Lead Monitors Limited
In this Policy, “Applicable Data Protection Law” means any law, directive, legislative enactment, order, regulation, rule or other binding instrument relating to the protection of personal data, being the Data Protection Act 2018, the Privacy and Electronic Communications (EC Directive) Regulations 2003 and the EU General Data Protection Regulation 2016/679, each as amended and supplemented from time to time during the Term for provision of the Services by LM to the End User.
The terms “personal data”, “process”, “data controller”, “data processor”, “sub-processor” and “data subject” where used in this Policy will have the meanings ascribed to them in Applicable Data Protection Law.
LM and the End User agree that personal data shall be processed in accordance with the following Policy terms.
The parties agree the provisions of this Policy shall apply to the personal data LM processes in the course of providing its Services under the Contract. The parties agree that the End User is the data controller and LM is a data processor in relation to the personal data processed under this Policy and the Contract.
The End User, as the data controller, shall be responsible for obtaining all relevant permissions, or having a proper legal basis for processing personal data of data subjects that it requests LM to process under the Contract, in accordance with Applicable Data Protection Laws. For the avoidance of doubt, this includes (but is not limited to) having a suitable privacy notice which is communicated to data subjects at the time their personal data is collected, informing the data subjects that their personal data will be processed by the End User and its sub-contractors (which for the purposes of the Contract shall be LM and its approved subcontractors) in the manner anticipated by the Contract and this Policy.
The parties agree that:
The subject-matter of the data processing is users and / or visitors to the End User’s website upon which the LM software Services are to be uploaded for the tracking of use of the End User’s website, in accordance with this Policy and the Contract.
The nature and purpose of the processing is for the provision of the Services in accordance with this Policy and/or the Contract.
The categories of data subjects whose personal data is processed are users / visitors to the End User’s website.
Types of personal data LM processes will be contact information about users / visitors to the End User website, including name, address, email address, IP address.
When LM processes personal data in the course of performing Services under the Contract on behalf of the End User, LM shall:
process the personal data only in accordance with the instructions from the End User (which may be specific instructions or instructions of a general nature as set out in the Contract, or as otherwise notified by the End User to LM from time to time) and not for LM’s own purposes. If LM is required to process the personal data for any other purpose by Applicable Data Protection Law, LM shall inform the End User of this requirement before the processing, unless that law prohibits this on important grounds of public interest;
taking into account the nature of the processing, provide such reasonable assistance in fulfilling the End User’s obligations to respond to requests from data subjects exercising their rights under Applicable Data Protection Laws in respect of the processing activities undertaken by LM under the Contract and this Policy;
taking into account the nature of the processing, have appropriate technical and organisational measures to protect the personal data against unauthorised or unlawful processing and against accidental loss, destruction, damage, theft, alteration or disclosure (a “Security Incident”). These measures shall be appropriate to the harm which might result from any unauthorised or unlawful processing, accidental loss, destruction, damage or theft of the personal data and having regard to the nature of the personal data which is to be protected, whilst being processed by LM, in accordance with LM’s IT & Cyber Security Policy;
promptly notify the End User in writing if LM suspects there has been a Security Incident, in which event LM will do all such acts and things (at its own expense) as the End User may require in order to remedy or mitigate the effects of the Security Incident;
not give access to or transfer any personal data to any third party (other than affiliates or group companies of LM, or its approved sub-contractors) without the End User’s prior written consent. Where the End User does consent to LM engaging another sub-contractor to carry out any processing of personal data, LM must ensure the reliability and competence of the third party, its employees and agents who may have access to the personal data and must include in any contract with the third party provisions appropriate to protect personal data in accordance with Applicable Data Protection Law. For the avoidance of doubt, where a third party fails to fulfil its obligations under any sub-processing agreement or any Applicable Data Protection Law, LM will remain liable to the End User for the fulfilment of LM’s obligations under the Contract;
ensure that personnel (including employees and contractors) required to access the personal data have committed to keep personal data confidential and comply with the obligations set out in this Clause 4 or are under an appropriate statutory obligation of confidentiality;
upon the termination of the Contract at the End User’s request, securely destroy or return the personal data to the End User and delete existing copies (unless Applicable Law requires storage of the personal data), in accordance with this Policy or other policy documentation referred to in it;
keep and maintain accurate and complete records of all of its processing of personal data under the Contract and provide the End User relevant information regarding LM’s processing activities during the Term of the Contract, which will include providing access to and the right to audit such information as reasonably requested by the End User, at reasonable times and on reasonable notice;
ensure that any of LM’s staff who process personal data for the purposes of the Contract are reliable and have been trained in relation to the requirements of Applicable Data Protection Law and in the care and handling of personal data;
not perform its obligations under the Contract in a way that causes the End User to breach any applicable obligations under Applicable Data Protection Law;
promptly notify the End User of any complaint, communication or request relating to Applicable Data Protection Law; and
subject to this clause, not disclose or transfer any personal data provided by the End User outside of the European Economic Area (“EEA”) without the prior written consent of the End User.
where LM wishes to appoint an additional or replacement subcontractor, the parties will follow the escalation procedure as follows:
(i) firstly, shall be referred to the data protection officer (or other person of equivalent or higher seniority) of each party, who shall both endeavour to agree the appointment within five (5) working days; followed by
(ii) the Managing Director (or other person of equivalent or higher seniority) of each party who shall both endeavour to agree the appointment within five (5) working days,
should the discussions over the appointment of the subcontractor remain unresolved after reference to the escalation procedure set out in sub-clauses (i) and (ii) above, LM shall not engage such a subcontractor and shall try and seek an alternative provider for approval by the End User.
LM shall return all End User personal data (if any remains in LM’s custody or control), if so requested by the End User, and provide all assistance reasonably requested by the End User to facilitate the smooth transition of the Services to the End User or any replacement supplier appointed by ensuring that all End User data stored on the LM computer systems are provided to the End User or any replacement supplier in a structured industry standard format. For the avoidance of doubt, if the End User requires the End User data in a format which is not industry standard or additional assistance is required beyond the transfer of End User data from LM’s systems to the End User or a replacement supplier, then LM shall be entitled to charge a reasonable cost (to be agreed between the parties) for placing the End User data in a non-standard format prior to such transition.
Changes to this Policy: This Policy may be updated from time to time by the parties in writing, agreeing any changes to this Policy and the terms of the processing agreement entered into between the parties on the terms of this Policy.
© LeadMonitors 2017-2019