PART A
1. Definitions
- 1.1 In this Privacy Policy, the following terms shall have the meanings set out below:
- 1.1.1 “Applicable Law” means any laws or regulations, regulatory policies, guidelines or industry codes (whether national or international) which apply to Company (or any of its Sub-processors) and/or the provision of or the subject matter of the Services, in each case as in force from time to time;
- 1.1.2 “Company” means [Steel Hub Group Ltd];
- 1.1.3 “Customer Group Member” means a Customer or any entity that owns or controls, is owned or controlled by, or is under common control or ownership with Customer, where control is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract or otherwise;
- 1.1.4 “Customer Personal Data” means any Personal Data Processed by Company on behalf of a Customer Group Member pursuant to or in connection with the Principal Agreement;
- 1.1.5 “Data Protection Laws” means EU Data Protection Laws and, to the extent applicable, the data protection or privacy laws of any other country;
- 1.1.6 “EEA” means the European Economic Area;
- 1.1.7 “EU Data Protection Laws” means EU Directive 95/46/EC, as transposed into domestic legislation of each Member State and as amended, replaced or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR;
- 1.1.8 “GDPR” means EU General Data Protection Regulation 2016/679;
- 1.1.9 “Personal Data” means any data that relates to an identified or identifiable natural person and where such data is protected under applicable Data Protection Laws;
- 1.1.10 “Principal Agreement” means the agreement or agreements between Company and the Customer Group Member for the Services that Company provides to them;
- 1.1.11 “Service/s” means the services and other activities to be supplied to or carried out by or on behalf of Company for Customer Group Members pursuant to the Principal Agreement;
- 1.1.12 “Sub-processor/s” means any person (including any third party and any Company Affiliate) appointed by or on behalf of Company or any Company Affiliate and that Processes Customer Personal Data on behalf of any Customer Group Member;
- 1.1.13 “Company Affiliate/s” means an entity that owns or controls, is owned or controlled by, or is under common control or ownership with Company, where control is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract or otherwise.
- 1.2 The terms, “Commission”, “Controller”, “Processor”, “Data Subject/s”, “Member State”, “Personal Data Breach”, “Processing” and “Supervisory Authority” shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.
2. Authority
Company warrants and represents that, before any Company Affiliate Processes any Customer Personal Data on behalf of any Customer Group Member, Company’s entry into this Privacy Policy as agent for and on behalf of that Company Affiliate will have been duly and effectively authorized (or subsequently ratified) by that Company Affiliate. References to ‘Company’ shall be deemed to include a reference to each Company Affiliate as applicable.
3. Processing of Customer Personal Data
- 3.1 Scope of this Privacy Policy and Role of Parties. This Privacy Policy applies to the Processing of Personal Data by Company in the course of providing the Services. For the purposes of the Services and this Privacy Policy, Customer and each Customer Group Member are the Controller(s) and Company is the Processor and shall be Processing Personal Data on the Customer’s behalf, the Customer receiving the Services as principal and as agent of each Customer Group Member.
- 3.2 Instructions for Processing Personal Data. Company shall Process Personal Data as reasonably necessary for the provision of the Services arising from the Principal Agreement (inclusive of this Privacy Policy) and in accordance with Customer’s documented instructions which, unless expressly agreed otherwise, shall at all times be consistent with the nature of the Principal Agreement.
- 3.3 Compliance with Laws. Company, in Processing the Customer Personal Data in accordance with Clause 3.2 above, shall comply with all applicable Data Protection Laws. Company shall not be responsible for complying with Data Protection Laws applicable to a Customer Group Member or its industry that are not otherwise consistent with the provision of the Services, or if, and to the extent that, the relevant provision of Data Protection Law would not also apply to Company’s provision of services equivalent to the Services to other customers. Customer shall comply with all Data Protection Laws applicable to Customer as Controller.
4. Company Personnel
- 4.1 Personnel Reliability. Company shall take reasonable steps to (i) require background screening of, and ensure the reliability of, any personnel who may have access to the Customer Personal Data or the Customer environments in which the Personal Data is Processed, ensuring in each case that access is strictly limited to those individuals who need to know or access the relevant Customer Personal Data, as strictly necessary for the purposes of the Principal Agreement; and (ii) ensure that any such personnel are informed of the confidential nature of Personal Data, have received training, and are subject to confidentiality obligations or professional or statutory obligations of confidentiality.
- 4.2 Data Protection Officer. Company has appointed a data protection officer. The appointed person may be reached at [27, Old Gloucester Street, London WC1N 3AX].
5. Sub-processors
- 5.1 Appointment of Sub-processors. Subject always to section 3.2 above, each Customer authorizes Company to appoint Sub-processors in accordance with this section 5 to Process Customer Personal Data. Company shall be responsible for ensuring that each Sub-processor has entered into a written agreement requiring the Sub-processor to comply with terms no less protective than those provided in this Privacy Policy (a summary of such terms will be made available to Customer on request). Company shall be liable for the acts and omissions of any Sub-processor to the same extent as if the acts and omissions were performed by Company. Sub-processors may process such data within the EU or outside the EU.
- 5.2 Notification of New Sub-processors. Company may continue to use those Sub-processors already engaged by Company or any Company Affiliate as at the date of this Privacy Policy. Company shall make available to Customer through Company’s customer website a list of Sub-processors authorized to Process Customer Personal Data (“Sub-processor List”) and provide Customer with a mechanism to obtain notice of any updates to the Sub-processor List (“Sub-processor Notice”).
PART B
In addition to the terms set out in Part A above, the terms set out in this Part B shall apply to the Processing of Personal Data by Company on behalf of a Customer established in the European Union or otherwise subject to the requirements of the GDPR.
- 11.1 General Data Protection Regulation. With effect from 25 May 2018, Company will Process any Personal Data in accordance with the requirements of the GDPR as directly applicable to Company’s provision of the Services.
- 11.2 Subject Matter, Nature, Purpose and Duration of Data Processing. Company will Process Customer Personal Data to provide the Services. The duration of the Processing of Personal Data shall be for the term of the Principal Agreement.
- 11.3 Types of Personal Data and Categories of Data Subjects. The types of Personal Data shall be those determined by the Customer, being the Customer Personal Data, which, along with the categories of Data Subjects, may be more particularly described in the Principal Agreement.
- 11.4 Data Protection Impact Assessment and Prior Consultation.