HeadBox Third Party Processors Policy

Introduction

All Third Party supplier (Cloud Service Providers) that process personal data on behalf of HeadBox are within the scope of this procedure.

Responsibilities

The Data Protection Officer is responsible for approving the selection of all sub-contracted processors of personal data in line with the requirements of this procedure.

The stake holders of third-party relationships are responsible for ensuring that all data processing is carried out in line with this procedure.

The Data Protection Officer is responsible for ensuring that adequate technical and other resources that might be required are made available to support the relationship owner in the monitoring and management of the relationship.

The Data Protection Officer is responsible for carrying out regular audits of third-party compliance.

Policy

1. HeadBox selects only Third party suppliers that can provide technical, physical and organisational security that meet HeadBox’s requirements in terms of all the personal information they will process on HeadBox’s behalf.

2. Third Party service providers will provide a written statement of GDPR compliance.

3. Third Party service providers will ensure the following are included in the service contract:

   • processes the personal data only on documented instructions from the controller, including with regard to transfers of personal data to a third country or an international organisation;

   • ensures that persons authorised to process the personal data have committed themselves to confidentiality;

   • the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk,

   • abide by the rules regarding appointment of sub-processors;

   • implement measures to assist with the fulfilment of the controller's obligation to respond to requests for exercising the data subject's rights;

   • assist the controller in obtaining approval from Data Protection Authorities where required;

   • at the choice of the controller, deletes or returns all the personal data to the controller after the end of the provision of services relating to processing (except as required by EU or Member State law); and

   • provide the controller with all information necessary to demonstrate compliance with the GDPR and contribute to audits, including inspections, conducted by the controller

4. The Third Party Service Provider will keep adequate processing records as pursuant to Article 30 of the GDPR.

5. All Third Party service providers are forbidden from using further subcontractors for the processing of personal information without HeadBox’s written authorisation.

6. Contracts with second-level subcontracted processors will only be approved if they require the subcontractors to comply with at least the same security and other provisions as the primary Third Party service provider.

7. All Third Party service providers will guarantee that when the contract is terminated, related personal information will either be destroyed or returned to HeadBox at our request.

8. Suppliers from outside the EU will only be selected under the following conditions, in addition to the conditions noted elsewhere in this procedure.

   • If the supplier or the state in which it resides has been positively identified in an adequacy decision by the EU Commission; or

   • Where there are legally binding corporate rules, and organizational and technical safeguards, established between HeadBox and the supplier to secure the rights and freedoms of data subjects at least equal to those afforded within the EU; or

   • Where the arrangement has been approved by the [Information Commissioner] / [supervisory authority];

   • Where the arrangement is in compliance with the HeadBox Data Transfer Policy

For more information about our Third Party service providers contact the Data Protection Officer on data-security@headbox.com