10.1. Both the Trust Company and the Hirer will comply with all applicable requirements of the Data Protection Legislation. This Clause 10 is in addition to, and does not relieve, remove or replace, a party's obligations or rights under the Data Protection Legislation. In this Clause 10, Applicable Laws means (for so long as and to the extent that they apply to the Trust Company) the law of the European Union, the law of any member state of the European Union and/or Domestic UK Law; and Domestic UK Law means the UK Data Protection Legislation and any other law that applies in the UK.
10.2. The Trust Company and the Hirer acknowledge that for the purposes of the Data Protection Legislation, the Hirer is the controller and the Trust Company is the processor.
10.3. Without prejudice to the generality of Clause 10.1, the Hirer will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the personal data to the Trust Company for the duration and purposes of this Agreement.
10.4. Without prejudice to the generality of Clause 10.1, the Trust Company shall, in relation to any personal data processed in connection with the performance by the Trust Company of its obligations under this Agreement:
10.4.1. process personal data on the documented written instructions of the Hirer for the performance of the Agremeent, unless the Trust Company is required by Applicable Laws to otherwise process that personal data. Where the Trust Company is relying on Applicable Laws as the basis for processing personal data, the Trust Company shall promptly notify the Hirer of this before performing the processing required by the Applicable Laws unless those Applicable Laws prohibit the Trust Company from so notifying the Hirer;
10.4.2. ensure that it has in place appropriate technical and organisational measures to protect against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymising and encrypting personal data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to personal data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it);
10.4.3. ensure that all personnel who have access to and/or process personal data are obliged to keep the personal data confidential;
10.4.4. not transfer any personal data outside of the European Economic Area unless the prior written consent of the Hirer has been obtained and the following conditions are fulfilled:
10.4.4.1. the Hirer or the Trust Company have provided appropriate safeguards in relation to the transfer;
10.4.4.2. the data subject has enforceable rights and effective legal remedies;
10.4.4.3. the Trust Company complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any personal data that is transferred; and
10.4.4.4. the Trust Company complies with reasonable instructions notified to it in advance by the Hirer with respect to the processing of the personal data.
10.4.5. assist the Hirer, at the Hirer’s cost, in responding to any request from a data subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators;
10.4.6. notify the Hirer without undue delay on becoming aware of a personal data breach;
10.4.7. at the written direction of the Hirer, delete or return personal data and copies thereof to the Hirer on termination of this Agreement unless required by Applicable Laws to store personal data; and
10.4.8. maintain complete and accurate records and information to demonstrate its compliance with this Clause 10 and immediately inform the Hirer if, in the opinion of the Trust Company, an instruction infringes Data Protection Legislation.
10.5. If required by the Trust Company, the Hirer consents to the Trust Company appointing software providers as a third-party processor of personal data in order to perform its obligations under this Agreement in relation the administering the booking system and invoicing. The Trust Company confirms that if entering into any agreements with third party processors it will incorporate terms which are substantially similar to those set out in this Clause 10, which the Trust Company undertakes will reflect the requirements of the Data Protection Legislation. As between the Hirer and the Trust Company, the Trust Company shall remain liable for all acts or omissions of any third party processor appointed by it pursuant to this Clause 10.
10.6. Either party may, at any time on not less than 30 days' notice, revise this Clause 10 by replacing it with any applicable controller to processor standard clauses or similar terms forming part of an applicable certification scheme (which shall apply when replaced by attachment to this Agreement).
10.7. The details of data processing are:
10.7.1. the subject matter shall be the provision of the Trust Company’s Facilities and Services to the Hirer;
10.7.2. the duration of processing shall be for the period of this Agreement plus any period from the expiry of this Agreement until deletion of all personal data provided by the Hirer in accordance with the law;
10.7.3. the nature and purpose of the processing shall be that the Trust Company will process the personal data submitted, stored, sent or received by the Hirer for the purposes of providing the Facilities and Services as outlined further in Clause 10.8;
10.7.4 the categories of data may include: user IDs, names, dates of birth, email addresses, bank details, medical or accessibility information and other data as further outlined in our Privacy Notice; and
10.7.5. the data subjects are inclusive of the Hirer’s employees, customers, suppliers, subcontractors or any person who transmits data through the Hirer.
10.8. In performance of this Agreement the Trust Company will use the personal data provided to:
10.8.1. provide the Facilities or Services;
10.8.2. process your payment;
10.8.3. contact you in the event of a cancellation, amendment, alteration or refund;
10.8.4. to provide you with information, products or services that you request from us or which we feel may interest you, and to notify you about changes to our services, where you have consented to be contacted for such purposes, but the Hirer may stop receiving these communications at any time by contacting the Trust Company;
10.8.5. to book accommodation, book individuals onto training courses, and book individuals onto events;
10.8.6. to hold and process medical and accessibility information in relation to course provision when required for the safety of course attendees, or process and store in respect of our Facilities in the Centre to allow safe provision of facilities;
10.8.7. to process any accessibility information provided if relevant in order to ensure adequate Facilities are provided for individuals;
10.8.8. to process email addresses or other contact details to provide marketing or communications, request customer feedback only where individuals provide consent for us to carry out this type of activity;
10.8.9. to share photos/videos on our websites, social media and sportscotland publications if you have given us consent to take photos/videos of you;
10.8.10. to analyse customer booking trends for business and financial planning purposes; and
10.8.11. to provide workshop provision, delivery and tracking and providing workshops for individuals and arranging sport educators to deliver such workshops, and tracking workshops that have been delivered.
10.9. For more details on how the Trust Company collects and processes your personal data please see the Privacy Notice here: - https://sportscotland.org.uk/media/3650/general-privacy-notice-sportscotland.pdf
10.10. The Trust Company will only give your personal information to other third parties where required by law.
10.11. The Trust Company will maintain complete and accurate records and information to demonstrate its compliance with this Clause 10.