ECA Software Data Protection Policy
ECA Software Terms – Data Protection Addendum
This current consolidated Data Protection Addendum was published on 30 June2021. For previous versions, see www.eca.co.uk/eca-software-support.
- 1.1 In this Data Protection Addendum defined terms shall have the same meaning, and the same rules of interpretation shall apply as in the remainder of our Agreement. In addition, in this Data Protection Addendum the following definitions have the meanings given below:
- Applicable Law means the following to the extent forming part of the law of United Kingdom (or a part of the United Kingdom) as applicable and binding on either party or the Services:
- (a) any law, statute, regulation, byelaw or subordinate legislation in force from time to time;
- (b) the common law and laws of equity as applicable to the parties from time to time;
- (c) any binding court order, judgment or decree; or
- (d) any applicable direction, policy, rule or order made or given by any regulatory body having jurisdiction over a party or any of that party’s assets, resources or business;
- Controller has the meaning given to that term in Data Protection Laws;
- Data Protection Laws means as applicable and binding on either party or the Services:
- (a) the GDPR;
- (b) the Data Protection Act 2018;
- (c) the Privacy and Electronic Communications Regulations 2003
- (d) any laws which implement any such laws; and
- (e) any laws that replace, extend, re-enact, consolidate or amend any of the foregoing;
- Data Protection Losses means all liabilities, including all:
- (a) costs (including legal costs), claims, demands, actions, settlements, interest, charges, procedures, expenses, losses and damages (including relating to material or non-material damage); and
- (b) to the extent permitted by Applicable Law:
- (i) administrative fines, penalties, sanctions, liabilities or other remedies imposed by a Supervisory Authority;
- (ii) compensation which is ordered by a court or Supervisory Authority to be paid to a Data Subject; and
- (iii) the reasonable costs of compliance with investigations by a Supervisory Authority;
- Data Subject has the meaning given to that term in Data Protection Laws;
- Data Subject Request means a request made by a Data Subject to exercise any rights of Data Subjects under Chapter III of the GDPR;
- GDPR means General Data Protection Regulation, Regulation (EU) 2016/679, as it forms part of domestic law in the United Kingdom by virtue of section 3 of the European Union (Withdrawal) Act 2018 (including as further amended or modified by the laws of the United Kingdom or of a part of the United Kingdom from time to time);
- International Recipient means the organisations, bodies, persons and other recipients to which Transfers of the Protected Data are prohibited under paragraph 7.1 without the Customer’s prior written authorisation;
- Lawful Safeguards means such legally enforceable mechanism(s) for Transfers of Personal Data as may be permitted under Data Protection Laws from time to time;
- List of Sub-Processors means the latest version of the list of Sub-Processors used by ECA, as Updated from time to time, which as at Order Acceptance is available at on request;
- Personal Data has the meaning given to that term in Data Protection Laws;
- Personal Data Breach means any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, any Protected Data;
- Processing has the meaning given to that term in Data Protection Laws (and related terms such as process, processes and processed have corresponding meanings);
- Processing Instructions has the meaning given to that term in paragraph 3.1.1;
- Processor has the meaning given to that term in Data Protection Laws;
- Protected Data means Personal Data in the Customer Data;
- Sub-Processor means a Processor engaged by ECA or by any other Sub-Processor for carrying out processing activities in respect of the Protected Data on behalf of the Customer;
- Supervisory Authority means any local, national or multinational agency, department, official, parliament, public or statutory person or any government or professional body, regulatory or supervisory authority, board or other body responsible for administering Data Protection Laws; and
- Transfer bears the same meaning as the word ‘transfer’ in Article 44 of the GDPR (and related terms such as Transfers, Transferred and Transferring have corresponding meanings).
2 Processor and Controller
- 2.1 The parties agree that, for the Protected Data, the Customer shall be the Controller and ECA shall be the Processor. Nothing in our Agreement relieves the Customer of any responsibilities or liabilities under any Data Protection Laws.
- 2.2 To the extent the Customer is not sole Controller of any Protected Data it warrants that it has full authority and authorisation of all relevant Controllers to instruct ECA to process the Protected Data in accordance with our Agreement.
- 2.3 ECA shall process Protected Data in compliance with:
- 2.3.1 the obligations of Processors under Data Protection Laws in respect of the performance of its obligations under our Agreement; and
- 2.3.2 the terms of our Agreement.
- 2.4 The Customer shall ensure that it, its Affiliates and each Authorised User shall at all times comply with:
- 2.4.1 all Data Protection Laws in connection with the control and processing of Protected Data, the use of the Services (and each part) and the exercise and performance of its respective rights and obligations under our Agreement, including maintaining all relevant regulatory registrations and notifications as required under Data Protection Laws; and
- 2.4.2 the terms of our Agreement.
