Schedule 2 – Data Processing Terms

These Data Processing Terms are incorporated into and form part of the Access Terms applicable to the Isambard service (“Access Terms”) applicable between the University of Bristol (“System Operator”) and organisations using the Isambard service.

Definitions

Controller has the meaning given to that term in Data Protection Laws;

Data Protection Laws means as applicable and binding on either party or the System:

(a) all applicable data protection and privacy legislation in force from time to time in the UK including the UK GDPR, the Data Protection Act 2018 and the Privacy and Electronic Communications Regulations 2003 (SI 2003 No. 2426);

(b) all other legislation and regulatory requirements in force from time to time which apply to a party relating to the use of Personal Data (including, without limitation, the privacy of electronic communications);

(c) any laws which implement or supplement any such laws; and

(d) any laws that replace, extend, re-enact, consolidate or amend any of the foregoing;

Data Protection Supervisory Authority means any local, national or multinational agency, department, official, parliament, public or statutory person or any government or professional body, regulatory or supervisory authority, board or other body responsible for administering Data Protection Laws;

Data Subject has the meaning given to that term in Data Protection Laws;

Data Subject Request means a request made by a Data Subject to exercise any rights of Data Subjects under Chapter III of the GDPR in relation to any Protected Data;

International Recipient means the organisations, bodies, persons and other recipients to which Transfers of Protected Data are prohibited under clause 6.1 without the User’s prior written authorisation;

Lawful Safeguards means such legally enforceable mechanism(s) for Transfers of Personal Data as may be permitted under Data Protection Laws from time to time;

Onward Transfer means a Transfer from one International Recipient to another International Recipient;

Personal Data has the meaning given to that term in Data Protection Laws;

Personal Data Breach means any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, any Protected Data;

Processing has the meaning given to that term in Data Protection Laws (and related terms such as process, processes and processed have corresponding meanings);

Processing End Date means the earlier of:

(i) the end of the provision of the relevant System related to processing of the Protected Data, being the date, on or subsequent to the project end date set out in the User’s written application to use the System, which may be notified to the User in writing; or

(ii) once processing by the System Operator of any Protected Data is no longer required for the purpose of the System Operator’s performance of its relevant obligations under these Data Processing Terms;

Processing Instructions has the meaning given to that term in clause 2.1.1;

Processor has the meaning given to that term in Data Protection Laws;

Protected Data means Personal Data received from or on behalf of the User in connection with the performance of the System Operator’s obligations under these Data Processing Terms;

Sub-Processor means a Processor engaged by the System Operator or by any other Sub-Processor for carrying out processing activities in respect of the Protected Data on behalf of the User;

System means the Isambard 3 or Isambard AI high-performance computing system as referred to in the Access Terms;

Transfer bears the same meaning as the word ‘transfer’ in Article 44 of the UK GDPR. Related expressions such as Transfers and Transferring shall be construed accordingly;

UK GDPR means the General Data Protection Regulation, Regulation (EU) 2016/679, as it forms part of domestic law in the United Kingdom by virtue of section 3 of the European Union (Withdrawal) Act 2018 (including as further amended or modified by the laws of the United Kingdom or of a part of the United Kingdom from time to time);

User means the legal entity defined as ‘you’ in the Access Terms.

User Controls means the controls, including security features and functionalities, that the System provides as described in the user documentation.

1 Processor and Controller

1.1 The parties agree that, for the Protected Data, the User shall be the Controller and the System Operator shall be the Processor. Nothing in these Data Processing Terms relieves the User of any responsibilities or liabilities under any Data Protection Laws.

1.2 The System Operator shall process Protected Data in compliance with: (i) the obligations of Processors under Data Protection Laws in respect of the performance of its obligations under these Data Processing Terms; and (ii) the terms of these Data Processing Terms.

1.3 The User shall comply with:

(i) all Data Protection Laws in connection with the processing of Protected Data, the System and the exercise and performance of its respective rights and obligations under these Data Processing Terms, including maintaining all relevant regulatory registrations and notifications as required under Data Protection Laws; and

(ii) these Data Processing Terms.

