This Service Level Agreement (“Agreement“),
(I) SHEQ PORTAL, LTD. (“Controller/Provider “) acting on its own behalf;
COMPANY (“Processor/Customer“) acting on its own behalf and as agent for each Company Affiliate.
The terms used in this Agreement shall have the meanings set forth in this Agreement. Capitalised terms not otherwise defined herein shall have the meaning given to them in the Principal Agreement. Except as modified below, the terms of the Principal Agreement shall remain in full force and effect.
In consideration of the mutual obligations set out herein, the parties hereby agree that the terms and conditions set out below shall be added as an Addendum to the Principal Agreement. Except where the context requires otherwise, references in this Addendum to the Principal Agreement are to the Principal Agreement as amended by, and including, this Addendum
1. Agreement Overview
This Service Level Agreement (SLA) remains valid until mutually endorsed by the stakeholders. This SLA supplement the SHEQ PORTAL LTD. General Terms and Conditions of Business which is attached in Appendix 1 of this document. In the case of any conflict between the SLA, the General Terms and Conditions, and the Data Processing Agreement at Appendix 2, the order of priority shall be (1) the Data Processing Agreement, (2) the SLA, and (3) the General Terms and Conditions.
2. Goals & Objectives
The goal of this Agreement is to obtain mutual agreement between the Service Provider(s) and Customer(s).
The objectives of this Agreement are to:
- Provide a thorough understanding of service ownership and the roles and responsibilities.
- This Agreement represents a concise description of the services provided by the Service Provider.
- Match perceptions of expected service provision with actual service support & delivery.
The following Service Provider(s) and Customer(s) will be used as the basis of the Agreement and represent the primary stakeholders associated with this SLA:
Service Provider(s): SHEQ PORTAL, LTD. (“Controller/Provider”)
Customer(s): COMPANY (“Processor/Customer”)
4. Periodic Review
The terms stated in the Agreement shall be valid from the Effective Date. The revisions to this agreement shall be carried out every fiscal year, however, during the revision, the current Agreement shall be considered valid.
Review Period: Annually
Previous Review Date: 26th January 2021
SHEQ PORTAL LTD. has implemented ISO 27001 and maintains the required protocols in order to ensure that clients’ requirements are being met to the highest standards.
6. Confidentiality and Record-Keeping
SHEQ PORTAL LTD. will maintain confidentiality and will adhere to all requirements of the Data Protection legislation. Any breach of this obligation shall entitle the CLIENT to terminate this SLA with immediate effect and SHEQ PORTAL, LTD. will indemnify CLIENT against all liabilities, costs, expenses, damages and losses (including but not limited to any direct, indirect or consequential losses, loss of profit, loss of reputation and all interest, penalties and legal costs (calculated on a full indemnity basis) and all other reasonable professional costs and expenses) suffered or incurred by CLIENT arising out of or in connection with such breach.
7. Service Agreement
The following are the responsibility of the Service Provider in the ongoing support of this Agreement.
A. Service Scope
The following Services are covered by this Agreement (for more information please go to Appendixes 1 and 2):
a) Manual Handling
b) DSE – Display Screen Equipment Assessment
c) Contractor Portal
B. Customer Requirements
Customer responsibilities and/or requirements in support of this Agreement include:
I. Payment for all support costs at the agreed interval.
C. Service Provider Requirements
Service Provider responsibilities and/or requirements in support of this Agreement include:
I. Adhering to appropriate response times associated with service-related incidents.
II. Advance notification to the Customer for all maintenance.
D. Service Assumptions
Assumptions related to in-scope services and/or components include:
I. Changes to services will be communicated and documented to all stakeholders.
8. Service Management
For maintaining adequate customer-support levels, this Agreement lists the available scope of services/solutions provided by the Service Provider. This lists details regarding availability, monitoring, and other relevant factors.
A. Service Availability
I. Coverage parameters specific to the service(s) covered in this Agreement are as follows:
Telephone support: 0900 A.M. to 1700. Monday – Friday
II. Calls received out of office hours will be forwarded to a mobile phone and best efforts will be made to answer / action the call, however, there will be a backup answer phone service:
Email support: Monitored 0800 to 1800 Monday – Friday
III. Emails received outside of office hours will be collected, however, no action can be guaranteed until the next working day.
B. Service Requests
In support of services outlined in this Agreement, the Service Provider will respond to service-related incidents and/or requests submitted by the Customer within the following time frames:
I. 0-8 hours (during business hours) for issues classified as High priority.
II. Within 48 hours for issues classified as Medium priority.
III. Within 5 working days for issues classified as Low priority.
Remote assistance will be provided in-line with the above timescales dependent on the priority of the support request.
Any amendments and/or variations to this SLA can only be made with agreement from both parties and must be written with both parties’ signatures. Please also refer to the General Terms and Conditions of Business.
APPENDIX 1 – GENERAL TERMS AND CONDITIONS OF BUSINESS
- When you register with the Company and/or this Site, you expressly consent to receive any notices, announcements, agreements, disclosures, reports, documents, communications concerning new products or services, or other records or correspondence from the Company. You consent to receive notices electronically by way of transmitting the notice to you by email.
- While the Company uses reasonable efforts to include accurate and up-to-date information in the Site, the Company makes no warranties or representations as to its accuracy. The Company assumes no liability or responsibility for any errors or omissions in the content of the Site or related products.
- If you send comments or suggestions about the Site to the Company, including, but not limited to, notes, text, drawings, images, designs or computer programs, such submissions shall become, and shall remain, the sole property of the Company. No submission shall be subject to any obligation of confidence on the part of the Company. The Company shall exclusively own all rights to (including intellectual property rights thereto), and shall be entitled to unrestricted use, publication, and dissemination as to all such submissions for any purpose, commercial or otherwise without any acknowledgment or compensation to you.
- The Company shall use commercially reasonable efforts to restrict unauthorized access to our data and files. However, no system whether or not password protected can be entirely impenetrable. You acknowledge that it may be possible for an unauthorized third party to access, view, copy, modify, or distribute the data and files you store using the Site. Use of the Site and related products is completely at your own risk.
