1. Introduction
1.1 This Data Processing Schedule forms part of each Contract entered into between Safecall and the Customer and is subject to its terms and conditions, including the limitations and exclusions of liability, set out therein.
1.2 Definitions for capitalised terms used in this Data Processing Schedule are set out in paragraph 5.
2. Compliance with Data Protection Law
2.1 Each party shall comply with the Data Protection Law as it applies to personal data processed under this Contract. This clause is in addition to, and does not relieve, remove or replace, a party’s obligations under the Data Protection Law.
3. Data processing
3.1 The Customer and Safecall acknowledge that Safecall will perform certain processing activities, the subject matter, duration, nature and purpose of which are described more fully in the Description of Processing.
3.2 In respect of such processing activities, Safecall is the processor and the Customer is the controller save in circumstances where Safecall knows an employee’s details but withholds them from the Customer at the employee’s request, or writes a report in such a way as to protect the identity of the employee, whereby Safecall shall be regarded as an independent controller. In such circumstances, Safecall will be the controller only in respect of the employee’s name and any other data which is withheld in order to protect the employee’s identity and the remaining provisions of this paragraph 3 shall not apply.
3.3 Where the Customer is the controller, the Customer shall be responsible for establishing and maintaining the lawful basis for the processing of personal data under this Contract and shall notify Safecall, in writing on request, of the applicable lawful basis for processing.
3.4 The Customer shall be responsible for providing appropriate privacy notices to its employees in respect of the Services.
3.5 In respect of the personal data processed by Safecall as a data processor acting on behalf of the Customer under this Contract, Safecall shall:
(a) only process the personal data in accordance with the Customer’s written instructions from time to time, unless such processing is required by any law to which Safecall is subject, in which case, Safecall shall (to the extent permitted by law) inform the Customer of that legal requirement before carrying out the processing;
(b) process the personal data only to the extent, and in such a manner, as is necessary for the purposes of carrying out its obligations under this Contract;
(c) ensure that persons engaged in the processing of personal data are bound by appropriate confidentiality obligations;
(d) keep a written record of all processing activities which it carries out;
(e) implement and have in place appropriate technical and organisational measures to protect against unauthorised, unlawful or accidental processing, including accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data, such measures in each case to be appropriate to the likelihood and severity of harm to data subjects that might result from the unauthorised, unlawful or accidental processing, having regard to the state of technological development and the cost of implementing any measures, a summary of which is set out in Part 2 of the Appendix ("Security Measures"). The Customer acknowledges that the Security Measures are subject to technical progress and development and that Safecall may update or modify the Security Measures from time to time provided that such updates and modifications do not result in the degradation of the overall security of the Services;
(f) not engage any agent, sub-contractor, supplier, processor or other third party to process personal data (“sub-processor”) without the prior written consent of the Customer and ensure in such cases that prior to the processing of any personal data by the sub-processor, terms equivalent to the terms set out in this Data Processing Schedule are included in a written contract between Safecall and any sub-processor engaged in the processing of data;
(g) The Customer consents to the use of the sub-processors identified in Part 3 of the Appendix as amended from time to time in accordance with this Agreement. If Safecall wishes to add any sub-processors, it shall give the Customer not less than fourteen (14) days' prior written notice. If, prior to the expiry of this notice period, the Customer objects in writing to Safecall's appointment of the third party sub-processor on reasonable grounds relating to the protection of the personal data, then either: (i) Safecall will not appoint the sub-processor or; (ii) Safecall may elect to suspend or terminate the affected Services without penalty;
(h) comply promptly with any lawful request from the Customer requesting access to, copies of, or the amendment, transfer or deletion of the personal data to the extent the same is necessary to allow the Customer to fulfil its own obligations under the Data Protection Law, including the Customer's obligations arising in respect of a request from a data subject;
(i) notify the Customer promptly if it receives any complaint, notice or communication (whether from a data subject, competent supervisory authority or otherwise) relating to the processing, the personal data or either party's compliance with the Data Protection Law as it relates to this Contract, and provide the Customer with reasonable co-operation, information and other assistance in relation to any such complaint, notice or communication;
(j) notify the Customer promptly and at least within five (5) business days if, in its opinion, an instruction from the Customer infringes any Data Protection Law (provided always that the Customer acknowledges that it remains solely responsible for obtaining independent legal advice regarding the legality of its instructions) or Safecall is subject to legal requirements that would make it unlawful or otherwise impossible for Safecall to act according to the Customer's instructions or to comply with Data Protection Law;
(k) inform the Customer without undue delay after becoming aware that any personal data processed under this Contract has been lost or destroyed or has become damaged, corrupted, or unusable or has otherwise been subject to unauthorised or unlawful processing including unauthorised or unlawful access or disclosure;
