This Data Processing Agreement (“DPA”) forms part of the Specifier Terms and Conditions (“Specifier Terms”) entered into by and between Subscriber and NBS, pursuant to which Subscriber has purchased a subscription to NBS’ Services (as described in the Contract).
The purpose of this DPA is to reflect the parties’ agreement with regard to the Processing of Personal Data in accordance with the requirements of applicable Data Protection Legislation.
This DPA consists of two parts: (1) the main body of the DPA, and (2) Annex A – Personal Data Processing Purposes and Details.
By signing an NBS Order Form you agree to be bound by this DPA. If you do not agree to this DPA then you must not sign the NBS Order Form.
In the course of providing the Services to Subscriber pursuant to the Contract, NBS may Process Personal Data on behalf of Subscriber and the Parties agree to comply with the following provisions with respect to any Personal Data, each acting reasonably and in good faith.
This DPA shall not replace any comparable or additional rights relating to Processing of Personal Data contained in the Specifier Terms.
1. DEFINITIONS AND INTERPRETATION
The following definitions and rules of interpretation apply in this DPA.
Authorised Persons: the persons or categories of persons that the Subscriber authorises to give NBS written Personal Data processing instructions and from whom NBS agrees to accept such instructions.
Business Purposes: the services to be provided by NBS to the Subscriber as described in the Contract and any other purpose specifically identified in ANNEX A.
Commissioner: the Information Commissioner (see Article 4(A3), UK GDPR and section 114, Data Protection Act 2018).
Controller, Processor, Data Subject, Personal Data, Personal Data Breach and Processing: have the meanings given to them in the Data Protection Legislation.
Data Protection Legislation:
(a) To the extent the UK GDPR applies, the law of the United Kingdom or of a part of the United Kingdom which relates to the protection of Personal Data.
(b) To the extent the EU GDPR applies, the law of the European Union or any member state of the European Union to which the Subscriber or NBS is subject, which relates to the protection of Personal Data.
Data Subject: the identified or identifiable living individual to whom the Personal Data relates.
EU GDPR: the General Data Protection Regulation ((EU) 2016/679).
EEA: the European Economic Area.
Standard Contractual Clauses (SCC): the European Commission's Standard Contractual Clauses for the transfer of Personal Data from the European Union to processors established in third countries (controller-to-processor transfers), or such alternative clauses as may be approved by the European Commission or by the UK from time to time.
Term: this DPA's term, as defined in Clause 10.
UK GDPR: has the meaning given to it in section 3(10) (as supplemented by section 205(4)) of the Data Protection Act 2018.
1.2 This DPA is subject to the terms of, and is incorporated into, the Specifier Terms. Interpretations and defined terms set forth in the Specifier Terms apply to the interpretation of this DPA.
1.3 The Annexes form part of this DPA and will have effect as if set out in full in the body of this DPA. Any reference to this DPA includes the Annexes.
1.4 A reference to writing or written includes email.
1.5 In the case of conflict or ambiguity between:
(a) any provision contained in the body of this DPA, and any provision contained in the Annexes, the provision in the body of this DPA will prevail; and
(b) any of the provisions of this DPA and the provisions of the Contract, the provisions of this DPA will prevail.
2. PERSONAL DATA TYPES AND PROCESSING PURPOSES
2.1 The Subscriber and NBS agree and acknowledge that for the purpose of the Data Protection Legislation:
(a) the Subscriber is the controller and NBS is the processor.
(b) the Subscriber retains control of the Personal Data and remains responsible for its compliance obligations under the applicable Data Protection Legislation, including but not limited to providing any required notices and obtaining any required consents, and for the written processing instructions it gives to NBS.
(c) Annex A describes the subject matter, duration, nature and purpose of the processing and the Personal Data categories and Data Subject types in respect of which NBS may process the Personal Data to fulfil the Business Purposes.
