GAHR is GDPR compliant and, as we operate as a Data Processor for some clients, we have a clear code of conduct as to how we process and store data.
Definitions
Terms such as “process/processing”, “data subject”, “data processor”, “data controller”, “personal data”, “data protection impact assessment” shall have the same meaning ascribed to them in Data Protection Laws;
“Data Protection Laws” means in relation to any Personal Data which is Processed in the performance of the Services Agreement with the Data Controller i) until 25 May 2018, EU Directive 95/46/EC, as transposed into domestic legislation of each Member State; ii) on and from 25 May 2018 the General Data Protection Regulation (EU) 2016/679 (“GDPR”); iii) as and when enacted in the United Kingdom the Data Protection Act [2018], supplementing and amending the GDPR; iv) EU Directive 2002/58/EC on privacy and electronic communications, as transposed into domestic legislation of each Member State; and v) any applicable decisions, guidelines, guidance notes and codes of practice issued from time to time by courts, supervisory authorities and other applicable government authorities; in each case together with all laws implementing, replacing or supplementing the same and any other applicable data protection or privacy laws;
“EEA” means the European Economic Area;
“Personal Data” means the data described in the Service Agreement with the Data Controller and any other personal data processed by The Processor on behalf of the Controller pursuant to or in connection with the Services Agreement;
“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed by the Processor or any Sub-processor;
“Standard Contractual Clauses” means the standard contractual clauses for the transfer of personal data to processors established in third countries, as approved by the European Commission in Decision 2010/87/EU, or any set of clauses approved by the European Commission which amends, replaces or supersedes these;
“Sub-processor” means any data processor (including any affiliate of the Processor) appointed by the Processor to process personal data on behalf of the Controller;
“Supervisory Authority” means (a) an independent public authority which is established by a Member State pursuant to Article 51 GDPR; and (b) any similar regulatory authority responsible for the enforcement of Data Protection Laws.
Processing of Personal Data
GAHR will only process the types of Personal Data relating to the categories of data subjects for the purposes of the Services Agreement with the Data Controller and for the specific purposes in each case. GAHR shall not process, transfer, modify, amend or alter the Personal Data or disclose or permit the disclosure of the Personal Data to any third party other than in accordance with the Controller’s documented instructions (whether in the Services Agreement or otherwise) unless processing is required by applicable law to which the Processor is subject, in which case the Processor shall to the extent permitted by such law inform the Controller of that legal requirement before processing that Personal Data.
Security
GAHR will treat all Personal Data as strictly confidential and will inform all its employees, agents, contractors and/or Authorized Sub-processors engaged in processing the Personal Data of the confidential nature of such Personal Data.
GAHR will take reasonable steps to ensure the reliability of any employee, agent, contractor and/or Authorized Sub-processor who may have access to the Personal Data, ensuring in each case that access is limited to those persons or parties who need to access the relevant Personal Data, as necessary for the purposes set out in the Service Agreement in the context of that person’s or party’s duties to the Processor.
GAHR will ensure that all such persons or parties involved in the processing of Personal Data are subject to:
- confidentiality undertakings or are under an appropriate statutory obligation of confidentiality; and
- user authentication processes when accessing the Personal Data.
GAHR will implement appropriate technical and organisational measures to ensure a level of security of the Personal Data appropriate to the risks that are presented by the processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data transmitted, stored or otherwise processed, and shall take all measures required pursuant to Article 32 GDPR.
GAHR acknowledges that security requirements are constantly changing and that effective security requires frequent evaluation and regular improvement of outdated security measures. GAHR will therefore evaluate the technical and organisational measures it has implemented on an ongoing basis and will tighten, supplement and improve these measures in order to maintain compliance with Data Protection Laws.
Subprocessing
GAHR shall not engage any Sub-processor to process Personal Data other than with the prior specific or general written authorisation of the Controller.
In the case of general written authorisation, GAHR shall inform the Controller of any intended changes concerning the addition or replacement of other processors, thereby giving the Controller the opportunity to object to such changes.
