Skip to content

Data processing agreement

The following Data Processing Agreement should be read in conjunction with the New Era Standard Terms and Conditions, available here.

Order of precedence. If there is any conflict between this DPA and any other service terms with Customer, this DPA controls for privacy and data protection matters. Where the EU Standard Contractual Clauses (SCCs 2021/914) or the UK Addendum/IDTA apply, they prevail over this DPA.

The Service Provider

  1. where the Customer is based in the United Kingdom: BCS Global Networks Limited
  2. where the Customer is based in Canada: New Era Technology VCD, CA Inc

each acting on its own behalf and/or on behalf of any of its affiliates or subsidiaries, collectively doing business as (“New Era Technology” or “New Era”)

And

Customer stated on the Sales Order Form (“The Customer ”) who are the Data Controller.

Effective on publication. This DPA applies when New Era Technology (the “Processor”) processes Personal Data on behalf of any customer or user of its services (each a “Customer” or “Controller”). By ordering, accessing, or using the services, Customer agrees to this DPA.

Alternatively, where the Customer acts as a processor for its own client, the parties acknowledge New Era acts as sub-processor and the obligations in Article 28(4) GDPR apply.

Duration

The Agreement will commence on the date stated on the Sales Order Form and will continue for the term of the Services and until deletion/return of Personal Data under clause 1.13 and clause 5.3 (as amended) unless otherwise agreed in writing between the Parties.

Nature and Purpose of the Processing

Data is processed in order to deliver the service to which the customer has subscribed, the purpose and the nature of the service are detailed in the Appendix A.

Type of personal data being processed

The Types of personal data being processed are detailed in Appendix A.

Categories of the Data Subjects

The category of data subjects will vary according to the service to which the customer has subscribed, as detailed in Appendix A.

Definitions

“Data Controller”: means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

“Data Processor”: means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

“Data Protection Legislation”: (i) unless and until the GDPR is no longer directly applicable in the UK, the General Data Protection Regulation ((EU) 2016/679) and the UK GDPR and any national or regional implementing privacy laws, regulations and secondary legislation, as amended or updated from time to time; (ii) any successor legislation to the GDPR or the Data Protection Act 2018 and e-privacy/PECR to the extent applicable.

“Data Subject”: an individual who is the subject of Personal Data.

“Personal Data”: means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”., in this Agreement, relates only to personal data, or any part of such personal data, of which The Customer is the Data Controller and in relation to which the Service Provider is providing services under this Agreement and as detailed in Appendix A.

“Processing and process”: means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Purpose: the provision by the Service Provider of online services

“Sub-processor”: means any processor engaged by the Service Provider to process Personal Data on behalf of the Customer.

Clauses

1. Obligations of the Service Provider

1.1 The Customer and New Era acknowledge that, for the purposes of the Data Protection Legislation, The Customer is the Data Controller and New Era is the Service Provider and the Data Processor of any Personal Data. Where New Era acts as sub-processor, New Era will comply with the obligations applicable to processors under Article 28(4) GDPR.

1.2 The Service Provider shall comply with all applicable requirements of the Data Protection Legislation and, in particular, shall process the Personal Data only on the Customer’s documented instructions and only to the extent, and in such a manner, as is necessary for the Purpose and shall not process the Personal Data for any other purpose, unless the Service Provider is required by the laws of any member of the European Union or by the laws of the European Union applicable to the Service Provider or by a regional applicable privacy law to process Personal Data (Applicable Laws). Where the Service Provider is relying on laws of a member of the European Union or European Union law as the basis for processing Personal Data, the Service Provider shall promptly notify The Customer of this before performing the processing required by the Applicable Laws unless those Applicable Laws prohibit the Service Provider from so notifying The Customer. If the Service Provider considers that an instruction infringes Data Protection Legislation, it will inform the Customer without undue delay.

1.3 The Customer will control and be responsible for amending, transferring or deleting the Personal Data; the Service Provider will only amend, transfer or delete data at the written request of The Customer or where required by Applicable Laws (in which case the Service Provider will notify the Customer unless legally prohibited).

1.4 The Customer may transfer data to the Service Provider via secure integration through a third party provider, via email using encrypted channels and appropriately protected files or any other means that complies with The Customer’s obligations under the Data Protection Legislation.

1.5 The Service Provider will ensure that it has in place appropriate technical and organisational measures to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymising and encrypting Personal Data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it . The security measure are specified in Appendix B.

