CBS Solutions LTD (CBS) and “Customer” have entered into a Data Processing Agreement (“Agreement”) for the provision of CBS Services, in the context of which, CBS may process Personal Data.
The purpose of this Data Processing Agreement is to set out the data processing requirements that apply to the provision of CBS Services and ensure that Customer and CBS comply with Data Protection Laws.
In this Data Processing Agreement, the following definitions apply:
“Data Controller”, “Data Processor”, “Data Subjects”, “Personal Data” and “Personal Data Breach” shall have the meanings ascribed to them in the EU General Data Protection Regulation (Regulation 2016/679) (“GDPR”).
“Data Protection Laws” means the provisions of applicable laws regulating the use and processing of data relating to persons, as may be defined in such provisions, including a) prior to 25 May 2018, the EU Data Protection Directive 95/46/EC, b) after 25 May 2018 the GDPR, c) the Electronic Communications Data Protection Directive 2002/58/EC, the Privacy and Electronic Communications (EC Directive) Regulations 2003 and d) all other applicable laws and regulations relating to processing of personal data.
“Services” means the CBS Services to be provided to Customer under the Agreement and any applicable service schedules attached thereto.
2. Compliance with Data Protection Laws
2.1. CBS and Customer agree that Customer is an independent Data Controller with respect to the processing of Personal Data which is necessary for the operation of the Services, and CBS is an independent Data Controller with respect to the processing of billing, utilisation, usage/patterns/counts/statistics, traffic data and other Customer account related information (to the extent it is Personal Data) which is necessary for CBS’s performance of its obligations under the Agreement, or with respect to any Personal Data held for general business purposes.
2.2. CBS and Customer shall each comply at all times with its obligations under Data Protection Laws in respect of any Personal Data processed by it under the Agreement and any service schedules attached thereto.
3. Data Processing
3.1. CBS acknowledges that it is a Data Processor on behalf of the Customer for the purposes of providing Services and performing its related obligations (including incident resolution, support or consultancy services).
3.2. In so far as CBS processes Personal Data on behalf of Customer as a Data Processor, CBS will (and will procure that CBS affiliates will):
3.2.1. Only process Personal Data in accordance with the Customer’s documented instructions, including as set out in the Agreement and this Data Processing Agreement and ensure that CBS personnel process Personal Data only on such instructions of the Customer, unless processing is required by EU or member state law to which CBS are subject, in which case CBS shall, to the extent permitted by such law, inform Customer of that legal requirement before processing that Personal Data;
3.2.2. Restrict the disclosure and processing of Personal Data to the extent necessary to provide the Services, or as otherwise permitted under the Agreement and this Data Processing Agreement, or by Customer in writing, and only disclose Personal Data on a need to know basis in connection with the Services to those who have committed themselves to confidentiality, or as required by applicable law;
3.2.3. Taking into account the state of the art, costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, implement and maintain appropriate technical and organisational measures designed to protect Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, and against all other unlawful forms of processing and ensure a level of security appropriate to the risk presented by the processing;
3.2.4. Ensure that only those personnel who need to have access to Personal Data are granted access to it, and that such access is granted only for the proper provision of the Services; and
3.2.5. If and to the extent CBS retains a copy of any Personal Data, not retain that Personal Data for longer than is necessary to perform the Services and at Customer’s option, securely destroy or return such Personal Data, except where required to retain the Personal Data by law or regulation. The parties agree that CBS shall not actively process such Personal Data and shall be bound by the provisions of this Data Processing Agreement in respect of any such retained Personal Data. CBS shall delete such data promptly after it ceases to be obliged to retain it and shall only process it to the extent required to comply with applicable laws.
The Customer generally authorises CBS to appoint sub-processors in accordance with any restrictions in this Data Processing Agreement.
4.1. Prior to disclosing any Personal Data to any sub-processor, CBS shall ensure that it has undertaken appropriate due diligence in respect of such sub-processor and shall ensure the sub-processor enters into a written agreement on terms which provide that the sub-processor has equivalent obligations to those set out in this Data Processing Agreement. CBS shall remain fully liable to Customer for any breach of such obligations by the sub-processor.
4.2. CBS shall maintain an up to date list of its sub-processors and shall inform Customer with details of any intended change in sub-processors at least 30 days prior to any such change. The Customer may object to CBS’s appointment or replacement of a sub-processor prior to its appointment or replacement, provided such objection is based on reasonable grounds relating to data protection. In such event, CBS will either not appoint or replace the sub-processor or, if this is not possible, the Customer may terminate the applicable Service (without prejudice to any fees incurred by the Customer prior to termination). CBS shall not use such sub-processor until any such objections are resolved or the Customer has terminated the Agreement.
5.1. CBS shall, insofar as is possible, promptly notify Customer of any enquiry, complaint notice or other communication it receives from any supervisory authority, or from any Data Subject relating to the Services (including any requests to access, correct, delete, block or restrict access to their Personal Data or receive a machine-readable copy thereof) and, insofar as is possible and to the extent technically feasible, assist Customer with its obligation to respond to any notification or Data Subject rights request in accordance with the timescales set out in the Data Protection Laws.
5.2. If Customer reasonably believes that CBS’s processing of Personal Data is likely to result in a high risk to the data protection rights and freedoms of Data Subjects, CBS shall, on request from Customer, assist Customer in connection with any data protection impact assessment and prior consultation, which may be subject to additional fees and terms, that may be required under Data Protection Laws, taking into account the nature of the processing and the information available to CBS.
6. Breach Reporting
CBS shall notify Customer without undue delay after becoming aware of any Personal Data Breach involving Personal Data Processed on behalf of the Customer using the Services, and thereafter co-operate with Customer and provide assistance as may be reasonably required by Customer in the investigation, remediation and mitigation of such breach. CBS shall provide reasonable assistance to Customer in respect of any breach reporting obligations Customer may have, and provide such additional information relating to such breach as Customer may reasonably require.
CBS will maintain all information necessary to demonstrate compliance with its obligations laid down in this Data Processing Agreement and a written record of all processing of Personal Data on behalf of Customer and, upon reasonable request, grant Customer and its auditors and agents a right of access to and to take copies of records relating to compliance and all processing of such Personal Data on behalf of Customer in order to assess whether CBS has complied with its obligations in respect of the processing of Personal Data.
CBS shall not transfer any Personal Data outside the EEA except to the extent authorised by Customer as follows:
8.1. If, after the date of this Data Processing Agreement, CBS (or any affiliate or any sub-contractor) proposes to transfer any Personal Data outside the EEA, CBS (or any affiliate or any sub-contractor) shall obtain Customer’s consent prior to such transfer, which consent may be conditional upon the relevant parties having entered into an agreement that ensures that Personal Data is accurately protected as required by the Data Protection Laws.
9. Future Amendments
The parties may amend this Data Processing Agreement at any time during the term of the Agreement by written agreement if necessary to comply with any legal requirement or guidance from a supervisory authority, or if required to take account of any changes to the processing of Personal Data pursuant to the Agreement.