Standard Terms of Business for Charles Taylor Adjusting Limited

1.    The Engagement

1.1.    The Engagement Terms – In these terms of business: 

1.1.1.    “the Client” means the person or party specified in the acceptance of instruction correspondence issued by CTA in relation to its engagement by the Client or with whom CTA has otherwise contracted to provide its services (“the Engagement”) in respect of the relevant matter, incident, loss or accident (the “Matter”).

1.1.2.     “CTA” means Charles Taylor Adjusting Limited and any of its trading divisions or affiliates instructed by, or on behalf of, the Client, including any CTA personnel (as defined in clause 6.5) involved in the Engagement. 

Unless otherwise agreed, these terms of business supersede any other agreement or arrangement (whether written or oral) previously agreed between CTA and the Client in relation to the Matter.  In the case of a conflict between these terms of business and any other terms agreed with the Client, these terms of business will prevail.

1.2.    The CTA Team – CTA will make reasonable efforts to ensure that those of its personnel notified to the Client are available to work for the Client on the Engagement.  CTA will endeavour to give the Client reasonable notice of any necessary change in such personnel and provide details of their proposed replacements.

1.3.    Timetable – CTA will make reasonable efforts to adhere to any timetable agreed in writing with the Client.  For the avoidance of doubt, time is not of the essence to CTA's performance of the Engagement, unless CTA has expressly agreed otherwise in writing.

1.4.    Reporting – CTA will report to the Client with appropriate information on the progress of the Engagement as regularly as may be appropriate for the Engagement or as otherwise agreed with the Client.  CTA will send its reports to the Client at the address notified to CTA by the Client from time to time or, where clause 1.5 applies, to the relevant broker or other third party.

1.5.    Instructions via third parties – Unless otherwise instructed by the Client, where CTA is instructed by a broker or other third party on behalf of the Client, CTA shall be entitled to accept and rely on instructions from such broker or third party as if those instructions were given by the Client and the Client hereby expressly authorises CTA to liaise and share information (including any of its reports relating to the Matter) with any such broker or third party. For the avoidance of doubt, where CTA provides a report to a broker or third party pursuant to this clause, it shall be deemed to have provided such report to the Client.

1.6.    CTA Sub-Contractors – The Client agrees that CTA may engage or use contractors, sub-contractors or other persons to provide the services for which it has been engaged by the Client.

1.7.    Third Party Experts – Where the Client appoints third party experts in connection with the Engagement (a “Third Party Expert”), or requests CTA to appoint such a Third Party Expert on its behalf, the Client hereby expressly authorises CTA to instruct, liaise and share information with any such Third Party Expert to the extent CTA considers it reasonably necessary in connection with the Engagement. 


2.    The Client’s Responsibilities

2.1.    Support – If CTA is required to work at the Client’s or any third party premises, the Client will obtain all consents and / or approvals required for CTA personnel to access such premises and shall ensure that CTA’s personnel are provided with such facilities and equipment as are reasonably necessary to enable them to perform the Engagement efficiently and in safety. 

2.2.    Information – The Client will give CTA all information, instructions and assistance reasonably necessary to enable CTA to perform the Engagement and the Client will ensure that its appropriate personnel are available to CTA for such purposes.  The Client hereby acknowledges that CTA will rely on such information, instructions and assistance when performing the Engagement.

2.3.    Payment – The Client will pay CTA’s fees, disbursements, expenses and applicable local taxes including value added tax (VAT) where appropriate (hereinafter "applicable taxes") in respect of the Engagement in accordance with clause 3 below or as otherwise agreed with the Client.


3.    Fees and Payment

3.1.    Method of Calculation – Unless otherwise agreed in writing, CTA’s fees will be charged to the Client on a time basis at the applicable hourly rates plus applicable taxes for all CTA personnel working on the Engagement.  Such fees may include, without limitation, time spent by such CTA personnel in connection with the Engagement on travelling, attending meetings and interviews, research, investigation and forensics, working on and preparing reports and associated papers, correspondence and telephone calls. 

3.2.    Disbursements – CTA’s fees will exclude any fees payable by the Client for any Third Party Experts which the Client agrees will, unless otherwise agreed, be payable directly by the Client to the relevant Third Party Expert.  Upon receipt of an invoice, the Client agrees to pay all disbursements and expenses incurred by CTA in connection with the Engagement including charges for travel, subsistence, accommodation and out of office or on site expenses such as telephone calls and photocopying on an at cost plus applicable taxes basis.

