to protect Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the Processing involves the transmission of data over a network, and against all other unlawful forms of processing.
The Appendices to this Agreement shall form an integral part of this Agreement.
For the purposes of this Agreement, the following terms shall have the meanings set out below. These are cognisant of the meanings given them in Article 2 of Directive 95/46/EC.
(a) “Controller” shall mean the natural or legal person, public authority, agency or any other body as described in clause 1 above and which alone or jointly with others determines the purposes and means of the Processing of Personal Data;
(b) “Processor”, in relation to Personal Data, shall mean any natural or legal person, public authority, agency or any other body (other than an employee of Controller) who Processes the Personal Data on behalf of Controller;
(c) “Data Subject” shall mean an individual who is the subject of Personal Data;
(d) “Personal Data” shall mean any information relating to an identified or identifiable Data Subject; an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity;
(e) “Processing” shall mean any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction, and “Process” shall be construed accordingly.
In addition:
(f) “Member State” shall mean a state which is a member of the European Economic Area, that is, a member of the European Union or of the European Free Trade Area, but excluding Switzerland;
(g) “Directive” shall mean the Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995, entitled “on the protection of individuals with regard to the Processing of Personal Data and on the free movement of such data” and any modification of such directive or any replacement directive;
(h) “Supervisor” shall mean the Data Protection Supervisory Authority, as defined in Article 28 of Directive, of the Member State in which Controller is established. If Controller is established in more than one Member State, it shall refer to the Data Protection Supervisory Authority for the Member State in which Controller is acting for the purposes of this Agreement;
(i) “Cubiks Group of Companies” shall mean those companies which can be found listed at http://www.cubiks.com/SiteInformation/Pages/CubiksGroupLimited.aspx. The term Cubiks Group of Companies includes a single member of that group.
The details of the Processing of Personal Data covered by this Agreement are specified in Appendix 1.
All contacts between the Parties concerning this Agreement shall be between the persons nominated in Appendix 2, and such other persons as the nominated Contacts may from time to time authorise in writing. Any changes to the contacts nominated in Appendix 2 shall be agreed in writing between the Parties.
7. OWNERSHIP OF THE DATA
All Personal Data stored and Processed under the terms of this Agreement by Processor on behalf of Controller are and shall remain exclusively the property of Controller.
8. OBLIGATIONS OF CONTROLLER
Controller agrees and warrants:
(a) that the Processing of Personal Data by him has been and will continue to be carried out in accordance with all the relevant provisions of Directive 95/46/EC and in accordance with the privacy and data protection notice of the Processor (or such other notice as the parties may agree);
(b) that if the Processing involves any of the special categories of data as defined in paragraph 1 of Article 8 of the Directive 95/46/EC, Controller has collected those data, and is requesting their Processing by Processor, in accordance with paragraph 2 of the said Article;
(c) to respond in a reasonable time, and to the extent reasonably possible, to enquiries from Supervisor on the Processing of the relevant Personal Data by Controller;
(d) to respond in a reasonable time and to the extent reasonably possible to enquiries by a Data Subject concerning the Processing of his Personal Data by Controller, and to give appropriate instructions to Processor in a timely manner.
9. OBLIGATIONS OF PROCESSOR
Processor agrees and warrants:
(a) to Process Personal Data on behalf of Controller, in accordance with the instructions of Controller (i) to ensure compliance with paragraph (b) below and (ii) subject to such instructions being consistent with the established functionalities and established capabilities of the Cubiks Products which are the subject of the Licence. Processor further agrees not to carry out any Processing of Personal Data supplied by Controller without the explicit instructions of Controller;
(b) to process Controller’s Personal Data in accordance with Article 17 of the Directive;
(c) to ensure that all Processor’s staff and management are fully aware of their responsibilities to protect Personal Data in accordance with this Agreement;
(d) that he has no reason to believe that any legislation, rule of law or order of a court applicable to him prevents him from fulfilling his obligations under this Agreement and that, in the event of his becoming so aware, he will notify Controller as soon as reasonably possible;
(e) to deal promptly, fully and properly with all reasonable enquiries from Controller relating to his Processing of the Personal Data and to cooperate with the Supervisor in the course of any of its enquiries and to abide by the advice of the Supervisor with regard to the Processing of the Personal Data;
(f) to deal promptly, fully and properly with all enquiries from Controller relating to subject access requests from Data Subjects received by Controller and passed to Processor for Processing, ensuring such requests are dealt with in the manner and within the time limits specified by Article 12 of the Directive, and as interpreted by the data protection law of the Member State in which the Controller is acting for the purposes of this Agreement;
(g) to return to Controller in good time for transmission to the Data Subject all material produced in response to a subject access request;
(h) at the request of Controller to submit its data processing facilities for audit which shall be carried out by Controller, or by an inspection body composed of independent members and in possession of the required professional qualifications, selected by Controller, or by the Supervisor and, where applicable, in agreement with the Supervisor.
