
GDPR Third Party Policy

eg. company, chambers or individual name

Service Type
Service Detail

eg. Interpreter, Psychiatrist, Advocacy, I.T.

I confirm I have read the Third-Party Agreement and agree to comply with its terms.


Third-Party GDPR Agreement

BETWEEN:
(1)          Powell Spencer & Partners Solicitors whose Office is at 270 Kilburn High Road, London, NW6 2BY (“The Firm”); and
(2)          You, The Data Processor as described within the Company/Name details section of this form (“The Data Processor”).
Hereinafter each individually referred to also as the “Party” and collectively as the “Parties”.
WHEREAS:
The Firm from time to time engages the Data Processor to provide to the Firm the Services described under the Services Provided subsection.

As part of the provision by the Data Processor of the Services, Personal Data may be transferred by the Firm to the Data Processor and involves the Data Processor Processing such Personal Data on behalf of the Firm.

To ensure compliance by the Firm with obligations pursuant to Applicable Privacy and Data Protection Law, the Firm and the Data Processor have agreed to enter into this Agreement in relation to all Processing of Personal Data by the Data Processor for or on behalf of the Firm.

IT IS AGREED AS FOLLOWS:
1.            Definitions
1.1          For the purposes of this Agreement:
“Applicable Privacy and Data Protection Law” means all applicable laws and regulations and other pronouncements having the effect of law relating to the processing of personal data and privacy to which the Parties are legally obligated to comply. For purposes of clarity, “Applicable Privacy and Data Protection Law” includes but is not limited to the General Data Protection Regulation 2016/679 of the European Parliament and of the Council (“the GDPR”) and any law, regulation, act, measure, or guidance implementing or supplementing the GDPR, including where applicable the guidance and codes of practice issued by the ICO, as well as any other laws and regulations of the European Union or the United Kingdom that may from time to time apply to the processing of personal data and privacy to which the Parties are legally obligated to comply.  References to “Applicable Privacy and Data Protection Law” mean the Applicable Privacy and Data Protection Law as may be amended, modified, supplemented, or restated.
“ICO” means the UK’s supervisory authority, the Information Commissioner’s Office;
“Personal Data” means the personal data provided, made available, or otherwise accessible to the Data Processor and/or the Data Processor’s Representatives, whether directly or indirectly, that falls within the definition of ‘Personal Data’ as defined in Article 4 of the GDPR or other Applicable Privacy and Data Protection Law.
“Data Subject” has the meaning given to the term ‘data subject’ in Article 4 of the GDPR;
“Processing” has the meaning given to the term ‘processing’ in Article 4 of the GDPR;
“Schedule” or “Schedules” means the Schedule or Schedules annexed to and forming an integral part of this Agreement and which shall have effect as if set out in full in the body of this Agreement;
“Data Processor’s Representatives” means any of the directors, officers, employees, consultants, sub-contractors or agents of the Data Processor;
“Sub-Processor” means a sub-processor appointed by the Data Processor to process Personal Data;
“Sub-Processing Agreement” means an agreement between the Data Processor and a Sub-Processor governing the processing of Personal Data to be carried out by the Sub-Processor;
“Services” means the services to be provided to our Firm by the Data Processor, by any of the Data Processor’s Representatives and/or by a Sub-Processor [in accordance with the Service Agreement] as described within the Services Provided section of this form.
2.            Scope and Application of this Agreement 
The Agreement is effective as of the Effective Date and shall continue in full force and effect for so long as the Data Processor is Processing Personal Data for or on behalf of the Firm and thereafter as provided in clause 9 of this Agreement.

The terms of this Agreement are to apply to all Processing of Personal Data described in Schedule 2 conducted for or on behalf of the Firm by the Data Processor and to all Personal Data held by the Data Processor in relation to such Processing whether such Personal Data is held at the date of this Agreement or received afterwards.

