Terms & Conditions.
In these conditions the following expressions shall have the following meanings: -
"The Processor" - Dentons Directories Limited.
"The Company" - The individual(s) firm or Company who orders an Advertisement from the Processor.
"Advertisement" - Such entry (in whatever print typeface display artform or other representation) in any publication of the Processor which relates to the order by the Customer.
INCORPORATION AND GENERAL TERMS
Any order accepted by the Processor shall be on these terms and conditions.
No variation shall be accepted or incorporated unless confirmed in writing to the Processor by the Company and further confirmed in writing by a representative duly authorised by the Processor.
No employee or agent is authorised to make any representations concerning the services, quality or effect of any publication of the Processor unless confirmed by the Processor in writing. In entering into any contract with the Processor the Company acknowledges that it does not rely on and waives any claim for breach of any such representations which are not so confirmed.
APPROVAL OF COPY
Unless the Company expressly requests the Processor to submit Copy prior to publication, the Company shall be deemed to have hereby authorised the Processor to proceed to publication with such Copy as the Processor sees fit.
In the event of prior submission of Copy to the Company for approval, the Company shall be given 14 days in which to signify their rejection of Copy. The Processor shall be at liberty to notify the Company in writing of a shorter period for approval where circumstances such as deadlines for publication dictate otherwise. In the event of the Processor failing to receive rejection by the Company of Copy within the period of 14 days (or lesser period if notified as above) then the Company shall be deemed to have approved Copy submitted and to have authorised the Processor to proceed to publication in the form of Copy. The Processor shall incur no liability for any errors not corrected by the Company in Copy submitted.
The Processor shall make every effort to ensure that all Advertisements agree with Copy. However, omissions or mistakes may at times happen. In such an event the Processor shall refund to the Company the charge for the Advertisement. The Processor may also at its absolute discretion publish a correct Advertisement free of charge in the next issue of the relevant publication concerned. In any event the limit of the Processor's liability shall be the price payable by the Company under the relevant order and the Processor accepts no liability whatsoever for injury or damage of any kind nor for any consequential loss in relation to such omissions or mistakes.
The Processor shall use its best endeavours to publish the Advertisement in its next publication of the Directory referred to in the order of the Company.
The Processor reserves the right to publish and distribute its directories and other publications in such form, layout, sections, editions and formats and at such times in such categories, and in such geographical classifications as the Processor shall from time to time decide: no warranty is given nor condition agreed to the contrary.
The Processor reserves the right to cancel acceptance of the order with no liability on the part of the Processor resulting, if the Processor does not receive sufficient advertisements to justify publication or if the page on which it is intended to place the Company's Advertisement cannot be arranged so as to accommodate the nature of the Advertisement required.
The Processor reserves the right to change the typeface of the Advertisement so as to conform with the typeface adopted from time to time by the Processor for use in the publication in which the Advertisement is to be placed.
The Processor does not allow to the Company any free entries, whether in the same category in the relevant publication of the Processor, or otherwise. The Processor at its absolute discretion will consider any request by the Company as to a free entry. The Processor shall be under no obligation or liability whether in contract or in tort as to any free entry which is agreed to by the Company.
Copyright in all artwork and other material contained in the Advertisement shall vest in the Processor where such work is prepared by the Processor or on its behalf. The Company shall have the right to use the work contained in the Advertisement for the purpose of entry as an Advertisement in the Processor's publication referred to in the order, and for no other purpose.
Where information artwork or other material of any kind is supplied by the Company to the Processor, the Company warrants that such information artwork and material: -
- is accurate
- will not cause the Processor to infringe the law of any country or injure or infringe the rights reputation or business of any party nor cause any liability on the part of the Processor by way of misdescription false trade description or otherwise
- is not defamatory and is free of copyright or other legal restrictions
The Company shall fully indemnify the Processor against any actions, demands, costs, charges, penalties or expenses imposed on the Processor or its employees as a result of any civil or criminal claim or prosecution of any kind whatsoever in respect of the content of any Advertisement (whether or not due to the negligence of the Processor).
PAYMENT AND ADDITIONAL CHARGES
Payment by the Company shall be due to the Processor on demand.
In the event of the Company failing to make proper payment to the Processor, the Processor shall be entitled to charge interest on the price payable at a rate of 4% above National Westminster Bank plc base rate from time to time from the date of demand until the date of actual payment (whether before or after judgement has been obtained).
