General Data Protection Regulation (GDPR)/ Data Protection Act (DPA) Agreement
This GDPR/DPA Agreement forms part of any current or proposed Contract, Service Level Agreement (SLA) or other written or electronic agreement between Court Enforcement Services Limited (CES) and The Client for the provision of High Court, civil enforcement and debt recovery services (identified either as “Services” or otherwise in the applicable agreement, and hereinafter defined as “Services”) to reflect the parties’ agreement with regards to the Processing of Personal Data.
The Client enters this GDPR/DPA Agreement on behalf of itself and, to the extent required under applicable Data Protection Laws and Regulations, in the name and on behalf of its Authorised Affiliates, if and to the extent CES processes Personal Data for which such Authorised Affiliates qualify as the Controller. For the purposes of this GDPR/DPA Agreement only, and except where indicated otherwise, the term “The Client” shall include The Client and Authorised Affiliates. All capitalised terms not defined herein shall have the meaning set forth in the Agreement. In providing the Services to The Client pursuant to the Agreement, CES may Process Personal Data on behalf of The Client and the Parties agree to comply with the following provisions with respect to any Personal Data, each acting reasonably and in good faith.
HOW TO IMPLEMENT THIS GDPR/DPA AGREEMENT:
- This GDPR/DPA Agreement consists of two parts: the main body and Schedule 1.
- This GDPR/DPA Agreement has been pre‐signed and dated on behalf of CES.
- To complete this GDPR/DPA Agreement, The Client must:
– Send the completed and signed (either physically or electronically) Contract, Service Level Agreement and/or Take on Form to CES by email to: firstname.lastname@example.org.
– Upon receipt of the validly completed document by CES at this email address, this GDPR/DPA Agreement will become legally binding.
DATA PROCESSING TERMS
“Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control,” for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.
“Authorised Affiliate” means any of The Client’s Affiliate(s) which (a) is subject to the data protection laws and regulations of the European Union, the European Economic Area and/or their member states, Switzerland and/or the United Kingdom, and (b) is permitted to use the Services pursuant to the Agreement between The Client and CES, but has not signed its own Contract, Service Level Agreement or other written or electronic agreement with CES and is not “The Client” as defined under the Agreement.
“Controller” means the entity which determines the purposes and means of Processing of Personal Data.
“The Client Data” means what is defined in the Agreement as “The Client Data” or “Your Data” or “Data”.
“Data Protection Laws and Regulations” means all laws and regulations, including laws and regulations of the European Union, the European Economic Area and their member states, Switzerland and the United Kingdom, applicable to the Processing of Personal Data under the Agreement.
“Data Subject” means the identified or identifiable person to whom Personal Data relates.
“GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
“DPA” means the Data Protection Act 2018.
“Personal Data” means any information relating to (i) an identified or identifiable natural person and, (ii) an identified or identifiable legal entity (where such information is protected similarly as personal data or personally identifiable information under applicable Data Protection Laws and Regulations), where for each (i) or (ii), such data is The Client Data.
“Processing” means any operation or set of operations which is performed upon Personal Data, whether by automatic means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Processor” means the entity which Processes Personal Data on behalf of the Controller.
“ISO27001 Information Security Management System Documentation” means the Information Security Management Documentation applicable to the specific Services requested by The Client, as updated from time to time.
“Sub‐processor” means any Processor engaged by CES.
“Supervisory Authority” means an independent public authority which is established by an EU Member State pursuant to the GDPR. In England it is the Information Commissioner.
2. PROCESSING OF PERSONAL DATA
2.1. Roles of the Parties. The parties acknowledge and agree that with regard to the Processing of Personal Data, The Client is the Controller, CES is the Processor and that CES will engage Sub‐processors pursuant to the requirements set forth in Section 9 “Sub‐processors” below.
2.2. The Client’s Processing of Personal Data. The Client shall, in its use of the Services, Process Personal Data in accordance with the requirements of Data Protection Laws and Regulations. For the avoidance of doubt, The Client’s instructions for the Processing of Personal Data shall comply with Data Protection Laws and Regulations. The Client shall have sole responsibility for the accuracy, quality, and legality of Personal Data and how The Client acquired Personal Data.
