General Data Protection Regulation 2018 (“GDPR”) Notification between SysGroup PLC and its subsidiary companies (the Data Processor) and (the Data Controller) Relating to The Provision by the Customer of Personal Data

With the introduction of the GDPR into UK legislation on 25th May 2018, in keeping with good business practice and ethics and in order to comply with the GDPR, we are revising our terms relating to the provision by you to us of your personal data (as defined in the GDPR).

This notice supplements and amends our agreement with you in relation to its contents. You are asked to please read and indicate your acceptance of these terms for our records by clicking at the bottom of this page, but failure to do so shall not affect their validity. Where there is any conflict between the terms of this notice and the terms of our agreement with you, the terms of this notice will override the conflicting term in our agreement.

As part of this notice it is agreed that nothing within the existing contracts relieves either the Customer or SysGroup PLC and its subsidiaries of our own direct responsibilities and liability under the GDPR.

This notice does not override any agreed indemnity in the contract between the Customer and SysGroup PLC and its subsidiaries, and any agreed indemnity as part of the original contract remains unchanged.

Personal Data definition

In dealing with you as a customer, we have access to certain personal information of individuals within your business and within the businesses that you trade with, either as customer or supplier. This information will include (but is not limited to) names and personal data of individual persons such as:

  • officers of a company;
  • partners in a partnership;
  • shareholders in a business; and
  • names and contact details of persons within an organisation (yours and potentially your suppliers/customers) whose details are required or provided for data processing and communication purposes. 

Data processing to be undertaken

As Data Processor we will process personal data controlled by you across our data networks.

Duration of the data processing

Duration of processing will be as set out in the original contract covering the provision of our services to you.

Nature and purpose of the processing

The nature of our data processing is in providing IT infrastructure and network capability to enable your business operations to function.

Types and formats of data being shared

Data will be transferred across our networks and/or held in backup and storage devices in electronic format.

Data security measures

As Data Processor we follow best practice in security over your data. This best practice was outlined in the original contract covering the provision of our services to you. In addition, we confirm that we adopt ‘Privacy by Design’ principles in all our service and infrastructure provision and that all relevant staff have received appropriate data protection training.

Your obligations as Data Controller

In agreeing to allow us to process personal data, whether within your business or to other persons whose details you provide, you confirm in each instance (as Data Controller) that:

  • you have provisions within officer and employee service agreements or employment policies within your business, which are GDPR compliant, and which authorise you to:
    • provide personal data of individuals to us for the purposes of transacting business with you (including communicating with those persons);
    • authorise us to access information containing personal data from third parties for the purposes of doing business with you; 
  • you have enforceable provisions within your contracts and terms of business in place with your suppliers/customers, whose details you provide to us, which are GDPR compliant, and which confirm that:
    • you and we are authorised to receive from your suppliers/customers, whether directly or indirectly through you, and through third party providers, information, including personal data of individuals within your suppliers/customers’ organisations for the purposes of doing business with them;
    • personal data provided by your suppliers/customers to you has been provided in accordance with and is compliant with the GDPR for that purpose;
    • personal data accessed by us in relation to your suppliers/customers through third parties has been provided for use by those third parties in accordance with and is compliant with the GDPR for that purpose; and
    • you are authorised to provide that information and personal data to us; and
  • all such persons have actively consented to their personal data being held and processed by us for the purposes of our contracting and communicating with you.

Where we are dealing with a specific office holder (such as an account manager), the provisions of this notice will apply to the appointment of any new person to that office.

Our obligations as Data Processor

We confirm that, when we are dealing with your personal data: 

  • we comply with the GDPR as a Data Processor;
  • we have appropriate security measures to prevent personal information from being accidentally lost, or used or accessed unlawfully;
  • we limit access to that data to those who have a genuine business need to access it;
  • we will only process that data for the purpose, and for the period, strictly required in our transactions with you and that we will review and cleanse such data from time to time as appropriate;
  • we will only act on the written instructions of the Data Controller (you) (unless required by law to act without such instructions);
  • we will ensure that people processing the data are subject to a duty of confidence and have received appropriate training;
  • we will take appropriate measures to ensure the security of processing;
  • we will only engage a sub-processor with the prior consent of the Data Controller and a written contract;
  • we will assist the Data Controller in providing subject access and allowing data subjects to exercise their rights under the GDPR;
  • we will provide reasonable assistance to the Data Controller in meeting its GDPR obligations in relation to the security of processing, the notification of personal data breaches and data protection impact assessments;
  • we will delete or return all personal data to the Data Controller as requested at the end of the contract; and
  • we will submit to audits and inspections, provide the Data Controller with whatever reasonable information it needs to ensure that both parties are meeting their Article 28 obligations, and tell the Data Controller immediately if it is asked to do something infringing the GDPR or other data protection law of the EU or a member state.

Compliance

We may, in accordance with our audit process, require you, from time to time, to provide evidence of your compliance with the terms of this notice.

Information relating to the GDPR can be found at:

https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/