GSE - 010 - Processor contract


Personal Data ‘Processor’ Contract

Nature & Purpose of Contract

This contract is the legal basis for the current business relationship between The Company, ‘the Controller’ (company registration number 10517458 trading as Global Steel Exports Limited) and the ‘Processor’ which involves disclosing personal information pertaining to The Company employees. This contract confirms the terms and conditions under which ‘the Processor’ is to process The Company employee personal data to protect the data protection rights and freedoms of individuals as specified by law under the General Data Protection Regulation (GDPR).

As used in this agreement, ‘Personal Information’ shall stand for ‘any’ information that can be used on its own, or together with other categories of data, to identify a natural person.

The Controller (The Company) is allowing ‘the Processor’ access to, and copies of, employee personal information for the purposes of processing employee salaries.

The ‘Processor’ must provide sufficient guarantees to the Controller, in particular in terms of expert knowledge, reliability and resources, to implement technical and organisational measures which will meet the requirements of the General Data Protection Regulation (GDPR), including for the security of processing. The adherence of the ‘Processor’ to an approved code of conduct or an approved certification mechanism, such as Cyber Essentials, may be used as an element to demonstrate compliance with the obligations of the Controller.

Personal Data being transferred to the ‘Processor’

The Personal Data categories transferred as part of this contract are:

1. Name
2. Address
3. Bank Account
4. Bank Account Sort Code
5. Bank Account Number

Global Steel Exports, 31 Greenhill Crescent, Watford Business Park, Hertfordshire, Watford WD18 8YB. Tel: +44 (0) 1923 658575 658546 Website: www.globalsteelexports.com Registration no: 10517458

Duration of Contract

The contract will continue until terminated by the Controller or the ‘Processor’ by giving 3 months’ notice.

Specific tasks and responsibilities of the ‘Processor’

To demonstrate compliance with the GDPR, the ‘Processor’ should maintain records of processing activities under its responsibility. The ‘Processor’ is obliged to cooperate with the ‘Controller’ and/or the supervisory authority (ICO) and make those records, on request, available to it, so that it might serve for monitoring those processing operations.

The ‘Processor’ shall maintain a record of all categories of processing activities carried out on behalf of a Controller, including:

a.) The name and contact details of the ‘Processor’ or ‘Processors’ and of each Controller on behalf of which the ‘Processor’ is acting, and, where applicable, of the Controller’s or the ‘Processor’s’ representative, and the data protection officer
b.) The categories of processing carried out on behalf of each Controller (Collection, Transmission, Access, Storage, Deletion, Processing, etc.)
c.) A general description of the technical and organisational security measures that are in place to protect personal information

Terms & Conditions of Contract

a.) The ‘Processor’ shall not engage another ‘Processor’ without prior specific or general written authorisation of the Controller.
b.) The ‘Processor’ must not transfer or give personal data access to a third country or an international organisation, unless required to do so by Union or Member State law to which the ‘Processor’ is subject; in such case, the ‘Processor’ shall inform the Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.

c.) The ‘Processor’ must ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
d.) Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the ‘Processor’ shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.
e.) Taking into account the nature of the processing, the ‘Processor’ assists the Controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller’s obligation to respond to requests for exercising the data subject’s access and other data protection rights.
f.) At the choice of the Controller, the ‘Processor’ must delete or return all the personal data to the Controller after the end of the provision of services relating to processing, and delete existing copies unless Union or Member State law requires storage of the personal data.
g.) The ‘Processor’ makes available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this contract and allows for and contributes to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.
h.) The ‘Processor’ must have a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
i.) The ‘Processor’ must have the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services.
j.) The ‘Processor’ must have the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.
k.) The ‘Processor’ shall notify the Controller without undue delay after becoming aware of a personal data breach.

Risks

Risks to the rights and freedoms of the data subjects

To maintain security and to prevent processing in infringement of the GDPR, the ‘Processor’ should evaluate the risks inherent in the processing and implement measures to mitigate those risks, such as encryption. Those measures should ensure an appropriate level of security, including confidentiality, taking into account the state of the art and the costs of implementation in relation to the risks and the nature of the personal data to be protected.

In assessing data security risk, consideration should be given to the risks that are presented by personal data processing, such as accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed which may lead to physical, material or non-material damage.
