Data Protection and Privacy Policy

It is a legal requirement for the company to comply with the General Data Protection Regulations (GDPR), 2018. It is also company policy to ensure that every employee maintains the confidentiality of any personal data held by the company in whatever form. This Policy sets out our approach to Data Protection and Information Security so that colleagues will be clear of their responsibilities and so that clients and suppliers can have confidence about how Computeam handles data.

Personal data means recorded information we hold about you from which you can be identified. It may include contact details, other personal information, photographs, expressions of opinion about you or indications as to our intentions about you.

Data protection

Principles of Data Protection

The company needs to keep certain information about its employees, customers and suppliers for financial and commercial reasons and to enable us to monitor performance, to ensure legal compliance and for health and safety purposes. To comply with the law, information must be collected and used fairly, stored safely and not disclosed to any other person unlawfully. This means that we must comply with the Data Protection Principles set out in the General Data Protection Regulations (GDPR), 2018.

Everyone who is responsible for using data has to follow strict rules called ‘data protection principles’. They must make sure the information is:

·                processed lawfully, fairly and in a transparent manner

·                collected and used for specified, explicit and legitimate purposes

·                used in a way that is adequate, relevant and limited to what is necessary

·                accurate, and where necessary, kept up to date

·                kept for no longer than is absolutely necessary

·                handled according to people’s data protection rights

·                processed in a manner that ensures appropriate security of the personal data

·                not transferred outside the European Union without adequate protection

As an employee of Computeam, in processing or using any personal information you must ensure that you follow these principles at all times.

It is the policy of Computeam to hold no sensitive information, such as:

·                ethnic background

·                political opinions

·                religious beliefs

·                sexual health

·                criminal records*

* Computeam uses an external agency to conduct an enhanced DBS (Formerly CRB) check on all current and prospective colleagues as part of our safeguarding procedure but this information is handled and processed externally and once cleared colleagues keep possession of their own data. These checks are processed every three years, in accordance to Department for Education guidelines.

Data protection officer

To ensure the implementation of this policy Computeam has designated Jon Crosse as the company’s data protection officer (DPO).

Notification of data held

As a staff member, client or supplier of Computeam you have the right to:

·                request access to any personal data the company holds about you and the purpose for which it is used;

·                prevent the processing of your data for direct-marketing purposes;

·                know how to gain access to it;

·                ask to have inaccurate data held about you amended;

·                prevent processing that is likely to cause unwarranted substantial damage or distress to you or anyone else;

·                object to any decision that significantly affects you being taken solely by a computer or other automated process;

·                know what the company is doing to comply with its obligations under the 2018  Regulations.

This information is available from the Data Protection Officer by written request to dpo@computeam.co.uk

Individual responsibility

As an employee of Computeam you are responsible for:

·                checking that any information that you provide in connection with your employment is accurate and up to date;

·                notifying the company of any changes to information you have provided, for example changes of address;

·                ensuring that you are familiar with and follow the data protection policy.

Any breach of the data protection policy, either deliberate or through negligence, may lead to disciplinary action being taken and could in some cases result in a criminal prosecution.

Data security

While working for Computeam all colleagues are responsible for ensuring that:

·                any personal data that we hold, whether in electronic or paper format, is kept securely;

·                personal information is not disclosed either verbally or in writing, accidentally or otherwise, to any unauthorized third party;

·                items that are marked ‘personal’ or ‘private and confidential’, or appear to be of a personal nature, are opened by the addressee only.

You should not use your office address or contact details for matters that are not work related.

Information Security

Access

Sensitive information requires strict control, very limited access and disclosure, and may be subject to legal restrictions. In some cases, information is highly sensitive because of its aggregation into a single document, regardless of whether it contains highly sensitive data elements.

Employees may frequently need to gain remote access to machines in order to complete a support ticket. At times, sensitive data may be accessible. Always ensure that before you access a device, you seek permission of the user prior to remoting on.

Security Classifications

Categories of information based upon intended use and expected impact if disclosed.