1.4 The User warrants, represents and undertakes, that at all times:

1.4.1 - the processing of all Protected Data (if processed in accordance with these Data Processing Terms) shall comply in all respects with Data Protection Laws, including in terms of its collection, use and storage;

1.4.2 - fair processing and all other appropriate notices have been provided to the Data Subjects of the Protected Data (and all necessary consents from such Data Subjects obtained and at all times maintained) to the extent required by Data Protection Laws in connection with all processing activities in respect of the Protected Data which may be undertaken by the System Operator and its Sub-Processors in accordance with these Data Processing Terms;

1.4.3 - it shall maintain complete and accurate backups of all Protected Data provided by the User to the System Operator (or anyone acting on its behalf) so as to be able to immediately recover and reconstitute such Protected Data in the event of loss, damage or corruption of such Protected Data by the System Operator or any other person;

1.4.4 - all instructions given by it to the System Operator in respect of Personal Data shall at all times be in accordance with Data Protection Laws; and

1.4.5 - it is satisfied that the technical and organisational measures set out in Schedule 2 shall (if the System Operator complies with its obligations under such Schedule) ensure a level of security appropriate to the risk in regards to the Protected Data as required by Data Protection Law.

2 Instructions and details of processing

2.1 Insofar as the System Operator processes Protected Data on behalf of the User, the System Operator:

2.1.1 - unless required to do otherwise by applicable law, shall (and shall take steps to ensure each person acting under its authority shall) process the Protected Data only on and in accordance with the User’s documented instructions as set out in these Data Processing Terms and provided via User Controls and configuration tools in respect of the System (Processing Instructions);

2.1.2 - if applicable law requires it to process Protected Data other than in accordance with the Processing Instructions, shall notify the User of any such requirement before processing the Protected Data (unless applicable law prohibits such information on important grounds of public interest); and

2.1.3 - shall promptly inform the User if the System Operator becomes aware of a Processing Instruction that, in the System Operator’s opinion, infringes Data Protection Laws, provided that:

(i) this shall be without prejudice to clauses 1.3 and 1.4; and

(ii) to the maximum extent permitted by applicable law, the System Operator shall have no liability howsoever arising (whether in contract, tort (including negligence) or otherwise) for any losses, costs, expenses or liabilities arising from or in connection with any processing in accordance with the Processing Instructions following the User’s receipt of that information. Taking into account the nature of the processing, the User agrees that it is unlikely the System Operator can form an opinion on whether Processing Instructions infringe Data Protection Laws.

2.2 The processing of Protected Data to be carried out by the System Operator under these Data Processing Terms shall comprise the processing set out in Schedule 1, as may be updated from time to time by agreement between the parties.

3 Technical and organisational measures

3.1 The System Operator shall implement and maintain, at its cost and expense, technical and organisational measures:

3.1.1 - in relation to the processing of Protected Data by the System Operator, as set out in Schedule 2; and

3.1.2 - taking into account the nature of the processing, to assist the User insofar as is possible in the fulfilment of the User’s obligations to respond to Data Subject Requests relating to Protected Data. The parties have agreed that (taking into account the nature of the processing) the System Operator’s compliance with clause 5.1 shall constitute the System Operator’s sole obligations under this clause 3.1.2.

3.2 Any additional technical and organisational measures shall be at the User’s cost and expense.

4 Using staff and other Processors

4.1 The System Operator shall not engage (nor permit any other Sub-Processor to engage) any Sub-Processor for carrying out any processing activities in respect of the Protected Data without the User’s prior written authorisation of that specific Sub-Processor. The System Operator will notify the User by email if the System Operator intends to add or replace any Sub-Processors.

4.2 The User shall reply to any email communication from the System Operator requesting any further prior specific authorisation of a Sub-Processor pursuant to clause 4.1 promptly and in any event within 14 days of request from time to time. The User shall not unreasonably withhold, delay or condition any such authorisation.

4.3 In the event the User fails to comply with any of its obligations in clause 4.2 or withholds any requested authorisation further to clause 4.2, the System Operator may terminate the User’s access to the System.

4.4 The System Operator shall:

(i) prior to the relevant Sub-Processor carrying out any processing activities in respect of the Protected Data, ensure each Sub-Processor is appointed under a written contract containing materially similar obligations as under these Data Processing Terms (including those obligations relating to sufficient guarantees to implement appropriate technical and organisational measures) that is enforceable by the System Operator; and

(ii) ensure each such Sub-Processor complies with all such obligations.

4.5 The System Operator shall ensure that all natural persons authorised by it (or by any Sub-Processor) to process Protected Data are subject to a binding written contractual obligation to keep the Protected Data confidential (except where disclosure is required in accordance with applicable law, in which case the System Operator shall, where practicable and not prohibited by applicable law, notify the User of any such requirement before such disclosure).

