Data processing addendum
This Data Processing Addendum (“DPA”) supplements the Terms for Provision of Communications Services (“Terms”) that are in place between the Client (“Controller”) and Cavendish Consulting Limited (“Cavendish”, “Processor”) and covers the Services provided by Cavendish to the Client, as set out in a Proposal (the “Agreement”).
The purpose of the DPA is to ensure such processing is conducted in accordance with applicable laws and with due respect for the rights and freedoms of individuals whose Personal Data is processed.
This DPA is entered into between Cavendish and the Client when Cavendish agrees to provide Services to the Client, as set out in the Agreement (the “Effective Date”) and shall apply to the extent that Cavendish Processes Personal Data as a Processor as defined below.
WHEREAS:
(1) The provision of the Services by the Processor, as described in Schedule 1, involves it processing the Personal Data described in Schedule 2 on behalf of the Controller.
(2) Under the United Kingdom (“UK”) General Data Protection Regulation (“the UK GDPR”) (Article 28, paragraph 3), the Controller is required to put in place an agreement in writing between the Controller and any organisation which processes Personal Data on its behalf governing the processing of that data.
(3) The Parties have agreed to enter into this DPA to ensure compliance with the said provisions of the UK GDPR in relation to all processing of the Personal Data by the Processor for the Controller.
(4) The terms of this DPA are to apply to all processing of Personal Data carried out for the Controller by the Processor and to all Personal Data held by the Processor in relation to all such processing.
IT IS AGREED as follows:
1 Definitions and Interpretation
1.1 In this DPA, unless the context otherwise requires, the following expressions have the following meanings:
1.2 Unless the context otherwise requires, each reference in this DPA to:
1.2.1 “writing”, and any cognate expression, includes a reference to any communication effected by electronic or facsimile transmission or similar means;
1.2.2 a statute or a provision of a statute is a reference to that statute or provision as amended or re-enacted at the relevant time;
1.2.3 “this DPA” is a reference to this Data Processing Addendum and each of the Schedules as amended or supplemented at the relevant time;
1.2.4 a Schedule is a schedule to this DPA; and
1.2.5 a Clause or paragraph is a reference to a Clause of this DPA (other than the Schedules) or a paragraph of the relevant Schedule; and
1.2.6 a “Party” or the “Parties” refers to the parties to this DPA.
1.3 The headings used in this DPA are for convenience only and shall have no effect upon the interpretation of this DPA.
1.4 Words importing the singular number shall include the plural and vice versa.
1.5 References to any gender shall include all other genders.
1.6 References to persons shall include corporations.
2 Scope and Application of this DPA
2.1 The provisions of this DPA shall apply to the processing of the Personal Data described in Schedule 2, carried out for the Controller by the Processor, and to all Personal Data held or accessed by the Processor in relation to all such processing whether such Personal Data is held at the date of this DPA or received afterwards.
2.2 The provisions of this DPA supersede any other arrangement, understanding, or agreement including, but not limited to, the Agreement made between the Parties at any time relating to the Personal Data.
2.3 This DPA shall continue in full force and effect for so long as the Processor is processing Personal Data on behalf of the Controller, and thereafter as provided in Clause 9.
3 Provision of the Services and Processing Personal Data
The Processor is only to carry out the Services, and only to process the Personal Data received from the Controller:
3.1 for the purposes of those Services and not for any other purpose;
3.2 to the extent and in such a manner as is necessary for those purposes; and
3.3 strictly in accordance with the express written authorisation and instructions of the Controller (which may be specific instructions or instructions of a general nature or as otherwise notified by the Controller to the Processor).
However, the Processor reserves the right to use aggregated or anonymised versions of the Personal Data solely for the purpose of enhancing the quality of its services, as set out in the Agreement.
4 Data Protection Compliance
4.1 All instructions given by the Controller to the Processor shall be made in writing and shall at all times be in compliance with the UK GDPR and other applicable laws. The Processor shall act only on such written instructions from the Controller unless the Processor is required by law to do otherwise (as per Article 29 of the UK GDPR).
4.2 The Processor shall promptly comply with any request from the Controller requiring the Processor to amend, transfer, delete, or otherwise dispose of the Personal Data.