·                Public

Information intended for public use that, when used as intended, would have no adverse effect on the operations, assets, or reputation of Computeam, or Computeam’s obligations concerning information privacy.

·                Internal

Information not intended for parties outside Computeam that, if disclosed, would have minimal or no adverse effect on the operations, assets, or reputation of the Company, or the Computeam’s obligations concerning information privacy.

·                Sensitive

Information intended for limited use within Computeam that, if disclosed, could be expected to have a serious adverse effect on the operations, assets, or reputation of Computeam, or the Computeam’s obligations concerning information privacy.

·                Highly Sensitive

Information intended for very limited use within Computeam that, if disclosed, could be expected to have a severe adverse effect on the operations, assets, or reputation of the Computeam or Computeam’s obligations concerning information privacy.

Computeam regularly handle sensitive data and it is important for colleagues to be aware of the required procedures should they become aware that such data is being handled in the future.

Use, Transmission and Storage

The following controls are required when using, transmitting or storing highly sensitive information.

·                Do not discuss or display it in an environment where it may be viewed or overheard by unauthorized individuals.

·                Do not leave keys or access badges for rooms or file cabinets containing such information in areas accessible to unauthorized personnel.

·                When printing, photocopying or faxing it, ensure that only authorized personnel will be able to see the output.

·                Store paper documents in a locked drawer and in a locked room, or in another secure location when appropriate.

·                Properly identify such information as highly sensitive to all recipients, by labelling it "Highly Sensitive," providing training to personnel, explicitly mentioning the classification, or similar means.

·                Encrypt electronic information using an encryption algorithm approved by our suppliers

o    Placing it on removable media;

o    Placing it on a mobile computer (e.g., laptops, PDAs, smart phones); or

o    Sending it via e-mail to non-Computeam addresses.

·                Do not send this information via social media

·                Do not send  via unsecured file transfer unless it is encrypted.

·                Follow an established and documented software development lifecycle when building applications that process highly sensitive information.

Transport

The following controls are required when transporting highly sensitive information:

·                When sending such information by mail (including Postal Service etc.) in non-electric form, the sender must obtain tracking and signature confirmation services and use a tamper-evident sealed package.

·                When carrying unencrypted highly sensitive information, or devices containing such information, ensure that it is physically secure at all times.

Do not remove highly sensitive information from an approved secure location without prior approval of your manager.

Destruction

Computeam records should be destroyed only in accordance with company policy

·                Destroy electronic instances of information using Computeam approved method as described.

Reformatting a hard drive is not sufficient to securely remove all data.

·                Crosscut shred or pulp all highly sensitive information in paper form. This includes all transitory work products (e.g., unused copies, drafts, notes).

Documentation Retention

This paragraph represents Computeam Ltd’s policy regarding the retention and disposal of records and the retention and disposal of electronic documents.

The purpose of this policy is to ensure that necessary records and documents of are adequately protected and maintained and to ensure that records that are no longer needed by Computeam Ltd or are of no value are discarded at the proper time. Timescales for the retention and disposal of records for individual data types are outlined below.

Data Type	Retention and Deletion Timescale
Staff Employment Details	Data retained for duration of employment. Archived online upon employee leaving company. Details stored in personnel file are securely shredded after 24 months.
Staff Medical & Next of Kin Details	Data retained for duration of employment. Archived online upon employee leaving company. Details stored in personnel file are securely shredded after 24 months.
Client contact details	Data retained on system and deleted if/when individuals have left employment with the client site.
Supplier contact details	Data retained on system and deleted if individuals have left employment with the supplier.
Client Data	Clients are directly responsible for retention/deletion of their own data. Computeam may delete documents on behalf of the users (e.g. where files are not required to be backed up, they may be excluded from the backup).
Staff DBS records	Data retained for duration of employment and is deleted within 24 months of the end of employment.

For further information on how Computeam Ltd handles data, please contact your Data Protection Officer.