- 2.5 The Customer warrants, represents and undertakes, that at all times:
- 2.5.1 the processing of all Protected Data (if processed in accordance with our Agreement) shall comply in all respects with Data Protection Laws, including in terms of its collection, use and storage;
- 2.5.2 fair processing and all other appropriate notices have been provided to the Data Subjects of the Protected Data (and all necessary consents from such Data Subjects obtained and at all times maintained) to the extent required by Data Protection Laws in connection with all processing activities in respect of the Protected Data which may be undertaken by ECA and its Sub-Processors in accordance with our Agreement;
- 2.5.3 the Protected Data is accurate and up to date;
- 2.5.4 the Protected Data is not subject (or potentially subject) to any laws from time to time to the extent giving effect to Article 71 (Protection of personal data) of the agreement on the withdrawal of the United Kingdom of Great Britain and Northern Ireland from the European Union and the European Atomic Energy Community;
- 2.5.5 except to the extent resulting from Transfers to International Recipients made by ECA or any Sub-Processor, the Protected Data is not subject to the laws of any jurisdiction outside of the United Kingdom;
- 2.5.6 it shall establish and maintain adequate security measures to safeguard the Protected Data in its possession or control (including from unauthorised or unlawful destruction, corruption, processing or disclosure) and maintain complete and accurate backups of all Protected Data provided to ECA (or anyone acting on its behalf) so as to be able to immediately recover and reconstitute such Protected Data in the event of loss, damage or corruption of such Protected Data by ECA or any other person;
- 2.5.7 all instructions given by it to ECA in respect of Personal Data shall at all times be in accordance with Data Protection Laws; and
- 2.5.8 it has undertaken due diligence in relation to ECA’s processing operations and commitments and it is satisfied (and all times it continues to use the Services remains satisfied) that:
- (a) ECA’s processing operations are suitable for the purposes for which the Customer proposes to use the Services and engage ECA to process the Protected Data;
- (b) the technical and organisational measures set out in our Agreement (as Updated from time to time) shall (if ECA complies with its obligations thereunder) ensure a level of security appropriate to the risk in regards to the Protected Data as required by Data Protection Laws; and
- (c) ECA has sufficient expertise, reliability and resources to implement technical and organisational measures that meet the requirements of Data Protection Laws.
3 Instructions and details of processing
- 3.1 Insofar as ECA processes Protected Data on behalf of the Customer, ECA:
- 3.1.1 unless required to do otherwise by Applicable Law, shall (and shall take steps to ensure each person acting under its authority shall) process the Protected Data only on and in accordance with the Customer’s documented instructions as set out in our Agreement (including with regard to Transfers of Protected Data to any International Recipient), as Updated from time to time (Processing Instructions);
- 3.1.2 if Applicable Law requires it to process Protected Data other than in accordance with the Processing Instructions, ECA shall notify the Customer of any such requirement before processing the Protected Data (unless Applicable Law prohibits such information on important grounds of public interest); and
- 3.1.3 shall promptly inform the Customer if ECA becomes aware of a Processing Instruction that, in ECA’s opinion, infringes Data Protection Laws, provided that:
- (a) this shall be without prejudice to paragraphs 2.4 and 2.5; and
- (b) to the maximum extent permitted by Applicable Law, ECA shall have no liability howsoever arising (whether in contract, tort (including negligence) or otherwise) for any losses, costs, expenses or liabilities (including any Data Protection Losses) arising from or in connection with any processing in accordance with the Processing Instructions following the Customer’s receipt of the information required by this paragraph 3.1.3.
- 3.3 The Customer acknowledges and agrees that the execution of any computer command to process (including deletion of) any Protected Data made in the use of any of the Subscribed Services by an Authorised User will be a Processing Instruction (other than to the extent such command is not fulfilled due to technical, operational or other reasons, including as set out in the User Manual). The Customer shall ensure that Authorised Users do not execute any such command unless authorised by the Customer (and by all other relevant Controller(s)) and acknowledges and accepts that if any Protected Data is deleted pursuant to any such command ECA is under no obligation to seek to restore it.
- 3.4 Subject to applicable Subscribed Service Specific Terms or the Acceptance the processing of the Protected Data by ECA under our Agreement shall be for the subject-matter, duration, nature and purposes and involve the types of Personal Data and categories of Data Subjects set out in the schedule.
4 Technical and organisational measures
- 4.1 ECA shall implement and maintain technical and organisational measures to assist the Customer insofar as is possible (taking into account the nature of the processing) in the fulfilment of the Customer’s obligations to respond to Data Subject Requests relating to Protected Data, in each case at the Customer’s cost on a time and materials basis in accordance with ECA’s standard rates for such activities. The parties have agreed that (taking into account the nature of the processing) ECA’s compliance with paragraph 6.1 shall constitute ECA’s sole obligations under this paragraph 4.1.
