Start your digital transformation process with TES today.
Whether you’d like to arrange an informal chat, a free demo or discuss a potential project, our team of charity and not-for-profit digital transformation experts are always on hand.
This Schedule sets out the additional terms, requirements, and conditions on which TES will process personal data when providing the Services under this Agreement. This Agreement contains the mandatory clauses required by Article 28(3) of the General Data Protection Regulation ((EU) 2016/679) for contracts between controllers and processors.
The table below sets out the subject-matter, nature and purpose, duration of the processing, the type(s) of personal data being processed, and the categories of data subjects, as required by Article 28(3) of the General Data Protection Regulation ((EU) 2016/679), as well as details of any third-party processors already engaged by TES on the Commencement Date of the Agreement (the “Table”):
|Data Processing Details|
|Subject-matter||The provision of services as detailed in the Sales Order Form and Project Documentation relating to the Services and Deliverables and the administration of them.|
|Nature and purpose||Except for the administration of the contract with the Customer, the processing of personal data is entirely incidental to the service provision by TES and is limited to storage and authorised disclosure. No access or changes to, or other processing of any personal data is carried out as part of the service provision other than as may be required on the Customer’s specific written instructions.|
|Duration||For the duration of service provision. Data is automatically deleted following termination of the Master Services Agreement in accordance with its terms.|
|Types of personal data||(1) Customer employee contact information for the administration of the contact. (2) As may be included by the Customer in any uploaded data. TES have no control over or visibility of this information.|
|Categories of Data Subject||(1) Customer employee administrative contacts. (2) As may be included by the Customer in any uploaded data. TES have no control over or visibility of this information.|
|Third Party Processors||[TBC]. Please see clause 5.3 below regarding TES’s obligations in relation to sub-processors.|
“Applicable Laws”: the law of the European Union (for so long as and to the extent that they apply to the Data Processor), the law of any member state of the European Union and/or the UK Data Protection Legislation and any other law that applies in the UK.
“controller”, “processor”, “data subject”, “personal data”, “personal data breach”, “processing” and “appropriate technical and organisational measures”: as defined in the Data Protection Legislation.
“Data Protection Legislation”: the UK Data Protection Legislation and any other European Union legislation relating to personal data and all other legislation and regulatory requirements in force from time to time which apply to a party relating to the use of personal data (including, without limitation, the privacy of electronic communications); and the guidance and codes of practice issued by the relevant data protection or supervisory authority and applicable to a party.
“UK Data Protection Legislation”: all applicable data protection and privacy legislation in force from time to time in the UK including the General Data Protection Regulation ((EU) 2016/679); the Data Protection Act 2018; the Privacy and Electronic Communications Directive 2002/58/EC (as updated by Directive 2009/136/EC) and the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426) as amended.
For the purposes of this Schedule, the Customer will be referred to as the “Data Controller”, and TES will be referred to as the “Data Processor”.
The parties acknowledge that for the purposes of the Data Protection Legislation, the Data Controller is the controller and the Data Processor is the processor. The Table sets out the scope, nature and purpose of processing by the Data Processor, the duration of the processing and the types of personal data and categories of Data Subject.
Without prejudice to the generality of Clause 1.1, the Data Controller will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the personal data to the Data Processor and/or lawful collection of the personal data by the Data Processor on behalf of the Controller for the duration and purposes of this Agreement.
Without prejudice to the generality of Clause 1.1, the Data Processor shall, in relation to any personal data processed in connection with the performance by the Data Processor of its obligations under this Agreement:
where, in all cases, the Data Processor complies with reasonable instructions notified to it in advance by the Data Controller with respect to the processing of the personal data;
5.1 The Data Controller acknowledges and consents to the appointment on the Commencement Date by the Data Processor of the third parties listed in the Table as sub-processors of the personal data being processed under this Agreement.
5.2 The Data Processor confirms that: (a) it shall impose on all sub-processors the same data protection obligations as set out in clauses 1, 4, and 5; and (b) such sub-processors as referred to in clause 5.1 are common to all customers of the Data Processor and the Data Processor shall remain fully liable for the actions of its sub-processors at all times.
5. 3 The Data Processor shall give the Data Controller prior notice of the appointment of any new sub-processors and provide the Data Controller with full details of the processing to be undertaken by the sub-processor, thereby giving the Data Controller the opportunity to object to such appointment. If the Data Processor so notifies the Data Controller of any changes to sub-processors and the Data Controller objects to such changes, the Data Controller will be entitled to terminate this Agreement (without liability for either party, and such termination will be deemed to be a no-fault termination) if the Data Controller has reasonable grounds for objecting to such changes by reason of the changes causing, or being likely to cause, the Data Controller to be in breach of the Data Protection Legislation.