3.3.    Estimates – Any estimate of fees or of the time likely to be involved in performing the Engagement will be given by CTA in good faith to the Client for planning or other purposes only and the estimate will not be contractually binding on either party.

3.4.    Payments on Account – CTA reserves the right to require the Client to pay CTA funds in advance on account of its fees and to enable CTA to pay the disbursements and expenses described in clause 3.2 above (payable either in advance on account or periodically as they become due for payment).  CTA may apply such funds paid in advance generally to pay its fees, disbursements and expenses for the Engagement upon delivery of its invoice or other written notification of its fees, disbursements and expenses to the Client. Further, CTA may apply any such funds to the settlement of any fees due to CTA in respect of the Engagement which remain outstanding beyond the due date for payment of such fees.

3.5.    Taxes including VAT – Insofar as any fees, disbursements and expenses are liable to any applicable taxes which CTA may be liable under applicable local law to pay or collect in respect of the Engagement, the Client agrees to pay all such taxes and reimburse CTA accordingly upon receipt of CTA's invoice in respect of such taxes.

3.6.    Fee Changes – CTA may vary its hourly rates as applicable from time to time including, without limitation, in the event of promotion of CTA personnel or as a result of any periodic review of such rates by CTA.

3.7.    Billing – Unless otherwise agreed, CTA normally renders interim invoices on a quarterly basis and a final invoice on completion of the Engagement.  Each invoice will attach details of the work undertaken and copies of any other invoices for significant disbursements and expenses described in clause 3.2 above.  Notwithstanding the foregoing, CTA reserves the right to issue interim invoices on a more frequent or some other basis for work performed to date. Unless otherwise agreed, all CTA's invoices will be addressed to the Client.

3.8.    Payment – All CTA's invoices (whether interim or final) are due for payment in full on receipt by the Client as stipulated on the invoice and the Client is liable for their payment to CTA.  If payment in full is not received by CTA within 30 (thirty) days of the Client’s receipt of an invoice, CTA will have the right, in addition to any statutory rights available to it (including the right to charge statutory interest at 8% above the current base rate of the Bank of England in terms of the Late Payment of Commercial Debts (Interest) Act 1998 as amended by the Late Payment of Commercial Debts Regulations 2013), to suspend the provision of its services and / or to terminate its Engagement in accordance with clause 4.3.1 below and / or to exercise a lien in accordance with clause 4.4.2 below, regardless of whether the Engagement has been terminated or not.

If arrangements are made for a third party to pay any of CTA’s fees or disbursements, the Client shall remain primarily responsible for the payment of any remaining fees or disbursements and any charges that CTA may incur to the extent that the third party does not pay CTA’s invoice in full, or CTA is unable to accept payment from it. 

3.9.    Client Funds – Where CTA receives funds from or for the Client, it shall hold such funds as agent of the Client. CTA will retain any interest earned on such funds held on the Client’s behalf, unless otherwise agreed with the Client.


4.    Termination

4.1.    Duration – The Engagement will terminate when all amounts invoiced to the Client in connection with CTA's Engagement have been received by CTA, unless the Engagement is terminated earlier in accordance with clause 4.2 or 4.3 below.

4.2.    The Client’s Right to Terminate – The Client may terminate the Engagement at any time by giving not less than 30 (thirty) days’ notice in writing to CTA.

4.3.    CTA’s Right to Terminate – CTA may terminate the Engagement immediately by giving written notice to the Client if:– 

4.3.1.    the Client fails to pay any of CTA’s invoices when due or fails to advance to CTA any funds requested by CTA in accordance with clause 3.4 above;

4.3.2.    the Client is unable to pay its debts or has a receiver, administrator or liquidator appointed;

4.3.3.    any conflict of interest arises in accordance with clause 5 below;

4.3.4.    CTA is prohibited from performing the Engagement due to applicable laws and regulations, including sanctions; or

4.3.5.    the Client is in breach of any of these terms of business and having received written notice from CTA to such effect requiring the Client to remedy such breach within the time reasonably specified in such notice, the Client has failed to remedy such breach in such time.

