NON-EUROPEAN ECONOMIC AREA DATA CONTROLLER/PROCESSOR AGREEMENT June 2013
1.1 The Controller is the holder of a licence to use Cubiks Products as defined in any agreement ("Licence") currently in force between the Controller and any member of the Cubiks Group of Companies ("Licensor"). The Cubiks Group of Companies is defined below.
1.2 The Processor is the Licensor with whom the Controller is contracting.
1.3 The Processor may subcontract its obligations under this Agreement to Cubiks Limited, registered number 3840112 whose registered office is at Ranger House, Walnut Tree Close, Guildford, Surrey, GU1 4US, United Kingdom. The Processor remains fully responsible to the Controller for the compliance of Cubiks Limited with the terms and conditions herein.
1.4 This Agreement is made between the Controller and the Processor and is supplemental to and forms part of any Licence as described in 1.1 above.
1.5 In consideration of the provision by the Licensor of online access to the Cubiks Products and the mutual undertakings set out herein the parties agree as follows.
The purpose of this Agreement is to protect individuals with regard to the Processing of their Personal Data, and to allow the free movement of their Personal Data, insofar as it is necessary for the purposes set out in Appendix 1.
UK law requires a written contract between Controller and Processor and for Processor to take appropriate technical and organizational measures to protect Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the Processing involves the transmission of Personal Data over a network, and against all other unlawful forms of processing.
The Appendices to this Agreement shall form an integral part of this Agreement.
For the purposes of this Agreement, the following terms shall have the meanings set out below:
(a) "Controller" shall mean the natural or legal person, public authority, agency or any other body as described in clause 1 above and which alone or jointly with others determines the purposes and means of the Processing of Personal Data;
(b) "Processor", in relation to Personal Data, shall mean any natural or legal person, public authority, agency or any other body (other than an employee of Controller) who Processes the Personal Data on behalf of Controller;
(c) "Data Subject" shall mean an individual who is the subject of Personal Data;
(d) "Personal Data" shall mean any information relating to an identified or identifiable data subject; an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity;
(e) "Processing" shall mean any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction, and "Process" shall be construed accordingly;
(f) "Supervisor" shall mean the United Kingdom Information Commissioner;
(g) "Cubiks Group of Companies" shall mean those companies which can be found listed at https://www.cubiks.com/legal/cubiks-group-companies. The term Cubiks Group of Companies includes a single member of that group.
The details of the Processing of Personal Data covered by this Agreement are specified in Appendix 1.
All contacts between the Parties concerning this Agreement shall be between the persons nominated in Appendix 2, and such other persons as the nominated Contacts may from time to time authorise in writing. Any changes to the contacts nominated in Appendix 2 shall be agreed in writing between the Parties.
7. OWNERSHIP OF THE DATA
All Personal Data stored and Processed under the terms of this Agreement by Processor on behalf of Controller are and shall remain exclusively the property of Controller.
8. OBLIGATIONS OF CONTROLLER
Controller agrees and warrants:
(a) that the Processing of Personal Data by him has been and will continue to be carried out in accordance with all the relevant legal requirements of the jurisdiction or jurisdictions within which Controller is using the licensed software ("Controller's Jurisdiction");
(b) that Controller will observe the privacy and data protection notice of Processor (or such other notice as the parties may agree) including without limitation the stated restrictions as to the use of Personal Data;
(c) the Processor may Process the Personal Data controlled by the Controller for the purposes described in Appendix 1.
9. OBLIGATIONS OF PROCESSOR
Processor agrees and warrants:
(a) to Process Personal Data on behalf of Controller, in accordance with the instructions of Controller (i) to ensure compliance with paragraph (b) below and (ii) subject to such instructions being consistent with the established functionalities and established capabilities of the Cubiks Products which are the subject of the Licence. Processor further agrees not to carry out any Processing of Personal Data supplied by Controller without the explicit instructions of Controller;
(b) to Process Controller's Personal Data in accordance with Appendix 3 of this Agreement;
(c) to deal promptly, fully and properly with all reasonable enquiries from Controller relating to his Processing of the Personal Data and to cooperate with the Supervisor in the course of any of its enquiries and to abide by the advice of the Supervisor with regard to the Processing of the Personal Data.
Processor will only disclose Personal Data in accordance with instructions from Controller, and will take appropriate security measures, in accordance with Appendix 3, to ensure that no unauthorised disclosure occurs.
The maximum total liability of the Processor under this Agreement and the Licence described above shall be 100% of the total Fees payable under such Licence.
12. TERMINATION OF THE AGREEMENT
(a) The Parties agree that the termination of the Agreement at any time, in any circumstances and for whatever reason does not exempt them from the obligations and/or conditions under the Agreement as regards the Processing of Personal Data.
(b) Subject to a reasonable time interval to ensure that Controller has made alternative arrangements for processing his data, and subject to these arrangements working satisfactorily, Processor shall, insofar as it is practicable, delete or render anonymous all copies of Controller's Personal Data held and processed by Processor.
(c) If Controller's Personal Data, for reasons of practicality, cannot be so deleted or rendered anonymous, Processor shall take appropriate action to ensure that those Personal Data will not be further processed, disclosed, or in any way used, other than their later deletion should that become possible.
13. VARIATION OF THIS AGREEMENT
The Parties undertake not to vary or modify the terms of this Agreement, other than to correct such deficiencies as may become apparent in this Agreement in relation to the application to the Processing of the Directive or its interpretation by the Controller's Jurisdiction.
14. GOVERNING LAW
This Agreement shall be governed by the laws of England.
The Processing of Personal Data which is subject to this Agreement is:
(a) for human resources purposes;
(b) where applicable and subject to prior agreement with the Licensor, for disclosure by Controller to Controller's clients for human resources purposes; and
(c) for the management of the data and the performance of the obligations of the Licensor and the Processor to the Controller.
The categories of Personal Data processed are those necessary for the identification of participating individuals, for the human resources assessments involving use of Cubiks products licensed and consultancy provided by the Cubiks group to the Controller.
In addition, Processor may on an anonymous basis process data for statistical, research, historical and management purposes.
Where appropriate, processing may be carried out by the Controller, the Processor, companies in the same group as the Processor and by associates, suppliers, distributors and agents of the Processor.
The Cubiks Products licensed to the Controller are as specified in the Licence.
Nominated First Contacts
On behalf of Controller: Director of Human Resources or designated representative.
On behalf of Processor: Group Company Secretary via Cubiks Helpdesk, telephone 00 44 1483 544 240.
Security of processing
(a) The Processor conducts all Processing of Personal Data in accordance with current European Economic Area data protection standards.
(b) The Processor will implement appropriate technical and organizational measures to protect Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access and against all other forms of processing which are unlawful in the United Kingdom.
(c) Having regard to the state of the art and the cost of their implementation, such measures shall ensure a level of security appropriate to the risks represented by the processing and the nature of the Personal Data to be protected.
(d) The Controller will comply with paragraphs 2 and 3 so far as practicable and will comply with the equivalent requirements imposed by the laws of the Controller's Jurisdiction.