POLICY APPOINTING SUPPLIERS

INTRODUCTION
This Policy (“Policy”) sets out steps that should be taken where a third party (“Supplier”) is appointed to provide services in connection with, or to, the Business (as defined below) and which may involve the Supplier processing personal data. This Policy will also apply if an existing Supplier is re-contracted on new terms or re-engaged on existing terms.
I, HARBANS SINGH NOTARY PUBLIC of 4 Springvale Avenue, Walsall, WS5 3QB, trading as Harbans Singh Notary Public (“Notary”), commit to comply with this Policy in the course of my business as notary public (“Business”).
The steps which must be followed are:
Step 1: Establish whether the Supplier is a Controller or a Processor
Step 2: Comply with data protection law requirements in the procurement process
Step 3: Check whether personal data will be transferred outside the UK
Step 4: Complete the self-assessment Checklist to ensure compliance with this Policy
This Policy does not apply if the Supplier’s services do not involve the processing of personal data (for example where it is solely a contract for the purchase of goods, such as hardware).
STEP 1: IDENTIFY WHETHER THE SUPPLIER IS A CONTROLLER OR A PROCESSOR
Whenever it is proposed to appoint a Supplier to which this Policy applies, it is important to first identify whether the Supplier is a “Controller” or a “Processor”.

It is important to identify whether the Supplier is a Controller or Processor because:


EXAMPLES
SUPPLIER AS A CONTROLLER

SUPPLIER AS A PROCESSOR

SUPPLIER NOT ENGAGED IN “PROCESSING”

If the Supplier will be acting as a Controller:
As mentioned above, it is less likely that a Supplier will be acting as Controller and the majority of Suppliers will be Processors. However, if the Supplier is indeed a Controller:

Please note that Controllers which are public authorities are less likely to accept a written agreement from the Business, as they act under their official authority. In these cases, it may be reasonable for the Business to assume that the Controller will comply with its legal obligations even if no agreement is entered into. However, in some cases public authorities may still be considered Processors, especially if they act outside their official authority, and a written agreement (as per Steps 2 and 3) may be required. The Business should ensure that only the minimum personal data required to carry out the relevant acts is shared with such public authorities.


STEP 2: COMPLY WITH DATA PROTECTION LAW IN THE PROCUREMENT PROCESS
Because the Business will be responsible for the actions of its Processors, there are certain steps which must be taken to protect the Business when appointing a Supplier who is a Processor.
In addition, when contracting with a Supplier who is a Processor, the Business is under a legal obligation to ensure certain mandatory provisions concerning personal data are included in the contract with the Processor. These provisions are reflected in the standard Data Processing Agreement.
The following steps set out what should be done in practice during the procurement process to ensure that data protection legal obligations are met.
Step - Understand the nature of the data processing
What does this mean in practice?
Identify the types and amounts of personal data which the Supplier will have access to. The Supplier should only have access to the minimum amount of personal data they need to provide the services.
If the Supplier will have access to payment card data, the agreement will also need to address compliance with Payment Card Industry Data Security Standard (PCI DSS).

Step - Conduct due diligence on the Supplier
What does this mean in practice?
Choose a Supplier providing sufficient guarantees regarding information security and handling of personal data.
It should be ensured the Supplier is able to provide appropriate security protection for the data, taking into account the nature of the personal data and any risks involved (for example, the consequences of a security breach).

Step - Take additional precautions with special categories of personal data or card payment data
What does this mean in practice?
Pay particular attention to security specifications for the contract if it involves processing special categories of personal data. 

Step - Ensure the written contract contains or incorporates the data protection clauses
What does this mean in practice?
The contract with the Supplier must include specific data protection language, as this is a legal requirement under UK and EU data protection laws.
If the contract is on the Supplier’s standard terms, the Business must still ensure that the necessary data protection language is included in the contract.
Step - Note any data transfers outside of the UK or EEA
What does this mean in practice?
If any personal data will be transferred outside the UK or EEA (including where the personal data can be accessed remotely from outside the UK or EEA), steps must be taken to ensure that the transfer is lawful. See Step 3 below.
Step - Anonymise, pseudonymise or aggregate personal data if possible
What does this mean in practice?
These safeguards should be considered to help eliminate data protection risks whenever possible.
Step - Limit access to the personal data
What does this mean in practice?
The Supplier should have appropriate access controls so that only those involved in the delivery of the services can access the personal data, and access rights are limited to that necessary for each individual’s role.