4.4.    Costs and Lien – On termination of the Engagement for any reason:

4.4.1.    the Client shall pay to CTA forthwith all fees, disbursements and expenses due to CTA up to and including the day of termination incurred in connection with the Engagement upon delivery of CTA's invoice to the Client; and

4.4.2.    until CTA has received payment in full for such invoice, CTA shall have a lien over and be entitled to retain all the Client's money, records, documents, deeds, storage media, books, papers and any other information in hard copy or stored electronically in CTA's possession relating to the Matter and the Engagement or otherwise in CTA's control.


5.    Conflicts of Interest

5.1.    Possible Termination – In circumstances where there is or may be a conflict of interest between CTA and another party involved in the Matter, CTA may be precluded from acting or may have to cease acting for the Client unless all parties involved in the Matter agree in writing that CTA shall continue acting in connection with the Matter.  CTA will make every reasonable effort to identify any such conflict and advise the Client accordingly prior to accepting an Engagement or if identified subsequently, then immediately. In the event that CTA subsequently discovers a conflict and is obliged to withdraw from acting for the Client, CTA shall be entitled to invoice the Client and be paid in full by the Client for any fees, disbursements, expenses and applicable taxes incurred in the Engagement prior to such withdrawal.  In the event that such conflict arises in respect of a Client (re)insured and a Client (re)insurer CTA will offer to continue acting for the Client (re)insurer who will become solely responsible for payment of such prior fees, disbursements, expenses and applicable taxes.

5.2.    Acting for Other Clients – CTA will not be prevented or restricted by anything contained in these terms of business from acting for other clients in connection with the Matter, unless otherwise agreed in writing with the Client. 


6.    Limitation of Liability

6.1.    Skill and Care – CTA will exercise reasonable care and skill in the performance of the Engagement.  All other such warranties and representations, whether express or implied by law, are excluded to the extent permitted by law.

6.2.    Limit of Liability – CTA's liability to the Client in respect of any claim for breach of contract, negligence, breach of trust or statutory duty or any other claim made against CTA or its personnel in connection with the Engagement is limited as follows: 

6.2.1.    in respect of any claim for personal injury or death caused by CTA’s negligence, no limit shall apply;

6.2.2.    in respect of any claim which results from any fraudulent act (including theft or conversion) by CTA, no limit shall apply;

6.2.3.    in respect of any other claim, CTA’s total liability in respect of all liability arising in connection with the Engagement shall be limited in the aggregate to the lesser of £1,000,000 (One Million Pounds) or 10 (ten) times the value of CTA's fees excluding disbursements, expenses and applicable taxes incurred in respect of the Engagement, and

6.2.4.    in any claim made against CTA where parties other than CTA also share liability for such claim, CTA's liability for such claim shall be limited to that proportion of any loss or damage so claimed for which it would be just and equitable for CTA to contribute having regard to the extent of CTA’s factual responsibility for such loss or damage, on the basis that those parties shall be deemed to have provided an undertaking in terms no less onerous than this clause.

6.3.    Excluded Liability:  Subject to the application of clauses 6.2.1 and 6.2.2 above CTA shall have no liability for:-

6.3.1.    any indirect or consequential loss or damage including, without limitation, loss of profits, loss of revenue, loss of opportunity and loss of contracts;

6.3.2.    any claim for breach of contract, negligence, breach of trust or statutory duty or other claim in respect of any delay or failure by CTA to perform any of its obligations under these terms of business or the Engagement where such failure results directly or indirectly from any negligent or wilful act of the Client or a third party;

6.3.3.    any loss or damage arising from CTA's reliance on any information, instruction or assistance given by the Client or resulting from the Client’s failure to give any relevant information, instructions or assistance in connection with the Engagement;

6.3.4.    any and all claims the Client may have against CTA in respect of which proceedings are not brought within 12 (twelve) months of the date when the Client's cause of action arose.

6.4.    Liability for Third Party Experts – CTA will have no liability to the Client or any third party either for the instructing or performance of, or any opinions, statements, acts or omissions of, any Third Party Expert, nor in respect of its own opinions, statements, acts or omissions insofar as these depend upon, are based upon, are derived from or are a consequence of opinions, statements, acts or omissions of any such Third Party Expert. Further, CTA makes no representation or recommendation to the Client as to any Third Party Expert’s experience, suitability or competence.

