IT and BTP data security, data protection
- In supplying the Goods, Services or Deliverables, the Supplier shall:
- take all necessary steps to: (i) ensure that no computer viruses, trojan horses, malware or other destructive, disruptive or nuisance computer programs (each a “Virus”) are contained in or affect the Goods or Deliverables as at the date of delivery by the Supplier to Belgium Tower Partners of such items; and (ii) prevent any Viruses being introduced via the Supplier’s Systems into Belgium Tower Partners Group’s Systems; and
- use the current release of recognised market leading Virus detection software.
- AE Data and Data Security.
- The Supplier shall:
- not use or reproduce AE Data in whole or in part in any form except as expressly permitted by Belgium Tower Partners in accordance with the Purchase Order or relevant SoW;
- implement and maintain appropriate security procedures designed to secure AE Data against accidental or unlawful loss, access or disclosure in its collection, receipt, transmission, storage, disposal, use and disclosure of such data and take all precautions necessary to preserve the integrity of AE Data;
- maintain reasonable security, protection and backup of AE Data which may include routine archiving and the use of encryption technology to protect against unauthorized access;
- have in place, at a minimum physical, technical, administrative, and organizational measures and safeguards that provide for and ensure: (i) protection of business facilities, paper files, servers, computing equipment, and backup systems containing AE Data; (ii) network, application and platform security; (iii) secure transmission and storage of data with strong cryptography using industry standard best practices; (iv) authentication and access control mechanisms over data, media, applications, operating systems and equipment; (vi) training to personnel on how to comply with Supplier’s information security safeguards and confidentiality obligations; (vii) storage limitations such that AE Data resides only on servers located in data centres that comply with industry standard data centre security controls and restrictions to ensure that its personnel do not place any AE Data on any notebook hard drive or removable media, unless encrypted; (ix) implementing, updating and keeping current industry standard: (A) backup systems, network technology, firewalls, intrusion-detection and prevention systems, anti-virus protection and other network and technological security systems; and (B) computer systems, networks, and other equipment and software that secure AE Data during storage, manipulation, and dissemination and processes that secure AE Data during system or network changes; and (ix) routinely reviewing and updating network technology, anti-virus programs, backup systems, and other technological security systems; and
- restrict access to AE Data only to those of its personnel who have a need to know and procure that no unauthorised third party will, as a result of any act or omission of the Supplier or its personnel, obtain access to any AE Data.
- Where there has been any breach or where the Supplier suspects there has been a breach of this paragraph 2, the Supplier shall inform Belgium Tower Partners immediately and the Supplier shall cooperate with Belgium Tower Partners in the handling of the matter, including obtaining and making available to Belgium Tower Partners all relevant records, logs, files, data reporting and other materials required to comply with applicable law, regulation, industry standards or Belgium Tower Partners’ reasonable request.
- Data Protection.
- This paragraph 3 applies where, under or in connection with the provision of Goods, Services or Deliverables, the Supplier (acting as a Data Processor) or any of its permitted subcontractors generates, receives or otherwise processes personal data on behalf of Belgium Tower Partners (in its capacity as a Data Controller). Terms defined in the GDPR have the same meanings when used in this paragraph 3.
- The Supplier shall, at all times, comply with (and not cause Belgium Tower Partners to be in breach of) the Data Protection Laws in relation to Personal Data processed by it under any Purchase Order or SoW.
- Without limiting paragraph 3.2 the Supplier warrants, represents and undertakes to Belgium Tower Partners that:
- it shall only process the Personal Data in accordance with this paragraph 3 and the documented instructions of Belgium Tower Partners and as is reasonably necessary to provide the Goods, Services or Deliverables in accordance with the Purchase Order and relevant SoW;
- it shall not engage any other party to process the Personal Data (a “Sub-Processor”) without Belgium Tower Partners’ prior written consent and it shall only engage such approved Sub-Processor by entering into a legally binding written contract imposing obligations on the Sub-Processor which are (at least) equivalent to those imposed on the Supplier in this paragraph 3, provided that if the Sub-Processor fails to fulfil its data protection obligations (including compliance with the terms of this paragraph 3) the Supplier shall remain fully liable to Belgium Tower Partners for the performance of the Sub-Processor’s obligations;
- it shall not transfer any Personal Data to a country or territory outside the European Economic Area / Belgium without first obtaining Belgium Tower Partners’ prior written consent;
- it shall maintain data secrecy in accordance with applicable Data Protection Laws and shall ensure that:
- access to Personal Data is only given to those Supplier personnel and personnel of the Supplier’s approved Sub-Processors who really need to have access to Personal Data; and
- such personnel are subject to appropriate obligations of confidentiality in accordance with applicable Data Protection Laws and at all times act in compliance with Data Protection Laws and the obligations of this paragraph 3;
- it shall at all times have in place (and comply with) all appropriate technical and organisational measures to protect the processed Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access or other unauthorised processing. Such measures shall ensure best practice security, be compliant with Data Protection Laws at all times and comply with the Security Measures;
- it shall provide Belgium Tower Partners with such assistance and co-operation as Belgium Tower Partners may reasonably request to enable Belgium Tower Partners to comply with its obligations under Data Protection Laws and cooperate with the competent authorities in relation to Personal Data processed by the Supplier, including, but not limited to, assisting Belgium Tower Partners: (A) by taking appropriate technical and organisational measures, insofar as is possible, to respond to requests from data subjects for access to or rectification, erasure or portability, or restriction of or objection to processing, of processed Personal Data (but the Supplier shall not respond to any such request except with Belgium Tower Partners’ prior written consent); and (B) in ensuring compliance with Belgium Tower Partners’ security, data breach notification, impact assessment and data protection or data privacy authority consultation obligations under Data Protection Laws, taking into account the information available to the Supplier.
