Terms & Conditions for the Supply of Services

1. Interpretation

1.1 In these conditions:

Agency – Means Face Facts Fieldwork trading as Face Facts Research (registered number 11594842) whose registered office is Granby House, 7 Otley Road, Headingley, Leeds, LS6 3AA.

Authorised Persons – Means the persons or categories of persons that the Client authorises to give the Agency written personal data processing instructions [as identified in Annex A and from whom the Agency agrees solely to accept such instructions.

Business Purposes – Means the Service to be provided by the Agency to the Client as described in the Contract any other purpose specifically identified in Annex A.

Client – Means the person named in the Quote/proposal for whom the Agency has agreed to provide the Service in accordance with these Conditions

Commissioner – Means the Information Commissioner as defined in Article 4 (A3), UK GDPR and section 114, Data Protection Act 2018.

Conditions – Means the terms and conditions of market research supply as set out in this document.

Confidential Information – All information which is confidential in nature regardless of the medium, whether written, oral or otherwise, concerning each party and its business, including the terms of the Agreement, but excluding any information which is in the public domain; or becomes generally available to third parties through no fault of the other party; or which was lawfully in the possession of the other party prior to such disclosure; or the disclosure of which is required by law; or the disclosure of which is expressly approved by the disclosing party.

Contract – Means the contract for the provision of the Service.

Controller – Means a person or organisation who determines the purposes and means of the Processing.

Data Protection Legislation – Means all applicable data protection and privacy legislation in force from time to time in the UK including without limitation the UK GDPR, the Data Protection Act 2018, the Privacy and Electronic Communications Regulations 2003 and the guidance and codes of practice issued by the Commissioner or other relevant regulatory authority.

Data Subject – Means the individual to whom the Personal Data relates.

EU GDPR – Means the General Data Protection Regulation.

EEA – Means the European Economic Area.

Force Majeure – Means, in relation to either party, any circumstances beyond the reasonable control of that party (including, without limitation, any strike, lock-out or other industrial action).

Intellectual Property Rights – Means patents, trademarks, design rights, applications for any of the foregoing, copyright, moral rights, database rights, trade or business names, domain names, website addresses, whether registered or otherwise, (including applications for the right to apply for registration of any such rights), and any similar rights in any country whether currently existing or created in the future, in each case for their full term, together with any renewals or extensions.

Personal Data – Means any information relating to Data Subject that is processed by the Agency on behalf of the Client in connection with the provision of the Service under the Contract.

Personal Data Breach – Means a breach of security leading to the accidental, unauthorised or unlawful destruction, loss, alteration, disclosure of, or access to, the Personal Data.

Price – Means the price for the Service as detailed in the Quote/proposal.

Processing – Means any activity that involves the use of the Personal Data, including collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Processor – Means a person or organisation which processes personal data on behalf of the Controller.

Safe Countries – Means countries which the UK Secretary of State has deemed to have an adequate level of protection in relation to personal data by way of an adequacy decision.

Service – Means the service to be provided by the Agency for the Client and referred to in the Quote/proposal.

Quote/Proposal – Means the documents to which these conditions are supplied.

UK GDPR – Has the meaning given to it in section 3 (10) and section 205 (4) of the Data Protection Act 2018.

VAT – Value added tax chargeable under English law for the time being and any similar additional tax.

Written/Writing – Includes without limitation, writing by email, fax and comparable means of communication, such communications between authorised personnel of both the Agency & Client.

1.2 The heading in these conditions are for convenience only and shall not affect their interpretation

2. Supply of Service

2.1 The Agency shall provide the Service set out in the Quote/Proposal to the Client subject to these conditions. Any changes or additions to the Quote/proposal or these conditions must be agreed in writing by the Agency and the Client.

2.2 Each party warrants, undertakes and represents to the other that it has all necessary rights (including Intellectual Property Rights), consents and licenses in order to perform its obligations under this Agreement and to grant the rights granted to the other Party under this Agreement.

2.3 The Client shall at its own expense supply the Agency with all necessary documents or other materials, and all necessary data or other information relating to the Service, within sufficient time to enable the Agency to provide the relevant part of the Service in accordance with the Quote/proposal. The Client shall ensure the accuracy of all such documents and materials.