6.5.    Liability of CTA Personnel – The Client acknowledges that CTA has an interest in limiting the liability of all its personnel involved in the Engagement. Accordingly, the Client agrees not to bring any claim of any kind in connection with the Engagement against any individual employee of CTA, any person seconded to CTA or any agent, correspondent, subcontractor or self-employed consultant engaged by CTA (together "personnel").

6.6.    Force Majeure – Neither CTA nor the Client will be liable to the other for their failure to fulfil their respective obligations under these terms of business or the Engagement caused by circumstances outside their reasonable control.

6.7.    Reasonableness – The Client agrees that the foregoing limitations and exclusions of CTA's potential liability are reasonable based on:-

6.7.1.    the amount of any likely liability to the Client if a breach by CTA occurs

6.7.2.    the current and future availability and cost to CTA of professional indemnity insurance

6.7.3.    the amount of fees payable to CTA, and

6.7.4.    the level of risk assumed by CTA in connection with its obligations

in connection with the Engagement.  Should any limitation or provision contained in this clause 6 be held to be invalid under any applicable statute or rule of law, it shall only to that extent be deemed omitted from the terms of business and all other limitations and provisions of such terms shall remain in force.

6.8.    Claims – If a claim is made against the Client as a result of, or in connection with, a liability incurred to, or a dispute with, any third party, CTA will give the Client all reasonable facilities and co-operation to investigate such claim and will provide the Client with such information and assistance as the Client may reasonably require in connection with such claim, liability or dispute.

6.9.    Indemnity – Unless the subject matter of the indemnity provided for by this clause 6.9 has been caused by CTA’s breach of these terms of business, the Client undertakes to indemnify CTA and keep it indemnified fully at all times against all liability that may arise from time to time, and against all claims, demands, actions, proceedings, damages, losses, costs and expenses which are made, brought or claimed against or incurred by CTA in connection with the Engagement.


7.    Miscellaneous

7.1.    Compliance with Applicable Laws – Both parties will comply with all legal and regulatory requirements applicable to them and/or their activities in the jurisdictions in which they operate, including without limitation, any laws or regulations relating to data protection, data privacy, financial crime, bribery and corruption, sanctions and anti-trust. Further, both parties shall maintain adequate policies and procedures to prevent breaches of any such applicable laws or regulations by their employees, representatives and agents. The Client warrants to CTA that it has obtained and will maintain throughout the Engagement, all requisite legal, regulatory or other authorisations and approvals to operate in the relevant territory (including via CTA) and to appoint CTA to perform the services pursuant to the Engagement and that such appointment is compliant with all Applicable Laws.

7.2.    The Client acknowledges that CTA is an ultimate subsidiary of a US parent company. Consequently, CTA is subject to US (OFAC), UK (HMT), EU and UN sanctions lists.  

CTA has a responsibility to ensure that the Client meets its corporate standards in respect of international sanctions.

The Client represents and warrants that:

  • in appointing CTA to perform the services pursuant to the Engagement, it will not do anything which does or may place CTA in breach of any sanctions that are or may be applicable to CTA. 
  • it is not on the U.S. Government’s List of Specially Designated Nationals and Blocked Persons (“SDN List”) or owned 50% or more in the aggregate or individually by persons or entities on the SDN List.

The Client shall ensure that it has appropriate systems, procedures, controls and training in place to allow it to comply with sanctions provisions and restrictions applicable to CTA and that its employees, agents and contractors receive adequate training on this.

CTA reserves the right to screen new and existing insureds, beneficiaries or payees against sanction-related lists promulgated from time to time by the US, the UK, the EU and the UN as may be required by CTA’s sanctions program from time to time.  The Client acknowledges that CTA shall have no obligation to accept any appointment that would expose CTA to any sanction, prohibition or restriction, and shall have the right to block, freeze or reject any instruction in order for CTA to meet its legal and/or internal compliance requirements. In the event that the Client’s appointment is blocked, frozen or rejected, CTA shall promptly inform the Client of the circumstances that led to the block, freeze or rejection.

7.3.    Third Parties – The terms of business set out the rights and obligations of the Client and CTA only. For the purpose of the Contracts (Rights of Third Parties) Act 1999, nothing in the terms of engagement other than clause 6.5 above shall confer or purport to confer any benefit or right to enforce any of the terms of business on a third party.

7.4.    Confidentiality – CTA will keep confidential all information obtained from the Client, except insofar as CTA is required by law, regulation, a court of competent jurisdiction or any regulatory or governmental authority to disclose such information.  This clause does not apply to documents or information which CTA obtains or develops independently of the Engagement or other work done for the Client, which it receives from a third party which as far as it is aware is not under a duty of confidentiality to the Client or which are already in the public domain.