Step - Ensure the Supplier can assist with individual rights requests
What does this mean in practice?
The data protection language in the contract must include an obligation on the Supplier to assist the Business to enable individuals to exercise their individual rights. These include rights to access, rectify and erase their personal data, and object to it being used for a particular purpose.
The Supplier must ensure that it can respect these rights (e.g. by rectifying or erasing personal data), when requested to by the Business. The Supplier should also ensure that if it receives any requests in relation to personal data, these are promptly passed on to the Business.
Step - Check the Supplier’s subcontractors
What does this mean in practice?
The Business should ensure that all data processing terms agreed with the Supplier are ‘flowed down’ to any subcontractor the Supplier uses.
Step - Provide notice of the data sharing unless this has been done already
What does this mean in practice?
Ensure that the arrangement with the Supplier is covered by the privacy notice given to Personnel or clients, as applicable.
If the arrangement is not adequately covered by the existing notice, consider how to inform them prior to providing their personal data to the Supplier.
Step - Business monitors the Supplier’s compliance throughout the appointment
What does this mean in practice?
Ensure there are reasonable steps in place which allow the Business to monitor the Supplier’s performance of its security and processing obligations. For example, the Business may check the Supplier’s website and look out for any relevant press releases from time to time. Regularly (depending on the level of engagement and the associated risks), the Business may also ask the Processor (e.g. pursuant to the Data Processing Agreement) for information such as confirmation of the information security measures the Processor currently has in place.
Step - Establish what will happen to the personal data at the end of the relationship
What does this mean in practice?
If there is no longer a need to keep the personal data, because the service relationship has terminated or because the law no longer requires it to be retained, it should be returned to the Business. Make sure the contract terms provide for the return of the personal data to the Business, or for its purging, upon request of the Business.
STEP 3: CHECK IF PERSONAL DATA WILL BE TRANSFERRED OUTSIDE THE UK OR EEA
This Step 3 should be completed whether the Supplier will be acting as a Controller or a Processor.
In considering whether to appoint a Supplier, the following should be established:

A ‘transfer’ of personal data includes the following:

Subject to the exceptions set out below, personal data should not be transferred from the UK or an EEA country to a non-UK/EEA country unless there are means of providing appropriate safeguards for that personal data.
A small number of countries (Andorra, Argentina, Canada, Faroe Islands, Guernsey, Isle of Man, Israel, Japan, Jersey, New Zealand, Switzerland and Uruguay) have been legally recognised to provide an adequate level of protection, and personal data can therefore be transferred from the EEA to those countries. The list of “adequate” countries can be found on the Commission’s website, here: http://ec.europa.eu/justice/data-protection/international-transfers/adequacy/index_en.htm
For countries outside the UK/EEA and not listed above, an alternative solution has to be adopted before personal data can be transferred. The most relevant to the Business is likely to be requiring the non-UK/EEA recipient to sign up to an approved set of international data transfer clauses, known as the ‘EU Model Clauses’. Which version of the Clauses should be used depends on whether the Supplier is acting as a Controller or a Processor. The EU Model Clauses should not be amended by the parties; only the Appendices are to be completed, and this must be done prior to execution.

Summary of the contractual arrangements which must be in place:

Country in which personal data will be hosted, or from which it will be accessible:
‘Adequate’ countries (Andorra, Argentina, Canada, Faroe Islands, Guernsey, Isle of Man, Israel, Japan, Jersey, New Zealand, Switzerland and Uruguay)
How to regulate processing by the Supplier:
Use the standard Data Processing Agreement
How to regulate transfers outside the UK/EEA:
N/A, as these countries offer ‘adequate protection’

Country in which personal data will be hosted, or from which it will be accessible:
Non-adequate countries (e.g. Australia, India, China or the US)
How to regulate processing by the Supplier:
Use the standard Data Processing Agreement
How to regulate transfers outside the UK/EEA:
Execute the applicable EU Model Clauses

Exceptions
In some circumstances transfers may be made without the appropriate safeguards for the transferred personal data described above. These exceptions will mostly concern transfers instructed by the client rather than transfers to a Supplier of the Business.
Explicit consent from the data subject.
This will only apply where all personal data in the document to be transferred outside the UK/EEA is the personal data of the client and of no third party (unless such third party has also consented). Consent has to be freely given, unambiguous, informed and confirmed by an affirmative action or statement of the data subject. A record of the consent must be retained, together with the assessment of the possible risks of the transfer and the appropriate safeguards put in place in relation to the transfer.
Transfer is necessary for the performance of a contract.
This will apply only to contracts between the Business and the data subject or another party on the data subject’s request. This may apply, for example, where the client engages the Business to procure notarisation by foreign notaries. In such cases, the Business should obtain a warranty from the client to the effect that the client has obtained explicit and demonstrable consent from each other data subject whose personal data is included in the document which is subject to the transfer. This exception will also likely apply to transfers to foreign public authorities.
Transfer is necessary for important reasons of public interest recognised by law.

This will apply in very limited circumstances, such as in the case of the UK’s substantial public interest in detecting and preventing crime.

Information in public registers.

Part of the personal data on a public register may be transferred overseas, as long as the recipient complies with any restrictions on access to, or use of, the information in the register.
Transfer is necessary in connection with legal proceedings, legal advice or defending legal rights.
This may apply, for example, where notarised documents are forwarded to a third party law firm in connection with legal proceedings or legal advice.
These are the main exceptions that are likely to apply. However, in some circumstances further exceptions may apply.