5 Assistance with the User’s compliance and Data Subject rights

5.1 The System Operator shall refer all Data Subject Requests it receives to the User within 7 days of receipt of the request, provided that if the number of Data Subject Requests exceeds 5 per calendar month, the System Operator reserves the right to charge the User for all work, time, costs and expenses incurred by the System Operator or any Sub-Processor(s) in connection with all further Data Subject Requests in such month calculated on a time and materials basis at the System Operator’s rates as notified to the User from time to time. The parties agree that User’s use of the User Controls and the System Operator forwarding Data Subject Requests to the User in accordance with this clause, represent the scope and extent of User’s required assistance in respect of Data Subject Requests.

5.2 By the means set out in clause 5.3 below, the System Operator shall provide such assistance as the User reasonably requires (taking into account the nature of processing and the information available to the System Operator) to the User in ensuring compliance with the User’s obligations under Data Protection Laws with respect to:

5.2.1 - security of processing;

5.2.2 - data protection impact assessments (as such term is defined in Data Protection Laws);

5.2.3 - prior consultation with a Data Protection Supervisory Authority regarding high risk processing; and

5.2.4 - notifications to the Data Protection Supervisory Authority and/or communications to Data Subjects by the User in response to any Personal Data Breach.

5.3 The User acknowledges and agrees that:

5.3.1 - the assistance in relation to clauses 5.2.1 to 5.2.3 will consist of the System Operator making available its user documentation to the User, including documentation in relation to the User Controls. If such documentation is insufficient for the User to comply with its compliance obligations referred to in clause 5.2, the System Operator shall, upon Customer’s request by email to [email protected], provide Customer with additional reasonable assistance;

5.3.2 - the assistance in relation to clause 5.2.4 will consist of the making available by the System Operator of such information about the Personal Data Breach as the System Operator is reasonably able to disclose to User, taking into account the nature of the processing, the information available to the System Operator, and any restrictions on disclosing the information, such as confidentiality. Taking into account the nature of the processing, the User agrees that it is best able to determine the likely consequences of a Personal Data Breach.

6 International Transfers

6.1 Subject to clause 6.2, the System Operator shall not Transfer (nor permit any Onward Transfer of) any Protected Data:

6.1.1 - to any country or territory outside the United Kingdom; and/or

6.1.2 - to an organisation and/or its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries,

without the User’s prior written authorisation except where required by applicable law (in which case the provisions of clause 2.1 shall apply).

6.2 The User hereby authorises the System Operator (or any Sub-Processor) to Transfer Protected Data, provided all Transfers of Protected Data by the System Operator of Protected Data to an International Recipient (including any Onward Transfer) shall:

6.2.1 - be effected by way of Lawful Safeguards and in accordance with these Data Processing Terms; and

6.2.2 - be made pursuant to a written contract, including equivalent obligations on each Sub-Processor in respect of Transfers to International Recipients as apply to the System Operator under any of this clause 6.

The provisions of these Data Processing Terms shall constitute the User’s instructions with respect to Transfers of Protected Data to International Recipients for the purposes of these Data Processing Terms.

6.3 The System Operator and each Sub-Processor is not obliged to make any unlawful Transfer of Protected Data and shall not be liable to the extent that it (or any Sub-Processor) is delayed in or fails to perform any obligation under these Data Processing Terms due to:

6.3.1 - there being no available valid Lawful Safeguard from time to time for any of the Transfers authorised pursuant to clause 6.2; or

6.3.2 - the System Operator or any Sub-Processor declining to permit any Transfer(s) on the basis it believes that the circumstances in clause 6.3.1 apply. Any payment by the User to the System Operator in respect of the System shall not be discounted or set-off as a result of any delay or non-performance of any obligation in accordance with this clause 6.3.

7 Records, information and audit

7.1 The System Operator shall, in accordance with Data Protection Laws, make available to the User such information (including user documentation) as is reasonably necessary to demonstrate the System Operator’s compliance with its obligations under Article 28 of the GDPR, and allow for and contribute to audits, including inspections, by the User (or another auditor mandated by the User) for this purpose, subject to the User:

7.1.1 - giving the System Operator reasonable prior notice of such information request, audit and/or inspection being required by the User;

7.1.2 - ensuring that all information obtained or generated by the User or its auditor(s) in connection with such information requests, inspections and audits is kept strictly confidential (save for disclosure to a Data Protection Supervisory Authority or as otherwise required by applicable law);

7.1.3 - hereby agreeing that the System Operator shall be entitled to withhold information where it is confidential to it or its suppliers or its other users;

7.1.4 - ensuring that such audit or inspection is undertaken during normal business hours, with minimal disruption to the System Operator’s business, the Sub-Processors’ businesses and the business of any Users of the System Operator or of any of the Sub-Processors; and

7.1.5 - if notified by the System Operator in advance, paying the System Operator for all work, time, costs and expenses reasonably incurred by the System Operator or any Sub-Processor(s) in connection with the provision of information and allowing for and contributing to inspections and audits. For the avoidance of doubt, no such charges shall be payable in respect of the System Operator making available to the User the user documentation.

