Data Processing Terms
SCHEDULE
Data Processing Terms (DP Terms)
These DP Terms govern data processing by The Myers-Briggs Company Limited (The Myers-Briggs Company) for and on behalf of Client in relation to the goods and/or services received by Client from The Myers-Briggs Company.
These DP Terms are supplemental to The Myers-Briggs Company Terms, and together form the contract between the Parties.
1. Background
1.1 The Myers-Briggs Company provides goods and/or services to Client which may involve the processing of personal data by The Myers-Briggs Company on behalf of Client as part of the provision of services to Client in the field of business psychology (“Services”), including personal data relating to Client, its personnel and where applicable, its Clients or other individuals with whom Client deals in the course of its business as relevant to the Services (“Relevant Data Subjects”). Further information on the subject matter, nature, purpose and duration of processing in relation to our provision of goods and services is set out from time to time in our Privacy Policy at https://eu.themyersbriggs.com/en/About/Privacy-Policy
2. Description of processing
The processing to be carried out by The Myers-Briggs Company is as follows:
2.1 the subject matter of the processing is as described in clause 1.1 above and the duration of the processing will be throughout the period within which The Myers-Briggs Company performs Services;
2.2 the nature of the processing is as described in clause 1.1 above and the purpose of the processing is to enable The Myers-Briggs Company to perform Services to the Client;
2.3 the personal data to be processed will be any personal data of Relevant Data Subjects provided in order to enable or facilitate the provision of Services by The Myers-Briggs Company as described in clause 1.1 above, and the categories of data subjects are Relevant Data Subjects; and
2.4 the obligations and rights of the data controller in relation to the processing are set out below.
3. Compliance with the Data Protection Regulations
3.1 Each of Client and The Myers-Briggs Company warrants and represents that it will comply (and shall ensure that its staff and/or subcontractors comply) with the Data Protection Regulations in processing personal data in connection with the Services.
4. Relationship and roles of the parties
4.1 In relation to the processing of personal data in connection with Services, the parties acknowledge and agree that:
- 4.1.1 Client is the data controller; and
- 4.1.2 The Myers-Briggs Company is the data processor.
The Myers-Briggs Company agrees that it will process the personal data in accordance with these DP Terms.
5. Responsible individuals and enquiries
5.1 Client and The Myers-Briggs Company will each notify the other from time to time of the individual within its organisation authorised to respond to enquiries regarding the personal data and the processing which is the subject of these DP Terms. Client and The Myers-Briggs Company shall each deal promptly and reasonably with all such enquiries.
5.2 In respect of The Myers-Briggs Company, the individual authorised to respond to such enquiries is The Myers-Briggs Company DPO together with other members of The Myers-Briggs Company Data Protection Team. Any enquiries should be addressed to dpo@themyersbriggs.com. For information on our EU Representative, please see Section 12 of our Privacy Policy.
6. Processing of personal data by The Myers-Briggs Company
In relation to the processing of personal data in connection with the Services, The Myers-Briggs Company shall:
6.1 process the personal data (including when making an international transfer of the personal data) only for the purpose of and to the extent necessary for provision of the Services and then only in accordance with:
- 6.1.1 these DP Terms; and
- 6.1.2 Client's written instructions from time to time,
unless otherwise required by law. Where The Myers-Briggs Company is required by law to process the personal data otherwise than as provided by these DP Terms, it will notify Client before carrying out the processing concerned (unless the law also prevents The Myers-Briggs Company from doing so for reasons of important public interest);
6.2 implement appropriate technical and organisational measures to ensure a level of security appropriate to the risks that are presented by the processing, in particular protection against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed under these DP Terms, as set forth in Exhibit 1;
6.3 take all reasonable steps to ensure that only authorised personnel have access to the personal data and that any persons whom it authorises to have access to the personal data will respect and maintain all due confidentiality in relation to the personal data (including by means of an appropriate contractual duty of confidentiality where the persons concerned are not already under such a duty under the law);
6.4 not engage any sub-processors in the performance of the Services without the prior written consent of Client and otherwise in accordance with clause 7 at all times;
6.5 not do, or omit to do, anything, which would cause Client to be in breach of its obligations under the Data Protection Regulations;
6.6 immediately notify Client if, in The Myers-Briggs Company's opinion, any instruction given to The Myers-Briggs Company infringes the Data Protection Regulations;
6.7 where applicable in respect of any personal data processed in relation to the Services, co-operate with and assist Client in ensuring compliance with:
- 6.7.1 Client's obligations to respond to requests from any data subject(s) seeking to exercise its/their rights under Chapter III of the GDPR, including by notifying Client of any written subject access requests The Myers-Briggs Company receives relating to Client's obligations under the Data Protection Regulations; and
- 6.7.2 Client's obligations under Articles 32 – 36 of the GDPR to:
- (a) ensure the security of the processing;
- (b) notify the relevant supervisory authority, and any data subject(s), where relevant, of any breaches relating to personal data;
- (c) carry out any data protection impact assessments (each a "DPIA") of the impact of the processing on the protection of personal data; and
- (d) consult the relevant supervisory authority prior to any processing where a DPIA indicates that the processing would result in a high risk in the absence of measures taken by Client to mitigate the risk.
