1. Application
    • 1.1 These Terms and Conditions shall apply to the provision of Services by the Service Provider to the Client.
    • 1.2In the event of conflict between these Terms and Conditions and any other terms and conditions (of the Client or otherwise), the former shall prevail unless expressly otherwise agreed by the Service Provider in writing.
  2. Definitions and Interpretation
    • 2.1In these Terms and Conditions, unless the context otherwise requires, the following expressions have the following meanings:
      “Agreed Proposal” means the Agreed Proposal between the Service Provider and the Client of which these Terms and Conditions form a part, for the work to which it is expressed to relate;
      “Business Day” means a day (excluding Saturdays) on which banks generally are open for the transaction of normal banking business (other than solely for trading and settlement in Euros);
      “Client” means any individual, firm or corporate body (which expression shall, where the context so admits, include its successors and assigns) in this agreement, which purchases services from the Service Provider;
      “Commencement Date” means whichever date of signature of the Agreed Proposal of which these Terms and Conditions form a part, by the Service Provider or the Client, is the later, or the date of signature by both Parties if both sign on the same day;
      “Fees” means the fees payable by the Client under Clause 4 in accordance with the Terms of Payment as particularised in the Fees section of the Agreed Proposal of which these Terms and Conditions form a part plus any and all accepted variations (such acceptance not to be unreasonably withheld)
      “Services” means the services to be provided by the Service Provider to the Client as set out in the Scope of Works section of the Agreement of which these Terms and Conditions form a part;
      Service Provider” means Activeplan Consulting Limited; and
      “Terms of Payment” means the terms of payment of Fees as set out in section ‘5.  Payment’ of these Terms and Conditions.
    • 2.2Unless the context otherwise requires, each reference in these Terms and Conditions to:
      • 2.2.1“writing”, and any cognate expression, includes a reference to any communication effected by electronic or facsimile transmission or similar means;
      • 2.2.2a statute or a provision of a statute is a reference to that statute or provision as amended or re-enacted at the relevant time;
      • 2.2.3“these Terms and Conditions” is a reference to these Terms and Conditions and any Schedules as amended or supplemented at the relevant time;
      • 2.2.4a Schedule is a schedule to these Terms and Conditions; and
      • 2.2.5a Clause or paragraph is a reference to a Clause of these Terms and Conditions (other than the Schedules) or a paragraph of the relevant Schedule.
      • 2.2.6a “Party” or the “Parties” refer to the parties to these Terms and Conditions.
    • 2.3The headings used in these Terms and Conditions are for convenience only
    • 2.4and shall have no effect upon the interpretation of these Terms and Conditions.
    • 2.5Words imparting the singular number shall include the plural and vice versa.
    • 2.6References to any gender shall include the other gender.
  3. The Services
    • 3.1 With effect from the Commencement Date the Service Provider shall, in consideration of the Fees being paid in accordance with the Terms of Payment, provide the Services to the Client.
    • 3.2 The Service Provider will use reasonable care and skill to perform the Services.
    • 3.3 The Service Provider shall use all reasonable endeavours to complete its obligations under these Terms and Conditions but time will not be of the essence in the performance of these obligations.
  4. Fees
    • 4.1The Client agrees to pay the Fees in accordance with the Terms of Payment.
    • 4.2In addition the Service Provider shall be entitled to recover from the Client its reasonable incidental expenses in connection with the provision of the Services.
    • 4.3The Client will pay the Service Provider for any additional services provided by the Service Provider that are not specified in the Scope of Works section of the Agreement of which these Terms and Conditions form a part, in accordance with the Service Provider’s then current, applicable daily rate in effect at the time of the performance or such other rate as may be agreed. Any charge for additional services will be supplemental to the amounts that may be due for expenses.
