AOK Events Limited ("We") are committed to protecting the personal data of private individuals including our customers and the customers of the organisations we work with. On 25 May 2018, the General Data Protection Regulation will come into force and implement important changes to data protection laws in the United Kingdom and across the European Union.  As part of our commitment to data protection and to ensuring compliance with the GDPR, we confirm that:-


When we process data (as a data processor) on behalf of a data controller ("you"), we will not engage another data processor without prior specific or general written authorisation from you. In the case of general written authorisation, we shall inform you of any intended changes concerning the addition or replacement of other processors, thereby giving you the opportunity to object to such changes.


We will only process personal data supplied to us by you in accordance with your documented instructions, including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by law. In such cases, we shall inform you of that legal requirement before processing, unless the law prohibits such information on important grounds of public interest;


We shall immediately  inform you if, in our opinion, an instruction from you infringes the General  Data  Protection  Regulation  ("GDPR")  or  other   applicable   data   protection provisions;


We will ensure that persons authorised to process  the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;


We will take all appropriate measures required pursuant to Article 32 of the GDPR;


Taking into account the nature of the processing, we will assist you by taking appropriate technical and organisational measures, insofar as this is possible, for the fulfillment of your obligation to respond to requests for exercising the data subject's rights laid down in Chapter Ill of the GDPR ;


At your choice, we confirm that we will delete or return all the personal data to you after the end of the provision of services relating to processing, and delete existing copies unless the law requires storage of the personal data;


We will make available to you all information necessary to demonstrate compliance with the obligations laid down in the GDPR  and allow for and contribute to audits, including inspections, conducted by you or another auditor mandated by you ;


Where we engage another processor for carrying out specific processing activities on your behalf, the same data protection obligations as set out in our contract or other legal act between us shall be imposed on that other processor by way of a contract or other legal act under the law, in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of the GDPR ;


Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, we shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate :-


the pseudonymisation and encryption of personal data ;


the ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services ;


the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;


a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.


In assessing the appropriate level of security, account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed ;


We shall take steps to ensure that any natural person acting under our authority who has access to personal data does not process them except on instructions from you unless he or she is required to do so by law;


In the case of a personal data breach pertaining to your data or your customer/client's personal data, we shall notify you without undue delay after becoming aware of a personal data breach.  The notification will at least include:-


a description of the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned ;


the name and contact details of the person within our organisation from whom more information can be obtained ;


a description of the likely consequences of the personal data breach;


a description of the measures taken or proposed to be taken to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects;


Where it is not possible to provide the information at the same time, the information will be provided in phases without undue further delay;


We will carry out Data Protection Impact Assessments when required to do so under the GDPR ;


We will comply with the data processing Principles as set out by Chapter 2 of the GDPR;


We will comply with the requirements as set out by Chapter 3 of the GDPR concerning the rights of data subjects;


We will comply with our obligations under Chapter 5 of the GDPR concerning the transfer of personal data to third countries and international organisations.