In the event of alterations being requested by the Company or the further submission of Copy being required, the Company shall be charged extra at the Processor's prevailing rates from time to time.
The Processor shall not be liable to the Company in the event of the Processor being unable to publish the Advertisement for any reason beyond its control.
These conditions and all other express terms on the Contract shall be governed and construed in accordance with the laws of England.
1. Processing of Company Personal Data
- The Parties agree that with regard to the Processing of Company Personal Data, Company is the Data Controller, Processor is a Contracted Processor and that Processor may engage Subprocessors if required pursuant to the requirements set forth in Section 5 "Subprocessing" below.
- Processor shall:
- comply with all applicable Data Protection Laws in the Processing of Company Personal Data; and
- not Process Company Personal Data other than on the Company's documented instructions unless Processing is required by Applicable Laws to which the Processor is subject, in which case Processor shall to the extent permitted by Applicable Laws inform the Company of that legal requirement before the relevant Processing of that Personal Data.
- Company instructs Processor (and authorises Processor to instruct each Subprocessor) to Process Company Personal Data, in particular, to transfer Company Personal Data to any country or territory, as reasonably necessary for the provision of the Services and consistent with the Principal Agreement.
2. Details of processing of Company Personal Data required by Article 28(3) GDPR
- The duration of the contract is defined in the details of the Principal Agreement. The nature and purpose of the Processing of Company Personal Data by the Processor for the Company are precisely defined in the Principal Agreement.
- The types of Company Personal Data to be Processed comprise the following data types/categories: Business Name and Type of Business, Business Address, Business Phone Numbers, Business Email addresses and Websites.
- The categories of Data Subject to whom the Company Personal Data relates comprise: Employees, Contractors
- The obligations and rights of Company are set out in the Principal Agreement.
3. Processor Personnel
Processor shall ensure that its personnel engaged in the Processing of Company Personal Data are informed of the confidential nature of the Company Personal Data, have received appropriate training on their responsibilities and are subject to obligations of confidentiality and such obligations survive the termination of that person's engagement with Processor for 5 years. Processor shall take reasonable steps to ensure the reliability of any Processor employee, agent or contractor who may have access to the Company Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know / access the relevant Company Personal Data, as strictly necessary for the purposes of the Principal Agreement, and to comply with Applicable Laws in the context of that individual's duties to the Contracted Processor, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.
Processor shall in relation to the Company Personal Data implement and comply with all technical and organizational measures necessary to perform its obligations under this Agreement and to ensure a level of data security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR. Appropriate measures for consideration are described in Annex 1 to these Terms & Conditions.
- In assessing the appropriate level of security, Processor shall take account in particular of the risks that are presented by Processing, in particular from a Personal Data Breach.
- The technical and organisational measures are subject to technical progress and further development. In this respect, it is permissible for the Processor to implement alternative adequate measures. In so doing, the security level of the defined measures must not be reduced. Substantial changes must be documented in writing.
5. Subprocessing
- Company authorises Processor to appoint Subprocessors in accordance with this section and with any restrictions in the Principal Agreement.
- The Processor may commission Subprocessors only after prior explicit written or documented consent from the Company.
- Processor may continue to use Subprocessors already engaged by Processor as of 01/05/2018, who are listed in Annex 2 to these Terms & Conditions, on the condition of a contractual agreement in accordance with Article 28 paragraphs 2-4 GDPR.
- If the Subprocessor provides the agreed Service outside the EU/EEA, the Processor shall ensure compliance with EU Data Protection Regulations by appropriate measures.
- Processor shall ensure that each Subprocessor performs the obligations, as they apply to Processing of Company Personal Data carried out by that Subprocessor, as if it were party to this Addendum in place of Processor.
- Processor shall be liable for the acts and omissions of its Subprocessors to the same extent Vendor would be liable if performing the Services of each Subprocessor directly under the terms of this Addendum, except as otherwise set forth in the Principal Agreement.
- Further outsourcing by the Subprocessor is not permitted.
6. Data Subject Rights and Data Protection Impact Assessment
- Processor shall assist Company by implementing appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Companies' obligations, as reasonably understood by Company, to respond to requests to exercise Data Subject rights under the Data Protection Laws.
- Processor shall promptly notify Company if Processor receives a request from a Data Subject under any Data Protection Law in respect of Company Personal Data and Processor shall implement Data Subject requests as instructed by the Company without undue delay.
