General Data Protection Regulation (GDPR)
Overview and Status – Data Processor
The European Union’s General Data Protection Regulation (GDPR) protects individuals’ fundamental rights to privacy and to the protection of their personal data. It introduces robust requirements that raise the standards for the protection of personal data, security, and compliance. The UK is passing a new Act to implement all the requirements of GDPR in UK law; this will continue in force even if the UK ceases to be a member of the EU.
This statement focuses on the application of the GDPR to Stickman Technology’s products and services, which are supplied on a business-to-business basis. A full internal review of general data protection has also been completed. Should you require any further information, please contact our Privacy Officer at GDPR@stickman.co.uk.
GDPR distinguishes between a “controller”, which “determines the purposes and means of the processing of personal data”, and a “processor”, which processes personal data only under the direct instruction of a controller. A detailed assessment has been carried out by Stickman Technology and its consultants, concluding that the Company is a processor in its business activities, with its business customers being controllers. KPMG reviewed the analysis. As a controller, you should therefore include your use of Stickman products within your own GDPR compliance arrangements.
We have carried out a review of the underlying processes and data security of the MESH platforms, and made appropriate enhancements so that they conform to the requirements of GDPR. We have completed documentation of this, implemented an appropriate structure of policies and procedures, and updated our standard contracts to provide full GDPR compliance. The updated elements that form our Data Protection Schedule are detailed below.
SCHEDULE F DATA PROTECTION
1.0 Definitions
In this Schedule the definitions in the Agreement shall apply and the following expressions shall have the following meanings:
(a) “Controller” means the entity that determines the purposes and means of the Processing of Personal Data.
(b) “Data Protection Impact Assessment” means a process to help identify and minimise the data protection risks of a project.
(c) “Data Protection Legislation” means all laws and regulations, including laws and regulations of the European Union, the European Economic Area and their member states, applicable to the Processing of Personal Data under the Agreement.
(d) “GDPR” means the General Data Protection Regulation (Regulation (EU) 2016/679 of the European Union).
(e) “Personal Data” means any information relating to an identified or identifiable natural person (a “Data Subject”).
(f) “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.
(g) “Process”, “Processes” and “Processing” mean any operation or set of operations which is performed upon Personal Data, whether or not by automated means, such as collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.
(h) “Processor” means the entity which Processes Personal Data on behalf of the Controller.
(i) “Subject Access Request” means a written request from an individual for access to the Personal Data held about them.
(j) “Sub-Processor” means a Processor engaged by another Processor for carrying out specific Processing activities on behalf of the Controller.
2.0 Processing of Personal Data
2.1 Roles of the Parties
(a) The parties acknowledge and agree that (to the extent applicable) Licensor acts as a Processor with respect to Personal Data and the Licensee acts as the Controller of the Personal Data.
(b) Licensee has engaged Licensor to provide certain services as detailed in the Agreement.
2.2 Licensee’s Processing of Personal Data – General Obligations
Licensee shall:
(i) comply with Data Protection Legislation and ensure that any instructions it issues to Licensor shall comply with Data Protection Legislation;
(ii) have sole responsibility for:
– the accuracy, quality, and legality of Personal Data;
– the means by which Licensee acquired Personal Data; and
– establishing the legal basis for Processing under Data Protection Legislation.
3.0 Act on the Written Instruction of the Controller
Licensor’s Processing of Personal Data – General Obligations
Where Licensor Processes Personal Data as a Processor, it shall comply with Data Protection Legislation as it applies to Licensor as a Processor, and it shall Process Personal Data only as required by law or in accordance with Licensee’s instructions as detailed in the Agreement or as supplemented by the parties’ mutual written agreement.
4.0 People Processing the Data are Subject to a Duty of Confidence
Licensor shall ensure that its personnel engaged in the Processing of Personal Data are informed of the confidential nature of the Personal Data and are subject to binding confidentiality obligations.
5.0 Technical and Organisational Measures
5.1 Licensor shall take appropriate technical and organisational measures to protect the confidentiality, integrity, availability and resilience of Licensor systems which are involved in Processing.
5.2 Licensee shall take appropriate technical and organisational measures to protect the security of the Personal Data, including ensuring that Personal Data is securely transferred to Licensor.
