Data protection clauses - from 12 May 2020
1. Definitions and interpretation
1.1 For the purposes of the clauses set out in this document (the "ClearBank Data Protection Clauses"), the terms below shall have the following meaning:
"Agreement" means the agreement into which these ClearBank Data Protection Clauses are deemed to be incorporated by reference;
"ClearBank" means the ClearBank entity which is party to the Agreement;
"ClearBank Portal" means the online service management portal made available to you by or on behalf of ClearBank from time to time;
"Commencement Date" means the date from which any Services are first made available to you;
"Data Policies" has the meaning given to it in clause 2.7.2;
"Data Protection Legislation" means (i) any legislation in force from time to time in the United Kingdom which implements the European Community's Directive 95/46/EC and Directive 2002/58/EC, including the Data Protection Act 1998 and the Privacy and Electronic Communications (EC Directive) Regulations 2003; (ii) from 25 May 2018 only, Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (the "General Data Protection Regulation"); (iii) any other applicable legislation in force from time to time in the United Kingdom and/or Jersey relating to privacy and/or the processing of personal data; and (iv) any guidance or statutory codes of practice issued by the Information Commissioner or the European Data Protection Board set up under the General Data Protection Regulation or any other competent authority in relation to such legislation;
"Security Incident" means any incident of accidental or unlawful destruction or accidental loss, alteration, unauthorised or accidental disclosure of or access to personal data that is likely to result in a high risk to the rights and freedoms of natural persons;
"Services" means any services provided to you by or on behalf of ClearBank under the Agreement from time to time; and
"you" means the party to the Agreement other than ClearBank, and "your" shall be construed accordingly.
1.2 The terms "processing" (and its derivatives), "personal data", "data controller", "data processor" and "data subject" will, where used in the ClearBank Data Protection Clauses, have the meanings given to them under the Data Protection Legislation.
1.3 ClearBank reserves the right to update these ClearBank Data Protection Clauses from time to time in order to comply with its obligations under Data Protection Legislation. The prevailing terms shall be those of the most recent version of the ClearBank Data Protection Clauses made available on the ClearBank Portal and/or the ClearBank website.
2. Data protection principles
2.1 ClearBank has developed its Services with IT security and the Data Protection Legislation in mind, in accordance with its primary role as a data processor.
2.2 You may provide data to ClearBank which will include personal data in connection with the Agreement. Each party acknowledges that ClearBank will process the personal data you provide to it:
2.2.1 for the purpose of the performance of ClearBank's obligations under, and the provision of the Services pursuant to, the Agreement; and
2.2.2 for the duration of the Agreement only.
2.3 Each party acknowledges that:
2.3.1 if personal data are processed in connection with the Agreement, the categories of data subjects and types of personal data will be as specified in the Agreement;
2.3.2 ClearBank will be a data processor acting on your behalf and in accordance with your written instructions in relation to the processing of personal data pursuant to ClearBank's performance of the Services under the Agreement; and
2.3.3 under certain circumstances, each party will be a data controller in connection with the processing of personal data where you provide ClearBank with personal data and ClearBank uses such personal data:
