1.1 This Data Processing Schedule forms part of each Contract entered into between Safecall and the Customer and is subject to its terms and conditions, including the limitations and exclusions of liability, set out therein.
1.2 Definitions for capitalised terms used in this Schedule are set out in paragraph 5.
2. Compliance with Data Protection Law
Each party shall comply with the Data Protection Law as it applies to personal data processed under this Contract. This clause is in addition to, and does not relieve, remove or replace, a party’s obligations under the Data Protection Law.
3. Data processing
3.1 The Customer and Safecall acknowledge that Safecall will perform certain processing activities, the subject matter, duration, nature and purpose of which are described more fully in the Description of Processing.
3.2 In respect of such processing activities, Safecall is the processor and the Customer is the controller save in circumstances where Safecall knows an employee’s details but withholds them from the Customer at the employee’s request, or writes a report in such a way as to protect the identity of the employee, whereby Safecall shall be regarded as an independent controller. In such circumstances, Safecall will be the controller only in respect of the employee’s name and any other data which is withheld in order to protect the employee’s identity and the remaining provisions of this paragraph 3 shall not apply.
3.3 Where the Customer is the controller, the Customer shall be responsible for establishing and maintaining the lawful basis for the processing of personal data under this Contract and shall notify Safecall, in writing on request, of the applicable lawful basis for processing.
3.4 The Customer shall be responsible for providing appropriate privacy notices to its employees in respect of the Services.
3.5 In respect of the personal data processed by Safecall as a data processor acting on behalf of the Customer under this Contract, Safecall shall:
(a) only process the personal data in accordance with the Customer’s written instructions from time to time, unless such processing is required by any law to which Safecall is subject, in which case, Safecall shall (to the extent permitted by law) inform the Customer of that legal requirement before carrying out the processing;
(b) process the personal data only to the extent, and in such a manner, as is necessary for the purposes of carrying out its obligations under this Contract;
(c) ensure that persons engaged in the processing of personal data are bound by appropriate confidentiality obligations;
(d) keep a written record of all processing activities which it carries out;
(e) implement and have in place appropriate technical and organisational measures to protect against unauthorised, unlawful or accidental processing, including accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data, such measures in each case to be appropriate to the likelihood and severity of harm to data subjects that might result from the unauthorised, unlawful or accidental processing, having regard to the state of technological development and the cost of implementing any measures, a summary of which is set out in the Appendix to this Schedule ("Security Measures") and the Customer acknowledges that the Security Measures are subject to technical progress and development and that Safecall may update or modify the Security Measures from time to time provided that such updates and modifications do not result in the degradation of the overall security of the Services;
(f) not engage any agent, sub-contractor, supplier, processor or other third party to process personal data (sub-processor) without the prior written consent of the Customer and ensure in such cases that prior to the processing of any personal data by the sub-processor, terms equivalent to the terms set out in this Data Protection Schedule are included in a written contract between Safecall and any sub-processor engaged in the processing of data. The Customer consents to the use of the subprocessors identified at https://www.safecall.co.uk/terms-and-conditions/data/subprocessors from time to time. If Safecall wishes to add any subprocessors, it shall give the Customer not less than fourteen (14) days' prior written notice. If, prior to the expiry of this notice period, the Customer objects in writing to Safecall's appointment of the third party subprocessor on reasonable grounds relating to the protection of the personal data, then either: (i) Safecall will not appoint the subprocessor; or (ii) Safecall may elect to suspend or terminate the affected Services without penalty;
(g) comply promptly with any lawful request from the Customer requesting access to, copies of, or the amendment, transfer or deletion of the personal data to the extent the same is necessary to allow the Customer to fulfil its own obligations under the Data Protection Law, including the Customer's obligations arising in respect of a request from a data subject;
(h) notify the Customer promptly if it receives any complaint, notice or communication (whether from a data subject, competent supervisory authority or otherwise) relating to the processing, the personal data or to either party's compliance with the Data Protection Law as it relates to this Contract, and provide the Customer with reasonable co-operation, information and other assistance in relation to any such complaint, notice or communication;