6.0 Licensor Processors and Sub-Processors
6.1 Appointment of Processors and Sub-Processors
Licensee acknowledges and agrees that:
(a) Licensor may engage Sub-Processors in connection with the provision of the Services; and
(b) such Sub-Processors may include affiliates of Licensor.
6.2 Sub-Processing Agreement
Licensor shall ensure that its contract with any Sub-Processor imposes on the Sub-Processor obligations that are equivalent to the obligations to which Licensor is subject under this Schedule.
6.3 Role for Sub-Processors
Licensor uses Sub-Processors for the purpose of providing servers to store Personal Data and to provide resilience in the event of systems failure or disruption of communication. Sub-Processors are assessed for conformity with our policy, or are required to accept compliance with our policy.
6.4 Responsibility for Sub-Processors
Licensor shall be responsible and liable for the acts, omissions or defaults of its Sub-Processors in the performance of obligations under this Schedule or otherwise as if they were Licensor’s own acts, omissions or defaults.
7.0 Subject Access Requests and Similar Assistance
7.1
(i) Licensor shall provide such commercially reasonable assistance as the Licensee may reasonably request to help the Licensee fulfil its obligations under Data Protection Legislation to respond to Subject Access Requests or otherwise; and
(ii) Licensee shall be responsible for any reasonable costs arising from Licensor’s provision of such assistance.
7.2 Licensor shall make reasonable efforts to provide Licensee with all information it reasonably requires to enable it to comply with Data Protection Legislation. Licensor may charge for any reasonable cost arising from providing information which would not normally be requested for this purpose or for repeated requests.
7.3 Licensor shall make reasonable efforts to keep Licensee informed in a timely manner of any occurrence which might impact Licensee’s compliance with Data Protection Legislation.
8.0 Security of Processing, Notification of Breaches and Data Protection Impact Assessments
8.1 Licensor shall promptly notify Licensee upon becoming aware of the occurrence of a Personal Data Breach and provide Licensee with the following information as it becomes available:
(i) a description of the nature of the Personal Data Breach, including where possible the categories and approximate number of Data Subjects concerned; and
(ii) a description of the measures taken or proposed to be taken to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.
8.2 Licensee shall promptly notify Licensor upon becoming aware of the occurrence of a Personal Data Breach involving Licensor, or Licensor’s systems or facilities, personnel, Processors or Sub-Processors.
8.3 Each party will be separately responsible for assessing the need to undertake, and the completion of, any Data Protection Impact Assessment, including any consultation with a regulator, under Articles 35 and 36 of the GDPR or otherwise in respect of its use or provision of the Services.
9.0 Return / Deletion of Licensee Data
On termination of the Agreement for any reason, or upon written request from Licensee at any time, Licensor shall cease Processing any Personal Data, and (at Licensee’s direction) return to Licensee or delete (in accordance with Licensor’s document retention and deletion policies), any Personal Data in Licensor’s possession or control, except as required by law or as required in order to defend any actual or possible legal claims.
10.0 Audits and Requests for Information and Assistance
Licensee may audit Licensor’s compliance with its obligations under this Schedule, subject to the following requirements:
(a) the audit shall be undertaken by a reputable organisation active in the relevant type of work and shall follow the scope and methods normally used for an audit of that type;
(b) Licensee may perform such audits once per calendar year, or more frequently where required by law;
(c) nothing in this clause 10.0 shall require Licensor to breach any duties of confidentiality owed to any of its licensees or employees; and
(d) all audits are at Licensee’s sole cost and expense. Any request for Licensor’s assistance requiring the use of resources different from or in addition to those required for provision of the Services will be considered an additional service for which reasonable additional fees may be charged.
Schedule 1 – Services, Processing, Personal Data, and Data Subjects
The Services are as set out in the Agreement.
The Processing will be carried out for the following categories of data subject
The Personal Data processed concern the following type and categories:
Licensor will, depending on the scope of its engagement, Process the Personal Data to perform the Services and to comply with its statutory and regulatory obligations. This will involve, among other things, the collection, storage, analysis, retrieval, and transmission of Personal Data. Licensor will also maintain back-up copies of the Personal Data to provide operational resilience, and will destroy all copies of the data in accordance with the provisions of the Agreement.