1. Definitions

    In these Data Protection provisions, the following terms shall apply:

    • Applicable Law – the law of the United Kingdom.
    • Controller, Processor, and Data Subject – as defined in the Data Protection Laws.
    • Data Protection Laws – all applicable UK data protection laws, including the UK GDPR, the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations 2003 (as amended), as well as guidance from the ICO or successor bodies.
    • Data Processing Particulars – details of the processing set out in Schedule 1.
    • Data Subject Request – any request from a Data Subject exercising rights under Data Protection Laws (e.g. access, rectification, erasure, restriction, portability, or objection).
    • ICO – the UK Information Commissioner’s Office or any successor regulator.
    • Personal Data – any personal data (as defined in the Data Protection Laws) processed under this Agreement, including sensitive/special category data where applicable.
    • Personal Data Breach – as defined in the Data Protection Laws.
    • Processing – as defined in the Data Protection Laws (and “Process” and “Processed” shall be interpreted accordingly).
    • Security Requirements – technical and organisational measures required under Article 32 UK GDPR and other applicable legislation to ensure the security of Personal Data.
    • UK GDPR – the retained version of the General Data Protection Regulation (EU 2016/679) as it applies in the UK.
    1. Data Protection

    2.1 Relationship of the Parties

    1. The Customer shall generally act as the Controller, and Clever Centre Ltd (the Supplier) shall act as the Processor when processing Personal Data on behalf of the Customer.
    2. The Parties agree that Schedule 1 accurately describes the Data Processing Particulars.
    3. Each Party acknowledges its direct responsibilities under Data Protection Laws.

    2.2 Obligations of Clever Centre Ltd as Processor

    Where Clever Centre Ltd processes Personal Data as Processor on behalf of the Customer, it shall:

    1. a) Only process the Personal Data for the Permitted Purpose and in accordance with the Customer’s documented instructions.
      b) Maintain records of processing activities.
      c) Notify the Customer immediately if it believes any instruction infringes Data Protection Laws.
      d) Implement and maintain appropriate technical and organisational security measures.
      e) Allow audits/inspections by the Customer or its auditors on reasonable notice.
      f) Not disclose Personal Data to third parties or sub-contractors without prior written consent, except where legally required.
      g) Promptly comply with any request from the Customer to amend, transfer, or delete Personal Data.
      h) Notify the Customer of any Data Subject Request or ICO correspondence within 48 hours and provide assistance.
      i) Notify the Customer of any Personal Data Breach within 24 hours, support investigations, and assist with required notifications.
      j) Assist the Customer with Data Protection Impact Assessments and regulatory consultations where required.
      k) On termination of services or when data is no longer required, return or securely destroy all Personal Data (unless retention is required by law).
      l) Not transfer Personal Data outside of the UK without prior written consent.

    2.3 Personnel

    Clever Centre Ltd shall ensure that staff with access to Personal Data:

    • Are reliable and properly trained in data protection obligations.
    • Are bound by confidentiality undertakings.

    2.4 Sub-contractors

    • Sub-contractors may only be appointed with the Customer’s written consent.
    • Clever Centre Ltd will conduct due diligence before appointing any sub-contractor.
    • Sub-contractor agreements must contain data protection terms at least as protective as these provisions.
    • Clever Centre Ltd remains liable for all acts and omissions of its sub-contractors.
    1. Losses

    Nothing prevents the Customer from recovering any losses incurred as a result of a breach of this Data Protection clause.

    1. Indemnity

    Clever Centre Ltd shall indemnify and hold harmless the Customer against:

    • ICO fines or penalties.
    • Investigative or corrective costs required by regulators.
    • Claims or losses arising from Data Subjects or third parties.
    • Any other losses caused by Clever Centre Ltd’s (or its sub-contractors’) breach of these Data Protection provisions.

    Schedule 1 – Data Processing Particulars

    Subject matter of Processing
    Supply of goods and/or services.

    Nature of Processing

    • Collecting and storing details of employees, contractors, consultants, and agents of both parties.
    • Managing communications and service delivery.
    • Processing financial and payment details.

    Duration of Processing
    For the duration of the supply of goods and/or services under the Agreement.

    Purpose of Processing
    To perform contractual obligations and provide goods and/or services in accordance with the Terms & Conditions.

    Types of Personal Data

    • Identity and contact details (name, address, email, telephone).
    • Employment details.
    • Payment information (bank details, payment records).

    Categories of Data Subjects

    • Employees, contractors, consultants, and permitted agents of both parties.