The client is responsible for ensuring that all documentation, materials, data and information provided to the Agency is accurate, does not breach any applicable Law or is not defamatory in any way.

2.4 The Client shall at its own expense retain duplicate copies of all documents and material provided to the Agency and insure against its accidental
loss or damage. The Agency shall have no liability for any such loss or damage, however caused.

2.5 All materials and other items/stimulus/documents produced by the Agency for the Client shall be at the sole risk of the Client from the time of delivery to the client.

2.6 The Service shall be provided subject to these conditions and in accordance with the Quote/proposal.

2.7 All fees quoted are valid for 90 days. Any projects/services commissioned after 90 days may be subject to revised costs.

3. Delivery

3.1 The Agency shall not be liable to the Client or deemed to be in breach of this Agreement by reason of any late or non-delivery, if the delay or failure was due to any cause beyond the Agency’s reasonable control including (without limitation) any failure by, or on behalf of, the Client to provide the Agency with information, approvals or consents or any other materials as may be necessary to allow the Agency to provide the Services.

4. Delay by Client

4.1 If the completion of the Service in accordance with the Quote/proposal is delayed as a result of the Client’s instruction or lack of instruction, the inaccuracy of any documents, materials, data or information provided by the Client or any other cause attributable to the Client, the Agency reserves the right to invoice for work completed up to that time and any additional costs incurred by the Agency as a result of such delay.

5. Price & Payment

5.1 An invoice will be issued at the same time as delivery to the Client of the data or completion of the fieldwork/project requirements.

The Client shall pay each invoice submitted in full and in cleared funds, within 30 days of receipt of the invoice.

5.2 Subject to any special terms and any additional sums agreed between the Agency and the Client, the Client shall pay the Price for the provision of Service.

5.3 The Price and all additional charges quoted for the Service are exclusive of any VAT for which the Client shall be additionally liable at the applicable rate at that time.

5.4 If there is any deviation, amendment or increase in the scope of Services to be provided by the Agency, the Client agrees that the Agency is entitled to vary the Fee payable for the Services to take account of such deviation, amendment or increase, and further agrees to pay such varied Fee in accordance with this Agreement.

5.5 For any Quotes/projects whereby there are any upfront costs such as consumables, equipment hire/purchase or incentives, 50% of the total project cost
may be requested up front on commission of the project and payable within 7 days. The remainder of the fees will be invoiced on completion of the project
with 30 day payment terms.

5.6 For any Quote where the value exceeds £20,000 or for a Quote/project that has numerous waves over a period of time, staged payments may be requested
and outlined at commission stage.

5.7 Without prejudice to any other right or remedy that it may have, if the Client fails to pay the Agency on the due date, the Agency may:

5.7.1 Charge interest on such sum from the due date for payment at the annual rate of 2% above the base lending rate, accruing on a daily basis and being compounded quarterly until payment is made, whether before or after any judgement and the Client shall pay the interest immediately on demand. The Agency may claim interest under the Late Payment of Commercial Debts (Interest) Act 1998.

6. Cancellation

6.1 The Agency may terminate this Agreement with immediate effect at any time if the Client commits a material breach or any repeated or persistent breach of any of the terms of this Agreement and either such breach is incapable of remedy or the breach continues un-remedied for 14 days after notice specifying the breach and requiring the same to be remedied has been given to the Client; or the Client suffers any event of insolvency or is unable to pay its debts as and when they fall due or has an administrator, receiver or administrative receiver appointed over all or any part of its assets, or passes a resolution for winding up. If the Client terminates the Contract it shall:

6.1.1 Pay immediately all outstanding sums due to the Agency;

The amount due will be subject to the amount of work undertaken at the stage at which the project was terminated.

6.1.2 Accept & pay invoices from the Agency calculated at the Contract rate in respect of the Service completed or substantially completed prior to such termination.

6.1.3 Be responsible for all costs and expenses incurred by the Agency in respect of any uncompleted Service; and

6.1.4 Discharge any liability of the Agency to third parties incurred in relation to any Service originally envisaged pursuant to the Quote/proposal/commission spec.