2.3. CES’s Processing of Personal Data. CES shall treat Personal Data as Strictly Confidential Information and shall only Process Personal Data on behalf of and in accordance with The Client’s documented instructions for the following purposes: (i) Processing in accordance with the Agreement and applicable High Court writ or Instruction(s); (ii) Processing initiated by Users in their use of the Services; and (iii) Processing to comply with other documented reasonable instructions provided by The Client (e.g., via email) where such instructions are consistent with the terms of the Agreement.
2.4. Details of the Processing. The subject‐matter of Processing of Personal Data by CES is for the performance of the Services pursuant to the Agreement. The duration of the Processing, the nature and purpose of the Processing, the types of Personal Data and categories of Data Subjects Processed under this GDPR/DPA Agreement are further specified in Schedule 1 (Details of the Processing) to this GDPR/DPA Agreement.
3. RIGHTS OF DATA SUBJECTS
3.1. Data Subject Request. CES shall, to the extent legally permitted, promptly notify The Client if CES receives a request from a Data Subject to exercise the Data Subject’s right of access, right to rectification, restriction of Processing, erasure (“right to be forgotten”), data portability, objection to the Processing, or its right not to be subject to automated individual decision making (“Data Subject Request”). Considering the nature of the Processing, CES shall assist The Client by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of The Client’s obligation to respond to a Data Subject Request under Data Protection Laws and Regulations. In addition, to the extent The Client, in its use of the Services, does not have the ability to address a Data Subject Request, CES shall upon The Client’s request provide commercially reasonable efforts to assist The Client in responding to such Data Subject Request, to the extent CES is legally permitted to do so and the response to such Data Subject Request is required under Data Protection Laws and Regulations. To the extent legally permitted, The Client shall be responsible for any costs arising from CES’s provision of such assistance.
4. CES PERSONNEL
4.1. Confidentiality. CES shall ensure that its personnel engaged in the Processing of Personal Data are informed of the confidential nature of the Personal Data, have received appropriate training on their responsibilities and have executed written confidentiality agreements. CES shall ensure that such confidentiality obligations survive the termination of the personnel engagement.
4.2. Reliability. CES shall take commercially reasonable steps to ensure the reliability of any CES personnel engaged in the Processing of Personal Data.
4.3. Limitation of Access. CES shall ensure that CES’s access to Personal Data is limited to those personnel performing Services in accordance with the Agreement.
4.4. Data Protection Officer (DPO). CES has appointed a DPO. The appointed person is Alan Smith, who may be reached at DPO@courtenforcementservices.co.uk.
5.1. Controls for the Protection of The Client Data. CES shall maintain appropriate technical and organisational measures for protection of the security (including protection against unauthorised or unlawful Processing and against accidental or unlawful destruction, loss or alteration or damage, unauthorised disclosure of, or access to, The Client Data), confidentiality and integrity of The Client Data, as set forth in the ISO27001 Information Security Management System Documentation. CES regularly monitors compliance with these measures. CES will not materially decrease the overall security of the Services during the term of the Agreement.
5.2. Third‐Party Certifications and Audits. CES has third‐party certification by BSI and carries out internal audits as set out in the ISO 27001:2015 Information Security Management System Documentation.
6. THE CLIENT DATA INCIDENT MANAGEMENT AND NOTIFICATION
6.1. CES maintains incident management policies and procedures specified in the ISO 27001:2015 Information Security Management System Documentation and shall notify The Client without undue delay after becoming aware of the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to The Client Data, including Personal Data, transmitted, stored or otherwise Processed by CES or its Sub‐processors of which CES becomes aware (“Information Security Incident”). CES shall make reasonable efforts to identify the cause of such an Information Security Incident and take those steps as CES deems necessary and reasonable to remediate the cause of the same to the extent the remediation is within CES’s reasonable control. The obligations herein shall not apply to incidents that are caused by The Client or The Client’s Users.