3.            Provision of the Services
3.1          The Data Processor is only to conduct the Services and only to carry out Processing of Personal Data received from the Firm:
3.1.1      for the purposes of conducting those Services described in the Services Provided section and not for any other purpose;
3.1.2      to the extent and in such manner as is necessary for those purposes; and
3.1.3      strictly in accordance with the express documented instructions from the Firm as may be communicated in writing to the Data Processor from time to time unless the Data Processor is required by law to act without such instructions (as per Article 29 of the GDPR) (in which case the Data Processor shall inform the Firm of the legal requirement before Processing Personal Data for that purpose unless prohibited from doing so by law).
3.2          The Data Processor may not make or retain any copies of or otherwise make any record of Personal Data otherwise than for the purposes of conducting the Services as described in the Services Provided section and not for any other purpose.
4.            Compliance
4.1          Both the Firm and the Data Processor shall comply at all times with Applicable Privacy and Data Protection Law and shall not perform their obligations under this Agreement or any other agreement or arrangement between themselves in such a way as to cause either Party to be in breach of any of its obligations under Applicable Privacy and Data Protection Law.
4.2          The Data Processor undertakes to conduct the Processing of Personal Data in accordance with this Agreement and Applicable Privacy and Data Protection Law.
4.2          The Data Processor shall provide all reasonable assistance to the Firm in complying with its obligations under Applicable Privacy and Data Protection Law in relation to the security of processing, the notification of personal data breaches and data protection impact assessments.  In particular, the Data Processor shall:
4.2.1      keep detailed records of all Processing conducted on Personal Data in accordance with the requirements of Article 30(2) of the GDPR;
4.2.2      submit to measures, audits and inspections reasonably instigated or requested by the Firm and/or to provide the Firm with whatever information it reasonably requires to ensure that the Parties are both meeting their obligations under Applicable Privacy and Data Protection Law;
4.2.3      notify the Firm immediately if it is asked to do something which would be an infringement of Applicable Privacy and Data Protection Law including if the Data Processor is of the opinion that an instruction from the Firm infringes Applicable Privacy and Data Protection Law;
4.2.4      notify the Firm immediately of any Personal Data breaches of Applicable Privacy and Data Protection Law that have occurred or which may have occurred whilst they are Processing Personal Data.  In the event of any Personal Data breach which requires notification under Applicable Privacy and Data Protection Law to the ICO or a Data Subject (howsoever caused), the Data Processor shall ensure that any notice they give the Firm under this clause shall (where such information is known at the time and is available):
(a)          describe the nature of the Personal Data breach including, where possible, the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned;
(b)          communicate the name and contact details of Data Processor’s data protection officer or other point of contact where further information can be obtained;
(c)           describe the likely consequences of the Personal Data breach; and
(d)          describe the measures taken or proposed to be taken by the Data Processor to address the Personal Data breach, including, where appropriate, measures to mitigate its possible adverse effects.
5.            Requests and Complaints
5.1          The Data Processor shall immediately notify the Firm as soon as it receives a data access request, complaint or other query from a Data Subject or any other person relating to the Processing of Personal Data under this Agreement.
5.2          The Data Processor shall cooperate fully with the Firm and, as required, assist in relation to any subject access request, complaint or other query and in particular by providing the Firm with whatever information and assistance it reasonably requires to comply with the request, complaint or query.
6.            Confidentiality
6.1          The Data Processor shall hold, store and maintain Personal Data in trust and confidence and shall ensure that the Processing of Personal Data is conducted securely and in accordance with Applicable Privacy and Data Protection Law.
6.2          The Data Processor shall ensure that the Data Processor’s Representatives and any other persons who have access to and/or are authorised to conduct Processing of Personal Data are subject to a duty of confidence and in particular are contractually obliged to keep Personal Data confidential on terms no less onerous than those set out in this Agreement.
6.3          The Data Processor must use all reasonable efforts to ensure that the Data Processor’s Representatives abide by this duty of confidentiality and do not do any act which, if done by the Data Processor, would be a breach of this Agreement.
6.4          The Data Processor shall implement appropriate technical and organisational measures to ensure the security of the Personal Data and the Processing of Personal Data and in particular to ensure the protection of Personal Data against unauthorised or unlawful Processing, alteration, loss or damage or unauthorised or unlawful disclosure to third parties.  Such technical and organisational measures shall include commercially reasonable safeguards and ensure a level of security appropriate to the risk.
6.5          The Firm reserves the right to issue instructions to the Data Processor as to the technical and organisational measures to be implemented by the Data Processor under sub-clause 6.4.
7.            Sub-Processors
