Data Processing Notice
DATA PROCESSING NOTICE – ORDERING PLATFORM USERS
This Notice is incorporated in the Privacy Notice and relevant to the websites below:
Where you use the ordering platforms on our websites or otherwise provide us with personal data relating to your own clients in order for us to provide you with products and services tailored to your own client’s needs and in relation to their conveyancing transaction, it is your responsibility to ensure that you have obtained appropriate consent or provided appropriate privacy notice information to your own client (Own Client) to enable you to share their data (Own Client Data) with us. You would usually do this as part of your own client engagement process.
In the limited instance above where you input Own Client Data into the ordering platform directly or where you provide Own Client Data to us by another agreed method (Data Input) you agree that you are the Controller and we are the Processor and this relationship is governed by the provisions in this notice.
This Notice takes effect from 26th May 2018.
1. DATA PROTECTION
1.1 It is your responsibility to ensure that your use of Own Client Data through Data Input has been collected from your Own Client in accordance with the Data Protection Legislation.
1.2 In relation to Own Client Data processed by us we shall:
(a) process Own Client Data only in accordance with Schedule 1, unless we are required to do otherwise by Law;
(b) ensure that we have in place Protective Measures as appropriate to protect against a Data Loss Event having taken account of the:
(i) nature of the Own Client Data to be protected;
(ii) harm that might result from a Data Loss Event;
(iii) state of technological development; and
(iv) cost of implementing any measures;
(c) ensure that:
(i) our Personnel do not process Own Client Data except in accordance with this Notice (and in particular Schedule 1);
(ii) we take all reasonable steps to ensure the reliability and integrity of any Personnel who have access to Own Client Data and ensure that they are aware of and comply with our duties under this Notice, are subject to appropriate confidentiality undertakings with us or any Sub-processor, are informed of the confidential nature of the Own Client Data and do not publish, disclose or divulge any of the Own Client Data to any third party unless directed in writing to do so by you or as otherwise permitted by this Notice, and have undergone adequate training in the use, care, protection and handling of the Own Client Data; and
(d) not transfer Own Client Data outside of the EU unless we are satisfied that the recipient complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Own Client Data that is transferred;
(e) at your written direction, delete or return Own Client Data (and any copies of it) to you on termination of our agreement with you unless we are required by Law to retain it. We may delete Own Client Data systematically at earlier intervals in line with our Retention Policy which can be provided on request.
1.3 As Processor we shall notify you immediately if we:
(a) receive a Data Subject Access Request (or purported Data Subject Access Request);
(b) receive a request to rectify, block or erase any Own Client Data;
(c) receive any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation;
(d) receive any communication from the Information Commissioner or any other regulatory authority in connection with Own Client Data processed under this Notice;
(e) receive a request from any third party for disclosure of Own Client Data where compliance with such request is required or purported to be required by Law; or
(f) become aware of a Data Loss Event.
1.4 Taking into account the nature of the processing, we shall provide you with full assistance in relation to your obligations under Data Protection Legislation and any complaint, communication or request made under clause 1.3 (and insofar as possible within the timescales reasonably required by you) including by promptly providing:
(a) you with full details and copies of the complaint, communication or request;
(b) such assistance as is reasonably requested by you to enable you to comply with a Data Subject Access Request within the relevant timescales set out in the Data Protection Legislation;
(c) at your request, with any Own Client Data we hold;
(d) reasonable assistance as you request following any Data Loss Event;
(e) assistance as you request with respect to any request from the Information Commissioner’s Office, or any consultation by you with the Information Commissioner's Office.
1.5 We shall maintain complete and accurate records and information to demonstrate our compliance with this Notice.
1.6 We shall allow you access for audits of our Data Processing activity on reasonable notice.
1.7 We shall designate a data protection officer if required by the Data Protection Legislation.
1.8 You acknowledge and agree that in the course of providing services to you we use third parties to provide us with certain reports and services and in some instances this requires us to share Own Client Data with these third parties.
1.9 We shall remain fully liable for all acts or omissions of any third party in relation to Data Protection Legislation but otherwise the terms and conditions of the third party govern the limits of liability of the service they have provided to you at your request through the ordering platform.
1.10 We may, at any time on not less than 30 Working Days’ notice, revise this Notice by replacing it with any applicable controller to processor standard clauses or similar terms forming part of an applicable certification scheme.
1.11 We both agree to take account of any guidance issued by the Information Commissioner’s Office.
1.12 Our aggregate liability to you in respect of any loss, cost, harm, expense (including reasonable legal fees), liabilities or damage suffered or incurred by you as a result of a Data Loss Event or otherwise by breach of this Notice shall be limited to £100,000.
1.13 You shall indemnify us against any loss, cost, harm, expense (including reasonable legal fees), liabilities or damage suffered or incurred by us from a breach of your obligations under this Notice.
Definitions used in this Notice
Data Protection Legislation: (i) GDPR: the General Data Protection Regulation (Regulation (EU) 2016/679), the Law Enforcement Directive (Directive (EU) 2016/680) and any applicable national implementing Laws as amended from time to time; (ii) the Data Protection Act 2018 to the extent that it relates to processing of personal data and privacy; (iii) all applicable Law about the processing of personal data and privacy including the Privacy and Electronic Communications (EC Directive) Regulations 2003 as amended from time to time.
Controller, Processor, Data Subject, Personal Data, Personal Data Breach, Data Protection Officer take the meaning given in the GDPR.
Data Loss Event: any event that results, or may result, in unauthorised access to Personal Data held by us under this Notice, and/or actual or potential loss and/or destruction of Personal Data in breach of this Notice, including any Personal Data Breach.
Own Client Data: including name, maiden name, address, purchase address, date of birth, gender, previous addresses, passport or driving licence details, national insurance number as defined in the Privacy Notice.
Data Subject Access Request: a request made by, or on behalf of, a Data Subject in accordance with rights granted pursuant to the Data Protection Legislation to access their Personal Data.
Law: means any law, subordinate legislation within the meaning of Section 21(1) of the Interpretation Act 1978, bye-law, enforceable right within the meaning of Section 2 of the European Communities Act 1972, regulation, order, regulatory policy, mandatory guidance or code of practice, judgment of a relevant court of law, or directives or requirements with which both parties are bound to comply.
Personnel: means all directors, officers, employees, agents, consultants and contractors of either party.
Protective Measures: appropriate technical and organisational measures which may include: pseudonymising and encrypting Personal Data, ensuring confidentiality, integrity, availability and resilience of systems and services, ensuring that availability of and access to Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of such measures adopted by it.
Retention Policy: Our retention policy which can be provided on request.
Schedule 1 Processing, Personal Data and Data Subjects
Subject matter of the processing
We process data of Own Clients as relevant to your input of such Own Client Data to order products and services from us.
Duration of the processing
We process this data for the period required to fulfil these services.
Type of Personal Data
Own Client Data
Categories of Data Subject