BACKGROUND (A)          IBSA Legal Ltd (“IBSA Legal”) are obliged under the Data Protection Legislation to have a Data Processing Agreement in place with those persons who process Personal Data on our behalf (each being a “Supplier”), ensuring that all Processing complies with the Data Protection Legislation. (B)          In the course of its provision of legal services to clients, IBSA Legal interact with an enormous number of Suppliers, many of whom will interact with a huge number of providers of legal services. In practice, it will be impossible to persuade the vast majority of such Suppliers to enter into an individual Data Processing Agreement with IBSA Legal. (C)          Accordingly, IBSA Legal have produced these conditions to set out the conditions on which Suppliers Process data on our behalf in the absence of an individual Data Processing Agreement.

1. INTERPRETATION

  1.1 The definitions and rules of interpretation in this clause apply in these conditions and in any other agreement between the parties. “Business Day” means a day other than a Saturday, Sunday or public holiday in England when banks in London are open for business. “Data Controller” shall have the meaning given in the Data Protection Legislation. “Data Processor” shall have the meaning given in the Data Protection Legislation. “Data Protection Legislation” means:

• until GDPR becomes directly applicable in the UK, the Data Protection Act 1998; then
• unless and until the GDPR is no longer directly applicable in the UK, GDPR and any national implementing laws, regulations and secondary legislation, as amended or updated from time to time in the UK; and then
• any successor legislation to the GDPR and/or the Data Protection Act 1998.

“Data Subject” shall have the meaning given in the Data Protection Legislation. “GDPR” means the General Data Protection Regulation ((EU) 2016/679) “Personal Data” shall have the meaning given in the Data Protection Legislation. “Process” and “Processing” shall have the meaning given under the Data Protection Legislation.   1.2 Clause, Schedule and paragraph headings shall not affect the interpretation of these conditions. 1.3 Unless the context otherwise requires, words in the singular shall include the plural and in the plural shall include the singular. 1.4 A reference to writing or written includes faxes and e-mail. 1.5 Any words following the terms including, include, in particular, for example or any similar expression shall be construed as illustrative and shall not limit the sense of the words, description, definition, phrase or term preceding those terms.

2. SCOPE

  These conditions shall govern any and all Processing of Personal Data performed by a Supplier for or on behalf of IBSA Legal, whether or not such Processing forms part of any other contract or agreement. These conditions shall however be superseded in relation to the applicable Supplier by the signature of a bespoke Data Processing Agreement between IBSA Legal and that Supplier.

3. DATA PROTECTION

  3.1 IBSA Legal and the Supplier will comply with all applicable requirements of the Data Protection Legislation. This clause 3 is in addition to, and does not relieve, remove or replace, a party’s obligations under the Data Protection Legislation. 3.2 The parties acknowledge that for the purposes of the Data Protection Legislation, IBSA Legal is the Data Controller and the Supplier is the Data Processor. 3.3 Without prejudice to the generality of clause 3.1, IBSA Legal will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the Personal Data to the Supplier for the duration and purposes of these conditions. 3.4 Without prejudice to the generality of clause 3.1, the Supplier shall, in relation to any Personal Data Processed by the Supplier: 3.4.1 Process that Personal Data only on the written instructions of IBSA Legal unless the Supplier is required to Process the applicable Personal Data by the Data Protection Legislation. Where the Supplier is relying on the Data Protection Legislation as the basis for Processing Personal Data, the Supplier shall promptly notify S&B of this before performing the Processing required by the Data Protection Legislation, unless the Data Protection Legislation prohibits the Supplier from so notifying IBSA Legal; 3.4.2 ensure that it has in place appropriate technical and organisational measures to protect against unauthorised or unlawful Processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data, appropriate to the harm that might result from the unauthorised or unlawful Processing or accidental loss, destruction or damage and the nature of the Personal Data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymising and encrypting Personal Data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it); 3.4.3 ensure that all personnel who have access to and/or process Personal Data are contractually obliged to keep the Personal Data confidential; and 3.4.4 not transfer any Personal Data outside of the European Economic Area unless the prior written consent of IBSA Legal has been obtained and the following conditions are fulfilled: 3.4.4.1 the Supplier has provided appropriate safeguards in relation to the transfer; 3.4.4.2 the Data Subject has enforceable rights and effective legal remedies; 3.4.4.3 the Supplier complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred; and 3.4.4.4 the Supplier complies (and procures compliance by the transferee) with reasonable instructions notified to it in advance by IBSA Legal with respect to the Processing of the Personal Data; 3.4.5 assist IBSA Legal without charge in responding to any request from a Data Subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators; 3.4.6 at the written direction of IBSA Legal, delete or return Personal Data and copies thereof to IBSA Legal on termination of the agreement; and 3.4.7 maintain complete and accurate records and information to demonstrate its compliance with this clause 3 and allow for audits by IBSA Legal or IBSA Legal ‘s designated auditor. 3.5 IBSA Legal does not consent to the Supplier appointing any third-party processor of Personal Data under these conditions. If such consent (which must be in writing) is subsequently given by IBSA Legal, then as between IBSA Legal and the Supplier, the Supplier shall remain fully liable for all acts or omissions of any third-party processor appointed by it pursuant to this clause 3.