6.8 provide assistance where reasonably required by Client in relation to the fulfilment of Client’s obligations to co-operate with the relevant supervisory authority under Article 31 of the GDPR.
7. Sub-processors
7.1 The Myers-Briggs Company will ensure that any sub-processor it engages to provide any services on its behalf in connection with the Services does so only on the basis of a written contract which imposes on such sub-processor terms equivalent to those imposed on The Myers-Briggs Company under these DP Terms or such other alternative terms as may be agreed with Client (the "Relevant Terms"). The Myers-Briggs Company shall procure the performance by the sub-processor of the Relevant Terms and shall be directly liable to Client for:
- 7.1.1 any breach by the sub-processor of any of the Relevant Terms;
- 7.1.2 any act or omission of the sub-processor which causes:
- 7.1.2.1 The Myers-Briggs Company to be in breach of these DP Terms; or
- 7.1.2.2 Client or The Myers-Briggs Company to be in breach of the Data Protection Regulations.
7.3 Notwithstanding clauses 7.1 and 7.2, it is agreed that The Myers-Briggs Company shall be permitted to transfer personal data to such sub-processors as are set forth in the List of Third Party Sub-Processors And International Transfers.
8. Monitoring of The Myers-Briggs Company's performance
8.1 Client is entitled to monitor and audit The Myers-Briggs Company's compliance with the Data Protection Regulations and its obligations in relation to data processing in connection with the Services at any time during normal business hours. The Myers-Briggs Company agrees to provide Client promptly with all access, assistance and information that is reasonably necessary to enable the monitoring and audits concerned. If Client believes that an on-site audit is necessary, The Myers-Briggs Company agrees to give Client reasonable access to its premises (subject to any reasonable confidentiality and security measures), and to any stored personal data and data processing programs it has on-site. Client is entitled to have the audit carried out by a third party.
9. International transfers (including outside the EEA and to third parties)
9.1 We may transfer personal data internationally, including outside the EEA, and to any third party located internationally (including to The Myers-Briggs Company Limited in the UK in respect of EU personal data, and to our parent company, The Myers-Briggs Company, in the US) where we are permitted to do so for that transfer under Articles 44 to 49 of the GDPR. Where we transfer EU personal data to The Myers-Briggs Company Limited in the UK, this is covered by the European Commission’s decision on adequacy dated 28th June 2021, and where the transfer is to our parent company in the US, this is under EU standard contractual clauses.
9.2 For the purposes hereof, it is agreed that The Myers-Briggs Company shall be permitted to transfer personal data internationally, including outside the EEA, and to such third parties as set forth in the List of Third Party Sub-Processors And International Transfers, provided the appropriate safeguard mechanisms remain in place.
10. Completion of Services
10.1 Upon completion of the Services, The Myers-Briggs Company will at Client's discretion, on receipt of Client’s instruction, delete or return to Client all personal data (including copies) processed in connection with the Services, except to the extent that The Myers-Briggs Company is required by law to retain any copies of the personal data, and save to the extent that The Myers-Briggs Company receives instructions to the contrary from any Client Data Subject.
11. Governing Law
11.1 These DP Terms shall be governed by the laws of England and Wales and the courts of London, England shall have exclusive jurisdiction.
12. Definitions
12.1 For the purposes of these DP Terms, defined terms used are as follows:
Data Protection Regulations
means all laws applicable to any personal data processed under or in connection with the Contract, including:
all as amended, re-enacted and/or replaced and in force from time to time; and

Services
means any goods and/or services provided to Client under The Myers-Briggs Company Terms of Business.