7.5.    Waiver and Amendment – No waiver of or amendment to any of these terms of business will be effective unless it is made or confirmed in writing and signed by both CTA and the Client.

7.6.    Soliciting Personnel – Without CTA’s approval, the Client shall not, during the Engagement or within six months after its termination or expiry, offer employment to or otherwise solicit any CTA personnel involved in the Matter.

7.7.    Record Retention – Unless the Client instructs otherwise in writing beforehand, CTA will be at liberty to destroy all records, files and papers including electronic records, to the extent technically and legally permissible, but excluding title deeds relating to the Matter and/or the Engagement, following expiry of 6 (six) years from the end of the Engagement.

7.8.    E-mail and the Internet – CTA and the Client recognise that e-mail transmissions and the Internet cannot be guaranteed as a 100% secure or error-free communications medium, as information may be intercepted, corrupted, lost, destroyed, arrive late, be incomplete, or contain viruses or other malware.  CTA monitors the contents of e-mails sent and received via its network for viruses or other malware and unauthorised use of email is controlled through access and delegation controls.  E-mail messages sent to or from CTA’s systems are not confidential to any named individual at CTA and CTA reserves the right to read them without prior notice.  CTA recommends that recipients should also check e-mail messages for viruses or other malware in accordance with good IT practice.

7.9.    Data Protection – The handling of personal data by CTA and the Client shall be in accordance with Schedule 1.

7.10.    Software – All software programs used by CTA, or made available to the Client by CTA, in the course of the Engagement (including any modifications, enhancements or upgrades thereto) shall remain at all times the property of CTA. To the extent that the Client provides CTA with access to any of its software programs in the course of the Engagement, these shall remain at all times the property of the Client.

7.11.    Complaints Procedure – If the Client has any complaint to make about CTA’s performance of the Engagement, the Client should first raise it with its primary CTA contact and, if the complaint is still not resolved to the Client’s satisfaction, with CTA’s Chief Executive Officer at Charles Taylor Adjusting Limited, 2 Minster Court, Mincing Lane, London EC3R 7BB, United Kingdom (e-mail: complaints@charlestaylor.com) who will investigate the complaint and seek to resolve it with the Client.

7.12.    Governing Law and Jurisdiction – These terms of business (and any non-contractual obligations arising out of or in connection with them) will be governed by and interpreted in accordance with the laws of England and Wales and the parties to such terms agree that any unresolved dispute or difference arising in connection with these terms of business (and any non-contractual obligations arising out of or in connection with them) will be subject to the exclusive jurisdiction of the Courts of England and Wales.


© Charles Taylor Adjusting Limited 2023
Registered Office: 2 Minster Court, Mincing Lane, London EC3R 7BB
United Kingdom

Telephone +44 20 7623 1819
Facsimile +44 20 7623 1817
www.charlestaylor.com/adjusting

Registered in England under # 01994696. VAT Registration # GB577566485 
 

Schedule 1

Processing of Personal Data


1.    Definitions and interpretation

1.1    In this Schedule 1, “controller”, “data subject”, “personal data”, “personal data breach”, “process”, “processes” and “processing”, “privacy notice” and “special category personal data” shall have the meaning set out in the Data Protection Legislation.

1.2    “Data Protection Legislation” means:

1.2.1    any law, statute, declaration, decree, directive, legislative enactment, order, ordinance, regulation, rule or other binding restriction (as amended, consolidated or re-enacted from time to time) which relates to the protection of individuals with regards to the Processing of Personal Data to which a Party is subject, including the Privacy and Electronic Communications Regulations 2003 (as amended by SI 2011 no. 6), the Data Protection Act 2018 and the EU GDPR as each is amended in accordance with the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (as amended by SI 2020 no. 1586) and incorporated into UK law under the European Union (Withdrawal) Act 2018 (each, as amended, shall be referred to as “PECR”, the “DPA 2018” and the “UK GDPR” accordingly);

1.2.2    applicable data protection and privacy laws, legislations and regulations relating to the processing of personal data and privacy in force applying to CTA and the Client or as amended, re-enacted, replaced or superseded from time to time in the jurisdictions in which they operate or as otherwise applicable; and 

1.2.3    any mandatory code of practice or mandatory guidance published by a relevant Data Supervisory Authority from time to time.

