NON-EUROPEAN ECONOMIC AREA DATA CONTROLLER/PROCESSOR AGREEMENT June 2016
1.1 The Controller is the holder of a licence to use Cubiks Products as defined in any agreement (“Licence”) currently in force between the Controller and any member of the Cubiks Group of Companies ("Licensor"). The Cubiks Group of Companies is defined below.
1.2 The Processor is the Licensor with whom the Controller is contracting.
1.3 The Processor may subcontract its obligations under this Agreement to Cubiks Limited, registered number 3840112 whose registered office is at Ranger House, Walnut Tree Close, Guildford, Surrey, GU1 4US, United Kingdom and to the third parties as set out in Appendix 1 below (“Sub-Processors”). The Processor remains fully responsible to the Controller for the compliance of Cubiks Limited with the terms and conditions herein.
1.4 This Agreement is made between the Controller and the Processor and is supplemental to and forms part of any Licence as described in 1.1 above.
1.5 In consideration of the provision by the Licensor of online access to the Cubiks Products and the mutual undertakings set out herein the parties agree as follows.
The purpose of this Agreement is to protect individuals with regard to the Processing of their Personal Data, and to allow the free movement of their Personal Data, insofar as it is necessary for the purposes set out in Appendix 1.
UK law requires a written contract between Controller and Processor and for Processor to take appropriate technical and organizational measures to protect Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the Processing involves the transmission of Personal Data over a network, and against all other unlawful forms of processing.
The Appendices to this Agreement shall form an integral part of this Agreement.
For the purposes of this Agreement, the following terms shall have the meanings set out below:
(a) "Controller" shall mean the natural or legal person, public authority, agency or any other body as described in clause 1 above and which alone or jointly with others determines the purposes and means of the Processing of Personal Data;
(b) "Processor", in relation to Personal Data, shall mean any natural or legal person, public authority, agency or any other body (other than an employee of Controller) who Processes the Personal Data on behalf of Controller;
(c) "Data Subject" shall mean an individual who is the subject of Personal Data;
(d) "Personal Data" shall mean any information relating to an identified or identifiable data subject; an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity;
(e) "Processing" shall mean any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction, and “Process” shall be construed accordingly;
(f) "Supervisor" shall mean the United Kingdom Information Commissioner;
(g) "Cubiks Group of Companies" shall mean those companies which can be found listed at http://www.cubiks.com/SiteInformation/Pages/CubiksGroupLimited.aspx. The term Cubiks Group of Companies includes a single member of that group.
The details of the Processing of Personal Data covered by this Agreement are specified in Appendix 1.
All contacts between the Parties concerning this Agreement shall be between the persons nominated in Appendix 2, and such other persons as the nominated Contacts may from time to time authorise in writing. Any changes to the contacts nominated in Appendix 2 shall be agreed in writing between the Parties.
7. OWNERSHIP OF THE DATA
All Personal Data stored and Processed under the terms of this Agreement by Processor on behalf of Controller are and shall remain exclusively the property of Controller.
8. OBLIGATIONS OF CONTROLLER
Controller agrees and warrants:
(a) that the Processing of Personal Data by him has been and will continue to be carried out in accordance with all the relevant legal requirements of the jurisdiction or jurisdictions within which Controller is using the licensed software ("Controller's Jurisdiction");
(b) that Controller will observe the privacy and data protection notice of Processor (or such other notice as the parties may agree) including without limitation the stated restrictions as to the use of Personal Data;
(c) the Processor may Process the Personal Data controlled by the Controller for the purposes described in Appendix 1.
9. OBLIGATIONS OF PROCESSOR
Processor agrees and warrants:
(a) to Process Personal Data on behalf of Controller, in accordance with the instructions of Controller (i) to ensure compliance with paragraph (b) below and (ii) subject to such instructions being consistent with the established functionalities and established capabilities of the Cubiks Products which are the subject of the Licence. Processor further agrees not to carry out any Processing of Personal Data supplied by Controller without the explicit instructions of Controller;
(b) to Process Controller's Personal Data in accordance with Appendix 3 of this Agreement;
(c) to deal promptly, fully and properly with all reasonable enquiries from Controller relating to his Processing of the Personal Data and to cooperate with the Supervisor in the course of any of its enquiries and to abide by the advice of the Supervisor with regard to the Processing of the Personal Data.