3. PROCESSING OF SUBSCRIBER PERSONAL DATA
3.1 NBS will comply with all applicable Data Protection Legislation in the Processing of Subscriber Personal Data; and not Process Subscriber Personal Data other than on the Subscriber’s documented instructions, unless Processing is required by Applicable Laws to which NBS is subject, in which case NBS will, to the extent permitted by Applicable Laws, inform the Subscriber of that legal requirement before Processing.
3.2 The Subscriber instructs NBS (and authorises NBS to instruct each Subprocessor) to Process and transfer Subscriber Personal Data to any country or territory as reasonably necessary for the provision of the Services provided one of the following conditions is met:
3.2.1 NBS is processing the Personal Data in a territory which is the subject of adequacy regulations under the Data Protection Legislation confirming that the territory provides adequate protection for the privacy rights of individuals. The territory that is subject to such adequacy regulations is set out in Annex A; or
3.2.2 NBS participates in a valid cross-border transfer mechanism under the Data Protection Legislation, so that NBS (and, where appropriate, the Subscriber) can ensure that appropriate safeguards are in place to ensure an adequate level of protection with respect to the privacy rights of individuals as required by Article 46 of the UK GDPR. Such mechanism is identified in Annex A and NBS shall update Annex A should that status change.
3.3 NBS will not act on any specific instructions given by Subscriber from time to time unless they are documented and given by an Authorised Person.
3.4 NBS will Process the Subscriber Personal Data in accordance with the Agreement and disclose Subscriber Personal Data to:
(a) Subscriber's Users; and
(b) Subscriber's Authorised Persons.
3.5 Annex A to this DPA sets out certain information as required by article 28(3) of the UK GDPR. The parties may make reasonable amendments to Annex A by written agreement between them from time to time as necessary to meet those requirements.
4. SUBSCRIBER OBLIGATIONS
4.1 Subscriber warrants that:
(a) the Processing of Subscriber Personal Data has been carried out and will at all times be carried out by the Subscriber in compliance with Data Protection Legislation;
(b) Subscriber has made all necessary disclosures and obtained all necessary consents from Data Subjects to fulfil all of its obligations under this DPA, including the ability to disclose Subscriber Personal Data to NBS;
(c) it is and will remain duly and effectively authorised to give instructions to NBS under this DPA;
(d) all Subscriber Personal Data is necessary in relation to the purposes for which it is Processed, accurate and where necessary up-to-date; and
(e) any notification that it is required to make to the Commissioner or other supervisory authority has been made, and is complete and correct.
5.1 NBS will maintain the confidentiality of the Subscriber Personal Data and will not disclose the Subscriber Personal Data to third parties unless the Subscriber or this DPA specifically authorises the disclosure, or as required by domestic law, court or regulator (including the Commissioner).
5.2 NBS will ensure that persons authorised to Process the Subscriber Personal Data have committed themselves to confidentiality or are under appropriate statutory obligations of confidentiality.
6.1 NBS shall at all times implement appropriate technical and organisational measures against unauthorised or unlawful processing, access, copying, modification, reproduction, display or distribution of the Subscriber Personal Data, and against accidental or unlawful loss, destruction, alteration, disclosure or damage of Subscriber Personal Data including, but not limited to, the security measures set out in ANNEX B.
7.1 The Subscriber authorises NBS to appoint Subprocessors in accordance with this Clause 7. NBS may continue to use those Subprocessors identified in Annex A as at the date of this DPA. NBS will inform Subscriber of any intended changes concerning the addition or replacement of Subprocessors, thereby giving Subscriber the opportunity to object to such changes as set out in Annex A.
7.2 With respect to each Subprocessor, NBS shall ensure that the arrangement between NBS and the Subprocessor is governed by a written contract including terms which offer at least the same level of protection for Subscriber Personal Data as those set out in this DPA and meet the requirements of Article 28(3) of the UK GDPR.
