This addendum applies where MDV Consulting (MDV, we, us, our) carries out any activities as a data processor for a client (you).
In this addendum, the following terms have the following meanings:
Data Protection Legislation: (i) unless and until the GDPR is no longer directly applicable in the UK, the General Data Protection Regulation ((EU) 2016/679) and any national implementing laws, regulations and secondary legislation, as amended or updated from time to time, in the UK and then (ii) any successor legislation to the GDPR or the Data Protection Act 1998.
Data Subject: an individual who is the subject of the Personal Data.
Personal Data: means any information that is regarded as personal data for the purpose of Data Protection Legislation and which is passed from you to MDV for the purpose of MDV providing services to you.
Both you and MDV will comply with all applicable requirements of the Data Protection Legislation. This clause is in addition to, and does not relieve, remove or replace, a party’s obligations under the Data Protection Legislation.
We both acknowledge that for the purposes of the Data Protection Legislation, you are the data controller and MDV is the data processor (where Data Controller and Data Processor have the meanings as defined in the Data Protection Legislation).
You will ensure that you have all necessary appropriate consents and notices in place to enable lawful transfer of the Personal Data to MDV for the duration and purposes of this agreement.
You acknowledge that MDV is reliant on you for direction as to the extent to which MDV is entitled to use and process the Personal Data. Consequently, MDV will not be liable for any claim brought by a Data Subject arising from any action or omission by you, or to the extent that such action or omission resulted from your instructions. You shall indemnify MDV against all claims, costs, damages, losses and expenses incurred by MDV in connection with any claim by any Data Subject in relation to the processing of Personal Data in accordance with your instructions or this clause.
You and MDV confirm that:
MDV will process Personal Data for the purpose of providing services to you, including recruitment and employment consultancy services;
the Personal Data MDV will process may include identity and contact data (names, dates of birth and contact details), financial data, and employment data (CV and information contained with employment files);
the Personal Data may relate to any or all of your employees and staff, business partners and family members;
MDV will process the Personal Data to the extent necessary to provide the services you have requested;
MDV will process the Personal Data for the time taken to complete the services and may retain such data for a period of up to 7 years after you cease to be a client of MDV.
MDV shall, in relation to any Personal Data processed in connection with the performance by MDV of its obligations to you:
process that Personal Data only on your written or verbal instructions unless MDV is required by the laws of any member of the European Union or by the laws of the European Union applicable to MDV to process Personal Data;
ensure that it has in place appropriate technical and organisational measures, to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures;
ensure that all personnel who have access to and/or process Personal Data are obliged to keep the Personal Data confidential; and
assist you, at your cost, in responding to any request from a Data Subject and in ensuring compliance with your obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators;
notify you without undue delay on becoming aware of a Personal Data breach;
at your written direction, delete or return Personal Data and copies thereof to you on termination of the agreement unless required by law to store the Personal Data; and
maintain complete and accurate records and information to demonstrate its compliance with this clause, and within 21 days of written request, provide you with all information reasonably necessary to demonstrate compliance with its obligations under this clause;
allow for and contribute to audits, including inspections during normal working hours, by you (or an auditor nominated by you) in relation to the processing of the Personal Data by MDV or its sub-processors, provided MDV is given reasonable notice of such audits and inspections.
You authorise MDV to transfer Personal Data to any country or territory outside of the European Economic Area as reasonably necessary for the provision of the services, provided that MDV complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred.
MDV may continue to use sub-processors already engaged by MDV as at the start of its engagement. Details of such sub-processors are available on request. MDV confirms that it has entered or (as the case may be) will enter with the third-party processor into a written agreement substantially on that third party’s standard terms of business.
MDV shall give you prior written notice of the appointment of any new sub-processor, and if you object to such appointment within 14 days of such notice, MDV may not appoint such sub-processor without your consent.