1.6 If the Service Provider receives any complaint, notice or communication which relates directly or indirectly to the processing of the Personal Data or to either party’s compliance with Data Protection Legislation, or becomes aware of any breach of Data Protection Legislation, it shall as soon as reasonably practicable notify The Customer and it shall provide The Customer with all due co-operation and assistance in relation to any such complaint, notice or communication.

1.7 At The Customer’s request, the Service Provider shall provide to The Customer a copy of all Personal Data held by it in the format and on the media reasonably specified by The Customer. The Service Provider will fulfil feasible export format requests within a reasonable period and subject to appropriate security checks.

1.8 The Service Provider shall only hold the Personal Data on its servers and may transfer Personal Data to authorised Sub-processors and third countries strictly in accordance with clause 7 (Sub-processors) and clause 8 (Data Transfers).

1.9 The Service Provider will hold the Personal Data only in secure New Era data centres or public accredited cloud-based data centres, depending on the service to which the customer has subscribed.

1.10 The Service Provider will ensure Data is securely backed-up to ensure disaster recovery

1.11 The Service Provider shall promptly and in any event no later than 72 hours after becoming aware, inform The Customer if any Personal Data is lost or destroyed or becomes damaged, corrupted, or unusable and, if this is caused by the negligence or breach of obligations of the Service Provider, will restore such Personal Data at its own expense.

1.12 The Service Provider will provide reasonable assistance with data protection impact assessments, prior consultations, and data subject request handling, taking into account the nature of processing and information available.

1.13 At the end of the contract The Service Provider shall delete all Data associated with The Customer as per Service Provider’s data retention schedule. . The Customer may request the early deletion of such data subject to local legal and regulatory obligations.

2. Obligations of the Customer

2.1 The Customer will comply with all applicable requirements of the Data Protection Legislation and, in particular, will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the Personal Data to the Service Provider for the duration of this Agreement and the Purpose.

  1. Service Provider’s Employees
    1. The Service Provider shall ensure that access to the Personal Data is limited to:
      1. those employees who need access to the Personal Data to meet the Service Provider’s obligations under this Agreement; and
      2. in the case of any access by any employee, such part or parts of the Personal Data as is strictly necessary for performance of that employee’s duties.
    2. The Service Provider shall take reasonable steps to ensure the reliability of any of the Service Provider’s employees who have access to the Personal Data and shall ensure that all employees who have access to and/or process Personal Data are obliged to keep the Personal Data confidential.

4. Rights of Data Subjects and compliance by The Customer

4.1 The Service Provider shall notify The Customer without undue delay if it receives a request from a Data Subject for access to that person’s Personal Data.

4.2 The Customer (as Data Controller) will handle all such requests and notify the Data Subject accordingly. The Service Provider will assist The Customer, at The Customer’s cost, in responding to any such request from a Data Subject and, generally, in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators. Where legally required to respond directly, the Service Provider will limit its response to confirming it is a processor and will promptly redirect the requester to the Customer.

4.3 The Service Provider shall not disclose the Personal Data to any Data Subject or to a third party other than at the written request of The Customer or as provided for in this Agreement.

5. Rights of The Customer

5.1 The Customer is entitled, on giving 30 days’ notice to the Service Provider, to inspect or appoint representatives to inspect documents and electronic data relating to the processing of Personal Data by the Service Provider.

5.2 The requirement under clause 5.1 to give notice will not apply if The Customer reasonably believes that the Service Provider is in breach of any of its obligations under this Agreement.

5.3 At the written direction of The Customer, the Service Provider will delete or return Personal Data and copies thereof to The Customer on termination of this Agreement unless required by Applicable Law to store the Personal Data.

6. Indemnity

6.1 The Service Provider agrees to indemnify and keep indemnified The Customer against all costs, claims, damages or expenses incurred by The Customer or for which The Customer may become liable due to any failure by the Service Provider or its employees or agents to comply with any of its obligations under this Agreement. The indemnities in this clause 6.1 are subject to the liability limits in clause 9.

6.2 The Customer agrees to indemnify and keep indemnified the Service Provider against all costs, claims, damages or expenses incurred by the Service Provider or for which the Service Provider may become liable due to any failure by The Customer or its employees or agents to comply with any of its obligations under this Agreement.