- 4.2 During the period in which ECA processes any Protected Data, the Customer shall regularly undertake a documented assessment of whether the security measures implemented in accordance with paragraph 4.1 are sufficient to protect the Protected Data against accidental, unauthorised or unlawful destruction, loss, alteration, disclosure or access to the extent required by Data Protection Laws in the circumstances. The Customer shall promptly notify ECA of full details of any additional measures the Customer believes are required as a result of the assessment. The Customer acknowledges that ECA provides a commoditised one-to-many service and the needs or assessments of other customers may differ. ECA shall not be obliged to implement any further or alternative security measures, but this is without prejudice to the Customer ’s right to terminate our Agreement for convenience in accordance with the express provisions of our Agreement if it concludes the measures adopted by ECA are no longer sufficient for its needs.
5 Using staff and other Processors
- 5.1 Subject to paragraph 5.2, ECA shall not engage (nor permit any other Sub-Processor to engage) any Sub-Processor for carrying out any processing activities in respect of the Protected Data in connection with our Agreement without the Customer’s prior written authorisation. The Customer shall not unreasonably object to any new Sub-Processor (or any change to any of the Sub-Processors).
- 5.2 The Customer:
- 5.2.1 authorises the appointment of each of the Sub-Processors identified on the List of Sub-Processors as at Order Acceptance; and
- 5.2.2 authorises the appointment of each Sub-Processor (or any change to any of the Sub-Processors) identified on the List of Sub-Processors as Updated from time to time. The Customer’s right to object to the appointment of a new Sub-Processor (or any change to any of the Sub-Processors) following the relevant Update Notice introducing that change may be exclusively exercised by terminating our Agreement in accordance with its rights following the Update Notification introducing the change before that Update takes effect in accordance with our Agreement.
- 5.3 ECA shall:
- 5.3.1 prior to the relevant Sub-Processor carrying out any processing activities in respect of the Protected Data, ensure each Sub-Processor is appointed under a written contract containing materially the same obligations as under paragraphs 2 to 12 (inclusive) (including those obligations relating to sufficient guarantees to implement appropriate technical and organisational measures);
- 5.3.2 ensure each new Sub-Processor identified on the List of Sub-Processors further to paragraph 5.2.2 meets the following criteria at the time the addition of that Sub-Processor is first made:
- (a) has been operating for at least two years, and
- (b) has not been sanctioned by any Supervisory Authority in relation to any breach of any Data Protection Laws in the previous five years.
- 5.3.3 remain fully liable for all the acts and omissions of each Sub-Processor as if they were its own.
- 5.4 ECA shall ensure that all persons authorised by it (or by any Sub-Processor) to process Protected Data are subject to a binding written contractual obligation to keep the Protected Data confidential (except where disclosure is required in accordance with Applicable Law, in which case ECA shall, where practicable and not prohibited by Applicable Law, notify the Customer of any such requirement before such disclosure).
6 Assistance with compliance and Data Subject rights
- 6.1 ECA shall refer all Data Subject Requests it receives to the Customer without undue delay. The Customer shall pay ECA for all work, time, costs and expenses incurred by ECA or any Sub-Processor(s) in connection with such activity, calculated on a time and materials basis at ECA’s standard rates for such activities.
- 6.2 ECA shall provide such assistance as the Customer reasonably requires (taking into account the nature of processing and the information available to ECA) to the Customer in ensuring compliance with the Customer’s obligations under Data Protection Laws with respect to:
- 6.2.1 security of processing;
- 6.2.2 data protection impact assessments (as such term is defined in Data Protection Laws);
- 6.2.3 prior consultation with a Supervisory Authority regarding high risk processing; and
- 6.2.4 notifications to the Supervisory Authority and/or communications to Data Subjects by the Customer in response to any Personal Data Breach,
provided the Customer shall pay ECA for all work, time, costs and expenses incurred ECA or any Sub-Processor(s) in connection with providing the assistance in this paragraph 6.2 , calculated on a time and materials basis at ECA’s standard rates for such activities.
7 International data Transfers
- 7.1 Subject to paragraphs 7.2 and 7.4, ECA shall not Transfer any Protected Data:
- 7.1.1 from any country to any other country; and/or
- 7.1.2 to an organisation and/or its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries,
without the Customer’s prior written authorisation except where required by Applicable Law (in which case the provisions of paragraph 3.1 shall apply).
- 7.2 The Customer hereby authorises ECA (or any Sub-Processor) to Transfer any Protected Data for the purposes referred to in paragraph 3.4 to any International Recipient(s) in accordance with paragraph 7.3, provided all Transfers of Protected Data by ECA of Protected Data to an International Recipient shall (to the extent required under Data Protection Laws) be effected by way of Lawful Safeguards and in accordance with Data Protection Laws and our Agreement. The provisions of our Agreement (including this Data Protection Addendum) shall constitute the Customer’s instructions with respect to Transfers in accordance with paragraph 3.1.1.
