A message to all organisations which process personal data on behalf of Charity Bank
At Charity Bank we take our responsibilities very seriously and do all we can to protect the personal data of our customers, business contacts and employees. This includes ensuring that our data processors meet the requirements of the new General Data Protection Regulation (GDPR). You have received this message as you have been identified as an organisation which processes Personal Data on behalf of Charity Bank. This notice is sent as a reminder of Charity Bank’s responsibilities as a Data Controller, and of the responsibilities of organisations which process personal data on our behalf as Data Processors.
Our role as Data Controller
As a Data Controller, Charity Bank is responsible for its own compliance with the GDPR and must only appoint Data Processors who can provide sufficient guarantees that they can meet the requirements of the GDPR and will respect and protect the rights of Data Subjects.
Your role as Data Processor
As a Data Processor for Charity Bank, the GDPR requires that you must only process Personal Data (i) on the written instruction of Charity Bank, (ii) in compliance with the GDPR, and (iii) for the sole purpose of providing Charity Bank with the services set out in the contract between us.
Our existing contracts do not usually permit an organisation to sub-contract data processing activity to a third party, but if we have permitted this as an exception, you will be responsible for that third party’s activities as an authorised Sub-Processor.
By continuing to provide data processing services to Charity Bank beyond 25th May 2018, you confirm that you will:
- only process Personal Data in accordance with our written instructions;
- put in place appropriate technical and organisational measures (which we will have the right to check) to protect against unauthorised or unlawful processing of that Personal Data and to protect against accidental loss or destruction of or damage to Personal Data;
- ensure that all personnel who have access to and/or process Personal Data are obliged to keep that Personal Data confidential;
- not transfer any Personal Data outside the EEA unless we have already agreed to this in writing, in which case you agree to (i) provide appropriate safeguards; (ii) provide an adequate level of protection to any Personal Data which is transferred; (iii) ensure the Data Subject’s rights are not adversely affected; and (iv) meet any additional conditions required by us;
- assist us in promptly dealing with and responding to any Data Subject request;
- notify us within 48 hours of any suspected or actual Personal Data breach;
- at our request, delete and/or return Personal Data on termination of the contract other than to the extent we have agreed you may retain that Personal Data for audit purposes;
- maintain records demonstrating your compliance with these obligations;
- indemnify us against any loss arising out of or in connection with your processing of Personal Data on our behalf and your obligations as a Data Processor; and
- maintain in force a sufficient level of insurance to cover your liabilities to us.
In order to ensure that our contractual arrangements with you are correct and comply with the GDPR, please complete the table below which will enable us to issue an updated contract to you.
Data Privacy Impact Assessment
We reserve the right to require you to carry out a Data Privacy Impact Assessment if we deem that the nature of your processing requires this.