Data Processing Terms
Data Processing Terms of Michael Christopher Handforth, Notary Public
In order that you as a service provider and data processor may provide or continue to provide certain services to my notary business as a data controller, you have agreed that these data processing terms shall apply together with any other relevant terms or conditions applicable to the delivery of services required by law, in order to address the compliance obligations imposed upon my notary business and its clients pursuant to Data Protection law. These terms shall constitute a separate agreement or they may be incorporated by reference to the relevant services agreement as the case may be.
BY ACCEPTING ANY MATERIALS OR COMMISSION FROM MY NOTARY BUSINESS OR OTHERWISE COMMENCING THE SERVICES, YOU AGREE THAT THE PROCESSOR WILL PROCESS NOTARY BUSINESS PERSONAL DATA IN ACCORDANCE WITH THESE TERMS WHICH YOU HEREBY ACCEPT FOR AND ON BEHALF OF THE PROCESSOR.
PURSUANT TO WHICH IT IS HEREBY AGREED as follows:
1. Definitions. In this agreement, words in bold font shall have the meaning as set out below:
affiliate means any entity that directly or indirectly controls or is controlled by or is under common control with a party from time to time during the term
term means the period within which contractual arrangements exist between my notary business and you as service provider and data processor
data protection law means the data privacy laws applicable to the processing in connection with the services including where applicable the Directive 95/46/EC as amended or replaced by any subsequent regulation, directive or other legal instrument of the European Union including by the General Data Protection Regulation or similar law or the applicable data privacy laws of any other relevant jurisdiction
client means any client of my notary business
contractual clauses means the standard contractual clauses of the European Commission for the transfer of personal data across borders as amended or replaced from time to time or any equivalent set of contractual clauses approved for use under Data Protection law
notary business personal data (NBPD) means the personal data processed by a processor in connection with the services provided by my notary business during the term. The processing may include activities ancillary to my notary business such as postal, courier, legalisation, translation, hosting, administrative and other services. This will include names and other information about data subjects included in client materials and the words data subject, personal data, processing, controller and processor shall have the meaning attributed to them in Data Protection law
security breach means a breach of security leading to the accidental or unauthorised destruction, loss, alteration, disclosure of or access to NBPD whether transmitted, stored or otherwise processed
2. Appointment. My notary business is designated by its clients, client affiliates and notary business affiliates collectively described as instructing parties to provide and manage various services on their behalf. Accordingly, NBPD may contain personal data in relation to which instructing parties are controllers. My notary business confirms that it is authorised to communicate to the processor any instructions or other requirements on behalf of instructing parties in respect of processing of NBPD by the processor in connection with the services. The processor is appointed by my notary business to process NBPD on behalf of the business and/or the instructing parties as the case may be as is necessary to provide the services or as otherwise agreed by the parties in writing.
3. Duration. The terms shall commence on the effective date of instructions and shall continue in full force and effect until such time as all services have ceased, instructions have been carried out and all NBPD in the processor's possession or within its reasonable control has been returned or destroyed.
4. Data Protection Compliance. In relation to its processing of NBPD, save as otherwise required by law, you agree to:
(a) process NBPD only as required in connection with the services and in accordance with lawful instructions
(b) inform me if in your opinion an instruction infringes data protection law
(c) ensure that all personnel authorised by you to process NBPD have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality
(d) implement appropriate technical and organisational measures to safeguard NBPD having regard to the nature of the personal data which is to be protected and the risk of harm which might result from any security breach at a minimum of the measures set out in the schedule
(e) promptly inform us of any data subject requests under data protection law or regulatory or law enforcement requests relating to NBPD. You shall not acknowledge or otherwise respond to the subject access request except with our prior written approval which shall not be unreasonably withheld
(f) provide such assistance as the notary business may reasonably require in order to ensure my or the instructing parties compliance with data protection law in relation to data security, data breach notifications, data protection impact assessments and prior consultations with the Information Commissioner's Office or other competent authority
(g) at my choice, without delay delete or return all NBPD to me and delete existing copies of all NBPD in the processor's possession or within its reasonable control and
(h) make available to my notary business information reasonably necessary to demonstrate your compliance with these terms and allow for and contribute to audits and inspections carried out by my notary business
5. Sub-processors. The processor may sub-contract, outsource, assign, novate or otherwise transfer obligations under these terms or engage any subcontractors involved in the processing of NBPD only with my prior consent and subject to these conditions:
(a) the processor will carry out reasonable due diligence
(b) enter into a contract on terms that are the same or similar to those set out in these terms and which may include contractual clauses to provide adequate safeguards with respect to the processing of NBPD and
(c) inform me of any intended changes concerning the addition or replacement of a sub-processor. If I object to any such change on reasonable grounds, then acting in good faith the parties will work together to resolve such objection.
