This is the contract template that the CSO will use when entering into a contract with a Public Service Body.
1.1 Subject matter of processing
The subject matter of processing is [xxxxxxxxx] which may involve the processing of personal information by the Contractor.
1.2 Nature of processing
Processing activity covers all operations that may be performed on protected data, including by manual or automated means, for the provision of the services specified in this contract.
1.3 Purpose of processing
The purpose of the processing of protected data is to provide the services described in the 'CSO Anonymisation Service Application Form for PSB's’ which details the nature and functional specifications of the Service.
1.4 Duration of the processing
The duration of processing of protected data will continue for the period the data is required to carry out the services as agreed in the contract. Protected data is kept as long as necessary to fulfil the purposes for which it was collected. Once the protected data is no longer required it will be securely destroyed.
2. Types of protected data
Protected data means data held by a public sector body which is protected on the grounds of:
(a) commercial confidentiality, including business, professional and company secrets,
(b) statistical confidentiality,
(c) the protection of intellectual property rights of third parties, or,
(d) the protection of personal data, insofar as such data fall outside the scope of Directive (EU) 2019/1024.
Protected data cannot be shared with any person other than as allowed in the contract.
3. Data Protection and Security Arrangements
The Contractor shall, in relation to any protected data processed in connection with the performance by the Contractor of its obligations under this Agreement: -
(a) process that protected data only on the written instructions of the Client;
(b) ensure that it has in place appropriate technical and organisational measures to protect against unauthorised or unlawful processing of protected data and against accidental loss or destruction of, or damage to, protected data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymising and encrypting protected data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to protected data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it);
(c) ensure that all personnel who have access to and/or process protected data are obliged to keep the protected data confidential
(d) ensure that protected data disclosed during the term of the contract shall remain confidential to the parties
4. Assistance to be provided by the Data Processor
The processor shall notify the controller as soon as it becomes aware of/discovers a breach affecting the data processed in accordance with the contract. The processor shall provide full co-operation and assistance on an on-going basis during the breach investigation and review and provide the controller with sufficient information to meet its obligations. The processor shall also cooperate with the controller and offer assistance with data protection requests and the preparation of data protection impact assessments as required.
5. Retention of Data
Data should only be retained for the period as defined in this contract and with reference to the Duration of Processing set out in Section 1.4 of this schedule.