    • 4.4All sums payable by either Party pursuant to these Terms and Conditions are exclusive of any Value Added or other Tax (except Corporation Tax) or other taxes on profit, for which that Party shall be additionally liable.
  5. Payment
    • 5.1If an initial payment of the total net fees payable under the Agreed Proposal (plus VAT) is to be invoiced at the Commencement Date this is payable within 14 days of invoice in sterling in cleared funds to such bank in England as the receiving Party may from time to time nominate, without any set-off, withholding or deduction except such amount (if any) of tax as that Party is required to deduct or withhold by law. All subsequent payments required to be made pursuant to the Agreed Proposal by either Party shall be subject to the same terms (save for the amount of payment which will be as per the invoice concerned).
    • 5.2The time of payment shall be of the essence. If the Client fails to make any payment on the due date then the Service Provider shall, without prejudice to any right which the Service Provider may have pursuant to any statutory
      provision in force from time to time, have the right to charge the Client interest on a daily basis at an annual rate equal to the aggregate of 4% and the base rate of Barclays Bank from time to time on any sum due and not paid on the due date. Such interest shall be calculated cumulatively on a daily basis and shall run from day to day and accrue after as well as before any judgement.
  6. Confidentiality
    • 6.1Both the Service Provider and the Client shall undertake that, except as provided by sub-Clause 6.2 or as authorised in writing by the other Party, it shall at all times during the continuance of the work and for one year after its termination:
      • 6.1.1keep confidential all Confidential Information;
      • 6.1.2not disclose any Confidential Information to any other party;
      • 6.1.3not use any Confidential Information for any purpose other than as contemplated by these Terms and Conditions or the Agreed Proposal;
      • 6.1.4not make any copies of, record in any way or part with possession of any Confidential Information; and
      • 6.1.5ensure that (as applicable) none of its directors, officers, employees, agents or advisers does any act which, if done by that Party, would be a breach of the provisions of sub-Clauses 6.1.1 to 6.1.4.
    • 6.2Subject to sub-Clause 6.3, either Party may disclose any Confidential Information to:
      • 6.2.1any of their sub-contractors or suppliers;
      • 6.2.2any governmental or other authority or regulatory body; or
      • 6.2.3any of their employees or officers or those of any party described in sub-Clauses 6.2.1 or 6.2.2;
    • 6.3Disclosure under sub-Clause 6.2 may be made only to the extent that is necessary for the purposes contemplated by these Terms and Conditions and the Agreed Proposal of which they form a part, or as required by law. In each case the disclosing Party must first inform the recipient that the Confidential Information is confidential. Unless the recipient is a body described in sub-Clause 6.2.2 or is an authorised employee or officer of such a body, the disclosing Party must obtain and submit to the other Party a written undertaking from the recipient to keep the Confidential Information confidential and to use it only for the purposes for which the disclosure is made.
    • 6.4Either Party may use any Confidential Information for any purpose, or disclose it to any other party, where that Confidential Information is or becomes public knowledge through no fault of that Party.
    • 6.5When using or disclosing Confidential Information under sub-Clause 6.4, the disclosing Party must ensure that it does not disclose any part of that
    • 6.6Confidential Information which is not public knowledge.
    • 6.7The provisions of this Clause 6 shall continue in force in accordance with their terms, notwithstanding the termination of the work for any reason.
  7. Variation and Amendments
    • 7.1If the Client wishes to vary any details of the Services it must notify the Service Provider in writing as soon as possible. The Service Provider shall prepare a variation order for acceptance by the client. Upon acceptance the services, as varied, will be provided.

