Terms of Trade Data Protection Policies



"Data Protection Legislation" means Data Protection Act 1998, the EU Data Protection Directive 95/46/EC, the General Data Protection Regulations (being EC Regulation 2016/679 on the protection of natural persons with regard to the processing of personal data and on the movement of such data) (when in force), the Privacy and Electronic Communications (EC Directive) Regulations 2003 and all applicable laws and regulations relating to the processing of personal data and privacy, including where applicable, any guidance notes and codes of practice issued by the European Commission and applicable national regulators including the UK Information Commissioner.

Provisions to be included in front end of agreement

The parties acknowledge and agree that in order to provide the [Services], [the Service Provider] may process personal data. [•][1] sets out the subject matter and duration of the processing; nature and purpose of the processing; the type of personal data being processed; and the categories of data subject.

Each party acknowledges and agrees that each party has respective rights and obligations under applicable Data Protection Legislation. The Service Provider shall, and without prejudice to its other rights or obligations, in respect of its processing of such personal data comply with the provisions set out in schedule [A].


  1. The Service Provider shall comply with the following provisions in respect of the processing of personal data in the supply of the Services:

1.1       process the data only to the extent, and in such a manner, as is necessary to provide the Services and in accordance with the Company’s written instructions from time to time and the Service Provider shall not process or permit the processing of the data for any other purpose. If the Service Provider is ever unsure as to the parameters of the instructions issued by the Company and/or believes that the Company’s instructions may conflict with the requirements of Data Protection Legislation, the Service Provider shall immediately notify the Company for clarification and where requested provide reasonable details in support of any assertion that the Company’s instructions may be unlawful;

1.2       ensure that any person authorised to process data in connection with this Agreement is subject to a duty of confidentiality;

1.3       having regard to the state of technological development and the cost of implementing any measures, take appropriate technical and organisational measures against the unauthorised or unlawful processing of data and against the accidental loss or destruction of, or damage to data, to ensure a level of security appropriate to: a) the harm that might result from such unauthorised or unlawful processing or accidental loss, destruction or damage of the data; and b) the nature of the data to be protected.  Such measures shall be of at least the minimum standard required by Data Protection Legislation and be of a standard no less than the standards compliant with good industry practice for the protection of personal data;

1.4       assist the Company by appropriate technical and organisational measures in responding to, and complying with, data subject requests;

1.5       provide the Company with full co-operation and assistance in relation to the Company’s obligations and rights under Data Protection Legislation including providing the Company with all information and assistance necessary to investigate security breaches, carry out privacy impact assessments or otherwise to assess or demonstrate compliance by the parties with Data Protection Legislation;

1.6       notify the Company in writing without undue delay and in any event within 24 hours of becoming aware of any accidental or deliberate, unauthorised or unlawful acquisition, destruction, loss, alteration, corruption, access, use or disclosure of personal data under this Agreement or in breach of the Service Provider’s security obligations under this Agreement;

1.7       not engage any third party to process data (or otherwise sub-contract or outsource the processing of any data to a third party) (a “Sub processor”) without the prior written consent of the Company acting in its sole discretion. Where such consent is given, it is conditional on the Service Provider:

1.7.1          entering into a written contract with the Sub processor that:

1.7.2          is on terms that are the same as those set out in this paragraph;

1.7.3          provides sufficient guarantees to implement appropriate technical and organisational measures in compliance with the Data Protection Legislation;

1.7.4          terminates automatically on termination or expiry of this Agreement for any reason; and

1.7.5          remaining liable for all acts or omissions of the Sub processors as if they were acts or omissions of the Service Provider;

1.8       return or destroy (as directed in writing by the [Operating Company]) all data it has in its possession and promptly delete existing copies unless applicable law requires storage of the personal data.

  2. The Service Provider shall keep at its normal place of business a written record of data processing carried out in the course of the Services and in respect of the measures taken by the Service Provider under paragraph 1 of this Schedule (“Records”).
  3. The Service Provider shall permit the Company, its third-party representatives or a regulator or its third-party representatives, on reasonable notice during normal business hours, access to inspect, and take copies of, the Records and any other information held at the Service Provider's [and/or Sub processors’ premises] or on the Service Provider’s [and/or Sub processors’] systems relating to this Agreement, for the purpose of auditing the Service Provider's compliance with its obligations under this Schedule.