DATA PROCESSING AGREEMENT – ASK4 AS CONTROLLER

The EU General Data Protection Regulation (EU GDPR), the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 (DPA18) and other relevant EU implementing laws require controls to be in place when a ‘data controller’, such as ASK4 Limited (ASK4) and any other (direct or indirect) subsidiary or holding company of ASK4 (each an ASK4 Group Company), uses the services of an external ‘data processor’, such as yourself to assist them in their business processes.

In order that ASK4 and ASK4 Group Companies, as data controllers, and you ,as data processor, can meet our respective obligations, you agree to the following:

  • You will only process the personal data we provide to you in accordance with our instructions and for the purposes of carrying out the services you are required to perform for us.
  • You will only process the personal data we provide to you within the United Kingdom or EU and not transfer the personal data, or agree for the personal data to be transferred, outside the United Kingdom or EU without our prior written consent. If you wish to undertake processing at any time outside the UK or EU, inform us which processes are to be dealt with in this manner, and where, so that we may consider the matter and, if appropriate, furnish you with the necessary consent.
  • You will ensure that all of your employees and other representatives accessing the personal data you process on our behalf are aware of the terms of this agreement, have received appropriate training in relation to data protection and confidentiality requirements and have agreed to keep the personal data confidential at all times.
  • You will put into place and maintain at all times during the operation of this agreement, such technical, operational and organisational measures as are necessary to ensure that an appropriate level of security is maintained as set out in Article 32 of UK GDPR. This includes adhering to Section 9 of the ASK4 Compliance Requirements (https://www.ask4.com/legal/compliance-requirements). You also agree that these security measures will remain in place for so long after the termination of our agreement as is necessary in order to protect the confidentiality of the personal data processed by you or which continues to be processed on our behalf.
  • You will not sub-contract the provision of any of the services you provide on our behalf or involve any third party in the processing of the personal data without our written consent, which we may refuse without giving reason. In the event that consent is given for a third party to process the personal data, that third party must also enter into a separate data processing agreement with ASK4.
  • You may be required, taking into account the nature of the processing and the information available to you, to assist us in ensuring compliance with the obligations as set out in Articles 32 to 36 of the UK GDPR in relation to the security of the processing, the notification of a personal data breach to the supervisory authority, the communication of a personal data breach to the data subject, the carrying out of a data protection impact assessment or a consultation with the Information Commissioner’s Office in connection with any such assessment.
  • In the event that we are required to respond to requests from individuals exercising their data subject access rights as set out in Chapter 3 of the UK GDPR, and the possible enforcement of their data protection rights, you will assist us to do so as appropriate.
  • You will safely delete or return the personal data we entrust to you at any time upon request to do so and you will, in any event, securely delete the personal data or return the same to us at the end of our agreement. In the event that you are under a legal obligation to retain such data, you must declare this to us in writing now or as soon as such obligation arises.
  • On our asking you to do so immediately make available to us all information necessary to demonstrate compliance with all the elements of this agreement and also permit and assist in the conduct of any audits or inspections that we may reasonably request.
  • You must maintain at all times a record of all categories of processing activities carried out by you on our behalf, which record will include details of all processors and controllers, details of any transfers to a third country or an international organisation and details of technical and organisational security measures as referred to in Article 32(1) of the UK GDPR.
  • You will maintain the integrity of the personal data, without alteration, ensuring that it can be separated from any other information created.
  • You shall immediately contact us on data-protection@ask4.com in the event that there is any personal data breach or incident where the personal data, or the confidentiality of any person, may have been compromised.

This agreement forms part of your wider contractual relationship with the relevant ASK4 Group Company and is incorporated by your acceptance of the ASK4 Compliance Requirements and/or the ASK4 Terms of Purchase.