- Insofar as it is included in the scope of services, the erasure policy, 'right to be forgotten', rectification, data portability and access shall be ensured by the Processor in accordance with documented instructions from the Company without undue delay.
- Processor shall provide reasonable assistance to Company with any data protection impact assessments, and prior consultations with Supervising Authorities or other competent data privacy authorities, which Company reasonably considers to be required of Company by article 35 or 36 of the GDPR or equivalent provisions of any other Data Protection Law, in each case solely in relation to Processing of Company Personal Data by, and taking into account the nature of the Processing and information available to, the Contracted Processors.
7. Personal Data Breach
- Processor shall notify Company without undue delay, not later than within 72 hours, upon Processor or any Subprocessor becoming aware of a Personal Data Breach affecting Company Personal Data, providing Company with sufficient information to allow Company to meet any obligations to report or inform Data Subjects of the Company Personal Data Breach under the Data Protection Laws.
- Processor shall investigate the Personal Data Breach and provide Company with information about the Personal Data Breach and take reasonable steps to mitigate the effects and to minimize any damage resulting from the Personal Data Breach.
- Processor shall co-operate with Company and take such reasonable commercial steps as are directed by Company to assist in the investigation, mitigation and remediation of each such Personal Data Breach.
- Notification(s) of Personal Data Breach will be delivered to the Company's business, technical or administrative contacts by sending an email.
8. Deletion or return of Company Personal Data
- Processor may not on its own authority rectify, correct, amend, erase or restrict the Processing of Company Personal Data that is being Processed on behalf of the Company, but only on documented instructions from the Company.
- Copies or duplicates of the Company Personal Data shall never be created without the knowledge of the Company, with the exception of back-up copies as far as they are necessary to ensure orderly data processing, as well as data required to meet regulatory requirements to retain data.
- Processor shall promptly and in any event within 14 days of the date of cessation of any Services involving the Processing of Company Personal Data (the "Cessation Date"), delete and procure the deletion of all copies of those Company Personal Data.
- Company may in its absolute discretion by written notice to Processor within 14 days of the Cessation Date require Processor to (a) return a complete copy of all Company Personal Data to Company by secure file transfer in such format as is reasonably notified by Company to Processor; and (b) delete and procure the deletion of all other copies of Company Personal Data Processed by any Contracted Processor. Processor shall comply with any such written request within reasonable time of the Cessation Date.
- Processor may retain Company Personal Data to the extent required by Applicable Laws and only to the extent and for such period as required by Applicable Laws and always provided that Processor shall ensure the confidentiality of all such Company Personal Data and shall ensure that such Company Personal Data is only Processed as necessary for the purpose(s) specified in the Applicable Laws requiring its storage and for no other purpose.
- Processor shall provide written certification to Company that it has fully complied with this section within reasonable time of the Cessation Date.
9. Audit rights
- Processor shall make available to Company on request within 14 days all information necessary to demonstrate compliance with this Addendum, and shall allow for and contribute to audits, including inspections, by Company or an auditor mandated by Company in relation to the Processing of the Company Personal Data by the Contracted Processors.
- Processor shall ensure that Company is able to verify compliance with the obligations of the Processor in accordance with Article 28 GDPR. The Processor undertakes to give Company the necessary information on request and, in particular, to demonstrate the execution of the technical and organizational measures.
- Company which is undertaking an audit shall give Processor reasonable notice of any audit or inspection to be conducted.
10. Quality assurance and other duties of the Processor
Processor shall comply with the statutory requirements under the referred to in Articles 28 to 33 GDPR. Such requirements may include, but not be limited to:
- Appointing a Data Protection Officer (a "DPO") who performs the duties set forth in, inter alia, Articles 38 and 39 GDPR, and keeping Company informed of such DPO's contact information at all times if required by law
- Company and Processor shall cooperate, on request, with the Supervisory Authority.
- Processor shall inform Company immediately of any inspections and measures conducted by the Supervisory Authority, insofar as they relate to these Terms & Conditions.
- Processor shall fully co-operate with Company in responding to an inspection by the Supervisory Authority, an administrative or summary offence or criminal procedure, a liability claim by a Data Subject or by a third party or any other claim pursuant to GDPR or other Applicable Law.
