TERMS AND CONDITIONS OF BUSINESS
By accepting these terms, you (CUSTOMER) wish to appoint JBC Computing (PROCESSOR), a UK partnership 7486396274, as a data processor working under the written authority contained within this document.
- Definitions and Interpretation
- The words and expressions below will have the meanings set out next to them:
“Applicable Laws” means any other law or regulation that may apply to the processing of Personal Data;
“Appointed Agent” means any auditor or third party, formally appointed by the CUSTOMER to perform a range of tasks associated with the validation of the performance of the PROCESSOR.
“Confidential Information” means all confidential information imparted by CUSTOMER to [PROCESSOR] during the term of these Terms and Conditions or coming into existence because of [PROCESSOR]’s obligations hereunder which is either marked as confidential or which ought reasonably to be regarded as confidential;
“CUSTOMER Data” means all data processed by the PROCESSOR on behalf of the CUSTOMER under the terms of these terms and conditions of business..
“CUSTOMER” means “DATA CONTROLLER” or “DATA PROCESSOR” as defined in Article 4 (7) or (8) of the UK GDPR;
“Processor” means “data processor” or “sub-processor” as defined in Article 4 (8) of the GDPR;
“Data Subject” means “data subject” as defined in Article 4 (1) of the GDPR;
“GDPR” means the UK General Data Protection Regulation Directive 2016/679;
“Personal Data” means “personal data” as defined by Article 4 (1) of the GDPR and which is processed by PROCESSOR on behalf of CUSTOMER;
“Party” or “Parties” means a party or the parties to this agreement
“Services” means the provision of IT Recycling and Data Sanitisation Services deemed to be the subject matter as per Article 28 GDPR;
“Data Subject Rights Request” means a request under Chapter 3 of GDPR which relates to the processing of Personal Data by PROCESSOR on behalf of CUSTOMER; and
“Third Party” means a party which is not CUSTOMER, PROCESSOR or the Data Subject to whom the Personal Data relates.
- In these terms and conditions unless otherwise expressly stated:
- references to Clauses are to clauses of these Terms and Conditions;
- reference to the Schedules are to the schedules within these Terms and Conditions which form part of the Terms and Conditions and are incorporated herein;
- references to the singular include references to the plural and vice versa;
- headings are inserted for convenience only and shall not affect the construction or interpretation of these Terms and Conditions.
- any phrase introduced by the terms “including”, “include”, “in particular” or any similar expression are illustrative and do not limit the sense of the words preceding those terms and such terms shall be deemed to be followed by the words “without limitation”;
- references to a statute, or any section of any statute, include any statutory amendment, modification or re-enactment and instruments and regulations under it in force from time to time;
- references to regulatory rules include any amendments or revisions to such rules from time to time; and
- references to regulatory authorities refer to any successor regulatory authorities.
- Subject and scope of the commissioned processing of Personal Data
- PROCESSOR processes the CUSTOMER Data n behalf of and on the instruction of CUSTOMER in accordance with Article 28 (1) GDPR (Commissioned Data Processing).
- Schedule B indicates the types of CUSTOMER Data the PROCESSOR may process, the nature and purpose of processing, the permitted duration of processing, and to which categories of data subjects the CUSTOMER Data relate as per Article 28 (3).
- The processing of CUSTOMER Data will take place exclusively within the territory of the United Kingdom. Data processing in other countries may only take place where the CUSTOMER has provided their prior written consent and, where applicable, additionally the requirements of Article. 44 to 47 GDPR are fulfilled, or there is an exception in accordance with Article 49 GDPR.
- Standards of Performance
-
-
- PROCESSOR hereby undertakes to CUSTOMER that it will undertake the Services on behalf of CUSTOMER in accordance with these Terms and Conditions using all reasonable skill and care.
- PROCESSOR hereby provides sufficient guarantees to implement appropriate technical and organisation measures in such a manner that processing meets the requirements of Article 28 (1) of GDPR.
- CUSTOMER and PROCESSOR hereby acknowledge that in relation to the Personal Data and for the purposes of the Applicable Laws, CUSTOMER is the Data Controller or a Data Processor acting on behalf of a Data Controller and PROCESSOR is the Data Processor or Sub-Processor.
-
- The Term
4.1 These Terms and Conditions shall continue in full force for the collection against which they were accepted.
- Obligations of CUSTOMER
-
-
- CUSTOMER shall have legal title on all goods being collected and therefore can instruct PROCESSOR to process equipment in accordance with the service agreed in the Schedule B laid out in these Terms and Conditions.
-
- Obligations of PROCESSOR
-
- PROCESSOR undertakes to CUSTOMER that it shall process the Personal Data in accordance with the terms of these Terms and Conditions which act as Written Authorisation.