- NEITHER THE COMPANY NOR ANY OTHER PARTY INVOLVED IN CREATING, PRODUCING, OR MAINTAINING THE SITE AND/OR ANY CONTENT ON THE SITE SHALL BE LIABLE UNDER ANY CIRCUMSTANCES FOR ANY DIRECT, INCIDENTAL, CONSEQUENTIAL, INDIRECT, OR PUNITIVE DAMAGES ARISING OUT OF YOUR ACCESS TO OR USE OF THE SITEOR USE OF RELATED PRODUCTS SUCH AS THE MANUAL HANDLING APP OR DISPLAY SCREEN ASSESSMENT TOOL ETC. WITHOUT LIMITING THE FOREGOING, ALL CONTENT ON THE SITE IS PROVIDED “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. THE COMPANY DOES NOT WARRANT OR MAKE ANY REPRESENTATIONS REGARDING THE USE OF THE MATERIALS IN THE SITE, THE RESULTS OF THE USE OF SUCH MATERIALS, THE SUITABILITY OF SUCH MATERIALS FOR ANY USER’S NEEDS OR THE LIKELIHOOD THAT THEIR USE WILL MEET ANY USER’S EXPECTATIONS, OR THEIR CORRECTNESS, ACCURACY, RELIABILITY, OR CORRECTION. THE COMPANY LIKEWISE DOES NOT WARRANT OR MAKE ANY REPRESENTATIONS OR GUARANTEES THAT YOU WILL EARN ANY MONEY USING THE SITE OR THE COMPANY’S TECHNOLOGY OR SERVICES. YOU ACCEPT ALL RESPONSIBILITY FOR EVALUATING YOUR OWN EARNING POTENTIAL AS WELL AS EXECUTING YOUR OWN BUSINESS AND SERVICES. YOUR EARNING POTENTIAL IS ENTIRELY DEPENDENT ON YOUR OWN PRODUCTS, IDEAS, TECHNIQUES; YOUR EXECUTION OF YOUR BUSINESS PLAN; THE TIME YOU DEVOTE TO THE PROGRAM, IDEAS AND TECHNIQUES OFFERED AND UTILIZED; AS WELL AS YOUR FINANCES, YOUR KNOWLEDGE AND YOUR SKILL. SINCE THESE FACTORS DIFFER AMONG ALL INDIVIDUALS, THE COMPANY CANNOT AND DOES NOT WARRANT OR MAKE ANY REPRESENTATIONS OR GUARANTEES REGARDING YOUR SUCCESS OR INCOME LEVEL. THE COMPANY DOES NOT WARRANT THAT USE OF THE MATERIALS WILL BE UNINTERRUPTED OR ERROR FREE, THAT DEFECTS WILL BE CORRECTED, OR THAT THIS SITE, THE CONTENT, AND/OR THE MATERIALS AVAILABLE ON THIS SITE ARE FREE FROM BUGS OR VIRUSES OR OTHER HARMFUL COMPONENTS. YOU ASSUME ALL RESPONSIBILITY FOR THE COST OF ALL NECESSARY REPAIRS OR CORRECTIONS. THE COMPANY SHALL NOT BE RESPONSIBLE FOR ANY PERFORMANCE OR SERVICE PROBLEMS CAUSED BY ANY THIRD-PARTY WEBSITE OR THIRD-PARTY SERVICE PROVIDER. ANY SUCH PROBLEM SHALL BE GOVERNED SOLELY BY THE AGREEMENT BETWEEN YOU AND THAT PROVIDER. Please note that the applicable jurisdiction may not allow the exclusion of implied warranties. Some of the above exclusions may thus not apply to you.
- IN NO EVENT SHALL THE COMPANY BE LIABLE FOR ANY SPECIAL, INCIDENTAL, INDIRECT, PUNITIVE, RELIANCE OR CONSEQUENTIAL DAMAGES, WHETHER FORESEEABLE OR NOT, INCLUDING, BUT NOT LIMITED TO, DAMAGE OR LOSS OF PROPERTY, EQUIPMENT, INFORMATION OR DATA, LOSS OF PROFITS, REVENUE OR GOODWILL, COST OF CAPITAL, COST OF REPLACEMENT SERVICES, OR CLAIMS FOR SERVICE INTERRUPTIONS OR TRANSMISSION PROBLEMS, OCCASIONED BY ANY DEFECT IN THE SITE, THE CONTENT, AND/OR RELATED MATERIALS, THE INABILITY TO USE SERVICES PROVIDED HEREUNDER OR ANY OTHER CAUSE WHATSOEVER WITH RESPECT THERETO, REGARDLESS OF THEORY OF LIABILITY. THIS LIMITATION WILL APPLY EVEN IF THE COMPANY HAS BEEN ADVISED OR IS AWARE OF THE POSSIBILITY OF SUCH DAMAGES.USERS OFPRODUCTS SUCH AS THE APP MUST DETERMINE THEMSELVES IF IT MEETS ALL THEIR REQUIREENTS AND ANY RELVANT LEGAL AND OTHER REQUIRMEENT THAT MATY APPLY.
- Use the products e.g., Manual Handling APP, only when instructed to do so by the trainer and following completion of the theoretical training course. Only compete the tasks that have been specified by your trainer. Do not complete the tasks if you are not medically fit to do so or are pregnant. Do not attempt the tasks if you are not comfortable doing so. The producers of the APP accept no liability for any injury sustained during the lifting exercises or use of the APP.
- You agree to indemnify and hold the Company and each of its directors, officers employees, and agents, harmless from any and all liabilities, claims, damages and expenses, including reasonable attorney’s fees, arising out of or relating to (i) your breach of this Agreement, (ii) any violation by you of law or the rights of any third party, (iii) any materials, information, works and/or other content of whatever nature or media that you post or share on or through the Site, (iv) your use of the Site or any services that the Company may provide via the Site, and (v) your conduct in connection with the Site or the services or with other users of the Site or the services. The Company reserves the right to assume the exclusive defense of any claim for which we are entitled to indemnification under this Section. In such event, you shall provide the Company with such cooperation as is reasonably requested by the Company.
- This agreement shall be governed by and construed in accordance with the laws of Ireland, without giving effect to any principles of conflicts of law. You further submit to the exclusive jurisdiction of Ireland, If any provision of this agreement shall be unlawful, void, or for any reason unenforceable, then that provision shall be deemed severable from this agreement and shall not affect the validity and enforceability of any remaining provisions.