4. SUPPLIER’S EMPLOYEES

  4.1 The Supplier will ensure that all employees, officers, contractors and other personnel: 4.1.1 are informed of the confidential nature of the Personal Data and are bound by confidentiality obligations and use restrictions in respect of the Personal Data; 4.1.2 have undertaken training on the Data Protection Legislation relating to handling Personal Data and how it applies to their particular duties; and 4.1.3 are aware both of the Supplier’s duties and their personal duties and obligations under the Data Protection Legislation and these conditions. 4.2 The Supplier will take reasonable steps to ensure the reliability, integrity and trustworthiness of all of the Supplier’s employees with access to the Personal Data.

5. PERSONAL DATA BREACH

  5.1 The Supplier will promptly and without undue delay notify IBSA Legal if any Personal Data is lost or destroyed or becomes damaged, corrupted, or unusable (each such case being a “Personal Data Breach”). The Supplier will restore such Personal Data at its own expense. 5.2 The Supplier will immediately notify IBSA Legal if it becomes aware of: 5.2.1 any accidental, unauthorised or unlawful processing of the Personal Data; or 5.2.2 any Personal Data Breach. 5.3 Where the Supplier becomes aware of a situation falling within either clause 5.2.1 or 5.2.2 above, it shall, without undue delay, also provide IBSA Legal with the following information: 5.3.1 description of the nature of the situation, including the categories and approximate number of both Data Subjects and Personal Data records concerned; 5.3.2 the likely consequences; and 5.3.3 description of the measures taken, or proposed to be taken to address the situation, including measures to mitigate its possible adverse effects. 5.4 Immediately following any unauthorised or unlawful Personal Data processing or Personal Data Breach, the parties will co-ordinate with each other to investigate the matter. The Supplier will reasonably co-operate with IBSA Legal in IBSA Legal ‘s handling of the matter, including: 5.4.1 assisting with any investigation; 5.4.2 providing IBSA Legal with physical access to any facilities and operations affected; 5.4.3 facilitating interviews with the Supplier’s employees, former employees and others involved in the matter; 5.4.4 making available all relevant records, logs, files, data reporting and other materials required to comply with all Data Protection Legislation or as otherwise reasonably required by IBSA Legal; and 5.4.5 taking reasonable and prompt steps to mitigate the effects and to minimise any damage resulting from the Personal Data Breach or unlawful Personal Data processing. 5 5.5 The Supplier will not inform any third party of any Personal Data Breach without first obtaining IBSA Legal ‘s prior written consent, except when required to do so by law. 5.6 The Supplier agrees that IBSA Legal has the sole right to determine: 5.6.1 whether to provide notice of the Personal Data Breach to any Data Subjects, supervisory authorities, regulators, law enforcement agencies or others, as required by law or regulation or in IBSA Legal ‘s discretion, including the contents and delivery method of the notice; and 5.6.2 whether to offer any type of remedy to affected Data Subjects, including the nature and extent of such remedy.

6. WAIVER

  No failure or delay by a party to exercise any right or remedy provided under these conditions or by law shall constitute a waiver of that or any other right or remedy, nor shall it preclude or restrict the further exercise of that or any other right or remedy. No single or partial exercise of any right or remedy shall preclude or restrict the further exercise of that or any other right or remedy.

7. REMEDIES

  Except as expressly provided in these conditions, the rights and remedies provided under these conditions are in addition to, and not exclusive of, any rights or remedies provided by law.

8. GOVERNING LAW & JURISDICTION

  These conditions and any dispute or claim arising out of or in connection with it or its subject matter or formation (including non-contractual disputes or claims) shall be governed by and construed in accordance with the law of England and Wales, and the courts of England & Wales shall have exclusive jurisdiction to settle any such dispute or claim.