- If PROCESSOR is of the reasonable opinion that an instruction by CUSTOMER breaches these Terms and Conditions, an earlier written instruction, or applicable data protection laws, PROCESSOR must inform CUSTOMER in writing of this immediately.
- PROCESSOR shall ensure that all employees used by it to provide the Services (i) have undergone training in the laws of data protection and in the care and handling of the Personal Data in accordance with such laws, and (ii) have undergone vetting to an appropriate level.
- In particular, PROCESSOR undertakes to CUSTOMER that it will not disclose the Personal Data or any part thereof to any Third Party unless and only to the extent instructed to do so in writing by CUSTOMER.
- PROCESSOR undertakes to CUSTOMER that it will not export the Personal Data or any part thereof outside the United Kingdom.
- If at any time PROCESSOR is unable to meet any of its obligations under these Terms and Conditions, it undertakes to inform CUSTOMER immediately by notice in writing.
- Assignment & Subcontracting
-
- PROCESSOR shall not be entitled to assign the service laid out in these Terms and Conditions nor all or any of its rights or obligations hereunder, without the prior written consent of CUSTOMER.
- Data Subject Requests
-
- CUSTOMER shall be responsible for responding to all Data Subject Requests in accordance with Article 12. GDPR (“data subject rights”) which may be received from Data Subjects to which the Personal Data relates.
- PROCESSOR hereby agrees to assist CUSTOMER with all applicable Data Subject Requests which may be received from the Data Subjects to which the Personal Data relates.
-
- Breach Identification and Notification
- Under the context of these Terms and Conditions a Data Breach is defined as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”
- PROCESSOR will ensure that there are sufficient checks being made on processing activities to ensure that data is being protected at all time.
- PROCESSOR will without undue delay inform CUSTOMER if the former becomes aware of an incident which under the definition of 12.1, constitutes a data breach.
- CUSTOMER will be responsible for informing the Local Supervisory Authority as denoted in Clause 20. This notification will be made no later than 72 hours from the “Initial Notification’ as per Article 33 GDPR.
- PROCESSOR will support the CUSTOMER or CUSTOMER]’s appointed agent, in the investigation of any data breach incident unless such activities contravene legal or contractual obligations already in place.
- Breach Identification and Notification
- Evidence and inspections
-
- PROCESSOR shall provide CUSTOMER with all necessary information to prove compliance with CUSTOMER’s obligations under these Terms and Conditions upon request.
- CUSTOMER or appointed agent is entitled, with reasonable notice, to enter the business premises of PROCESSOR during normal business hours (Mondays to Fridays from 09:00 until 18:00) and inspect the technical and organisational measures as well as the processes of PROCESSOR, to satisfy themselves of the compliance with the provisions of this Agreement as well as the relevant statutory data protection provisions by PROCESSOR.
- PROCESSOR guarantees CUSTOMER, or appointed agent, the access rights, information rights, and inspection rights necessary for this purpose. PROCESSOR will guarantee access to the data processing facilities, files, and other documents to allow for monitoring and auditing of the relevant data processing facilities, files and other documentation relating to the processing of the CUSTOMER Data. PROCESSOR will provide CUSTOMER, or an agent appointed by the same, with all information necessary for the inspection.
- CUSTOMER and PROCESSOR are subject to public audits by the competent data protection authorities. Upon request of CUSTOMER, PROCESSOR will provide the requested information to the supervisory authorities and will also grant the latter the opportunity to audit; this includes inspections of PROCESSOR by the supervisory authorities and persons appointed by them. PROCESSOR guarantees to the competent authorities in this context the necessary access rights, information rights, and inspection rights.
- PROCESSOR shall hold relevant industry certifications to evidence capabilities in their field. These are to be maintained throughout the duration of the service specified in Schedule B.
- Indemnity
-
- PROCESSOR hereby agrees to indemnify CUSTOMER up to a maximum of £50,000 per incident against all losses, costs, expenses, damages, liabilities, demands, claims, fines, penalties, actions or proceedings which CUSTOMER may incur arising out of any failure by PROCESSOR or its employees to comply with any of its obligations under these Terms and Conditions.
- Ownership
-
-
- All right, title and interest in the Confidential Information shall vest solely with CUSTOMER.
-
- Confidentiality
-
- PROCESSOR shall procure that all Confidential Information disclosed to it by CUSTOMER under these Terms and Conditions or which at any time come into PROCESSOR’s knowledge, possession or control, shall be kept secret and confidential and shall not be used for any purposes other than those required or permitted by these Terms and Conditions and shall not be disclosed to any third party.