    If, due to circumstances beyond the Service Provider’s control, it has to make any change in the arrangements relating to the provision of the Services it shall notify the Client immediately. The Service Provider shall endeavour to keep such changes to a minimum and shall seek to offer the Client arrangements as close to the original as is reasonably possible in the circumstances.

  8. Termination
    • 8.1Either Party may terminate the work under the Agreed Proposal by giving written notice to the other Party if:
      • 8.1.1any sum owing to that Party by the other Party under any of the provisions of the Agreed Proposal is not paid within 14 days of the due date for payment;
      • 8.1.2the other Party commits any other breach of any of the provisions of the Agreed Proposal and, if the breach is capable of remedy, fails to remedy it within 14 days after being given written notice giving full particulars of the breach and requiring it to be remedied;
      • 8.1.3an encumbrancer takes possession, or where the other Party is a company, a receiver is appointed, of any of the property or assets of that other Party;
      • 8.1.4the other Party makes any voluntary arrangement with its creditors or, being a company, becomes subject to an administration order (within the meaning of the Insolvency Act 1986);
      • 8.1.5the other Party, being an individual or firm, has a bankruptcy order made against it or, being a company, goes into liquidation (except for the purposes of bona fide amalgamation or re-construction and in such a manner that the company resulting therefrom effectively agrees to be bound by or assume the obligations imposed on that other Party under the Agreed Proposal);
      • 8.1.6anything analogous to any of the foregoing under the law of any jurisdiction occurs in relation to the other Party;
      • 8.1.7the other Party ceases, or threatens to cease, to carry on business; or
      • 8.1.8control of the other Party is acquired by any person or connected persons not having control of that other Party on the date of the Agreement. For the purposes of this Clause 8, “control” and
      • 8.1.9“connected persons” shall have the meanings ascribed thereto by Sections 1124 and 1122 respectively of the Corporation Tax Act 2010.
    • 8.2For the purposes of sub-Clause 8.1.2, a breach shall be considered capable of remedy if the Party in breach can comply with the provision in question in all respects.
    • 8.3In the event of termination under sub-Clause 8.1 the Service Provider shall retain any sums already paid to it by the Client without prejudice to any other rights the Service Provider may have whether at law or otherwise.
  9. Sub-Contracting
    Neither Party may sub-contract the performance of any of its obligations under these Terms and Conditions without the prior written consent of the other Party. Where either Party sub-contracts the performance of any of its obligations under these Terms and Conditions to any person with the prior consent of the other Party, the sub-contracting Party shall be responsible for every act or omission of the sub-contractor as if it were an act or omission of the sub-contracting Party itself.
  10. Liability and Indemnity
    • 10.1Subject to any liability arising from death or personal injury resulting from the Service Provider’s negligence, the Service Provider shall not be held liable for any loss of profit or any indirect, special, or consequential loss, damage, costs, expenses, or other claims, whether caused by the Service Provider’s servants or agents or otherwise, in connection with the fulfilment of its obligations under these Terms and Conditions or the Client’s utilization of the Services. This exclusion of liability encompasses losses that do not naturally or directly arise from any breach but are instead caused by external factors or circumstances.
    • 10.2In alignment with the principle to exclude liability for consequential, special, or indirect losses and loss of profit, which are losses not directly stemming from a breach but rather result from other factors or circumstances, the Service Provider undertakes to warrant a performance standard no greater than reasonable care and skill. This implies that the services will be executed with the level of care and skill expected from a competent professional in the field. The Service Provider refrains from making explicit promises or guarantees of specific results or outcomes, as such commitments may heighten liability in the event of non-fulfilment.
    • 10.3The Client shall indemnify the Service Provider against all damages, costs, claims and expenses suffered by the Service Provider arising from loss or damage to any equipment (including that of third parties) caused by the Client, or his agents or employees.
  11. Force Majeure
    Neither the Client nor the Service Provider shall be liable for any failure or delay in performing their obligations under these Terms and Conditions where such failure or delay results from any cause that is beyond the reasonable control of that Party. Such causes include, but are not limited to: power failure, Internet Service Provider failure, industrial action, civil unrest, fire, flood, storms, earthquakes, acts of terrorism, acts of war, governmental action or any other event that is beyond the control of the Party in question.
  12. Waiver

    • 12.1No waiver by the Service Provider of any breach of these Terms and Conditions by the Client shall be considered as a waiver of any subsequent breach of the same or any other provision. A waiver of any term, provision or condition of these Terms and Conditions shall be effective only if given in writing and signed by the waiving Party and then only in the instance and for the purpose for which the waiver is given.No failure or delay on the part of any Party in exercising any right, power or privilege under these Terms and Conditions shall operate as a waiver of, nor shall any single or partial exercise of any such right, power or privilege preclude, any other or further exercise of any other right, power or privilege.
  13. Severance
    The Parties agree that, in the event that one or more of the provisions of these Terms and Conditions are found to be unlawful, invalid or otherwise unenforceable, that (those) provision(s) shall be deemed severed from the remainder of these Terms and Conditions. The remainder of these Terms and Conditions shall be valid and enforceable.
  14. Copyright
    The Service Provider reserves all copyright and any other rights (if any) which may subsist in the products of, or in connection with, the provision of the Services or facilities. The Service Provider reserves the right to take such action as may be appropriate to restrain or prevent infringement of such copyright.
  15. GDPR
    Activeplan Consulting is a GDPR compliant company, which only processes personal data as per the Processor Agreement (Appendix 1)
  16. Notices
    • 16.1 All notices under these Terms and Conditions shall be in writing and be deemed duly given if signed by, or on behalf of, a duly authorised officer of the Party giving the notice.
    • 16.2Notices shall be deemed to have been duly given:
      • 16.2.1when delivered, if delivered by courier or other messenger (including registered mail) during normal business hours of the recipient; or
      • 16.2.2when sent, if transmitted by fax or e-mail and a successful transmission report or return receipt is generated; or
      • 16.2.3on the fifth business day following mailing, if mailed by national ordinary mail, postage prepaid;

      in each case addressed to the most recent address, e-mail address, or facsimile number notified to the other Party.

