Client Data Processing and Sharing Policy

This Data Processing and Sharing Policy ("DPSP") applies when Client Data is processed by Spinnaker. This DPSP applies irrespective of whether any Agreement has been formally executed.

  1. Purpose and Instructions: Spinnaker will not receive, access, store, use or otherwise process Client Data, except as necessary to provide the Services. Spinnaker will process Client Data in accordance with this DPSP, its Business to Business Marketing Policy, applicable Agreements and Clients' written instructions. Spinnaker will immediately notify Clients if, in Spinnaker's opinion, any instruction or direction from a Client infringes Data Protection Law.

  2. Definitions: All capitalized terms used in this DPSP will have the meanings given to them below:

    "Affiliate" means any entity that, now or in the future, owns, or is owned by or is under common ownership with Spinnaker. For the purposes of this definition, "Ownership" means control of more than a 50% interest of an owned entity or the ability to direct the actions of an owned entity according to the desires of the owning entity.

    "Agreement" means an underlying agreement between Spinnaker and the Client for the provision of Services including, but not limited to terms and conditions for HR consulting services, contingency recruitment, executive search, association memberships / salary benchmarking, website use, supply of training and development services and sponsorship.

    "Business to Business Marketing Policy" means Spinnaker's Legitimate Interests Assessment and Business to Business Marketing Policy.

    "Client" means any current, past or prospective Client of Spinnaker and its Affiliates.

    "Client Data" means the personal data of Clients and of their current, prospective & former employees, workers, consultants and contractors, which the Client is authorized to provide/transmit to Spinnaker.

    "Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Client data transmitted, stored or otherwise processed by Spinnaker or a subcontractor.

    "Data subject" has the meaning given to it in EU Data Protection Law but includes natural persons of all nationalities.

    "EEA" means the European Economic Area.

    "Data Protection Law" means the Regulation and other non-EU and non-UK data protection legislation to which processing of Client Data may be subject.

    "Personal Data" has the meaning given to it in Data Protection Law.

    "Processing" has the meaning given to it in Data Protection Law and "process", "processes" and "processed" will be interpreted accordingly and includes but is not limited to, receiving, accessing, storing and using Personal Data by various methods, as required in relation to the provision of the Services.

    "Regulation" and "GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation) and any other directive, regulation or law imposing equivalent obligations.

    "Services" means the services provided by Spinnaker to Clients and includes informing Clients about the Services in accordance with Spinnaker's Business to Business Marketing Policy.

    "Spinnaker" means Spinnaker Global Ltd and Spinnaker Global (Singapore) Pte. Ltd.

  3. Spinnaker personnel: Spinnaker restricts access to Client Data to Spinnaker personnel who need to access Client Data to provide the Services to the Client. Spinnaker ensures that any Spinnaker personnel who process Client Data are bound by appropriate contractual confidentiality, data protection, and data security obligations, which are at least as restrictive as this DPSP.

  4. Point of Contact: Spinnaker's data protection lead for the receipt of any notices or requests by Spinnaker is Adrian Lansdowne, who is contactable at: alansdowne@spinnaker-global.com

  5. Security: Spinnaker maintains appropriate technical and organisational measures to protect Client Data at all times against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure, access, or processing.

  6. Disclosure: Spinnaker will not disclose Client Data to any government, authority or other third party without the Client's prior written consent unless required by law, statute or a court order to do so. To the extent permissible by law, Spinnaker will immediately notify the Client if Spinnaker receives a request to disclose Client Data. Where possible, the notice will (a) attach a copy of the request, and (b) if not covered by (a), specify (i) the identity of the requester, (ii) the scope and purposes of the request and (iii) the date of the request and any deadline for a response.

  7. Assistance: Spinnaker will provide any cooperation or assistance reasonably requested by the Client in connection with steps that the Client takes to comply with Data Protection Law insofar as they relate to the Services. This includes assistance provided where the Client is: (i) responding to requests from individuals or authorities, (ii) notifying data breaches to affected individuals or authorities; (iii) carrying out data protection impact assessments; and, (iv) prior consultations with authorities. Spinnaker shall notify the Client without delay if it receives a request from a data subject for access to that person's Client Data.

  8. Deletion/Return: Except as provided otherwise by law or contract, upon receipt of Clients' written instructions to do so, Spinnaker will (at the relevant Client's option) without delay delete or return all Client Data processed by Spinnaker on the Client's behalf in connection with the Services.

  9. Data Breaches: Spinnaker will notify the Client of any Data Breach without delay upon becoming aware of it. Spinnaker will include in the notice (a) to the extent possible at the time of the notice (i) the nature of the Data Breach (including the categories and number of individuals concerned and the categories and number of records involved), (ii) the likely consequences of the Data Breach and (iii) any steps Spinnaker has taken or proposes to take to address and/or mitigate the Data Breach, and (b) the point of contact at Spinnaker who the Client can contact about the Data Breach. Descriptions in the notice will be detailed enough to allow the Client to understand the impact of the Data Breach. If it is not possible for Spinnaker to provide any of the information required by this DPSP at the time of the notice, Spinnaker will provide such information to the Client as soon as possible thereafter. Spinnaker will take all reasonable steps to mitigate the effects and to minimize any damage resulting from the Data Breach. Spinnaker will promptly comply with any reasonable instructions provided by, and cooperate with, the Client in relation to the Data Breach.

  10. Records: Spinnaker will maintain a record of all processing of Client Data performed on the Client's behalf.

  11. Subcontractors: Spinnaker will obtain Clients' prior written consent before engaging a subcontractor to process any particular Client or Clients' Data on the Clients' behalf. Spinnaker will ensure that any such subcontractor is bound by the same standard of data protection obligations as set out in this DPSP.

  12. Waiver: Failure to enforce any provision of this DPSP will not constitute a waiver.

  13. Severability: If any provision of this DPSP is found unenforceable, the balance of this DPSP will remain in full force and effect.

  14. Governing Law: The construction, validity and performance of this DPSP and all non-contractual obligations arising from or connected with this DPSP shall be governed by English law.