6.2 Cancellation/Postponement Fees

6.2.1 Without prejudice if a project commissioned and then is placed on hold by the Client for a period greater than four weeks, the Agency shall be entitled to issue an invoice to the Client for all Fees plus all third party costs and expenses incurred and/or committed to by the Agency to the date of suspension. This invoice shall be paid by the Client in accordance with the provisions of clause 5.1.

6.2.2 Cancellation fees which will be charged to Client for cancellation or postponement of field interviewers dependent on how much notice is given;

• 4 or more days – no interviewer cancellation fees required
• 3 days prior – 50% of interviewer charged daily rate
• Up to 48 hours – 100% of the interviewer charged daily rate

These costs do not include any management, supplier or other additional costs which will be charged at cost in addition to the above. This is purely a guide if fieldwork dates are moved, rescheduled or cancelled once allocated.

7. Code of Practice

7.1 Both parties shall abide by the rulings and codes of conduct of the Market Research Society.

8. Data Protection

8.1 The Client and the Agency agree and acknowledge that for the purpose of the Data Protection Legislation:

(a)  the Client is the Controller and the Agency is the Processor.

(b)  the Client retains control of the Personal Data and remains responsible for its compliance obligations under the Data Protection Legislation, including but not limited to, providing any required notices and obtaining any required consents, and for the written processing instructions it gives to the Agency.

(c)  Annex A describes the subject matter, duration, nature and purpose of the processing and the Personal Data categories and Data Subject types in respect of which the Agency may process the Personal Data to fulfil the Business Purposes.

8.2 Agency’s Obligations

8.2.1 The Agency shall only process the Personal Data to the extent, and in such a manner, as is necessary for the Business Purposes in accordance with the Client’s written instructions and shall not process the Personal Data for any other purpose or in a way that does not comply with this Clause or the Data Protection Legislation.

8.2.2 The Agency shall promptly notify the Client if, in its opinion, the Client’s instructions do not comply with the Data Protection Legislation.

8.2.3  The Agency shall promptly comply with any Client written instructions requiring the Agency to amend, transfer, delete or otherwise process the Personal Data, or to stop, mitigate or remedy any unauthorised processing.

8.2.4  The Agency shall maintain the confidentiality of the Personal Data and will not disclose the Personal Data to third-parties unless the Client or this Clause specifically authorises the disclosure, or as required by law.

8.2.5  The Agency shall provide the Client with reasonable assistance, at no additional cost to the Client, with meeting the Client’s compliance obligations under the Data Protection Legislation and in relation to Data Subject rights, data protection impact assessments and consulting with the Commissioner.

8.2.6 The Agency shall promptly notify the Client of any changes to the Data Protection Legislation that may reasonably be interpreted as adversely affecting the Agency’s performance of the Contract or this Clause.

8.2.7 The Agency shall only collect Personal Data for the Client using a notice or method that the Client specifically pre-approves in writing, which contains an approved data privacy notice informing the Data Subject of the Client’s identity, the purpose or purposes for which their Personal Data will be processed, and any other information that, having regard to the specific circumstances of the collection and expected processing, is required to enable fair processing. The Agency will not modify or alter the notice in any way without the Client’s written consent. 

8.3 Agency’s Employees

8.3.1 The Agency shall ensure that all of its employees:

(a) are informed of the confidential nature of the Personal Data and are bound by written confidentiality obligations and use restrictions in respect of the Personal Data.

(b) have undertaken training on the Data Protection Legislation and how it relates to their handling of the Personal Data and how it applies to their particular duties.

(c) are aware both of the Agency’s duties and their personal duties and obligations under the Data Protection Legislation and this Clause.

8.3.2 The Agency shall take reasonable steps to ensure the reliability, integrity and trustworthiness of its employees with access to the Personal Data, including but not limited to background checks where relevant.

8.4 Security

8.4.1 The Agency shall at all times implement appropriate technical and organisational measures against accidental, unauthorised or unlawful processing, access, copying, modification, reproduction, display or distribution of the Personal Data, and against accidental or unlawful loss, destruction, alteration, disclosure or damage of Personal Data including, but not limited to, the following:

(a) the pseudonymisation and encryption of personal data.

(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services.

(c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.

(d) a process for regularly testing, assessing and evaluating the effectiveness of the security measures.

(e) the security measures set out in Annex B.