    • 16.3Service of any document for the purposes of any legal proceedings concerning or arising out of these Terms and Conditions shall be affected by either Party by causing such document to be delivered to the other Party at its registered or principal office, or to such other address as may be notified to one Party by the other Party in writing from time to time.
  17. Law and Jurisdiction
    • 17.1These Terms and Conditions (including any non-contractual matters and obligations arising therefrom or associated therewith) shall be governed by, and construed in accordance with, the laws of England and Wales.

Any dispute, controversy, proceedings or claim between the Parties relating to these Terms and Conditions (including any non-contractual matters and obligations arising therefrom or associated therewith) shall fall within the jurisdiction of the courts of England and Wales.

Appendix 1



(1) Whereby Activeplan Consulting Ltd is data Processor

(2) Whereby Activeplan client is data Controller

    The following definitions and rules of interpretation apply in this Protocol.

    • 1.1 Definitions:Data Protection Legislation:  all applicable data protection laws including GDPR and any applicable national implementing laws, regulations and secondary legislation relating to the processing of Personal Data and the Privacy and Electronic Communications Directive (2002/58/EC) and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2003/2426).Data Subject:  an individual who is the subject of Personal Data.GDPR: General Data Protection Regulation ((EU) 2016/679).Personal Data:  means any information relating to an identified or identifiable natural person that is processed by the Processor as a result of, or in connection with, the provision of the services under the Services Protocol; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.Personal Data Breach:  a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.Processing: means any operation or set of operations which is performed on personal data or on sets of personal data, whether by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
    • 1.2 Where Schedules form part of this Protocol and will have effect as if set out in full in the body of this Protocol. Any reference to this Protocol includes the Schedules.
    • 1.3 A reference to writing or written includes email.
    • 2.1The Controller and the Processor acknowledge that the Controller is the controller and the Processor is the processor and that the Controller retains control of the Personal Data and remains responsible for its compliance obligations under Data Protection Legislation.
    • 2.2Where the Processor appoints a subcontractor pursuant to clause 4 below, the Processor shall be a data controller in relation to such processing.
    • 2.3The Processor may process the Personal Data categories and Data Subject types as agreed with Controller.
    • 3.1The Processor shall:
      • 3.1.1implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of Data Protection Legislation and ensure the protection of the rights of the Data Subject, as further set out below in this Protocol
      • 3.1.2only use subcontractors to help with the processing of Personal Data in the circumstances set out in clause 4 below
      • 3.1.3process the Personal Data only on documented instructions from the Controller, unless required to do so by Union or Member State law to which the Processor is subject; in such a case, the Processor shall inform the Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest
      • 3.1.4ensure that persons authorised to process the personal data (such as its employees) have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality
      • 3.1.5take the security measures set out in clause 5 below
      • 3.1.6considering the nature of the processing, assist the Controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller’s obligation to respond to requests for exercising the Data Subject’s rights as set out in clause 6 below
      • 3.1.7assist the Controller in ensuring compliance with the obligations set out in clause 7 below (data breach) taking into account the nature of processing and the information available to the Processor
      • 3.1.8at the choice of the Controller, delete or return all the Personal Data to the Controller after the termination or expiry of the Services Protocol and delete existing copies (unless Union or Member State law requires storage of the Personal Data)
      • 3.1.9make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of GDPR and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller
      • 3.1.10assist the Controller in ensuring compliance with the requirement to carry out Data Protection Impact Assessments as set out in Article 35 of GDPR, taking into account the nature of processing and the information available to the Processor
      • 3.1.11immediately inform the Controller, if in the opinion of the Processor, an instruction from the Controller infringes Data Protection Legislation.
    • 3.2The Processor will promptly comply with any request by or instruction from the Controller to process the Personal Data, or to stop, mitigate or remedy any unauthorised processing.
    • 3.3The Processor will keep all Personal Data confidential and not disclose such data to third parties unless specifically authorised in writing by the Controller or as required by law. If the Processor is required by law, court, regulator or supervisory authority to process or disclose any Personal Data, the Processor will first inform the Controller of this and allow the Controller to object or challenge the requirement, unless the law prohibits the Processor from informing the Controller.
    • 4.1The Processor may only authorise a third party (“subcontractor”) to process the Personal Data if:
      • 4.1.1the Processor has obtained the prior written consent from the Controller for each appointment of a subcontractor (or the subcontractor’s name is set out in Schedule A)
      • 4.1.2the Processor has carried out appropriate due diligence on any subcontractor to ensure that the subcontractor can satisfy its contractual obligations
      • 4.1.3the Processor and the subcontractor enter into a written contract containing terms the same as those set out in this Protocol, in particular, in relation to data security measures
      • 4.1.4the Processor maintains control over all Personal Data it shares with the subcontractor
      • 4.1.5the Processor ensures that the subcontractor does not process the Personal Data except on instructions from the Data Controller (unless required to do so by Union or Member State law)
      • 4.1.6the contract between the Processor and the subcontractor terminates automatically on termination of the Processors work for the Controller
    • 4.2The Processor shall be fully liable for the actions and inactions of the subcontractor and shall be responsible for the subcontractor’s performance of obligations.
