
Service Specific Terms

This document is to be read in conjunction with the Terms and Conditions.

1. Interpretation

The following definitions and rules of interpretation apply in the Services Agreement:

Applicable Data Protection Law: UK GDPR applies, which is the law of the United Kingdom or a part of the United Kingdom that relates to the protection of personal data.

Business Day: a day, other than a Saturday, Sunday or UK bank holiday.

Business Hours: the period from 9:00 am to 5:00 pm GMT/BST on any Business Day, or as outlined in the Quote.

Customer: means the party referred to as Customer on the Quote and any persons, consultants, employees and those acting on its behalf.

Services: means a Supplier service or multiple Supplier services (which may be packaged) that are ordered by the Customer as outlined in the Quote.

Supplier: means the party referred to as Supplier on the Quote and any persons, consultants, employees and those acting on its behalf.

UK GDPR: has the meaning given to it in section 3(10), as supplemented by section 205(4), of the Data Protection Act 2018.

2. Outsourced Data Protection Officer (DPO)

A managed service under which Customers can purchase a number of days per month (the smallest amount is 0.5 days) for DPO services. If the Customer does not use the full amount of time in any given month, that time may be carried over to the subsequent month (but not beyond). Supplier will provide virtual consultation, information, advice and other related services to Customer, under the DPO Service Levels below, to ensure that Customer processes the personal data of its staff, customers, service providers or any other individuals (also referred to as data subjects) in compliance with Applicable Data Protection Laws and best practice.

2.1 Supplier Obligations

2.1.1 Act as the Data Protection Officer (DPO) for Customer under Applicable Data Protection Laws;

2.1.2 Facilitate Customer compliance with the UK GDPR and other applicable data protection legislation by ensuring effective systems and controls are in place to enable Customer to comply with their legal obligations;

2.1.3 Act as the Customer's intermediary between relevant stakeholders, including supervisory authorities, data subjects, and business units;

2.1.4 Report notifiable data breaches identified and notified to Supplier by Customer to the Information Commissioner's Office (ICO) and any relevant supervisory authority at the end of any statutorily required notice period, where the requisite notice has not been sent earlier either by Customer or by Supplier at Customer's instruction; and

2.1.5 Inform and advise the Customer's senior management (where appointed to do so) under Supplier's position as DPO for the Customer.

2.2 Customer Obligations

2.2.1 Customer will ensure compliance with all Applicable Data Protection Laws and, in particular, Customer will:

2.2.2 Report all notifiable and potential data breaches to the Supplier's assigned DPO at advice@protection.trudigital.co.uk as soon as the Customer becomes aware of the breach;

2.2.3 Submit details of data breach(es) to Supplier for reporting to the ICO and any relevant supervisory authority without undue delay; and

2.2.4 Where Customer fails to comply with the reporting obligations above, Supplier shall not be liable, and Customer will indemnify Supplier for any penalties imposed by the ICO or any relevant supervisory authority, and for any third-party claims, arising from failure and/or delay in reporting notifiable breaches.

2.3 DPO Service Levels

2.3.1 Priority levels will be addressed in line with the following Service Levels.

Type                                                                                                   | Response Time
Critical: a scenario which will have serious immediate impact on the protection of personal data      | 1 Hour
Urgent: for advice on UK GDPR topics that are subject to time constraints                             | 4 Hours
Non-Urgent: for advice and guidance on UK GDPR issues and longer-term projects that do affect Customer's operations | By the end of the next Business Day

All Service Levels apply only during Business Days and Business Hours. All service requests must originate with an email sent to advice@protection.trudigital.co.uk.

3. Additional Services

3.1 Data Protection Impact Assessment

Supplier will provide Customer with access to up to 2 hours per month of remote support for queries and questions relating to Data Protection Impact Assessment (DPIA) matters. Customers can contact the DPIA service by emailing advice@protection.trudigital.co.uk initially, after which queries can be dealt with via email, phone or video conferencing. This is included in the Comprehensive service; additional credits can be bought by Advice service Customers.

3.2 GDPR Audit and Analysis

The Supplier will provide an audit and analysis of the Customer's current level of compliance with GDPR. The output of the audit will be a report that outlines any non-conformities, along with recommendations and an action plan detailing what needs to be done to achieve compliance. During the audit, which will be conducted remotely, Customer will need to provide access to key staff, documentation and evidence to support the audit. This is included in the Comprehensive service; additional credits can be bought by Advice service Customers.

3.3 Redacting

Supplier will provide the Customer with a redacting service in relation to subject access requests. This is included in the Comprehensive service (up to 5 redactions per annum) and in the Comprehensive Plus service (unlimited redactions); additional credits can be bought by both Comprehensive and Advice service Customers. The Customer must provide the necessary data, and the Supplier will provide a tool so that the Customer can review redactions before they are sent to the data subject.