Loqate ANZ: Privacy Notices - Section 1: GDPR Privacy Notice

  1. DEFINITIONS AND INTERPRETATIONS

In this GDPR Schedule the following definitions shall apply. Any definition not provided in this Schedule shall have the same meaning as set out elsewhere in the Agreement.   

"Controller" means the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of Personal Data; where the purposes and means of processing are determined by EU or Member State laws, the Controller (or the criteria for nominating the controller) may be designated by those laws. 

“Data Subject” means an identifiable natural person about whom a Controller holds Personal Data. For the purposes of this Agreement, this may include an individual whose details are provided to GBG by the Client as part of the Client Data or whose details are contained within the Supplier Data.

“EEA” shall have the same meaning as given to it in clause 4.1. 

“Personal Data” shall have the meaning set out in the GDPR, specifically any information relating to a Data Subject who can be identified directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

 "Processor" means a natural or legal person, public authority, agency or any other body which processes Personal Data on behalf of the Controller.  

"Sub-processor" means a natural or legal person, public authority, agency or any other body contracted by the Processor to process Personal Data for the purpose of carrying out a specific processing activity on behalf of the Controller.  

 “Supervisory Authority” means an independent public authority which is established by a Member State pursuant to Article 51 of GDPR.  

 

  1. GENERAL
  2. Both Parties warrant that they will comply with their respective obligations under the European Privacy and Data Protection Requirements and the terms of this GDPR Schedule.
  3. For the purpose of this GDPR Schedule, the Client is the Controller and GBG is the Processor.

 

  1. CONTROLLER OBLIGATIONS IN RELATION TO PROCESSING OF CLIENT DATA
  2. The Client warrants and represents that all instructions provided to GBG in relation to the processing of Client Data  are lawful and shall as a minimum include: 
  3. The nature and purpose of the processing of the Client Data;
  4. The types of Personal Data to be processed; and 
  5. The categories of Data Subjects to whom the Personal Data relates. 
  6. The Client shall only provide instructions to GBG that are in accordance with the terms of the Agreement and this GDPR Schedule. Such instructions shall be limited to the subject matter of the relevant Services under the Agreement. 
  7. The Client acknowledges that as Controller it is solely responsible for determining the lawful processing condition upon which it shall rely in providing instructions to GBG to process Client Data for the purposes of carrying out the Services as set out in the Agreement. 
  8. The Parties acknowledge and accept that processing of Personal Data belonging to an EEA Data Subject and/or the processing of Personal Data in the context of the activities of an establishment  of a Controller or Processor within the EEA shall be lawful only if and to the extent that either an exemption, Article 2 GDPR or at least one of the following conditions (as specified on this GDPR Schedule or Order Form as may be applicable) applies:
  9. the Data Subject has given consent to the processing of his or her Personal Data for one or more specific purposes;
  10. processing is necessary for the performance of a contract to which the Data Subject is party or in order to take steps at the request of the Data Subject prior to entering into a contract;
  11. processing is necessary for compliance with a legal obligation to which the Controller is subject;
  12. processing is necessary in order to protect the vital interests of the Data Subject or of another natural person;
  13. processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller; or
  14. processing is necessary for the purposes of the legitimate interests pursued by the Controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the Data Subject which require protection of Personal Data, in particular where the Data Subject is a child.

 