4.3 The Processor shall transfer all Personal Data to the Controller on the request of the Controller in the formats, at the times, and in compliance with the written instructions of the Controller.
4.4 Both Parties shall comply at all times with the UK GDPR and other applicable laws and shall not perform their obligations under this DPA or any other agreement or arrangement between themselves in such way as to cause either Party to breach any of its applicable obligations under the UK GDPR.
4.5 The Processor agrees to comply with any reasonable measures required by the Controller to ensure that its obligations under this DPA are satisfactorily performed in accordance with any and all applicable legislation from time to time in force (including, but not limited to, the UK GDPR) and any best practice guidance issued by the ICO.
4.6 The Processor shall provide all reasonable assistance to the Controller in complying with its obligations under the UK GDPR with respect to the security of processing, the notification of Personal Data breaches, the conduct of data protection impact assessments, and in dealings with the ICO.
4.7 When processing the Personal Data on behalf of the Controller, the Processor shall:
4.7.1 not process the Personal Data outside the UK or European Economic Area (all EU member states, plus Iceland, Liechtenstein, and Norway) (“EEA”) without the prior written consent of the Controller and, where the Controller consents to such a transfer to a country that is outside of the UK or EEA, to comply with the obligations of Processors under the provisions applicable to transfers of Personal Data to third countries set out in Chapter 5 of the UK GDPR by providing an adequate level of protection to any Personal Data that is transferred;
4.7.2 not transfer any of the Personal Data to any third party without the written consent of the Controller and, in the event of such consent, the Personal Data shall be transferred strictly subject to the terms of a suitable agreement, as set out in Clause 8;
4.7.3 process the Personal Data only to the extent, and in such manner, as is necessary in order to comply with its obligations to the Controller or as may be required by law (in which case, the Processor shall inform the Controller of the legal requirement in question before processing the Personal Data for that purpose unless prohibited from doing so by law);
4.7.4 implement appropriate technical and organisational measures and take all steps necessary to protect the Personal Data against any unauthorised processing, including any accidental or unlawful loss, destruction, damage, alteration, disclosure or access. In assessing the appropriate level of security, the Parties shall take into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risks for Data Subjects. The Processor shall at least implement the technical and organisational measures specified in Schedule 3 and shall inform the Controller in advance of any material changes to such measures;
4.7.5 if so requested by the Controller (and within the timescales required by the Controller) supply further details of the technical and organisational systems in place to safeguard the security of the Personal Data held and to prevent unauthorised access;
4.7.6 keep detailed records of all processing activities carried out on the Personal Data in accordance with the requirements of Article 30(2) of the UK GDPR;
4.7.7 make available to the Controller any and all such information as is reasonably required and necessary to demonstrate the Processor’s compliance with the UK GDPR;
4.7.8 on reasonable prior notice, submit to audits and inspections and provide the Controller with any information reasonably required in order to assess and verify compliance with the provisions of this DPA and both Parties’ compliance with the requirements of the UK GDPR. The requirement to give notice will not apply if the Controller believes that the Processor is in breach of any of its obligations under this DPA or under the law; and
4.7.9 inform the Controller immediately if it is asked to do anything that infringes the UK GDPR or any other applicable data protection legislation.
5 Data Subject Access, Complaints, and Breaches
5.1 The Processor shall assist the Controller in complying with its obligations under the UK GDPR. In particular, the following shall apply to Data Subject access requests, complaints, and data breaches.
5.2 The Processor shall notify the Controller without undue delay if it receives:
5.2.1 a subject access request from a Data Subject; or
5.2.2 any other complaint or request relating to the processing of the Personal Data.
5.3 The Processor shall cooperate fully with the Controller and assist as required in relation to any subject access request, complaint, or other request, including by:
5.3.1 providing the Controller with full details of the complaint or request;
5.3.2 providing the necessary information and assistance in order to comply with a subject access request;
5.3.3 providing the Controller with any Personal Data it holds in relation to a Data Subject (within the timescales required by the Controller); and
5.3.4 providing the Controller with any other information requested by the Controller.
5.4 The Processor shall notify the Controller immediately if it becomes aware of any form of Personal Data breach, including any unauthorised or unlawful processing, loss of, damage to, or destruction of any of the Personal Data.
