Data Processing Annex

1. . Privacy Compliance
   
2. • 1.1 The Parties shall comply with the provisions and obligations imposed on them by the Data Protection Laws at all times when processing Personal Data in connection with this Customer Agreement.

• 2. Data Controllers
  
  • 2.1 Plan shall be a Data Controller in respect of any Personal Data processed for the purposes of (a) the provision of electronic communications services; (b) improving its electronic communications services; (c) billing; (d) account management (including entering into a Customer Agreement); (e) marketing; (f) research and analysis; and (g) customer support / services.
  • 2.2 The Customer shall be a Data Controller in respect of any Personal Data it provides to Plan and in any other circumstances set out in Specific Terms and Conditions.
  • 2.3 Plan shall only Process Personal Data as a Data Controller insofar as is necessary for Plan to provide services to the Customer, to comply with Applicable Laws or where Plan otherwise has a legitimate interest in carrying out that processing that is not overridden by the Customer’s rights and freedoms as a data subject. Plan shall only share Personal Data when it is necessary to comply with the Customer’s instructions to Plan, where it is required for the efficient working of Plan’s business or where Plan has a legal obligation to do so.
  • 2.4 Each of Plan and the Customer shall:
    
    • (a) have in place at all times appropriate technical and organisational measures to protect the Personal Data;
    • (b) use its reasonable endeavours to ensure that its personnel are subject to written (or statutory) obligations to maintain the confidentiality of Personal Data and are trained on the requirements of Data Protection Laws and their obligations in respect of Personal Data;
    • (c) notify the other if it receives any complaint, notice or communication which relates directly or indirectly to the processing of Personal Data by the other or to either of our compliance with Data Protection Laws and shall provide the other with reasonable co-operation and assistance in relation to any such complaint, notice or communication; and
    • (d) without undue delay after discovering any Security Breach or any failure of security which leads to, or may lead to, a Personal Data Breach notify the other of the same and, where reasonably practicable, provide full details of the Security Breach and the consequences of the Security Breach. Each party shall fully co-operate with the other to seek to remedy the issue and to provide such notifications as may be required in accordance with Data Protection Laws.

• 3. Disclosure of Personal Data
  
  • 3.1 The Customer shall:
    
    • (a) only disclose to Plan the Personal Data that Plan requires in order to provide the Services;
    • (b) ensure that it has the necessary authority from the Data Subject or another lawful basis under the GDPR to disclose Personal Data to Plan; and
    • (c) ensure that it has the necessary authority and/or consent from each Data Subject whose use of Plan’s services are being monitored at the request of the Customer and the Customer shall comply with all Applicable Laws in respect of notification and consent in respect of all call recording and monitoring.
  • 3.2 The Customer shall indemnify and keep indemnified as its own expense Plan against all claims, liabilities, damages, administrative fines, costs or expenses incurred by Plan or for which Plan may become liable due to any failure by the Customer to comply with any of its obligations in paragraph 3.1.

• 4. Marketing
  
  • 4.1 Plan may occasionally send the Customer updates and marketing information about its services and events. If the Customer does not wish to receive these communications from Plan then it can opt-out by following the instructions in the messages the Customer receives from Plan, or by contacting our marketing team at marketing@plan.com. Personal data will always be processed in accordance with current data protection law which includes the General Data Protection Regulation (GDPR). The Privacy Notice sets out full information about how Plan use data and what an individual’s rights are under Data Protection Law. The Privacy Notice can be accessed online at . A hardcopy of the Privacy Notice is available upon request from either the Partner with whom the Customer deals or the Plan team.

• 5. Processing and security
  
  • 5.1 In performing its obligations under this Customer Agreement, Plan shall only process the types of Personal Data, and only in respect of the categories of Data Subjects, and only for the nature and purposes of processing and duration, as is set out in Appendix 1 to this Annex.
  • 5.2 In processing the Customer Personal Data, Plan shall:
    
