Make it Happen Signage Consultancy Ltd

Privacy & Data Protection Policy

Definitions

“Company” refers to “Make it Happen Signage Consultancy Ltd”, a company incorporated under the laws of England and Wales with company number 10030579 and/or any of its associated or subsidiary companies.

“Customer” refers to the person or firm entering into the Contract with the Company as set out in the Order.

Extract from General Terms & Conditions

7. Privacy & Data Protection

7.1 The following definitions apply in this clause:

7.1.1 Controller, Processor, Data Subject, Personal Data, Personal Data Breach, processing and appropriate technical and organisational measures: as defined in the Data Protection Legislation.

7.1.2 Data Protection Legislation: all applicable data protection and privacy legislation in force from time to time in the UK including the retained EU law version of the General Data Protection Regulation ((EU) 2016/679) (UK GDPR); the Data Protection Act 2018 (and regulations made thereunder) and the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426) as amended.

7.1.3 Domestic Law: the law of the United Kingdom or a part of the United Kingdom.

7.2 Both parties will comply with all applicable requirements of the provisions of Data Protection Legislation. This clause is in addition to, and does not relieve, remove or replace, a party’s obligations under the Data Protection Legislation.

7.3 The parties acknowledge that for the purposes of the Data Protection Legislation, the Customer is the Controller and the Company is the Processor.

7.4 Without prejudice to the generality of the provisions of clause 7.2 above, the Customer will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the Personal Data to the Company for the duration and purposes of the Contract.

7.5 Without prejudice to the generality of the above provisions in clause 7.2, the Company shall, in relation to any Personal Data processed in connection with the performance by the Company of its obligations under the Contract:

7.5.1 process that Personal Data only on the written instructions of the Customer unless the Company is required by Domestic Law to otherwise process that Personal Data. Where the Company is relying on Domestic Law as the basis for processing Personal Data, the Company shall promptly notify the Customer of this before performing the processing required by the Domestic Law unless the Domestic Law prohibits the Company from so notifying the Customer;

7.5.2 ensure that it has in place appropriate technical and organisational measures, reviewed and approved by the Customer, to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction of or damage to and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymising and encrypting Personal Data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it);

7.5.3 ensure that all personnel who have access to and/or process Personal Data are obliged to keep the Personal Data confidential; and

7.5.4 not transfer any Personal Data outside of the UK unless the prior written consent of the Customer has been obtained and the following conditions are fulfilled:

7.5.4.1 the Customer or the Company has provided appropriate safeguards in relation to the transfer;

7.5.4.2 the Data Subject has enforceable rights and effective legal remedies;

7.5.4.3 the Company complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred; and

7.5.4.4 the Company complies with reasonable instructions notified to it in advance by the Customer with respect to the processing of the Personal Data;

7.5.4.5 assist the Customer, at the Customer’s cost, in responding to any request from a Data Subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators;

7.5.4.6 notify the Customer without undue delay on becoming aware of a Personal Data Breach;

7.5.4.7 at the written direction of the Customer, delete or return Personal Data and copies thereof to the Customer on termination of the Contract unless required by Domestic Law to store the Personal Data; and

7.5.4.8 maintain complete and accurate records and information to demonstrate its compliance with this clause 7.

7.6 The Customer consents to the Company appointing the Company’s nominated agent providing software for the Services as a third-party processor of Personal Data under the Contract. The Company confirms that it has entered or (as the case may be) will enter with the third-party processor into a written agreement substantially on that third party’s standard terms of business. As between the Customer and the Company, the Company shall remain fully liable for all acts or omissions of any third-party processor appointed by it pursuant to this clause 7.6.

7.7 Either party may, at any time on not less than 30 days’ notice, revise this clause 7 replacing it with any applicable controller to processor standard clauses or similar terms adopted by the Information Commissioner or forming part of an applicable certification scheme (which shall apply when replaced by attachment to the Contract).