8.1 NBS shall assist the Subscriber in ensuring compliance with the Subscriber's obligations pursuant to Articles 32 to 36 taking into account the nature of processing and the information available to NBS, including as set out in section 8.3.
8.2 NBS will promptly notify the Subscriber if it receives a request from a Data Subject under any Data Protection Legislation in respect of Subscriber Personal Data and will, taking into account the nature of the processing, assist the Subscriber by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Subscriber's obligation to respond to requests.
8.3 NBS shall promptly notify the Subscriber if it becomes aware of a Personal Data Breach affecting Subscriber Personal Data and will co-operate with the Subscriber and take such commercially reasonable steps as the Subscriber requests to assist in the investigation, mitigation and remediation of each such Personal Data Breach.
9. DELETION OF SUBSCRIBER PERSONAL DATA
9.1 The Subscriber chooses, and NBS agrees, that on the termination of the provision of data processing services, NBS will delete Subscriber Personal Data from NBS' systems two years from the date of termination, except to the extent that Applicable Laws require it to retain copies of such data.
9.2 Subscriber acknowledges that it bears the sole responsibility for exporting any Subscriber Personal Data it wishes to retain prior to such deletion.
10. TERM AND TERMINATION
10.1 This DPA will remain in full force and effect so long as:
(a) the NBS Order Form and Specifier Terms remain in effect; or
(b) NBS retains any of the Personal Data related to the NBS Order Form and Specifier Terms in its possession or control (Term).
10.2 Any provision of this DPA that expressly or by implication should come into or continue in force on or after termination of the NBS Order Form and Specifier Terms in order to protect the Personal Data will remain in full force and effect.
11. INFORMATION & AUDIT RIGHTS
11.1 NBS will make available such information as is reasonably requested by the Subscriber to demonstrate compliance with the obligations laid down in Article 28 UK GDPR. The Subscriber will be entitled to conduct an audit for that same purpose, provided (a) the Subscriber gives NBS no less than fourteen (14) days’ prior written notice, (b) the audit is conducted remotely, and (c) such audits are conducted no more than once per calendar year, excluding any audit required by the Commissioner.
11.2 NBS shall immediately inform the Subscriber if, in its opinion, the Subscriber's instruction to NBS infringes Data Protection Legislation or other Applicable Laws relating to data protection.
11.3 No audit under section 11.1 will provide the Subscriber with any access to NBS’s code base, data centres, detailed network schematics or detailed records of security vulnerabilities unless such access is required by the Commissioner or by Applicable Law.
11.4 Subscriber shall bear the costs of any audit under section 11.1, unless such audit reveals that NBS is responsible for a Personal Data Breach or has otherwise materially failed to comply with its obligations under this DPA, the Specifier Terms, or the Data Protection Legislation, in which case NBS shall bear the cost.
12.1 Nothing in this DPA is intended to impose upon NBS any obligations materially more burdensome than those required by Article 28 of the UK GDPR as it relates to Processors.
12.2 In the event of conflict between the terms set out in this DPA and the Specifier Terms, the terms set out in this DPA shall prevail solely to the extent of such conflict.
12.3 No other terms or conditions of the Specifier Terms shall be amended as a result of this DPA.
12.4 The parties will cooperate in good faith to amend this DPA where required by any change in the Data Protection Legislation applicable to either party.
12.5 This DPA and any dispute or claim (including non-contractual disputes or claims) arising out of or in connection with it or its subject matter or formation shall be governed by the law governing the Agreement, without regard to any conflicts of law principles that would require a different result. Each party irrevocably submits to the jurisdiction of the same courts, arbitrators, or other dispute resolution bodies as set out in the Specifier Terms, under the same terms set out in the Specifier Terms.
