1. DEFINITIONS
“Controller” means the entity which determines the purposes and means of the Processing of Personal Data.
“Customer” means a Practitioner who has made an application to join the JCCP.
“Data Protection Laws and Regulations” means all laws and regulations, including laws and regulations of the European Union, the European Economic Area and their member states, Switzerland and the United Kingdom, applicable to the Processing of Personal Data under the Agreement.
“Data Subject” means the identified or identifiable person to whom Personal Data relates.
“GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
“Personal Data” in relation to a Customer means any information relating to (i) an identified or identifiable natural person and, (ii) an identified or identifiable legal entity (where such information is protected similarly as personal data or personally identifiable information under applicable Data Protection Laws and Regulations), where for each (i) or (ii), such data is Customer Data.
“Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Controller” means the entity which receives the Personal Data.
“Processor” means the entity which Processes Personal Data on behalf of the Controller.
2. PROCESSING OF PERSONAL DATA
2.1 Roles of the Parties. The parties acknowledge and agree that with regard to the Processing of Personal Data, the JCCP is the Controller. When the JCCP receives personal data, they will act as data controllers for any activity they undertake in accordance with this Privacy Policy.
2.2 Customer’s Processing of Personal Data. The JCCP shall process Personal Data in accordance with the requirements of Data Protection Laws and Regulations. For the avoidance of doubt, a Customer’s instructions for the Processing of Personal Data shall comply with Data Protection Laws and Regulations. A Customer shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which the JCCP acquires their Personal Data.
2.3 JCCP’s Processing of Personal Data. JCCP shall treat Personal Data as Confidential Information and shall only Process Personal Data on behalf of and in accordance with Customer’s documented instructions for the following purposes: (i) Processing in accordance with the JCCP Code of Practice and any Terms of Business(s); (ii) Processing initiated for the use of these Services; and (iii) Processing to comply with other documented reasonable instructions provided by Customer (e.g., via email) where such instructions are consistent with the terms of the Agreement.
2.4 Details of the Processing. The subject-matter of Processing of Personal Data by the JCCP is the performance of the Services pursuant to the Code of Practice and Terms and Conditions of Membership. The duration of the Processing, the nature and purpose of the Processing, the types of Personal Data and categories of Data Subjects Processed under this DPA are further specified in Schedule 4 (Details of the Processing) to this DPA.
2.5 Public Display of Information. The Customer understands that some of their Personal Data will be required to be displayed on the public facing JCCP member list. If the Customer wishes for any of the mandatory information to be removed from the member list then they can make a request to the JCCP specifying their reasons.
3. RIGHTS OF DATA SUBJECTS
The JCCP will, to the extent legally permitted, action a request from a Data Subject to access, correct or delete that person’s Personal Data or if a Data Subject objects to the Processing thereof (“Data Subject Request”).
4. JCCP PERSONNEL
4.1 Confidentiality. The JCCP shall ensure that its personnel engaged in the Processing of Personal Data are informed of the confidential nature of the Personal Data, have received appropriate training on their responsibilities and have executed written confidentiality agreements. The JCCP shall ensure that such confidentiality obligations survive the termination of the personnel engagement.
4.2 Reliability. The JCCP shall take commercially reasonable steps to ensure the reliability of any JCCP personnel engaged in the Processing of Personal Data.
4.3 Limitation of Access. The JCCP shall ensure that the JCCP’s access to Personal Data is limited to those personnel performing Services in accordance with the Agreement.
5. SUB-PROCESSING
The JCCP membership functions are delivered by HF Resolution Limited and all parties agree and understand that they are acting on behalf of the JCCP in terms of processing any Personal Data related to someone’s membership of the JCCP.
We may also share with NEC Software Solutions UK Limited for the purposes of providing audit and analysis services to the JCCP and the Cosmetic Practice Standards Authority (CPSA).
This has always been a requirement but we feel that it is better to have this statement placed within the context of the Privacy Policy for the assurance of doubt.
6. SECURITY
The JCCP shall maintain appropriate technical and organisational measures for protection of the security (including protection against unauthorised or unlawful Processing and against accidental or unlawful destruction, loss or alteration or damage, unauthorised disclosure of, or access to, Customer Data), confidentiality and integrity of Customer Data. The JCCP regularly monitors compliance with these measures.