Passwords

Computeam Ltd’s password policy consists of a set of requirements designed to enhance computer security by encouraging users to employ strong passwords and use them properly. When setting passwords on company systems and property, you should ensure that they:

·       Aren’t easily guessed (e.g. “password123”), but are memorable to you

·       Contain a minimum of eight characters

·       Contain UPPERCASE and lowercase letters

·       Contain at least one special character (e.g. “!”, “@”, “?”)

·       Contain at least one numerical character

You should also ensure that you comply with the following general guidance regarding the setting and changing of passwords:

·       Avoid choosing passwords based on easily discoverable information such as your middle name or home address

·       Avoid using the same password for more than one system, otherwise a breach of one will lead to a breach of all systems

·       Consider saving more complex passwords in a password management solution, but avoid writing them down especially in locations close to your user device. If you require assistance in selecting a password management solution please consult with the Network Security team.

If you suspect that your password to a company system has been compromised,  please inform a member of the network security & admin team immediately and follow the process for changing your password. Please also ask the Network admin and security team for advice if you believe one of your personal passwords has been compromised.

Password Hints

If the system requires a password hint, avoid typing your password in here. This will not only give you the hint, but rogue accessors to the system too.

Changing Your Password

We recommend changing your password to all systems at least once every three months.

Network Admin & Security Team

Please seek the help of the Computeam Network Admin & Security team for advice and guidance on information security, to reset passwords or to pass on any concerns about system security.

The following policy outlines the data processing agreement between Computeam Ltd and their clients (data controllers).

Parties

(1)                 COMPUTEAM LIMITED a company registered in England and Wales with company number 03683744 whose registered office is at Suite 443 Broadstone Mill, Broadstone Road, Stockport, Cheshire, SK5 7DL (Supplier)

(2)                 Clients of Computeam Ltd

BACKGROUND

(A)                The Client owns any copyright and any database rights in the Client Data (as defined below).

(B)                 This agreement is supplemental to any Contract (as defined below) and introduces further contractual provisions to ensure the protection and security of the Client Data passed from the Client to the Supplier for processing.

Agreed terms

1.                   Interpretation

1.1                The following definitions and rules of interpretation apply in this agreement.

                        Applicable Law: the laws of any member of the European Union or by the laws of the European Union applicable to the Supplier.

                        Business Day: a day other than a Saturday, Sunday or public holiday in England when banks in London are open for business.

                        Business Purpose: the purpose or purposes as detailed in Schedule 1.

Charges: the charges payable by the Client to the Supplier for the supply of the Services as set out in the Contract.

                        Claim: has the meaning given in clause 6.2.

                        Client Data: means the data or information, in whatever form, described in Schedule 1 as supplied by the Client to the Supplier (and in relation to which the Supplier is providing the Services) which falls within the meaning of “data” defined by Data Protection Legislation and relates only to “personal data”, or any part of such personal data, of which the Client is a “data controller” (each having the meaning set out in Data Protection Legislation).

Client System: any information technology system or systems owned or operated by the Client from which Data is received in accordance with this agreement.

Contract: any separate agreement entered into between the parties in respect of the provision of the Services (as defined below) by the Supplier.

                        Confidential Information: all confidential information (however recorded or preserved) disclosed by a party or its employees, officers, representatives, advisers or subcontractors involved in the provision or receipt of the Services who need to know the confidential information in question (Representatives) to the other party and that party's Representatives in connection with this agreement, which is either labelled as such or else which should reasonably be considered as confidential because of its nature and the manner of its disclosure.

                        Commencement Date: the date of this agreement.

Data Protection Legislation: the DPA 1998, the GDPR, the Data Protection Directive (95/46/EC), the Regulation of Investigatory Powers Act 2000, the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000 (SI 2000/2699), the Electronic Communications Data Protection Directive (2002/58/EC)  the Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2426/2003) as amended by the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 (SI 2011/1208) and any national implementing laws, regulations and secondary legislation, as amended or updated from time to time in the UK and, if the GDPR is no longer directly applicable in the UK, any successor legislation to the GDPR or the DPA 1998.

                        DPA 1998: Data Protection Act 1998.