APPENDIX 2 – DATA PROCESSING AGREEMENT
This Data Processing Agreement (“Agreement“),
SHEQ PORTAL, LTD. (“Controller/Provider/ Processor / Joint Processor “) acting on its own behalf; and
CLIENT (“Processor/Customer“) acting on its own behalf and as agent for each Company Affiliate.
- Under an agreement between the Data Controller and the Data Processor – Service Level Agreement (SLA) / Data Processing Agreement (DPA) – the Data Processor provides to the Data Controller the Services described in Appendix 3.
- The provision of the Services by the Data Processor involves it in processing the Personal Data on behalf of the Data Controller – please refer to our Privacy and Personal Data Protection Policy, provided as an attachment to this SLA.
- Under EU Regulation 2016/679 General Data Protection Regulation (“the GDPR”) (Article 28, paragraph 3), the Data Controller is required to put in place an agreement in writing between the Data Controller and any organisation which processes personal data on its behalf governing the processing of that data.
- The Parties have agreed to enter into this Agreement to ensure compliance with the said provisions of the GDPR in relation to all processing of the Personal Data by the Data Processor for the Data Controller.
- The terms of this Agreement are to apply to all processing of Personal Data carried out for the Data Controller by the Data Processor and to all Personal Data held by the Data Processor in relation to all such processing.
1.1 Data Protection Legislation: The General Data Protection Regulation ((EU) 2016/679) (GDPR) and any national implementing laws, regulations, and secondary legislation, as amended or updated from time to time.
1.2 Data Controller, Data Processor, processing, and data subject: shall have the meanings given to the terms “controller”, “processor”, “processing”, and “data subject” respectively in Article 4 of the GDPR.
1.3 DCO: means the Irish supervisory authority, the Data Commissioner’s Office.
1.4 Personal Data: means all such “personal data”, as defined in Article 4 of the GDPR, as is, or is to be, processed by the Data Processor on behalf of the Data Controller.
1.5 Services: means those services AND/OR solutions described in Appendix 1 which are provided by the Data Processor to the Data Controller and which the Data Controller uses for the purpose[s] described in Appendix 1;
1.6 Standard Contractual Clauses: means the European Commission’s Standard Contractual Clauses for the transfer of Personal Data from the European Union to data processors established in third countries (controller-to-processor transfers), as set out in the Annex to Commission Decision 2010/87/EU.
1.7 Sub-Processor: means a sub-contractor appointed by the Data Processor to process the Personal Data.
1.8 Sub-Processor Agreement: means an agreement between the Data Processor and a Sub-Processor governing the Personal Data processing carried out by the Sub-Processor, as described in Clause 10.
1.9 Term: means the term of this Agreement, as set out in sub-Clause 14.1.
All terms used herein with capital letters and not otherwise defined shall have the meaning set forth in the GDPR.
2. Scope and Application of this Agreement
2.1 The provisions of this Agreement shall apply to the processing of the Personal Data described in Appendix 2, carried out for the Data Controller by the Data Processor, and to all Personal Data held by the Data Processor in relation to all such processing whether such Personal Data is held at the date of this Agreement or received afterwards.
2.2 In the event of any conflict or ambiguity, the following shall apply:
2.2.1 Where there is any conflict or ambiguity between a provision contained in the body of this Agreement and any provision contained in a Schedule to this Agreement, the provision in the body of this Agreement shall prevail.
2.2.2 Where there is any conflict or ambiguity between the terms of any invoice or other document annexed to this Agreement and any provision contained in a Schedule to this Agreement, the provision contained in the Schedule shall prevail.
2.2.3 Where there is any conflict or ambiguity between a provision of this Agreement and a provision of the Service Agreement, the provision in this Agreement shall prevail; and
2.2.4 Where there is any conflict or ambiguity between a provision of this Agreement and any executed Standard Contractual Clauses, the provisions of the executed Standard Contractual Clauses shall prevail.
3. Provision of the Services and Processing Personal Data
3.1 The Data Processor is only to carry out the Services, and only to process the Personal Data received from the Data Controller:
3.1.1 for the purposes of those Services and not for any other purpose;
3.1.2 to the extent and in such a manner as is necessary for those purposes; and
3.1.3 strictly in accordance with the express written authorisation and instructions of the Data Controller (which may be specific instructions or instructions of a general nature or as otherwise notified by the Data Controller to the Data Processor).
3.2 The Data Controller shall retain control of the Personal Data and shall remain responsible for its compliance obligations under the Data Protection Legislation including, but not limited to, providing the required notices, and obtaining any required consents, and for any and all processing instructions it gives to the Data Processor.
4. Rights and Obligations of the Parties
4.1 Both parties will comply with all applicable requirements of the Data Protection Legislation. This DPA is in addition to, and does not relieve, remove, or replace, a party’s obligations under the Data Protection Legislation.
4.2 The parties acknowledge that for the purposes of the Data Protection Legislation, the Customer is the Data Controller, and the Provider is the Data Processor (where Data Controller and Data Processor have the meanings as defined in the Data Protection Legislation). Appendix 2 to this DPA sets out the scope, nature, and purpose of processing by the Provider, the duration of the processing and the types of personal data (as defined in the Data Protection Legislation, Personal Data) and categories of data subjects.
4.3 Without prejudice to the generality of clause 1.1, the Customer will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the Personal Data to the Provider for the duration and purposes of this agreement.