ANNEX A Personal Data processing purposes and details
Subject matter of the processing: Providing a cloud-based specification system to Subscriber
Duration of the processing: The Term of Subscriber’s subscription to NBS’ Chorus product
Nature and purposes of the processing: Hosting of the specification data within the NBS Chorus platform
Type of Personal Data: Names, email addresses and telephone numbers of Project Participants
Categories of Data Subject: Project Participants, e.g. Subscriber’s Client, Engineer, Project Manager, Principal Contractor, Principal Designer, Civil Engineer, Quantity Surveyor
Identify NBS' legal basis for processing Personal Data outside the UK in order to comply with cross-border transfer restrictions:
· SCCs between NBS as "data exporter" and NBS Enterprises Pty Limited as "data importer" for transfers to Australia.
· Canada is subject to adequacy regulations.
Approved Subprocessors:
· NBS Enterprises Pty Limited (NBS’ Australian subsidiary)
· Digicon Information, Inc. (NBS’ Canadian subsidiary)
· Amazon Web Services EMEA SARL (suppliers of our data centres in the UK and Ireland)
NBS will provide notice to Subscriber of its intention to engage third parties as Subprocessors by updating the above Approved Subprocessors list, such notice to be given not less than ten (10) days prior to the engagement of such Subprocessors.
ANNEX B Security measures
NBS has technological safeguards in place according to Article 32(1) of the UK GDPR and equivalent articles under current or equivalent Data Protection Legislation to provide the following:
1. Information Security Policies and Standards
NBS’ security measures shall include, at a minimum:
- Preventing unauthorised persons from gaining access to Personal Data processing systems (physical access control);
- Preventing Personal Data processing systems being used without authorisation (logical access control);
- Ensuring that persons entitled to use a Personal Data processing system gain access only to such Personal Data as they are entitled to access in accordance with their access rights and that, in the course of Processing or use and after storage, Personal Data cannot be read, copied, modified or deleted without authorisation (data access control);
- Ensuring that Personal Data cannot be read, copied, modified or deleted without authorisation during electronic transmission, transport or storage, and that the target entities for the transfer of Personal Data by means of data transmission facilities can be established and verified (data transfer control);
- Ensuring the establishment of an audit trail to document whether and by whom Personal Data have been entered into, modified in, or removed from Personal Data processing (entry control);
- Ensuring that Personal Data are Processed solely in accordance with the Subscriber’s instructions (control of instructions);
- Ensuring that Personal Data are protected against accidental destruction or loss (availability control); and
- Ensuring that Personal Data collected for different purposes can be processed separately (separation control).
These measures are kept up to date and revised whenever relevant changes are made to the information system that uses or stores Personal Data, or to how that system is organised.
Security policies and standards include:
- Access Control Policy
- Business Continuity Policy
- Data Protection Policy
- Data Retention and Destruction Policy
- Data Rights Access Policy
- Information Security Policy
- Physical Security Policy
2. Physical Security
NBS and its subsidiaries shall maintain adequate security systems at all sites at which an information system that uses or stores Personal Data is located and shall appropriately restrict access to such Personal Data.
3. Organisational Security
NBS shall ensure:
- Procedures have been implemented to prevent any retrieval or use of Personal Data stored on media which has been disposed of or reused.
- All Personal Data security incidents are managed in accordance with appropriate incident response procedures.
4. Network Security
NBS shall maintain network security using commercially available equipment and industry standard techniques, including anti-virus and malware protection software, firewalls, access control lists and routing protocols.
5. Access Control
- Only authorised NBS employees can grant, modify or revoke access to an information system that uses or stores Personal Data.
- User administration procedures define user roles and how access is granted, changed and terminated, address appropriate segregation of duties, and define the logging/monitoring requirements and mechanisms.
- NBS implements commercially reasonable physical and electronic security to create and protect passwords.
6. Data Centres
NBS uses AWS data centres based in the UK and Ireland. Data centre physical and environmental security is managed by AWS, as documented in "Data Centers - Our Controls" (amazon.com).
Last Updated: 24th June 2022