GDPR: the General Data Protection Regulation ((EU) 2016/679).

                        Processed Data: any Client Data that has been processed.

                        Services: the services to be supplied by the Supplier under the Contract.

                        Supplier System: any information technology system or systems owned or operated by the Supplier to which Data is delivered or on which the Services are performed in accordance with this agreement.

                        Term: has the meaning given to it in clause 8.1.

1.2                “Data subject”, “personal data”, “processing”, “process” and “appropriate technical and organisational measures” shall bear the meanings given to those terms respectively in Data Protection Legislation.

1.3                Clause, Schedule and paragraph headings shall not affect the interpretation of this agreement.

1.4                A person includes a natural person, corporate or unincorporated body (whether or not having separate legal personality).

1.5                The Schedules form part of this agreement and shall have effect as if set out in full in the body of this agreement. Any reference to this agreement includes the Schedules.

1.6                A reference to a company shall include any company, corporation or other body corporate, wherever and however incorporated or established.

1.7                Unless the context otherwise requires, words in the singular shall include the plural and in the plural shall include the singular.

1.8                Unless the context otherwise requires, a reference to one gender shall include a reference to the other genders.

1.9                A reference to a statute or statutory provision is a reference to it as amended, extended or re-enacted from time to time.

1.10            A reference to a statute or statutory provision shall include all subordinate legislation made from time to time under that statute or statutory provision.

1.11            A reference to writing or written includes email.

1.12            Any words following the terms including, include, in particular or for example or any similar phrase shall be construed as illustrative and shall not limit the generality of the related general words.

1.13            In the case of conflict or ambiguity between any of the provisions of this agreement and the provisions of any Contract, the provisions of this agreement shall prevail.

2.                   Scope of Processing

2.1                Both parties will comply with all applicable requirements of the Data Protection Legislation. This clause 2.1 is in addition to, and does not relieve, remove or replace, a party's obligations under the Data Protection Legislation.

2.2                The parties acknowledge that for the purposes of the Data Protection Legislation, the Client is the data controller and the Supplier is the data processor (where “data controller” and “data processor” have the meanings as defined in the Data Protection Legislation).  Schedule 1 sets out the scope, nature and purpose of processing by the Supplier, and the types of personal data (as defined in the Data Protection Legislation).  The duration of the processing shall be for the period as set out in any Contract between the parties from time to time, or otherwise, for the duration of this agreement and until this agreement is terminated in accordance with clause 8.

2.3                Without prejudice to the generality of clause 2.1, the Client will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the Client Data to the Supplier for the duration and purposes of this agreement.

2.4                During the Term, the Supplier shall process the Client Data it receives from the Client:

(a)            solely for the Business Purpose, only to the extent is reasonably necessary to achieve the Business Purpose and for no other purpose except with the express written consent of the Client (and shall only make copies of the Client Data to the extent reasonably necessary for the Business Purpose (which, for clarity, includes back-up, mirroring (and similar availability enhancement techniques), security, disaster recovery and testing of the Client Data); and

(b)            only in accordance with the Client’s written instructions from time to time (provided the Supplier shall not be required to do so where such actions may breach any Applicable Law, in which case the Data Processor shall notify the Data Controller of the reasons for any breach it considers to be possible or likely unless the Applicable Law prohibits the Supplier from so notifying the Client).

2.5                The Client acknowledges that the Supplier is under no duty to investigate the completeness, accuracy or sufficiency of the Client’s instructions or the Client Data.

