The terms in this Data Processing Charter (Charter) (as amended from time to time) are supplementary to and form part of the booking form, terms of service or other agreement between Serco Limited (Serco) and the Customer regarding provision of goods or services by Serco to the Customer (the Agreement).
The terms in this Charter are binding between Serco and the Customer and constitute a data processing agreement. Please read carefully the Agreement (including this Charter) and our Privacy Policy (available at https://epcresilience.the-escape.work/privacy-policy and as may be amended from time to time) before purchasing any products or services from Serco as they set out certain rights and responsibilities of each Party, including potential financial liability.
WE DRAW YOUR ATTENTION TO THE LIABILITY PROVISIONS IN THE ASSOCIATED TERMS AND CONDITIONS OF OUR AGREEMENT WITH YOU, OUR CUSTOMER, WHICH WILL APPLY TO THIS DATA PROCESSING CHARTER.
Definitions
- The expressions Data Subject, Personal Data, Personal Data Breach and Supervisory Authority have the meanings given to them in the Data Protection Act 2018.
- Customer means the person, be it a natural person or legal entity, which orders or receives from Serco any goods or services in connection with the Agreement.
- Data Controller or Controller and Data Processor or Processor shall take the meaning of Controller and Processor in the Data Protection Act 2018 respectively.
- Data Privacy Laws means (i) the General Data Protection Regulation (EU) 2016/679 (GDPR) (where applicable) and any applicable national implementing laws as amended from time to time; (ii) the UK General Data Protection Regulation (UK GDPR) (as amended), the Data Protection Act 2018 to the extent it relates to processing of Personal Data and privacy; and (iii) any other laws and regulations relating to the processing of Personal Data and privacy which apply to a Party from time to time and, if applicable, the guidance and codes of practice issued by the relevant data protection or Supervisory Authority, in each case as may be replaced, extended or amended.
- Data Subject Rights Request means a request made by, or on behalf of, a Data Subject in accordance with rights granted pursuant to the Data Privacy Laws to access their Personal Data.
- Fair Processing Notice means a fair processing notice which meets the requirements of Article 13 or Article 14 of the UK GDPR (as applicable).
- Serco means Serco Limited, a company incorporated in England and Wales with company number 24246, with its registered office at Serco House, 16 Bartley Wood Business Park, Bartley Way, Hook, Hampshire RG27 9UY.
- Party is a party to this agreement, together referred to as the Parties.
- Processing shall take the meaning in the Data Protection Act 2018 and process and processed have corresponding meanings.
Obligations
1. Each Party will comply with the Data Privacy Laws in respect of its respective activities under the Agreement. This Charter is in addition to, and does not relieve, remove or replace, a Party's obligations or rights under Data Privacy Laws.
2. Each Party will maintain records and information of their processing activities to the extent required by the Data Privacy Laws.
3. The Customer warrants and undertakes that the Customer has taken all the steps necessary as required under Data Privacy Laws, including but not limited to: (i) providing appropriate Fair Processing Notice in accordance with the UK GDPR Article 13 or 14 and obtaining all necessary consents (where necessary); (ii) ensuring that there is a legal basis for Serco and its processors (where applicable) to process the Personal Data in accordance with the Agreement; (iii) it is not subject to any prohibition or restriction which would prevent or restrict it from disclosing or transferring the personal data to Serco (and Serco’s processors); and (iv) informing the Data Subjects of the Customer’s legal basis.
Data Controller Obligations
4. Where the Parties have determined that the Parties are each a Data Controller in relation to the processing of Personal Data in connection with the Agreement, the terms outlined in this Data Controller Obligation section will apply in place of the Data Processor Obligations section above.
5. Each Party acknowledges its obligations under the relevant Data Privacy Laws and will comply with its obligations under the relevant Data Privacy Laws in force at the time.
6. Each Party acknowledges that, for the purposes of Data Privacy Laws and the Agreement:
a) the Customer is a separate Data Controller (acting independently) in respect of any Personal Data transferred/shared with Serco for the purposes of the Agreement; and
b) Serco is a separate Data Controller acting independently of the Customer (and/or is an Independent Data Controller) of Personal Data that Serco Processes (including transfer of such Personal Data to the Customer) for the purposes of providing the services under the terms of the Agreement.