4.4 Without prejudice to the generality of clause 1.1, the Provider shall, in relation to any Personal Data processed in connection with the performance by the Provider of its obligations under this agreement:
- process any Personal Data only in accordance with Customer’s written instructions and for the purpose of carrying out its obligations under the Principal Agreement unless the Provider is required by the laws of any member of the European Union or by the laws of the European Union applicable to the Provider to process Personal Data (Applicable Laws). Where the Provider is relying on Applicable Laws as the basis for processing Personal Data, the Provider shall promptly notify the Customer of this before processing any data as required by the Applicable Laws unless the Applicable Laws prohibit the Provider from notifying the Customer;
- ensure that Provider shall structure Provider’s internal corporate organisation to ensure compliance with the specific requirements of the protection of Personal Data. Provider shall take the appropriate technical and organisational measures to adequately protect Customer’s Personal Data against misuse and loss in accordance with the applicable Data Protection Legislation and Description of the Technical and Organizational Security Measures (attachment to Appendix 4). The technical and organizational measures shall be set in relation to how sensitive the Personal Data is, the risks of varying likelihood and severity for the rights and freedoms of natural persons that are associated with the processing as well as the nature, scope, context and purposes of the processing. In assessing the appropriate level of security, the Provider shall particularly take into account the risks that are presented by processing, especially the risks for accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to the Personal Data. The appropriate level of security shall be further set taking into account the technical possibilities available and the costs associated with implementing the measurements. The Personal Data shall be protected against any accidental or unlawful processing, such as accidental, unauthorized or unlawful destruction, loss, alteration, unauthorized disclosure or access.
- The Provider shall maintain, in electronic form, accurate and up-to-date records of all processing of Personal data, such as which persons have access to the Personal Data and in which locations the Personal Data are being Processed pursuant to this Agreement and the Principal Agreement, as well as all other information as set forth in the provisions concerning records of processing activities of the GDPR.
- ensure that all personnel who have access to and/or process Personal Data are obliged to keep the Personal Data confidential; and
- assist the Customer in responding to any request from a Data Subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators;
- notify the Customer without undue delay but not later than 24 hours upon discovery of any completed or attempted case of accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to of the Personal Data;
- consents that the Customer, or an independent third-party auditor mandated by the Customer, has a right to control and audit that the Processor complies with its obligations stated in this DPA and with the instructions issued by Controller. The Processor agrees to contribute to such audits and to cooperate with the Controller in this regard and upon request provide any relevant documentation needed in order to carry out such audit.
- at the written direction of the Customer, delete or return Personal Data and copies thereof to the Customer on termination of the agreement unless required by Applicable Laws to store the Personal Data; and
- maintain complete and accurate records and information to demonstrate its compliance with this DPA and allow for audits by the Customer or the Customer’s designated auditor.
5. Data Protection Compliance, Transfer of Personal Data and Third-Party Processor
5.1 All instructions given by the Data Controller to the Data Processor shall be made in writing and shall at all times be in compliance with the Data Protection Legislation and other applicable laws. The Data Processor shall act only on such written instructions from the Data Controller unless the Data Processor is required by law to do otherwise.
5.2 The Data Processor shall promptly comply with any request from the Data Controller requiring the Data Processor to amend, transfer, delete, or otherwise dispose of the Personal Data, or to cease, mitigate, or remedy any authorised processing.
5.3 The Data Processor shall transfer all Personal Data to the Data Controller on the Data Controller’s request in the formats, at the times, and in compliance with the Data Controller’s written instructions.
5.4 Both Parties shall comply at all times with the Data Protection Legislation and shall not perform their obligations under this Agreement or any other agreement or arrangement between themselves in such way as to cause either Party to breach any of its applicable obligations under the Data Protection Legislation.
5.5 The Data Controller hereby warrants, represents, and undertakes that the Personal Data and its use with respect to the Service Agreement and this Agreement shall comply with the Data Protection Legislation in all respects including, but not limited to, its collection, holding, and processing.
5.6 Provider shall not transfer any Personal Data outside of the European Economic Area unless the prior written consent of the Customer has been obtained and is carried out in accordance with the conditions stipulated in chapter V of the GDPR and this DPA.
5.7 Provider may only instruct a third party (Third-Party Processor) to process Customer’s Personal Data on Provider’s behalf with Customer’s prior written consent. If such consent is received the Processor may only engage a Third-Party Processor in compliance with the provisions concerning Processors in the GDPR and always provided that such engagement will be under a written agreement with the sub-processor under which the sub-processor is imposed the substantially same obligations as the Processor is under this DPA. The Customer consents to the Provider appointing the companies referred to in Appendix 2 (“Approved Third Party Processors”) as a third-party processor of Personal Data under this agreement. The Processor shall inform the Controller of any and all newly engaged sub-processors processing Personal Data.
5.8 In case the Third-Party Processor is located outside of the European Economic Area Provider shall ensure that the requirements according to clause 2.1 of this DPA are met. As between the Customer and the Provider, the Provider shall remain fully liable for all acts or omissions of any Third-Party Processor appointed by Provider.
6. Data Processor’s Personnel
6.1 The Data Processor shall ensure that all personnel who are to access and/or process any of the Personal Data:
6.1.1 are aware both of the Data Processor’s duties and obligations, and of their own individual duties and obligations under this Agreement and the Data Protection Legislation;
6.1.2 have been given suitable training on the Data Protection Legislation with respect to the handling of Personal Data and how the Data Protection Legislation applies to their particular duties; and
6.1.3 are contractually obliged to keep the Personal Data confidential.
6.2 The Data Processor shall take reasonable steps to ensure the reliability, integrity, and trustworthiness of all personnel who are to access and/or process any of the Personal Data (carrying out background checks permissible by law where appropriate).
The Data Processor shall implement suitable technical and organisational security measures in order to protect the Personal Data against unauthorised or unlawful access, processing, disclosure, copying, alteration, storage, reproduction, display, or distribution; and against loss, destruction, or damage, whether accidental or otherwise. Such measures shall include, but not be limited to, those set out in Appendix 4. Such measures shall be fully documented in writing by the Data Processor and be reviewed at least annually to ensure that they remain up-to-date, complete, and appropriate. The Data Processor shall inform the Data Controller in advance of any changes to such measures.
8. Appointment of Sub-Processors
8.1 The Data Processor shall not sub-contract any of its obligations or rights under this Agreement without the prior written consent of the Data Controller.
8.2 In the event that the Data Processor appoints a Sub-Processor (with the written consent of the Data Controller), the Data Processor shall:
8.2.1 enter into a Sub-Processing Agreement with the Sub-Processor which shall impose upon the Sub-Processor the same obligations as are imposed upon the Data Processor by this Agreement and which shall permit both the Data Processor and the Data Controller to enforce those obligations;
8.2.2 provide copies of any and all Sub-Processing Agreements entered into to the Data Controller;
8.2.3 ensure that the Sub-Processor complies fully with its obligations under the Sub-Processing Agreement and the Data Protection Legislation and does not process any of the Personal Data except on the instructions from the Data Controller.