- The Processor shall periodically monitor the internal processes and the technical and organizational measures to ensure that Processing is in accordance with the requirements of Applicable Law and the protection of the rights of the Data Subject.
- The Processor shall collect only Personal Data that is proportionate, relevant, and appropriate for purposes of fulfilling its obligations under the Principal Agreement with the Company.
- The Processor shall ensure compliance with the data transfer methods contained in the EU data protection laws.
11. General Terms
- The Processor shall indemnify and hold harmless the Company against all and any losses resulting from any material breach of these Terms & Conditions by Processor or any of its Sub-Contractors.
- The Processor represents and warrants that nothing in any applicable data protection legislation (or any other applicable laws or regulations) prevents it from fulfilling its obligations under these Terms & Conditions and undertakes and agrees that, in the event of a change in any such laws that is likely to have a material adverse effect on the Processor’s compliance with these Terms & Conditions or in the event the Processor otherwise cannot comply with these Terms & Conditions for whatever reason(s), the Processor shall notify the Company within fifteen (15) days.
- The parties to these Terms & Conditions hereby submit to the choice of jurisdiction stipulated in the Principal Agreement with respect to any disputes or claims howsoever arising under these Terms & Conditions.
- This Addendum and all non-contractual or other obligations arising out of or in connection with it are governed by the laws of the country or territory stipulated for this purpose in the Principal Agreement.
- In the event of inconsistencies between the provisions of these Terms & Conditions and any other agreements between the parties, including the Principal Agreement and including (except where explicitly agreed otherwise in writing, signed on behalf of the parties) agreements entered into or purported to be entered into after the date of these Terms & Conditions, the provisions of this Document shall prevail.
- Should any provision of these Terms & Conditions be invalid or unenforceable, then the remainder of this Document shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the Parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.
ANNEX 1 - TECHNICAL AND ORGANISATIONAL MEASURES
1. Confidentiality (Article 32 Paragraph 1 Point b GDPR)
Physical Access Control
No unauthorised access to Data Processing Facilities, e.g.: magnetic or chip cards, keys, electronic door openers, facility security services and/or entrance security staff, alarm systems, video/CCTV Systems;
Electronic Access Control
No unauthorised use of the Data Processing and Data Storage Systems, e.g.: (secure) passwords, automatic blocking/locking mechanisms, two-factor authentication, encryption of data carriers/storage media;
Internal Access Control
No unauthorised Reading, Copying, Changes or Deletions of Data within the system, e.g. rights authorisation concept, need-based rights of access, logging of system access events;
The isolated Processing of Data, which is collected for differing purposes, e.g. multiple Client support, sandboxing;
Pseudonymisation (Article 32 Paragraph 1 Point a GDPR; Article 25 Paragraph 1 GDPR)
The processing of personal data in such a method/way, that the data cannot be associated with a specific Data Subject without the assistance of additional Information, provided that this additional information is stored separately, and is subject to appropriate technical and organisational measures.
2. Integrity (Article 32 Paragraph 1 Point b GDPR)
Data Transfer Control
No unauthorised Reading, Copying, Changes or Deletions of Data with electronic transfer or transport, e.g.: Encryption, Virtual Private Networks (VPN), electronic signature;
Data Entry Control
Verification, whether and by whom personal data is entered into a Data Processing System, is changed or deleted, e.g.: Logging, Document Management
3. Availability and Resilience (Article 32 Paragraph 1 Point b GDPR)
Prevention of accidental or wilful destruction or loss, e.g.: Backup Strategy (online/offline; on-site/off-site), Uninterruptible Power Supply (UPS), virus protection, firewall, reporting procedures and contingency planning
Rapid Recovery (Article 32 Paragraph 1 Point c GDPR);
4. Procedures for regular testing, assessment and evaluation (Article 32 Paragraph 1 Point d GDPR; Article 25 Paragraph 1 GDPR)
Data Protection Management;
Incident Response Management;
Data Protection by Design and Default (Article 25 Paragraph 2 GDPR);
Order or Contract Control
No third party data processing as per Article 28 GDPR without corresponding instructions from the Client, e.g.: clear and unambiguous contractual arrangements, formalised Order Management, strict controls on the selection of the Service Provider, duty of pre-evaluation, supervisory follow-up checks.
ANNEX 2 - SUBPROCESSORS
118 Data Resource
62 Anchorage Road,
Data Provider and Cleaner