Terms of Service

Between: (The Company) and Data Controller, “Data Controller”

And Mollie Guest CA, registered offices at The Mill House, St Martins, Balbeggie, Perthshire, PH2 6AQ, ICO Registration number Z6846725 “ Data Processor ”

The Data Controller has contracted our Services (Accounts, Bookkeeping, Payroll, Business Services, Taxation or VAT) which imply the processing of personal data, to the Data Processor.

1.1 As the performance of the contract and the delivery of the Services implies the processing of personal data, the Data Controller and the Data Processor shall comply with the applicable data protection legislation and regulations

1.2 The Data Processor shall ensure that in relation to personal data disclosed to it by, or otherwise obtained from the Data Controller, it shall act as the Data Controller’s data processor in relation to such personal data and shall therefore:

1.2.1 Not process the personal data for any purpose other than to deliver the Services and to perform its obligations in accordance with the documented instructions of the Data Controller; if it cannot provide such compliance, for whatever reasons, it agrees to promptly inform the Data Controller of its inability to comply;

1.2.2 inform the Data Controller immediately if it believes that any instruction from the Data Controller infringes applicable data protection legislation and regulations;

1.2.3 not disclose the personal data to any person other than to its personnel as necessary to perform its obligations and ensure that such personnel is subject to statutory or contractual confidentiality obligations;

1.2.4 take appropriate technical and organisational measures against any unauthorised or unlawful processing, and to evaluate at regular intervals the adequacy of such security measures, amending these measures where necessary;

1.2.5 ensure that access, inspection, processing and provision of the personal data shall take place only in accordance with the need-to-know principle, i.e. information shall be provided only to those persons who require the personal data for their work in relation to the performance of the Services;

1.2.6 promptly notify the Data Controller about (i) any legally binding request for disclosure of the personal data by a data subject, a judicial or regulatory authority unless otherwise prohibited, such as the obligation under criminal law to preserve the confidentiality of a judicial enquiry, and to assist the Data Controller therewith (ii) any accidental or unauthorised access, and more in general, any unlawful processing and to assist the Data Controller therewith;

1.2.7 deal promptly and properly with all reasonable inquiries from the Data Controller relating to its processing of the personal data;

1.2.8 at the request and costs of the Data Controller, submit its data processing facilities for audit or control of the processing activities;

1.2.9 refrain from engaging another data processor without the prior written consent of the Data Controller;

1.2.10 be responsible for imposing the contract terms required by Article 28.3 of the Regulation if it employs another data processor;

1.2.11 notify the Data Controller of any changes made by another data processor it has employed that could be deemed to affect the rights and freedoms of the individuals whose Personal Data is processed by such sub-processor and give the Data Controller the opportunity to object to those changes;

1.2.12 understand and accept that it is liable to the Data Controller for the processing activities of other data processors it employs;   

1.2.13 assist the Data Controller, subject to reasonable additional compensation, with the Data Controller’s obligation under application data protection laws and regulations, including (but not limited to) the obligations in respect of security, breach reporting and carrying out data protection impact assessments as applicable.

1.3 Personal data processed in the context may not be transferred to a country outside the European Economic Area without the prior written consent of the Data Controller. If personal data processed under this Agreement is transferred from a country within the European Economic Area to a country outside the European Economic Area, the Parties shall ensure that the personal data are adequately protected. To achieve this, the Parties shall, unless agreed otherwise, rely on EU approved standard contractual clauses for the transfer of personal data.