3.                   Obligations of the Supplier

3.1                Without prejudice to the generality of clause 2.1, the Supplier shall, in relation to any Client Data processed in connection with the performance by the Supplier of its obligations under this agreement:

(a)            ensure that it has in place appropriate technical and organisational measures as set out in clause 5;

(b)            ensure that all personnel who have access to and/or process Client Data are obliged to keep the Client Data confidential;

(c)            not transfer any Client Data outside of the European Economic Area unless the prior written consent of the Client has been obtained and the following conditions are fulfilled:

(i)              the Client or the Supplier has provided appropriate safeguards in relation to the transfer;

(ii)            the data subject has enforceable rights and effective legal remedies;

(iii)           the Supplier complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Client Data that is transferred; and

(iv)           the Supplier complies with reasonable instructions notified to it in advance by the Client with respect to the processing of the Client Data;

(d)            assist the Client, at the Client's cost, in responding to any request from a data subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators;

(e)            notify the Client without undue delay on becoming aware of a security breach concerning the Client Data, or if the Client Data is lost or destroyed or becomes damaged or corrupt or unusable (Data Breach);

(f)             at the written direction of the Client, delete or return Client Data and copies thereof to the Client on termination of the agreement in accordance with clause 8.3, unless it is required by any Applicable Law to keep copies of the Client Data;

(g)            where the Client gives notice to the Supplier that it considers a Data Breach to be likely to result in a “high risk” (given the meaning set out in the GDPR) to data subjects, the Supplier shall provide the Client with reasonable cooperation and assistance in relation to any notification or other communication that is given to the data subjects affected by the Data Breach; and

(h)            maintain complete and accurate records and information to demonstrate its compliance with this clause 3.1 and allow for audits by the Client or the Client's designated auditor in accordance with clause 4.

4.                   Audit

4.1                The Supplier shall keep at its normal place of business detailed, accurate and up-to-date records relating to the processing of the Processed Data by the Supplier and to the measures taken under clause 5, including the permissioning and control of the Processed Data (Records).

4.2                The Supplier shall for the purpose of auditing the Supplier's compliance with its obligations under this agreement permit the Client and its third-party representatives, on not less than 10 Business Days’ notice  during normal business hours to:

(a)            have access to, and take copies of, the Records and any other information held at the Supplier's premises or on the Supplier System; and

(b)            inspect all Records, documents and electronic data and the Supplier System and facilities and equipment.

Such audit rights may be exercised only once in any calendar year during the Term save to the extent that the Supplier is in material breach of its obligations under this agreement or any Data Protection Legislation and in such circumstances the notice period referred to in this clause 4.2 shall not apply.

4.3                The Supplier shall give all necessary assistance to the conduct of such audits during the Term.

4.4                Audit access by any third party representative of the Client shall be subject to such representative agreeing confidentiality obligations equivalent to those in clause 10 in respect of the information obtained.

5.                   Security Measures

5.1                The Supplier shall, in relation to any Client Data processed in connection with the performance by the Supplier of its obligations under this agreement, ensure that it has in place appropriate technical and organisational measures, to protect against accidental, unauthorised or unlawful processing or alteration of Client Data and against accidental loss or destruction of, damage or alteration to Client Data, appropriate to the harm that might result from the accidental, unauthorised or unlawful processing or loss, destruction, alteration or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures.  Such measures may include, where appropriate:

(a)            pseudonymising and encrypting Client Data,

(b)            ensuring confidentiality, integrity, availability and resilience of its systems and services;

(c)            ensuring that availability of and access to Client Data can be restored in a timely manner after an incident; and

(d)            regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it.

6.                   Client Warranties and Indemnity

6.1                The Client warrants and represents that:

(a)            the processing of the Client Data from time to time (including processing for direct marketing purposes) has been carried out in accordance with the Data Protection Legislation at all times;

(b)            it is not aware of any circumstances likely to give rise to breach of any of the Data Protection Legislation in the future;

(c)            the Supplier is entitled to process the Client Data for the Business Purpose and such use will comply with all Data Protection Legislation;

(d)            all data subjects relating to the Client Data have given their valid written consent and, where required under the Data Protection Legislation, their explicit consent to the transfer of their personal data by the Client to the Supplier and to the processing of their personal data by the Supplier for the Business Purpose within the European Economic Area;

(e)            all Client Data is necessary, accurate and up-to-date;

(f)             the Client Data contains nothing that is defamatory or indecent; and

(g)            it is registered with all relevant data protection authorities to process all Client Data for the Business Purpose.