    • (a) Process Customer Personal Data only in accordance with the Customer’s written instructions from time to time (including those set out in this Customer Agreement) unless it is otherwise required by Applicable Laws (in which case, unless such law prohibits such notification on important grounds of public interest, Plan shall notify the Customer of the relevant legal requirement before processing the Customer Personal Data);
    • (b) not process the Customer Personal Data for any purpose other than those set out in the Customer Agreement, the Privacy Notice, this Annex or otherwise expressly authorised by the Customer;
    • (c) notify the Customer within two (2) Business Days if it receives a Data Subject Request in respect of the Customer Personal Data;
    • (d) provide the Customer with its full co-operation and assistance in relation to any Data Subject Request in respect of the Customer Personal Data;
    • (e) not disclose any Customer Personal Data to any Data Subject or to a third party (including any subcontractor or affiliate) other than at the written request of the Customer or as expressly provided for in this Customer Agreement;
    • (f) taking into account:
      
      • (i) the state of the art;
      • (ii) the nature, scope, context and purposes of the processing; and
      • (iii) the risk and severity of potential harm, protect the Customer Personal Data by ensuring that it has in place appropriate technical and organisational measures, including measures to protect the Customer Personal Data against the risks of a Security Breach; and
    • (g) ensure that only persons authorised by Plan process the Customer Personal Data and that such persons are (i) subject to binding obligations to maintain the confidentiality of the Customer Personal Data; and (ii) trained on both (1) the requirements of the Data Protection Laws, and (2) their obligations in respect of the Customer Personal Data under this Customer Agreement.
  • 5.3 Plan shall, without undue delay after discovering any Security Breach or any failure or defect in security which leads, to a Security Breach (together a “Security Issue”) notify the Customer of the same.
  • 5.4 Where a Security Issue arises, Plan shall:
    
    • (a) as soon as reasonably practicable, provide the Customer with full details of the Security Issue, the actual or expected consequences of it, and the measures taken or proposed to be taken to address or mitigate it;
    • (b) co-operate with the Customer, and provide the Customer with all reasonable assistance in relation to the Security Issue; and
    • (c) unless required by Applicable Law, not make any notifications to a DP Regulator or any Data Subjects about the Security Issue without the Customer’s prior written consent (not to be unreasonably withheld or delayed).

Return or destruction of Personal Data

• • 5.5 Subject to paragraph 5.6, Plan shall (at Plan’s option) return or irretrievably delete all the Customer Personal Data in its control or possession when it no longer requires such the Customer Personal Data to exercise or perform its rights or obligations under this Customer Agreement, and in any event on expiry or termination of this Customer Agreement unless and to the extent only that it is required to keep such data under any Applicable Laws.
  • 5.6 To the extent that Plan is required by Applicable Laws to retain all or part of the Customer Personal Data (the “Retained Data”), Plan shall:
    
    • (a) cease all processing of the Retained Data other than as required by the Applicable Law;
    • (b) keep confidential all such Retained Data in accordance with the terms of the Customer Agreement; and
    • (c) continue to comply with the provisions of this Annex in respect of such Retained Data.

Audit

• • 5.7 Plan shall comply with all requests from the Customer (and its auditors, and its and their internal or external representatives) to access and inspect Plan’s (and its Sub-Processors’) premises, records and personnel relevant to any processing of the Customer Personal Data, in each case to enable the Customer to audit and verify that Plan (and its Sub-Processors) is complying fully with its obligations under this Customer Agreement and under the Data Protection Laws in relation to the Customer Personal Data so long as the audit:
    
    • (a) does not disrupt Plan’s business;
    • (b) is conducted during Plan’s normal business hour;
    • (c) does not interfere with the interests of Plan’s other customers;
    • (d) does not cause Plan to breach its confidentiality obligations to other customers, suppliers or any other organisation; and
    • (e) the Customer will reimburse Plan for its reasonable costs and those of its Sub-Processors.
  • 5.8 Plan shall provide such information, co-operation and assistance in relation to any request made by the Customer (or its auditors, or its or their representatives) under paragraph 5.10 as the Customer may reasonably require.

Co-operation and assistance

• • 5.9 Plan shall at the request and cost of the Customer promptly co-operate with the Customer, and promptly provide such information and assistance as the Customer may reasonably require, to enable the Customer to:
    
    • (a) comply with the Customer’s obligations under the Data Protection Laws (including Articles 32-36 of GDPR) in respect of the Customer Personal Data; and
    • (b) deal with and respond to all investigations and requests for information relating to the Customer Personal Data from any DP Regulator.
  • 5.10 If Plan receives any complaint, notice or communication from a DP Regulator or other third party (excluding a Data Subject Request) which relates directly or indirectly to the Customer Personal Data or to either party’s compliance with the Data Protection Laws, it shall notify the Customer as soon as reasonably practicable.