A. to comply with its own obligations under any applicable law;
B. for statistical or other analytical purposes;
C. as part of its claims management processes;
D. as part of ancillary non-clearing services that ClearBank provides to you; or
E. in any other context which requires ClearBank to determine the purposes and means of such processing.
2.4 To the extent that ClearBank acts as a data processor pursuant to the Agreement or in accordance with Data Protection Legislation, ClearBank will:
2.4.1 only process personal data to the extent, and in such a manner, as is necessary for the performance of ClearBank's obligations under the Agreement and in accordance with your written instructions as set out in the Agreement or as otherwise instructed from time to time, and will not process such personal data for any other purpose;
2.4.2 implement and ensure compliance with appropriate technical and organisational measures to protect the security of personal data processed by ClearBank in performance of the Services, and to protect personal data against unauthorised or unlawful processing, accidental or unlawful destruction and damage or accidental loss, alteration, unauthorised disclosure, or access;
2.4.3 take reasonable steps to ensure the reliability and trustworthiness of employees or agents which have access to any personal data, and ensure that such employees or agents are under confidentiality obligations;
2.4.4 to the extent permitted by applicable laws, promptly notify you of any request made by a data subject, regulator or any other person requesting access to personal data processed by ClearBank and you will handle such request and ClearBank will at all times cooperate with and assist you in executing your obligations under the Data Protection Legislation in relation to such access requests. In all cases, ClearBank will provide a copy to you of all personal data which ClearBank discloses unless prohibited by law;
2.4.5 notify you without undue delay by written notice with relevant details reasonably available of a Security Incident and provide reasonable cooperation and information upon your request in relation to the Security Incident;
2.4.6 on termination, return any data to you or, at your option, securely destroy it to the extent reasonably practicable;
2.4.7 make available to you and any competent data protection or privacy authority all necessary information regarding ClearBank's data processing activities unless providing this information would be in breach of applicable laws (including the Data Protection Legislation), in which case ClearBank must inform you to the extent it is permitted by applicable law to do so;
2.4.8 subject to clause 2.4.9, not engage any sub-contractor, who may be located in the European Economic Area or elsewhere, to assist ClearBank in the fulfilment of ClearBank's data processing obligations under the Agreement except with your prior written consent and unless there is a written contract in place with the sub-contractor which requires the sub-contractor to:
A. only carry out such processing as may be necessary from time to time for the purposes of its engagement by ClearBank in connection with the Agreement; and
B. comply with terms and conditions (and only sub-contract on terms and conditions) which provide an equivalent level of protection to personal data as set out in this clause 2.4,
2.4.9 and ClearBank shall be responsible for the acts and omissions of any such sub-contractors in the performance of data processing obligations under the Agreement as if they were ClearBank's own acts and omissions;
2.4.10 notify you fourteen (14) days in advance before engaging any data sub-processor that ClearBank has not previously communicated to you (via its relevant policies or otherwise) by directing you to an updated list of data sub-processors (or otherwise); if you wish to object to the engagement of such new data sub-processor you shall provide ClearBank with written notice of such objection including reasonable details of the grounds for your objection ("Objection Notice") as soon as possible; following receipt of an Objection Notice, ClearBank will endeavour to discuss any reasonable objections with you in good faith; if, after 61 days from the date on which ClearBank received the Objection Notice, you can demonstrate that the new data sub-processor is unable to comply with clauses 2.4.8(A) and (B) then you may terminate the Agreement by notice in writing to ClearBank; and
2.4.10 not transfer personal data to any country or territory outside the European Economic Area (other than within the scope of a European Union ("EU") finding of adequacy in respect of that country or territory pursuant to Article 25(6) of the EC Data Protection Directive 95/46/EC) unless ClearBank has ensured that such transfer complies with applicable Data Protection Legislation, either by having in place EU-approved standard contractual clauses to govern the transfer, or using another basis to ensure the transfer complies with the applicable Data Protection Legislation.
2.5 You hereby agree to ClearBank sub-contracting the processing of personal data to third parties from time to time in accordance with ClearBank's relevant policies as communicated to you from time to time provided that ClearBank acts in accordance with its obligations under clauses 2.4.8 - 2.4.10 above.
2.6 To the extent that ClearBank acts as a data controller pursuant to the Agreement (in relation to any personal data provided by you or on your behalf and in respect of which you are also a data controller), ClearBank and you will each:
2.6.2 deal promptly, reasonably and in good faith with all reasonable and relevant enquiries from the other party relating to its processing of personal data.
2.7 Irrespective of whether ClearBank acts as a data processor or a data controller:
2.7.1 you will comply at all times with: (i) all applicable laws and regulations relating to the processing of personal data and privacy; and (ii) all applicable Data Protection Legislation;
2.7.2 without prejudice to clause 2.7.1, you shall comply at all times with your own data processing, privacy and cyber security policies in relation to the processing of personal data and any cyber security incident ("Data Policies"). Within 5 Business Days following the Commencement Date and each anniversary of the Commencement Date, you shall provide ClearBank with copies of your Data Policies relating to the processing of personal data and any cyber security incident for ClearBank's review. Without prejudice to your obligations under clause 2.7, if ClearBank reasonably believes that your Data Policies are not appropriate, ClearBank may require you to comply with ClearBank's Data Policies, except where you are the data controller;
2.7.3 ClearBank will be entitled to assume that any disclosure of personal data to ClearBank by you is done so in a manner which is compliant with: (i) all applicable laws and regulations relating to the processing of personal data and privacy; and (ii) all applicable Data Protection Legislation;
2.7.4 you will provide all necessary information and notices to, and obtain all necessary consents from, any data subjects whose personal data you provide to ClearBank, so that ClearBank is able to use or otherwise process this personal data for the purposes of the Agreement without needing any further consent, approval or authorisation, and upon ClearBank's request from time to time you will consult with ClearBank, and comply with any reasonable requests of ClearBank in relation to the same; and
2.8 if requested by ClearBank, you will promptly provide reasonable evidence that you have provided all necessary information and notices to and obtained all necessary consents from data subjects.