Privacy Notice for Clients – Processing of Personal Data
CONTEXT OF THE PROCESSING
The Service Provider shall, on behalf of the Client, be authorised to process personal data, as defined by the applicable regulations in force, required in order to provide the services which are the object of the Engagement Letter in accordance with the instructions provided by the Client.
As part of their contractual relationship, the parties undertake to comply with the regulations in force regarding the processing of personal data, in particular Regulation (EU) No 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (the "GDPR").
The Client shall set out in the Engagement Letter the purposes, means of processing and the data which shall be the object of the processing.
Such processing shall be governed by the Contract concluded between the Service Provider and the Client in accordance with Article 28 of the GDPR.
The Engagement Letter shall also define the subject matter and the duration of the processing, the nature and purpose of the processing, the type of personal data and the categories of data subjects.
OBLIGATIONS OF THE SERVICE PROVIDER
The Service Provider undertakes to fulfil all the obligations imposed on the processor by virtue of the GDPR.
The Service Provider undertakes to:
- process the personal data solely for the purpose(s) which is/are the object of the sub-contracting;
- process the data in accordance with the Client's documented instructions appearing in the Engagement Letter;
- ensure the confidentiality of the personal data processed as part of the Engagement Letter;
- ensure that the individuals authorised to process the personal data by virtue of the Engagement Letter:
  - undertake to respect confidentiality and are bound by an appropriate legal confidentiality obligation, and
  - receive the necessary training on the protection of personal data;
- take into account, as regards its Services, the principles of data protection by design and data protection by default;
- help the Client, as much as possible, to fulfil its obligation to act on requests made by the data subjects regarding the exercising of their rights: right of access, rectification and erasure, right to object, right to the restriction of processing, right to data portability, right not to be subject to automated individual decision-making (including profiling);
- notify the Client of any personal data breach without delay once it becomes aware;
- help the Client to carry out data protection impact assessments if deemed necessary;
- if the Client so chooses, delete all personal data or return them to the Client upon completion of the service provision relating to the processing and destroy existing copies save for any legal or regulatory provision to the contrary. In the event that the Service Provider intends to retain personal data for processing required to comply with a legal obligation or for the purposes of its legitimate interests, and provided that the interests and freedoms and fundamental rights of the data subjects are not overriding, it must inform the Client in writing, in the month prior to the end of the contractual relationship, of the legal basis and the nature of the processing in question, the categories of personal data concerned and the duration of the processing in question, without prejudice to the Client's right to object to the processing in question and request the destruction of the personal data on valid and legitimate grounds;
- provide the Client with the contact details of its data protection officer, if it has designated one in accordance with Article 37 of the GDPR. It may do so by means of a reference in the Engagement Letter to the Service Provider website on which the contact details of the data protection officer are published;
- maintain a written record of all categories of processing activities carried out on behalf of the Client in accordance with Article 30(2) of the GDPR;
- provide the Client with the documentation required to demonstrate the fulfilment of all its obligations and to enable audits, including inspections, to be carried out by the Client or another auditor that it has appointed, and contribute to such audits.
OBLIGATIONS OF THE CLIENT
The Client undertakes to fulfil all the obligations imposed on the controller by virtue of the GDPR.
The Client shall in particular ensure that the personal data are:
- processed lawfully, fairly and in a transparent manner in relation to the data subject;
- collected for specified, explicit and legitimate purposes;
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
- accurate and, where necessary, kept up to date;
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed;
- processed in a manner that ensures the appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
Vis-à-vis the Service Provider, the Client undertakes to:
- document in writing all instructions concerning the processing of data to be carried out by the Service Provider;
- ensure, in advance and during the entire duration of the processing carried out by the Service Provider, the fulfilment of the obligations set out in the GDPR.
SECURITY MEASURES
Taking into account the state of knowledge, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Service Provider and the Client shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
- the pseudonymisation and encryption of personal data;
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services (such as, in particular, controls upon entering facilities, media formats, memory, access, transmission, introduction and transportation);
- the ability to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident (such as, in particular, control of availability);
- a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
The Client and the Service Provider shall take steps to ensure that any natural person acting under the authority of the Client or under that of the Service Provider, who has access to personal data, does not process them, except on instruction from the Client, unless he or she is required to do so by European Union law or Luxembourg law.
The responsibilities of each of the Parties with regard to the security measures to be implemented shall be specifically defined in the Engagement Letter.
AUTHORISED DISCLOSURE
The confidentiality obligation resulting from this article shall not prohibit the Service Provider from disclosing personal data if such disclosure is required or permitted by virtue of applicable legal rules or rules of professional conduct, in particular as part of a disciplinary procedure or civil, commercial or criminal proceedings or as part of the legislation on combating money laundering and terrorism financing.
That confidentiality obligation shall also not prohibit the Service Provider from transferring one or more pieces of personal data to third parties, such as the administrations concerned, if such transfer is required in order to enable one or more services under the Contract to be performed.