6 Liability and Indemnity
6.1 The Supplier shall be liable for losses (howsoever arising, whether in contract, tort (including negligence) or otherwise) under this DPA, except to the extent the Client is liable under clause
6.1.1 only to the extent caused by the processing of Personal Data under this DPA and directly resulting from the Supplier’s breach of its obligations under this DPA; and
6.1.2 in no circumstances to the extent that any losses (or the circumstances giving rise to them) are contributed to or caused by any breach of this DPA by the Client.
6.2 The Client shall indemnify and keep indemnified the Supplier in respect of all losses suffered or incurred by, awarded against or agreed to be paid by, the Supplier and any Sub-Processor arising from or in connection with any:
6.2.1 non-compliance by the Client with the Data Protection Laws;
6.2.2 processing carried out by the Supplier or any Sub-Processor pursuant to any processing instruction that infringes any Data Protection Law; or
6.2.3 breach by the Client of any of its obligations under this DPA;
except to the extent the Supplier is liable under clause 6.1.
6.3 For the avoidance of doubt, the liability cap and the limitations and exclusions of liability in clause 5.1 of the Terms for Provision of Communications Services (Limitation of liability) apply so as to limit and exclude the Supplier’s liability under this indemnity in accordance with those provisions.
6.4 If a party receives a compensation claim from a person relating to processing of Personal Data, it shall promptly provide the other party with notice and full details of such claim.
6.5 This clause 6 is intended to apply to the allocation of liability for losses as between the parties, including with respect to compensation to Data Subjects, notwithstanding any provisions under Data Protection Laws to the contrary, except:
6.5.1 to the extent not permitted by Applicable Law (including Data Protection Laws); and
6.5.2 that it does not affect the liability of either party to any Data Subject.
7 Confidentiality
7.1 The Processor shall maintain the Personal Data in confidence, and in particular, unless the Controller has given written consent for the Processor to do so, the Processor shall not disclose any Personal Data supplied to the Processor by, for, or on behalf of, the Controller to any third party. The Processor shall not process or make any use of any Personal Data supplied to it by the Controller otherwise than in connection with the provision of the Services to the Controller.
7.2 The Processor shall ensure that all personnel who are to access or process any of the Personal Data are contractually obliged to keep the Personal Data confidential.
7.3 The obligations set out in this Clause 7 shall continue for a period of six years after the cessation of the provision of Services by the Processor to the Controller.
7.4 Nothing in this DPA shall prevent either Party from complying with any requirement to disclose Personal Data where such disclosure is required by law. In such cases, the Party required to disclose shall notify the other Party of the disclosure requirements prior to disclosure, unless such notification is prohibited by law.
8 Appointment of Sub-Processors
8.1 The Client consents to Cavendish engaging third party sub-processors to process Personal Data on its behalf provided that Cavendish:
(i) maintains an up-to-date list of its sub-processors which it shall update with details of any change in sub-processors at least 10 days prior to any such change;
(ii) imposes data protection terms on any sub-processor it appoints that require it to protect the Data to the standard required by Applicable Data Protection Law; and
(iii) remains liable for any breach of this Clause that is caused by an act, error or omission of its sub-processor.
8.2 The Client may object to Cavendish’s appointment or replacement of a sub-processor prior to its appointment or replacement, provided such objection is based on reasonable grounds relating to the Client’s ability to comply with Applicable Data Protection Laws. In such event, Cavendish will either not appoint or replace the sub-processor or, if this is not possible, the Client may suspend or terminate the relevant agreement(s) (without prejudice to any fees incurred by the Client prior to suspension or termination).
8.3 As at the date of this DPA the Client has authorised use of those Sub-Processors listed in Schedule 4 subject to, and in accordance with, the terms of this DPA.
9 Deletion or Disposal of Personal Data
9.1 The Processor shall, at the written request of the Controller, delete (or otherwise dispose of) the Personal Data or return it to the Controller in the format(s) reasonably requested by the Controller within a reasonable time after the earlier of the following:
9.1.1 the end of the provision of the Services; or
9.1.2 the processing of that Personal Data by the Processor is no longer required for the performance of the Processor’s obligations under this DPA or the Agreement.
