IROTA DATA PROCESSING ADDENDUM (DPA)

This Data Processing Addendum (the Addendum) forms part of the contract with the Service User (the Controller) in conjunction with the following terms:

and, as updated or amended from time to time, between you, the Controller and Gillett Limited (the Processor).

DEFINITIONS

In our associated documents and this Addendum, the following terms have the following meanings:

a) controller, Processor, data subject, personal data, processing (and process) and special categories of personal data have the meanings given in the UK General Data Protection Regulation.

b) Data Protection Law means the UK General Data Protection Regulation (the UK GDPR) and UK laws made under or pursuant to UK GDPR.

RELATIONSHIP OF THE PARTIES

The Service User (Controller) subscribes to the iRota service and appoints Gillett Ltd as a processor to process the personal data only on the controller’s documented instructions (and as per the terms set out in this Addendum) for the purposes described in iRota Terms and Conditions Of Use and iRota Privacy and Consent Statement or as otherwise agreed in writing by the parties. Each party must comply with the obligations that apply to it under Data Protection Law.

CONFIDENTIALITY OF PROCESSING

The Processor will ensure that any person it authorises to process the Data will protect the Data in accordance with Gillett Ltd’s confidentiality obligations under the T&Cs and is bound by a duty of confidence.

SECURITY

The Processor will implement technical and organisational measures to protect the Data from (i) accidental or unlawful destruction, and (ii) loss, alteration, unauthorised disclosure of, or access to the Data (a Security Incident). The Processor utilises an internal information security management system (ISMS) to manage its compliance.

SUBCONTRACTING

The Processor does not engage third-party sub-processors to process the data. In the event of using a third-party processor, the Processor will inform the Controller. Additionally, the Processor will impose data protection terms on any sub-processor it appoints, requiring it to protect the data to the required standard set by Data Protection Law.

COOPERATION AND DATA SUBJECTS' RIGHTS

The Processor will provide reasonable and timely assistance to the Controller to enable the Controller to respond to:

(i) any request from a data subject to exercise any of its rights under Data Protection Law; and

(ii) any other correspondence, enquiry or complaint received from a data subject, regulator or other third party in connection with the processing of the Data. If any such request, correspondence, enquiry or complaint is made directly to the Processor, the Processor will promptly inform the Controller, providing full details.

DATA PROTECTION IMPACT ASSESSMENT

If the Processor believes or becomes aware that its processing of the Data is likely to result in a high risk to the data protection rights and freedoms of data subjects, it will inform the Controller and provide reasonable cooperation to the Controller in connection with any data protection impact assessment that may be required under Data Protection Law.

SECURITY INCIDENTS

If the Processor becomes aware of a confirmed Security Incident, the Processor will inform the Controller without undue delay and will provide reasonable information and cooperation to the Controller so that they can fulfil any data breach reporting obligations they may have under (and in accordance with the timescales required by) Data Protection Law.

The Processor will take reasonably necessary measures and actions to remedy or mitigate the effects of the Security Incident and keep the Controller informed of developments in connection with the Security Incident.

AUDIT

The Processor will submit to audits and inspections and provide the Controller with what it needs to ensure they are both meeting their Article 28 obligations.

SUMMARY OF DATA PROCESSING

Subject matter & processing

The personal data to be processed is the data of the Controllers’ employees/workers that is entered into the iRota service.

Duration of processing

The duration of processing is defined in the Retention of Data section of the iRota Privacy & Consent Statement.

Nature and purpose of processing personal data

The nature and purpose of processing personal data is to enable the functionality of the iRota service.

Types of Personal Data involved

The types of data involved are listed in the Information Held within iRota section of the iRota Privacy and Consent Statement. No special category data is processed.

Categories of Data Subjects

a) Controllers’ employees
b) Controllers’ suppliers
c) Controllers’ contractors
d) Controllers’ volunteers
