Third-Party Data Privacy Addendum
Version 1.1 | May 24,2018
The following apply to all contracts (each a “Third-Party Contract”) between any Ohlson Lavoie Corporation and any subsidiaries or affiliates (each referred to as “OLC”) and any third-party supplier of products or services including all vendors and subconsultants (each a “Third-Party Contractor”):
The following defined terms shall have the following meanings:
“Applicable Data Protection Law” shall mean (a) the Data Protection Act 1998; or (b) from 25th May 2018, the GDPR (as defined below), read in conjunction with and subject to any applicable UK national legislation that provides for specifications or restrictions of the GDPR’s rules; or (c) from the date of implementation, any applicable legislation that supersedes or replaces the GDPR in the UK or which applies the operation of the GDPR as if the GDPR were part of UK national law, which may include the Data Protection Act 2018.
“GDPR” shall mean the General Data Protection Regulation (EU) 2016/679.
“personal data”, “controller”, “processor”, “data subject”, and “processing” (and other parts of the verb ‘to process’) shall have the meaning set out in the Applicable Data Protection Law.
This Third-Party Data Privacy Addendum applies only to the personal data of residents of the European Union, Switzerland and the United Kingdom.
OLC and Third-Party Contractor:
- Shall comply at all times with Applicable Data Protection Law and this Third-Party Data Privacy Addendum and shall not perform its obligations under the Third-Party Contact in such a way as to cause the other to breach any of its applicable obligations under Applicable Data Protection Law and this Third-Party Data Privacy Addendum; and
- Acknowledge that the factual arrangements between them dictates the classification of each party as a data controller or data processor.
Where Third-Party Contractor processes personal data on behalf of OLC, with respect to such processing, Third-Party Contractor shall:
- Process the personal data only in accordance with the Third-Party Contract and the documented instructions of OLC and not make any use of the personal data for its own purposes, regardless of whether or not the personal data is converted to an anonymized and/or aggregated form;
- Implement appropriate technical and organizational measures to protect the personal data against unauthorized or unlawful processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm and risk which might result from any unauthorized or unlawful processing, accidental loss, destruction or damage to the personal data and having regard to the nature of the personal data which is to be protected and shall include inter alia as appropriate:
- The pseudonymization and encryption of the personal data;
- The ability to ensure the ongoing confidentiality, integrity, availability and resilience of systems and services processing the personal data;
- The ability to restore the availability and access to the personal data in a timely manner in the event of a physical or technical incident; and
- A process for regular testing, assessing and evaluating the effectiveness of technical and organization measures for ensuring the security of any processing;
- Only permit the personal data to be processed by persons who are bound by enforceable obligations of confidentiality and take steps to ensure such persons only act on Third-Party Contractor’s instructions in relation to the processing;
- Not transfer personal data outside of the European Economic Area without the prior written consent of OLC and where OLC consents to such transfer warrants that the transfer shall be made in such a way as to ensure that the level of protection offered to natural persons by the Applicable Data Protection Law is not undermined;
- Obtain prior written consent from OLC in order to transfer the personal data to any agents, subcontractors, affiliates or any other third parties and where OLC consents, Third-Party Contractor shall:
- Ensure that any such agents, subcontractors, affiliates or other third parties are subject to, and contractually bound by, at least the same obligations as Third-Party Contractor under this Third-Party Data Privacy Addendum;
- Provide to OLC copies of any documentation to demonstrate compliance with the obligations in this Third-Party Data Privacy Addendum; and
- Remain fully liable to OLC for all acts and omissions of any agents, subcontractors, affiliates or third parties;
- Promptly alert and inform OLC of a personal data breach (including, but not limited to, any unauthorized or unlawful processing, loss of, damage to or destruction of personal data) suffered by Third-Party Contractor or by any agents, subcontractors, affiliates or third parties to which personal data has been transferred and provide all necessary cooperation and assistance to enable OLC to comply with its obligations under Applicable Data Protection Law and to reduce the impact of the incident on its business operations and reputation. Third-Party Contractor shall not inform any third party of the personal data breach without first obtaining OLC’s prior written consent, except when law or regulation requires it;
- Permit OLC (subject to reasonable and appropriate confidentiality undertakings and to inspect and audit Third-Party Contractor’s data processing activities to enable OLC to verify and/or procure that Third-Party Contractor is complying with its obligations under this Third-Party Data Privacy Addendum;
- On OLC’s request, assist OLC to respond to requests from data subjects who are exercising their rights under Applicable Data Protection Law (having obtained OLC’s consent to do so) and forward to OLC all communications it receives from third-parties relating to the processing of any personal data which suggests non-compliance by OLC and / or Third-Party Contractor with Applicable Data Protection Law and not do anything or enter into any communication with such third party unless expressly authorized to do so by OLC or required by applicable law;
- On OLC request, assist OLC to comply with OLC’s obligations pursuant to Articles 32-36 of the GDPR (or such corresponding provisions of the Applicable Data Protection Legislation), comprising (if applicable): (a) notifying a supervisory authority that Third-Party Contractor has suffered a data breach; (b) communicating a data breach to an affected individual; (c) carrying out an impact assessment; and (d) where required under an impact assessment, engaging in prior consultation with a supervisory authority;
- Unless applicable law requires otherwise, upon termination of the agreement at the option of OLC comply or procure compliance with the following (i) delete all personal data provided by OLC to Third-Party Contractor permanently, safely and securely and provide OLC with a certificate of destruction; and/or (ii) return to OLC all personal data and any other information provided by OLC to Third-Party Contractor; and (iii) cease to process the personal data; and
- Indemnify and keep indemnified OLC against all losses, costs, expenses, damages, liabilities, demands, claims, actions or proceedings which OLC may incur or suffer, including fines or penalties awarded against it by the relevant data protection regulator, as a result of any breach of any of the obligations set out in this Third-Party Data Privacy Addendum.
- OLC retains all rights, title and interest in the personal data including any amendments or alterations to such personal data made by Third-Party Contractor or on Third-Party Contractor’s behalf.
5.0 PROCESSING PARTICULARS
Third-Party Contractor acknowledges that the factual description of the subject-matter, duration of the processing, the nature and purpose of the processing, the type of personal data and the categories of data subjects (the “Processing Particulars”) are as set out in the Third-Party Contract. Third-Party Contractor will notify OLC if the Processing Particulars are not set out in the Third-Party Contract to a reasonably satisfactory level of detail (taking into consideration any applicable regulatory guidance available from time to time).
6.0 CHANGES TO THIS POLICY
As we strive to improve our practices, we may review OLC’s Third-Party Data Privacy Addendum from time to time. We reserve the right to change this policy at any time and to notify you of those changes by posting an updated version of this policy on our website. It is your responsibility to check our policy each time before you access our website for any changes.
For questions about this Third-Party Data Privacy Addendum, please contact us by email at firstname.lastname@example.org or by mail to Ohlson Lavoie Corporation, 1401 Zuni Street, Suite 102, Denver, CO 80204; Attention: Corporate Compliance Officer.