Data Processing Policy

As a new or existing customer of AR Digital Solutions Ltd, the following policy applies where you have confirmed an order via Email, Post, SMS or paid an invoice from AR Digital Solutions Ltd for the Services specified. Please note this document exists to protect both you and us and serves as an agreement all the while Our Services are fulfilled.

Words used in this policy have the same meaning as is attributed to them in the AR Digital Solutions Privacy Policy .

  1. Definitions and Interpretation

    In this Policy, the following terms shall have the following meanings

    "this Agreement" is a reference to this Agreement and each of the Schedules as amended or supplemented at the relevant time; a Schedule is a schedule to this Agreement; and a Clause or paragraph is a reference to a Clause of this Agreement (other than the Schedules) or a paragraph of the relevant Schedule.
    "Affiliate" any entity controlling, controlled by, or under common control with a party, where "control" is defined as: the ownership of at least fifty percent (50%) of the equity or beneficial interests of the entity; the right to vote for or appoint a majority of the board of directors or other governing body of the entity; or the power to exercise a controlling influence over the management or policies of the entity.
    "Data Controller", "Data Processor", "processing", and "data subject" shall have the meanings given to the terms "controller", "processor", "processing", and "data subject" respectively in Article 4 of the GDPR;
    "Sub-Processor" means a sub-processor appointed by the Data Processor to process the Personal Data; and;
    "Sub-Processing Agreement" means an agreement between the Data Processor and a Sub-Processor governing the Personal Data processing carried out by the Sub-Processor, as described in Clause 10;
    "Personal Data" means any and all data that relates to an identifiable person who can be directly or indirectly identified from that data. In this case, it means personal data that you give to Us via Our Site. This definition shall, where applicable, incorporate the definitions provided in the Data Protection Act 1998 and EU Regulation 2016/679 - the General Data Protection Regulation ("GDPR");
    "We/Us/Our" means AR Digital Solutions , a limited company registered in England under company number 07476134 , whose registered address is 46 Barkston House, Croydon Street, Leeds, West Yorkshire. LS11 9RT .
    "You/Your/Customer" an individual, partnership or organisation who pays for Our Services via email; via signed order or proposal; or upon first payment of invoice;
    "Service/Services" the services described by Email, Post, SMS or invoice by Us with You and supplied by Us to You;
  2. Summary

    1. As of 25th May 2018, all customers who continue to pay AR Digital Solutions for Website Hosting or the management of third party web servers acknowledge that for the purposes of the Data Protection Act 1998, You are the Data Controller and We are the data processor in respect of any Personal Data.
    2. We shall process the Personal Data only in accordance with Your instructions from time to time and shall not process the Personal Data for any purposes other than those expressly authorised by You.
    3. Customer/You authorise the engagement of any other third parties as Sub-processors ("Third Party Sub-processors").
  3. Provision of the Services and Processing Personal Data

    The Data Processor is only to carry out the Services, and only to process the Personal Data received from the Data Controller:

    1. for the purposes of those Services and not for any other purpose;
    2. to the extent and in such a manner as is necessary for those purposes; and
    3. strictly in accordance with the express written authorisation and instructions of the Data Controller (which may be specific instructions or instructions of a general nature or as otherwise notified by the Data Controller to the Data Processor).
  4. Data Protection Compliance

