Data Sharing Policy

Data Protection Terms and Conditions

  1. INTERPRETATION

1.1              In this Policy the following terms shall have the following meanings:

  • Agreed Purposes: has the meaning given in clause 1.

Company: Warners (Midlands) Plc.

Contract: the contract made between the Customer and the Company for the supply of goods or services.

  • Controller, data controller, processor, data processor, data subject, personal data, processing and appropriate technical and organisational measures: as set out in the Data Protection Legislation in force at the time.

Customer: the person or company purchasing Products from the Company.

Data: the Customer or any of its employees, workers, customers or end users’ personal data as defined in the Data Protection Legislation.

Data Protection Legislation: (i) unless and until the GDPR is no longer directly applicable in the UK, the General Data Protection Regulation ((EU) 2016/679) and any national implementing laws, regulations and secondary legislation, as amended or updated from time to time, in the UK and then (ii) any successor legislation to the GDPR or the Data Protection Act 1998.

  • Permitted Recipients: The parties to this agreement, the employees of each party, any third parties engaged to perform obligations in connection with this agreement.

Policy: means this document and (unless the context otherwise requires) includes any special terms agreed in writing between the Customer and the Company.

  • Shared Personal Data: the personal data to be shared between the parties under clause 1.1 of this agreement. The purpose of processing and the exact data required for its fulfilment will be outlined in the schedule. Shared Personal Data shall be confined to the following categories of information relevant to the following categories of data subject:
    1. Recipient's name
    2. Recipient's address

 

Writing: means in writing, including telex, cable, facsimile transmissions, email and comparable means of communication.

  1. DATA PROTECTION
    • Shared Personal Data. This clause sets out the framework for the sharing of personal data between the parties as data controllers.
    • Particular obligations relating to data sharing. The Customer shall:
      • ensure that it has all necessary notices and consents in place to enable lawful transfer of the Shared Personal Data to the Company for the Agreed Purposes; and
      • give full information to any data subject whose personal data may be processed under this agreement of the nature of such processing. This includes giving notice that, on the termination of this agreement, personal data relating to them may be retained by or, as the case may be, transferred to one or more of the Permitted Recipients, their successors and assignees.
    • Mutual assistance. Each party shall assist the other in complying with all applicable requirements of the Data Protection Legislation. In particular, each party shall:
      • consult with the other party about any notices given to data subjects in relation to the Shared Personal Data;
      • promptly inform the other party about the receipt of any data subject access request;
      • provide the other party with reasonable assistance in complying with any data subject access request;
      • not disclose or release any Shared Personal Data in response to a data subject access request without first consulting the other party wherever possible;
      • assist the other party, at the cost of the Customer, in responding to any request from a data subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators;
      • notify the other party without undue delay on becoming aware of any breach of the Data Protection Legislation;
      • at the written direction of the Data Controller, delete or return Shared Personal Data and copies thereof to the Data Controller on termination of this agreement unless required by law to store the personal data;
      • use compatible technology for the processing of Shared Personal Data to ensure that there is no lack of accuracy resulting from personal data transfers;
      • maintain complete and accurate records and information to demonstrate its compliance with this clause 2 and allow for audits by the other party or the other party’s designated auditor; and
      • provide the other party with contact details of at least one employee as point of contact and responsible manager for all issues arising out of the Data Protection Legislation, including the joint training of relevant staff, the procedures to be followed in the event of a data security breach, and the regular review of the parties’ compliance with the Data Protection Legislation.

2                    DATA PROCESSING

2.1              The Company shall only process the Data provided by the Customer for the Agreed Purposes as outlined in the agreed schedule.

2.2              The Company shall delete the Data after each delivery.

2.3              If the Purpose is to deliver products or services on more than one occasion, the Customer shall provide the Data before each delivery.

2.4              The Data shall only be accepted by the Company if the Data is provided by the Customer in a secure format as provided by the Company. Data provided by any other means will be refused by the Company.

2.5              The Customer will only send data relevant to the completion of the Company’s processing responsibilities and the Company shall not be responsible for updating the Data at any time.

2.6              If the Company receives returned mail or failed delivery notices, the Company shall inform the Customer, and it shall be the Customer’s responsibility to update the Data and deal with all data queries and subject access requests.

2.7              The Company shall not:

2.7.1        share the Data with any other party unless requested to by the Customer; or

2.7.2        sell the Data to any other party.

2.8              Only authorised personnel within the Company shall have access to the Data.

3                    DATA PROTECTION

3.1              Both parties will comply with all applicable requirements of the Data Protection Legislation. This clause 3 is in addition to, and does not relieve, remove or replace, a party’s obligations under the Data Protection Legislation.