8.3 The Data Processor shall maintain control over all Personal Data transferred to any Sub-Processor.
8.4 In the event that a Sub-Processor fails to meet its obligations under any Sub-Processing Agreement, the Data Processor shall remain fully liable to the Data Controller for failing to meet its obligations under this Agreement.
8.5 Any and all Sub-Processing Agreements entered into shall terminate automatically on termination of this Agreement for any reason.
8.6 The Data Processor shall, on the Data Controller’s written request, audit the compliance of any Sub-Processor with its obligations with respect to the Personal Data and shall provide the Data Controller with the results of such audits.
9. Cross-Border Transfers of Personal Data
9.1 The Data Processor shall not transfer or otherwise process any of the Personal Data outside of the European Economic Area (“EEA”) without the prior written consent of the Data Controller.
9.2 In the event that the Data Controller consents to such a transfer or processing, the Data Processor may only process (or permit the processing) of the Personal Data outside of the EEA if one or more of the following conditions are satisfied:
9.2.1 the Data Processor is processing the Personal Data in a territory that is subject to a current finding by the European Commission under the Data Protection Legislation that said territory provides adequate protection for the privacy rights of individuals; or
9.2.2 the Data Processor participates in a valid cross-border transfer mechanism under the Data Protection Legislation under which the Data Processor (and the Data Controller, where appropriate) can ensure that appropriate safeguards are in place to ensure an adequate level of data protection with respect to the privacy rights of individuals as required by Article 46 of the GDPR. The Data Processor shall immediately inform the Data Controller of any changes thereto; or
9.2.3 the transfer of the Personal Data otherwise complies with the Data Protection.
9.3 In the event that any transfer of Personal Data between the Data Controller and the Data Processor requires execution of Standard Contractual Clauses in order to comply with the Data Protection Legislation (that is, where the Data Controller is exporting the Personal Data to the Data Processor, which is located outside of the EEA.
9.4 In the event that the Data Controller consents to the Data Processor (that is located within the EEA) appointing a Sub-Processor, in accordance with the provisions of Clause 10, and the Sub-Processor is located outside of the EEA, the Data Controller hereby authorises the Data Processor to enter into Standard Contractual Clauses, with the Sub-Processor in the Data Controller’s name and on the Data Controller’s behalf. The Data Processor shall make said executed Standard Contractual Clauses available to the Data Controller on request.
10. Appointment of a Data Protection Officer
10.1 The Data Controller has appointed a Data Protection Officer in accordance with Article 37 of the GDPR and details shall be provided to Data Processor at request.
10.2 The Data Processor shall appoint a Data Protection Officer in accordance with Article 37 of the GDPR and shall supply the details of the Data Protection Officer if/when requested.
11. Liability and Indemnity
11.1 The Data Controller shall be liable for, and shall indemnify (and keep indemnified) the Data Processor in respect of any and all action, proceeding, liability, cost, claim, loss, expense (including reasonable legal fees and payments on a solicitor and client basis), or demand suffered or incurred by, awarded against, or agreed to be paid by, the Data Processor [and any Sub-Processor] arising directly or in connection with
11.1.1 any non-compliance by the Data Controller with the GDPR or other applicable legislation;
11.1.2 any Personal Data processing carried out by the Data Processor [or Sub-Processor] in accordance with instructions given by the Data Controller that infringe the GDPR or other applicable legislation; or
11.1.3 any breach by the Data Controller of its obligations under this Agreement, except to the extent that the Data Processor (or Sub-Processor) is liable under sub-Clause 4.2.
11.2 The Data Processor shall be liable for, and shall indemnify (and keep indemnified) the Data Controller in respect of any and all action, proceeding, liability, cost, claim, loss, expense (including reasonable legal fees and payments on a solicitor and client basis), or demand suffered or incurred by, awarded against, or agreed to be paid by, the Data controller arising directly or in connection with the Data Processor’s Personal Data processing activities that are subject to this Agreement:
11.2.1 only to the extent that the same results from the Data Processor’s [or a Sub-Processor’s] breach of this Agreement; and
11.2.2 not to the extent that the same is or are contributed to by any breach of this Agreement by the Data Controller.
11.3 The Data Controller shall not be entitled to claim back from the Data Processor [or Sub-Processor] any sums paid in compensation by the Data Controller in respect of any damage to the extent that the Data Controller is liable to indemnify the Data Processor [or Sub-Processor] under sub-Clause 4.1.
11.4 Nothing in this Agreement (and in particular, this Clause) shall relieve either Party of, or otherwise affect, the liability of either Party to any data subject, or for any other breach of that Party’s direct obligations under the GDPR. Furthermore, the Data Processor hereby acknowledges that it shall remain subject to the authority of the DCO and shall co-operate fully therewith, as required, and that failure to comply with its obligations as a Data Processor under the GDPR may render it subject to the fines, penalties, and compensation requirements set out in the GDPR.
12. Intellectual Property Rights
All copyright, database rights, and other intellectual property rights subsisting in the Personal Data (including but not limited to any updates, amendments, or adaptations to the Personal Data made by either the Data Controller or the Data Processor) shall belong to the Data Controller or to any other applicable third party from whom the Data Controller has obtained the Personal Data under licence (including, but not limited to, data subjects, where applicable). The Data Processor is licensed to use such Personal Data under such rights only [for the term of the Service Agreement,] for the purposes of the Services, and in accordance with this Agreement.
13.1 The Data Processor shall maintain the Personal Data in confidence, and in particular, unless the Data Controller has given written consent for the Data Processor to do so, the Data Processor shall not disclose any Personal Data supplied to the Data Processor by, for, or on behalf of, the Data Controller to any third party. The Data Processor shall not process or make any use of any Personal Data supplied to it by the Data Controller otherwise than in connection with the provision of the Services to the Data Controller.
13.2 The Data Processor shall ensure that all personnel who are to access and/or process any of the Personal Data are contractually obliged to keep the Personal Data confidential.
13.3 The obligations set out in in this Clause shall continue for a period of 2 months after the cessation of the provision of Services by the Data Processor to the Data Controller.
