Confidentiality and your data

15. Confidentiality

15.1 Each Party shall maintain the confidentiality of the other Party’s Confidential Information and shall not, without the prior written consent of the other, use, disclose, copy or modify the other Party’s Confidential Information (or permit others to do so) other than as necessary for the performance of its rights and obligations under this Framework Agreement or any Service Contract.

15.2 Each Party undertakes to disclose the other Party’s Confidential Information only to those of its officers, employees, agents, contractors and professional advisers or to other members of the Group of companies to which it belongs and their officers, employees, agents, contractors and professional advisers to whom, and to the extent to which, such disclosure is necessary for the purposes contemplated under this Framework Agreement or any Service Contract and to procure that such persons are made aware of and are bound by obligations of confidentiality.

15.3 Each Party shall give notice to the other of any unauthorised misuse, disclosure, theft or other loss of the other Party’s Confidential Information immediately upon becoming aware of the same.

15.4 The provisions of this clause 15 shall not apply to Confidential Information which:

15.4.1 is in or comes into the public domain through no fault of the recipient, its officers, employees, agents or contractors;

15.4.2 was available to the recipient on a non-confidential basis before disclosure by the disclosing Party;

15.4.3 is lawfully received from a third party free of any obligation of confidence at the time of its disclosure;

15.4.4 is demonstrably independently developed by the recipient, its officers, employees, agents or contractors;

15.5.5 the Parties agree in writing is not confidential or may be disclosed; or

15.4.6 is required by law, by court or governmental order to be disclosed provided that, to the extent permitted by law, prior to any disclosure, as far as is reasonably and lawfully practicable the recipient notifies the disclosing Party and, at the disclosing Party’s request and cost, assists the disclosing Party in opposing any such disclosure.

16. Use of data

16.1 Any Member Data (other than Personal Data) will be considered non-confidential and non-proprietary. The Member consents to GS1 UK making available to third parties (which may include consumers), through both local and global GS1 services including the VbG Service, data relating to the Member, including Member Data (other than Personal Data), GS1 UK Numbers, GLNs, GTINs and weblinks/URLs, for purposes including enabling businesses and consumers to verify the authenticity of Member Products in the global supply chain. The Member may withdraw its consent to GS1 UK sharing the Member Product Data via the VbG Service, by notifying GS1 UK in writing.

16.2 The Member understands that its Member Data will be validated against and shall comply with the GS1 global standard management process (GSMP) approved data validation rules and any other technical specifications that may be implemented and/or amended from time to time. The Member shall be responsible for the quality of the Member Data.

16.3 Provided the Member is not an individual, GS1 UK has the right to disclose the Member’s identity to any third party who is claiming that any material posted or uploaded by the Member, Admin User or User constitutes a violation of their intellectual property rights or of their right to privacy.

17 Personal data

17.1 The Parties acknowledge that for the purposes of the Data Protection Legislation:

17.1.1 the Member is a Data Controller of Personal Data incorporated in the Member Data;

17.1.2 GS1 UK is a Data Processor of such Personal Data where GS1 UK processes it on behalf of the Member in order to provide the Services; and

17.1.3 GS1 UK is a Data Controller of such Personal Data where GS1 UK processes it for its own purposes, including to market its products and services to Members and Users.

17.2 Without limiting this clause 17, both Parties will comply with the Data Protection Legislation.

17.3 Without limiting the generality of clause 17.2, GS1 UK shall, in relation to any Personal Data it processes as a Data Processor in connection with the provision of the Services:

17.3.1 be entitled to share such Personal Data with those of its agents, contractors, and companies within its Group which need to access or process the information to enable GS1 to discharge its obligations under this Framework Agreement or any Service Contract or to deliver the Services, provided that all personnel who have access to and/or process Personal Data are informed of the confidential nature of the Personal Data and are obliged to keep the Personal Data confidential;

17.3.2 process the Personal Data only for the purposes of performing its obligations under this Framework Agreement or a Service Contract or in accordance with the written instructions contained in any Service Contract or received from the Member from time to time, unless required to process it for the purposes of applicable law (in which case GS1 UK shall inform the Member before such processing, unless it is prohibited from doing so by law);

17.3.3 not disclose or permit the disclosure of any of the Personal Data to any third party unless such disclosure is made in accordance with clause 17.3.1 or 17.3.2 or is specifically authorised in writing by the Member;