(i) notify the Customer promptly and at least within five (5) business days if, in its opinion, an instruction from the Customer infringes any Data Protection Law (provided always that the Customer acknowledges that it remains solely responsible for obtaining independent legal advice regarding the legality of its instructions) or Safecall is subject to legal requirements that would make it unlawful or otherwise impossible for Safecall to act according to the Customer's instructions or to comply with Data Protection Law;
(j) inform the Customer without undue delay after becoming aware that any personal data processed under this Contract has been lost or destroyed or has become damaged, corrupted, or unusable or has otherwise been subject to unauthorised or unlawful processing including unauthorised or unlawful access or disclosure;
(k) inform the Customer promptly (and in any event within two (2) business days) if it receives a request from a data subject for access to that person's personal data and shall:
(i) promptly provide the Customer with reasonable co-operation and assistance in relation to such request; and
(ii) not disclose the personal data to any data subject (or to any third party) other than at the request of the Customer or as otherwise required under this Contract;
(l) provide reasonable assistance to the Customer in responding to requests from data subjects and in assisting the Customer to comply with its obligations under Data Protection Law with respect to security, breach notifications, data protection impact assessments and consultations with supervisory authorities or regulators;
(m) delete or return that personal data to the Customer at the end of the duration of the processing as referred to in the Appendix, and at that time delete or destroy existing copies (unless otherwise required by law);
(n) subject to the requirements of commercial and client confidentiality, make available to the Customer such information as is reasonably required to demonstrate compliance with this Data Protection Schedule and, subject to any other conditions set out in this Contract regarding audit, allow for and contribute to audits, including inspections, of compliance with this Data Protection Schedule conducted by the Customer or a professional independent auditor engaged by the Customer. The following requirements apply to any audit: (i) the Customer must give a minimum thirty (30) days’ notice of its intention to audit (or such shorter period of notice as it receives itself where an audit is mandated by its regulator); (ii) the Customer may exercise the right to audit no more than once in any calendar year; (iii) commencement of the audit shall be subject to agreement with Safecall of a scope of work for the audit at least ten (10) days in advance; (iv) Safecall may restrict access to certain parts of its facilities and certain records where such restriction is necessary for commercial and/or client confidentiality; (v) the audit shall not include penetration testing, vulnerability scanning, or other security tests; (vi) the right to audit includes the right to inspect but not copy or otherwise remove any records, other than those that relate specifically and exclusively to the Customer; (vii) any independent auditor will be required to sign such non-disclosure agreement as is reasonably required by Safecall prior to the audit; and (viii) the Customer shall compensate Safecall for its reasonable costs (including for the time of its personnel, other than the 'Main contact' specified in the Order Form) incurred in supporting any audit; and
(o) only transfer personal data outside the United Kingdom if such transfer is carried out in accordance with paragraph 4.
3.6 Each party agrees to indemnify and keep indemnified and defend at its own expense the other party against all costs, claims, damages or expenses (including reasonable legal fees) incurred by the other party or for which the other party may become liable due to any failure by the indemnifying party or its directors, employees or agents to comply with any of its obligations under this Data Protection Schedule.
4. International transfers
4.1 Safecall will not transfer data outside the United Kingdom unless such transfer is:
(a) to a recipient in an Adequate Territory;
(b) to a recipient that has achieved binding corporate rules authorisation in accordance with Data Protection Laws;
(c) to a recipient that has entered into the Model Clauses;
(d) to a recipient in circumstances where Safecall is entitled to rely on a permitted derogation under Data Protection Law, which may include circumstances where (among other things) the transfer is necessary for the establishment, exercise or defence of legal claims; or
(e) in accordance with the Customer's documented instructions.
4.2 Where Safecall uses a sub-processor located in a third country outside of the United Kingdom that is not an Adequate Territory, Safecall shall have the right to enter into Model Clauses with the sub-processor for and on behalf of the Customer, whether on a named or an undisclosed basis.
4.3 Where the Customer or its users are located in a third country outside of the United Kingdom that is not an Adequate Territory and requires Safecall to transfer personal data to it or them, the Customer acknowledges that Safecall may not be able to ensure that such transfer is subject to appropriate safeguards. The Customer nevertheless instructs Safecall to undertake such transfers as required for the proper delivery of the Services.