8.5 Personal Data Breach

8.5.1 The Agency shall notify the Client in writing within one working day if it becomes aware of any Personal Data Breach.

8.5.2 Where relevant, the Agency shall provide the Client with the following information:

(a) a description of the nature of the Personal Data Breach, including the categories of Personal Data and number of Data Subjects and Personal Data
records concerned.

(b) the likely consequences.

(c) a description of the measures taken or proposed to be taken to address the Personal Data Breach including measures to mitigate its possible
adverse effects.

8.5.3 The Agency shall provide the Client with reasonable assistance in responding to any Personal Data Breach including but not limited to:

(a) assisting with any investigation.

(b) providing the Client with physical access to any facilities and operations affected.

(c) facilitating interviews with the Agency’s employees, former employees and others involved in the matter including, but not limited to, its officers and directors.

(d) making available all relevant records, logs, files, data reporting and other materials required to comply with the Data Protection Legislation or as otherwise reasonably required by the Client.

(e) taking reasonable and prompt steps to mitigate the effects and to minimise any damage resulting from the Personal Data Breach.

8.5.4 The Agency shall not inform any third-party of any Personal Data Breach without first obtaining the client’s, except when required to do so by domestic law.

8.5.5 The Agency agrees that the Client has the sole right to determine:

(a) whether to provide notice of any Personal Data Breach to any Data Subjects, the Commissioner, other regulators, law enforcement agencies or others, as required by law or regulation or in the Client’s discretion, including the contents and delivery method of the notice.

(b) whether to offer any type of remedy to affected Data Subjects, including the nature and extent of such remedy.

8.5.6 The Agency shall cover all reasonable expenses associated with the performance of the obligations under Clause 6.1 to Clause 6.3 unless the matter arose from the Client’s specific written instructions, negligence, wilful default or breach of this Clause, in which case the Client will cover all reasonable expenses.

8.6 Cross Border Transfers

8.6.1 The Agency and any subcontractor must not transfer or otherwise process the Personal Data outside the UK, the EEA or the Safe Countries without obtaining the Client’s prior written consent and any such transfer shall be validated a transfer mechanism which has been approved by the UK Secretary of State.

8.7 Subcontractors

8.7.1 The Agency may only authorise a subcontractor to process the Personal Data if:

(a) the Client is provided with an opportunity to object to the appointment of each subcontractor within 14 working days after the Agency supplies the Client with full details in writing regarding such subcontractor.

(b) the Agency enters into a written contract with the subcontractor that contains terms substantially the same as those set out in this Clause, in particular, in relation to requiring appropriate technical and organisational data security measures, and, upon the Client’s written request, provides the Client with copies of the relevant excerpts from such contracts.

(c) the Agency maintains control over all of the Personal Data it entrusts to the subcontractor.

(d) The subcontractor’s contract terminates automatically on termination of this Contract.

8.7.2 Those subcontractors approved as at the commencement of this Agreement are as set out in Annex A. The Agency must list all approved subcontractors in Annex A.

8.7.3 The Agency shall remain fully liable to the Client for the subcontractor’s non-performance of its obligations under the written agreement between the Agency and the subcontractor.

8.8 Data Subject Rights, Requests and Complaints

8.8.1 The Agency shall, at no additional cost to the Client, implement such technical and organisational measures as may be appropriate, and promptly provide such information to the Client as the Client may reasonably require, to enable the Client to comply with:

(a) requests by Data Subjects for access to the Personal Data, the erasure, rectification or portability of the Personal Data, objections to the processing of the Personal Data and requests for the processing of the Personal Data to be restricted.

(b) complaints by Data Subjects in relation to the processing of the Personal Data.

(b) information or assessment notices served on the Client by the Commissioner.

8.8.2 The Agency shall notify the Client immediately in writing if it receives any complaint, notice or communication that relates directly or indirectly to the processing of the Personal Data or to either party’s compliance with the Data Protection Legislation.

8.8.3 The Agency shall notify the Client within three working days if it receives a request from a Data Subject for access to their Personal Data or to exercise any of their other rights under the Data Protection Legislation.

8.8.4  The Agency shall provide to the Client, at no additional cost to the Client, reasonable co-operation and assistance in responding to any complaint, notice, communication or request from a Data Subject in relation to the processing of the Personal Data.