17.3.4 having regard to the state of technological development and the cost of implementing any measures, take appropriate technical and organisational measures in respect of the Personal Data to ensure a level of security appropriate to:

17.3.4.1 the harm that might result from unauthorised or unlawful processing or accidental loss, destruction or damage; and

17.3.4.2 the nature of the processing and the Personal Data;

17.3.5 not transfer Personal Data outside the UK and European Economic Area (“EEA”) without obtaining the prior written consent of the Member, except when transferring Personal Data to a Member which is located outside the UK and EEA;

17.3.6 taking into account the nature of the processing, assist the Member in responding to any request from a Data Subject to exercise its rights under the Data Protection Legislation;

17.3.7 taking into account the nature of the processing and the information available to GS1 UK, assist the Member in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators;

17.3.8 notify the Member without undue delay and in any event within 2 Business Days on becoming aware of a Personal Data Breach;

17.3.9 at the written direction of the Member, following termination of this Framework Agreement, delete or return Personal Data and copies thereof to the Member, except to the extent required for GS1 UK’s processing as a Data Controller or unless required by applicable law to store the Personal Data; and

17.3.10 maintain a record of the processing carried out on behalf of the Member, provide information to demonstrate GS1 UK’s compliance with this clause 17.3 and allow audits of such compliance by the Member or its representative on reasonable notice and within Working Hours.

17.4 The Member consents to GS1 UK’s use of all sub-processors engaged in the processing of the Member’s Personal Data as at the date of this Framework Agreement, by way of general authorisation. GS1 UK shall provide to the Member on request a list of its current sub-processors (which are mainly IT companies which have access to GS1 UK’s systems in order to provide support services to GS1 UK). GS1 UK shall notify the Member of changes to such list, to give the Member an opportunity to object to any such change. If the Member objects to any such change, it shall notify GS1 UK within 14 days of the date of such notification, specifying its grounds for objecting. If GS1 UK receives such an objection, then GS1 UK may (at its sole option):

17.4.1 address the Member’s concerns to the Member’s reasonable satisfaction, and appoint the new sub-processor; or

17.4.2 decide not to appoint the relevant sub-processor.

If GS1 UK decides that the options listed at clause 17.4.1 and 17.4.2 are not practical, or if GS1 UK is unable to resolve the objection to the Member’s reasonable satisfaction, then either Party may terminate this Framework Agreement on one month’s written notice to the other, without liability.

17.5 For the purposes of this clause 17, where GS1 UK is acting as a Data Processor, the details of the processing are set out below:

Subject matter of processing: to provide the Services and/or any Additional Services.

Duration: subject to clause 23.7, the duration of this Framework Agreement and/or any applicable Service Contract.

Nature: collecting, hosting, storing and transferring Personal Data in order to provide the Services and/or any Additional Services.

Purpose: in order for GS1 UK to comply with its obligations under this Framework Agreement and/or any Service Contract.

Types of Personal Data: name, email address, password provided by the Member, Admin User or User.

Categories of Data Subject: Members (if individuals), Admin Users and Users.

17.6 Where either Party is acting as a Data Controller under this Framework Agreement or any Service Contract, it shall comply with all the obligations imposed on a Data Controller under the Data Protection Legislation.

17.7 Without limiting the generality of clause 17.8, each Party acting as a Data Controller shall:

17.7.1 ensure that it has all necessary notices and consents and lawful bases in place for the processing carried out by it or on its behalf (including the lawful transfer of the Personal Data to the other Party);

17.7.2 give full information to any Data Subject whose Personal Data of the nature of such processing;

17.7.3 ensure that it has in place appropriate technical and organisational measures to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data; and

17.7.4 not transfer any Personal Data received from the disclosing Party outside the UK and EEA unless the transferor ensures that:

17.7.4.1 the transfer is to a country approved under the Data Protection Legislation as providing adequate protection;

17.7.4.2 there are appropriate safeguards or binding corporate rules in place pursuant to the Data Protection Legislation;

17.7.4.3 the transferor otherwise complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any personal data that is transferred; or

17.7.4.4 one of the derogations for specific situations in the Data Protection Legislation applies to the transfer.

17.8 Each Party acting as a Data Controller shall provide reasonable assistance to the other Party (at the other Party’s cost) in complying with all applicable requirements of the Data Protection Legislation.