GDPR May 2018

on Friday, 25 May 2018. Posted in blog

Creative Telecoms GDPR Statement 2018

Dear Partner & Perspective Clients

As we are sure you are aware, the General Data Protection Regulation 2016/679 (“GDPR”) will become effective on the 25th May 2018.

One of the requirements of the GDPR is that contracts between suppliers and customers under which the supplier processes personal data on behalf of the customer contain certain rights and obligations of the parties in relation to such processing, as well as a description of the processing conducted by the supplier.

To comply with such requirement, Creative Telecoms is hereby modifying the contract with you by replacing any prior standard provisions related to data protection in your agreement with Creative Telecoms with the attached GDPR compliant data protection clause. If your agreement with Creative Telecoms does not contain any relevant data protection clause, then the attached clause will be deemed a new clause under such agreement. Note that, unless we hear from you otherwise within the next 5 working days, this modification/addition shall be deemed accepted, and will be effective as of the 25th May 2018.

If Creative Telecoms has recently agreed a separate GDPR compliant data protection addendum or contract modification with you, then this email and its contents are not applicable to you.

Data Protection Clause

[X] DATA PROTECTION

1.1 For the purposes of this clause:
1.1.1 “Applicable Data Protection Legislation” shall mean (a) the Data
Protection Act 1998; or (b) from 25th May 2018, the GDPR, read in
conjunction with and subject to any applicable UK national legislation that
provides for specifications or restrictions of the GDPR’s rules; or (c) from the
date of implementation, any applicable legislation that supersedes or
replaces the GDPR in the UK or which applies the operation of the GDPR as
if the GDPR were part of UK national law, which may include the Data
Protection Act 2018;
1.1.2 “Customer” shall mean the entity contracting with Creative Telecoms as identified in
the agreement between such customer and Creative Telecoms;
1.1.3 “Creative Telecoms” shall mean the Creative Telecoms entity identified in the agreement with the
Customer;
1.1.4 “GDPR” shall mean the General Data Protection Regulation (EU) 2016/679; and
1.1.5 “Personal Data”, “Data Controller”, “Data Processor”, “Data Subject”, and
“processing” (and other parts of the verb ‘to process’) shall have the
meaning set out in the Applicable Data Protection Legislation.
1.2 Each party shall comply at all times with its respective obligations under the provisions
of the Applicable Data Protection Legislation and shall not perform its obligations under
this Agreement in such a way as to cause the other to breach any of its applicable
obligations under Applicable Data Protection Legislation.
1.3 Creative Telecoms processes Personal Data on behalf of the Customer as
described in the Product Related Privacy Notice and for such purposes Creative Telecoms is the
Data Processor and the Customer is the Data Controller. In connection with such
processing Creative Telecoms shall:
1.3.1 process the Personal Data only on documented instructions from the
Customer and in accordance with this Agreement;
1.3.2 ensure that persons authorised to process the Personal Data have
committed themselves to confidentiality or are under an appropriate statutory
obligation of confidentiality and take steps to ensure that such persons only
act on Creative Telecoms’ instructions in relation to the processing;
1.3.3 implement appropriate technical and organisational measures to protect the
Personal Data against unauthorised or unlawful processing and against
accidental loss, destruction, damage, alteration or disclosure. These
measures shall be appropriate to the harm and risk which might result from
any unauthorised or unlawful processing, accidental loss, destruction or
damage to the Personal Data and having regard to the nature of the Personal
Data which is to be protected (and the Customer shall notify Creative Telecoms
immediately if the nature of such Personal Data changes in a material way);
1.3.4 remain entitled to appoint third party sub-processors. Where Creative Telecoms
appoints a third party sub-processor, it shall, with respect to data protection
obligations:
(a) ensure that the third party is subject to, and contractually bound by,
at least the same obligations as Creative Telecoms; and
(b) remain fully liable to the Customer for all acts and omissions of the
third party;
1.3.5 in addition to the sub-processors engaged pursuant to clause 1.3.4 above,
be entitled to engage additional or replacement sub-processors, subject to:
(a) the provisions of clause 1.3.4 above being applied; and
(b) Creative Telecoms notifying the Customer of the additional or replacement
sub-processor,
and where the Customer objects to the additional or replacement sub-processor,
the parties shall discuss the objection in good faith;
1.3.6 not transfer Personal Data outside of the UK / European Economic Area
except where such transfer is made in such a way as to ensure that the level
of protection offered to natural persons by the Applicable Data Protection
Law is not undermined;
1.3.7 assist the Customer to respond to requests from Data Subjects who are
exercising their rights under the Applicable Data Protection Legislation;
1.3.8 notify the Customer without undue delay after becoming aware that it has
suffered a Personal Data breach and shall not inform any third party of the
Personal Data breach without first obtaining the Customer’s prior written
consent, except when law or regulation requires it;
1.3.9 on the Customer’s reasonable request, assist the Customer to comply with
the Customer’s obligations pursuant to Articles 32-36 of the GDPR (or such
corresponding provisions of the Applicable Data Protection Legislation),
comprising (if applicable): (a) notifying a supervisory authority that Creative Telecoms
has suffered a Personal Data breach; (b) communicating a Personal Data
breach to an affected individual; (c) carrying out an impact assessment; and
(d) where required under an impact assessment, engaging in prior
consultation with a supervisory authority;
1.3.10 unless applicable law requires otherwise, upon termination of the
Agreement, at the option of the Customer comply or procure compliance with
the following (i) delete all personal data provided by the Customer to Creative Telecoms
and/or (ii) return to the Customer all Personal Data provided by the Customer
to Creative Telecoms; and
1.3.11 not more than once in any 12 month period and on reasonable notice, of at
least twenty (20) business days, permit the Customer (subject to reasonable
and appropriate confidentiality undertakings), to inspect and audit Creative Telecoms’
data processing activities to enable the Customer to verify and/or procure
that Creative Telecoms is complying with its obligations under this clause.
1.4 Each party may collect, store and process contact Personal Data (such as name, work
email address, telephone/mobile work number, and work address) of the other party
and/or its employees for the purposes of the performance of this Agreement, and such
collection and/or processing shall be carried out in accordance with such party’s privacy
policy.

© Creative Telecoms 2018. All rights reserved.