13.4 Nothing in this Agreement shall prevent either Party from complying with any requirement to disclose Personal Data where such disclosure is required by law. In such cases, the Party required to disclose shall notify the other Party of the disclosure requirements prior to disclosure, unless such notification is prohibited by law.
14. Deletion and/or Disposal of Personal Data
14.1 The Data Processor shall, at the written request of the Data Controller, delete (or otherwise dispose of) the Personal Data or return it to the Data Controller in the format(s) reasonably requested by the Data Controller within a reasonable time after the earlier of the following:
14.1.1 the end of the provision of the Services (under the Service Level Agreement);
14.1.2 the termination of the Service Level Agreement; or
14.1.3 the processing of that Personal Data by the Data Processor is no longer required for the performance of the Data Processor’s obligations under this Agreement AND/OR the Service Level Agreement.
14.2 If the Data Processor is required by law, government, or other regulatory body to retain any documents or materials that the Data Processor would otherwise be required to return, delete, or otherwise dispose of under this Agreement, the Data Processor shall notify the Data Controller in writing of the requirement. Such notice shall give details of all documents or materials that the Data Processor is required to retain, the legal basis for that retention, and the timeline for deletion and/or disposal at the end of the retention period.
14.3 All Personal Data to be deleted or disposed of under this Agreement shall be deleted or disposed.
14.4 The Data Processor shall certify in writing that the Personal Data has been deleted or otherwise disposed of within 30 days of such deletion or disposal.
15. Record Keeping
15.1 The Data Processor shall keep suitably detailed, accurate, and up-to-date written records of any and all processing of the Personal Data carried out for the Data Controller. Such records shall include, but not be limited to, access, control, security, sub-contractors, affiliates, the purpose(s) for which the Personal Data is processed, the category or categories of processing, transfers of the Personal Data to non-EEA territories and related safeguards, and details of the technical and organisational security measures referred to in Clause 9.
15.2 The Data Processor shall ensure that such records are sufficient to enable the Data Controller to verify the Data Processor’s compliance with the provisions of this Agreement and with the Data Protection Legislation. The Data Processor shall provide the Data Controller with copies of such records on request.
15.3 The Data Processor shall review the information contained in the Appendixes to this Agreement in order to ensure that it remains accurate and up-to-date with current practices
16.1 The Data Processor shall permit the Data Controller and any third-party representatives that the Data Controller may from time to time appoint to audit its compliance with its obligations under this Agreement, on a reasonable prior notice during the Term of this Agreement.
16.2 The Data Processor shall provide to the Data Controller and any third-party representatives all necessary assistance in conducting such audits including, but not limited to:
16.2.1 physical and electronic access to, and copies of, records kept under Clause 16 and any other information pertaining to the processing of the Personal Data;
16.2.2 access to (and meetings with) any of the Data Processor’s personnel that are reasonably necessary to audit the Data Processor’s compliance with this Agreement; and
16.2.3 inspection of any and all infrastructure, systems, facilities, equipment, electronic data, and software used for the storage, transfer, and processing of the Personal Data.
16.3 Prior to commencing the processing of the Personal Data and thereafter on an annual basis, the Data Processor shall:
16.3.1 carry out an information security audit in order to identify any security deficiencies;
16.3.2 produce a written report of its audit which shall include plans to remedy any such deficiencies;
16.3.3 provide the Data Controller with a copy of the report; and
16.3.4 remedy any defects identified in its audit within 30 days.
16.4 The notice requirement set out in sub-Clause 17.1 shall not apply if the Data Controller has reason to believe that a personal data breach has taken place or is taking place, or that the Data Processor is in breach of any of its obligations under this Agreement or the Data Protection Legislation.
16.5 In the event of a personal data breach (including if the Data Processor becomes aware of any breach of its obligations under this Agreement or the Data Protection Legislation), the Data Processor shall:
16.5.1 conduct its own audit to determine the cause of said breach within 24 hours of the triggering event;
16.5.2 produce a written report of its audit which shall include plans to remedy any deficiencies identified thereby;
16.5.3 provide the Data Controller with a copy of the report; and
16.5.4 remedy any defects identified in its audit within 72 hours.
17. Term and Termination
17.1 This Agreement shall remain in full force and effect:
17.1.1 for as long as the Service Agreement remains in effect; or
17.1.2 for as long as the Data Processor retains any Personal Data relating to the Service Agreement in its possession or control,
17.1.3 whichever period is longer.
17.2 Where any provision of this Agreement, whether expressly or by implication, either comes into force, or continues in force on or after the termination of the Service Agreement in order to protect the Personal Data, that provision shall remain in full force and effect.
17.3 Any failure by the Data Processor to comply with the terms of this Agreement shall be deemed to be a material breach of the Service Agreement. In the event of such a breach, the Data Controller shall have the right to terminate the Service Agreement OR any part of the Service Agreement under which Data Processor processes the Personal Data, such termination to be effective immediately on written notice to the Data Processor, without further liability or obligation.
17.4 If any change to the Data Protection Legislation prevents either Party from fulfilling any of its obligations under the Service Agreement, the processing of the Personal Data shall be suspended until such processing can be made to comply with the Data Protection Legislation, as amended. If such processing cannot be made to comply within 30 days, the Parties may terminate the Service Agreement on written notice to one another
18.1 The appendices 3 and 4 form an essential part of this DPA.
18.2 Either party may, at any time on not less than 30 days’ notice, request to replace this DPA with any applicable controller to processor standard clauses or similar terms forming party of an applicable certification scheme (which shall apply when replaced by attachment to this agreement).
18.3 The parties hereby submit to the place of jurisdiction stipulated in the Principal Agreement with respect to any disputes or claims howsoever arising under this DPA, including disputes regarding its existence, validity or termination or the consequences of its nullity; and this DPA and all non-contractual or other obligations arising out of or in connection with it are governed by the laws of the country or territory stipulated for this purpose in the Principal Agreement.
18.4 Should any provision of this DPA be invalid or unenforceable, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.
18.5 This DPA is the entire agreement between the parties relating to its subject matter.
19. Law and Jurisdiction
19.1 This Agreement (including any non-contractual matters and obligations arising therefrom or associated therewith) shall be governed by, and construed in accordance with, the laws of Ireland.