The terms personal data; data controller; data processor; processing; and supervisory authority used in these DP Terms shall have the meaning given in the Data Protection Regulations.
Exhibit 1
The Myers-Briggs Company Technical and Organisational Measures
Key Controls
1.1 The Myers-Briggs Company’s Information Security Management System and Data Protection systems detail:
- Policy;
- Governance;
- Process and procedures;
- Roles and responsibilities;
- Assurance process;
- Risk assessment process including DPIAs; and
- Improvement plans.
1.2 The Myers-Briggs Company’s Physical Security measures include:
- ISO 27001-certified datacentres used to provide colocation for systems and services;
- The fitting of appropriate locks and other physical controls to the doors and windows of rooms where computers are kept, including swipecard entry;
- Physically securing unattended laptops (e.g. by locking them in a secure drawer or cupboard);
- Ensuring control of and security of all removable media, such as removable hard-drives, CDs, floppy disks and USB drives, attached to business-critical assets;
- Destroying or removing all business-critical information from media such as CDs, and floppy disks before disposing of them;
- Ensuring that all business-critical information is removed from the hard drives of any used computers before disposing of them; and
- Storing back-ups of business-critical information off-site and/or in a fire- and water-proof container.
1.3 The Myers-Briggs Company’s Access Controls measures include:
- Using unique passwords that are not obvious, and changing them regularly;
- Using complex password policies;
- Ensuring that employees understand good password security;
- Auditing unauthorised logins; and
- Monitoring for account compromise and suspicious activity.
1.4 The Myers-Briggs Company’s Security and Privacy Technologies include:
- Ensuring that all computers used have anti-virus software installed, and that the virus definitions are updated at least once a week. All incoming and outgoing traffic is scanned for viruses, as is any disk or CD that is used, even where it comes from a ‘trusted’ source. At least once a month, computers are scanned for viruses.
1.5 The Myers-Briggs Company’s awareness, training and security checks in relation to personnel include:
- Performing integrity checks on all new employees to ensure that they have not lied about their background, experience or qualifications;
- Giving all new employees a simple introduction to information security, and ensuring that they have read and understand The Myers-Briggs Company’s Information Security Policy and Data Protection Policy;
- Ensuring employees know where to find details of the Information Security standards and procedures relevant to their role and responsibilities;
- Ensuring that employees have access only to the information assets they need to do their jobs. If employees change jobs, we ensure that they do not retain access to the assets they needed for their old job. When dismissing employees, we ensure that they do not take with them any business-critical information;
- Ensuring that no ex-employees have access rights to The Myers-Briggs Company systems; and
- Ensuring employees know about the common methods that can be used to compromise systems.
1.6 The Myers-Briggs Company’s Incident Response Management and Business Continuity measures include:
- Ensuring that employees understand what is meant by a Security Incident, being any event that can damage or compromise the confidentiality, integrity or availability of The Myers-Briggs Company’s business-critical information or systems;
- Ensuring that employees are trained to recognise the signs of Security Incidents;
- Ensuring that employees receive training on the need to notify anything which may be a sign of a Security Incident and are kept informed as to the identity of the person to whom such notifications should be made;
- Ensuring that if a Security Incident occurs, employees know who to contact and how;
- Having in place a Business Continuity Plan to assure business continuity in the event of a serious Security Incident. The Plan specifies:
- Designated people involved in the response;
- External contacts, including law enforcement, fire services and, where needed, technical experts;
- Contingency plans for foreseeable incidents such as:
- Power loss;
- Natural disasters and serious accidents;
- Data compromise;
- No access to premises;
- Loss of essential employees;
- Equipment failure; and
- Pandemic.
- Ensuring that the Business Continuity Plan is issued to all required employees and is tested at least once a year, regardless of whether there has been a Security Incident; and
- After every incident when the Business Continuity Plan is used, and after every test, re-examining and updating, where necessary, the Business Continuity Plan using the lessons learned.
1.7 The Myers-Briggs Company’s Audit Controls/Due Diligence include:
Ensuring that appropriate security audit arrangements are in place including:
- Auditing of who has access to its systems;
- Logging of such access to the systems; and
- Auditing of compliance with security procedures.
The Myers-Briggs Company Limited
Registered in England and Wales
Company Number 2218212