6. Security incidents. The processor will notify me without delay if the processor becomes aware of a security breach and will investigate it and take reasonable action to identify, prevent and mitigate the effects of the security breach. The processor will take such further action as I may reasonably request in order to comply with data protection law. The processor may not release or publish any filing, communication, notice, press release or report concerning any security breach without my prior written consent such consent not to be unreasonably withheld.
7. International Data Transfers. The processor will ensure that no NBPD is transferred out of either the European Economic Community or any other territory in which restrictions are imposed on the transfer of NBPD across borders under data protection laws without my prior written consent, but I will ensure that contractual clauses or other mechanisms are in place to ensure an adequate level of data protection.
8. Indemnity. Subject to any relevant services agreement to the contrary, the processor shall and hereby does agree to indemnify my notary business and instructing parties and their officers, employees, agents and subcontractors from and against any claims, losses, demands, actions, liabilities, fines, penalties, administrative charges, reasonable expenses, damages, interest and settlement amounts including reasonable legal fees and costs incurred by any indemnified party as a result of any gross negligence or wilful breach by the processor of these terms.
(a) to the extent that there is any conflict, these terms shall prevail over terms in a service or other agreement whether oral or in writing
(b) nothing in these terms shall exclude or limit the liability of either party which cannot be limited or excluded under applicable law. Subject thereto, these terms constitute the entire agreement between the parties pertaining to the subject matter hereof and it supersedes all prior agreements, understandings, negotiations and discussions of the parties relating to its subject matter and in relation to the subject matter of these terms neither party has relied upon and neither party will have any right or remedy based upon any statement, representation or warranty whether made negligently or innocently except those expressly set out in these terms
(c) the processor shall agree any amendment to these terms that may be required from time to time in order to continue to comply with amendments to data protection law
(d) all notices of termination or breach must be in English and in writing and addressed to the other party's primary contact. Notice will be treated as given on receipt. Postal notices will be deemed received 48 hours from the date of posting if sent by recorded delivery or registered post
(e) the Notaries Society is not a party to these terms and it shall have no liability whatsoever
(f) the provisions of these terms are severable. If any phrase, clause or other provision is invalid or unenforceable either in whole or in part, that defect shall affect only that particular provision and the remaining provisions shall continue to stand in full force and effect
(g) these terms are governed by the law of England and the parties agree to submit to the exclusive jurisdiction of the English courts in relation to any dispute whether contractual or non-contractual concerning these terms save that either party may apply to any court for an injunction or other relief to protect its property or confidential information
SCHEDULE: Security measures
 The processor shall put in place the following minimum technical measures as applicable:
- Firewalls which are properly configured and using the latest software
- User access control management
- Unique passwords of sufficient complexity and regular expiry on all devices
- Regular Software updates by using patch management software as appropriate
- Timely decommissioning and secure wiping of old software and hardware that renders data irrecoverable
- Real time protection anti-virus, anti-malware and anti-spyware software
- Encryption of all portable devices ensuring appropriate protection of the key
- Encryption of personal data in transit by using suitable encryption solutions
- Multi-factor authentication for remote access
- WPA-TKIP secured Wi-Fi access
- Delinquent web filtering and other appropriate internet access restrictions
- Intrusion detection and prevention systems
- Appropriate and proportionate monitoring of personnel and
- Data backup and disaster recovery measures and procedures
 Minimum organizational measures
- Vet all personnel including staff, contractors, vendors and suppliers and sub-processors on a continuing basis
- Having non-disclosure agreements with all personnel
- Regular training of all personnel on confidentiality, data processing obligations, identification of security breaches and risks
- Apply principle of least authority including a restricted or strictly controlled transit of data and material outside of office
- Physical security on premises including reception or front desk, security passes, clean desk policy, storage of documents in secure cabinets, secure disposal of materials and CCTV
- Apply appropriate policies including information security policy, data protection policy, acceptable use policy, limited and monitored personal use of work resources as appropriate.