  1. PROCESSOR OBLIGATIONS IN RELATION TO THE PROCESSING OF CLIENT DATA
  2. To the extent that the performance of GBG’s obligations, and any supporting and/or ancillary activities, involves processing Client Data, GBG acting as Processor shall:
  3. only carry out processing of Client Data in accordance with the Client’s documented instructions, including where relevant for transfers of Client Data outside the European Economic Area (“EEA”) or to an international organization (unless GBG is otherwise required to process Client Data by European Union, Member State and/or UK law to which GBG is subject, in which case GBG shall inform the Client of that legal requirement before processing unless prohibited by that law on important grounds of public interest), and shall immediately inform the Client if, in GBG’s opinion, any instruction given by the Client to GBG infringes European Privacy and Data Protection Requirements;
  4. notify the Client without undue delay of any requests received from a Data Subject exercising their rights under European Privacy and Data Protection Requirements and, taking into account the nature of the processing, assist the Client by taking appropriate technical and organizational measures, insofar as this is possible, with fulfilling its obligations in respect of Data Subject rights under European Privacy and Data Protection Requirements, including assisting the Client in responding to any subject access requests or requests from Data Subjects for access to, rectification, erasure or portability of Personal Data, or for restriction of processing or objections to processing of Personal Data;
  5. take all security measures required in accordance with European Privacy and Data Protection Requirements (including Article 32 GDPR), and at the request of the Client provide a written description of, and rationale for, the technical and organizational measures implemented, or to be implemented, to protect the Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored or otherwise processed; and detect and report Personal Data breaches without undue delay;
  6. taking into account the nature of the processing and the information available to GBG, use all measures to assist the Client in ensuring compliance with the Client’s obligations to:
  • keep Personal Data secure (Article 32 GDPR);
  • notify Personal Data breaches to the Supervisory Authority (Article 33 GDPR);
  • advise Data Subjects when there has been a Personal Data breach (Article 34 GDPR);
  • carry out data protection impact assessments (Article 35 GDPR); and 
  • consult with the Supervisory Authority where a data protection impact assessment indicates that there is an unmitigated high risk to the processing (Article 36 GDPR). 
  1. without undue delay, inform the Client upon becoming aware of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, the Client Data transmitted, stored or otherwise processed. GBG accepts and acknowledges that the Client shall direct, in its sole discretion, any and all steps and measures taken to remedy a breach by GBG under European Privacy and Data Protection Requirements, including but not limited to any communications with a Supervisory Authority. GBG agrees not to act in any way upon such disclosure without the prior written consent of the Client;
  2. make available to the Client all information necessary to demonstrate compliance with the obligations laid down in this GDPR Schedule and allow for and contribute to audits, including inspections, conducted by the Client or another auditor mandated by the Client as set out in clause 6; and
  3. in addition to the confidentiality obligations contained within the Agreement, ensure that persons authorized to process the Client Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. 
  4. On expiry or termination of the Agreement, GBG shall immediately cease to use Client Data (and any copies of it) and shall arrange for its safe return or destruction as shall be required by the Client (unless European Union, Member States and/or UK Law requires storage of any Personal Data contained within the Client Data or an exemption under GDPR applies).  

 

  1. USE OF SUPPLIER DATA
  2. Where the Client uses or receives Supplier Data as part of the Services, the Client acknowledges that:
  3. the Supplier Data may be subject to Additional Terms; 
  4. where relevant for the provision of Services under the Agreement, the Client shall comply with the Additional Terms; and 
  5. where the Additional Terms specify that Personal Data belonging to EEA Data Subjects cannot be processed by a particular Data Supplier, the Client warrants that it will not use that element of the Service for the processing of Personal Data belonging to an EEA Data Subject. 
  6. GBG shall promptly notify the Client in the event of a change to the Additional Terms. 

 

  1. AUDIT RIGHTS
  2. Upon the Client’s reasonable request, GBG agrees to provide the Client with any documentation or records (which may be redacted to remove confidential commercial information not relevant to the requirements of this GDPR Schedule) which will enable it to verify and monitor GBG’s compliance with its data protection and security obligations under the terms of this GDPR Schedule, within 14 days of receipt of such request, and to notify the Client of the person within GBG’s organization who will act as the point of contact for provision of the information required by the Client. 
  3. Where, in the reasonable opinion of the Client, such documentation is not sufficient in order to meet the obligations of Article 28 of the GDPR (or where applicable Article 22 of the LED), the Client will be entitled, upon reasonable prior written notice to GBG and upon reasonable grounds, to conduct an on-site audit of GBG’s premises used in connection with the Service, solely to confirm compliance with its data protection and security obligations under this GDPR Schedule.  
  4. Any audit carried out by the Client will be conducted in a manner that does not disrupt, delay or interfere with GBG’s performance of its business.  The Client shall ensure that the individuals carrying out the audit are under the same confidentiality obligations as set out in the Agreement. 
  5. Any audit right granted to GBG under the Agreement shall remain in full force and effect. In the event that there is no audit right in favor of GBG or the audit right contained in the Agreement in favor of GBG is not sufficient to enable it to verify and monitor the Client’s compliance with its data protection and security obligations under the terms of this GDPR Schedule, then, GBG shall be entitled to carry out an audit of the Client on reciprocal terms as those set out in clauses 1, 6.2 and 6.3.

 

  1. USE OF SUB-PROCESSORS
  2. The Client provides their consent for GBG to use Sub-processors in the delivery of the Service. Where GBG uses third party Data Suppliers or any other third party and where they are acting as a Sub-processor in relation to the Client Data GBG shall:
  3. enter into a legally binding written agreement that places the equivalent data protection obligations as those set out in this GDPR Schedule to the extent applicable to the nature of the services provided by such Sub-processor, in particular, unless otherwise stated in the Additional Terms in accordance with clause 5.1(c), providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the GDPR; 
  4. shall remain liable for any act or omission of a Sub-processor that does not comply with the data protection obligations as set out in this GDPR Schedule; and
  5. where required by law, GBG shall inform the Client of any intended changes concerning the addition or replacement of a Sub-processor with access to Client Data and give the Client the opportunity to object to such changes. 

