For the purposes of this clause, Data Protection Law means the General Data Protection Regulation (EU) 2016/679, the Data Protection Act 2018, any other data protection and/or privacy laws applicable to MetrovaTech, and any applicable laws replacing, amending, extending, re-enacting or consolidating the above from time to time.
Both parties will comply with all applicable requirements of Data Protection Law. This clause is in addition to, and does not relieve, remove or replace, a party’s obligations or rights under Data Protection Law.
The Client will comply with Data Protection Law in connection with the collection, storage and processing of personal data (which shall include you providing all the required fair processing information to, and obtaining all necessary consent from, data subjects), and the exercise and performance of your respective rights and obligations under these terms and conditions, including all instructions given by the Client to Metrova Technologies and maintaining all relevant regulatory registrations and notifications as required under Data Protection Law.
The parties acknowledge that if Metrova Technologies processes any personal data on the Client’s behalf when performing its obligations under this agreement, the Client is the controller and Metrova Technologies is the processor for the purposes of Data Protection Law.
The scope, nature and purpose of processing by MetrovaTech, the duration of the processing and the types of personal data and categories of data subject are set out in our Privacy Notice and the project quotation.
In relation to the processing of personal data under these terms and conditions, Metrova Technologies shall:
-Process personal data on the Client’s behalf only on and in accordance with the Client’s documented instructions as set out in this clause 11 (as updated from time to time by agreement between the parties), unless required to do so by applicable law; in such a case, we shall inform you of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest;
-Ensure that persons authorised to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
-Implement and maintain appropriate technical and organisational measures in relation to the processing of personal data; you hereby acknowledge that you are satisfied that our processing operations and technical and organisational measures are suitable for the purposes for which you propose to use our services and engage us to process the personal data;
-Promptly refer all data subject requests we receive to you and, taking into account the nature of the processing, assist you by appropriate technical and organisational measures, insofar as this is possible, for the fulfillment of your obligation to respond to requests for exercising the data subject’s rights laid down in Chapter III of the GDPR;
-Assist you in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR, taking into account the nature of processing and the information available to us and only in the event that you cannot reasonably be expected to comply with the requirements of Articles 32 to 36 without our information and/or assistance (e.g. you do not possess or otherwise have access to the information requested). We may charge our reasonable costs on a time and materials basis in providing you with such assistance;
-Retain personal data in accordance with the retention periods set out in our Privacy Notice;
-Make available to you all information necessary to demonstrate compliance with the obligations laid down in Article 28(3) and allow for and contribute to audits, including inspections, conducted by you or another auditor mandated by you provided: (i) you give us at least 7 days prior notice of an audit or inspection being required; (ii) you give us a reasonable period of time to comply with any information request; (iii) ensuring that all information obtained or generated by you or your auditor(s) in connection with such information requests, inspections and audits is kept strictly confidential; (iv) ensuring that such audit or inspection is undertaken during normal business hours, with minimal disruption to our business; (v) no more than one audit and one information request is permitted per calendar year; and (vi) paying our reasonable costs for assisting with the provision of information and allowing for and contributing to inspections and audits;
-Take reasonable steps to ensure the reliability of anyone who we allow to have access to personal data, ensuring that in each case access is limited to those individuals who need to know or access the relevant personal data, as necessary for the purposes of the Terms; and
-Notify the Client without delay (and if possible within 24 hours) upon us or any sub-processor becoming aware of a personal data breach affecting personal data processed on the Client’s behalf, providing the Client with sufficient information to allow you to meet any obligations to report or inform data subjects of the personal data breach.
The Client hereby gives Metrova Technologies consent to engage sub-processors for processing of personal data on your behalf. We shall inform the Client before transferring any personal data processed on your behalf to a new sub-processor. Following receipt of such information you shall notify us if you object to the new sub-processor. If you do not object to the sub-processor within seven calendar days of receiving the information, you shall be deemed to have accepted the sub-processor. If you have raised a reasonable objection to the new sub-processor, and the parties have failed to agree on a solution within reasonable time, the Client shall have the right to terminate these Terms with a notice period determined by the Client, without prejudice to any other remedies available under law or contract. During the notice period, we shall not transfer any personal data processed on the Client’s behalf to the sub-processor.
Metrova Technologies shall enter into appropriate written agreements with all of its sub-processors on terms substantially similar to these Terms. We shall remain primarily liable to the Client for the performance or non-performance of the sub-processors’ obligations. Upon your request, we are obliged to provide information regarding any sub-processor, including name, address and the processing carried out by the sub-processor.
We will not transfer personal data processed on your behalf to a country outside the United Kingdom which is not recognised by the European Commission to have an adequate level of protection in accordance with Data Protection Law unless the transfer is effected by such legally enforceable mechanism(s) for transfers of personal data as may be permitted under Data Protection Laws from time to time.