- The obligations of confidence contained in this Clause 17 shall not prevent PROCESSOR from disclosing information to the extent required by law or for any regulatory purposes, provided that prior written notice is given to CUSTOMER of such disclosure.
- The obligations of confidence contained in this Clause 7 shall not apply to any information which:
- is or becomes generally available to the public through no act or default of PROCESSOR or its directors, employees or agents; or
- PROCESSOR can demonstrate from its written records, prior to its receipt from CUSTOMER was in its possession and at its free lawful disposal; or
- PROCESSOR can demonstrate from its written records, is after its receipt from CUSTOMER, generated by employees of PROCESSOR independently of, and without knowledge of, the Confidential Information; or
- PROCESSOR can demonstrate from its written records, is subsequently disclosed to it without any obligation of confidence by a third party who has not derived it directly or indirectly from CUSTOMER.
- The obligations of confidence contained in this Clause 17 shall survive the termination of these Terms and Conditions for whatever reason for a period of: (i) three (3) years following the final disclosure of the Confidential Information by CUSTOMER to PROCESSOR; or (ii) if longer, but only to the extent reasonably required, for as long as the ongoing confidentiality of the Confidential Information, or any part thereof, remains of value to CUSTOMER and or its interests.
- Notices
-
- Any notice under or in connection with these Terms and Condition shall be in put in writing including email to the following addresses:
Notices to JBC Computing
Address: Unit 4 Swaines Industrial Estate, Lee Con Way, Ashingdon Road, Rochford, SS4 1RG
Marked for the attention of: Sarah Kerrighen
Email: sarahkerrighen@jbccomp.co.uk
A notice shall become effective on the date it is delivered to the address of the recipient Party shown above. A Party may notify the other of a change to its notice details.
- Local Supervisory Authority for the purposes of these Terms and Conditions is agreed to be the UK, Information Commissioners Office.
- Severability
-
-
- Should any provision of these Terms and Conditions be held to be illegal, invalid or unenforceable in any respect by any judicial or other competent authority under the law of any jurisdiction:
- If by substituting a shorter time period or more restricted application of the provision, it would be valid and enforceable, such shorter time period or more restricted application shall be substituted.
-
- Waiver and Remedies
-
- A failure to exercise or any delay in exercising any right or remedy provided by these Terms and Conditions or by law does not constitute a waiver of that right or remedy or a waiver of any other rights or remedies.
- Governing Law
-
- These Terms and Conditions shall be governed in all respects by the laws of England and Wales and each Party hereby irrevocably submits for all purposes in connection with these Terms and Conditions to the exclusive jurisdiction of the England and Wales Courts.
Schedule A Type of Data being processed.
Purposes and scope of the processing, type of data, and categories of data subjects
Type of CUSTOMER Data | Personal Data, Special Category Data and Corporate Data |
Type of processing and scope | Data Sanitisation Services as listed in Schedule B |
Categories of data subjects | Employees, Customers and Prospects. |
Length of processing | DIAL 2 – 45 working days |
Schedule B The Services
As part of the collection request the customer must include their DIAL rating as per UK GDPR Certification Scheme – ADISA Standard 8.0.
JBC is expected to achieve a DIAL 2 approval but at this stage it is not a certified site. We will provide DIAL 2 services which are detailed as follows;
A1- Collection.
- JBC will use our own GPS tracked vehicle to make the collection and each collection will be returned to the processing facility on the day of collection. No hubs or staging areas will be used.
- The collection can be a dedicated collection or can be part of a multi-point collection.
- The vehicle specification is solid sided, solid bulkhead, alarmed with immobilizer.
- All collection staff and processing staff are DBS screened.
A2- Asset Management and Custody
- JBC will record the make model and serial number of every device and will report back on the type of sanitisation undertaken on storage media.
- Transfer of custody from customer to JBC will take place at point of collection but title will only transfer once the report and final service fee is agreement.
- Any additional assets found within the consignment which were not known at the point of release will be recorded as a separate asset and processed with the other assets.
A3– Data Sanitisation
Media Type | Technique Re-Use | Technique Destruction |
Magnetic Hard Drives | Blancco | Drive board removed and shredded |
Solid State Drives | Blancco | Each Nand cell broken and shredded |
Smart Phones | Blancco | Dismantled, and shredded |
Networking Devices | Sent to Techbuyer | Dismantled and data erasure run |
A4 – Time to data safe.
Each piece of storage media will undergo the sanitisation technique in A3 within 45 working days of date of collection.
A5- Reporting
All clients will be issued a log in for the customer portal. Here you can download reports for your collection for your own data protection and compliance required.