7. Appointment of sub-contractors

7.1 The Service Provider gives the Service Provider general authorisation to appoint any third party (Sub-processor) to process the Personal Data, provided the Service Provider gives prior notice of any intended changes to Sub-processors (via email or portal) and the Customer may object on reasonable data-protection grounds within the notice period, and provided that the Sub-processor’s contract is on terms which are substantially the same as those set out in this Agreement;

    1. The Service Provider shall remain fully liable for all acts or omissions of any sub-contractor appointed by it pursuant to this clause.
    2. A list of current Sub-processors is included in Appendix A.

8. Data Transfers

8.1. Transfers from the EU, UK, and Switzerland. Subject to Section 7 (Sub-processors), any Personal Data subject to the GDPR, UK GDPR, or the Swiss Federal Act on Data Protection (“FADP”), as amended, that is transferred to the Service Provider will be conducted pursuant to Module 2 (Controller -Processor) and, where applicable to onward transfers to Sub-processors, Module 3 (Processor-Processor) of the standard contractual clauses for the transfer of Personal Data to processors in third countries according to Decision (EU) 2021/914 of the EU Commission of 4 June 2021 (the “Standard Contractual Clauses”)

8.1.1. If there is any conflict between this DPA or the Master Agreement and the Standard Contractual Clauses, the Standard Contractual Clauses will prevail;

8.1.2. Details in Appendix A of this DPA will be used to complete Annex I and III of the Standard Contractual Clauses;

8.1.3. Details in Appendix B of this DPA will be used to complete Annex II of the Standard Contractual Clauses;

8.1.4. The following additional safeguards will be added by reference in the SCC Annexes: Service Provider: (a) represents that it has not, as of the Effective Date, received any requests under Section 702 of the U.S. Foreign Intelligence Surveillance Act for the Personal Data of residents of Europe; (b) warrants that it will provide Partner with notice if it becomes unable to comply with the Standard Contractual Clauses, without requirement to detail the reasons for such notice, and that Partner may immediately terminate the Master Agreement upon notice in the event of receipt of any such notice (in such case, Customer will have no further payment obligation and Company will promptly reimburse Customer for the pro-rata amount of any prepaid but unused fees); and (c) will encrypt during transmission any Personal Data received from Customer. For UK transfers, the UK Addendum (or IDTA, as elected by Customer) applies in addition.

8.2. Jurisdiction-Specific Data Transfers. For jurisdictions not covered by the SCCs/UK Addendum/IDTA, the parties will implement the applicable transfer tool required by law.

9. Limits of liability

9.1 Neither party’s liability arising out of this Agreement shall exceed the amount paid to the Service Provider under this Agreement.

9.2 Nothing in this Agreement shall exclude either party’s liability for death or personal injury to the extent it results from the negligence of itself, its employees or its agents, or for fraud or for any other matter in respect of which law prescribes that liability may not be limited or excluded.

10. Assignment and Delegation

Customer may not assign, transfer or delegate its rights or obligations under this Agreement, in whole or in part, by operation of law or otherwise without the prior written consent of New Era. Any attempted assignment or delegation in violation of this Section is null and void. New Era may assign its rights and obligations under this contract, without the consent of Customer, to (a) any Affiliate, (b) in connection with a merger, consolidation, corporate reorganization, sale of all or substantially all of its assets or similar business transaction or (c) to a third party, including its right to receive payments to such third party.

11. Notices

Any notice served under this Agreement shall be delivered to the appropriate party either by recorded delivery post or by facsimile transmission at its principal place of business, or to such other address as may from time to time be notified in writing by the party concerned, or by electronic mail to the email address as may from time to time be notified in writing by the party concerned. Any notice shall be deemed to be duly served:

 

10.1 if sent by recorded delivery post, three (3) calendar days after date of posting;

10.2 if sent by facsimile transmission, on receipt of successful facsimile transmission;

10.3 Notices may be given by email to the addresses notified by each party and are deemed received on transmission if no bounce-back is received and a contemporaneous record is kept and followed up such notice by recorded delivery post in the event that the electronic mail has not been acknowledged by the other party within twenty-four hours of sending the electronic mail, (unless any such date is a Saturday, Sunday or bank holiday in which case it shall be deemed served on the next working day).