(l) inform the Customer promptly (and in any event within two (2) business days) if it receives a request from a data subject for access to that person's personal data and shall:
(i) promptly provide the Customer with reasonable co-operation and assistance in relation to such request; and
(ii) not disclose the personal data to any data subject (or to any third party) other than at the request of the Customer or as otherwise required under this Contract;
(m) provide reasonable assistance to the Customer in responding to requests from data subjects and in assisting the Customer to comply with its obligations under Data Protection Law with respect to security, breach notifications, data protection impact assessments and consultations with supervisory authorities or regulators;
(n) delete or return that personal data to the Customer at the end of the duration of the processing as referred to in the Appendix, and at that time delete or destroy existing copies (unless otherwise required by law);
(o) subject to the requirements of commercial and client confidentiality, make available to the Customer such information as is reasonably required to demonstrate compliance with this Data Processing Schedule and, subject to any other conditions set out in this Contract regarding audit, allow for and contribute to audits, including inspections, of compliance with this Data Processing Schedule conducted by the Customer or a professional independent auditor engaged by the Customer. The following requirements apply to any audit: (i) the Customer must give a minimum thirty (30) days’ notice of its intention to audit (or such shorter period of notice as it receives itself where an audit is mandated by its regulator); (ii) the Customer may exercise the right to audit no more than once in any calendar year; (iii) commencement of the audit shall be subject to agreement with Safecall of a scope of work for the audit at least ten (10) days in advance; (iv) Safecall may restrict access to certain parts of its facilities and certain records where such restriction is necessary for commercial and/or client confidentiality; (v) the audit shall not include penetration testing, vulnerability scanning, or other security tests; (vi) the right to audit includes the right to inspect but not copy or otherwise remove any records, other than those that relate specifically and exclusively to the Customer; (vii) any independent auditor will be required to sign such non-disclosure agreement as is reasonably required by Safecall prior to the audit; and (viii) Safecall reserves the right to charge for any reasonable costs incurred in supporting any audit;
(p) provide assistance to the Customer with any data privacy impact assessments for which Safecall reserves the right to charge any reasonable costs incurred; and
(q) only transfer personal data outside the United Kingdom if such transfer is carried out in accordance with paragraph 4.
3.6 Each party agrees to indemnify and keep indemnified and defend at its own expense the other party against all costs, claims, damages or expenses (including reasonable legal fees) incurred by the other party or for which the other party may become liable due to any failure by the indemnifying party of its directors, employees or agents to comply with any of its obligations under this Data Processing Schedule.
4. International transfers
4.1 Safecall and the Customer agree that personal data will be processed within the United Kingdom unless:
(a) transferred by secure transfer to a country within the EU or the EEA with the prior written permission of the Customer to such transfer; and
(b) the processing of the personal data is compliant with this Data Processing Schedule; and
(c) the relevant transfer takes place without breach of applicable Data Protection Law; or
(d) transferred to a recipient in circumstances where Safecall is entitled to rely on a permitted derogation under Data Protection Law, which may include circumstances where (among other things) the transfer is necessary for the establishment, exercise or defence of legal claims.
4.2 Where Safecall uses a sub-processor located in a third country outside of the United Kingdom that is not an Adequate Territory, Safecall shall have the right to enter into Model Clauses with the sub-processor for and on behalf of the Customer, whether on a named or an undisclosed basis.
4.3 Where the Customer or its users are located in a third country outside of the United Kingdom that is not an Adequate Territory and requires Safecall to transfer personal data to it or them, the Customer acknowledges that Safecall may not be able to ensure that such transfer is subject to appropriate safeguards. The Customer nevertheless instructs Safecall to undertake such transfers as required for the proper delivery of the Services.
4.4 In the event that: (i) the Customer or any of its users of the Services are located in the EEA but not in the United Kingdom; and (ii) the United Kingdom, after leaving the EEA, is not designated by the European Commission as an Adequate Territory, the Model Clauses will apply to the personal data that is transferred to the United Kingdom by the Customer or any of its users in accordance with the following provisions:
(a) the Customer will be the data exporter and Safecall will be the data importer;
(b) the Customer will be deemed to have entered into the Model Clauses in its own name and on behalf of any of its Affiliates who also act as a controller in relation to personal data that is processed under this Data Processing Schedule;
(c) the governing law of the Model Clauses shall be the law of the member state of the EEA in which the data exporter is established, as determined by Data Protection Law, and clause 9 of the Model Clauses shall be deemed to have been completed accordingly;
(d) Appendix 1 of the Model Clauses shall be deemed to be completed with the details set out in the Description of Processing; and
(e) Appendix 2 of the Model Clauses shall be deemed to be completed with the summary of the Security Measures.