    • 5.1The Processor shall, considering the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including as appropriate:
      • 5.1.1the pseudonymisation and encryption of Personal Data
      • 5.1.2the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services
      • 5.1.3the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
      • 5.1.4a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing
    • 5.2In assessing the appropriate level of security, the Processor shall take account of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.
    • 6.1The Processor will put in place such technical and organisational measures as may be appropriate to enable the Controller to comply with the rights of Data Subjects under Data Protection Legislation, including the right of access, the right to rectification, the right to erasure, the right to restriction of processing, the right to data portability, the right to object to processing and the right to object to automated individual decision making.
    • 6.2If the Processor receives any complaint or other communication relating to the processing of the Personal Data or a Subject Access Request from a Data Subject, it must notify the Controller as soon as possible after it receives it and in any event within 3 working days and will provide the Controller with all reasonable assistance in helping the Controller to reply to such communications.
    • 6.3The Processor will provide to the Controller such information as the Controller may reasonably require in order for the Controller to comply with the rights of Data Subjects under Data Protection Legislation. The Processor may not charge an additional amount for fulfilling its obligations under this clause 6.
    • 6.4The Processor will provide all appropriate assistance to the Controller to enable it to comply with any information or assessment notices served on the Controller by any supervisory authority under the Data Protection Legislation.
    • 6.5The Processor shall not disclose Personal Data to any third party other than at the Controller’s written request or as set out in this Protocol or as required by law.
    • 7.1If any Personal Data is lost or destroyed or becomes damaged, corrupted, or unusable (“Personal Data Loss”), the Processor will notify the Controller without undue delay (and in any event within 24 hours) after learning of such Personal Data Loss and the Processor shall to the extent possible restore any such data at its own expense.
    • 7.2If the Processor becomes aware of any unauthorised or unlawful processing of the Personal Data or any Personal Data Breach, it will notify the Controller without undue delay (and in any event within 24 hours) including all relevant information such as:
      • (a)a description of the nature of the Personal Data Breach, the unauthorised or unlawful processing and/or the Personal Data Loss, including the categories and approximate number of both Data Subjects and Personal Data records concerned
      • (b)the likely consequences
      • (c)description of the measures taken, or proposed to be taken, including measures to mitigate the impact
    • 7.3The parties will co-ordinate and co-operate with each other to investigate any matters arising as contemplated by this clause.
    • 7.4The Processor shall take all reasonable steps to mitigate the effects and reduce the impact of any Personal Data Breach or unlawful Personal Data processing.
    • 7.5The Processor agrees that it shall not (and the Controller is solely responsible to):
      • (a)provide notice of the Personal Data Breach to any Data Subjects, supervisory authorities, regulators, law enforcement agencies or any other third party, except when the Processor (as opposed to the Controller) is required by law or regulation to provide such notice
      • (b)offer any type of remedy to affected Data Subjects
    • 7.6The Processor will cover all reasonable expenses associated with the performance of its obligations under this clause 7.
    • 8.1The Processor (or any subcontractor of the Processor) shall not transfer or otherwise process Personal Data outside the European Economic Area (EEA) without obtaining the Controller’s prior written consent (except where the Processor is required to transfer such data by Union or Member State law, in which case the Processor shall inform the Controller of such legal requirement before processing takes place, unless any law prohibits such disclosure on important grounds of public interest).
    • 8.2If the Controller consents to the transfer or other processing of the Personal Data outside of the EEA and no appropriate safeguards exist (such as an adequacy decision or the Processor being part of the EU-US Privacy Shield), the Processor and the Controller will each execute the European Commission’s Standard Contractual Clauses for the transfer of Personal Data from the European Union to processors established in third countries (controller-to-processor transfers), as set out in the Schedule to Commission Decision 2010/87/EU (“SCCs”).
    • 9.1This Protocol will continue for so long as the Processor processes any Personal Data related to supplied Services.
    • 9.2If the Processor breaches this Protocol, such breach shall constitute a material breach of any Services agreement and the Controller may terminate the Services agreement immediately on written notice to the Processor without further liability or obligation for the Controller.
    • 10.1The Processor will, on the request of the Controller, provide the Controller with a copy of or access to the Personal Data in its possession or control in the format and on the media reasonably specified by the Controller.
    • 10.2On termination or expiry of any Services agreement, the Processor will at least 7 days prior to the date of expiry or termination ask the Controller whether the Controller wants the Personal Data to be deleted, destroyed, returned or retained and shall follow the Controller’s instructions accordingly.
    • 10.3If the Processor is required by any law, regulation, or government or regulatory body to retain any documents or materials, the Processor will inform the Controller in writing of such requirement, providing details of the legal basis for retention and setting out the timings for deletion when such retention period ends.
    • 10.4If the Controller requires the Processor to delete or destroy certain documents or materials or anything else containing Personal Data, the Processor shall certify in writing that it has so deleted or destroyed the Personal Data within 3 days of doing so.
    The Processor will keep detailed, accurate and up-to-date written records regarding any processing of Personal Data it carries out for the Controller and shall send the Records to the Controller as reasonably requested.