19.2 Any dispute, controversy, proceedings or claim between the Parties relating to this Agreement (including any non-contractual matters and obligations arising therefrom or associated therewith) shall fall within the jurisdiction of the courts of Ireland.
APPENDIX 2 – SERVICES / SOLUTIONS PROVIDED by SHEQ PORTAL, LTD.
SHEQ PORTAL, LTD. a business solutions provider, a company that provides applications/software’s to businesses to help them measure, analysis and improve their operations and management system.
DISPLAY SCREEN EQUIPMENT (DSE) TOOL:
The Safety, Health and Welfare at Work Act, 2005 • Safety, Health and Welfare at Work (General Application) Regulations, 2007 (S.I. 299/2007); Chapter 5 of Part 2; Display Screen Equipment outline the requirements that must be adhered to in relation to Display Screen Equipment. The DSE Assessment tool developed by SHEQ Portal Ltd (SHEQ) is to assist employers with conducting remote training and one-to-one assessments of an employee’s workstation on a timely basis by a “competent individual (referred by “Ergonomist” for the purposes of this document. The purpose of the DSE Workstation Assessment Tool is not to replace the Ergonomist – its purpose is to facilitate training and the one-to-one assessment that is required by law.
MANUAL HANDLING TOOL:
The MANUAL HANDLING ASSESSMENT TOOL is comprised of two components: a Console application that the Employer and Trainers can use and a mobile app for the end user.
Employers create an Admin account within the console application. The admin account collects username, contact number and email information.
Employers using the MANUAL HANDLING ASSESSMENT TOOL will add trainers to their console. If the trainer is a third party, there must be a process by which the appropriate Data Processing Agreement (between Trainer Company and Employer) is in place prior to adding the trainer to the console. Trainer information includes, name of trainer, contact phone number and email address. In addition, a logo of the training company, certificate # sequence, certificate validity term, and image of signature are added.
Trainers should be made aware that their data is used solely for the purposes of reviewing training and for the printing of certificates.
APPENDIX 3 – PERSONAL DATA
|Type of Personal Data||Category of Data Subject||Nature of Processing Carried Out||Purpose(s) of Processing||Duration of Processing|
|Registering you on Our Site.||End-users of the site.||Collecting, sorting, saving, transferring, restricting, and deleting data||Contract||Processing shall begin on the date of account creation and be carried out for an unspecified period until the account is deleted by the data controller or until 7 years post-employment.|
|Collect self-assessment answers on the DSE Checklist||End-users of the DSE tool.||Collecting, sorting, saving, transferring, restricting, and deleting data||Contract||Processing shall begin on the date of account creation and be carried out for an unspecified period until the account is deleted by the data controller or until 7 years post-employment.|
|Collect photos of Workstation in use||End-users of the Display Screen Equipment tool.||Collecting, sorting, saving, transferring, restricting, and deleting data||Contract||Processing shall begin on the date of account creation and be carried out for an unspecified period until the account is deleted by the data controller or until 7 years post-employment.|
|Collect videos of Manual Handling movements being performed||End-users of the Manual Handling tool.||Collecting, sorting, saving, transferring, restricting, and deleting data||Contract|
|Collect photos of Manual Handling Item being lifted.||End-users of the Display Screen Equipment tool.||Collecting, sorting, saving, transferring, restricting, and deleting data||Contract|
|Personalising and tailoring your experience on Our Site.||End-users of the site.||Collecting, sorting, saving, transferring, restricting, and deleting data||Legitimate Interests – providing you with the best experience on our website.||Processing shall begin on the date of account creation and be carried out for an unspecified period until the account is deleted by the data controller.|
|Administering Our Site||End-users of the site.||Collecting, sorting, saving, transferring, restricting, and deleting data||Legitimate Interests – providing you with the best experience on our website.|
|Administering Our business||End-users of our tools.||Collecting, sorting, saving, transferring, restricting, and deleting data||Legitimate Interests – providing you with the best experience on our website.|
|Supplying Our products AND/OR services to you||End-users of our tools.||Collecting, sorting, saving, transferring, restricting, and deleting data||Legitimate Interests – Consent given|
|Communicating with you||End-users of our tools.||Collecting, sorting, saving, transferring, restricting and deleting data||Legitimate Interests – Consent given|
|Supplying you with information by email AND/OR post that you have opted-in-to (you may opt-out at any time by clicking the unsubscribe button at the end of the email||End-users of our tools.||Collecting, sorting, saving, transferring, restricting and deleting data||Legitimate Interests – Consent given|
APPENDIX 4 – TECHNICAL AND ORGANISATIONAL DATA PROTECTION MEASURES
Description of the technical and organisational security measures provided in this document apply to all services provided by Provider to Client, except where the parties agree on different security measures (the defined measures are derived from ISO 27001 Standard).
SHEQ PORTAL, LTD.’s personnel will not process Customer Data without authorization. Personnel are obligated to maintain the confidentiality of any Customer Data and this obligation continues even after their engagement ends.
2 Technical and Organization Measures
General Practices. The data importer has implemented and will maintain appropriate technical and
organizational measures, internal controls, and information security routines intended to protect
https://sheqportal.ie/privacy-policy/) and also as described in this Additional Agreement and EU
Standard Contractual Clauses, as against accidental loss, destruction, or alteration; unauthorized
disclosure or access; or unlawful destruction as follows:
- Organization of Information Security.
- Security Ownership. SHEQ PORTAL, LTD. has appointed one or more security
officers responsible for coordinating and monitoring the security rules and
- Security Roles and Responsibilities. SHEQ PORTAL, LTD. personnel with access
to Customer Data are subject to confidentiality obligations.
- Risk Management Program. SHEQ PORTAL, LTD. performed a risk assessment
before processing the Customer Data or launching the Services.
- SHEQ PORTAL, LTD. retains its security documents pursuant to its retention
requirements after they are no longer in effect.
- Security Ownership. SHEQ PORTAL, LTD. has appointed one or more security
Asset Inventory. SHEQ PORTAL, LTD. maintains an inventory of all media on which Customer Data is stored. Access to the inventories of such media is restricted to SHEQ PORTAL, LTD. personnel authorized in writing to have such access.
SHEQ PORTAL, LTD. classifies Customer Data to help identify it and allow for access to it to be appropriately restricted (e.g. through encryption).