6.2                The Client shall indemnify the Supplier against all claims, liabilities, costs, expenses, damages and losses and all other reasonable professional costs and expenses) suffered or incurred by the Supplier arising out of or in connection with the processing of the Client Data under this agreement (Claim), except to the extent that the Claim has arisen out of or in connection with any negligence or wilful default of the Supplier.

6.3                The Client acknowledges that:

(a)            the Supplier is reliant on the Client for direction as to the extent to which the Supplier is entitled to use and process the Client Data; and

(b)            any Claim includes any claim or action brought by a data subject arising from any action or omission by the Supplier, to the extent that such action or omission resulted directly or indirectly from the Client's instructions.

6.4                If any third party makes a Claim, or notifies an intention to make a Claim, the Supplier shall:

(a)            give written notice of the Claim to the Client as soon as reasonably practicable;

(b)            not make any admission of liability in relation to the Claim without the prior written consent of the Client;

(c)            at the Client's request and expense, allow the Client to conduct the defence of the Claim including settlement; and

(d)            at the Client's expense, co-operate and assist to a reasonable extent with the Client's defence of the Claim.

7.                   Limitation of liability

7.1                Nothing in this agreement shall limit or exclude the Supplier's liability for:

(a)            death or personal injury caused by its negligence, or the negligence of its employees, agents or subcontractors;

(b)            fraud or fraudulent misrepresentation; or

(c)            any other liability which cannot be limited or excluded by applicable law.

7.2                Subject to clause 7.1, neither party shall be liable to the other party, whether in contract, tort (including negligence), for breach of statutory duty, or otherwise, arising under or in connection with the Contract for:

(a)            loss of profits;

(b)            loss of sales or business;

(c)            loss of agreements or contracts;

(d)            loss of anticipated savings;

(e)            loss of use or corruption of software, data or information;

(f)             loss of or damage to goodwill or reputation; or

(g)            any indirect or consequential loss.

7.3                Subject to clause 7.1, the Supplier's total liability to the Client, whether in contract, tort (including negligence), breach of statutory duty, or otherwise, arising under or in connection with this agreement shall be limited to an amount equal to the aggregate value of the Charges in the 12 month period prior to the date of the breach that gives rise to the liability of the Supplier to the Client (or in the case of multiple breaches, the 12 month period shall be calculated from the date of the first such breach).

8.                   Term and termination

8.1                Subject to earlier termination in accordance with clause 8.2, this agreement shall commence on the Commencement Date and shall remain in force until terminated upon the later of (Term):

(a)            termination of the Contract; or

(b)            in the absence of a Contract, the expiry of 20 Business Days’ written notice.

8.2                Without prejudice to any rights that have accrued under this agreement or any of its rights or remedies, either party may at any time terminate this agreement with immediate effect by giving written notice to the other party if:

(a)            the other party commits a material breach of any material term of this agreement and (if such breach is remediable) fails to remedy that breach within a period of 10 Business Days after being notified in writing to do so;

(b)            the other party takes any step or action in connection with its entering administration, provisional liquidation or any composition or arrangement with its creditors (other than in relation to a solvent restructuring), being wound up (whether voluntarily or by order of the court, unless for the purpose of a solvent restructuring), having a receiver appointed to any of its assets or ceasing to carry on business or, if the step or action is taken in another jurisdiction, in connection with any analogous procedure in the relevant jurisdiction;

(c)            the other party suspends, or threatens to suspend, or ceases or threatens to cease to carry on all or a substantial part of its business; or

(d)            the other party's financial position deteriorates to such an extent that in the terminating party's opinion the other party's capability to adequately fulfil its obligations under the Contract has been placed in jeopardy.