For the purposes of this Data Controller Obligation section, the Personal Data which may be shared between the Parties (“Shared Personal Data”) pursuant to the Agreement will be confined to the following categories of information relevant to the following categories of data subject: full name, work details including roles and responsibilities, booking details, training details including past qualification, contact details, training attendance and outcome of the training and/or conference and event participants/delegates, staff (including temporary and agency workers) and business contact details of each Party’s personnel, including but not limited to any directors, officers, employees, agents, consultants and contractors of the Party engaged in the performance of the relevant Party’s duties under the Agreement.
7. Each Party will provide such assistance as is reasonably requested by the other Party in relation to either Party's obligations under Data Privacy Laws and any complaint, communication, Data Subject Rights Request received, by that Party (and insofar as possible within the timescales reasonably required by the requesting Party).
8. Where appropriate, each Party will ensure that an appropriate Fair Processing Notice is given to all relevant Data Subjects as required by the Data Privacy Laws; and to enable lawful transfer between the Parties of the Shared Personal Data for the purposes of administrating and delivering the services under the Agreement (“Agreed Purpose”).
9. The Parties will have appropriate technical and organisational measures in place to protect the security, confidentiality, integrity and availability of the Personal Data during all stages of the Processing including transfer, storage, access and deletion.
10. Each Party (“Disclosing Party”) will notify the other Party without undue delay on becoming aware of an actual or potential Personal Data Breach in respect of the Personal Data shared pursuant to the Agreement and the Disclosing Party shall:
a) do what is reasonably necessary (including to assist the other Party) in mitigating the effects of the Personal Data Breach;
b) implement any reasonable measures necessary to restore the security of any compromised Personal Data; and
c) work with the other Party to make any required notifications to the Information Commissioner’s Office and affected Data Subjects in accordance with the Data Privacy Laws (within the timeframes set out therein or required by the requesting Party).
11. Each Party will not disclose or allow access to the Personal Data to anyone other than the permitted recipients (which will mean the Parties to the Agreement including but not limited to their employees, workers, agents, the Cabinet Office, and any third parties engaged to perform obligations in connection with the Agreement); and ensure that all permitted recipients are subject to appropriate binding obligations to protect the confidentiality of the Shared Personal Data.
12. The Customer acknowledges that Serco may cause or allow Personal Data to be transferred to and/or otherwise processed outside the UK and/or European Economic Area for the purpose of performing its obligations under the Agreement.
13. The Customer shall ensure it is not subject to any prohibition or restriction which would:
a) prevent or restrict it from disclosing or transferring any such Personal Data to Serco, as required pursuant to the Agreed Purposes; or
b) prevent or restrict Serco from Processing any such Personal Data as envisaged under the Agreement and the Agreed Purposes.
14. The Customer shall ensure that in compliance with the Data Privacy Laws when transferring Personal Data to Serco that such sharing or disclosure shall be through relevant secure methods of transfer.
15. Serco will only transfer the Shared Personal Data to the Customer:
a) to the extent necessary to perform the respective obligations under this Agreement;
b) using a secure and suitable method of transfer; and
c) in accordance with the Agreement.
16. Following the safe receipt of the Shared Personal Data by the Customer, the Shared Personal Data will be retained and otherwise processed by or on behalf of the Customer only for as long as is necessary for the purpose(s) as set out in the Agreement or as is otherwise required by applicable law and thereafter shall be securely and permanently deleted or disposed of (as applicable).
17. Each Party will maintain the relevant records of its Processing activities in accordance with Data Privacy Laws and will make the record available to the other Party upon reasonable written request.
18. Where the Customer intends to disclose or share any Shared Personal Data with a third party for which it is a Data Controller, it shall ensure that in compliance with the Data Privacy Laws it has in place a sharing agreement/arrangement with the third party and such sharing or disclosure shall be through relevant secure methods of transfer.
19. The Fair Processing Notice for Emergency Planning College can be found as the privacy policy on the EPC website https://epcresilience.the-escape.work/privacy-policy (which may be amended from time to time) and the Customer shall ensure that this Fair Processing Notice is brought to the attention of relevant Data Subjects (e.g. the Customer’s employees).
20. The holders of the following role(s) of each Party shall be the initial key data protection representatives (“Key Data Protection Representatives”) of such party; and each Party may replace or add to any Key Data Protection Representative by giving written notice to the other parties in writing:
a) Serco – Data Protection Officer (dpo@serco.com);
b) The Customer – to be notified in writing to Serco prior to the commencement of the services or as defined within the Customer’s privacy policy within its relevant website.
Updated August 2023