Data Processing Charter
The EPC Data Processing Charter
The terms in this Data Processing Charter (Charter) are supplementary to and form part of the booking form, terms of service or other agreement between Serco Limited (Serco) and the Customer regarding provision of goods or services by Serco, in its capacity as managing the Emergency Planning College (EPC), (the Agreement).
WE DRAW YOUR ATTENTION TO THE LIABILITY PROVISIONS IN THE ASSOCIATED TERMS AND CONDITIONS OF OUR AGREEMENT WITH YOU, OUR CUSTOMER, WHICH WILL APPLY TO THIS DATA PROCESSING CHARTER.
- The expressions Controller, Processor, Data Subject, Personal Data, Personal Data Breach and Supervisory Authority have the meanings given to them in the Data Protection Act 2018.
- Customer means the person, be it a natural person or legal entity, which orders or receives from Serco any goods or services in connection with the Agreement.
- Data Controller and Data Processor shall take the meaning of Controller and Processor in the Data Protection Act 2018 respectively.
- Data Privacy Laws means (i) the General Data Protection Regulation (EU) 2016/679 (GDPR) and any applicable national implementing laws as amended from time to time; (ii) the Data Protection Act 2018 to the extent it relates to processing of Personal Data and privacy; and (iii) any other laws and regulations relating to the processing of Personal Data and privacy which apply to a Party from time to time and, if applicable, the guidance and codes of practice issued by the relevant data protection or supervisory authority.
- Data Subject Rights Request means a request made by, or on behalf of, a Data Subject in accordance with rights granted pursuant to the Data Privacy Laws to access their Personal Data.
- Fair Processing Notice means a fair processing notice which meets the requirements of Article 13 or Article 14 of the GDPR (as applicable).
- Serco means Serco Limited, a company incorporated in England and Wales with company number 242246, with its registered office at Serco House, 16 Bartley Wood Business Park, Bartley Way, Hook, Hampshire RG27 9UY.
- Sub-processor means any third party appointed to process Personal Data on behalf of Serco in relation to the Agreement.
- Party is a party to this agreement, together referred to as the Parties.
- Processing shall take the meaning in the Data Protection Act 2018 and process and processed have corresponding meanings;
Mutual Data Processing Obligations
- Each Party will comply with the Data Privacy Laws in respect of its respective activities under the Agreement.
- Each Party will maintain records and information of their processing activities to the extent required by the Data Privacy Laws.
Data Processor Obligations
- The followings Data Processor Obligations will apply where Serco processes any Personal Data as a Data Processor on behalf of the Customer who is the Data Controller (or through the Customer on behalf of another Data Controller). The Data Processing Schedule below sets out the details of such processing by Serco as a Data Processor.
- Where Serco acts as a Data Processor, Serco will:
- only process Personal Data for the purpose of performing its obligations under the Agreement during the term of the Agreement on documented instructions that the Customer may give to Serco from time to time concerning such Processing (except to the extent that any processing of Personal Data is required by applicable laws) and the Customer shall ensure that any such instructions comply with all applicable laws.
- notify the Customer where Serco reasonably believes any instructions from the Customer in respect of the processing of Personal Data infringe any Data Privacy Laws or any other applicable laws (unless the applicable laws prohibit the provision of such information) and Serco may process Personal Data otherwise than in accordance with the Customer's instructions if it reasonably considers that compliance with the Customer's instructions would or may breach any applicable laws;
- implement and maintain technical and organisational measures, including those required by Article 32 of the GDPR, to ensure an appropriate level of security for such Personal Data;
- procure that Serco personnel, to the extent that they are involved in the processing of Personal Data, shall be subject to appropriate binding obligations to protect the confidentiality of the Personal Data;
- notify the Customer promptly if it considers that any of the Customer’s instructions infringe the Data Protection Laws;
- inform the Customer without undue delay on becoming aware of any such Personal Data being subject to a Personal Data Breach and provide the Customer with its reasonable assistance and cooperation in relation to the Personal Data Breach;
- cease processing the Personal Data upon termination or expiry of the Agreement and promptly return or delete the Personal Data (except to the extent applicable law requires the continued processing of the Personal Data by Serco or otherwise permitted pursuant to the Agreement;
- as required, maintain a record of its processing activities in accordance with the requirements of Article 30(2) of GDPR;
- permit Customer or the Customer’s designated auditor (on reasonable prior notice, during normal business hours and at the Customer’s expense) to inspect and audit the facilities used by Serco to process the Personal Data, and the records maintained by Serco relating to that processing;
- promptly notify the Customer if it receives:
- a Data Subject Rights Request (or purported Data Subject Rights Request);
- receives any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data processed under the Agreement; or
- receives a request from any third party for disclosure of Personal Data; and
- provide reasonable assistance to the Customer, at the Customer's cost, in relation to any complaint, communication or request made under paragraph 4.j and compliance with the Customer’s obligations under Articles 32 to 36 (inclusive) of GDPR.