- The Supplier shall notify Belgium Tower Partners as soon as possible and as far as it is legally permitted to do so, of any access request for disclosure of data which concerns Personal Data (or any part thereof) by any governmental or other regulatory authority, or by a court or other authority of competent jurisdiction. The Supplier shall, to the extent legally permitted, not disclose any Personal Data in response to such request served on the Supplier without first consulting with and obtaining the written consent of Belgium Tower Partners.
- The Supplier shall promptly and without undue delay give written notice to Belgium Tower Partners, with reasonable details, if it becomes aware of, or comes to have reasonable grounds to suspect, the occurrence of any personal data breach or other incident prejudicing, or revealing a weakness in, the security of the processed Personal Data while in its possession or under its control (a “Data Breach”). In relation to any Data Breach, the Supplier shall at its own cost (i) take all reasonable steps to identify and correct the underlying cause of the Data Breach so as to eliminate or minimise the risk of its repetition and the occurrence of similar Data Breaches; (ii) take such steps as Belgium Tower Partners may request to assist in addressing the adverse consequences for Belgium Tower Partners of, and complying with Belgium Tower Partners’ obligations under Data Protection Laws in relation to, the Data Breach; and (iii) report to Belgium Tower Partners promptly and at regular intervals, on these steps and their results.
- The Supplier shall make available to Belgium Tower Partners all information necessary in connection with, and shall contribute to, all reasonable audits, including inspections, conducted by Belgium Tower Partners or its mandated auditor, to demonstrate the Supplier’s compliance with this Schedule and Data Protection Laws.
- At the end of the provision of the Goods or Services or earlier upon request of Belgium Tower Partners, the Supplier shall cease all use of Personal Data and, at Belgium Tower Partners’ election, irrevocably delete, destroy, or transfer (in a mutually agreed format and by a mutually agreed method) to Belgium Tower Partners (or its nominated agent) all Personal Data and copies thereof in its possession (unless EU, EU Member State or UK law requires the Supplier to store the Personal Data). The deletion and/or destruction thereof are to be documented in a suitable manner and evidenced to Belgium Tower Partners.
- The Supplier shall indemnify Belgium Tower Partners against all costs, claims, demands, fines, awards, expenses, losses, actions, proceedings and liabilities suffered or incurred by any member of the Belgium Tower Partners Group in connection with any failure of the Supplier or any third party appointed by the Supplier to comply with the provisions of this Schedule and/or Data Protection Laws in respect of its processing of Personal Data.
- The Supplier shall not acquire any rights (including any retention rights) in the Personal Data processed by it or any of its Sub-Processors.
- Additional Definitions.
- For the purpose of this Schedule, the following words and phrases shall have the following meaning unless the context otherwise requires:
- “Data Protection Laws” means all applicable laws, rules and regulations on data protection, data privacy, or relating to the processing of personal data and privacy, including the European Union’s General Data Protection Regulation (“GDPR”);
- “AE Data” means any data, information, drawings, specifications or other material (in whatever form and on any medium) relating to the Belgium Tower Partners Group or their customers, suppliers or personnel which is: (i) supplied or made available to the Supplier or its and its subcontractors’ personnel by or on behalf of the Belgium Tower Partners Group; (ii) obtained by, or in possession or control of, the Supplier or its and its subcontractors’ personnel for the purposes of enabling the provision of the Goods, Services or Deliverables or fulfilling its obligations under the Purchase Order; or (iii) created, generated, transmitted, stored or processed by the Supplier or its and its subcontractors’ personnel in connection with providing Goods, Services or Deliverables;
- “Security Measures” means Belgium Tower Partners’ security policies and measures (including IT policies and measures) for the protection of Personal Data issued to Supplier by Belgium Tower Partners from time to time;
- “Personal Data” means all personal data, in whatever form or medium which is: (i) supplied, or in respect of which access is granted to the Supplier (or any approved third party) whether by Belgium Tower Partners or otherwise in connection with any Purchase Order or relevant SoW, or (ii) produced or generated by or on behalf of the Supplier (or any approved third party) in connection with any Purchase Order or relevant SoW; and
- “Systems” means communication systems, computer programs, software, computer and communications networks, hardware, firmware, servers, devices, cabling and related equipment, databases, the tangible media on which they are recorded and their supporting documentation.