Data protection

  1. IT Security
    1. In supplying the Goods, Services or Deliverables, the Supplier shall:
      1. take all necessary steps to: (i) ensure that no computer viruses, trojan horses, malware or other destructive, disruptive or nuisance computer programs (each a “Virus”) is contained in or affects the Goods or Deliverables as at the date of delivery by the Supplier to AtlasEdge of such items; and (ii) prevent any Viruses being introduced via the Supplier’s Systems into AtlasEdge Group’s Systems; and
      2. use the current release of recognised market leading Virus detection software.
  2. AE Data and Data Security
    1. The Supplier shall:
      1. not use or reproduce AE Data in whole or in part in any form except as expressly permitted by AtlasEdge in accordance with the Purchase Order or relevant SoW;
      2. implement and maintain appropriate security procedures designed to secure AE Data against accidental or unlawful loss, access or disclosure in its collection, receipt, transmission, storage, disposal, use and disclosure of such data and take all precautions necessary to preserve the integrity of AE Data;
      3. maintain reasonable security, protection and backup of AE Data which may include routine archiving and the use of encryption technology to protect against unauthorized access;
      4. have in place, at a minimum physical, technical, administrative, and organizational measures and safeguards that provide for and ensure: (i) protection of business facilities, paper files, servers, computing equipment, and backup systems containing AE Data; (ii) network, application and platform security; (iii) secure transmission and storage of data with strong cryptography using industry standard best practices; (iv) authentication and access control mechanisms over data, media, applications, operating systems and equipment; (vi) training to personnel on how to comply with Supplier’s information security safeguards and confidentiality obligations; (vii) storage limitations such that AE Data resides only on servers located in data centres that comply with industry standard data centre security controls and restrictions to ensure that its personnel do not place any AE Data on any notebook hard drive or removable media, unless encrypted; (ix) implementing, updating and keeping current industry standard: (A) backup systems, network technology, firewalls, intrusion-detection and prevention systems, anti-virus protection and other network and technological security systems; and (B) computer systems, networks, and other equipment and software that secure AE Data during storage, manipulation, and dissemination and processes that secure AE Data during system or network changes; and (ix) routinely reviewing and updating network technology, anti-virus programs, backup systems, and other technological security systems; and
      5. restrict access to AE Data only to those of its personnel who have a need to know and procure that no unauthorised third party will, as a result of any act or omission of the Supplier or its personnel, obtain access to any AE Data.
    2. Where there has been any breach or where the Supplier suspects there has been a breach of this paragraph 2, the Supplier shall inform AtlasEdge immediately and the Supplier shall cooperate with AtlasEdge in the handling of the matter, including obtaining and making available to AtlasEdge all relevant records, logs, files, data reporting and other materials required to comply with applicable law, regulation, industry standards or AtlasEdge’s reasonable request.
  3. Data Protection
    1. This paragraph 3 applies where, under or in connection with the provision of Goods, Services or Deliverables, the Supplier (acting as a Data Processor) or any of its permitted subcontractors generates, receives or otherwise processes personal data on behalf of AtlasEdge (in its capacity as a Data Controller). Terms defined in the GDPR have the same meanings when used in this paragraph 3.
    2. The Supplier shall, at all times, comply with (and not cause AtlasEdge to be in breach of) the Data Protection Laws in relation to Personal Data processed by it under any Purchase Order or SoW.
    3. Without limiting paragraph 3.2 the Supplier warrants, represents and undertakes to AtlasEdge that:
      1. it shall only process the Personal Data in accordance with this paragraph 3 and the documented instructions of AtlasEdge and as is reasonably necessary to provide the Goods, Services or Deliverables in accordance with the Purchase Order and relevant SoW;
      2. it shall not engage any other party to process the Personal Data (a “Sub-Processor”) without AtlasEdge’s prior written consent and it shall only engage such approved Sub-Processor by entering into a legally binding written contract imposing obligations on the Sub-Processor which are (at least) equivalent to those imposed on the Supplier in this paragraph 3, provided that if the Sub-Processor fails to fulfil its data protection obligations (including compliance with the terms of this paragraph 3) the Supplier shall remain fully liable to AtlasEdge for the performance of the Sub-Processor’s obligations;
      3. it shall not transfer any Personal Data to a country or territory outside the European Economic Area / UK without first obtaining AtlasEdge’s prior written consent;
      4. it shall maintain data secrecy in accordance with applicable Data Protection Laws and shall ensure that:
        1. access to Personal Data is only given to those Supplier personnel and personnel of the Supplier’s approved Sup-Processors, that really need to have access to Personal Data; and
        2. such personnel are subject to appropriate obligations of confidentiality in accordance with applicable Data Protection Laws and at all times act in compliance with Data Protection Laws and the obligations of this paragraph 3;
      5. it shall at all times have in place (and comply with) all appropriate technical and organisational measures to protect the processed Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access or other unauthorised processing. Such measures shall ensure best practice security, be compliant with Data Protection Laws at all times and comply with the Security Measures;
      6. it shall provide AtlasEdge with such assistance and co-operation as AtlasEdge may reasonably request to enable AtlasEdge to comply with its obligations under Data Protection Laws and cooperate with the competent authorities in relation to Personal Data processed by the Supplier, including, but not limited to, assisting AtlasEdge: (A) by taking appropriate technical and organisational measures, insofar as is possible, to respond to requests from data subjects for access to or rectification, erasure or portability, or restriction of or objection to processing, of processed Personal Data (but the Supplier shall not respond to any such request except with AtlasEdge’s prior written consent); and (B) in ensuring compliance with AtlasEdge’s security, data breach notification, impact assessment and data protection or data privacy authority consultation obligations under Data Protection Laws, taking into account the information available to the Supplier.
