This personal data policy (the "Policy") describes the privacy practices of THINK with respect to the Processing of Personal Data of the directors and/or employees of its Clients as part of the provision of Services to its Clients.
Pursuant to the GDPR if THINK provides Services to its Clients, the Client will be acting as Controller of Personal Data and THINK will be acting as Processor of Personal Data.
The terms of this Policy are to apply to all processing of Personal Data carried out for the Client by the THINK and to all Personal Data held by the THINK in relation to all such processing.
The privacy statement in relation to Personal Data collected on the Sites can be found at: https://www.thinkglobalcompliance.com/privacystatement
- In this Policy, unless the context otherwise requires, the following expressions have the following meanings:
- means the counterparty to the Service Agreement with THINK;
- shall have the meaning given to the term in Article 4 of the GDPR;
- “Data Subject”
- means former and current officers, employees and/or directors of the Client;
- means Regulation (EU) 2016/679 (General Data Protection Regulation);
- “Personal Data”
- means all such “personal data”, as defined in Article 4 of the GDPR, as is, or is to be, processed by the THINK on behalf of the Client;
- “Service Agreement”
- means any agreement or contract between the Client and THINK;
- means the global compliance and corporate administration services which are provided by THINK to the Client;
- means a sub-processor appointed by the THINK to process the Personal Data;
- “Sub-Processing Agreement”
- means an agreement between the THINK and a Sub-Processor governing the Personal Data processing carried out by the Sub-Processor; and
- Think Global Compliance Limited
- This Policy shall apply to the processing of the Personal Data, carried out for the Client by THINK, and to all Personal Data held by the THINK in relation to all such processing.
- Personal Data may include names, dates of birth, and email addresses of Data Subjects. The exact details of the Personal Data that will be processed by THINK as Processor and held by THINK on behalf of the Client, is described in the Service Agreement.
Provision of the Services and Processing Personal Data
- THINK is only to carry out the Services, and only to process the Personal Data received from the Client:
- for the purposes of those Services and not for any other purpose; and
- to the extent and in such a manner as is necessary for those purposes.
Data Protection Compliance
- THINK shall promptly comply with any request from the Client and/or Data Subject(s) requiring THINK to amend, transfer, delete, or otherwise dispose of the Personal Data.
- THINK shall transfer all Personal Data to the Client on the Client’s request in the formats, at the times.
- The Client and THINK shall comply at all times with the GDPR and other applicable data protection laws and shall not perform their obligations under this Policy or any other agreement or arrangement between themselves in such way as to cause either Party to breach any of its applicable obligations under the GDPR.
- The Client warrants, represents, and undertakes that the Personal Data shall comply with the GDPR in all respects including, but not limited to, its collection, holding, and processing.
- THINK agrees to comply with any reasonable measures required by the Client to ensure that its obligations under this Policy are satisfactorily performed in accordance with any and all applicable legislation from time to time in force (including, but not limited to, the GDPR).
- THINK shall provide all reasonable assistance (at the Client’s cost) to the Client in complying with its obligations under the GDPR with respect to the security of processing, the notification of personal data breaches, and the conduct of data protection impact assessments.
- When processing the Personal Data on behalf of the Client, THINK shall:
- in case of a transfer of the Personal Data to a country that is outside of the EEA comply with the obligations of data processors under the provisions applicable set out in Chapter 5 of the GDPR by providing an adequate level of protection to any Personal Data that is transferred;
- transfer any of the Personal Data to any third party strictly subject to the terms of a suitable agreement;
- process the Personal Data only to the extent, and in such manner, as is necessary in order to comply with its obligations to the Client or as may be required by law (in which case, the THINK shall inform the Client of the legal requirement in question before processing the Personal Data for that purpose unless prohibited from doing so by law);
- taking in account that no service or system is completely secure, implement technical and organisational measures, and take all steps necessary to protect the Personal Data against unauthorised or unlawful processing, accidental loss, destruction, damage, alteration, or disclosure;
- on reasonable prior notice, submit to audits and inspections and provide the Client with any information reasonably required in order to assess and verify compliance with the provisions of this Policy and both Parties’ compliance with the requirements of the GDPR; and
- inform the Client immediately if it is asked to do anything that infringes the GDPR or any other applicable data protection legislation.
Data Subject Access, Complaints, and Breaches
- THINK shall, at the Client’s cost, assist the Client in complying with its obligations under the GDPR.
