Royal Mail Data Terms
END USER AGREEMENT
THESE DATA PROTECTION CLAUSES are between the Solutions Provider or Third Party Solutions Provider (as the case may be), for and on behalf of Royal Mail, and the End-User.
RECITALS:
(A) Royal Mail and the Solutions Provider have entered into a Data Supply Agreement and at least one Data Licence Agreement relating, respectively, to the supply and licensed use of certain data which Royal Mail created, owns or is otherwise authorised to use and exploit.
(B) The Solutions Provider is permitted, pursuant to such agreements, to supply such data to the Third Party Solutions Provider for supply to an End-User or directly to an End-User.
(C) Such data may contain personal data from time to time and so the parties acknowledge and agree that transfers of that data by the Solutions Provider or the Third Party Solutions Provider (as the case may be) to the End-User would in such circumstances not be European Commission Approved Transfers.
(D) Therefore the Solutions Provider or the Third Party Solutions Provider (as appropriate) shall, for and on behalf of Royal Mail, enter into these Data Protection Clauses with the End-User in order to ensure adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the Solutions Provider to the Third Party Solutions Provider of the personal data specified in Appendix 1.
(E) Royal Mail is the controller of the personal data that it transfers to be processed by the Solutions Provider and/or the Third Party Solutions Provider. It is intended that the End-User shall be the controller who agrees to receive the personal data from the Solutions Provider or the Third Party Solutions Provider (as the case may be) for the purposes of further processing in accordance with its End-User Agreement.
Clause 1 - Definitions
For the purposes of the Data Protection Clauses:
(a) "personal data", "special categories of data/sensitive data", "process/processing", "controller", "processor", "data subject" and "supervisory authority/authority" shall have the same meaning as in Directive 95/46/EC of 24 October 1995 (whereby "the authority" shall mean the competent data protection authority in the territory in which Royal Mail is established);
(b) "Royal Mail" shall mean the controller who is responsible for transferring the personal data; (c) "End-User" shall mean the controller who agrees to receive from Royal Mail (via the Solutions Provider or the Third Party Solutions Provider (as the case may be)) personal data for further processing in accordance with the terms of these Data Protection Clauses and who is not subject to a third country's system ensuring adequate protection;
(d) "Data Protection Clauses" shall mean these contractual clauses, which are a free-standing document that does not incorporate commercial business terms established by the parties under separate commercial arrangements.
The details of the transfer (as well as the personal data covered) are specified in Appendix 2, which forms an integral part of the Data Protection Clauses.
Clause 2 - Obligations of Royal Mail
Royal Mail warrants and undertakes that:
(a) The personal data has been collected, processed and transferred in accordance with the laws applicable to Royal Mail;
It has used reasonable efforts to determine that the End-User is able to satisfy its legal obligations under these Data Protection Clauses;
(c) It will provide the End-User, when so requested, with copies of relevant data protection laws or references to them (where relevant, and not including legal advice) of the country in which Royal Mail is established;
(d) It will respond to enquiries from data subjects and the authority concerning processing of the personal data by the End-User, unless the parties have agreed that the End-User will so respond, in which case Royal Mail will still respond to the extent reasonably possible and with the information reasonably available to it if the End-User is unwilling or unable to respond. Responses will be made within a reasonable time;
(e) It will make available, upon request, a copy of the Data Protection Clauses to data subjects who are third party beneficiaries under clause 4, unless the Data Protection Clauses contain confidential information, in which case it may remove such information. Where information is removed, Royal Mail shall inform data subjects in writing of the reason for removal and of their right to draw the removal to the attention of the authority. However, Royal Mail shall abide by a decision of the authority regarding access to the full text of the Data Protection Clauses by data subjects, as long as data subjects have agreed to respect the confidentiality of the confidential information removed. Royal Mail shall also provide a copy of the Data Protection Clauses to the authority where required.
Clause 3 - Obligations of the End-User
The End-User warrants and undertakes that:
(a) It will have in place appropriate technical and organisational measures to protect the personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, and which provide a level of security appropriate to the risk represented by the processing and the nature of the data to be protected;
(b) It will have in place procedures so that any third party it authorises to have access to the personal data, including processors, will respect and maintain the confidentiality and security of the personal data. Any person acting under the authority of the End-User, including a data processor, shall be obligated to process the personal data only on instructions from the End-User. This provision does not apply to persons authorised or required by law or regulation to have access to the personal data;
(c) It has no reason to believe, at the time of entering into these Data Protection Clauses, in the existence of any local laws that would have a substantial adverse effect on the guarantees provided for under these Data Protection Clauses, and it will inform Royal Mail (which will pass such notification on to the authority where required) if it becomes aware of any such laws;
(d) It will process the personal data for purposes described in Appendix 2, and has the legal authority to give the warranties and fulfil the undertakings set out in these Data Protection Clauses;
(e) It will identify to Royal Mail a contact point within its organisation authorised to respond to enquiries concerning processing of the personal data, and will cooperate in good faith with Royal Mail, the data subject and the authority concerning all such enquiries within a reasonable time. In case of legal dissolution of Royal Mail, or if the parties have so agreed, the End-User will assume responsibility for compliance with the provisions of clause 2(e);
(f) At the request of Royal Mail, it will provide Royal Mail with evidence of financial resources sufficient to fulfil its responsibilities under clause 4 (which may include insurance coverage);
(g) Upon reasonable request of Royal Mail, it will submit its data processing facilities, data files and documentation needed for processing to reviewing, auditing and/or certifying by Royal Mail (or any independent or impartial inspection agents or auditors, selected by Royal Mail and not reasonably objected to by the End-User) to ascertain compliance with the warranties and undertakings in these Data Protection Clauses, with reasonable notice and during regular business hours. The request will be subject to any necessary consent or approval from a regulatory or supervisory authority within the country of the End-User, which consent or approval the End-User will attempt to obtain in a timely fashion;
(h) It will process the personal data in accordance with the data processing principles set forth in Appendix 1.