4.4 In the event that: (i) the Customer or any of its users of the Services are located in the EEA but not in the United Kingdom; and (ii) the United Kingdom leaves the EEA and is not designated by the European Commission as an Adequate Territory, the Model Clauses will apply to the personal data that is transferred to the United Kingdom by the Customer or any of its users in accordance with the following provisions:
(a) the Customer will be the data exporter and Safecall will be the data importer;
(b) the Customer will be deemed to have entered into the Model Clauses in its own name and on behalf of any of its Affiliates who also act as a controller in relation to personal data that is processed under this Schedule;
(c) the governing law of the Model Clauses shall be the law of the member state of the EEA in which the data exporter is established, as determined by Data Protection Law, and clause 9 of the Model Clauses shall be deemed to have been completed accordingly;
(d) Appendix 1 of the Model Clauses shall be deemed to be completed with the details set out in the Description of Processing; and
(e) Appendix 2 of the Model Clauses shall be deemed to be completed with the summary of the Security Measures referred to in paragraph 3.5(e).
4.5 The parties agree that in the event of a conflict between the Model Clauses and the terms of this Schedule or a Contract, the Model Clauses shall prevail.
In this Schedule, the following terms have the meanings given to them below, unless a contrary intention appears:
The terms controller, processor, process and data subject have the meanings given to them under Data Protection Law.
Adequate Territory means: (i) with respect to transfers from the EEA to a third country that is outside of the EEA, a territory outside of the EEA that has been designated by the European Commission as ensuring an adequate level of protection pursuant to Data Protection Law; and (ii) with respect to transfers from the United Kingdom to a third country, a territory that has been recognised by the United Kingdom as ensuring an adequate level of protection pursuant to Data Protection Laws.
Data Protection Law means: (i) the General Data Protection Regulation ((EU) 2016/679) (GDPR) for so long as the GDPR is directly effective in the UK; (ii) the Data Protection Act 2018; (iii) the Privacy and Electronic Communications (EC Directive) Regulations 2003; and (iv) any other laws, regulations and secondary legislation enacted from time to time in the UK relating to data protection, the use of information relating to individuals, the information rights of individuals and/or the processing of personal data, including without limitation any UK act of Parliament or regulation giving effect to, incorporating, transposing, implementing, supplementing or derogating from the GDPR in whole or in part or otherwise amending or replacing the Data Protection Act 2018, irrespective of whether GDPR continues to have direct effect in the UK.
Description of Processing means the description set out in Part 1 of the Appendix to this Data Protection Schedule.
European Economic Area or EEA means those member states that are subject to the Agreement on the European Economic Area dated 1 January 1994 including the member states of the European Union and Iceland, Liechtenstein and Norway.
Model Clauses means the Standard Contractual Clauses for the transfer of Personal Data to processors established in third countries as approved by the European Commission in Decision 2010/87/EU (available online at https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en), as such model clauses may be amended or superseded by the European Commission from time to time.
Personal data has the meaning given to it in the Data Protection Law, so far as it relates to the personal data, or any part of such personal data, of which Safecall is the processor acting on the Customer's behalf and in relation to which the Customer is the controller.
Security Measures has the meaning given to it in paragraph 3.5(e).
Appendix to the Data Protection Schedule
Part 1 – Description of Processing
Subject matter of processing: Personal data processed for the purposes of the Services specified in the Order Form
Duration of processing: The duration of the processing of personal data by Safecall under this Contract is the period of this Contract and the longer of such additional period as: (i) is specified in any provisions of this Contract regarding data retention; and (ii) is required for compliance with law
Nature of processing: Such processing as is necessary to enable Safecall to provide the ordered Services to the Customer
Purpose of the processing: The performance of Safecall’s obligations and the exercise of its rights in respect of the ordered Services
Personal data types: Personal data provided to Safecall by or on behalf of the Customer or the data subjects in connection with the ordered Services
Categories of data subject: The Customer’s employees
Special categories of data (if appropriate): Any special category data that may be disclosed by or on behalf of the Customer or the data subjects in the use of the ordered Services
Obligations and rights of the controller: As set out in this Contract