8.8.5 Except as otherwise provided for in this Clause, the Agency shall not disclose the Personal Data to any Data Subject or to a third party other than in accordance with the Client’s written instructions, or as required by domestic [or EU] law.

8.9 Data Return and Deletion

8.9.1 On termination of the Contract for any reason or expiry of its term, the Agency shall securely delete or destroy or, if directed in writing by the Client, return all of the Personal Data.

8.9.2 If any law, regulation, or government or regulatory body requires the Agency to retain any documents, materials or Personal Data that the Agency would otherwise be required to return or destroy, it will notify the Client in writing of that retention requirement, giving details of the documents, materials or Personal Data that it must retain, the legal basis for such retention, and establishing a specific timeline for deletion or destruction once the retention requirement ends.

8.9.3 The Agency shall certify in writing to the Client that it has deleted or destroyed the Personal Data within 14 days after it completes the deletion or destruction.

8.10 Records

8.10.1 The Agency shall keep detailed, accurate and up-to-date written records regarding any processing of the Personal Data, including but not limited to, the access, control and security of the Personal Data, approved subcontractors, the processing purposes, categories of processing, and a general description of the technical and organisational security measures referred to in Clause 8.4, and shall provide any such records to the Client upon request.

8.10.2 The Agency shall ensure that any such records are sufficient to enable the Client to verify the Agency’s compliance with its obligations under this Clause and the Data Protection Legislation and the Agency shall provide the Client with copies of the records upon request.

8.10.3 The Client and the Agency shall review the information listed in the Annexes at least once a year to confirm its accuracy and shall update it when required to reflect current practices.

8.11 Audit

8.11.1 The Agency shall permit the Client to audit the Agency’s compliance with its obligations under this Clause and shall give reasonable assistance in the conduct of audits at no additional cost to the Client, including but not limited to: 

(a) physical or remote electronic access to and copies of the Agencies records and information regarding the processing of the Personal Data.

(b) access to and meetings with any of the Agency’s personnel reasonably necessary to provide all explanations and perform the audit effectively.

(c) inspection of all records and information regarding the processing of the Personal Data and the infrastructure, electronic data or systems, facilities, equipment or application software used to process the Personal Data.

8.11.2 In the event of a Personal Data Breach the Agency shall:

(a) promptly conduct its own audit to determine the cause.

(b) produce a written report that includes detailed plans to remedy any deficiencies identified by the audit.

(c) provide the Client with a copy of the written audit report.

(d) Remedy any deficiencies identified by the audit within a reasonable period of time.

8.11.3 At least every two years, the Agency shall conduct site audits of its Personal Data processing practices and the information technology and information security controls for all facilities and systems used in complying with its obligations under this Clause, including, but not limited to, obtaining a network-level vulnerability assessment performed by a recognised third-party audit firm based on recognised industry best practices.

8.11.4  On the Client’s written request, the Agency shall make all of the relevant audit reports available to the Client.

8.11.5 The Agency shall promptly address any exceptions noted in the audit reports with the development and implementation of a corrective action plan.

9. Confidentiality

9.1 Both parties agree to keep confidential – and to use all reasonable endeavours to prevent publication by third parties – any proprietary or sensitive information acquired by one from the other until such information is within the public domain.

9.2 The Client shall keep in strict confidence all technical or commercial know-how, specifications, inventions, processes, methodologies, or initiatives which are of a confidential nature and have been disclosed to the Client by the Agency or its agents and any other confidential information concerning the Agency’s business or its services (including the terms of this Agreement) which the Client may obtain and the Client shall restrict disclosure of such confidential material to such of its employees, agents or sub-contractors as need to know the same for the purpose of discharging the Client’s obligations to the Agency and shall ensure that such employees, agents or sub-contractors are subject to like obligations of confidentiality as bind the Client.

9.3 The Agency with the written agreement of the Client (which shall not be unreasonably withheld), shall be permitted to use the name and logos of the Client in selected promotional and advertising materials of the Agency including (without limitation) in its credentials presentation.

