Where you (as data controller) (“You”, Yours”) place an ad-hoc order for print procurement work with RRD (“We, Us, Our”) to the extent that We process Your Personal Data (as defined in the General Data Protection Regulation) We will do so on the following terms:
In respect of Personal Data, the parties acknowledge that RRD is data processor, and that You are a data controller. In respect of any Personal Data We process, each of the parties will:
- respond to enquiries regarding Personal Data and deal with any such enquiries promptly in accordance with the General Data Protection Regulation; and
- comply in full with the General Data Protection Regulation.
We will only process Personal Data pursuant to Your written instructions.
If We become aware of any breach of any security measure relating to Personal Data, We will promptly (and in any event within 24 hours):
- notify You of such breach;
- identify the cause of the breach;
- use reasonable endeavours to remedy any breach and its consequences;
- use reasonable endeavours to prevent the breach from re-occurring; and
- provide a report to You detailing the cause of and procedure for correcting the breach of security.
- use technical and organisational measures necessary to ensure that any Personal Data in Our possession or control or stored on a computer system under Our control is protected against loss, destruction, damage, unauthorised access, unauthorised use, unauthorised modification, unauthorised disclosure or other misuse;
- in relation to Personal Data ensure a level of security appropriate to the harm that might result from such unauthorised or unlawful processing or accidental loss, destruction or damage of Personal Data;
- ensure that only personnel who are under a contractual obligation of confidentiality are provided with access to Personal Data;
- obtain prior written consent from You before transferring any Personal Data to any sub-processor, or allowing a sub-processor to access any Personal Data (and in any event ensure that data processing clauses no less stringent than as contained in this Agreement are imposed on any such sub-processor); and
- immediately (and in any event within 24 hours) notify You if We become aware of a breach of this clause provision or any unauthorised access to Personal Data;
- maintain a record of all categories of any processing activities We undertake in relation to Personal Data in accordance with Article 30 of the General Data Protection Regulation, and provide a copy of such record(s) to You for inspection on reasonable demand.
- immediately inform You in the event that We believe that Your instructions in relation to Personal Data conflict with the requirements of the General Data Protection Regulation;
- ensure that Personal Data will not be stored, copied, used, altered, deleted, accessed, modified or otherwise interfered with by us for any purpose other than as expressly required to perform our obligations to You;
- ensure that Personal Data will not be disclosed to any third party, agents or subcontractors without Your prior written consent;
- (if requested by You) promptly provide You with a copy of all Personal Data held by us in the form and on the media reasonably specified by You;
- not (and will procure that any sub-processor will not), do or omit to do anything which would cause You to be in breach of Your obligations under the General Data Protection Regulation;
- take all reasonable steps to ensure the reliability of our staff who have access to Personal Data and will, in particular, ensure that all our staff have been appropriately vetted and that all our staff:
- are informed of the confidential nature of Personal Data;
- have undertaken and will undertake regular training in the laws relating to handling personal data, data privacy and information security at least annually with evidence of completion;
- are aware both our duties and their own personal duties and obligations under the General Data Protection Regulation;
- have committed themselves contractually to confidentiality; and
- do not process Personal Data except on instructions from You, unless required to do so by European Union or EU member state law; and
- not export any Personal Data outside the European Economic Area without Your prior written consent.
If any part of Personal Data ceases to be required for the performance of our obligations, We will (and will procure that any sub-processor will) return Personal Data to You within 14 days of such cessation, or at Your discretion permanently and securely destroy or procure the secure destruction (and provide written confirmation to You) of the same. Where We are required by law to retain a copy of Personal Data We will, having previously notified You of this requirement, be permitted to retain one copy thereof subject to observance of all legal requirements (including but not limited to the General Data Protection Regulation), and good industry practice, and limited to such purpose(s) for which We are under a duty to retain it.
If We receive any complaint, notice or communication which relates to the processing of Personal Data or to a party’s compliance with the General Data Protection Regulation, or if We become aware of any breach of Data Protection Legislation, We will (and will procure that any sub-processor will) without undue delay notify You and provide You with full co-operation and assistance in relation to any such complaint, notice, communication, activities or breach. We will ensure that We have appropriate technical and organisational measures in place to enable us to support You in fulfilling Your obligations to respond to requests for exercising data subjects’ rights laid down in Chapter III of the General Data Protection Regulation.
We will (and will procure that any sub-processor will) promptly comply with any instruction from You to comply with any agreement between You and any data subject and with any court order or any enforcement notice or other information notice or special information notice or other request for information from the UK Information Commissioner. We will not communicate with any regulator in respect of Personal Data without Your prior approval.
Where You reasonably suspect that We (or any sub-processor) is failing to comply with the General Data Protection Regulation We shall (and shall procure that any sub-processor shall) permit You, Your auditors or other agents (each an “Auditing Party”), to have access to our premises and information systems, records, documents and agreements as reasonably required by the Auditing Party to check that We and/or our sub- processors are complying with the General Data Protection Regulation. The Auditing Party shall bear its own costs in relation to such audit, unless the audit reveals any non-compliance with our or sub-processor’s obligations under the General Data Protection Regulation, in which case the costs of the audit shall be borne by us. We shall (and shall procure that any sub-processor shall) permit at its own costs the relevant authorities to conduct a data protection audit with regards to the processing carried out by us or by a sub-processor in accordance with the General Data Protection Regulation.
The parties are required by the General Data Protection Regulation to notify each other of the relevant individual within its organisation authorised to respond from time to time to enquiries regarding any Personal Data. Our relevant contact details are set out below:
RR Donnelley UK Limited, Data Protection Officer – IT Governance Director Europe, Shannon Way, Ashchurch, Tewkesbury, GL20 8BL, UK, email: DataPrivacyEurope@rrd.com.