    1. All instructions given by the Data Controller to the Data Processor shall be made in writing and shall at all times be in compliance with the GDPR and other applicable laws. The Data Processor shall act only on such written instructions from the Data Controller unless the Data Processor is required by law to do otherwise (as per Article 29 of the GDPR).
    2. The Data Processor shall promptly comply with any request from the Data Controller requiring the Data Processor to amend, transfer, delete, or otherwise dispose of the Personal Data.
    3. The Data Processor shall transfer all Personal Data to the Data Controller on the Data Controller’s request in the formats, at the times, and in compliance with the Data Controller's written instructions.
    4. Both Parties shall comply at all times with the GDPR and other applicable laws and shall not perform their obligations under this Agreement or any other agreement or arrangement between themselves in such way as to cause either Party to breach any of its applicable obligations under the GDPR.
    5. The Data Controller hereby warrants, represents, and undertakes that the Personal Data shall comply with the GDPR in all respects including, but not limited to, its collection, holding, and processing.
    6. The Data Processor agrees to comply with any reasonable measures required by the Data Controller to ensure that its obligations under this Agreement are satisfactorily performed in accordance with any and all applicable legislation from time to time in force (including, but not limited to, the GDPR) and any best practice guidance issued by the ICO .
    7. The Data Processor shall provide all reasonable assistance (at the Data Controller's cost) to the Data Controller in complying with its obligations under the GDPR with respect to the security of processing, the notification of personal data breaches, the conduct of data protection impact assessments, and in dealings with the ICO .
    8. When processing the Personal Data on behalf of the Data Controller, the Data Processor shall:
      1. not process the Personal Data outside the United Kingdom and the European Economic Area (all EU member states, plus Iceland, Liechtenstein, and Norway) ("EEA") without the prior written consent of the Data Controller and, where the Data Controller consents to such a transfer to a country that is outside of the EEA, to comply with the obligations of Data Processors under the provisions applicable to transfers of Personal Data to third countries set out in Chapter 5 of the GDPR by providing an adequate level of protection to any Personal Data that is transferred;
      2. not transfer any of the Personal Data to any third party without the written consent of the Data Controller and, in the event of such consent, the Personal Data shall be transferred strictly subject to the terms of a suitable agreement, as set out in Clause 10;
      3. process the Personal Data only to the extent, and in such manner, as is necessary in order to comply with its obligations to the Data Controller or as may be required by law (in which case, the Data Processor shall inform the Data Controller of the legal requirement in question before processing the Personal Data for that purpose unless prohibited from doing so by law);
      4. implement appropriate technical and organisational measures, as described in Schedule 3, and take all steps necessary to protect the Personal Data against unauthorised or unlawful processing, accidental loss, destruction, damage, alteration, or disclosure. The Data Processor shall inform the Data Controller in advance of any changes to such measures;
      5. if so requested by the Data Controller (and within the timescales required by the Data Controller) supply further details of the technical and organisational systems in place to safeguard the security of the Personal Data held and to prevent unauthorised access;
      6. make available to the Data Controller any and all such information as is reasonably required and necessary to demonstrate the Data Processor's compliance with the GDPR;
      7. on [at least 14 days'] OR [reasonable] prior notice, submit to audits and inspections and provide the Data Controller with any information reasonably required in order to assess and verify compliance with the provisions of this Agreement and both Parties' compliance with the requirements of the GDPR. The requirement to give notice will not apply if the Data Controller believes that the Data Processor is in breach of any of its obligations under this Agreement or under the law; and
      8. inform the Data Controller immediately if it is asked to do anything that infringes the GDPR or any other applicable data protection legislation.
  5. Data Subject Access, Complaints, and Breaches

    1. The Data Processor shall notify the Data Controller [without undue delay] OR [within 7 days] if it receives:
      1. a subject access request from a data subject; or
      2. any other complaint or request relating to the processing of the Personal Data.
    2. The Data Processor shall [, at the Data Controller's cost,] cooperate fully with the Data Controller and assist as required in relation to any subject access request, complaint, or other request, including by:
      1. providing the Data Controller with full details of the complaint or request;
      2. providing the necessary information and assistance in order to comply with a subject access request;
      3. providing the Data Controller with any Personal Data it holds in relation to a data subject (within the timescales required by the Data Controller); and
      4. providing the Data Controller with any other information requested by the Data Controller.
    3. The Data Processor shall notify the Data Controller immediately if it becomes aware of any form of Personal Data breach, including any unauthorised or unlawful processing, loss of, damage to, or destruction of any of the Personal Data.
  6. Data Protection Act Officer

    In accordance with Article 37 of the GDPR, Our Data Protection Officer can be contacted by email at [email protected] , or by post at the Nook, Kingsmill Industrial Estate, Cullompton, Devon. EX15 1BS .

  7. Liability and Indemnity

    1. The Data Controller shall be liable for, and shall indemnify (and keep indemnified) the Data Processor in respect of any and all action, proceeding, liability, cost, claim, loss, expense (including reasonable legal fees and payments on a solicitor and client basis), or demand suffered or incurred by, awarded against, or agreed to be paid by, the Data Processor [and any Sub-Processor] arising directly or in connection with:
      1. any non-compliance by the Data Controller with the GDPR or other applicable legislation;
      2. any Personal Data processing carried out by the Data Processor [or Sub-Processor] in accordance with instructions given by the Data Controller that infringe the GDPR or other applicable legislation; or
      3. any breach by the Data Controller of its obligations under this Agreement, except to the extent that the Data Processor [or Sub-Processor] is liable under sub-Clause 7.2.
    2. The Data Processor shall be liable for, and shall indemnify (and keep indemnified) the Data Controller in respect of any and all action, proceeding, liability, cost, claim, loss, expense (including reasonable legal fees and payments on a solicitor and client basis), or demand suffered or incurred by, awarded against, or agreed to be paid by, the Data Controller arising directly or in connection with the Data Processor's Personal Data processing activities that are subject to this Agreement:
      1. only to the extent that the same results from the Data Processor's [or a Sub-Processor's] breach of this Agreement; and
      2. not to the extent that the same is or are contributed to by any breach of this Agreement by the Data Controller.
    3. The Data Controller shall not be entitled to claim back from the Data Processor [or Sub-Processor] any sums paid in compensation by the Data Controller in respect of any damage to the extent that the Data Controller is liable to indemnify the Data Processor [or Sub-Processor] under sub-Clause 7.1.
    4. Nothing in this Agreement (and in particular, this Clause 7) shall relieve either Party of, or otherwise affect, the liability of either Party to any data subject, or for any other breach of that Party's direct obligations under the GDPR. Furthermore, the Data Processor hereby acknowledges that it shall remain subject to the authority of the ICO and shall co-operate fully therewith, as required, and that failure to comply with its obligations as a data processor under the GDPR may render it subject to the fines, penalties, and compensation requirements set out in the GDPR.
  8. Intellectual Property Rights

