Terms and conditions for the supply of consultancy of services to the council under a purchase order
11. Personal data
11.1 The Consultant shall, and shall procure that its employees, agents and contractors shall, observe and perform its obligations under the Data Protection Act 2018 (DPA), and the UK GDPR (as defined in s.3(10), and supplemented by s. 205(4), of the DPA) (the Data Protection Legislation).
11.2 Without prejudice to clause 11.1, the Consultant shall, when handling the Council’s data, including any personal data, ensure that it adopts such technical and security measures as the Council may require, or as would be adopted by a reasonably diligent provider of services equivalent to those delivered as Services under this Contract, to ensure that the security of the Council’s data is maintained in accordance with the security requirements of the Data Protection Legislation.
11.3 The parties agree that they shall only process personal data insofar as the parties have identified:
11.3.1 the subject matter, duration, nature, and purpose of the processing;
11.3.2 the type of personal data to be processed; and
11.3.3 the categories of data subject.
11.4 In processing personal data under the Contract, the Consultant shall:
11.4.1 only act on the Council’s written instruction (unless required to do otherwise by law);
11.4.2 ensure that any of its staff, agents, or employees processing personal data are subject to a duty of confidence;
11.4.3 not engage a sub-processor without the Council’s prior written authorisation (and if such sub-processor is appointed, shall ensure that they are under obligations which are at least equivalent to those contained in this clause 11 (Personal Data);
11.4.4 take such steps to assist the Council in responding to requests from data subjects to exercise their rights under the Data Protection Legislation;
11.4.5 assist the Council in meeting its obligations in respect of:
11.4.5.1 notification of personal data breaches;
11.4.5.2 conducting data protection impact assessments; and
11.4.5.3 adopting any technical and security measures to protect the personal data; and
11.4.6 submit to such audits and inspections, and provide such information as the Council shall request in order to assess its compliance with this clause 11 (Personal Data).
11.5 The parties agree that a breach of the obligations in this clause 11 (Personal Data), shall constitute an irremediable, material, breach for the purpose of clause 12.1.1.