4.5 The parties agree that in the event of a conflict between the Model Clauses and the terms of this Data Processing Schedule or a Contract, the Model Clauses shall prevail.
5. Definitions
5.1 In this Data Processing Schedule, the following terms have the meanings given to them below, unless a contrary intention appears:
The terms controller, processor, process and data subject have the meanings given to them under Data Protection Law.
Adequate Territory means: (i) with respect to transfers from the EEA to a third country that is outside of the EEA, a territory outside of the EEA that has been designated by the European Commission as ensuring an adequate level of protection pursuant to Data Protection Law; and (ii) with respect to transfers from the United Kingdom to a third country, a territory that has been recognised by the United Kingdom as ensuring an adequate level of protection pursuant to Data Protection Laws.
Data Protection Law means: the Data Protection Act 2018, the UK GDPR, the retained EU law version of the General Data Protection Regulation ((EU) 2016/679) together with: (i) any guidance, directions, decisions, determinations, codes of practice, orders, notices or demands issued by any supervisory authority or other competent authority; (ii) any other applicable data privacy or data protection laws; and (iii) any associated binding judgments of any competent tribunal, regulatory body or court of law, each as applicable and as amended, supplemented, substituted or replaced form time to time.
Description of Processing means the description set out in Part 1 of the Appendix to this Data Processing Schedule.
European Economic Area or EEA means those member states that are subject to the Agreement on the European Economic Area dated 1 January 1994 including the member states of the European Union and Iceland, Liechtenstein and Norway.
Model Clauses means the Standard Contractual Clauses for the transfer of personal data to processors established in third countries as approved by the European Commission in Decision 2010/87/EU (available online at https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en), as such model clauses may be amended or superseded by the European Commission from time to time.
personal data has the meaning given to it in the Data Protection Law, so far as it relates to the personal data, or any part of such personal data, of which Safecall is the processor acting on the Customer's behalf and in relation to which the Customer is the controller.
Security Measures has the meaning given to it in paragraph 3.5(e).
Appendix to the Data Processing Schedule
Part 1 – Description of Processing
Subject matter of processing |
Safecall processes personal data under this Contract for the purposes of the Services specified in the Order Form. |
Duration of processing |
The duration of the processing of personal data by Safecall under this Contract is the period of this Contract and the longer of such additional period as: (i) is specified in any provisions of this Contract regarding data retention; and (ii) is required for compliance with law. Personal data shall not be processed or held for longer than is necessary to enable Safecall to provide the Services and comply with its obligations under this Contract. |
Nature of processing |
Such processing as is necessary to enable Safecall to provide the ordered Services to the Customer. This includes, but is not limited to, storage, retrieval, analysis, data collection and data transfer. |
Purpose of the processing |
The performance of Safecall’s obligations and the exercise of its rights in respect of the ordered Services. |
Personal data types |
Personal data provided to Safecall by or on behalf of the Customer or the data subjects in connection with the ordered Services. This includes, but is not limited to, the categories listed below. Against each category are the types of personal data that fall within that category. Personal Details: contact details, gender, date of birth, place of birth, marital/civil partnership status, domestic partners, dependants, disability status, emergency contact information. Position: description of current position, job title, corporate status, management category, job code, grade or level, job function(s) and subfunction(s), company name and code (legal employer entity), branch/unit/department, location, employment status and type, full-time/part-time, dates of hire/re-hire and termination date(s). System and Application Access Data: information required accessing systems and applications such as System ID, email account, instant messaging account, employee ID, system passwords, employee role, and electronic content produced by individuals using Customer systems. Financial Information: bank account number and account details. External Personal Details and Contact Information: name; address; e-mail and telephone details; gender; marital status; familial status; date of birth; place of birth, and government-issued identification number, such as Social Security number or national insurance number, tax identification number, military identification number, passport number or driver’s or other license number; employment status; passwords; activity records, such as driving records; employment history; and date and cause of death, date of entry into long term care. |
Categories of data subject |
The personal data includes, but is not limited to, the following categories of data subjects: past and present employees; past and present suppliers; past and present non-pay-rolled contractors or consultants, agency-supplied contractors or consultants and external secondees; current application end users; past application end users; individuals identified by Users; retirees; and past and present directors and officers. |
Special categories of data (if appropriate) |
Any special category personal data that may be disclosed by or on behalf of the Customer or the data subjects in the use of the ordered Services. This includes, but is not limited to, health/medically sensitive information, place of birth, criminal records, civil litigation record, sexual life (e.g., sexual orientation), race and ethnicity. |
Obligations and rights of the controller |
As set out in this Contract. |