Sub-Processors

• • 5.11 Where any provision of this paragraph 5 places an obligation on Plan, that obligation shall be construed as an obligation on Plan to procure that all its Sub-Processors, and its own and its Sub-Processors personnel, comply with such obligation.
  • 5.12 The Customer hereby authorises Plan to appoint Sub-Processors provided that Plan will inform the Customer of proposed changes to its Sub-Processors from time to time and if the Customer does not object to the proposed change within 30 days of the date of this notice, the Customer will be deemed to have authorised the use of the new Sub-Processors. The Customer may object to the use of a new Sub-Processor by giving Plan notice of its objections setting out material and substantiated concerns that the Sub-Processor will not be able to comply with the Data Protection Legislation. If such notice is received within the 30 days set out above then the parties will address the Customer’s objection in accordance with the dispute resolution set out in Customer Agreement and Plan may use the relevant Sub-Processor to provide the services until the objection is resolved.
  • 5.13 If Plan appoints a Sub-Processor, Plan shall ensure that:
    
    • (a) such Sub-Processor shall only process the Customer Personal Data in order to perform one or more of Plan’s obligations under this Customer Agreement; and
    • (b) it enters into a written agreement with that Sub-Processor, prior to any processing by the Sub-Processor, requiring the Sub-Processor to:
      
      • (i) process the Customer Personal Data only in accordance with the written instructions of Plan or the Customer; and
      • (ii) comply with data protection obligations equivalent in all material respects to those imposed on Plan under this paragraph.
  • 5.14 Notwithstanding the appointment of a Sub-Processor, Plan is responsible and liable to the Customer for any processing by the Sub-Processor in breach of this paragraph.

Transfer of Personal Data

• • 5.15 Plan shall process the Customer Personal Data, or otherwise transfer or access any the Customer Personal Data, outside of the United Kingdom, the Isle of Man and the European Economic Area (“Permitted Region”) only if there is adequate protection and appropriate safeguards for such the Customer Personal Data in accordance with applicable Data Protection Laws when it is transferred or accessed outside of the Permitted Region. Such adequate protection and appropriate safeguards may include, where specified by the Customer, Plan (or applicable third party): (a) taking such steps, and/or providing such legally binding assurances, as may reasonably be required by the Customer on an on-going basis; and/or (b) entering into the Standard Contractual Clauses with the Customer.
  • 5.16 If either (a) the means by which adequate protection for the transfer is achieved ceases to be valid, or (b) any DP Regulator (or other supervisory or regulatory authority) requires transfers of Personal Data pursuant to such Standard Contractual Clauses to be suspended, then the Customer may (at its discretion) require Plan immediately to cease transfers of Personal Data and delete or return all Personal Data previously transferred.

• 6. Records and complaints
  
  • 6.1 Each Party shall maintain records of all processing operations under its responsibility that contain at least the minimum information required by the Data Protection Laws and shall make such information available to any DP Regulator on request.
  • 6.2 If either party receives any complaint, notice or communication which relates directly or indirectly to the processing of Personal Data by the other party or to either party’s compliance with the Data Protection Laws, it shall as soon as reasonably practicable notify the other party and it shall provide the other party with reasonable co-operation and assistance in relation to any such complaint, notice or communication.