It will not disclose or transfer the personal data to a third party data controller located outside the European Economic Area (EEA) unless it notifies Royal Mail about the transfer; and
(ii) the third party data controller becomes a signatory to these Data Protection Clauses or another data transfer agreement approved by a competent authority in the EU; or
(iii) data subjects have been given the opportunity to object, after having been informed of the purposes of the transfer, the categories of recipients and the fact that the countries to which data is exported may have different data protection standards; or
(iv) with regard to onward transfers of sensitive data, data subjects have given their unambiguous consent to the onward transfer.
(a) Each party shall be liable to the other parties for damages it causes by any breach of these Data Protection Clauses. Liability as between the parties is limited to actual damage suffered. Punitive damages (i.e. damages intended to punish a party for its outrageous conduct) are specifically excluded. Each party shall be liable to data subjects for damages it causes by any breach of third party rights under these Data Protection Clauses. This does not affect the liability of Royal Mail under its data protection law.
(b) The parties agree that a data subject shall have the right to enforce as a third party beneficiary this clause and Data Protection Clauses 2(b), 2(d), 2(e), 3(a), 3(c), 3(d), 3(e), 3(h), 3(i), 4(a), 6, 8(d) and 8 against the End-User or Royal Mail, for their respective breach of their contractual obligations, with regard to his personal data, and accept jurisdiction for this purpose in Royal Mail's country of establishment. In cases involving allegations of breach by the End-User, the data subject must first request Royal Mail to take appropriate action to enforce his rights against the End-User; if Royal Mail does not take such action within a reasonable period (which under normal circumstances would be one month), the data subject may then enforce his rights against the End-User directly. A data subject is entitled to proceed directly against Royal Mail where it has failed to use reasonable efforts to determine that the End-User is able to satisfy its legal obligations under these Data Protection Clauses (Royal Mail shall have the burden to prove that it took reasonable efforts).
(c) The End-User will indemnify Royal Mail and hold Royal Mail harmless from any cost, charge, damages, expense or loss which it causes Royal Mail as a result of its breach of any of the provisions of these Data Protection Clauses. Indemnification hereunder is contingent upon:
(ii) the End-User having sole control of the defence and settlement of any such claim; and
(iii) Royal Mail providing reasonable cooperation and assistance to the End-User in defence of such claim.
These Data Protection Clauses shall be governed by the law of the country in which Royal Mail is established, namely England.
Clause 6 - Resolution of disputes with data subjects or the authority (a) In the event of a dispute or claim brought by a data subject or the authority concerning the processing of the personal data against either or both of the parties, the parties will inform each other about any such disputes or claims, and will cooperate with a view to settling them amicably in a timely fashion.
(b) The parties agree to respond to any generally available non-binding mediation procedure initiated by a data subject or by the authority. If they do participate in the proceedings, the parties may elect to do so remotely (such as by telephone or other electronic means). The parties also agree to consider participating in any other arbitration, mediation or other dispute resolution proceedings developed for data protection disputes.
(c) Each party shall abide by a decision of a competent court of Royal Mail's country of establishment or of the authority which is final and against which no further appeal is possible.
Clause 7 - Termination (a) In the event that the End-User is in breach of its obligations under these Data Protection Clauses, then Royal Mail may temporarily suspend the transfer of personal data to the End-User until the breach is repaired or the contract is terminated.
In the event that:
(ii) compliance by the End-User with these Data Protection Clauses would put it in breach of its legal or regulatory obligations in the country of import;
(iii) the End-User is in substantial or persistent breach of any warranties or undertakings given by it under these Data Protection Clauses;
(iv) a final decision against which no further appeal is possible of a competent court of Royal Mail's country of establishment or of the authority rules that there has been a breach of the Data Protection Clauses by the End-User or Royal Mail; or
(v) a petition is presented for the administration or winding up of the End-User, whether in its personal or business capacity, which petition is not dismissed within the applicable period for such dismissal under applicable law; a winding up order is made; a receiver is appointed over any of its assets; a trustee in bankruptcy is appointed, if the End-User is an individual; a company voluntary arrangement is commenced by it; or any equivalent event in any jurisdiction occurs;
(c) Either party may terminate these Data Protection Clauses if (i) any Commission positive adequacy decision under Article 25(6) of Directive 95/46/EC (or any superseding text) is issued in relation to the country (or a sector thereof) to which the data is transferred and processed by the End-User, or (ii) Directive 95/46/EC (or any superseding text) becomes directly applicable in such country.
