Common use of Independent Controllers of Personal Data Clause in Contracts

Independent Controllers of Personal Data. The Parties acknowledge that they are Independent Controllers for the purposes of the Data Protection Legislation in respect of: ● Business contact details of Supplier Personnel for which the Supplier is the Controller, ● Business contact details of any directors, officers, employees, agents, consultants and contractors of Relevant Authority (excluding the Supplier Personnel) engaged in the performance of the Relevant Authority’s duties under the Contract) for which the Relevant Authority is the Controller, ● [Insert the scope of other Personal Data provided by one Party who is Controller to the other Party who will separately determine the nature and purposes of its Processing the Personal Data on receipt e.g. where (1) the Supplier has professional or regulatory obligations in respect of Personal Data received, (2) a standardised service is such that the Relevant Authority cannot dictate the way in which Personal Data is processed by the Supplier, or (3) where the Supplier comes to the transaction with Personal Data for which it is already Controller for use by the Relevant Authority] [Guidance where multiple relationships have been identified above, please address the below rows in the table for in respect of each relationship identified] Duration of the Processing The duration of the Processing shall be contained to the term of the contract which begins on 16/10/23 and ends on 15/10/26 unless the optional extensions 2 x 12 months are enacted and therefore the end date will be extended to 16/10/27 or 15/10/28. Nature and purposes of the Processing [Please be as specific as possible, but make sure that you cover all intended purposes. The nature of the Processing means any operation for delivering Managed Print Services to the NDA Group Type of Personal Data ● The names of HP Inc UK and Apogee Corporation Staff ● The personal/home address of HP Inc UK and Apogee Corporation Staff ● HP / Apogee staff work email addresses ● HP / Apogee staff work telephone numbers ● NDA Group - The Names, Job Titles, Work Email Addresses & Work Telephone Numbers Categories of Data Subject Staff (including volunteers, agents, and temporary workers) Plan for return and destruction of the data once the Processing is complete Unless requirement under Union or Member State law to preserve that type of data Data will be retained for the duration of the contract and will be returned or destroyed at the end of the contract, as indicated by the client at the time of contract termination Data Transfer The Supplier agrees that they will not transfer Personal Data or Metadata outside of the European Economic Area unless the prior written consent of the Controller has been obtained To the extent any Deliverables to be supplied by Supplier pursuant to a Call Off Contract requires Supplier to act as a Processor, Supplier’s delivery will be subject to the Controller providing consent: (i) in accordance with paragraph 6(d) of Joint Schedule 11, to enable HP to transfer Personal Data outside the EU in accordance with applicable Data Protection Legislation, because the UK is no longer part of the EU and Supplier is a global company and many of our business processes use a global operational model. We would expect to document the appropriate safeguards in relation to the transfer in any Call Off Contract (to include Processor Binding Corporate Rules and EU Standard Contractual Clauses); and (ii) in accordance with paragraph 13(b) of Joint Schedule 11, to enable Supplier to transfer Personal Data or give access to Personal Data to members of Supplier’s group and third parties as sub-processors (and permit sub-processors to do so in accordance with Joint Schedule 11) for the purposes of the performance of the Supplier’s obligations under the Call Off Contract or other purposes identified in Annex 1 to Joint Schedule 11, and the Controller acknowledging and agreeing that it shall be compliant for the Supplier to notify the Controller under paragraph 7 and provide information/assistance under paragraph 9 without undue delay upon Supplier becoming aware that the request, complaint, communication or breach relates to the Personal Data processed by HP as a Processor (or its sub-processors) in the course of providing the Deliverables under the Call Off Contract, to reflect what is achievable in practice and envisaged under the UK GDPR. JOINT SCHEDULE 13 (CONTINUOUS IMPROVEMENT)‌

Independent Controllers of Personal Data. The Parties acknowledge that they are Independent Controllers for the purposes of the Data Protection Legislation in respect of: ● Business contact details of Supplier Personnel for which the Supplier is the Controller, ● Business contact details of any directors, officers, employees, agents, consultants and contractors of Relevant Authority (excluding the Supplier Personnel) engaged in the performance of the Relevant Authority’s duties under the Contract) for which the Relevant Authority is the Controller, ● [Insert the The scope of other Personal Data provided by one Party who is Controller to the other Party who will separately determine the nature and purposes of its Processing the Personal Data on receipt e.g. where (1) the Supplier has professional or regulatory obligations in respect of Personal Data received, (2) a standardised service is such that the Relevant Authority cannot dictate the way in which Personal Data is processed by the Supplier, or (3) where the Supplier comes to the transaction with Personal Data for which it is already Controller for use by the Relevant Authority] [Guidance where multiple relationships have been identified above, please address the below rows in the table for in respect of each relationship identified] Authority Duration of the Processing Personal Data shall not be retained or processed for longer than is necessary to perform each Party’s respective obligations under the Contract. The duration Supplier is required to exercise its regulatory and/or legal obligations in respect of the Processing shall be contained Personal Data. The Authority may request access to the term Personal Data relating to performance of the contract which begins on 16/10/23 and ends on 15/10/26 unless the optional extensions 2 x 12 months are enacted and therefore Temporary Worker compliance checks as detailed in paragraph 6 of Framework Schedule 1 (Specification) up to one (1) year after the end date will be extended of an Assignment in order to 16/10/27 or 15/10/28perform its duties under paragraph 20 of Framework Schedule 1 (Specification). Nature and purposes of the Processing [Please For all Assignments placed under the terms of the Framework Contract, Personal Data pertaining to the Temporary Worker will be as specific as possiblecollected, but make sure validated and retained by the Supplier in order to meet the Relevant Authorities specification with regards to the performance of Worker Compliance checks. For NHS Contracting Authorities such checks will be conducted in accordance with the NHS Employers Check Standards (see paragraph 6 of Framework Schedule 1). All Buyers have the right to request access to files containing Personal Data on Temporary Workers in order to assure that you cover all intended purposesTemporary Worker compliance checks are conducted in accordance with their local policy and Framework Schedule 1 (Specification). The nature Authority may request, under the terms of this Framework Contract, access to files containing Personal Data on Temporary Workers deployed to Buyers in the NHS in order to perform its duties in providing a Temporary Worker compliance Audit function (see paragraph 20 of Framework Schedule 1). This may be conducted by a third party nominated by the Authority and provisions for processing Personal Data by the third party are to be no less onerous than those outlined in this Framework Contract. This Processing is required under the Conduct of Employment Agencies and Employment Businesses Regulations 2003 and NHS England policy relating to vetting of all workers. The Parties may retain business contacts for Supplier and Authority personnel for the purposes of the Processing means any operation for delivering Managed Print Services to routine management of the NDA Group Framework Contract. Type of Personal Data Personal Data to be processed in relation to the performance of Temporary Worker compliance checks as detailed in paragraph 6 of Framework Schedule 1 (Specification) shall include: ● The names Identity checks ● Right to work checks ● Criminal record checks ● professional registration checks ● employment history and reference checks ● workers health assessments ● English language competency ● statutory and mandatory training ● appraisals and revalidation ● umbrella company information This could include Processing of HP Inc UK the following Personal Data - please note this list is not exhaustive: ● Temporary Worker name and Apogee Corporation Staff surname ● The personal/Temporary Worker home address ● Temporary Worker email address ● Copies of HP Inc UK and Apogee Corporation Staff Temporary Worker ID documents such as Passport, driving licence, ID card ● HP / Apogee staff work Temporary Worker location data ● Temporary Worker race or ethnic origin ● Temporary Worker genetic data, biometric, data concerning health ● Temporary Worker criminal history ● Temporary Worker professional qualifications Other Processing for the purposes of routine framework management may require Processing of the following types of Personal Data: ● Customer contact details including email addresses ● HP / Apogee staff work telephone and phone numbers ● NDA Group - The Names, Job Titles, Work Email Addresses & Work Telephone Numbers Supplier contact details including email addresses and phone numbers Categories of Data Subject Staff (including volunteers, agents, and temporary workers) Categories of Data Subject include: ● Temporary Workers ● Supplier staff ● Buyer staff Plan for return and destruction of the data once the Processing is complete Unless UNLESS requirement under Union or Member State law to preserve that type of data Personal Data will shall not be retained or processed for longer than is necessary to perform each Party’s respective obligations under the Contract. The Supplier is required to exercise its regulatory and/or legal obligations in respect of Personal Data. The Parties will have and maintain privacy policies for the duration management of the contract and will be returned or destroyed at the end of the contract, as indicated by the client at the time of contract termination Data Transfer The Supplier agrees that they will not transfer Personal Data or Metadata outside of under the European Economic Area unless the prior written consent of the Controller has been obtained To the extent any Deliverables to be supplied by Supplier pursuant to a Call Off Contract requires Supplier to act as a Processor, Supplier’s delivery will be subject to the Controller providing consent: (i) in accordance with paragraph 6(d) of Joint Schedule 11, to enable HP to transfer Personal Data outside the EU in accordance with applicable Data Protection LegislationLegislation and, because plans for destruction of data once the UK Processing is no longer part complete. The Parties agree to erase Personal Data from any computers, storage devices and storage media that are to be retained, and to destroy any physical copies of the EU Personal Data, as soon as practicable after it has ceased to be necessary for them to retain such Personal Data under applicable Data Protection Legislation and Supplier is a global company and many of our business processes use a global operational model. We would expect to document the appropriate safeguards in relation their privacy policy (save to the transfer in any Call Off Contract (to include Processor Binding Corporate Rules and EU Standard Contractual Clauses); and (ii) in accordance with paragraph 13(b) of Joint Schedule 11, to enable Supplier to transfer Personal Data or give access to Personal Data to members of Supplier’s group and third parties as sub-processors extent (and permit sub-processors to do so in accordance with Joint Schedule 11) for the limited period) that such information needs to be retained by the Party for statutory compliance purposes of or as otherwise required by the performance of the Supplier’s obligations under the Call Off Contract or other purposes identified in Annex 1 to Joint Schedule 11Contract), and the Controller acknowledging taking all further actions as may be necessary to ensure its compliance with Data Protection Legislation and agreeing that it shall be compliant for the Supplier to notify the Controller under paragraph 7 and provide information/assistance under paragraph 9 without undue delay upon Supplier becoming aware that the request, complaint, communication or breach relates to the Personal Data processed by HP as a Processor (or its sub-processors) in the course of providing the Deliverables under the Call Off Contract, to reflect what is achievable in practice and envisaged under the UK GDPR. JOINT SCHEDULE 13 (CONTINUOUS IMPROVEMENT)‌privacy policy.