1.3    “Data Subject” means the individual to whom the Personal Data relates.

1.4    “Data Supervisory Authority” means a “supervisory authority” as defined under the UK General Data Protection Regulation (“UK GDPR”), and/or outside the UK the relevant regulator or authority with regard to matters pertaining to data protection or as defined in the Data Protection Legislation.

1.5    “Notifiable” means where, in the opinion of CTA acting reasonably, a Security Breach is sufficiently serious to merit notification to either the Data Subject(s) or the relevant Data Supervisory Authority.

1.6    “Personal Data” means any information relating to an identified or identifiable Data Subject which is Processed under or in connection with this Agreement. A Data Subject is an individual who can be identified, directly or indirectly (including in combination with other information), including whether the information or opinion is true or not, and whether the information or opinion is recorded in a material form or not.

1.7    “Process” or “Processing” means any operation or set of operations that is performed upon Personal Data, whether or not by automatic means, such as access, collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, return or destruction.

1.8    “UK Restricted Transfer” means a transfer of Personal Data and/or special category personal data (by either party acting as a data exporter) to a recipient in a Third Country (acting as a data importer).

1.9    “Sub-processor” means any third party appointed by or on behalf of CTA to Process Personal Data on behalf of the Client in connection with the agreement (where CTA acts as a Processor).

1.10    “Third Country” means any country in the world, except for:

(i)    the United Kingdom;
(ii)    a country within the EEA; or
(iii)    an Adequate Country

1.11    “UK Controller-Controller SCCs” means those UK specific standard contractual clauses for the international transfer of Personal Data from a Controller to another Controller in the form of the EU Controller-Controller SCCs amended by the addendum published by the Information Commissioner.


2.    Role of the Parties 

The parties acknowledge that in most circumstances, to the extent a party processes Personal Data, each party shall be a controller in relation to such processing. In respect of such processing, each party shall comply with its obligations as a controller under the Data Protection Legislation.


3.    Data Protection Obligations

Without prejudice to the generality of clause 2, the party disclosing the Personal Data (the “Disclosing Party”) shall ensure that:

3.1    Personal Data has been collected and disclosed to the party receiving the Personal Data (the “Receiving Party”) in accordance with the Data Protection Legislation;

3.2    the Personal Data is accurate and up to date; 

3.3    it has provided data subjects with a privacy notice on its own behalf and on behalf of the Receiving Party that allows the Receiving Party to process the Personal Data for the purpose of performing their obligations under this Agreement (the “Purpose”) including a point of contact for all data protection enquiries; and

3.4    to the extent that consent of the data subjects is required:

3.4.1    it has obtained the consent of the data subjects to:

(i)    its transfer of the Personal Data to the Receiving Party; and 

(ii)    the processing of the Personal Data in connection with the Purpose; and

3.4.2    it will as soon as practicable notify the Receiving Party in the event that a data subject withdraws or amends this consent.

3.5    No party shall process Personal Data for any purposes other than the Purpose. 

3.6    The Disclosing Party shall transfer Personal Data using appropriate technical and organisational security measures.

3.7    Without prejudice to the generality of clause 2, the Receiving Party shall: 

3.7.1    implement and maintain appropriate technical and organisational measures to preserve the confidentiality and integrity of the Personal Data and prevent any unlawful processing or disclosure or damage, taking into account the state of the art, the costs of implementation, the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of the data subjects (the "Security Measures");

3.7.2    ensure that employees who have access to personal data have undergone training in respect of the Data Protection Legislation and in the care and handling of personal data;

3.7.3    not disclose any Personal Data to any third party in any circumstances except as required or permitted by this Schedule;

3.7.4    notify the other party promptly, and in any event within 72 hours of becoming aware, of any personal data breach, where the breach has affected or may have affected the Personal Data. Each such notice must (to the extent then known) specify the nature and details of the breach or incident (or suspected breach or incident), the type of Personal Data potentially affected and the proposed actions to be taken in response. 

3.7.5    Unless prohibited by Applicable Law, the party in breach shall obtain the other party’s approval (not to be unreasonably withheld) prior to issuing any relevant notification statements to the relevant Data Supervisory Authority and affected individuals in accordance with the Data Protection Legislation. The contact point for each party in respect of breach notifications shall be:

For Customer, notifications shall be made to <insert details> with a copy to: <insert details>.

