The obligations set out below form part of and are subject to the Agreement entered into by Sky and the Supplier. Terms not otherwise defined in these provisions shall have the same meaning as in the Agreement. If there is a conflict or inconsistency between the Data Processor Obligations and the remainder of the Agreement, the Data Processor Obligations shall govern to the extent required to resolve such conflict or inconsistency, unless a provision of the Agreement explicitly overrides any provision of the Data Processor Obligations by specific reference to such provision(s).
1. Definitions and Interpretation
1.1 Capitalised words have the meaning assigned to them as follows:
“Applicable Data Protection Law” means (a) prior to 25 May 2018, the Data Protection Directive (95/46/EC), or, from 25 May 2018, the General Data Protection Regulation (EU 2016/679), and (b) the Directive on privacy and electronic communications (2002/58/EC, as amended), as well as, for each of (a) and (b) above, all Laws implementing such Directives and/or Regulation, as amended or updated from time to time. In the event any such Directive, Regulation or Laws are repealed or replaced, the successor legislation to such repealed or replaced Directive, Regulation and/or Law shall be deemed to constitute Applicable Data Protection Law.
“Instruction” means a written instruction (including by email) from Sky to the Supplier relating to the Supplier’s processing of personal data as Sky’s processor.
Where defined in Applicable Data Protection Law, the terms “controller”, “data subject”, “data protection impact assessment”, “data protection officer”, “personal data”, “personal data breach”, “prior consultation”, “pseudonymisation”, “processor”, “processing”, “restriction of processing”, “supervisory authority concerned” shall have the same meanings as ascribed to them in Applicable Data Protection Law.
2. Data Protection Obligations
2.1 Sky, acting as controller, hereby appoints the Supplier for the duration of the Agreement as its processor. The details of such personal data processing (namely, the purpose(s), duration, subject-matter and nature of such processing as well as the types of personal data processed by the Supplier as Sky’s processor and the categories of data subjects to whom such personal data relate) are set out in the Order(s) and such details shall only apply in respect of the personal data processing carried out under such Order(s).
2.2 The Supplier shall comply with its obligations as processor under Applicable Data Protection Law and the Supplier acknowledges that nothing in the Data Processor Obligations relieves it from its responsibilities and liabilities under Applicable Data Protection Law.
2.3 The Supplier shall only process personal data as Sky’s processor in accordance with Sky’s lawful Instructions and notify Sky immediately in the event it reasonably believes any Instruction given by Sky is contrary to Applicable Data Protection Law. The parties agree that the Data Processor Obligations constitute Sky’s main set of Instructions and the Supplier acknowledges that Sky may issue supplemental Instructions in relation to personal data the Supplier processes as Sky’s processor, including for the Supplier to:
2.3.1 provide at its cost reasonable assistance to Sky, taking into account the nature of processing and the information available to the Supplier, so that Sky is able to: (a) access all documents (in full or only in so far as they relate to personal data processed by the Supplier as Sky’s processor) which the Supplier is required to maintain under Applicable Data Protection Law (if any) about such personal data processing; (b) discuss with the Supplier’s data protection officer (if appointed) the Supplier’s processing of personal data; (c) manage and respond to the exercise by any data subject of any of the rights afforded to data subjects under Applicable Data Protection Law; (d) manage and respond to any notices or questions addressed to Sky by the supervisory authority concerned; (e) evaluate the technical and organisational measures the Supplier is required to implement under clauses 2.4, 2.6 and 2.8; (f) manage, mitigate and resolve any personal data breach, including the preparation and filing of any notification of any personal data breach to the supervisory authority concerned or relevant data subject(s); (g) carry out data protection impact assessments (at Sky’s discretion) and prior consultations with the supervisory authority concerned (where required under Applicable Data Protection Law) in relation to the personal data the Supplier processes as Sky’s processor; and (h) demonstrate its compliance with its obligations under Applicable Data Protection Law; and
2.3.2 allow for and reasonably collaborate with (both at the Supplier’s cost) Sky, an auditor mandated by Sky and/or the supervisory authority concerned carrying out desk-based audits, on-site audits and/or inspections of the Supplier, any of its sub-contractors and/or any of the facilities and IT systems used to process personal data on Sky’s behalf from time to time (including before such processing commences) to verify the Supplier’s compliance with its obligations under the Data Processor Obligations and Applicable Data Protection Law.
2.4 Subject to clauses 2.5 and 2.7, the Supplier shall:
2.4.1 keep the personal data it processes as Sky’s processor strictly confidential;
2.4.2 ensure that its personnel are bound by appropriate, written and enforceable confidentiality obligations concerning the personal data and that they process such personal data only in accordance with Sky’s Instructions;
2.4.3 not allow any third party access to the personal data or otherwise transfer the personal data to any third party; and
2.4.4 not transfer the personal data outside of the European Economic Area.
