In this Policy, unless the context otherwise requires, the following expressions have the following meanings:
“Client” means the counterparty to the Service Agreement with TGC;
“processing” shall have the meaning given to the term in Article 4 of the GDPR;
“Data Subject” means former and current officers, employees and/or directors of the Client;
“GDPR” means Regulation (EU) 2016/679 (General Data Protection Regulation);
“Personal Data” means all such “personal data”, as defined in Article 4 of the GDPR, as is, or is to be, processed by TGC on behalf of the Client;
“Service Agreement” means any agreement or contract between the Client and TGC;
“Services” means the global compliance and corporate administration services which are provided by TGC to the Client;
“Sub-Processor” means a sub-processor appointed by TGC to process the Personal Data;
“Sub-Processing Agreement” means an agreement between TGC and a Sub-Processor governing the Personal Data processing carried out by the Sub-Processor; and
“TGC” means Think Global Compliance Limited.
This Policy shall apply to the processing of the Personal Data, carried out for the Client by TGC, and to all Personal Data held by TGC in relation to all such processing.
Personal Data may include names, dates of birth, and contact details of Data Subjects. The exact details of the Personal Data that will be processed by TGC as Processor and held by TGC on behalf of the Client are described in the Service Agreement.
3. Provision of the Services and Processing Personal Data
TGC is only to carry out the Services, and only to process the Personal Data received from the Client:
- for the purposes of those Services and not for any other purpose; and
- to the extent and in such a manner as is necessary for those purposes.
4. Data Protection Compliance
TGC shall promptly comply with any request from the Client and/or Data Subject(s) requiring TGC to amend, transfer, delete, or otherwise dispose of the Personal Data.
TGC shall transfer all Personal Data to the Client on the Client’s request in the formats, at the times.
The Client and TGC shall comply at all times with the GDPR and other applicable data protection laws and shall not perform their obligations under this Policy or any other agreement or arrangement between themselves in such way as to cause either Party to breach any of its applicable obligations under the GDPR.
The Client warrants, represents, and undertakes that the Personal Data shall comply with the GDPR in all respects including, but not limited to, its collection, holding, and processing.
TGC agrees to comply with any reasonable measures required by the Client to ensure that its obligations under this Policy are satisfactorily performed in accordance with any and all applicable legislation from time to time in force (including, but not limited to, the GDPR).
TGC shall provide all reasonable assistance (at the Client’s cost) to the Client in complying with its obligations under the GDPR with respect to the security of processing, the notification of personal data breaches, and the conduct of data protection impact assessments.
When processing the Personal Data on behalf of the Client, TGC shall:
- process the Personal Data only to the extent, and in such manner, as is necessary in order to comply with its obligations to the Client or as may be required by law (in which case, TGC shall inform the Client of the legal requirement in question before processing the Personal Data for that purpose unless prohibited from doing so by law);
- taking into account that no service or system is completely secure, implement technical and organisational measures, and take all steps necessary to protect the Personal Data against unauthorised or unlawful processing, accidental loss, destruction, damage, alteration, or disclosure;
- on reasonable prior notice, submit to audits and inspections and provide the Client with any information reasonably required in order to assess and verify compliance with the provisions of this Policy and both Parties’ compliance with the requirements of the GDPR; and
- inform the Client immediately if it is asked to do anything that infringes the GDPR or any other applicable data protection legislation.
5. Data Subject Access, Complaints, and Breaches
TGC shall, at the Client’s cost, assist the Client in complying with its obligations under the GDPR.
TGC shall, at the Client’s cost, cooperate fully with the Client and assist as required in relation to any subject access request, complaint, or other request, including by:
- providing the necessary information and assistance in order to comply with a subject access request;
- providing the Client with any Personal Data it holds in relation to a Data Subject (within the timescales required by the Client); and
- providing the Client with any other information requested by the Client.
TGC shall notify the Client immediately if it becomes aware of any form of Personal Data breach, including any unauthorised or unlawful processing, loss of, damage to, or destruction of any of the Personal Data.
6. Liability and Indemnity
The Client shall be liable for, and shall indemnify (and keep indemnified) TGC in respect of any and all action, proceeding, liability, cost, claim, loss, expense, or demand suffered or incurred by, awarded against, or agreed to be paid by, TGC and any Sub-Processor arising directly or in connection with:
- any non-compliance by the Client with the GDPR or other applicable legislation;
- any Personal Data processing carried out by TGC or Sub-Processor in accordance with instructions given by the Client that infringe the GDPR or other applicable legislation; or
- any breach by the Client of its obligations under this Agreement, except to the extent that TGC or Sub-Processor is liable.
TGC shall be liable for, and shall indemnify (and keep indemnified) the Client in respect of any and all action, proceeding, liability, cost, claim, loss, expense (including reasonable legal fees and payments on a solicitor and client basis), or demand suffered or incurred by, awarded against, or agreed to be paid by, the Client arising directly or in connection with TGC’s Personal Data processing activities:
- only to the extent that the same results from the Data Processor’s or a Sub-Processor’s breach of this Agreement; and
- not to the extent that the same is or are contributed to by any breach of this Policy by the Client.
The Client shall not be entitled to claim back from TGC or Sub-Processor any sums paid in compensation by the Client in respect of any damage to the extent that the Client is liable to indemnify TGC or Sub-Processor.
Nothing in this Policy shall relieve either Party of, or otherwise affect, the liability of either Party to any data subject, or for any other breach of that Party’s direct obligations under the GDPR.
TGC shall not process or make any use of any Personal Data supplied to it by the Client otherwise than in connection with the provision of the Services to the Client.
TGC shall ensure that all personnel who are to access and/or process any of the Personal Data are contractually obliged to keep the Personal Data confidential.
Nothing in this Policy shall prevent either Party from complying with any requirement to disclose Personal Data where such disclosure is required by law. In such cases, the Party required to disclose shall notify the other Party of the disclosure requirements prior to disclosure, unless such notification is prohibited by law.
8. Appointment of Sub-Processors
At times TGC may appoint third parties to provide some of the Services or assist with providing technical support, for instance IT service providers or other suppliers. By signing the Service Agreement, the Client authorises TGC to subcontract the Processing of Personal Data to Sub-Processors. In the event that TGC appoints a Sub-Processor, TGC shall enter into a Sub-Processing Agreement with the Sub-Processor which shall impose upon the Sub-Processor the same obligations as are imposed upon TGC by this Policy and which shall permit both TGC and the Client to enforce those obligations.
9. Deletion and/or Disposal of Personal Data
TGC shall, at the written request of the Client, delete (or otherwise dispose of) the Personal Data or return it to the Client in the format(s) reasonably requested by the Client within a reasonable time after the earlier of the following:
- the end of the provision of the Services under the Service Agreement; or
- the processing of that Personal Data by TGC is no longer required for the performance of TGC’s obligations under the Service Agreement.
Following the deletion, disposal, or return of the Personal Data, TGC shall delete (or otherwise dispose of) all further copies of the Personal Data that it holds, unless retention of such copies is required by law, in which case TGC shall inform the Client of such requirement(s) in writing.
10. THINK ONLINE™
If Data Subjects have been given access rights to THINK Online™ by their TGC account manager, it is recommended that they take note of the privacy notice associated with this service. Data Subjects will have access to the notice once they log onto THINK Online™.
11. Contact TGC
If Data Subjects have any questions about their Personal Data or this Personal Data Policy, please contact TGC by email at firstname.lastname@example.org, by telephone on +44 20 3963 1950, or by post at The Epworth, 25 City Road, London EC1Y 1AA, United Kingdom.