Supplier Security and Data Privacy Requirements
Introduction
Helios Global Group aims to maintain high standards of IT security and data privacy. All of our suppliers must comply with these terms, regardless of their location. Failure to comply with these terms gives Helios the right to terminate any contract with the supplier immediately and without liability. These terms are deemed to be incorporated into all contracts between Helios and its suppliers.
Part A: Information security requirements
Security programme requirements
All suppliers must:
- Develop and maintain a comprehensive written information security programme
- Implement safeguards to protect Helios confidential information and personal data
- Apply the same level of security to Helios data as they would to their own sensitive information
- Implement appropriate technical and organisational measures, including:
  - Pseudonymisation and encryption, where appropriate
  - Measures ensuring the confidentiality, integrity, availability and resilience of processing systems
  - The ability to restore data access quickly after an incident
  - Regular testing and evaluation of security controls
Training
Suppliers must:
- Ensure that all personnel with access to Helios protected data complete data privacy and security awareness training upon hiring and at least annually thereafter
- Maintain records of completed training and make these available to Helios upon request
Data transmission
When transmitting Helios data, suppliers must:
- Use only Helios-approved secure solutions
- Limit access duration to the minimum necessary time
- Implement safeguards against unauthorised access or system compromise
Compliance oversight
Suppliers must:
- Evaluate and test their security programme at least annually
- Adjust security measures based on evaluation results
- Provide Helios with security documentation upon request
Security breach handling
In the event of a security breach, suppliers must:
- Immediately remedy the breach and prevent further breaches
- Notify Helios within 24 hours of the breach by emailing privacy@heliosglobalgroup.com
- Investigate the breach, keeping documentary evidence as appropriate, and take necessary actions to rectify and prevent recurrence
- Reimburse Helios for costs incurred in responding to or mitigating the breach
- Cooperate fully with Helios in investigating and responding to the breach
- Not disclose information about the breach without prior written approval from Helios
Insurance requirements
Suppliers who process protected data or have access to Helios confidential information must maintain insurance with coverage appropriate to the nature of their business. Suppliers processing significant volumes of protected data or particularly sensitive information must maintain cyber liability insurance with coverage of at least £1m per incident. Helios may, at its sole discretion, waive these insurance requirements for suppliers who do not process protected data or have only minimal access to Helios confidential information.
By partnering with us, suppliers and contractors affirm their commitment to these principles and join us in promoting a more ethical, inclusive, and sustainable global supply chain.
Part B: Personal data processing requirements
Roles and responsibilities
When processing protected data (meaning personal data received from or on behalf of the client, or otherwise obtained in connection with the performance of the supplier’s obligations to Helios):
- Helios is the Controller and the supplier is the Processor
- Suppliers must comply with all data protection laws (meaning all applicable laws relating to data protection and privacy, including the UK General Data Protection Regulation [GDPR], EU GDPR and any applicable national implementing laws, as amended from time to time) that apply to the supplier in carrying out the services to Helios
- Suppliers must provide accurate and complete information regarding data processing
Processing instructions
Suppliers must:
- Process protected data only according to Helios instructions
- Notify Helios if laws require processing outside these instructions
- Inform Helios if they believe instructions infringe data protection laws
- Ensure that only those of its personnel who need to know Helios protected data have access to it
- Ensure that all personnel with access to Helios protected data are bound by obligations of confidentiality
Sub-processors
Suppliers must:
- Obtain specific prior written authorisation from Helios before engaging any sub-processor
- Ensure that sub-processors are bound by written contracts with equivalent obligations to these terms
- Ensure that sub-processors have appropriate skills and qualifications to perform the tasks allocated to them
- Cease using a sub-processor immediately upon written notice from Helios
- Remain liable at all times for the acts and omissions of sub-processors and their personnel
Data subject rights and assistance
Suppliers must:
- Record and promptly refer a request by a data subject (as defined by data protection laws) to Helios within 2 business days
- Provide assistance with a request by a data subject as required by Helios
- Not respond to a request by a data subject without approval from Helios
- Assist Helios with all its compliance obligations, including cooperating with security reviews and impact assessments
International data transfers
Suppliers must:
- Not transfer protected data outside the UK/EU without prior written authorisation from Helios
- Ensure that appropriate data transfer mechanisms are identified in the Statement of Work with Helios
Audits and records
Suppliers must:
- Allow and contribute to audits conducted by Helios or its customers
- Provide access to facilities, staff and systems during normal business hours
- Promptly resolve issues discovered during audits
- Pay Helios reasonable costs of audits that reveal material non-compliance
Data breach notification
Suppliers must:
- Notify Helios at privacy@heliosglobalgroup.com of any personal data breach within 24 hours
- Provide detailed information about the breach within 48 hours of the breach occurring, explaining the nature of the breach, numbers of data subjects affected, likely consequences and measures taken
- Give regular updates if complete details are not immediately available
Data return or deletion
Suppliers must:
- Securely destroy or delete protected data within 10 business days of the last date on which processing is required for providing services to Helios
- Return data in the format requested by Helios within 5 days, if requested
- Confirm compliance with Helios's deletion/return requirements
- Ensure that secure deletion methods are used
Breach consequences
Any breach of these terms is considered to be an irremediable material breach, allowing Helios to:
- Suspend disclosure of protected data until rectified
- Terminate the contract for cause
All obligations under these terms must be performed at the supplier’s own cost.
Any disputes in relation to these terms will be governed by the laws of England and Wales and determined by the courts of England and Wales.
© Helios Global Group Version 1.0 October 2025