For CTA, notifications in respect of shall be for the attention of the Group Data Protection Officer and sent to DPO@charlestaylor.com;

3.7.6    notify the other party promptly, and in any event within 3 working days, if it receives any request or enquiry from a Regulator or data subject with regard to the Personal Data, and keep the Disclosing Party regularly updated as to how it handles such request or enquiry; 

3.7.7    take reasonable steps to ensure the reliability of any of its Employees, agents and sub-contractors who have access to the Personal Data; 

3.7.8    ensure that only those of its employees, agents and sub-contractors who need to have access to the Personal Data are granted such access to the Personal Data and only for the purposes of performing the Services under this Agreement. Each party shall ensure that access to Personal Data is promptly removed when employees, agents and sub-contractors leave or cease to be involved in the provision or receipt of the Services (as applicable); and

3.7.9    ensure that the employees, members, agents and sub-contractors who, in accordance with clause 3.7.8, have access to the Personal Data:

(i)    are informed of the confidential nature of the Personal Data and are subject to appropriate contractual obligations of confidentiality;

(ii)    undergo training in Data Protection Legislation and in the care and handling of personal data; and

(iii)    comply with the obligations set out in this Schedule 1.

 

4.    Restricted Transfers

4.1    If the performance of the obligations in this Agreement involves any Restricted Transfers between the Client and CTA, the parties shall enter into and comply with the UK Controller-Controller SCCs (together with the UK Addendum) as amended by paragraph 4.2. 

4.2    CTA shall procure that, where it enters into UK Controller-Controller SCCs with the Client, the clauses are amended as follows:

4.2.1    the governing law of the clauses shall be the law of England and Wales, disputes are subject to the jurisdiction of the English courts and the competent Supervisory Authority shall be the UK Information Commissioner's Office.

4.2.2    Clause 7 shall be held to apply; 

4.2.3    the Option within Clause 11 shall not be held to apply;

4.2.4    Annex I of this Data Protection Schedule shall serve as Annex I to the UK Controller-Controller SCCs; and

4.2.5    Annex II of this Data Protection Schedule shall serve as Annex II. 

4.3    Alternatively, the parties may agree to enter into the IDTA or to rely on such other mechanism as is approved by the Data Supervisory Authority from time to time (where required) to govern the transfer of the Personal Data. In such circumstances, the parties shall take such additional steps as required to ensure the transfer is subject to adequate safeguarding measures taking into account the level of risk to the data subjects in the data importer’s location and is compliant with the Data Protection Legislation.

4.4    CTA shall only make Restricted Transfers to any third party where it has taken all steps as reasonably required to ensure the compliance of the transfer with the Data Protection Legislation, including entering into appropriate “Standard Contractual Clauses” or other mechanism approved by the Data Supervisory Authority from time to time with the data importer and putting in place such adequate safeguarding measures taking into account the level of risk to the data subjects in the data importer’s location and is compliant with the Data Protection Legislation.

4.5    If any Personal Data in the possession or control of CTA is lost, corrupted or rendered unusable for any reason, CTA shall promptly notify Customer in writing and use commercially reasonable endeavours to restore such Personal Data including by using its back up procedures or Business Continuity Plan.


5.    Rights of audit

5.1    CTA shall submit and contribute to inspections and audits undertaken by the Client, any agent appointed by the Client and/or any Governmental or supervisory body in relation to its data processing activities. This includes providing access to any premises under CTA’s control and where processing under this Schedule is undertaken, subject to the appropriate security controls, on reasonable notice and during normal working hours. In the event of an emergency or crisis situation, CTA shall provide immediate access to such premises.


6.   Compliance 

6.1    CTA shall notify the Client upon it becoming aware that it is or is likely to become unable to comply with either its obligations under this Schedule or Data Protection Legislation, and/or the Client’s requirements or instructions regarding the processing of the Personal Data.

 

7.    Deletion or return of Personal Data

7.1    CTA shall retain a copy of the Personal Data in accordance with its document retention policy. 

7.2    The Personal Data retained by CTA post termination of this Agreement shall be retained on an archived basis and in accordance with the Security Measures.  

7.3    CTA undertakes to permanently delete any retained Personal Data upon the expiry of a term of 7 years commencing on the date of the last activity undertaken in relation to that Personal Data, unless any applicable legal obligation upon CTA means that further retention of a copy of certain Personal Data is necessary.

