GDPR Statement

Data Processing Agreement

Data protection and data processing

1. For the purposes of this clause 1, the terms “data controller”, “data processor”, “data subject”, “personal data” and “processing” shall have the meanings ascribed to them in the applicable laws and regulations relating to data protection, privacy and information security, including (without limitation) the General Data Protection Regulation (“GDPR”) meaning Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and any national implementing, amending or replacement legislation, as applicable from time to time (“Data Protection Laws”). “Personal Information” means any information which:

i) falls within the definition of “personal data”, and

ii) in relation to which the Company is providing goods and/or services or which the Company is required to process (subject to the Data Privacy Laws) in connection with these Conditions.

a) The provision of the goods or services may require the Company to process personal information for and on behalf of the Customer. In respect of such processing, the parties acknowledge and agree that

i) the Customer shall be the data controller and the Company shall be the data processor;

ii) the Company shall process personal information as set out in the Schedule (Data Processing Register); and

iii) Clauses 18(b) to 18(h) below shall apply.

b) The Customer shall

i) comply with all Data Privacy Laws;

ii) obtain and maintain all relevant registrations (and similar) required by Data Privacy Laws; and

iii) ensure that all instructions that it issues to the Company comply with Data Privacy Laws.

c) When processing personal information as part of the delivery of goods or services, the Company shall

i) process the personal information only on the documented instructions of the Customer, except to the extent that any processing of personal information is required by applicable laws;

ii) where processing of personal information by the Company is required by applicable laws, the Company shall inform the Customer of the relevant legal requirement before processing, unless such law prohibits the Company from doing so;

iii) notify the Customer where the Company reasonably believes any documented instructions from the Customer in respect of the processing of personal information infringe any Data Privacy Laws or any other applicable laws;

iv) ensure that its personnel who are authorised to process the personal information have committed themselves to confidentiality;

v) implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk of processing;

vi) only appoint a third party to process personal information on its behalf in accordance with clauses 18(d) and 18(e) below;

vii) taking into account the nature of the processing, assist the Customer by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Customer’s obligation to respond to requests for exercising the data subject’s rights under Data Privacy Laws;

viii) notify the Customer without undue delay after becoming aware of

(1) any unauthorised loss, corruption, damage, destruction, alteration, disclosure or access to any personal information;

(2) any unauthorised or unlawful Processing of Personal information; or

(3) any breach of Data Privacy Laws (“Data Breach”);

ix) assist the Customer in its compliance with its obligations under Data Privacy Laws in respect of notifying Data Breaches to the UK Information Commissioner’s Office (“ICO”) and affected data subjects, insofar as it is able taking into account the nature of the processing and the information available to the Company;

x) at the Customer’s discretion, delete or return to the Customer all of the personal information processed under the Contract, and delete any copies of such personal information unless any applicable laws require that copies are kept; and

xi) make available to the Customer all information necessary to demonstrate compliance with its obligations in this clause 18(c).

d) The Company shall not sub-contract its processing of personal information to a third party without the Customer’s prior specific or general written authorisation (not to be unreasonably withheld, conditioned, or delayed). Where any sub-contracting of processing of personal information is based on the Customer’s general written authorisation, the Company shall inform the Customer of any intended changes concerning the addition or replacement of any sub-contractors and the Customer shall notify the Company of any objections it has to any such changes in writing within five (5) business days, after which any such changes which the Customer has not objected to in accordance with this clause 18(d) shall be deemed to be accepted.

e) Where the Company sub-contracts its processing of personal information to a third party in accordance with clause 18(d) above, the Company shall

i) ensure that any such third party is subject to the same data protection obligations as those set out in clause 18(c) above,

ii) obtain sufficient guarantees from any such third party that they will implement appropriate technical and organisational measures in such a manner that the processing of personal information by such third party will meet the requirements of Data Privacy Laws, and

iii) remain liable to the Customer for any processing of personal information by any such third party.

f) Each party shall co-operate with the ICO on the request of the other party in respect of the performance of its tasks under these conditions.

g) The Company shall not transfer personal information to any country outside the EEA without the prior written consent of the Customer; such consent may be subject to and given on such terms as the Customer may in its discretion prescribe (acting reasonably and in compliance with Data Privacy Laws).

h) In the event that the Customer consents to the transfer of personal data from the Supplier to a country outside of the EEA under clause 18(g), the Company shall confirm in writing details of how the Company will ensure an adequate level of protection and adequate safeguards in respect of the personal information that will be processed in and/or transferred outside of the EEA so as to ensure compliance with the Data Privacy Laws.

Schedule – Data Processing Register

1) Subject matter of processing

a) The Personal Data to be processed by the Company pursuant to these conditions concerns the following subject matter(s):

Providing Prospects and Customers with quotations and taking of Customer orders and processing such orders through to delivery.

2) Duration of the Processing
a) The Personal Data to be processed under these conditions shall be Processed for the following duration:

For the duration of the commercial relationship with the Customer.

3) Nature and purposes of the Processing
a) The Personal Data to be Processed under these conditions shall be Processed for the following nature and purpose:

To facilitate the commercial relationship between the Company and the Customer including the processing of the Customer’s orders for goods and services provided by the Company.

4) Type of Personal Data

a) The Personal Data to be Processed by the Company pursuant to these conditions concerns the following type of Personal data:

Contact details including name, delivery addresses and contact telephone numbers.

5) Categories of Data Subjects

a) The Personal Data to be Processed under these conditions concern the following categories of Data Subjects:

Customers of the Company.

6) Additional Useful Data (e.g. storage limits and other relevant data)

N/A

7) Contact Details

a) For Personal Data queries arising from or in connection with these conditions, the parties shall contact the following:

Customer

Contact details capturing the ordering process

Company

The Data Protection Officer

Leeds Plywood & Doors Ltd

Midland Road

Hunslet

Leeds, LS10 2RJ

By email: yourdata@lpddoors.co.uk