Call-Off Contract. Legal Consultancy Services Framework Call-Off Number DCCT0012 Legal consultancy on GDPR. Version: V1.0


Call-Off Contract
Legal Consultancy Services Framework
Call-Off Number DCCT0012
Legal consultancy on GDPR
Version: V1.0
Date: 16 August 2017
Author: Redacted
Classification: DCC Public

CONSULTANCY LEGAL SERVICES FRAMEWORK CALL-OFF TERMS AND CONDITIONS
Call-Off Contract Ref: DCCT0012

Parties:

BETWEEN

(1) SMART DCC LIMITED, a company registered in England and Wales under company number of 2nd Floor, Ibex House, Minories, London, EC3N 1DY and whose registered office is at 17 Rochester Row, London, SW1P 1QT ("DCC" or "Smart DCC");

AND

(2) FIELDFISHER LLP, a limited liability partnership registered in England and Wales under company number OC whose registered office is at Riverbank House, 2 Swan Lane, London EC4R 3TT ("the Contractor").

BACKGROUND RECITALS

A. This Call-off Contract is made pursuant to the Legal Consultancy Services Framework Agreement dated 2nd of March 2017 made between Smart DCC and the Contractor.

DCCT0012 DCC Public Page 2 of 11

1. Definitions
In these conditions the definitions in the Framework Agreement apply.

2. Term
2.1. The Commencement Date for this Contract is 21st August. The expiry date for this Contract is 30th September.

3. Requirements
3.1. The Services to be delivered by the Contractor are described in Schedule 1 of this Call-Off Contract.

4. Contractor Obligations
4.1. The Contractor agrees to deliver the DCC requirements and ensure that their solution is compliant with the Contractor Solution in Schedule. The Contractor must conform in full with the terms and conditions of the Framework Agreement and the Call-Off Contract. The duration of the Call-Off Contract (unless terminated earlier as set out in Condition 9 of the Framework Agreement or as set out in this Call-Off Contract).

5. Charges
5.1. In return for the provision of the Services by the Contractor, we shall pay the Contractor the Contract Price as stated in Schedule.

6. Special terms (to be added as required)
6.1. N/A

Schedule 1 - Requirements

Project / work package Title: General Data Protection Regulation (GDPR) review of Smart Energy Code and Fundamental Service Provider contracts for compliance with the GDPR.

Background: The GDPR will apply in the UK from 25 May. The government has confirmed that the UK's decision to leave the EU will not affect the commencement of the GDPR. DCC wishes to review its current contractual arrangements to ensure it will be GDPR compliant.

Requirement: DCC is conducting a review of its Fundamental Service Provider contracts with CGI, Arqiva, Telefonica, BT and Critical Technologies with a view to establishing whether the current provisions for protection of personal data are compliant with the GDPR. In parallel, we would also like to conduct a review of the relevant provisions of the Smart Energy Code dealing with protection of personal data (Section I Data Privacy). The review will require discussion with DCC to establish (i) the nature of personal data held by DCC; (ii) its obligations as a controller and/or processor of personal data under the GDPR; (iii) whether the GDPR imposes additional risks or liabilities on DCC as compared to the Data Protection Act; and (iv) how DCC can best mitigate or manage those risks.

Duration: The report would need to be completed by Friday 15th September 2017 with a meeting in the following week.

Deliverables: Report on the areas covered above in Requirements plus one follow-up meeting to discuss the contents of the report.

Schedule 2 - Supplier Solution

Capacity, capability and availability

We have one of the best and biggest EU privacy and cybersecurity law practices with a unique track record supporting some of the world's most complex businesses. The wealth of specialist experience, technical expertise and commercial acumen held by our specialist lawyers means that we are knowledgeable enough to advise you on the most complex aspects of the law, but also pragmatic enough to recognise that sometimes you just need to "get it done" and confident enough to help you get it done. We have over 35 specialist privacy lawyers across our offices in the UK, Germany, Belgium, France, Italy, Silicon Valley and China. The team we have proposed is available to work immediately.

Our core areas of expertise

We cover the whole spectrum of data privacy, data security, and information law. In broad terms, we divide our data protection support across five key areas:

(1) Global Information Governance: advising clients on multinational data protection compliance for their customer, HR and supplier data, including policy and process development, and on international data export solutions (including BCR and Privacy Shield certification). We work closely with a wide number of clients on their General Data Protection Regulation readiness programmes and on monitoring the development of the e-Privacy Regulation.

(2) e-Privacy and Disruptive Technologies: advising clients on the data privacy aspects of digital and disruptive technologies, such as product reviews, privacy impact assessments and e-privacy compliance, including online profiling, interest-based advertising and e-marketing.

(3) Regulatory Outreach: we have strong connections with various authorities throughout the EU, and can facilitate client outreach activities as and when required.