Processor will only disclose Personal Data in accordance with instructions from Controller, and will take appropriate security measures, in accordance with Article 17 of the Directive, to ensure that no unauthorised disclosure occurs.
(a) It is noted that, under Article 23 of the Directive, an individual who suffers damage by reason of any contravention of the data protection law is entitled to compensation from Controller for that damage and, in certain circumstances, for damage and consequential distress.
(b) The Parties agree that if Controller is held liable for a violation referred to in subparagraph (a) above, Processor will, in proportion to the extent to which it is liable, indemnify Controller for any cost, charge, damages, expenses or loss Controller has incurred to a maximum value equivalent to the Licence Fee specified in the Licence.
12. MEDIATION AND JURISDICTION
(a) The Parties agree that if there is a dispute between a Data Subject and Controller and that dispute is not amicably resolved, they will cooperate to offer the Data Subject the opportunity to refer the dispute to mediation by an independent person or, where applicable, by the Supervisor.
(b) Paragraph (a) shall apply without prejudice to the Data Subject’s rights to seek remedies in a court in accordance with the data protection law.
13. TERMINATION OF THE AGREEMENT
(a) The Parties agree that the termination of the Agreement at any time, in any circumstances and for whatever reason does not exempt them from the obligations and/or conditions under the Agreement as regards the Processing of Personal Data.
(b) Subject to a reasonable time interval to ensure that Controller has made alternative arrangements for Processing his Personal Data, and subject to these arrangements working satisfactorily, Processor shall, insofar as it is practicable, delete or render anonymous all copies of Controller’s Personal Data held and processed by Processor.
(c) If Controller’s Personal Data, for reasons of practicality, cannot be so deleted or rendered anonymous, Processor shall take appropriate action to ensure that those Personal Data will not be further processed, disclosed, or in any way used, other than their later deletion should that become possible.
14. VARIATION OF THIS AGREEMENT
The Parties undertake not to vary or modify the terms of this Agreement, other than:
(a) to correct such deficiencies as may become apparent in this Agreement in relation to the application to the Processing of the Directive or its interpretation by the Member State in which the Controller resides; or
(b) any variation necessitated by any relevant subsidiary legislation, or by any amendment to the Directive or other relevant data protection law; or
(c) any variation to the Processing requirements of Controller; or
(d) any other change necessitated by law.
15. GOVERNING LAW
This Agreement shall be governed by the laws of England.
The Processing of Personal Data which are subject to this Agreement is:
(a) for human resources purposes only;
(b) where applicable and subject to prior agreement with the Licensor, for disclosure by Controller to Controller’s clients for human resources purposes; and
(c) for the management of the Personal Data and the performance of the obligations of the Licensor and the Processor to the Controller.
The categories of Personal Data processed are those necessary for the identification of participating individuals, for the human resources assessments involving use of Cubiks Products licensed and consultancy provided by the Cubiks Group of Companies to the Controller.
In addition, Processor may on an anonymous basis Process Personal Data for statistical, research, historical and management purposes.
Where appropriate, Processing may be carried out by the Controller, the Processor, companies in the same group as the Processor and by associates, suppliers, distributors and agents of the Processor.
The Cubiks Products licensed to the Controller are as specified in the Licence.
Nominated First Contacts
On behalf of Controller: Director of Human Resources or designated representative.
On behalf of Processor: Group Company Secretary represented by Cubiks Helpdesk, telephone 00 44 1483 544 240.
© 2013 Cubiks Intellectual Property Limited