12. No waiver

No failure or delay on the part of either party to this Agreement relating to the exercise of any right, power, privilege or remedy provided under this Agreement shall operate as a waiver of such right, power, privilege or remedy or as a waiver of any proceedings or succeeding breach by the other party to this Agreement.

13. Entire agreement

This Agreement contains the full and complete understanding between the parties relating to its subject matter and supersedes all prior arrangements and understandings whether written or oral relating to such subject matter and may not be varied except by written agreement signed by both parties.

14. Jurisdiction and Governing Law

14.1 Where the New Era contracting entity is BCS Global Networks Limited this agreement shall be governed by and construed in accordance with the laws of England and Wales. The parties irrevocably agree that the courts of Slough, Berkshire, or the courts having proper jurisdiction, as the case may be, in England and Wales shall have the exclusive jurisdiction to settle any dispute or claim (including any non-contractual disputes or claims) that arises out of or in connection with this agreement or its subject matter.

14.2 Where the New Era contracting entity is BCS Global Networks Inc. or New Era Technology VCD, CA, Inc., this agreement shall be governed by and construed in accordance with the laws of the Province of Ontario, Canada. The parties irrevocably agree that the courts of the city of Toronto, Ontario, or the courts having proper jurisdiction in the Province of Ontario, as the case may be, in Canada shall have the exclusive jurisdiction to settle any dispute or claim that arises out of or in connection with this agreement or its subject matter.

 

Signed by The Service Provider

Dawn Mulholland

Director

New Era Technology

 

Signed by the Customer

Customer stated on the Sales Order Form.

By signing the order form, the customer agrees to this agreement.

APPENDIX A Personal Data processing purposes and details

Subject matter of processing:

Provision and service management of Education Products including DB Primary, School Ping, Websites and Able+.

Provision and service management of video managed services. (a) virtual meeting room services with dial-in capability; (b) management of video conferences, including the scheduling of meetings requested by a requestor or meeting participants.

Duration of Processing: The Agreement will commence on the date stated on the Sales Order Form and will continue for the term of the Services and

up to 90 days thereafter for return/deletion and standard backup cycles, unless longer retention is required by law.

Nature of Processing: Personal data may be collected according to the Services Agreement to support the service, and the processing activity may involve collection, storage, duplication, electronic viewing, deletion and destruction of personal data.

Business Purposes: Data Processor processes Personal data on behalf of the Data Controller in order to provision and provide Education products and video conference management services to the Controller. According to the Service Agreement, the subject matter, nature of data processing, and categories of data subjects are defined below.

Personal Data Categories: Education Products: The category of data subjects will vary according to the service to which the customer has subscribed but may include employees of the Controller and its affiliates, children/students attending the customer’s organisation, parents of the children attending the customers organisation.

Note: For student/children data, the Customer confirms it has provided appropriate notices and, where required, obtained consents or authorisations under applicable law.

Video managed services: The categories of data subjects may include employees of the Controller and its affiliates, including partners and contractors and, Controller’s meeting participants.

Data Subject Types:

Education Products:

DB Primary: The following Personal Data is processed:

  • Employees of the customer’s organisation:
    • Name
    • Username
    • Email address
    • Telephone number
    • IP address
  • Children attending the customer’s organisation
    • Name
    • Username
    • Year Group
    • Class
    • IP address
  • Employees of the customer’s organisation:
    • Name
    • Username
    • Email address
    • Telephone number
    • IP address
  • Children attending the customer’s organisation
    • Name
    • Year Group
    • Class
  • Parents/Guardians of the children attending the customer’s organisation
    • Name
    • Email address
    • Telephone number
    • IP address
  • Employees of the customer’s organisation:
    • Name
    • Username
    • Email address
    • Telephone number
  • Name
  • Username
  • Address
  • Email address
  • Telephone number
  • IP address

 

School Ping -

 

Websites -

 

Able+ users -

 

Support Data & Billing

  • Contact Name
  • Email Address
  • Phone Number
  • Geographic location
  • Contact Name
  • Email Address
  • Phone Number
  • Geographic location
  • Job Title
  • Contact Name
  • Email Address
  • Phone Number
  • Geographic location
  • Job Title
  • Contact Name
  • Email Address
  • Phone Number
  • Geographic location
  • Call/Meeting Data
  • Device logs
    • Call log details if applicable for troubleshooting, which usually includes H323 and SIP call negotiation and maintenance events from the local and remote terminals.
    • Device specific details such as applications, operating system, hardware components, performance metrics, and firmware, application names for applications that are able to be shared from the end users device, global contact/address lists associated to the device.