9.2 Following the deletion, disposal, or return of the Personal Data under sub-Clause 9.1, the Processor shall delete (or otherwise dispose of) all further copies of the Personal Data that it holds, unless retention of such copies is required by law, in which case the Processor shall inform the Controller of such requirement(s) in writing.
10 Law and Jurisdiction
10.1 This DPA (including any non-contractual matters and obligations arising therefrom or associated therewith) shall be governed by, and construed in accordance with, the laws of England and Wales.
10.2 Any dispute, controversy, proceedings or claim between the Parties relating to this DPA (including any non-contractual matters and obligations arising therefrom or associated therewith) shall fall within the jurisdiction of the courts of England and Wales.
Schedule 1
Services
The Services to be provided refers to the communications and consultancy services Cavendish offers to provide to the Client as set out in a Proposal. This may include:
Public Consultation
To consult with members of the public, elected officials, government and local authority employees, business owners, shoppers and users of public and private services in respect of proposed developments, enabling us to:
- Obtain feedback and opinions on the proposals;
- Communicate with those who express an interest in the proposed development; and
- Produce reports for official bodies setting out the opinions of consultees.
Public Affairs
Contacting government officials, consumers, and client employees, on behalf of Client to provide them with information about the products and services offered by Client and gather feedback.
Market Research
To fulfil contracts on behalf of Client in respect of:
- Development of new products and services; and
- Helping Client to understand the markets Client operates in and their customers.
Marketing and Public Relations
Fulfilling contracts in respect of promotional activity on behalf of Clients and carrying out Cavendish’s own promotional activity, including:
- On- and off-line marketing, including supplying Data Subjects with information they opted-in to;
- Telemarketing;
- Media relations;
- Other marketing activity;
- Personalising and tailoring both Cavendish’s and Client’s products and services for Data Subjects;
- Communicating with Data Subjects, including responding to emails or calls; and
- Supplying products and services to Data Subjects on behalf of Client.
Schedule 2
Personal Data
| Type of Personal Data | Categories of Data Subject | Nature of Processing Carried Out | Purpose(s) of Processing | Retention Period | Duration of Processing |
|---|---|---|---|---|---|
| Name; Address; Confirmation you are over the age of 13 and your age group; Comments and feedback on the project | Members of the public, employees, customers | Personal Data will be collected directly from individuals via survey responses, website feedback forms, paper forms, in-person consultations and meetings; Personal Data will be used to identify survey responses and produce a report; Personal Data will be de-identified or anonymised and aggregated; Personal Data will be stored on Cavendish systems or on the Borealis data management platform; once completed, the Personal Data will be anonymised or deleted. | Cavendish will process Client’s Personal Data as necessary to provide the Services under the Agreement, for the purposes specified in the Agreement and this DPA, and in accordance with Client’s instructions as set forth in this DPA. | All Client data will be deleted on termination of the contract or if requested by the Client. | For the contract period unless otherwise agreed / no longer required. |
Schedule 3
Technical and organisational measures to ensure the security of Personal Data
1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risks to Data Subjects, the Processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. The Processor shall implement the following, as appropriate:
a) the encryption of the Personal Data;
b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
c) the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; and
d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
2. In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data transmitted, stored or otherwise processed.
3. As a minimum, the Processor shall implement the items set out below.
Organisational Measures
The Processor has in place the following policies:
- Data Protection Policy
- Information Security Policy
- Data Subject Rights Procedure
- Personal Data Breach Procedure
- Personal Data Retention Policy
- Clear Desk and Clear Screen Policy
- Password Management Policy
- Business Continuity Policy
- Access Control Policy
- Backup Policy
- Cryptographic Control Policy
- Physical and Environmental Security Policy
- Mobile Devices Policy
- Acceptable Use Policy
Technical Measures
The Processor shall implement the following measures, as appropriate:
- Firewalls
- Anti-malware
- Encryption of Personal Data
- Access controls
- Penetration testing
- Vulnerability scanning
Schedule 4
Authorised Sub-Processors
| Sub-Processor | Processing this Sub-Processor is authorised to undertake |
|---|---|
| Cavendish Insights Limited | Storage and processing of personal data |
| Amazon Web Services | Hosting of software used to deliver insight services |
| Borealis | Storage and processing of personal data |