8.3                Upon receipt of  written notice of termination from the Client or upon giving written notice of termination to the Client by the Supplier (in either case whether in respect of this agreement or the Contract), the Supplier shall as soon as reasonably practicable:

(a)            return or destroy any Client Data (at the absolute discretion of the Client and in such manner as the Client may reasonably direct in writing) that is in the possession or control of the Supplier, its employees, agents, subcontractors and/or sub-processors;

(b)            to the extent technically and legally practicable, erase all Client Data from its computer and communications systems and devices used by it, or which is stored in electronic form;

(c)            use its reasonable endeavours to procure that any third parties erase all Data to the extent technically and legally practicable which is stored in electronic form on systems and data storage services provided by third parties; and

(d)            certify in writing to the Client (by a certificate signed by a director of the Supplier) that it has complied with its obligations under this clause 8.3.

8.4                Notwithstanding termination, all provisions of this agreement will remain in force until the Supplier has complied with the terms of clause 8.3.  Termination of this agreement shall not affect any rights, remedies, obligations or liabilities of the parties that have accrued up to the date of termination, including the right to claim damages in respect of any breach of the agreement which existed at or before the date of termination.

8.5                Clauses 2.1, 6, 7, 10, and 13 shall survive termination of this agreement.

9.                   Force majeure

Neither party shall be in breach nor liable for delay in performing, or failure to perform, any of its obligations under the Contract if such delay or failure result from events, circumstances or causes beyond its reasonable control.  In such circumstances the time for performance shall be extended by a period equivalent to the period during which performance of the obligation has been delayed or failed to be.  If the period of delay or non-performance continues for 6 weeks, the party not affected may terminate this agreement by giving 10 Business Days’ written notice to the affected party.

10.                Confidentiality

10.1            The Supplier acknowledges that the Client's Confidential Information includes any Client Data.

10.2            The term Confidential Information does not include any information that:

(a)            is or becomes generally available to the public (other than as a result of its disclosure by the receiving party or its Representatives in breach of this clause 10);

(b)            was available to the receiving party on a non-confidential basis before disclosure by the disclosing party;

(c)            was, is, or becomes, available to the receiving party on a non-confidential basis from a person who, to the receiving party's knowledge, is not bound by a confidentiality agreement with the disclosing party or otherwise prohibited from disclosing the information to the receiving party;

(d)            was known to the receiving party before the information was disclosed to it by the disclosing party;

(e)            the parties agree in writing is not confidential or may be disclosed; or

(f)             is developed by or for the receiving party independently of the information disclosed by the disclosing party.

10.3            Each party shall keep the other party's Confidential Information confidential and shall not:

(a)            use any Confidential Information except for the Business Purpose; or

(b)            disclose any Confidential Information in whole or in part to any third party, except as expressly permitted by this clause 10.

10.4            A party may disclose the other party's Confidential Information to those of its Representatives who need to know that Confidential Information for the Business Purpose, provided that:

(a)            it informs those Representatives of the confidential nature of the Confidential Information before disclosure; and

(b)            at all times, it is responsible for the Representatives' compliance with the confidentiality obligations set out in this clause 10.

10.5            A party may disclose Confidential Information to the extent required by Applicable Law, by any governmental or other regulatory authority, or by a court or other authority of competent jurisdiction provided that, as far as it is legally permitted to do so, it gives the other party as much notice of the disclosure as possible.

10.6            Each party reserves all rights in its Confidential Information. No rights or obligations in respect of a party's Confidential Information, other than those expressly stated in this agreement, are granted to the other party, or are to be implied from this agreement.

10.7            The provisions of this clause 10 shall continue to apply after termination of this agreement.

11.                Assignment and Subcontracting

11.1            This agreement is personal to the Client and it shall not assign, transfer, mortgage, charge, subcontract, declare a trust of or deal in any other manner with any of its rights and obligations under this agreement without the prior written consent of the Supplier.

11.2            The Client confirms it is acting on its own behalf and not for the benefit of any other person.

11.3            The Client consents and authorises the Supplier to appoint a third party (Subcontractor) to process the Client Data provided that the Subcontractor's contract:

(a)            is on terms that are substantially the same as those set out in this agreement; and

(b)            terminates automatically on termination of this agreement for any reason.

11.4            As between the Client and the Supplier, the Supplier shall remain fully liable for all acts or omissions of any Subcontractor appointed by it pursuant to clause 11.3.