7.1          The Data Processor shall not publish, copy or transfer any Personal Data and shall not disclose or share Personal Data which it is Processing under this Agreement with any third party without express documented consent from the Firm. Should the Firm give such consent:
(a)          the Data Processor shall enter into a suitable and adequate written Sub-Processing Agreement with the Sub-Processor in accordance with this Agreement, as set out in sub-clause 7.2;
(b)          the Data Processor shall only permit the Processing of Personal Data to the extent, and in such manner, as is necessary in order to comply with its obligations to the Firm or as may be required by law (in which case the Data Processor shall inform the Firm of the legal requirement before Processing the Personal Data for that purpose unless prohibited from doing so by law);
(c)          the Data Processor shall not Process the Personal Data or otherwise transfer or transmit the Personal Data outside of the European Economic Area.
7.2          In the event that the Data Processor appoints a Sub-Processor (with the express documented consent of the Firm), the Data Processor shall:
- Enter into a suitable and adequate written Sub-Processing Agreement with the Sub-Processor which shall impose upon the Sub-Processor the same obligations as are imposed upon the Data Processor by this Agreement [and which shall permit both the Data Processor and the Firm to enforce those obligations];
- Ensure that the Sub-Processor complies fully with its obligations under the Sub-Processing Agreement and Applicable Privacy and Data Protection Law.
8.            Liability and Indemnity
8.1          The Data Processor warrants, represents and undertakes that it shall comply with Applicable Privacy and Data Protection Law.
8.2          The Data Processor shall be liable for and shall fully indemnify (and keep indemnified) the Firm in respect of any and all losses, damages, liabilities, claims, costs or expenses suffered or incurred by the Firm (including legal fees, fines, penalties and third party damages or compensation) arising directly or in connection with the Data Processor’s or a Sub-Processor’s breach of this Agreement.
8.3          The Data Processor shall fully indemnify the Firm in respect of any and all losses, damages, liabilities, claims, costs or expenses suffered or incurred by the Firm (including legal fees, fines, penalties and third party damages or compensation) to remedy any breaches by the Data Processor or Sub-Processor of Applicable Privacy and Data Protection Law, defend all claims brought against the Firm as a result of the Data Processor’s or Sub-Processor’s breach of this Agreement, or satisfy a legal requirement caused by the Data Processor or Sub-Processor’s breach of this Agreement.
8.4          In the event that a Sub-Processor fails to meet its obligations under any Sub-Processing Agreement, the Data Processor shall remain fully liable to the Firm for failing to meet its requirements under this Agreement.
8.5          Nothing in this Agreement shall relieve or affect the liability of the Data Processor to the Data Subject or for any other breach of that Party’s direct obligations under Applicable Privacy and Data Protection Law.  The Data Processor shall acknowledge that it remains subject to the authority of the ICO and shall fully cooperate with the ICO, as required, and that failure to comply with its obligations as a Data Processor may render it subject to fines, penalties and compensation.
9.            Retention and Destruction
9.1          The Data Processor may only retain Personal Data for:
(a)          so long as is required to perform the Services;
(b)          a longer period required by Applicable Privacy and Data Protection Law; or
(c)          such other period as the Firm may reasonably request in writing.
9.2          For the avoidance of doubt, the Firm reserves the right to determine the periods for which the Data Processor may retain the Personal Data under sub-clause 9.1 and to issue instructions relating to the retention and destruction of Personal Data at any time. Where no other instructions have been given to the Data Controller by the Firm, Personal Data (including copies of Personal Data held by the Data Processor) shall not be retained by the Data Processor for longer than six years.
9.2          At the expiration of such period or otherwise upon demand by the Firm, the Data Processor shall immediately return to the Firm or destroy all Personal Data.
9.3          The Data Processor’s obligations include the obligation to use all commercially reasonable efforts to expunge all Personal Data (including all copies of the Personal Data that it holds) in any medium and from any systems or equipment in the possession or under the control of the Data Processor or any of the Data Processor’s Representatives or into which the Personal Data was programmed or inserted by or on behalf of the Data Processor or the Data Processor’s Representatives. No copies may be retained by the Data Processor or the Data Processor’s Representatives of any Personal Data.
9.4          The Firm reserves the right to issue instructions to the Data Processor as to the methods by which Personal Data is to be returned or destroyed under sub-clauses 9.2 and 9.3.
9.5          Following the return or destruction of Personal Data under sub-clauses 9.2 and 9.3, the Data Processor shall certify to the Firm that the Personal Data (including all copies of the Personal Data that it holds) has been returned or destroyed in accordance with this Agreement.
9.6          Any Personal Data that is not returned or destroyed pursuant to this Agreement shall continue to be subject to the confidentiality and non-disclosure provisions of this Agreement notwithstanding any expiration or termination of this Agreement.
10.          Review
10.0       The Parties shall review the effectiveness of the Processing of Personal Data under this Agreement every 6 months.  The Firm may continue, amend or terminate this Agreement depending upon the outcome of the review.
11.          Law and Jurisdiction
11.1        This Agreement shall be governed by the laws of England and Wales.