    4. The Supplier shall notify AtlasEdge as soon as possible and as far as it is legally permitted to do so, of any access request for disclosure of data which concerns Personal Data (or any part thereof) by any governmental or other regulatory authority, or by a court or other authority of competent jurisdiction. The Supplier shall, to the extent legally permitted, not disclose any Personal Data in response to such request served on the Supplier without first consulting with and obtaining the written consent of AtlasEdge.
    5. The Supplier shall promptly and without undue delay give written notice to AtlasEdge, with reasonable details, if it becomes aware of, or comes to have reasonable grounds to suspect, the occurrence of any personal data breach or other incident prejudicing, or revealing a weakness in, the security of the processed Personal Data while in its possession or under its control (a “Data Breach“). In relation to any Data Breach, the Supplier shall at its own cost (i) take all reasonable steps to identify and correct the underlying cause of the Data Breach so as to eliminate or minimise the risk of its repetition and the occurrence of similar Data Breaches; (ii) take such steps as AtlasEdge may request to assist in addressing the adverse consequences for AtlasEdge of, and complying with AtlasEdge’s obligations under Data Protection Laws in relation to, the Data Breach; and (iii) report to AtlasEdge promptly and at regular intervals, on these steps and their results.
    6. The Supplier shall make available to AtlasEdge all information necessary in connection with, and shall contribute to, all reasonable audits, including inspections, conducted by AtlasEdge or its mandated auditor, to demonstrate the Supplier’s compliance with this Schedule and Data Protection Laws.
    7. At the end of the provision of the Goods or Services or earlier upon request of AtlasEdge, the Supplier shall cease all use of Personal Data and, at AtlasEdge’s election, irrevocably delete, destroy, or transfer (in a mutually agreed format and by a mutually agreed method) to AtlasEdge (or its nominated agent) all Personal Data and copies thereof in its possession (unless EU, EU Member State or UK law requires the Supplier to store the Personal Data). The deletion and/or destruction thereof are to be documented in a suitable manner and evidenced to AtlasEdge.
    8. The Supplier shall indemnify AtlasEdge against all costs, claims, demands, fines, awards, expenses, losses, actions, proceedings and liabilities suffered or incurred by any member of the AtlasEdge Group in connection with any failure of the Supplier or any third party appointed by the Supplier to comply with the provisions of this Schedule and/or Data Protection Laws in respect of its processing of Personal Data.
    9. The Supplier shall not acquire any rights (including any retention rights) in the Personal Data processed by it or any of its Sub-Processors.
  4. Additional Definitions
    1. For the purpose of this Schedule, the following words and phrases shall have the following meaning unless the context otherwise requires:
      1. “Data Protection Laws” means all applicable laws, rules and regulations on data protection, data privacy, or relating to the processing of personal data and privacy, including the European Union’s General Data Protection Regulation (“GDPR”);
      2. “AE Data” means any data, information, drawings, specifications or other material (in whatever form and on any medium) relating to the AtlasEdge Group or their customers, suppliers or personnel which is: (i) supplied or made available to the Supplier or its and its subcontractors’ personnel by or on behalf of the AtlasEdge Group; (ii) obtained by, or in possession or control of, the Supplier or its and its subcontractors’ personnel for the purposes of enabling the provision of the Goods, Services or Deliverables or fulfilling its obligations under the Purchase Order; or (iii) created, generated, transmitted, stored or processed by the Supplier or its and its subcontractors’ personnel in connection with providing Goods, Services or Deliverables;
      3. “Security Measures” means AtlasEdge security policies and measures (including IT policies and measures) for the protection of Personal Data issued to Supplier by AtlasEdge from time to time;
      4. “Personal Data” means all personal data, in whatever form or medium which is: (i) supplied, or in respect of which access is granted to the Supplier (or any approved third party) whether by AtlasEdge or otherwise in connection with any Purchase Order or relevant SoW, or (ii) produced or generated by or on behalf of the Supplier (or any approved third party) in connection with any Purchase Order or relevant SoW; and
      5. “Systems” means communication systems, computer programs, software, computer and communications networks, hardware, firmware, servers, devices, cabling and related equipment, databases the tangible media on which they are recorded and their supporting documentation.