No special-category data is required to deliver the service. If Customer users submit additional data to that listed above, they are responsible for ensuring a valid legal basis and appropriate safeguards.

Video managed services:

 

Provisioning Data: The following provisioning data is collected to establish services for video users. This information is stored and associated with an individual’s profile.

  • Contact Name
  • Email Address
  • Phone Number
  • Geographic location
  • Dialing address

 

Support Data: The following data could be associated with incident management (ticketing), if a user opens a ticket with the support desk, via telephone or email, and requests help with their video estate.

 

Reporting Data: The following information is stored in a database to facilitate generating a report for the purpose of support and audit purposes.

 

Billing: The following data could be associated with billing, either directly or in association with a partner.

  • VMR Subscription Inventory (quantity of rooms provisioned, often associated with individual users)
  • Device Subscription Inventory (census of managed devices)
  • Usage data (utilisation metrics)
  • VMR Subscription Inventory (quantity of rooms provisioned, often associated with individual users)
  • Device Subscription Inventory (census of managed devices)

 

Meeting Metadata: The following information is collected only if a person uses the portal to schedule a meeting and invite other participants.

  • Meeting Title
  • Meeting participant names
  • Call log details
    • Display name of participants
    • Inbound URIs and/or IP addresses of participants
    • Call duration
  • Participant Name
  • Chat Message
  • Timestamp of Message
  • File transferred (when applicable)

 

Conference Media: The following media may be processed during any videoconferencing session:

  • Audio streams
  • Video streams
  • Content sharing
  • Online presence

 

Meeting Chat Messages: The following information may be collected if a person uses the chat tool to relay instant messages to others or groups attending the meeting.

 

Reporting Data: The following information is stored in a database to facilitate generating a report for the purpose of support and audit, and to provide utilisation metrics in regards to the service.

  • Meeting Title
  • Meeting participant names
  • Call log details
    • Display name of participants
    • Inbound URIs and/or IP addresses of participants
    • Call duration

 

Recording When Applicable: The following information is only applicable if a user records a video meeting; this must be initiated by the users, and at the time of recording initiation, all participants in the meeting are notified that the session is being recorded.

 

  • Name
  • Email Address
  • Call Log Details (Display name, URI, duration, stream title, stream viewer IP, IP address);
  • Virtual Meeting Room Dialing Information
  • Virtual Meeting Room Pin Code (if applicable)
  • Customer meta data (Meeting title, meeting participant names, index tag)
  • Audio Media
  • Video Media
  • Content Sharing Media

 

Support Data: The following data could be associated with incident management (ticketing), if a user opens a ticket with the support desk and requests help to redress a conference issue.

 

Billing: The following data, if applicable, could be associated with billing, either directly or in association with a partner that is required to provide usage data with invoicing.

 

Call Monitoring: The following data may be associated with activate call monitoring, either by a conference operator or an automated system, or both.

  • Real time automated monitoring
    • Call/Meeting data such as H323 or SIP call statistics, from negotiation to maintenance to teardown.
    • Live monitoring by a call operator—by request only—who may hear and see all content of a meeting.
  • Microsoft: Email, SharePoint, Central Security Hub
  • ConnectWise: Sales and operations CRM
  • HubSpot: Sales and marketing CRM
  • Business Central (Microsoft Dynamics 365): Finance and accounting system
  • Education Products only:
    • Groupcall Ltd (if/where MIS Integration is part of the service provision)
    • Google Analytics (DB Primary and Websites only)
  • Video managed services only:
    • Voxbone- Used to supply PSTN services to video calls.
    • Record & Stream (MNS.VC) - Used for conference recordings.

No special-category data is required to deliver the service. If Customer users submit additional data to that listed above, they are responsible for ensuring a valid legal basis and appropriate safeguards.

Authorised Persons: those employees who need access to the Personal Data to meet the Service Provider’s obligations under this Agreement; and in the case of any access by any employee, such part or parts of the Personal Data as is strictly necessary for performance of that employee’s duties.

Sub-Processors: Data Controller has granted its authorization to the following approved sub-processors who may process data according to the terms and conditions of the Services Agreement and the Data Processing Addendum:

APPENDIX B Security measures

Data Processor has established a mature information security management system (ISMS), aligned to ISO/IEC 27001:2022 and independently audited. Certification information is available on request.

