Service Specific terms
This document is to be read in conjunction with the terms and conditions.

1. Interpretation

The following definitions and rules of interpretation apply in the services agreement.

Applicable Data Protection Law: UK GDPR applies, the law of the United Kingdom or of a part of the United Kingdom, that relates to the protection of personal data.

Business Day: a day, other than a Saturday, Sunday or UK bank holiday.

Business Hours: the period from 9:00 am to 5:00 pm GMT/BST on any Business Day or as outlined in the quote.

Customer: means the party referred to as Customer on the quote and any persons, consultants, employees and those acting on its behalf.

Services: means a Supplier service or multiple Supplier services (which may be packaged) that are ordered by the Customer as outlined in the quote.

Supplier: means the party referred to as Supplier on the quote and any persons, consultants, employees and those acting on its behalf.

UK GDPR: has the meaning given to it in section 3(10) as supplemented by section 205(4) of the Data Protection Act 2018.

2. Outsourced Data Protection Officer (DPO)

A managed service where customers can purchase some days (the smallest amount is 0.5 days) per month for DPO services. Where the Customer does not use the total amount of time in any given month, that time may be carried over to the subsequent month (but not longer).

Supplier will provide virtual consultation to Customer, information, advice and other related services, under the DPO service levels below, to ensure that Customer processes the personal data of its staff, customers, service providers or any other individuals (also referred to as data subjects) in compliance with applicable data protection laws and best practice.

2.1 Supplier obligations

2.1.1 act as the Data Protection Officer (DPO) for Customer under applicable data protection laws;

2.1.2 facilitate Customer compliance with the UK GDPR and other applicable data protection legislation by ensuring effective systems and controls are in place to enable Customer to comply with their legal obligations;

2.1.3 act as the Customer's intermediary between relevant stakeholders, including supervisory authorities, data subjects, and business units;

2.1.4 report notifiable data breaches identified and notified to Supplier by Customer to the Information Commissioner's Office (ICO) and any relevant supervisory authority at the end of any statutorily required notice period where the requisite notice has not been sent earlier either by Customer or Supplier at Customer's instruction; and

2.1.5 inform and advise Customer's senior management (where appointed to do so) under Supplier's position as DPO for the Customer.

2.2 Customer obligations

2.2.1 Customer will ensure compliance with all applicable data protection laws and in particular, Customer will:

2.2.2 report all notifiable and potential data breaches to the Supplier's assigned DPO at advice@protection.trudigital.co.uk as soon as the Customer becomes aware of the breach;

2.2.3 submit details of data breach(es) to Supplier for reporting to the ICO and any relevant supervisory authority without undue delay; and

2.2.4 where Customer fails to comply with reporting obligations above, Supplier shall not be liable and Customer will indemnify Supplier for any penalties imposed by the ICO, any relevant supervisory authority or any third party claims, because of failure and/or delay in reporting notifiable breaches.

2.3 DPO service levels

2.3.1 Priority levels will be addressed in line with the following service levels:

| Type | Response time |
| --- | --- |
| Critical: a scenario which will have serious immediate impact on the protection of personal data | 1 hour |
| Urgent: for advice on UK GDPR topics that are subject to time constraints | 4 hours |
| Non-urgent: for advice and guidance on UK GDPR issues and longer term projects that do affect Customer's operations | By the end of the next Business Day |

All service levels apply only to the Business Day and Business Hours.

All service requests must originate with an email sent to advice@protection.trudigital.co.uk.

3. Additional services

3.1 Data Protection Impact Assessment

Supplier will provide Customer access to up to 2 hours per month of remote support for queries and questions relating to data protection impact assessment matters. Customers can contact the DPIA service by emailing advice@protection.trudigital.co.uk initially and then queries can be dealt with via email, phone or video conferencing.

Included in the comprehensive service; additional credits can be bought for advice service customers.

3.2 GDPR audit and analysis

Supplier will provide an audit and analysis of the current level of compliance to GDPR. The output of the audit will be a report that will outline any non-conformities, with recommendations and an action plan outlining what needs to be done to achieve compliance. During the audit, which will be conducted remotely, Customer will need to provide access to key staff, documentation and evidence to support the audit.

Included in the comprehensive service; additional credits can be bought for advice service customers.

3.3 Redacting

Supplier will provide the Customer a redacting service of up to 5 redactions per annum in relation to subject access requests. The Customer must provide the necessary data and the Supplier will provide a tool so that the Customer can review redactions before being sent to the data subject.

Included in the comprehensive service (up to 5 redactions per annum); additional credits can be bought for both comprehensive and advice service customers.