- THINK shall, at the Client’s cost, cooperate fully with the Client and assist as required in relation to any subject access request, complaint, or other request, including by:
- providing the necessary information and assistance in order to comply with a subject access request;
- providing the Client with any Personal Data it holds in relation to a Data Subject (within the timescales required by the Client); and
- providing the Client with any other information requested by the Client.
- THINK shall notify the Client immediately if it becomes aware of any form of Personal Data breach, including any unauthorised or unlawful processing, loss of, damage to, or destruction of any of the Personal Data.
Liability and Indemnity
- The Client shall be liable for, and shall indemnify (and keep indemnified) THINK in respect of any and all action, proceeding, liability, cost, claim, loss, expense, or demand suffered or incurred by, awarded against, or agreed to be paid by, the THINK and any Sub-Processor arising directly or in connection with:
- any non-compliance by the Client with the GDPR or other applicable legislation;
- any Personal Data processing carried out by THINK or Sub-Processor in accordance with instructions given by the Client that infringe the GDPR or other applicable legislation; or
- any breach by the Client of its obligations under this Agreement, except to the extent that the THINK or Sub-Processor is liable.
- THINK shall be liable for, and shall indemnify (and keep indemnified) the Client in respect of any and all action, proceeding, liability, cost, claim, loss, expense (including reasonable legal fees and payments on a solicitor and client basis), or demand suffered or incurred by, awarded against, or agreed to be paid by, the Client arising directly or in connection with THINK’s Personal Data processing activities:
- only to the extent that the same results from the Data Processor’s or a Sub-Processor’s breach of this Agreement; and
- not to the extent that the same is or are contributed to by any breach of this Policy by the Client.
- The Client shall not be entitled to claim back from THINK or Sub-Processor any sums paid in compensation by the Client in respect of any damage to the extent that the Client is liable to indemnify the THINK or Sub-Processor.
- Nothing in this Policy shall relieve either Party of, or otherwise affect, the liability of either Party to any data subject, or for any other breach of that Party’s direct obligations under the GDPR.
- THINK shall maintain the Personal Data in confidence, and in particular, unless the Client has given written consent for the THINK to do so, the THINK shall not disclose any Personal Data supplied to the THINK by, for, or on behalf of, the Client to any third party. THINK shall not process or make any use of any Personal Data supplied to it by the Client otherwise than in connection with the provision of the Services to the Client.
- THINK shall ensure that all personnel who are to access and/or process any of the Personal Data are contractually obliged to keep the Personal Data confidential.
- Nothing in this Policy shall prevent either Party from complying with any requirement to disclose Personal Data where such disclosure is required by law. In such cases, the Party required to disclose shall notify the other Party of the disclosure requirements prior to disclosure, unless such notification is prohibited by law.
Appointment of Sub-Processors
- At times THINK may appoint third parties to provide some of the Services or assist with providing technical support, for instance IT service providers or other suppliers. By signing the Service Agreement, the Client authorises THINK to subcontract the Processing of Personal Data to Sub-Processors. In the event that THINK appoints a Sub-Processor, the THINK shall enter into a Sub-Processing Agreement with the Sub-Processor which shall impose upon the Sub-Processor the same obligations as are imposed upon the THINK by this Policy and which shall permit both the THINK and the Client to enforce those obligations.
Deletion and/or Disposal of Personal Data
- THINK shall, at the written request of the Client, delete (or otherwise dispose of) the Personal Data or return it to the Client in the format(s) reasonably requested by the Client within a reasonable time after the earlier of the following:
- the end of the provision of the Services under the Service Agreement; or
- the processing of that Personal Data by THINK is no longer required for the performance of THINK’s obligations under the Service Agreement.
- Following the deletion, disposal, or return of the Personal Data, THINK shall delete (or otherwise dispose of) all further copies of the Personal Data that it holds, unless retention of such copies is required by law, in which case the THINK shall inform the Client of such requirement(s) in writing.
- If Data Subjects have been given access rights to THINK Online™ by their THINK account manager, it is recommended that they take note of the privacy notice associated with this service. Data Subjects will have access to the notice once they log onto THINK Online™.
- If Data Subjects have any questions about their Personal Data or this Personal Data Policy, please contact THINK by email at firstname.lastname@example.org, by telephone on +44 20 3963 1950, or by post at Eagle House, 167 City Rd, London EC1V 1AW, United Kingdom..