 

  1. TRANSFERS OF PERSONAL DATA TO THIRD COUNTRIES OR INTERNATIONAL ORGANISATIONS 
  2. GBG shall not cause or permit any Client Data to be transferred outside of the EEA unless such transfer is necessary for the purposes of GBG carrying out its obligations under the Agreement in which case, the provisions of this clause 8 shall apply. 
  3. Transfer subject to adequate safeguards: Subject to clauses 3 and 8.4,  if Personal Data is to be processed outside of the EEA, GBG agrees to provide and maintain appropriate safeguards as set out in Article 46 GDPR or where applicable, LED Article 37 to lawfully transfer the Personal Data to a third country.
  4. Transfers based on adequacy decisions: Clause 2 shall not apply if the processing of the Personal Data is carried out in a country that the European Commission has considered as offering an adequate level of protection.
  5. Derogations for specific situations: The Client has consented to such transfer and acknowledges and accepts that certain Data Suppliers engaged by GBG in the provision of the products and services are located in a country that the European Commission has not formally declared to have an adequate level of protection (Clause 3/ Article 45(3) GDPR) and are not able to demonstrate appropriate safeguards (Clause 8.2/ Article 46 GDPR). In such circumstances this will be stated in the Additional Terms and where GDPR applies to the Client by virtue of Article 3 GDPR, the Client as Controller acknowledges that prior to submitting Client Data to GBG for processing it shall determine, and is solely liable for ensuring, that one of the following exceptions set out in Article 49 GDPR applies:
  6. the Data Subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the Data Subject due to the absence of an adequacy decision and appropriate safeguards;
  7. the transfer is necessary for the performance of a contract between the Data Subject and the Client or the implementation of pre-contractual measures taken at the Data Subject's request; 
  8. the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the Data Subject between the Client and another natural or legal person; 
  9. the transfer is necessary for important reasons of public interest;
  10. the transfer is necessary for the establishment, exercise or defense of legal claims;
  11. the transfer is necessary in order to protect the vital interests of the Data Subject or of other persons, where the Data Subject is physically or legally incapable of giving consent; or
  12. the transfer is made from a register which according to European Union or Member State law is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate a legitimate interest, but only to the extent that the conditions laid down by European Union or Member State law for consultation are fulfilled in the particular case.

The terms of this clause 8.4 shall not apply where the Client is subject to LED. In such circumstance clause 8.5 of this GDPR Schedule shall apply.  

  1. Derogations for specific situations where the LED is applicable to the Client: The Client has consented to such transfer and acknowledges and accepts that certain Data Suppliers engaged by GBG in the provision and services are located in a country that the European Commission has not formally declared to have an adequate level of protection (Clause 8.3/ Article 36 LED) and are not able to demonstrate appropriate safeguards (Clause 8.2/Article 37 LED).  In such circumstances this will be stated in the Additional Terms and the Client as Controller acknowledges that prior to submitting Client Data to GBG for processing it shall determine, and is solely liable for ensuring that, one of the following exceptions set out in Article 38 LED applies:
  2. the transfer is necessary to protect the vital interest of the Data Subject or another person;
  3. to safeguard legitimate interest of the Data Subject, where the law of the Member State transferring the Personal Data so provides; 
  4. for the prevention of an immediate and serious threat to public security of a Member State or a third country;
  5. in individual cases for the purposes set out in Article 1 (1) LED; or
  6. in an individual case for the purpose set out in Article 1 (1) LED. 

 

  1. SECURITY
  2. For the avoidance of doubt, both Parties acknowledge that any provisions in relation to User IDs and passwords used in connection with the Service under the Agreement shall remain unchanged and in full force and effect. 

 

  1. LIABILITY
  2. Neither Party excludes or limits its liability in respect of the terms of this GDPR Schedule. 

 

  1. MISCELLANEOUS 
  2. This GDPR Schedule and any dispute or claim arising out of or in connection with it or its subject matter or formation (including non-contractual disputes or claims) shall be governed and construed in accordance with the laws of England  and subject to any dispute resolution procedure as set out in the Agreement, both Parties submit to the exclusive jurisdiction of the English Courts, save that GBG may elect to bring proceedings against the Client in the courts of any jurisdiction where the Client or any of the Client’s property or assets may be found or located. 
  3. A person who is not a Party to this GDPR Schedule has no rights (under the Contracts (Rights of Third Parties) Act 1999 or otherwise) to enforce the provisions of this GDPR Schedule.
  4. Where applicable, the Parties agree that if, upon review following GDPR and LED coming into force, the provisions of this GDPR Schedule do not comply with GDPR or LED then both Parties agree to cooperate in good faith to re-negotiate the terms of this GDPR Schedule to ensure compliance with GDPR or LED.