2.5 If the Supplier is required by Law to grant access to or otherwise transfer the personal data to a third party (whether nationally or internationally), it shall:
2.5.1 if permitted by Law, give Sky as much prior notice as is reasonably possible (including reasonable information concerning such access or transfer and the relevant requirement(s) under Law);
2.5.2 limit such access or transfer to the minimum reasonably possible; and
2.5.3 provide Sky at the Supplier’s cost with all reasonable assistance should Sky choose to challenge such access or transfer.
2.6 For the duration the Supplier acts as Sky’s processor under clause 2.1, the Supplier shall:
2.6.1 implement and document appropriate technical and organisational measures to ensure a level of security appropriate to the risk to the rights and freedoms of the data subjects presented by the Supplier processing personal data as Sky’s processor, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of such processing as well as the varying likelihood and severity of such risk, including measures to: (a) guard against unauthorised or unlawful processing and personal data breaches; (b) as appropriate, apply pseudonymisation and encryption to the personal data; (c) ensure the ongoing confidentiality, integrity, availability and resilience of the Supplier’s and any sub-contractor’s processing systems and services; (d) restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and (e) regularly test, assess and evaluate the effectiveness of such technical and organisational measures;
2.6.2 without prejudice to the generality of clause 2.6.1, comply with the Sky Security Standard; and
2.6.3 annually certify its compliance with clauses 2.6.1 and 2.6.2 to Sky in writing.
2.7 The Supplier shall only allow a sub-contractor to process the personal data the Supplier processes under the Data Processor Obligations as Sky’s processor if:
2.7.1 such sub-contractor’s processing of such personal data is carried out exclusively from a territory that is deemed to provide an adequate level of protection under Applicable Data Protection Law or where such processing is otherwise deemed to be subject to adequate levels of protection under Applicable Data Protection Law;
2.7.2 it notifies Sky, providing reasonable details;
2.7.3 it obtains Sky’s prior written consent; and
2.7.4 the written contract under which such sub-contractor processes such personal data is not less onerous than the Data Processor Obligations. For the avoidance of doubt, the requirements of this clause 2.7 also apply in the event the Supplier wishes to change the contract referred to in clause 2.7.4 and, in any case, the Supplier shall remain fully liable to Sky for acts and omissions of the Supplier’s sub-contractors.
2.8 For the duration the Supplier acts as Sky’s processor under clause 2.1, the Supplier shall implement appropriate technical and organisational measures in relation to the personal data it processes as Sky’s processor to ensure that it is able to promptly:
2.8.1 provide to Sky any such personal data in a commonly used electronic format, implement the restriction of processing of any such personal data, delete any such personal data and/or modify any such personal data if it receives an Instruction to do so by Sky; and
2.8.2 identify if any data subject requests to exercise any of the rights afforded to data subjects under Applicable Data Protection Law in relation to such personal data.
2.9 The Supplier shall notify Sky:
2.9.1 promptly if it receives any notice, request, query, consultation or complaint from the supervisory authority concerned or any data subject relating to the personal data the Supplier (or any sub-contractor) processes as Sky’s data (sub)processor (including the requests and/or notices referred to in clause 2.8.1) or that otherwise concerns Sky’s and/or the Supplier’s compliance with Applicable Data Protection Law;
2.9.2 without undue delay (and, in any event, within 24 hours) via email to DataIncidents@sky.uk, if it becomes aware of any personal data breach or breach of the Data Processor Obligations or reasonably suspects that a personal data breach or breach of the Data Processor Obligations has occurred, providing, to the extent reasonably possible, the information Sky is required under Applicable Data Protection Law to provide to the supervisory authority concerned.
2.10 Subject to the Supplier’s requirements under Law, if the Supplier becomes aware of any personal data breach and without prejudice to clauses 2.3.1(f) and 2.9.2, Sky is exclusively responsible for preparing and managing any notification of and/or correspondence with the supervisory authority concerned, any data subject and/or other third party relating to such personal data breach. Subject to the preceding sentence and any Instruction under clause 2.3.1(f), the Supplier shall take all reasonable steps at its cost to investigate, mitigate and resolve such personal data breach.
2.11 Upon the Agreement’s or relevant Order’s (as applicable) termination or expiry (whichever is sooner) and subject to any Instruction to the contrary as well as the Supplier’s obligations under Law, the Supplier shall return to Sky in a reasonably commonly used digital format the personal data it processes as Sky’s processor under the Agreement or the relevant Order (as applicable) and then promptly delete and cease processing all such personal data. The Supplier shall ensure that all of its sub-contractors (if any) comply with this clause 2.11 and certify its and such sub-contractors’ compliance to Sky in writing.
Version 1 – 12 April 2018