With respect to each Sub-processor, GAHR shall:
- carry out adequate due diligence on each Sub-processor to ensure that it is capable of providing the level of protection for the Personal Data, including without limitation sufficient guarantees to implement appropriate technical and organisational measures in such a manner that Processing will meet the requirements of Data Protection Laws and this Addendum;
- include terms in the contract between the Processor and each Sub-processor which are the same as those set out in this Addendum, and shall supervise compliance thereof;
- insofar as that contract involves the transfer of Personal Data outside of the EEA, incorporate the Standard Contractual Clauses or such other mechanism as directed by the Controller into the contract between the Processor and each Sub-processor to ensure the adequate protection of the transferred Personal Data, or such other arrangement as the Controller may approve as providing an adequate protection in respect of the processing of Personal Data in such third country(ies).
Data Subject Rights
GAHR shall without undue delay notify the Controller if it receives a request from a data subject under any Data Protection Laws in respect of Personal Data, including requests by a data subject to exercise rights in chapter III of GDPR, and shall provide full details of that request.
GAHR will co-operate as reasonably requested by the Controller to enable the Controller to comply with any exercise of rights by a data subject under any Data Protection Laws in respect of Personal Data and to comply with any assessment, enquiry, notice or investigation under any Data Protection Laws in respect of Personal Data or the Services Agreement, which shall include:
- the provision of all information reasonably requested by the Controller within any reasonable timescale specified by the Controller in each case, including full details and copies of the complaint, communication or request and any Personal Data it holds in relation to a data subject;
- where applicable, providing such assistance as is reasonably requested by the Controller to enable the Controller to comply with the relevant request within the timescales prescribed by Data Protection Laws; and
- implementing any additional technical and organisational measures as may be reasonably required by the Controller to allow the Controller to respond effectively to relevant complaints, communications or requests.
Incident Management
In the case of a Personal Data Breach, GAHR will immediately and, where feasible, not later than 24 hours after having become aware of it, notify the Personal Data Breach to the Controller providing the Controller with sufficient information which allows the Controller to meet any obligations to report a Personal Data Breach under Data Protection Laws. Such notification shall as a minimum:
- describe the nature of the Personal Data Breach, the categories and numbers of data subjects concerned, and the categories and numbers of Personal Data records concerned;
- communicate the name and contact details of the Processor’s data protection officer or other relevant contact from whom more information may be obtained;
- describe the likely consequences of the Personal Data Breach;
- describe the measures taken or proposed to be taken to address the data breach, including, where appropriate, measures to mitigate its possible adverse effects.
GAHR will fully co-operate with the Controller and take such reasonable steps as are directed by the Controller to assist in the investigation, mitigation and remediation of each Personal Data Breach, in order to enable the Controller to (i) perform a thorough investigation into the Personal Data Breach, and (ii) formulate a correct response and take suitable further steps in respect of the Personal Data Breach in order to meet any requirement under Data Protection Laws.
The parties agree to coordinate and cooperate in good faith on developing the content of any related public statements or any required notices for the affected persons. The Processor shall not inform any third party without first obtaining the Controller’s prior written consent, unless notification is required by law to which the Processor is subject, in which case the Processor shall to the extent permitted by such law inform the Controller of that legal requirement, provide a copy of the proposed notification and consider any comments made by the Controller before notifying the Personal Data Breach.
Deletion or return of Controller Personal Data
GAHR will promptly and in any event within 90 (ninety) calendar days of the earlier of: (i) cessation of processing of Personal Data by the Processor; or (ii) termination of the Services Agreement, at the choice of the Controller either:
- return a complete copy of all Personal Data to the Controller by secure file transfer in such format as notified by the Controller to the Processor and securely wipe all other copies of Personal Data processed by the Processor or any Authorised Sub-processor; or
- securely wipe all copies of Personal Data processed by the Processor or any Authorised Sub-processor.
Audits
GAHR will make available to the Controller on request all information necessary to demonstrate compliance with this code of conduct and Data Protection Laws and allow for and contribute to audits, including inspections by the Controller or another auditor mandated by the Controller of any premises where the processing of Personal Data takes place.
GAHR will permit the Controller or another auditor mandated by the Controller during normal working hours and on reasonable prior notice to inspect, audit and copy any relevant records, processes and systems in order that the Controller may satisfy itself that the provisions of Data Protection Laws are being complied with.
International transfers of Data
GAHR will not (permanently or temporarily) process the Personal Data nor permit any Authorised Sub-processor to (permanently or temporarily) process the Personal Data in a country outside of the EEA without an adequate level of protection, unless authorised in writing by the Controller in advance.