12.                Waiver

No failure or delay by a party to exercise any right or remedy provided under this agreement or by law shall constitute a waiver of that or any other right or remedy, nor shall it prevent or restrict the further exercise of that or any other right or remedy. No single or partial exercise of any right or remedy shall prevent or restrict the further exercise of that or any other right or remedy.

13.                Rights and remedies

Except as expressly provided in this agreement, the rights and remedies provided under this agreement are in addition to, and not exclusive of, any rights or remedies provided by law.

14.                Notice

14.1            Any notice or other communication given to a party under or in connection with this agreement shall be in writing and shall be delivered by hand or by pre-paid first-class post or other next working day delivery service at its registered office (if a company) or its principal place of business (in any other case); or sent by email to the address specified in the Contract (if any).

14.2            Any notice or other communication shall be deemed to have been received: if delivered by hand, on signature of a delivery receipt or at the time the notice is left at the proper address; if sent by pre-paid first class post or other next working day delivery service, at 9.00 am on the second Business Day after posting or at the time recorded by the delivery service; or, if sent by email, at 9.00 am on the next Business Day after transmission.

14.3            This clause does not apply to the service of any proceedings or other documents in any legal action or, where applicable, any other method of dispute resolution.

15.                Entire agreement

15.1            This agreement constitutes the entire agreement between the parties and supersedes and extinguishes all previous agreements, promises, assurances, warranties, representations and understandings between them, whether written or oral, relating to its subject matter.

15.2            Each party acknowledges that in entering into this agreement it does not rely on, and shall have no remedies in respect of, any statement, representation, assurance or warranty (whether made innocently or negligently) that is not set out in this agreement.

15.3            Each party agrees that it shall have no claim for innocent or negligent misrepresentation based on any statement in this agreement.

16.                Variation

Except as expressly provided in this agreement, no variation of this agreement shall be effective unless it is in writing and signed by the parties (or their authorised representatives).

17.                Severance

17.1            If any provision or part-provision of this agreement is or becomes invalid, illegal or unenforceable, it shall be deemed modified to the minimum extent necessary to make it valid, legal and enforceable. If such modification is not possible, the relevant provision or part-provision shall be deemed deleted. Any modification to or deletion of a provision or part-provision under this clause shall not affect the validity and enforceability of the rest of this agreement.

17.2             If any provision or part-provision of this agreement is invalid, illegal or unenforceable, the parties shall negotiate in good faith to amend such provision so that, as amended, it is legal, valid and enforceable, and, to the greatest extent possible, achieves the intended commercial result of the original provision.

18.                No partnership or agency

Nothing in this agreement is intended to, or shall be deemed to, establish any partnership or joint venture between any of the parties, constitute any party the agent of another party, nor authorise any party to make or enter into any commitments for or on behalf of any other party.

19.                Third-party rights

19.1            Unless it expressly states otherwise, this agreement does not give rise to any rights under the Contracts (Rights of Third Parties) Act 1999 to enforce any term of this agreement.

19.2            The rights of the parties to rescind or vary this agreement are not subject to the consent of any other person.

20.                Governing law

This agreement and any dispute or claim arising out of or in connection with it or its subject matter or formation (including non-contractual disputes or claims) shall be governed by and construed in accordance with the law of England and Wales.

21.                Jurisdiction

21.1            Each party irrevocably agrees that the courts of England and Wales shall have exclusive jurisdiction to settle any dispute or claim arising out of or in connection with this agreement or its subject matter or formation (including non-contractual disputes or claims).

This agreement has been entered into on the date stated at the beginning of it.

Schedule 1                  Client Data,  Purpose and Processing

This Schedule sets out the nature of the processing to be carried out by the Supplier, the particulars of the Client Data to be provided by the Client and the purpose for which the Client Data is provided, subject to any variation, amendment, or as more particularly described in any Contract entered into between Client and Supplier from time to time.

The Client agrees to provide, facilitate and/or grant access to the relevant Client Data required by the Supplier for the Business Purpose.