GDPR notice to customers
The law relating to the protection of personal data has changed.
The General Data Protection Regulation 2016/679 ("GDPR") came into force on 25 May 2018 and, together with the Data Protection Act 2018, replaces the UK Data Protection Act 1998 ("DPA").
We take our responsibilities under data protection law seriously, and like many businesses, we've been preparing for these changes since they were announced last year. As part of this we have updated our privacy notice to comply with GDPR - please take some time to read it: www.verifile.co.uk/privacy
As you are a client of Verifile, we're also informing you of changes we're required to make to the agreement for the provision of services between us (the "Agreement"). As the Agreement between us is governed by the law of England, which references the DPA, it is important we have agreed terms to reflect this change in regulation.
Under the Agreement, we process personal data on your behalf as your processor. Article 28 of the GDPR requires the contract between us to include a number of mandatory provisions. Failing to insert these mandatory provisions will put us both in breach of our respective obligations under the GDPR.
We set out in this letter agreement a data protection addendum (the "Addendum"), amending the Agreement as it relates to the processing of personal data. We have done this so that our respective obligations meet the new GDPR requirements (the amendments will be compliant with the DPA, the GDPR, and the new Data Protection Act 2018 as far as is currently possible), and it is agreed between us that our processing activities under the Agreement mean that our status is that of a data processor. If the interpretation we have jointly made in relation to our processing status falls to be determined by a competent body in a manner inconsistent with this view, this letter agreement shall be deemed null and void, and the Agreement shall stand without variation, unless and until we both determine otherwise.
The Addendum contains the standard clauses issued in the guidance by the Information Commissioner's Office so shouldn't be anything contentious. Please note, where you have several accounts with us under different legal entities, you'll receive several requests via DocuSign.
You will note that the Addendum refers at numerous points to actions being taken at your cost. It is important for us to stress that at the moment we do not foresee any additional costs to you as a result of this variation, but we had to make the necessary provisions should the need arise for extra support. While we are of course prepared to pay as necessary to ensure our compliance with the GDPR, we cannot provide all assistance to you to comply with your own obligations as a controller under the GDPR free of charge - this is simply not practical or equitable. We will, of course, discuss any additional costs with you before they are incurred.