- The Customer acknowledges and agrees that Serco shall be entitled to use (and permit each Sub-processor to use) Sub-processors to process Personal Data on behalf of the Serco. . If Serco wishes to appoint additional or replacement Sub-processors during the term of the Agreement, it will inform the Customer in order to submit their objections within twenty (20) business days of the date of notification, however Serco will not be bound by such objections.
- Serco may cause or allow Personal Data to be transferred to and/or otherwise processed outside the European Economic Area for the purpose of performing its obligations under the Agreement.
- Serco will procure that any Sub-processors who have access to Personal Data in connection with this Agreement will be subject to binding contractual obligations which are substantially similar to these Data Processor Obligations and Serco will remain liable to the Customer for the performance of the Sub-processors obligations in relation to any Processing of Personal Data pursuant to the Agreement.
- The Customer shall ensure that it has all necessary consents and notices in place to enable the lawful processing of the Personal Data by Serco for the duration and purposes of the Agreement and this Charter.
Data Controller Obligations
- Where the Parties are each to be a Data Controller in relation to the processing of Personal Data in connection with the Agreement, the terms outlined in this Data Controller Obligation section will apply in place of the Data Processor Obligations section above.
- Each Party will provide such assistance as is reasonably requested by the other Party in relation to either Party's obligations under Data Privacy Laws and any complaint, communication, Data Subject Rights Request received, or Personal Data Breach reported by that Party (and insofar as possible within the timescales reasonably required by the requesting Party).
- Where appropriate, the Customer will ensure that an appropriate Fair Processing Notice is given to, or made available to, all relevant Data Subjects.
Data Processing Schedule
Details of the Personal Data being processed by the Serco on behalf of the Customer are as follows:
Roles of the Parties and subject matter of processing
The Parties acknowledge that for the purposes of the Data Privacy Laws, the Customer is the Data Controller and Serco is the Processor in respect of, at the request of the Customer, sending communications to Data Subjects who will be attending training or will be participants in the delivery of other EPC services.
The Parties acknowledge that they are also each a Controller for the purposes of the Data Privacy Laws in respect to other Personal Data processed in connection with this Agreement, including (but not limited to) where Serco delivers the training and uses its professional judgement.
Duration of the processing:
For the term of the Agreement, subject to early termination in line with the terms of this Agreement.
Serco may retain a copy of the Personal Data processed pursuant to this Agreement for regulatory, audit and other necessary purposes such as (but not limited to) providing evidence to the Customer of communications related to the service(s).
Nature and purpose of the processing:
Collecting and recording the Personal Data provided to Serco under this Agreement and using this information to facilitate the delivery of the requested training or other EPC service.
Types of Personal Data
The categories of personal information which we may collect and use includes:
- Personal details: title, full name, business or home address, telephone numbers, email address, nationality, language/dialect spoken, job role, vehicle details, travel assistance requirements.
- Public Identifiers: signatures, passport details, social media handles, photographs, video recordings (identifying physical characteristics).
- Financial Details: purchase transaction history, card payment details.
- Travel Information: travel and accommodation itinerary information.
- Correspondence: social media postings, general correspondence.
- Preferences consents, permissions, or preferences that you have specified, such as whether you wish to subscribe to our mailing list or agree to our terms and conditions.
- Incident History: health and safety accidents, security incidents, accident information, complaints communications, insurance claims history.
- Sensitive Personal Data: health and medical information, racial or ethnic origin, religion.
Categories of Data Subjects:
Includes, training participants or participants of other EPC services selected by the Customer (for instance their employees).