Processor will only disclose Personal Data in accordance with instructions from Controller, and will take appropriate security measures, in accordance with Appendix 3, to ensure that no unauthorised disclosure occurs.
The maximum total aggregate liability of the Processor and any Sub-Processor under this Data Agreement and the Licence described above shall be limited to 110% of the Annual Service Fee actually paid by the Controller to Cubiks in accordance with the Licence during the Contract Year when liability arises (or during the Term of the Licence if shorter). If not otherwise defined in this Agreement, capitalised terms in this clause 11 shall have the meanings given to them in the Licence.
12. TERMINATION OF THE AGREEMENT
(a) The Parties agree that the termination of the Agreement at any time, in any circumstances and for whatever reason does not exempt them from the obligations and/or conditions under the Agreement as regards the Processing of Personal Data.
(b) Subject to a reasonable time interval to ensure that Controller has made alternative arrangements for processing his data, and subject to these arrangements working satisfactorily, Processor shall, insofar as it is practicable, delete or render anonymous all copies of Controller's Personal Data held and processed by Processor.
(c) If Controller's Personal Data, for reasons of practicality, cannot be so deleted or render anonymous, Processor shall take appropriate action to ensure that those Personal Data will not be further processed, disclosed, or in any way used, other than their later deletion should that become possible.
13. VARIATION OF THIS AGREEMENT
The Parties undertake not to vary or modify the terms of this Agreement, other than to correct such deficiencies as may become apparent in this Agreement in relation to the application to the Processing of the Directive or its interpretation by the Controller's Jurisdiction.
14. GOVERNING LAW
This Agreement shall be governed by the laws of England.
By contributing to any of these assessments, Data Subject agrees to information provided by him/her being used by for the following purposes:
- Cubiks may use Data Subject's Personal Data for monitoring, validation, statistical, research, benchmarking, product development and management purposes which will include ensuring that employers’ decisions are based on fair, objective and scientifically derived information. This may involve matching the Data Subject’s Personal Data with data from other sources. The results will not be used in relation to the Data Subject and will be anonymised as soon as possible.
- Cubiks may use the Data Subject's Personal Data to assist Licence Holder in the use and understanding of any Cubiks Product and, if necessary, in IT system fault finding.
- Cubiks, if acting on behalf of Licence Holder, may use Data Subject's Personal Data for human resources purposes and to provide human resources services to the Licence Holder.
- Cubiks’ agents, associates, integration partners, suppliers and other trusted third parties may be involved in the processing of Data Subject's Personal Data, through necessity and/or convenience
- Licence Holder and any member of the Licence Holder’s group (meaning a company which controls the Licence Holder, is controlled by the Licence Holder or is controlled by the company that controls the Licence Holder) may use the data subject’s Personal Data for human resources purposes.
- Integration partners, suppliers and other trusted third parties may be involved in the processing of Data Subject's Personal Data, through necessity and/or convenience on behalf of the Licence Holder and members of the Licence Holder’s Group.
- If the Licence Holder or Group Member Company of Licence Holder is carrying out work for a client, then Licence Holder may disclose results to its client on paper or by email. The client of Licence Holder may use the information for human resources purposes only.
Licence Holder is responsible for ensuring that the processing of Personal Data by him has been and will continue to be carried out in accordance with all applicable legal requirements. Furthermore Licence Holder is responsible for identifying any such legal requirements.
Nominated First Contacts
On behalf of Controller: Director of Human Resources or designated representative.
On behalf of Processor: Group Company Secretary via Cubiks Helpdesk, telephone 00 44 1483 544 240.
Security of processing
(a) The Processor conducts all Processing of Personal Data in accordance with current European Economic Area data protection standards.
(b) The Processor will implement appropriate technical and organizational measures to protect Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access and against all other forms of processing which are unlawful in the United Kingdom.
(c) Having regard to the state of the art and the cost of their implementation, such measures shall ensure a level of security appropriate to the risks represented by the processing and the nature of the Personal Data to be protected.
(d) The Controller will comply with paragraphs 2 and 3 so far as practicable and will comply with the equivalent requirements imposed by the laws of the Controller's Jurisdiction.
© 2016 Cubiks Intellectual Property Limited