    All copyright, database rights, and other intellectual property rights subsisting in the Personal Data (including but not limited to any updates, amendments, or adaptations to the Personal Data made by either the Data Controller or the Data Processor) shall belong to the Data Controller or to any other applicable third party from whom the Data Controller has obtained the Personal Data under licence (including, but not limited to, data subjects, where applicable). The Data Processor is licensed to use such Personal Data under such rights only for the term of the Services provided, and in accordance with this Agreement.

  9. Confidentiality

    1. The Data Processor shall maintain the Personal Data in confidence, and in particular, unless the Data Controller has given written consent for the Data Processor to do so, the Data Processor shall not disclose any Personal Data supplied to the Data Processor by, for, or on behalf of, the Data Controller to any third party. The Data Processor shall not process or make any use of any Personal Data supplied to it by the Data Controller otherwise than in connection with the provision of the Services to the Data Controller.
    2. The Data Processor shall ensure that all personnel who are to access and/or process any of the Personal Data are contractually obliged to keep the Personal Data confidential.
    3. The obligations set out in in this Clause 9 shall continue for a period of 12 months after the cessation of the provision of Services by the Data Processor to the Data Controller.
    4. Nothing in this Agreement shall prevent either Party from complying with any requirement to disclose Personal Data where such disclosure is required by law. In such cases, the Party required to disclose shall notify the other Party of the disclosure requirements prior to disclosure, unless such notification is prohibited by law.
  10. Appointment of Sub-Processors

    1. Consent to Sub-processor Engagement. Customer specifically authorises the engagement of AR Digital Solution's Affiliates as Sub-processors. In addition, Customer generally authorises the engagement of any other third parties as Sub-processors ("Third Party Sub-processors").
    2. Information about Sub-processors, including their functions and locations is available by contacting Our Data Protection Officer [email protected] .
    3. When engaging any Sub-processor, We will:
      1. ensure via a written contract that:
        1. the Sub-processor only accesses and uses Customer Data to the extent required to perform the obligations subcontracted to it, and does so in accordance with the Application Agreement (including this Data Processing Policy); and
        2. if the GDPR applies to the processing of Customer Personal Data, the data protection obligations set out in Article 28(3) of the GDPR, as described in this Data Processing Policy, are imposed on the Sub-processor; and
        3. remain fully liable for all obligations subcontracted to, and all acts and omissions of, the Sub-processor.
    4. Opportunity to Object to Sub-processor Changes
      1. When any new Third Party Sub-processor is engaged We will, at least 30 days before the new Third Party Sub-processor processes any Customer Data, inform Customer of the engagement (including the name and location of the relevant Sub-processor and the activities it will perform) by sending an email to the Customer.
      2. Customer may object to any new Third Party Sub-processor by terminating their Agreement immediately upon written notice to AR Digital Solutions Limited, on condition that Customer provides such notice within 20 days of being information of the engagement of the Sub-processor as described in Section 10.3.1.1. This termination right is Customer's sole and exclusive remedy if Customer objects to any new Third Party Sub-processor.
  11. Deletion and/or Disposal of Personal Data

    1. The Data Processor shall, at the written request of the Data Controller, delete (or otherwise dispose of) the Personal Data or return it to the Data Controller in the format(s) reasonably requested by the Data Controller within a reasonable time after the earlier of the following:
      1. the end of the provision of the Services; or
      2. the processing of that Personal Data by the Data Processor is no longer required for the performance of the Data Processor's obligations under [this Agreement] AND/OR [Our Services].
    2. Following the deletion, disposal, or return of the Personal Data under sub-Clause 11.1, the Data Processor shall delete (or otherwise dispose of) all further copies of the Personal Data that it holds, unless retention of such copies is required by law, in which case the Data Processor shall inform the Data Controller of such requirement(s) in writing.
    3. All Personal Data to be deleted or disposed of under this Agreement shall be deleted or disposed of using the following method(s):
      1. All Paper evidence will be shredded;
      2. All Digital Data will be deleted and purged from their Storage Medium (Hard Disk, USB Pen/Flash Drive);
  12. Law and Jurisdiction

    This Agreement (including any non-contractual matters and obligations arising therefrom or associated therewith) shall be governed by, and construed in accordance with, the laws of England and Wales.

    Any dispute, controversy, proceedings or claim between the Parties relating to this Agreement (including any non-contractual matters and obligations arising therefrom or associated therewith) shall fall within the jurisdiction of the courts of England and Wales.