SHEQ PORTAL, LTD. imposes restrictions on printing Customer Data and has procedures for disposing of printed materials that contain Customer Data.
SHEQ PORTAL, LTD. personnel must obtain authorization prior to storing Customer Data on portable devices, remotely accessing Customer Data, or processing Customer Data outside SHEQ PORTAL, LTD.’s facilities. This includes removing media (e.g., USB sticks and CD ROMs) and documents containing Customer Data from SHEQ PORTAL, LTD.’s facilities.
Human Resources Security:
SHEQ PORTAL, LTD. informs its personnel about relevant security procedures and their respective roles. SHEQ PORTAL, LTD. also informs its personnel of possible consequences of breaching the security rules and procedures.
Physical and Environmental Security.
Physical Access to Facilities. SHEQ PORTAL, LTD. limits access to facilities where information systems that process Customer Data are located to identified and authorized individuals.
Physical Access to Components. SHEQ PORTAL, LTD. maintains records of the incoming and outgoing media containing Customer Data, including the kind of media, the authorized sender/recipients, date and time, the number of media, and the types of Customer Data they contain.
Protection from Disruptions. SHEQ PORTAL, LTD. uses a variety of industry standard systems to protect against loss of data due to power supply failure or line interference.
Component Disposal. SHEQ PORTAL, LTD. uses industry standard processes to delete Customer Data when it is no longer needed.
Communications and Operations Management.
Operational Policy. SHEQ PORTAL, LTD. maintains security documents describing its security measures and the relevant procedures and responsibilities of its personnel who have access to Customer Data.
Data Recovery Procedures.
On an ongoing basis, but in no case less frequently than once a week (unless no Customer Data has been updated during that period), SHEQ PORTAL, LTD. maintains multiple copies of Customer Data from which Customer Data can be recovered.
SHEQ PORTAL, LTD. stores copies of Customer Data and data recovery procedures in a different place from where the primary computer equipment processing the Customer Data is located.
SHEQ PORTAL, LTD. has specific procedures in place governing access to copies of Customer Data.
SHEQ PORTAL, LTD. reviews data recovery procedures at least every six months.
SHEQ PORTAL, LTD. logs data restoration efforts, including the person responsible, the description of the restored data and which data (if any) had to be input manually in the data recovery process.
Malicious Software. SHEQ PORTAL, LTD. has antimalware controls to help avoid malicious software gaining unauthorized access to Customer Data, including malicious software originating from public networks.
- Data Encryption.
- SHEQ PORTAL, LTD. is currently encrypting Customer Data that is transmitted over public networks.
- SHEQ PORTAL, LTD. is also enhancing restrictions to access to Customer Data in media leaving its facilities (e.g., through encryption).
- Event Logging
- SHEQ PORTAL, LTD. is implementing logging for the use of our data processing systems.
- SHEQ PORTAL, LTD. logs access and use of information systems containing Customer Data, registering the access ID, time, authorization granted, and relevant activity.
- Access Control.
- Access Policy. SHEQ PORTAL, LTD. maintains a record of security privileges of individuals having access to Customer Data.
- Access Authorization.
- SHEQ PORTAL, LTD. maintains and updates a record of personnel authorized to access SHEQ PORTAL, LTD. systems that contain Customer Data.
- SHEQ PORTAL, LTD. is working to deactivate authentication credentials that have not been used for a period of time not to exceed six months.
- SHEQ PORTAL, LTD. identifies those personnel who may grant, alter, or cancel authorized access to data and resources.
- SHEQ PORTAL, LTD. ensures that where more than one individual has access to systems containing Customer Data, the individuals have separate identifiers/logins.
- Least Privilege.
- Technical support personnel are only permitted to have access to Customer Data when needed.
- SHEQ PORTAL, LTD. restricts access to Customer Data to only those individuals who require such access to perform their job function.
- Integrity and Confidentiality.
- SHEQ PORTAL, LTD. instructs its personnel to disable administrative sessions when leaving premises SHEQ PORTAL, LTD. controls or when computers are otherwise left unattended.
- SHEQ PORTAL, LTD. stores passwords in a way that makes them unintelligible while they are in force.
- SHEQ PORTAL, LTD. are adding industry standard practices to identify and authenticate users who attempt to access information systems.
- Where authentication mechanisms are based on passwords, SHEQ PORTAL, LTD. requires that the passwords are renewed regularly.
- Where authentication mechanisms are based on passwords, SHEQ PORTAL, LTD. will require the password to be at least six characters long.
- SHEQ PORTAL, LTD. ensures that deactivated or expired identifiers are not granted to other individuals.
- SHEQ PORTAL, LTD. monitors repeated attempts to gain access to the information system using an invalid password.
- SHEQ PORTAL, LTD. is developing industry standard procedures to deactivate passwords that have been corrupted or inadvertently disclosed.
- SHEQ PORTAL, LTD. is adopting industry standard password protection practices, including practices designed to maintain the confidentiality and integrity of passwords when they are assigned and distributed, and during storage.
- Network Design.
- SHEQ PORTAL, LTD. has controls to avoid individuals assuming access rights they have not been assigned to gain access to Customer Data they are not authorized to access.
- Information Security Incident Management.
- Incident Response Process.
- SHEQ PORTAL, LTD. maintains a record of security breaches with a description of the breach, the time period, the consequences of the breach, the name of the reporter, and to whom the breach was reported, and the procedure for recovering data.
- SHEQ PORTAL, LTD. is implementing a tracking system for disclosures of Customer Data, including what data has been disclosed, to whom, and at what time.
- Service Monitoring. SHEQ PORTAL, LTD. security personnel verify logs at least every six months to propose remediation efforts if necessary.
- Business Continuity Management.
- SHEQ PORTAL, LTD. maintains emergency and contingency plans for the facilities in which SHEQ PORTAL, LTD. information systems that process Customer Data are located.
- SHEQ PORTAL, LTD.’s redundant storage and its procedures for recovering data are designed to attempt to reconstruct Customer Data in its original state from before the time it was lost or destroyed.
- The security measures described in this Section set forth SHEQ PORTAL, LTD.’s responsibility with respect to the security of Customer Data and do not contemplate or require additional or increased security measures.