GDPR: Clients

In-country Limited provides services to clients as described in digital or written contracts which are agreed upon and signed by both parties (In-country Limited and the Client) on or prior to commencement of the services. Data processing and data protection agreements are part of these contracts and ensure the following.

Data Protection Law

In-country ensures that the Company and the Client are subject to written contractual obligations concerning the personal data (including obligations of confidentiality). All of In-country’s data protection and privacy legislation comply with the General Data Protection Regulation ((EU) 2016/679), the Data Protection Act 2018, any other European Union legislation relating to personal data; and all other legislation and regulatory requirements relating to the use of personal data.
Controller, processor, data subject, personal data, personal data breach, processing and appropriate technical and organisational measures have the meanings as set out in the UK Data Protection Legislation in force at the time.
In-country ensures that it has all necessary notices and consents in place to enable lawful transfer of the personal data to the Client for the agreed purposes.
In-country does not transfer any personal data received from the Data Discloser outside the EEA unless the transferor: (i) complies with the provisions of Articles 26 of the GDPR (in the event the third party is a joint controller); and (ii) ensures that (1) the transfer is to a country approved by the European Commission as providing adequate protection pursuant to Article 45 of the GDPR; or (2) there are appropriate safeguards in place pursuant to Article 46 GDPR; or (3) Binding corporate rules are in place or (4) one of the derogations for specific situations in Article 49 GDPR applies to the transfer.

Purpose of Data Transfers

Personal data shall be processed only for the purposes of complying with the requirements written in the contract with the Client, and for any legal or statutory obligations.
In-country consents to the Client holding and processing of relevant personal data for legal, personnel, administrative and management purposes and in particular to the processing of any sensitive personal data (as defined in the Data Protection Act 2018).
In-country agrees to process the personal data only on behalf of the Client and in compliance with the applicable data protection law. If In-country cannot provide such compliance for whatever reasons, it agrees to inform promptly the Client of its inability to comply.

Confidentiality

In-country undertakes that it does not disclose to any person any confidential information concerning the business, affairs, customers, clients or suppliers of the other party, except to its employees and as may be required by law.
In-country does not use the other party’s confidential information for any purpose other than to exercise its rights and perform its obligations as agreed upon.
In-country does not disclose or allow access to the personal data to anyone other than the Client.
In-country agrees at the request of the Client to submit its data-processing facilities for audit of the processing activities which shall be carried out by the Client or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality.

Data Transfer Processes

In-country ensures that it has in place appropriate technical and organisational measures, reviewed and approved by the Client, to protect against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
In-country provides the other party with contact details of at least one employee as point of contact and responsible manager for all issues arising out of the UK Data Protection Legislation, including the joint training of relevant staff, the procedures to be followed in the event of a data security breach, and the regular review of the parties’ compliance with the UK Data Protection Legislation.
In-country agrees that in the event of sub-processing, it has previously informed the Client and obtained its prior written consent.

Data Protection

In-country uses compatible technology for the processing of personal data to ensure that there is no lack of accuracy resulting from personal data transfers.
In-country will notify the Client without undue delay on becoming aware of any breach of the Data Protection Legislation.
In-country and the Client shall indemnify the other against all liabilities, costs, expenses, damages and losses (including but not limited to any direct, indirect or consequential losses, loss of profit, loss of reputation and all interest, penalties and legal costs (calculated on a full indemnity basis) and all other reasonable professional costs and expenses suffered or incurred by the indemnified party arising out of or in connection with the breach of the UK Data Protection Legislation by the indemnifying party, its employees or agents, provided that the indemnified party gives to the indemnifier prompt notice of such claim, full information about the circumstances giving rise to it, reasonable assistance in dealing with the claim and sole authority to manage, defend and/or settle.
In-country agrees that on the termination of the provision of data-processing services, In-country, at the choice of the Client, will return all the personal data transferred and the copies thereof to the Client or shall destroy all the personal data and certify to the Client that it has done so, unless legislation imposed upon the data importer prevents it from returning or destroying all or part of the personal data transferred. In that case, In-country warrants that it will guarantee the confidentiality of the personal data transferred and will not actively process the personal data transferred anymore.