3.2              The parties acknowledge that for the purposes of the Data Protection Legislation, the Customer is the data controller and the Company is the data processor (where Data Controller and Data Processor have the meanings as defined in the Data Protection Legislation).

3.3              Without prejudice to the generality of clause 3.1, the Customer will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the Data to the Company for the Purpose and duration of the Contract.

3.4              Without prejudice to the generality of clause 3.1, the Company shall, in relation to any of the Data processed in connection with the performance by the Company of its obligations under this agreement:

3.4.1        process that Data only on the written instructions of the Customer unless the Company is required by the laws of the UK or of any member of the European Union or by the laws of the European Union applicable to the Company to process the Data (Applicable Laws). Where the Company is relying on laws of a member of the European Union or European Union law as the basis for processing Data, the Company shall promptly notify the Customer of this before performing the processing required by the Applicable Laws unless those Applicable Laws prohibit the Company from so notifying the Customer;

3.4.2        ensure that it has in place appropriate technical and organisational measures, to protect against unauthorised or unlawful processing of Data and against accidental loss or destruction of, or damage to, the Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymising and encrypting Data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it);

3.4.3        ensure that all personnel who have access to and/or process the Data are obliged to keep the Data confidential; and

3.4.4        not transfer any of the Data outside of the European Economic Area unless the prior written consent of the Customer has been obtained and the following conditions are fulfilled:

(i)        the Customer or the Company has provided appropriate safeguards in relation to the transfer;

(ii)       the end user has enforceable rights and effective legal remedies;

(iii)      the Company complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any of the Data that is transferred; and

(iv)       the Company complies with reasonable instructions notified to it in advance by the Customer with respect to the processing of the Data;

3.4.5        assist the Customer, at the Customer’s cost, in responding to any request from an end user and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators;

3.4.6        notify the Customer without undue delay on becoming aware of a Data breach;

3.4.7        at the written direction of the Customer, delete or return the Data and copies thereof to the Customer on termination of the Contract unless required by Applicable Laws to store the Data; and

3.4.8        maintain complete and accurate records and information to demonstrate its compliance with this clause 3.4.

3.5              Either party may, at any time on not less than 30 days’ notice, revise this clause 3 by replacing it with any applicable controller to processor standard clauses or similar terms forming part of an applicable certification scheme (which shall apply when replaced by attachment to this agreement).

4                    INDEMNITY

4.1              The Customer acknowledges that the Company places particular reliance upon the provisions of this Policy. In addition to any other remedy available to the Company, the Customer indemnifies the Company against all liabilities, costs, expenses, damages and losses (including but not limited to any direct, indirect or consequential losses, loss of profit, loss of reputation and all interest, penalties and legal costs (calculated on a full indemnity basis) and all other professional costs and expenses) suffered or incurred by the Company arising out of or in connection with the breach of the Data Protection Legislation or this Policy by the Customer, its employees or agents.

5                     GENERAL

5.1              Any notice required or permitted to be given by either party to the other under this Policy shall be in Writing, addressed to that other party at its registered office or principal place of business or such other address as may at the relevant time have been notified.

5.2              The rights and remedies of the Company in respect of the Contract shall not be diminished, waived or extinguished by the granting of any indulgence, forbearance or extension of time granted by the Company to the Customer, nor by any failure of, or delay by the Company in ascertaining or exercising any such rights or remedies. Any waiver of any breach of the Contract by the Company can only be made in writing. No waiver by the Company of any breach of the Contract by the Customer shall be considered as a waiver of any subsequent breach of the same or any other provision.

5.3              If any provision of this Policy is held by any competent authority to be invalid or unenforceable in whole or in part, the validity of the other provisions in this Policy and the remainder of the provision in question shall not be affected thereby.

5.4              Both parties hereby irrevocably agree to submit to the exclusive jurisdiction of the English Courts.

5.5              The Contract shall be governed by and construed in all respects in accordance with the laws of England.

5.6              No person who is not a party to the Contract (including without limitation any employee, officer, agent, representative or sub-contractor of either party) shall have a right to enforce any term of the Contract which expressly or by implication confers a benefit on that person without the express prior agreement in writing of the parties which agreement must refer to this clause 5.6.

5.7              Even if a person who is not a party to the Contract (including without limitation, any employee, officer, agent, representative or sub-contractor of either party) has a right to enforce any term of the Contract by virtue of any law, the parties may vary or cancel the Contract by agreement between them without requiring the consent of such third party.