Bid Solutions
Data Processing Addendum
BACKGROUND
This Data Processing Addendum (DPA) sets out the additional terms, requirements and conditions on which Bid Solutions will process personal data on behalf of the Customer when providing Vendor Match & Compare and Job Advertising services. In the event of any conflict between the terms of this DPA and any Agreement governing the provision of these services, the terms of the relevant Agreement shall prevail.
AGREED TERMS
1.1 In this Data Processing Addendum defined terms shall have the same meaning, and the same rules of interpretation shall apply, as in the Agreement. In addition, in this DPA the following definitions have the meanings given below:
|
Agreement |
as applicable the Job Advertising and/or Vendor Match & Compare terms and conditions under which Bid Solutions has agreed to provide services to the Customer. |
|
means: (a) To the extent the UK GDPR applies, the law of the United Kingdom or of a part of the United Kingdom which relates to the protection of personal data. (b) To the extent the EU GDPR applies, the law of the European Union or any member state of the European Union to which Bid Solutions is subject, which relates to the protection of personal data. |
|
|
means: (a) To the extent the UK GDPR applies, the law of the United Kingdom or of a part of the United Kingdom. (b) To the extent EU GDPR applies, the law of the European Union or any member state of the European Union to which Bid Solutions is subject. |
|
|
any personal data included in Customer Data. |
|
|
the General Data Protection Regulation ((EU) 2016/679). |
|
|
Privacy Policy |
Bid Solutions’ Privacy Policy as set out in the document or documents made available by Bid Solutions online via the link provided and as varied from time to time. |
|
the purposes for which the Customer Personal Data is processed, as set out in Annex A. |
|
|
Sub-processor List |
Bid Solutions’ current list of sub-processors as set out in the document or documents made available by Bid Solutions online via the link provided and as varied from time to time. |
|
has the meaning given to it in the Data Protection Act 2018. |
1.2 The terms controller, processor, data subject, personal data, personal data breach and processing shall have the meaning given to them in the UK GDPR.
2.1 Both parties will comply with all applicable requirements of Applicable Data Protection Laws. This clause 2 is in addition to, and does not relieve, remove or replace, a party's obligations or rights under Applicable Data Protection Laws.
2.2 The parties have determined that, for the purposes of Applicable Data Protection Laws Bid Solutions shall process the Customer Personal Data as a processor on behalf of the Customer;
2.3 Should the determination in clause 2.2 change, then each party shall work together in good faith to make any changes which are necessary to this clause 2, the Privacy Policy or Annex A.
2.4 Without prejudice to the generality of clause 2.2, the Customer will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of Customer Personal Data to Bid Solutions and lawful collection of the same by Bid Solutions for the duration and purposes of this Agreement.
2.5 In relation to the Customer Personal Data processed by Bid Solutions as processor on behalf of Customer, Annex A sets out the scope, nature and purpose of processing by Bid Solutions, the duration of the processing and the types of personal data and categories of data subject.
2.6 Without prejudice to the generality of clause 2.2 Bid Solutions shall, in relation to Customer Personal Data which it processes as processor on behalf of Customer:
2.6.1 process that Customer Personal Data only on the documented instructions of the Customer, unless Bid Solutions is required by Applicable Laws to otherwise process that Customer Personal Data. Where Bid Solutions is relying on Applicable Laws as the basis for processing Customer Processor Data, Bid Solutions shall notify the Customer of this before performing the processing required by the Applicable Laws unless those Applicable Laws prohibit the Provider from so notifying the Customer on important grounds of public interest. Bid Solutions shall inform the Customer if, in the opinion of Bid Solutions, the instructions of the Customer infringe Applicable Data Protection Legislation;
2.6.2 implement appropriate technical and organisational measures, including in accordance with Cyber Essentials certification, to protect against unauthorised or unlawful processing of Customer Personal Data and against accidental loss or destruction of, or damage to, Customer Personal Data, which the Customer has reviewed and confirms are appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures;
2.6.3 ensure that any personnel engaged and authorised by Bid Solutions to process Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory or common law obligation of confidentiality;
2.6.4 assist the Customer insofar as this is possible (taking into account the nature of the processing and the information available to Bid Solutions), and at the Customer's cost and written request, in responding to any request from a data subject and in ensuring the Customer's compliance with its obligations under Applicable Data Protection Laws with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators;
2.6.5 notify the Customer without undue delay on becoming aware of a personal data breach involving the Customer Personal Data;
2.6.6 at the written direction of the Customer, delete or return Customer Personal Data and copies thereof to the Customer on termination of the agreement unless Bid Solutions is required by Applicable Law to continue to process that Customer Personal Data. For the purposes of this clause 2.6.6 Customer Personal Data shall be considered deleted where it is put beyond further use by Bid Solutions; and
2.6.7 maintain records to demonstrate its compliance with this clause 2 and allow for reasonable audits by the Customer or the Customer's designated auditor, for this purpose, on reasonable written notice, no more than once per year.
2.7 The Customer hereby provides its prior authorisation for Bid Solutions to:
2.7.1 appoint WordPress and Mailchimp as processors to process the Customer Personal Data, provided that Bid Solutions:
(a) shall ensure that the terms on which it appoints such processors comply with Applicable Data Protection Laws, and are consistent with the obligations imposed on Bid Solutions in this clause 2;
(b) shall remain responsible for the failure of any such processor to meet its data protection obligations; and
(c) shall notify the Customer of any intended changes concerning the addition or replacement of Sub- processors, thereby giving the Customer the opportunity, acting reasonably, to object to such changes within 30 days of the update. If the customer does not object in this period the new sub-processor(s) will be deemed accepted. If Bid Solutions receives a reasonable objection to the appointment of a sub-processor within the specified time limit, Bid Solutions may in its sole discretion and without any liability to the customer:
(i) cease using the new sub-processor to process customer data, which may limit the functionality of the services available to the customer; or
(ii) take any other action reasonably required to address the objection which will permit Bid Solutions to continue to use the sub-processor.
2.7.2 transfer Customer Personal Data outside of the UK as required for the Purpose, provided that Bid Solutions shall ensure that all such transfers are effected in accordance with Applicable Data Protection Laws, including if applicable under standard data protection clauses adopted by the EU Commission from time to time (where the EU GDPR applies to the transfer) or adopted by the UK Information Commissioner from time to time (where the UK GDPR applies to the transfer).
Annex A - Particulars of the processing
|
Subject matter of Processing |
The personal data of Authorised Users or other data subjects contained in Advertising or Vendor Listings |
|
Duration of Processing |
The term of the Agreement. |
|
Nature and Purpose of Processing |
The provision of a Vendor Portal, Advertising or listings |
|
Type of Personal Data |
Any personal data contained in Customer Data (which may include names and email addresses, employment history and photos). |
|
Categories of Data Subject |
Any individuals included in Customer Data as points of contact or case studies. |