(d) The parties agree that the termination of these Data Protection Clauses at any time, in any circumstances and for whatever reason (except for termination under clause 7(c)) does not exempt them from the obligations and/or conditions under the Data Protection Clauses as regards the processing of the personal data transferred.
Clause 8 - Variation of these Data Protection Clauses
The parties may not modify these Data Protection Clauses except to update any information in Appendix 2, in which case they will inform the authority where required. This does not preclude the parties from adding additional commercial Data Protection Clauses where required.
Clause 9 - Description of the Transfer
The details of the transfer and of the personal data are specified in Appendix 2. The parties agree that Appendix 2 may contain confidential business information which they will not disclose to third parties, except as required by law or in response to a competent regulatory or government agency, or as required under clause 2(e). The parties may execute additional appendices to cover additional transfers, which will be submitted to the authority where required. Appendix 2 may, in the alternative, be drafted to cover multiple transfers.
Clause 10 – Costs
Each party shall perform its obligations under these Data Protection Clauses at its own cost.
DATA PROCESSING PRINCIPLES
1. Purpose limitation: Personal data may be processed and subsequently used or further communicated only for purposes described in Appendix 2 or subsequently authorised by the data subject.
2. Data quality and proportionality: Personal data must be accurate and, where necessary, kept up to date. The personal data must be adequate, relevant and not excessive in relation to the purposes for which they are transferred and further processed.
3. Transparency: Data subjects must be provided with information necessary to ensure fair processing (such as information about the purposes of processing and about the transfer), unless such information has already been given by Royal Mail.
4. Security and confidentiality: Technical and organisational security measures must be taken by the data controller that are appropriate to the risks, such as against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, presented by the processing. Any person acting under the authority of the data controller, including a processor, must not process the data except on instructions from the data controller.
5. Rights of access, rectification, deletion and objection: As provided in Article 12 of Directive 95/46/EC, data subjects must, whether directly or via a third party, be provided with the personal information about them that an organisation holds, except for requests which are manifestly abusive, based on unreasonable intervals or their number or repetitive or systematic nature, or for which access need not be granted under the law of the country of Royal Mail. Provided that the authority has given its prior approval, access need also not be granted when doing so would be likely to seriously harm the interests of the End-User or other organisations dealing with the End-User and such interests are not overridden by the interests for fundamental rights and freedoms of the data subject. The sources of the personal data need not be identified when this is not possible by reasonable efforts, or where the rights of persons other than the individual would be violated. Data subjects must be able to have the personal information about them rectified, amended, or deleted where it is inaccurate or processed against these principles. If there are compelling grounds to doubt the legitimacy of the request, the organisation may require further justifications before proceeding to rectification, amendment or deletion. Notification of any rectification, amendment or deletion to third parties to whom the data have been disclosed need not be made when this involves a disproportionate effort. A data subject must also be able to object to the processing of the personal data relating to him if there are compelling legitimate grounds relating to his particular situation. The burden of proof for any refusal rests on the End-User, and the data subject may always challenge a refusal before the authority.
6. Sensitive data: The End-User shall take such additional measures (e.g. relating to security) as are necessary to protect such sensitive data in accordance with its obligations under clause 3.
7. Data used for marketing purposes: Where data are processed for the purposes of direct marketing, effective procedures should exist allowing the data subject at any time to "opt-out" from having his data used for such purposes.
8. Automated decisions: For purposes hereof "automated decision" shall mean a decision by Royal Mail or the End-User which produces legal effects concerning a data subject or significantly affects a data subject and which is based solely on automated processing of personal data intended to evaluate certain personal aspects relating to him, such as his performance at work, creditworthiness, reliability, conduct, etc. The End-User shall not make any automated decisions concerning data subjects, except when:
(ii) the data subject is given an opportunity to discuss the results of a relevant automated decision with a representative of the parties making such decision or otherwise to make representations to that parties.
or
(b) where otherwise provided by the law of Royal Mail.
Data subjects
The personal data transferred concern the following categories of data subjects:
- Names, addresses and postcodes
The transfer is made for the following purposes:
- To enable the End-User to use the data for address and/or location management related purposes within the scope of the licence granted to it pursuant to the End-User Agreement
The personal data transferred concern the following categories of data:
- Names, addresses and postcodes
- The End-User that has entered in to the End-User Agreement with the Solutions Provider or Third Party Solutions Provider (as applicable) and those third parties (if any) to which it is permitted to transfer data pursuant to that End-User Agreement
The personal data transferred concern the following categories of sensitive data:
- None
- Royal Mail Group Limited, Registration Number Z5374624
- The End-User's use of the personal data is at all times subject to the scope of the licence granted to it pursuant to the End-User Agreement
- Contact details provided on End-User Registration Form (unless otherwise specified)
- Address Management Unit, Fourth Floor, Slindon Street, Portsmouth PO1 1AF (or such other details as may be advised from time to time)