Our terms: Trace® DPO client services

 

Definitions

In these terms, the following definitions apply: 

"Client Information" means Information clients share with us pursuant to the DPO services work;

“Data subjects” means the individual whose personal data is being processed

"Documentation" means relevant project reports or artefacts pursuant to the DPO services work;

“DPO” means a Data Protection Officer as defined in Article 39 of the General Data Protection Regulation (GDPR); your DPO means a Trace appointed consultant assigned to provide DPO services for your organisation as Trace’s client;  

"DPO Services" means the professional DPO services provided to you by us, which may include consulting, advisory services, training or liaison with the supervisory authorities or data subjects;

"Intellectual Property Rights" means copyright, patents, know-how, trade secrets, trade marks, trade names, design rights, rights in get-up, rights in goodwill, rights in Confidential Information; in whichever part of the world existing;

“Supervisory authority” means the country specific independent public authority responsible for monitoring the application of the GDPR (as defined in Article 51 of the GDPR)

"Us" "we" and "our" refers to Trace Data Limited, a company registered in Scotland with registered number SC484420 and having its registered office at Ground Floor, 11-15 Thistle Street, Edinburgh, Scotland, EH2 1DF;

"You" means our Client, an organisation engaging us for and receiving DPO Services.

Our relationship with you

We will perform the DPO services using reasonable skill and care for the sole benefit of you, our Client;

We will provide the DPO services to you as an independent contractor and not as your employee, agent, partner or joint venturer. Neither you nor we have any right, power or authority to bind the other;

We may subcontract portions of the DPO services to our service providers, who may deal with you directly. Nevertheless, we alone will be responsible for the performance of the DPO services;

We will not assume any management responsibilities in connection with the DPO services. We will not be responsible for the use or implementation of the output of the DPO services.

Your responsibilities

You shall assign a qualified person to oversee the DPO services. You are responsible for all management decisions relating to the DPO services, the use or implementation of the output of the DPO services and for determining whether the DPO services are appropriate for your purposes;

You shall provide to us, promptly, the information, resources and assistance (including access to records, systems, premises and people) that we reasonably require to perform the DPO services;

All information provided by you or on your behalf (“Client Information”) shall be accurate and complete. The provision of Client Information to us will not infringe any copyright or other third-party rights;

We may rely on Client Information made available to us and, unless we expressly agree otherwise, will have no responsibility to evaluate or verify it.

You agree to ensure that:

  • Trace’s ‘DPO’ appointed for your organisation is involved, closely and in a timely manner, in all data protection matters;
  • Your appointed DPO has communication and access to the highest management level of your organisation, ie board level;
  • Your DPO operates independently and is not penalised for performing their tasks;
  • You provide adequate resources to enable the DPO to help you meet your Data Protection compliance obligations;
  • You will give the DPO appropriate access to personal data and processing activities;
  • You will give the DPO appropriate access to other services within your organisation so that they can receive essential support, input or information;
  • You will seek the advice of your DPO when carrying out a Data Protection Impact Assessment (DPIA); and
  • You will record the details of your DPO as part of your records of processing activities, and if you are based in the UK, you will publish their details.

When you appoint Trace as your DPO you acknowledge Trace nor your appointed individual will not be personally liable for your data protection compliance posture. As the controller or processor it remains your responsibility to comply with the relevant data protection regulations (such as the GDPR). 

Intellectual Property Rights

We may use data, software, designs, utilities, tools, models, systems and other methodologies and know-how (“Materials”) that we own in performing the DPO services. Notwithstanding the delivery of any client reports, we retain all intellectual property rights in the Materials (including any improvements or knowledge developed while performing the DPO services), and in any working papers compiled in connection with the DPO services  (but not Client Information reflected in them).

Confidentiality

Except as otherwise permitted by these terms, neither of us may disclose to third parties any information provided by, or on behalf of the other that ought reasonably to be treated as confidential and/or proprietary. Either of us may, however, disclose such information to the extent that it:

  1. ) is or becomes public other than through a breach of these terms
  2. ) is subsequently received by the recipient from a third party who, to the recipient’s knowledge, owes no obligation of confidentiality to the disclosing party with respect to that information,
  3. ) was known to the recipient at the time of disclosure or is thereafter created independently,
  4. ) is disclosed as necessary to enforce the recipient’s rights under this agreement, or
  5. ) must be disclosed under applicable law.

Fees and expenses

You shall pay our professional fees and specific expenses in connection with the DPO services as detailed in the Statement of Work or any of its appendices. You shall also reimburse us for other reasonable expenses incurred in performing the DPO services

Our fees are exclusive of Value Added Tax (or other taxes); we are VAT registered. Our VAT number is: 322820923

We may claim appropriate advances on remuneration and reimbursement of expenses and may make the delivery of our Services dependent upon complete satisfaction of our claims. Unless otherwise set forth in the applicable Statement of Work, payment is immediately due following receipt of each of our invoices and within 14 days

We may charge additional professional fees if there is a change of scope 

If you fail to pay our invoice within 30 days, we reserve the right terminate your services or withhold information relating to your DPO services work or charge reasonable late payment fees for overdue invoices and interest in line with the UK ‘statutory interest’ rate (8% plus the Bank of England base rate).

Force majeure

Neither you nor we shall be liable for breach of this Agreement (other than payment obligations) caused by circumstances beyond your or our reasonable control.

Term and termination

This Agreement applies to the DPO services whenever performed (including before the date of this Agreement)

This Agreement shall terminate on the completion of the DPO services. Either of us may terminate it, or any particular Services, earlier upon 90 days’ prior written notice to the other. In addition, we may terminate this Agreement, or any particular Services, immediately upon written notice to you if we reasonably determine that we can no longer provide the DPO services  in accordance with applicable law or professional obligations

You shall pay us for all work-in-progress, Services already performed, and expenses incurred by us up to and including the effective date of the termination of this Agreement

Our respective confidentiality obligations under this Agreement shall continue for a period of ten years following the termination of this Agreement. The other provisions of this Agreement that give either of us rights or obligations beyond its termination shall continue indefinitely following the termination of this Agreement.

Governing law and jurisdiction

This Agreement, and any non-contractual matters or obligations arising out of this Agreement or the DPO services, shall be governed by, and construed in accordance with, the laws of Scotland.

For details of your data rights and how we process your personal data, please refer to our privacy notice.