7. CUSTOMER DATA INCIDENT MANAGEMENT AND NOTIFICATION
7.1 The JCCP maintains security incident management policies and procedures and shall notify the Customer without undue delay after becoming aware of the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Customer Data, including Personal Data, transmitted, stored or otherwise Processed by the JCCP.
7.2 “Customer Data Incident” – The JCCP shall make reasonable efforts to identify the cause of such Customer Data Incident and take those steps as the JCCP deems necessary and reasonable in order to remediate the cause of such a Customer Data Incident to the extent the remediation is within the JCCP’s reasonable control.
8. RETURN AND DELETION OF CUSTOMER DATA
The JCCP shall return and/or delete Customer Data to the extent allowed by applicable law.
9. LIMITATION OF LIABILITY
For the avoidance of doubt, the JCCP and its sub-processor’s total liability for all claims from a Customer arising out of or related to the Code of Practice or any Terms of Business and any other contract shall apply in the aggregate for all claims in breach of this GDPR Policy.
10. GDPR
With effect from 25 May 2018, the JCCP will Control Personal Data in accordance with the GDPR requirements directly applicable to the JCCP’s provision of its Services.
11. Data Protection Impact Assessment
With effect from 25 May 2018, the JCCP shall have in place a Data Protection Impact Assessment related to its Processing of any Personal Data as required under the GDPR.
12. Transfer mechanisms for data transfers
The JCCP will not transfer any data received outside of the European Union without further contractual agreement to do so.
13. Legal Effect
This Policy shall only become legally binding between a Customer and the JCCP.
14. Certification of Deletion
The parties agree that the certification of deletion of Personal Data that is described in Clause request.
15. Conflict
In the event of any conflict or inconsistency between the body of this GDPR Policy and any of its Schedules the GDPR Policy takes precedence.
DETAILS OF THE PROCESSING
Nature and Purpose of Processing
The JCCP will Process Personal Data as necessary to perform the Services pursuant to their Terms of Business and Service Agreement as further specified in the Documentation, and as further instructed by Customer in its use of the Services.
Duration of Processing
The JCCP will Process Personal Data for the duration of the Agreement, unless otherwise agreed upon in writing, and for such time after as may be required by law.
Categories of Data Subjects
The Customer may submit Personal Data to obtain the Services, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to Personal Data relating to the following categories of data subjects:
• Prospects, customers, business partners and vendors of Customer (who are natural persons)
• Employees or contact persons of Customer’s prospects, customers, business partners and vendors
• Employees, agents, advisors, freelancers of Customer (who are natural persons)
• Customer’s Users authorised by Customer to use the Services
Type of Personal Data
Customer may submit Personal Data to the Services, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to the following categories of Personal Data:
• First and last name
• Title
• Position
• Employer
• Contact information (company, email, phone, physical business address)
• ID data
• Professional life data
• Personal life data
• Connection data
• Localisation data
Clause 1
Definitions
For the purposes of the Clauses:
(a) ‘personal data’, ‘special categories of data’, ‘process/processing’, ‘controller’, ‘processor’, ‘data subject’ and ‘supervisory authority’ shall have the same meaning as in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data;
(b) ‘the Customer’ means the person who provides their personal data to the JCCP;
(c) ‘the applicable data protection law’ means the legislation protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of personal data applicable to a data controller in the Member State in which the data exporter is established;
(d) ‘technical and organisational security measures’ means those measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.
Clause 2
Data subjects
The JCCP may collect Personal Data which falls under the following categories:
• Prospects, customers, business partners and vendors (who are natural persons)
• Employees or contact persons of prospects, customers, business partners and vendors
Clause 3
Categories of data
The personal data transferred could concern the following categories of data: The Customer may submit Personal Data to the JCCP which may include, but is not limited to the following categories of Personal Data:
• First and last name
• Title
• Position
• Employer
• Contact information (company, email, phone, physical business address)
• ID data
• Professional life data
• Personal life data
• Connection data
• Localisation data
Clause 4
Special categories of data (if appropriate)
The JCCP will not collect Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, or data concerning health or sex life.
Clause 5
Processing operations
The objective of Processing of Personal Data is the performance of the JCCP pursuant to the JCCP Code of Practice and any other contractual agreements between the parties.