    • 11.2The Processor will ensure that the Records are sufficiently detailed to enable the Controller to confirm the Processor’s compliance with its obligations under this Protocol and Data Protection Legislation.
    • 11.3The Controller and the Processor shall review the information listed in the Schedules to this Protocol at least once a year to confirm their current accuracy and update them when required to reflect current practices.
  12. AUDIT
    • 12.1The Controller (and any third-party representatives) may audit the Processor’s compliance with its obligations under this Protocol and the Processor will give the Controller (and its third-party representatives) all necessary assistance and co-operation to conduct such audits.
    • 12.2If a Personal Data Breach occurs, or the Processor becomes aware of a breach of any of its obligations under this Protocol or any Data Protection Legislation, or if the Controller so requires it, the Processor will:
      • (a)conduct its own investigation to confirm the cause of such Personal Data Breach or breach of obligations
      • (b)provide to the Controller a written report on the investigation including any proposals to remedy any problems identified by the investigation
      • (c)remedy the problems identified within 7 days of the date of the written report.
    • 12.3On the Controller’s written request, the Processor will audit a subcontractor’s compliance with its obligations regarding the Controller’s Personal Data and provide the Controller with the audit results.
    • 12.4The Processor will carry out an annual security audit (or at such other periods required by the Controller) identifying any areas of deficiency (when taking into account the scope and nature of the processing of Personal Data and the best practice technologies available at such time) and will provide the written report to the Controller.
    The Processor warrants and represents that:

    • (a)its employees, subcontractors, agents and any other person or persons processing Personal Data on its behalf are reliable and trustworthy and have received the required training on the Data Protection Legislation
    • (b)it and anyone operating on its behalf will process the Personal Data in compliance with the Data Protection Legislation
    • (c)it has no reason to believe that the Data Protection Legislation prevents it from providing any of the Services agreed
  14. NOTICE
    • 14.1Any notice or other communication given to a party under or in connection with this Protocol must be in writing and delivered to:
      For the Processor: Andrew Sutton at email andrew.sutton@activeplan.co.uk
    • 14.2Clause 15.1 does not apply to the service of any proceedings or other documents in any legal action or, where applicable, any arbitration or other method of dispute resolution.
    • 15.1This Protocol, and any dispute or claim arising out of or in connection with it or its subject matter or formation (including non-contractual disputes or claims), shall be governed by, and construed in accordance with the law of England and Wales.
    • 15.2Each party irrevocably agrees that the courts of England and Wales shall have non-exclusive jurisdiction to settle any dispute or claim arising out of or in connection with this Protocol or its subject matter or formation (including non-contractual disputes or claims).