Equipment Data Service Data Protection: Processor Provisions

The following definitions apply to these provisions:

The terms Controller, Data Subject, Personal Data, Personal Data Breach, Process, Processing and Processor shall have the meanings set out in the Data Protection Legislation.

Applicable Law means: all applicable laws, statutes, regulations, decrees, directives, legislative enactments, orders, binding decisions of a competent Court or Tribunal, rule, regulatory policies, guidelines, codes, other binding restriction, regulatory permits and licences applicable under law which are in force from time to time during the term of this Agreement to which a Party and/or any Processing of Personal Data is subject from time to time;

Data Processing Particulars means: in relation to any Processing under these provisions by Jisc as a Processor on behalf of the Institution as Controller:

  • the subject matter and duration of the Processing;
  • the nature and purpose of the Processing;
  • the type of Personal Data being Processed; and
  • the categories of Data Subjects;

Data Protection Legislation means: any law, statute, declaration, decree, directive, legislative enactment, order, ordinance, regulation, rule or other binding restriction which relates to the protection of individuals with regards to the processing of personal data to which a Party is subject for the purposes of this Agreement, including the Data Protection Act 2018 and the General Data Protection Regulation 2016/679 (EU GDPR) as each is amended in accordance with the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (as amended by SI 2020 no. 1586) and incorporated into UK law under the UK European Union (Withdrawal) Act 2018, as amended, to be referred to as DPA 2018 and the UK GDPR respectively;

Permitted Country means: a country, territory or jurisdiction that is either: (a) within the UK or the European Economic Area; or (b) outside of the UK or European Economic Area but which is the subject of an adequacy determination by the UK Secretary of State or the European Commission (as applicable);

Regulator means: the ICO and any other independent public authority which has jurisdiction over a party, including any regulator or supervisory authority which is responsible for the monitoring and application of the Data Protection Legislation;

Regulator Correspondence means: any correspondence or communication (whether written or verbal) from the Regulator.

1. To the extent that you make available or share any Personal Data with us as Controller, you shall:

  • Ensure you are not subject to any prohibition or restriction which would:
    • prevent or restrict you from disclosing or transferring the Personal Data to us, as required under these provisions;
    • prevent or restrict you from granting us access and a licence to use the Personal Data, as required under these provisions;
    • prevent or restrict us from Processing the Personal Data, as envisaged in these provisions.
  • Ensure that all fair processing notices have been given (and/or, as applicable, consents obtained) and are sufficient in scope to enable us to Process the Personal Data as required to deliver the Equipment Data Service in accordance with the Data Protection Legislation; and
  • Implement appropriate systems and procedures (where relevant) to ensure that all Personal Data disclosed or transferred to, or accessed by, us is accurate, relevant and not excessive.

2. In relation to any Personal Data that the Institution (as a Controller) provides or makes available to Jisc (as a Processor), or that Jisc Processes on the Institution's behalf pursuant to these Terms, Jisc shall:

  • use, access or otherwise Process the Personal Data only in accordance with the Institution's lawful instructions;
  • take, implement, maintain and monitor appropriate technical and organisational measures which are sufficient to comply with at least the obligations placed on the Institution by the requirements regarding the security of the Personal Data, as set out in the Data Protection Legislation;
  • not transfer any Personal Data outside a Permitted Country without the Institution's prior written consent;
  • ensure the reliability and integrity of Jisc's employees, consultants, contractors and staff involved in the Processing of (and who will have access to) those Personal Data (Jisc Personnel), and shall ensure that all such individuals shall have entered into an appropriate contractual agreement that requires them to keep the Personal Data confidential;
  • on the Institution's request, allow the Institution or any regulator to audit Jisc's compliance with this section 2;
  • not sub-contract any Processing of the Personal Data unless the relevant sub-contractor is engaged by way of a written contract which imposes obligations on the sub-contractor which are at least equivalent to (and no less onerous than) the obligations imposed on Jisc pursuant to this section 2 and Jisc will remain primarily liable under these provisions for all acts and omissions of its sub-contractors and the acts or omissions of those employed or engaged by these sub-contractors, as if they were those of Jisc;
  • comply with the obligations imposed upon a Processor under the Data Protection Legislation, and use all reasonable endeavours to assist the Institution to comply with the requirements of the Data Protection Legislation (including the obligations pursuant to Articles 32 to 36 of the UK GDPR (inclusive)); and
  • on instruction from the Institution, cease Processing all Personal Data and return to the Institution all Personal Data (and all copies under its possession or control), except to the extent Jisc is required to retain copies by Applicable Law.

3. Both Jisc and the Institution acknowledge and agree that the Data Protection Particulars table below sets out an accurate description of the Data Protection Particulars:

| Data Protection Particulars | Description |
|---|---|
| The subject matter and duration of the Processing | The Personal Data will be Processed for the purposes of provision of the Equipment Data Service. All such Processing will be for as long as the Institution's equipment register is available on the Equipment Data Service database. |
| The nature and purpose of the Processing | Personal Data will be Processed to provide relevant contact points for the particular research equipment held by the research institution. This is published in the Equipment Data Service database to enable contact to be made about the equipment. Where global IDs are provided for contacts to be able to aggregate related citations. |
| The type of Personal Data being Processed | The Personal Data Processed for provision of the Equipment Data Service are: Institution's staff names and business emails who appear on the Equipment Data Service database. |
| The categories of Data Subjects | The Data Subjects are Institution staff whose contact details appear on the Equipment Data Service database. |

4. Jisc shall notify the Institution immediately (and in any event, within forty-eight (48) hours), if it:

  • becomes aware of any: (a) Personal Data Breach; (b) breach of these data protection terms or (c) breach of the Data Protection Legislation, whether committed by Jisc, Jisc Personnel, or any sub-contractors appointed by Jisc;
  • is required by any Applicable Law to act other than in accordance with any of the Institution's instructions given under section 2 provided Jisc is not prohibited by law from so notifying the Institution; or
  • considers, in its opinion (acting reasonably), that any of the Institution's instructions under section 2 infringe any of the Data Protection Legislation.

5. Jisc will notify the Institution promptly (and in any event within forty-eight (48) hours) following its receipt of any actual or purported request or notice or complaint from (or on behalf of) a Data Subject exercising their rights under the Data Protection Legislation (a Data Subject Request) or any correspondence or communication (whether written or verbal) from the Regulator, and shall:

  • not disclose any Personal Data in response to any Data Subject Request or Regulator Correspondence without the Institution's prior written consent; and
  • provide the Institution with all reasonable co-operation and assistance required by the Institution in relation to any such Data Subject Request or Regulator Correspondence.

Equipment Data Service is a Jisc product

This work is licensed under the CC BY-NC-ND 4.0.