 

ANNEX I: DATA PROCESSING DETAILS

Type of relationship: Controller to controller
The Supplier will act as a controller in respect of the following services:
•    Fraud prevention activities
•    Fraud investigations
•    Loss adjusting services

Types of Data Subject whose Personal Data is Processed:
•    Customers
•    Policy Holders
•    Third Parties
•    Next of Kin/Relatives
•    Vendors

Types of Personal Data Processed:
•    Name
•    Address
•    Date of Birth
•    Gender
•    Email contact details
•    Telephone contact details
•    Details of family members

Special Category Personal Data Processed:
•    Financial information including financial position and bank account details. 
•    Special category personal data including, potentially, medical history, race, ethnicity, sexual orientation, religious beliefs, trade union membership, genetic and biometric data, political opinions, and any other physical or mental health details including injury details. 

The purpose, nature and subject matter of the Processing: The purpose, nature and subject matter of the Processing of Personal Data by the CTA, under this Agreement, are those Processing operations which are necessary to provide the Services which are referred to in Schedule 1 of the Agreement.

Duration of Processing: The Processing of the Personal Data referred to in this paragraph shall occur throughout the term of this Agreement. 

Obligations and rights of the Controller: The rights and obligations of the Controller are as set out in the Agreement including in this paragraph

Permitted Purpose: For the purpose of performing the Services

Permitted Recipients: As required for the performance of the Services [or as set out in the table below.]

 

Classes of Permitted Recipients

Type of recipient Location Description of processing
Third Party Experts    

 

 

ANNEX II

TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
 

1.    Access control to premises and facilities

Measures must be taken to prevent unauthorised physical access to premises and facilities holding personal data. Measures shall include:

  • Access control system
  • ID reader, magnetic card, chip card
  • (Issue of) keys
  • Door locking (electric door openers etc.)
  • Surveillance facilities
  • Alarm system, video/CCTV monitor
  • Logging of facility exits/entries
     

2.    Access control to systems

Measures must be taken to prevent unauthorised access to IT systems and to limit any access to authorised Data Processor Personnel only. These must include the following technical and organisational measures for user identification and authentication:

  • Password procedures (incl. special characters, minimum length, forced change of password)
  • No access for guest users or anonymous accounts
  • Central management of system access
  • Access to IT systems subject to approval from HR management and IT system administrators
  • The implementation of network, device application, database and platform security
     

3.    Access control to data

Measures must be taken to prevent authorised users from accessing data beyond their authorised access rights and prevent the unauthorised [input, reading, copying, removal] modification or disclosure of data.  These measures shall include:

  • Differentiated access rights
  • Access rights defined according to duties
  • Automated log of user access via IT systems
  • Software security measures
     

4.    Disclosure control

Measures must be taken to prevent the unauthorised access, alteration or removal of data during transfer, and to ensure that all transfers are secure and are logged. These measures shall include:

  • Compulsory use of a wholly-owned private network for all data transfers
  • Encryption using a VPN for remote access, transport and communication of data.
  • Prohibition of portable media
  • Creating an audit trail of all data transfers
     

5.    Input control

Measures must be put in place to ensure all data management and maintenance is logged, and an audit trail of whether data have been entered, changed or removed (deleted) and by whom must be maintained.
Measures should include:

  • Logging user activities on IT systems
     

6.    Job control

Measures should be put in place to ensure that data is processed strictly in compliance with the Data Controller's instructions. These measures must include:

  • Unambiguous wording of contractual instructions
  • Monitoring of contract performance
  • Employee screening 
  • Employee supervision
     

7.    Availability control

Measures should be put in place to ensure that data are protected against accidental destruction or loss.
These measures must include:

  • Uninterruptible power supply (UPS)
  • Business Continuity procedures
  • Remote storage
  • Anti-virus/firewall systems
     

8.    Segregation control

Measures should be put in place to allow data collected for different purposes to be processed separately.
These should include:

  • Restriction of access to data stored for different purposes according to staff duties
  • Segregation of business IT systems
  • Segregation of IT testing and production environments
     

9.    Storage control

Measures should be put in place to secure business facilities, data centres, paper files, servers, back-up systems and computing equipment, including, but not limited to, all mobile devices and other equipment with information storage capability.