- 7.3 ECA (and its Sub-Processors) may only Transfer the Protected Data to (or process Protected Data in) the United Kingdom, Channel Islands and to any country which is a member of the European Union.
- 7.4 The Customer acknowledges that due to the nature of cloud services, the Protected Data may be Transferred to other geographical locations in connection with use of the Services further to access and/or computerised instructions initiated by Authorised Users. The Customer acknowledges that ECA does not control such processing and the Customer shall ensure that Customer Affiliates and Authorised Users (and all others acting on its behalf) only initiate the Transfer of Protected Data to other geographical locations if Lawful Safeguards are in place and that such Transfer is in compliance with all Applicable Laws.
8 Information and audit
- 8.1 ECA shall maintain, in accordance with Data Protection Laws binding on ECA, written records of all categories of processing activities carried out on behalf of the Customer.
- 8.2 ECA shall ensure that it has appropriate mechanisms in place to ensure its Sub-Processors meet their obligations under Data Protection Laws.
9 Breach notification
- 9.1 In respect of any Personal Data Breach, ECA shall, without undue delay (and in any event within 72 hours):
- 9.1.1 notify the Customer of the Personal Data Breach; and
- 9.1.2 provide the Customer with details of the Personal Data Breach.
10 Deletion of Protected Data and copies
- Following the end of the provision of the Services (or any part) relating to the processing of Protected Data ECA shall dispose of Protected Data in accordance with its obligations under our Agreement. ECA shall have no liability (howsoever arising, including in negligence) for any deletion or destruction of any such Protected Data undertaken in accordance with our Agreement.
11 Compensation and claims
- 11.1 ECA shall be liable for all reasonably and directly incurred and fully substantiated Data Protection Losses (howsoever arising, whether in contract, tort (including negligence) or otherwise) under or in connection with our Agreement:
- 11.1.1 only to the extent caused by the processing of Protected Data under our Agreement and directly resulting from ECA’s breach of our Agreement; and
- 11.1.2 in no circumstances to the extent that any Data Protection Losses (or the circumstances giving rise to them) are contributed to or caused by any breach of our Agreement by the Customer (including in accordance with paragraph 3.1.3(b)).
- 11.2 If a party receives a compensation claim from a person relating to processing of Protected Data in connection with our Agreement or the Services, it shall promptly provide the other party with notice and full details of such claim.
- 11.3 The parties agree that the Customer shall not be entitled to claim back from ECA any part of any compensation paid by the Customer in respect of such damage to the extent that the Customer is liable to indemnify or otherwise compensate ECA in accordance with our Agreement.
- 11.4 This paragraph 11 is intended to apply to the allocation of liability for Data Protection Losses as between the parties, including with respect to compensation to Data Subjects, notwithstanding any provisions under Data Protection Laws to the contrary, except:
- 11.4.1 to the extent not permitted by Applicable Law (including Data Protection Laws); and
- 11.4.2 that it does not affect the liability of either party to any Data Subject.
- This Data Protection Addendum (as Updated from time to time) shall survive termination (for any reason) or expiry of our Agreement and continue until no Protected Data remains in the possession or control of ECA or any Sub-Processor, except that paragraphs 10 to 12 (inclusive) shall continue indefinitely.
13 Data protection contact
- If you wish to contact ECA’s Data Protection Officer,, please send an email to firstname.lastname@example.org, or write to the ECA Data Protection Officer @ ECA Electrical Contractors’ Association Ltd (The) registered office is at Eca Court, 24-26 South Park, Sevenoaks, Kent, TN13 1DU registered number 00143669 or call 02073134800.
DATA PROCESSING DETAILS
Subject-matter of processing:
- Adaptation and compilation of templates and materials and storage of records including the
Duration of the processing:
- Until the earlier of termination or expiry of our Agreement, except as otherwise expressly stated in our Agreement;
Nature and purpose of the processing:
- Processing in accordance with the rights and obligations of the parties under our Agreement;
- Processing as reasonably required to provide the Services;
- processing as initiated, requested or instructed by Authorised Users in connection with their use of the Services, or by the Customer, in each case in a manner consistent with our Agreement; and/or
- in relation to each Subscribed Service, otherwise in accordance with the nature and purpose identified in its Subscribed Service Specific Terms;
Type of Personal Data:
- Job Role including any past role if they have changed roles as there is a history retained
- Employment Status
- Reference - could be the company reference or ECS reference as open to be used how the company wishes.
- Training record
- Observation on the operative around risk
- Any certificates/qualifications that have been uploaded that the operative has gained as part of the training
Categories of Data Subjects:
- Customer’s: Authorised Users, employees, customers, operative and labour force