10. Force Majeure

10.1 The Agency shall have no liability to the Client under the Contract if it is prevented from, or delayed in performing, its obligations under the Contract or from carrying on its business by acts, events, omissions or accidents beyond its reasonable control, including (without limitation) strikes, lock-outs or other industrial disputers (whether involving the workforce of the Agency or any other party), failure of a utility service or transport network, act of God, disease, war, riot, civil commotions, malicious damage, compliance with any law or governmental order, rule, regulation or direction, accident breakdown of plant or machinery, fire, flood, storm or default of supplier or subcontractors.

11. Entire Agreement; Amendments

11.1 These terms and conditions, the Quote/Proposal and all other email or oral confirmation by the Client of the Quote/proposal, shall constitute the entire agreement between the parties in connection with the subject matter hereof, and supersedes all prior agreements, understandings, negotiations and discussions, whether oral or Written, between the parties.

11.2 No amendment to or modification of these terms and conditions shall be binding unless in writing (not including email) and signed by a duly authorised representative of each party.

12. Retention Policy

12.1 The Agency has a retention policy that ensures that all project information is only retained for as long as required. Retention periods vary from 3 months to a couple of years. If you have any special requirements for data/information, relating to one of your projects, to be retained for periods different to our standard policy, this must be communicated when the project is commissioned.

ANNEX A
PERSONAL DATA PROCESSING PURPOSES AND DETAILS
Subject matter of processing:
Face Facts are a qualitative and quantitative market research fieldwork agency who provide a vast array of methodologies. The processing of personal data is provided as a service to our clients (the data controller) as relevant for the project we have been commissioned to undertake.

Duration of Processing:
Face Facts will process the data for up to 3 months after the end of the provision of the service, after which the data will be anonymised/securely deleted.

Nature of Processing:
The nature of processing could take many forms including collecting the data, retaining, combining data sets, analysis and for quality checking.

Business Purposes:
Offering a data collection and market research service for our clients to help them understand consumer opinion, customer satisfactions, service to help them offer/improve their offering to meet their research goal.

Personal Data Categories:
The categories of data collected are dependant on the specific of objective of each project. As required to meet our clients need we may collect;
– Gender
– Age
– Address
– Postcode
– Social Grade
– Ethnicity
– Other special category data (eg, religion, sexual orientation, health data etc)

Data Subject Types:
As requested by clients we research varying data subject types ie, consumer, customer, members of the public, businesses or client’s customer via client supplied sample/lists.

Authorised Persons:
External market research fieldwork interviewers & recruiters.

Approved Subcontractors:
Askia software platform (Coreix UK Data Centre,) – Coreix are ISO27001, ISO9001 and ISO14001.
Hyve Managed Hosting Data Centre (Tier 3 resilient data centre based in the UK).
AMS File Transfer – ISO27001 certified.

ANNEX B

SECURITY MEASURES

Face Facts are ISO27001 certified and are registered with the ICO registration number ZA039478. We have an Information Security Policy that covers all areas of Data Security. It is the policy of Face Facts Research to maintain an information management system designed to meet the requirements of ISO 27001:2013 in pursuit of its primary objectives, the purpose and the context of the organisation.

It is the policy of Face Facts Research to:

– make the details of our policy known to all other interested parties including external where appropriate and determine the need for communication and by what methods relevant to the business management system.

– comply with all legal requirements, codes of practice and all other requirements applicable to our activities; therefore, as a company, we are committed to satisfy applicable requirements related to information security and the continual improvement of the ISMS.

– provide all the resources of equipment, trained and competent staff and any other requirements to enable these objectives to be met.

– ensure that all employees are made aware of their individual obligations in respect of this information security policy.

– maintain a management system that will achieve these objectives and seek continual improvement in the effectiveness and performance of our management system based on “risk”.

This information security policy provides a framework for setting, monitoring, reviewing and achieving our objectives, programmes and targets. To ensure the company maintains its awareness for continuous improvement, the business management system is regularly reviewed by the Senior Management Team to ensure it remains appropriate and suitable to our business. The Business Management System is subject to both internal and external annual audits. Face Facts are also an MRS Fair Data company. This is an MRS accreditation that show companies handle their customers’ personal data fairly. A Fair Data company must meet the 12 Fair Data principles. Fair Data is a recognisable mark that enables consumers to make educated choices about their personal data. When you interact with a Fair Data organisation, you have confidence that your information is safe.