7. RETURN AND DELETION OF THE CLIENT DATA
7.1. CES shall return The Client Data to The Client and, to the extent allowed by applicable law, delete The Client Data in accordance with the procedures and timeframes specified in the ISO27001 Information Security Management System Documentation.
8. AUTHORISED AFFILIATES
8.1. Contractual Relationship. The parties acknowledge and agree that, by executing the Agreement, The Client enters into the GDPR/DPA Agreement on behalf of itself and, as applicable, in the name and on behalf of its Authorised Affiliates, thereby establishing a separate GDPR/DPA Agreement between CES and each such Authorised Affiliate subject to the provisions of the Agreement and this Section 8 and Section 9. Each Authorised Affiliate agrees to be bound by the obligations under this GDPR/DPA Agreement and, to the extent applicable, the Agreement. For the avoidance of doubt, an Authorised Affiliate is not and does not become a party to the Agreement and is only a party to the GDPR/DPA Agreement. All access to and use of the Services and Content by Authorised Affiliates must comply with the terms and conditions of the Agreement and any violation of the terms and conditions of the Agreement by an Authorised Affiliate shall be deemed a violation by The Client.
8.2. Communication. The Client that is the contracting party to the Agreement shall remain responsible for coordinating all communication with CES under this GDPR/DPA Agreement and be entitled to make and receive any communication in relation to this GDPR/DPA Agreement on behalf of its Authorised Affiliates.
8.3. Rights of Authorised Affiliates. Where an Authorised Affiliate becomes a party to the GDPR/DPA Agreement with CES, it shall to the extent required under applicable Data Protection Laws and Regulations be entitled to exercise the rights and seek remedies under this GDPR/DPA Agreement, subject to the following:
8.3.1. Except where applicable Data Protection Laws and Regulations require the Authorised Affiliate to exercise a right or seek any remedy under this GDPR/DPA Agreement against CES directly by itself, the parties agree that (i) solely The Client that is the contracting party to the Agreement shall exercise any such right or seek any such remedy on behalf of the Authorised Affiliate, and (ii) The Client that is the contracting party to the Agreement shall exercise any such rights under this GDPR/DPA Agreement not separately for each Authorised Affiliate individually but in a combined manner for all of its Authorised Affiliates together (as set forth, for example, in Section 8.3.2, below).
8.3.2. The parties agree that The Client that is the contracting party to the Agreement shall, when carrying out an on‐site audit of the procedures relevant to the protection of Personal Data, take all reasonable measures to limit any impact on CES and its Sub‐processors by combining, to the extent reasonably possible, several audit requests carried out on behalf of different Authorised Affiliates in one single audit.
9. SUB‐PROCESSORS
9.1. Appointment of Sub‐processors. The Client acknowledges and agrees that CES may engage third‐party Sub‐processors in connection with the provision of the Services, provided that CES has entered into a written agreement with each Sub‐processor containing data protection obligations not less protective than those in this Agreement with respect to the protection of The Client Data, to the extent applicable to the nature of the Services provided by such Sub‐processor.
9.2. CES shall make available to The Client the details of any Sub‐processors for the Services (except Enforcement Agents). CES shall provide notification of a new Sub‐processor(s) (except Enforcement Agents) before authorising any new Sub‐processor(s) to Process Personal Data in connection with the provision of the applicable Services.
9.3. Objection Right for New Sub‐processors. The Client may object to CES’s use of a new Sub‐processor by notifying CES promptly in writing within ten (10) business days after receipt of CES’s notice in accordance with the mechanism set out in Section 9.2. In the event The Client objects to a new Sub‐processor, as permitted in the preceding sentence, CES will use reasonable efforts to make available to The Client a change in the Services or recommend a commercially reasonable change to The Client’s use of the Services to avoid Processing of Personal Data by the objected‐to new Sub‐processor without unreasonably burdening The Client. If CES is unable to make available such change within a reasonable period, which shall not exceed thirty (30) days, The Client may terminate the applicable Services with respect only to those Services which cannot be provided by CES without the use of the objected‐to new Sub‐processor by providing written notice to CES, without imposing a penalty for such termination on The Client.