• 7. Definitions

• • In this Annex the following words and phrases shall have the following meaning unless the context requires otherwise:
  • “Applicable Laws” means any law, regulation, binding code of practice, rule or requirement of any relevant government or governmental agency, professional or regulatory authority, sanctions (economic trade and financial sanctions laws, regulations, embargoes or restrictive measures administered), trade or export control laws each as relevant to this Customer Agreement.
  • “Customer” means a person or organisation who has entered into a Customer Agreement with Plan;
  • “Customer Agreement” means a contract between the Customer and Plan for the provision of certain services by Plan.
  • “Customer Personal Data” means all Personal Data processed by Plan as a processor on behalf of the Customer under or in connection with this Customer Agreement.
  • “Data Protection Laws” means any applicable laws and regulations in any relevant jurisdiction relating to the use or processing of personal data including: (i) EU Regulation 2016/679 (“GDPR”); (ii) any laws or regulations ratifying, implementing, adopting, supplementing or replacing the GDPR (including, in the UK, the Data Protection Act 2018 (“DPA”) and (to the extent in force) the UK GDPR as defined in The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (“UK GDPR”)); (iii) any laws and regulations implementing or made pursuant to EU Directive 2002/58/EC (as amended by 2009/136/EC) (including, in the UK, the Privacy and Electronic Communications (EC Directive) Regulations 2003); and (iv) any guidance or codes of practice issued by a governmental or regulatory body or authority in relation to compliance with the foregoing; in each case, as updated, amended or replaced from time to time; and (b) the terms “Data Subject”, “Personal Data”, “processing”, “processor” and “controller” shall have the meanings set out in the GDPR.
  • “Data Subject Request” means a request from a Data Subject to exercise its rights under the Data Protection Laws in respect of that Data Subject’s Personal Data.
  • “DP Regulator” means any governmental or regulatory body or authority with responsibility for monitoring or enforcing compliance with the Data Protection Laws. “Plan” means Plan Communications Limited, a company incorporated and registered in the Isle of Man (company number: 010273V) with registered address: No.5 Victoria Street, Douglas, Isle of Man, IM1 2LR.
  • “Security Breach” means any actual loss, unauthorised or unlawful processing, destruction, damage, or alteration, or unauthorised disclosure of, or access to the Customer Personal Data.
  • “Sub-Processor” means a subcontractor (including any affiliates of Plan) appointed by Plan to process the Customer Personal Data.
  • “Standard Contractual Clauses” means the standard contractual clauses set out in the European Commission’s Decision 2010/87/EU of 5 February 2010 for the transfer of Personal Data to processors established in third countries.

Appendix 1 

Data Processing Activities

The Personal Data processing activities carried out by Plan under the Customer Agreement may be described as follows:

1. Subject matter of processing

Connection-specific usage (e.g. calls, data and texts), compliance with the Agreement and Charges incurred as a result of that usage. 

2. Nature and purpose of processing

We will process the Personal Data for the following purposes:

Providing our Customer with products and services

•      To provide the relevant product or service to our Customer by identifying the user of a Connection (e.g. via a SIM) to our network

•      To provide the Customer with network usage data and content for our Customer’s training, quality, productivity monitoring, compliance monitoring (e.g. health and safety) or other purposes

•      To monitor and manage the quality of our customer service and to identify training and development needs and for evidential purposes if required to resolve a dispute or enquiry

Managing our networks and understanding network usage

•      To understand how Customers and individuals use our networks, products and services to enable us to review and improve these, and develop more existing and new products and services, as well as personalising Plan’s products and services.

•       To ensure that Plan is meeting its commitments around fair use, to detect and resolve fraudulent use of our networks (and our partners’ roaming networks) and to solve technical issues.

3. Categories of Personal Data

We may collect the following Personal Data in respect of a Data Subject:

•      name and mobile number.

•      data, voice and messaging traffic data, for e.g. the numbers called or messages sent and received, the time and duration of the call or SMS using our network.

•      voice and messaging content data, for e.g. the content of a calls or SMS made or received using our network.

•      the time and duration of network data usage for e.g. the duration of network data usage and the volume of any file downloads or streaming whilst connected to our network

•      network data usage, (including web sites visited, apps used) and classification of content visited, in order to apply blocks and filters.

•      location data. This can be precise where it uses Global Positioning System (GPS) data or by identifying nearby mobile phone masts where a user has enabled location-based services or features. Or less precise where, for example, a location is derived from your data such as a post code or name of a town or city.

•      contact with us, such as a note or recording of a call made to us, an email or letter sent, or other records of any contact with us.

4.  Categories of data subjects

Employees, consultants, agents, owners or directors of Plan’s Customers.

5.   Duration

The processing will be undertaken for the duration of the Customer Agreement in order to effectively deliver the Services provided under that Customer Agreement,