7.2 If System Operator declines to follow any instruction requested by the User regarding audits, including inspections, the User is entitled to terminate its use of the System.

8 Breach notification

8.1 In respect of any Personal Data Breach, the System Operator shall, without undue delay:

8.1.1 - notify the User of the Personal Data Breach; and

8.1.2 - provide the User with details of the Personal Data Breach.

8.2 In the event that the User becomes aware of a Personal Data Breach having occurred in relation to the System, the User shall email the System Operator at [email protected] with a subject heading ‘Urgent – Isambard Personal Data Breach’.

9 Deletion or return of Protected Data and copies

9.1 The System Operator shall (and shall ensure that each of the Sub-Processors shall) delete or (if requested by the User in writing prior to the Processing End Date) return the Protected Data (in such format as the System Operator holds it) promptly after the Processing End Date except to the extent that storage of any such data is required by applicable law (and, if so, the System Operator shall inform the User of any such requirement and shall (and shall ensure any relevant Sub-Processor shall) securely delete such data promptly once it is permitted to do so under applicable law).

10 Liability, and compensation claims

10.1 The User acknowledges that the System Provider shall have no responsibility or liability to the User in connection with any:

10.1.1 - non-compliance by the User with the Data Protection Laws;

10.1.2 - processing carried out by the System Operator or any Sub-Processor pursuant to any Processing Instruction that infringes any Data Protection Law; or

10.1.3 - breach by the User of any of its obligations under these Data Processing Terms.

10.2 To the fullest extent permitted by law, the System Operator shall be liable for losses (howsoever arising, whether in contract, tort (including negligence) or otherwise) under or in connection with these Data Processing Terms in no circumstances to the extent that any losses (or the circumstances giving rise to them) are contributed to or caused by any breach of these Data Processing Terms by the User (including in accordance with clause 2.1.3).

10.3 If a party receives a compensation claim from a person relating to processing of Protected Data, it shall promptly provide the other party with notice and full details of such claim.

10.4 The parties agree that the User shall not be entitled to claim back from the System Operator any part of any compensation paid by the User in respect of such damage to the extent that it falls within the scope of clause 10.1.

10.5 IMPORTANT: The extent of the System Operator’s liability under or in connection with these Data Processing Terms (regardless of whether such liability arises in tort, contract or in any other way and whether or not caused by negligence or misrepresentation) howsoever arising shall not exceed the sum of £1,000 (one thousand pounds).

10.6 The System Operator shall not be liable for any of the following (whether direct or indirect): loss of revenue, loss of profit, or loss of business; loss of data that is not Protected Data; loss of use; loss of savings; harm to reputation or goodwill; or wasted expenditure.

10.7 Nothing in these Data Processing Terms shall limit the System Operator’s liability in any way in respect of any liability which cannot be excluded or limited by applicable law.

SCHEDULE 1

DATA PROCESSING DETAILS

1 Subject-matter of processing:

User’s use of the Isambard high performance computing facility

2 Duration of the processing:

For the duration of the User’s use of the System and any period required to perform a party’s post-termination obligations.

3 Nature and purpose of the processing:

Storage, processing and retrieval of data by means of the System

4 Type of Personal Data:

As may be comprised in the User’s applications deployed on the System

5 Categories of Data Subjects:

Data subjects whose personal data is comprised in any research projects facilitated by the User’s applications

6 Lawful Basis of processing:

The User will ensure it has a lawful basis for processing both Personal Data and ‘special category data’ (as set out in Article 9(1) UK GDPR) at the point of application for use of the Service.

7 Deletion of Data

The User instructs the System Operator to delete the Protected Data within 60 days after the Processing End Date.

8 Special categories of Personal Data:

The User may submit special categories of data to the System, the extent of which is determined and controlled by User in its sole discretion, and which is for the sake of clarity Personal Data with information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.

SCHEDULE 2

TECHNICAL AND ORGANISATIONAL MEASURES

The System Operator shall implement and maintain the technical and organisational security measures to protect the Protected Data as set out in the user documentation at https://docs.isambard.ac.uk/policies/shared_responsibility as updated from time to time. The User acknowledges that such measures are only applied to the System, and not to any transfer by the User of Protected Data to or from the System.