(4) Incident and Risk Management: we help our clients to develop procedures for managing data security incidents as and when they arise, and support them in any subsequent incident response actions, including containment, regulatory notification and remedial action. We also help clients with preparing for other 'risk flash points' and managing such risk when it materialises, for instance in the context of data subject requests or complaints, regulatory investigations and audits, and data disputes.

(5) Commercial Transactions: we help our clients close commercial transactions and data deals by supporting them in drafting terms of contract and negotiation playbooks, and in negotiating complex privacy issues that increasingly become the sticking point on deals.

GDPR Tools: Checklists, Precedents and Template Clauses

Complying with the GDPR can be a significant undertaking. We believe that simple tools like checklists, precedents and clauses can help simplify this undertaking. In addition, they can be used to enhance your team's self-sufficiency and improve their skills. This is why we have developed several such tools and are in the process of creating more. You may find a list of our existing and nearly ready tools below.

GDPR Checklists
- Data Processing Agreement (Checklist for contractual obligations)
- Data Processing Records GDPR Checklist and GDPR Readiness Questionnaire
- Fair Processing Notice Requirements (Privacy Notice) Checklist
- GDPR Gap Analysis Report

GDPR Precedents
- Data Processor Clauses (Balanced)
- Data Processor Clauses (Processor Friendly)
- Data Protection Impact Assessment (including WP29 consultation guidelines)
- Data Mapping Questionnaire (Processor version)
- Data Mapping Questionnaire (Controller version)
- General Privacy Notice (GDPR Compliant) for offline use
- Website Privacy Notice (GDPR compliant)
- GDPR Data Protection Consent Template
- Security Incident / Data Breach Response Plan
- Supplier Data Protection Due Diligence Questionnaire
- GDPR Project Plan Workshop (slide deck)

GDPR Precedents in progress
- GDPR Readiness Implementation Plan / Roadmap (Breakdown of activities required to be undertaken)
- GDPR Readiness Questionnaire
- GDPR DPO FAQs
- GDPR Schedule of documents required to have
- Record of Supplier Contracts
- Employee Privacy Notice
- Data Subject Rights' Policy
- General Privacy Notice (Standard policy including new principles and also a section about privacy by design and default, the need for DPIAs and any other 'new' items coming out of GDPR)
- Processor to Sub-processor Agreement

DPO services

Our recently launched DPO service includes:
- monitoring your compliance with the GDPR, as well as with your own data protection policies;
- advising you on your internal data protection governance arrangements, internal awareness-raising activities, and training of staff involved in data processing;
- supporting any data protection audits you choose to undertake or to which you are subject;
- providing advice in relation to, and monitoring performance of, any data protection impact assessments you ask us to support;
- helping you to cooperate with EU data protection authorities; and
- acting as the contact point for EU data protection authorities on matters relating to EU data protection (including any prior consultations that may be necessary for GDPR compliance).

Fieldfisher's DPO service saves management time and resources on engagement with third party services providers, and recruiting an in-house officer. We have various pricing options which we would be happy to discuss with you, if this DPO service would be suitable for DCC.

We have designed our delivery model to be cost effective and flexible to meet client demands. The way we assign resources is determined by customer expectations and project drivers around time, cost, quality and risk. We ask questions upfront and listen to quantify need and align our capabilities accordingly.

"The whole Fieldfisher team works together seamlessly and provides the highest level of client service." Chambers, 2017

Schedule 3 - Contract Duration and Timing

Start Date: 21st August
End Date: September 2017 (estimated)
Effort (days): 8-10

Schedule 4 - Contract Price

Fixed Price: Redacted

1. Review of Smart Energy Code Section 1 (Data Privacy) and updating for GDPR compliance and a meeting to discuss revisions: estimate 3-4 days
2. Review of CGI, Arqiva, Telefonica, BT and Critical Technologies contracts for GDPR compliance and meeting to discuss revisions: estimate 3 days
3. Preparation for meeting to discuss "(i) the nature of personal data held by DCC; (ii) its obligations as a controller and/or processor of personal data under the GDPR; (iii) whether the GDPR imposes additional risks or liabilities on DCC as compared to the Data Protection Act; and (iv) how DCC can best mitigate or manage those risks." Creating a high level briefing note on these issues in advance of the meeting (to be shared with DCC) and discussion with DCC at the meeting: estimate 1.5 days

Rate cards: Redacted

General

All prices are to be exclusive of VAT and shall include all expenses. All expenses, including but not limited to the following, are included in the fixed price: travel, accommodation and subsistence. This fixed price fee includes all aspects of the work carried out to deliver the requirements. No additional fees will be paid.

Payment Profile

Payment Milestone: Invoice once only at the end of the project.
Payment Value: Redacted

Schedule 5 - Contacts

For this Call-off contract the points of contact will be as follows:

For Smart DCC:
Contract Manager (main point of contact): Redacted

For Contractor:
Contract Manager (main point of contact): Redacted

Signed for and on behalf of Smart DCC Limited
By...
Name...
Title...
Date...

Signed for and on behalf of Contractor
By...
Name...
Title...
Date...