27. Data protection
27.1 The Supplier acknowledges that Personal Data described in the scope of the Schedule Part 1 (Data Protection) will be Processed in connection with the Services under this Contract. For the purposes of any such Processing, Parties agree that the Supplier acts as the Processor and VisitScotland acts as the Controller.
27.2 Both Parties agree to negotiate in good faith any such amendments to this Contract that may be required to ensure that both Parties meet all their obligations under Data Protection Laws. The provisions of this Condition 27 are without prejudice to any obligations and duties imposed directly on the Supplier under Data Protection Laws and the Supplier hereby agrees to comply with those obligations and duties.
27.3 The Supplier will, in conjunction with VisitScotland and in its owns right and in respect of the Services, make all necessary preparations to ensure it will be compliant with Data Protection Laws.
27.4 The Supplier will provide VisitScotland with the contact details of its data protection officer or other designated individual with responsibility for data protection and privacy to act as the point of contact for the purpose of observing its obligations under the Data Protection Laws.
27.5 The Supplier must:
27.5.1 comply with the terms of the data processing provisions set out in the Schedule Part 1 (Data Protection);
27.5.2 process Personal Data only as necessary in accordance with obligations under the Contract and any written instructions given by VisitScotland (which may be specific or of a general nature), including with regards to any permitted transfers outside the UK, unless required to do so by applicable law or Regulatory Body to which the Supplier is subject; in which case the Supplier must inform VisitScotland of that legal requirement before processing unless prohibited by that law the Personal Data only to the extent, and in such manner as is necessary for the performance of the Supplier’s obligations under this Contract or as is required by the Law;
27.5.3 subject to Condition 27.5.2 only process or otherwise transfer any Personal Data in or to any country outside the UK with VisitScotland’s prior written consent;
27.5.4 take all reasonable steps to ensure the reliability and integrity of any Supplier Personnel who have access to the Personal Data and ensure that the Supplier Personnel:
(a) are aware of and comply with the Supplier’s duties under this Condition;
(b) are subject to appropriate confidentiality undertakings with the Supplier or the relevant sub-contractor;
(c) are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by VisitScotland or as otherwise permitted by this Contract; and
(d) have undergone adequate training in the use, care, protection and handling of Personal Data; and
27.5.5 implement appropriate technical and organisational measures including those set out in the Schedule Part 1 (Data Protection) and in accordance with the Data Protection Laws to protect Personal Data against unauthorised or unlawful Processing and against accidental loss, destruction, damage, alteration or disclosure, such measures being appropriate to the harm which might result from any unauthorised or unlawful Processing accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected.
27.6 The Supplier shall not engage a sub-contractor to carry out Processing in connection with the Services without prior specific or general written authorisation from VisitScotland. In the case of general written authorisation, the Supplier much inform VisitScotland of any intended changes concerning the addition or replacement of any other sub-contractor and give VisitScotland an opportunity to object to such changes.
27.7 If the Supplier engages a sub-contractor for carrying out Processing activities on behalf of VisitScotland, the Supplier must ensure that the same data protection obligations as set out in this Contract are imposed on the sub-contractor by way of a written and legally binding contract, in particular providing sufficient guarantees to implement appropriate technical and organisational measures. The Supplier shall remain fully liable to VisitScotland for the performance of the sub-contractor’s performance of the obligations.
27.8 The Supplier must provide to VisitScotland reasonable assistance including by such technical and organisational measures as may be appropriate in complying the Data Protection Laws. The Supplier must notify VisitScotland if it:
(a) receives a Data Subject Access Request (or purported Data Subject Access Request);
(b) receives a request to rectify, block or erase any Personal Data;
(c) receives any other request, complaint or communication relating to either Party’s obligations under the Data Protection Laws;
(d) receives any communication from the Supervisory Authority or any other regulatory authority in connection with Personal Data processed under this Contract; or
(e) received a request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by law or regulatory order; and such notification must take place as soon as is possible but in any event within 3 business days of receipt of the request or any other period as agreed in writing with VisitScotland from time to time.
27.9 Taking into account the nature of the Processing and the information available, the Supplier must assist VisitScotland in complying with VisitScotland’s obligations concerning the security of personal data, reporting requirements for data breaches, data protection impact assessments and prior consultations in accordance with the Data Protection Laws. These obligations include:
(a) ensuring an appropriate level of protection through technical and organisational measures that take into account the circumstances and purposes of the processing as well as the projected probability and severity of a possible infringement of the law as a result of security vulnerabilities and that enable an immediate detection of relevant infringement events;
(b) notifying a Personal Data breach to VisitScotland without undue delay and in any event no later than 24 hours after becoming aware of a Personal Data breach;
(c) assisting VisitScotland with communication of a personal data breach to a Data Subject;
(d) supporting VisitScotland with preparation of a data protection impact assessment;
(e) supporting VisitScotland with regard to prior consultation of the Supervisory Authority.
27.10 At the end of the provision of Services relating to processing the Supplier must, on the written instruction of VisitScotland, delete or return to VisitScotland all Personal Data and delete existing copies unless applicable law requires storage of the Personal Data.
27.11 The Supplier must:
(a) provide such information as is necessary to enable VisitScotland to satisfy itself of the Supplier’s compliance with this Condition 27;
(b) allow VisitScotland, its employees, auditors, authorised agents or advisers reasonable access to any relevant premises, during normal business hours, to inspect the procedures, measures and records referred to in this Condition 27 and contribute as is reasonable to those audits and inspections;
(c) inform VisitScotland if in its opinion an instruction from VisitScotland infringes any obligation under the Data Protection Laws.
27.12 The Supplier must maintain written records including in electronic form, of all Processing activities carried out in performance of the Contract or otherwise on behalf of VisitScotland containing the information set out in the Data Protection Laws.
27.13 If requested, the Supplier must make such records referred to in Condition 27.12 available to the Supervisory Authority on request and co-operate with the Supervisory Authority in the performance of its tasks.
27.14 Parties acknowledge that the inspecting party will use reasonable endeavours to carry out any audit or inspection under Condition 27.11 with minimum disruption to the Supplier’s day to day business.