Privacy Policy

This policy explains how both parties keep and protect data, to ensure both the companies involved and the end customers are protected

BETWEEN:

(1) Broker Admin Technology Ltd hereinafter called “BAT”

and

(2) The Member – as defined

THE PARTIES HEREBY MUTUALLY AGREE AS FOLLOWS:

  1. The Member and BAT will comply with the General Data Protection Regulation (GDPR) and any related national legislation (‘Data Protection Legislation’) applicable to any personal data processed as part of the products and services you receive from us. We may process personal data in connection with the provision of the services and products and in accordance with the law.
  2. Where BAT process data supplied by the member in relation to the products and services BAT provide as your Processor (as defined by the ‘Data Protection Legislation’)
    1. The subject matter, nature, purpose and duration of the supplied personal data processing is for Client Management System services.
    2. BAT will only process the supplied personal data on your documented instructions, unless required to process it for purposes set out by Law, in which case BAT will give notice unless required by law to act without these instructions. (Article 29 GDPR).
      1. BAT will comply with the obligations of a processor under article 28(3)(b) to 28(3)(h) of the GDPR. However, the member may not instruct us to delete copies of data BAT holds as a Controller (as defined in the GDPR).
      2. BAT must ensure that people processing the data are subject to a duty of confidence;
      3. BAT must take appropriate measures to ensure the security of processing;
      4. BAT must only engage a sub-processor with the prior consent of the member (the data controller) and a written contract;(Article 28.2 GDPR)
      5. BAT must assist the member (the data controller) in providing subject access and allowing data subjects to exercise their rights under the GDPR;
      6. BAT must assist the member (the data controller) in meeting its GDPR obligations in relation to the security of processing, the notification of personal data breaches and data protection impact assessments;
      7. BAT must delete or return all personal data to the member as requested at the end of the contract; and
      8. BAT must submit to audits and inspections, provide the member (the controller) with whatever information it needs to ensure that they are both meeting their Article 28 obligations, and tell the member (the controller) immediately if it is asked to do something infringing the GDPR or other data protection law of the EU or a member state.
  3. Nothing within this contract relieves BAT of its own direct responsibilities and liabilities under the GDPR; namely that BAT
    1. only act on the written instructions of the controller, the member (Article 29);
    2. not use a sub-processor without the prior written authorisation of the controller, the member (Article 28.2);
    3. co-operate with supervisory authorities (such as the ICO) in accordance with Article 31;
    4. ensure the security of its processing in accordance with Article 32;
    5. keep records of its processing activities in accordance with Article 30.2;
    6. notify any personal data breaches to the controller, the member in accordance with Article 33;
  4. This amended contract reflects any indemnity that has been agreed.

BAT is aware that:

  1. it may be subject to investigative and corrective powers of supervisory authorities (such as the ICO) under Article 58 of the GDPR;
  2. if it fails to meet its obligations, it may be subject to an administrative fine under Article 83 of the GDPR;
  3. if it fails to meet its GDPR obligations it may be subject to a penalty under Article 84 of the GDPR; and
  4. if it fails to meet its GDPR obligations it may have to pay compensation under Article 82 of the GDPR.

The member confirms that any supplied data provided to BAT by the member behalf has been collected and disclosed in accordance with Data Protection Legislation. When using BAT’s products and services, the member will take reasonable steps to ensure that the member and its employees, agents and contractors do not input, upload or disclose to us any irrelevant or unnecessary information about individuals.

SECURITY OBLIGATIONS

The member and BAT will each maintain and will require the member and BAT’s processors to maintain appropriate physical, technical and organisational measures to protect data against accidental, unauthorised or unlawful destruction, loss, alteration, disclosure or access (Data Breach). the member will without delay tell us of any actual or suspected non-trivial Data Breach relating to personal data that may also impact BAT or the security of BAT’s systems, products or services. Where BAT acts as the member processor, we will notify the member, without any undue delay, of any non-trivial Data Breach that may adversely affect the supplied personal data.

GOVERNING LAW

This Agreement shall be governed by and construed in accordance with the national law of England in which the Processor is established AS WITNESS this Agreement has been signed on behalf of each of the parties by its duly authorised representative on the day and year first above written.

SIGNED on behalf of BAT
Dan Rey
Head of IT