Privacy Policy

10. Data protection
Controller, processor, data subject, personal data, personal data breach, processing and appropriate technical and organisational measures: as set out in the Data Protection Legislation. For Agreements which are with Scrum Facilitators UK:

10.1 Data Protection Scrum Facilitators UK
Data Protection Legislation: all applicable data protection and privacy legislation in force from time to time in the UK including the UK GDPR; the Data Protection Act 2018 (DPA 2018) (and regulations made thereunder); the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426) as amended and all other legislation and regulatory requirements in force from time to time which apply to a party relating to the use of personal data (including, without limitation, the privacy of electronic communications). UK GDPR: has the meaning given to it in section 3(10) (as supplemented by section 205(4)) of the Data Protection Act 2018. The parties acknowledge that for the purposes of the Data Protection Legislation, the Client is the controller and Scrum Facilitators UK is the processor. The parties will comply with the Data Protection Legislation. Scrum Facilitators UK shall, in relation to any Personal Data processed in connection with this Agreement:

process that Personal Data only on the Client written instructions;
keep the Personal Data confidential;
comply with the Client data protection policy;
comply with the Client reasonable instructions with respect to processing Personal Data;
only transfer Personal Data to a third country or an international organisation with the Client prior written approval. When the approval for transfer is given by the Client, it must be contingent upon a transfer performed in compliance with the exceptions and / or conditions provided for by the applicable Data Protection Legislation.
assist the Client in responding to any data subject access request and to ensure compliance with the Client's obligations under the Data Protection Legislation with respect to security, breach notifications, privacy impact assessments and consultations with supervisory authorities or regulators;
notify the Client without undue delay on becoming aware of a Personal Data breach or communication which relates to the Client or Scrum Facilitators UK compliance with the Data Protection Legislation;
delete or return Personal Data (and any copies of the same) to the Client on termination of this Agreement unless required by the Data Protection Legislation to store the Personal Data; and
maintain complete and accurate records and information to demonstrate compliance with this clause. Including records of: a. the categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organisations; b. the transfers of Personal Data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1) of the UK GDPR, the documentation of suitable safeguards.
Scrum Facilitators UK shall ensure that it has in place appropriate technical or organisational measures to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures. Such measures may include, where appropriate:

pseudonymisation and encrypting Personal Data;
ensuring confidentiality, integrity, availability and resilience of its systems and services;
ensuring that availability of and access to Personal Data can be restored in a timely manner after an incident; and
regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by Scrum Facilitators UK.
Scrum Facilitators UK shall not subcontract the processing of personal data to another processor (a "Sub-processor") without the prior specific written authorisation of the Client. The Sub-processor shall not be permitted to further subcontract the processing of personal data to another processor. Scrum Facilitators UK shall ensure the obligations in this clause are imposed on each Sub-processor in a written agreement (a "Processing Subcontract"). Scrum Facilitators UK shall be liable to the Client for each Sub-processor's performance and shall provide a copy of each Processing Subcontract to the Client upon request.

For Agreements which are with Scrum Facilitators NL:
10.2 Data Protection Scrum Facilitators NL
Data Protection Legislation: All applicable data protection and privacy legislation in force from time to time in the European Union, including the General Data Protection Regulation (EU) 2016/679 (GDPR); Directive 2002/58/EC on Privacy and Electronic Communications (as amended, including by Directive 2009/136/EC, and as transposed into the national laws of EU Member States); and all other applicable legislation and regulatory requirements in force from time to time within the EU relating to the use of personal data (including, without limitation, the privacy of electronic communications). GDPR (EU 2016/679): The overarching regulation for personal data protection within the EU, equivalent to the UK GDPR. Directive 2002/58/EC (ePrivacy Directive): Corresponds to the UK's Privacy and Electronic Communications Regulations 2003 (PECR), though it is implemented at the Member State level. Other National Legislation: Reflects the transposition of directives like the ePrivacy Directive into individual Member State laws. The parties acknowledge that for the purposes of the Data Protection Legislation, the Client is the controller and Scrum Facilitators NL is the processor. The parties will comply with the Data Protection Legislation. Scrum Facilitators NL shall, in relation to any Personal Data processed in connection with this Agreement:

Process that Personal Data only on the Client's written instructions;
Keep the Personal Data confidential;
Comply with the Client's data protection policy;
Comply with the Client's reasonable instructions with respect to processing Personal Data;
Only transfer Personal Data to a third country or an international organisation with the Client's prior written approval. When the approval for transfer is given by the Client, it must be contingent upon a transfer performed in compliance with the exceptions and/or conditions provided for by the applicable Data Protection Legislation, including the General Data Protection Regulation (EU) 2016/679 (GDPR).
Assist the Client in responding to any data subject access request and to ensure compliance with the Client's obligations under the Data Protection Legislation with respect to security, breach notifications, privacy impact assessments, and consultations with supervisory authorities or regulators;
Notify the Client without undue delay upon becoming aware of a Personal Data breach or communication which relates to the Client's or Scrum Facilitators NL's compliance with the Data Protection Legislation;
Delete or return Personal Data (and any copies of the same) to the Client on termination of this Agreement unless required by the Data Protection Legislation to store the Personal Data; and
Maintain complete and accurate records and information to demonstrate compliance with this clause, including records of: ○ The categories of recipients to whom the Personal Data have been or will be disclosed, including recipients in third countries or international organisations; ○ The transfers of Personal Data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1) of the GDPR, the documentation of suitable safeguards.
Scrum Facilitators NL shall ensure that it has in place appropriate technical or organisational measures to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction, or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures. Such measures may include, where appropriate:

Pseudonymisation and encrypting Personal Data;
Ensuring confidentiality, integrity, availability, and resilience of its systems and services;
Ensuring that availability of and access to Personal Data can be restored in a timely manner after an incident; and
Regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by Scrum Facilitators NL.
Scrum Facilitators NL shall not subcontract the processing of Personal Data to another processor (a "Sub-processor") without the prior specific written authorisation of the Client. The Sub-processor shall not be permitted to further subcontract the processing of Personal Data to another processor. Scrum Facilitators NL shall ensure the obligations in this clause are imposed on each Sub-processor in a written agreement (a "Processing Subcontract"). Scrum Facilitators NL shall be liable to the Client for each Sub-processor's performance and shall provide a copy of each Processing Subcontract to the Client upon request.