9.4. Liability. CES shall be liable for the acts and omissions of its Sub‐processors to the same extent CES would be liable if performing the services of each Sub‐processor directly under the terms of this GDPR/DPA Agreement, except as otherwise set forth in the Agreement.
10. LIMITATION OF LIABILITY
Each party’s and all of its Affiliates’ liability, taken together in the aggregate, arising out of or related to this GDPR/DPA Agreement, and all GDPR/DPA Agreements between Authorised Affiliates and CES, whether in contract, tort or under any other theory of liability, is subject to the ‘Limitation of Liability’ section of the Agreement, and any reference in such section to the liability of a party means the aggregate liability of that party and all of its Affiliates under the Agreement and all GDPR/DPA Agreements together. For the avoidance of doubt, CES’s and its Affiliates’ total liability for all claims from The Client and all of its Authorised Affiliates arising out of or related to the Agreement and each GDPR/DPA Agreement shall apply in the aggregate for all claims under both the Agreement and all GDPR/DPA Agreements established under this Agreement, including by The Client and all Authorised Affiliates, and, in particular, shall not be understood to apply individually and severally to The Client and/or to any Authorised Affiliate that is a contractual party to any such GDPR/DPA Agreement. Also, for the avoidance of doubt, each reference to the GDPR/DPA Agreement in this GDPR/DPA Agreement means this GDPR/DPA Agreement including its Schedules and Appendices.
11. EUROPEAN SPECIFIC PROVISIONS
11.1. GDPR. CES will Process Personal Data in accordance with the GDPR requirements directly applicable to CES’s provision of its Services.
11.2. Data Protection Impact Assessment. Upon The Client’s request, CES shall provide The Client with reasonable cooperation and assistance needed to fulfil The Client’s obligation under the GDPR to carry out a data protection impact assessment related to The Client’s use of the Services, to the extent The Client does not otherwise have access to the relevant information, and to the extent such information is available to CES.
11.3. Transfers of Personal Data. With respect to any transfers of Personal Data under this GDPR/DPA Agreement, CES will not transfer Personal Data from the European Union, the European Economic Area and/or their member states, Switzerland and the United Kingdom to countries which do not ensure an adequate level of data protection within the meaning of the Data Protection Laws and Regulations of the foregoing territories, to the extent such transfers are subject to such Data Protection Laws and Regulations.
12. LEGAL EFFECT
This GDPR/DPA Agreement shall only become legally binding between The Client and CES when the formal steps set out in the Section “HOW TO IMPLEMENT THIS GDPR/DPA AGREEMENT” above have been fully completed.
SCHEDULE 1 ‐ DETAILS OF THE PROCESSING
Nature and Purpose of Processing
CES will process Personal Data as necessary to perform the Services pursuant to the Agreement and as further instructed by The Client in its use of the Services.
Subject to Section 7 of the GDPR/DPA Agreement, CES will Process Personal Data for the duration of the Agreement, unless otherwise agreed upon in writing.
Categories of Data Subjects. The Client may submit Personal Data for the purposes of the Services, the extent of which is determined and controlled by The Client in its sole discretion, and which may include, but is not limited to Personal Data relating to the following categories of data subjects:
- Clients, business partners and vendors of The Client (who are natural persons)
- Employees or contact persons of The Client’s Clients, business partners and vendors
- Employees, agents, advisors, freelancers of The Client (who are natural persons)
- The Client’s Users authorised by The Client to use the Services
- Debtors and their authorised representatives
Types of Personal Data
The Client may submit Personal Data for the purposes of the Services, the extent of which is determined and controlled by The Client in its sole discretion, and which may include, but is not limited to the following categories of Personal Data:
- First, middle and last name
- Employer details
- Financial Data
- Contact information (company, email, phone, physical business address)
- ID data (date of birth)
- Professional life data
- Personal life data (including medical, financial, convictions, debt).