This Appendix B describes the minimum security measures within the ISMS.

Standard Security Measures

  1. Organisational measures
    1. Security / Compliance Officer
      1. A person responsible for the overall compliance with these minimum security requirements shall be designated as the Security Officer. This person shall be suitably trained and experienced in managing information security and provided with appropriate resources to effectively ensure compliance.
      2. The contact details of the Security Officer shall be provided to the Controller
    2. Security Documentation (available on request)
      1. The Data Processor has implemented a Business Continuity and Disaster recovery policy and plan to include measures to minimize disruption to functions and systems and support the restoration of normal business operations
      2. The security documentation shall be available to all staff who have access to Personal Data and the Information Systems.
      3. iii The security document and any related records and documentation shall be retained for a minimum period of 5 years from the end of the Processing.
  2. Functions and Obligations of Staff
    1. Only those employees who have demonstrated honesty, integrity and discretion should be Authorised Users or have access to premises where Information Systems or media containing Personal Data are located. Staff should be bound by a duty of confidentiality in respect of any access to Personal Data.
    2. The necessary measures shall be adopted to train and make staff familiar with these minimum security requirements, any relevant policies and applicable laws concerning the performance of their functions and duties in respect of the Processing of Personal Data and the consequences of any breach of these requirements.
    3. The functions and obligations of staff having access to Personal Data and the Information Systems shall be clearly defined and documented.
    4. Authorised Users shall be instructed to the effect that electronic equipment should not be left unattended and made accessible during Processing sessions.
    5. Physical access to areas where any Personal Data are stored shall be restricted to Authorised Users.
  3. Technical Measures
    1. Authorisation
    2. Identification
    3. Authentication
    4. Access Controls
    5. Management of Media
    6. Distribution of Media and Transmission
    7. Preservation, Back-up copies and Recovery
    8. Anti-Virus and Intrusion Detection
    9. Vulnerability Management
    10. Software Updates
  4. Record Keeping
    1. Access Record
      1. A history of Authorised Users’ access to or disclosure of Personal Data shall be recorded on a secure audit trail.
    2. Physical Access Record
      1. Only those staff duly authorised in the security document may have physical access to the premises where Information Systems and media storing Personal Data are stored. A record of staff who access such premises shall be maintained, including name, date and time of access.
    3. Record of Incidents
      1. An incident Response policy and procedure shall be implemented including procedures for reporting, recording, responding to and managing incidents and events such as data security breaches or unauthorized access attempts
  5. Security & Privacy Policies

The disciplinary measures for a breach of the security plan shall be clearly defined and documented and communicated to staff.

The Data Processor has implemented technical measures, with policies and procedures covering:

A copy of our Security & Privacy policies can be found on our website: www.neweratech.com

APPENDIX C UK Addendum to the EU Standard Contractual Clauses

This Addendum is entered into by and between the parties identified in Table 1 below and forms part of the EU Standard Contractual Clauses (SCCs) Module 2: Controller-to-Processor.

 

Part 1: Tables

Table 1: Parties

Data Exporter

New Era UK Holdings Ltd

Address

17-23 High Street, Slough, Berkshire, SL11DY

United Kingdom

Contact person’s name, position and contact details

Dawn Mulholland, Managing Director, GVC International - dawn.mulholland@neweratech.com

Role

Controller (Exporter)

 

Data Importer

New Era Technology, LLC

Address

901 S. Bolmar St. Bldg. 1, Suite G, West Chester, PA 19382
United States

Contact person’s name, position and contact details

Cherie Schaible, General Counsel - cherie.schaible@neweratech.com

Role

Processor (Importer)

 

Table 2: Selected SCCs

EU SCCs

The Addendum applies to the EU SCCs (June 2021) Module 2: Controller-to-Processor (and Module 3 for onward transfers to Sub-processors).

 

Table 3: Addendum Terms

Governing Law

The law of England and Wales

Jurisdiction

Courts of England and Wales

Competent Authority

Information Commissioner’s Office (ICO), United Kingdom

 

Part 2: Mandatory Clauses

The Mandatory Clauses of the UK Addendum as published by the UK Information Commissioner’s Office are incorporated by reference and apply in full. These clauses ensure that the SCCs operate for transfers subject to UK GDPR.