Components

We shall only use processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the Processing will meet the requirements of the Data Protection Legislation and ensure the protection of the rights of the Data Subject.

Unless separate contractual provisions are in place, where the University procures the services of a third party processor the following standard data processing clauses shall apply; these are consistent with the requirements of the UK General Data Protection Regulation (UK GDPR) Article 28.

Definitions

‘Controller’, ‘Processor’, ‘Data Subject’, ‘Personal Data’, ‘Personal Data Breach’, ‘Processing’, ‘Commissioner’ and ‘appropriate technical and organisational measures’ shall have the same meanings as defined in the Data Protection Legislation.

Data Protection Legislation means the UK GDPR, the Data Protection Act 2018, the Privacy and Electronic Communications Directive 2002/58/EC (as updated by Directive 2009/136/EC), the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426) as amended, and any other legislation or regulatory requirements relating to the Processing of Personal Data within the United Kingdom.

A ‘Restricted Transfer’ means a transfer of Personal Data to a country or territory outside of the European Union and European Economic Area, and which does not benefit from an adequacy decision made under Article 45 of Regulation (EU) 2016/679.

The terms ‘Controller’, ‘we’, ‘us’ and ‘the University’ mean the Manchester Metropolitan University. ‘Processor’ means the third party providing services involving the Processing of Personal Data on behalf of the University.

Data processing clauses

The Controller shall make Personal Data available to the Processor in accordance with these standard data processing clauses. The Processor shall:

1. Comply with and not cause the Controller to breach any obligations under the Data Protection Legislation.

2. Notify the Controller without undue delay if it identifies any areas of actual or potential non-compliance with the Data Protection Legislation.

3. Process Personal Data only for the purpose of performing the contract between the Controller and the Processor and any other documented instructions from the Controller which may be received in writing from time to time (unless the Processor is required to process Personal Data to comply with any applicable laws within the United Kingdom, in which case the Processor will notify the Controller of such legal requirement prior to such Processing unless such law prohibits notice to the Controller on public interest grounds).

4. Not engage or use any third party for the Processing of Personal Data or permit any third party to Process Personal Data without the prior written consent or general written authorisation of the Controller. Such consent shall not unreasonably be withheld. In the case of general written authorisation, the Processor shall inform the Controller of any intended changes concerning the addition or replacement of other processors, thereby giving the Controller the opportunity to object to such changes.

5. If the Processor appoints a Sub-Processor, the Processor will ensure that, prior to the Processing taking place, there is a written contract in place between the Processor and the Sub-Processor that specifies the Sub-Processor’s Processing activities and imposes on the Sub-Processor the same terms as imposed within these data processing clauses. The Processor will procure that Sub-Processors will perform all obligations set out in these clauses and the Processor will remain responsible and liable to the Controller for all acts and omissions of Sub-Processors as if they were its own.

6. Ensure that any individual authorised to Process Personal Data is subject to confidentiality obligations or is under an appropriate statutory obligation of confidentiality.

7. At the choice of the Controller, securely delete or return all Personal Data promptly at the end of the provision of services relating to the Processing, and securely delete any remaining copies (unless applicable United Kingdom law requires continued storage of the Personal Data by the Processor).

8. Only make a Restricted Transfer of Personal Data if:

a. a competent authority or body of the United Kingdom makes, recognises or adopts a binding decision that the country or territory to which the transfer is to be made provides an adequate level of protection for Processing of Personal Data;

b. the recipient of Personal Data provides adequate safeguards for the transfer in accordance with United Kingdom adequacy regulations set out in the Data Protection Legislation, in which case the Controller will execute any documents (including data transfer agreements) relating to that transfer which the Processor or the relevant Sub-Processor requires it to execute from time to time; or

c. the Processor or the relevant Sub-Processor is required to make the transfer to comply with applicable laws within the United Kingdom, in which case the Processor will notify the Controller of such legal requirement prior to such transfer unless such laws prohibit notice to the Controller on public interest grounds.

9. Taking into account the art of the possible and the nature and sensitivity of the Processing, implement technical and organisational measures to ensure a level of security appropriate to the risk presented by Processing the Personal Data, in particular the risk of a Personal Data Breach.

10. Notify the Controller promptly and without undue delay upon becoming aware of a reasonably suspected, “near miss” or actual Personal Data Breach.

11. Promptly (and in any event within 72 hours) notify the Controller of any request that it receives for exercise of a Data Subject’s rights under the Data Protection Legislation or communication or complaint that it receives from a Data Subject or the Commissioner or other third party in connection with the Personal Data.

12. Without charge, provide reasonable assistance to and co-operate with the Controller in:

a. responding promptly to requests for exercising Data Subjects’ rights under the Data Protection Legislation;
b. documenting and reporting any Personal Data Breach incidents to the Commissioner and/or Data Subjects; and
c. conducting data protection / privacy impact assessments of any Processing operations and consulting with the Commissioner, Data Subjects and their representatives accordingly.

13. Co-operate and make available to the Controller all information necessary to demonstrate compliance with the Data Protection Legislation and the obligations set out in these data processing clauses; and allow for and contribute to audits, inspections, and mid contract reviews conducted by the Controller or another auditor mandated by the Controller.

14. Acknowledge that the University is a public authority for the purposes of the Freedom of Information Act 2000 (FOIA) and the Environmental Information Regulations (EIR), and that public authorities have certain information disclosure requirements under the FOIA and EIR.

15. Without charge, assist and co-operate with the University to enable the University to comply with any relevant requests for information with which the University is obliged by FOIA or EIR to comply, within the time limits set out in clause 16.

16. Agree and procure that any relevant sub-contractors shall:

a. transfer any requested information to the University’s representative as soon as practicable after receipt and in any event within five Business Days of the University requesting the information; and
b. provide all necessary assistance as reasonably requested by the University to enable us to respond to a request for information within the time for compliance set out in section 10 of the FOIA or regulation 5 of the EIR.

17. In no event respond directly to a request for information unless expressly authorised to do so in writing by the University. The University shall be responsible for determining at its absolute discretion and notwithstanding any other provision in these data processing clauses or any other agreement whether any information is exempt from disclosure in accordance with the provisions of the FOIA or the EIR.