Privacy of Customer Information Company Customer Information in the possession of the Agent, other than information independently obtained by the Agent and not derived in any manner from or using information obtained under or in connection with this Agreement, is and shall remain confidential and proprietary information of the Companies. Except in accordance with this Section 10.10, the Agent shall not use any Company Customer Information for any purpose, including the marketing of products or services to, or the solicitation of business from, Customers, or disclose any Company Customer Information to any Person, including any of the Agent’s employees, agents or contractors or any third party not affiliated with the Agent. The Agent may use or disclose Company Customer Information only to the extent necessary (i) for examination and audit of the Agent’s activities, books and records by the Agent’s regulatory authorities, (ii) to protect or exercise the Agent’s, the Custodian’s and the Lenders’ rights and privileges or (iii) to carry out the Agent’s, the Custodian’s and the Lenders’ express obligations under this Agreement and the other Facilities Papers (including providing Company Customer Information to Approved Investors), and for no other purpose; provided that the Agent may also use and disclose the Company Customer Information as expressly permitted by the relevant Company in writing, to the extent that such express permission is in accordance with the Privacy Requirements. The Agent shall take commercially reasonable steps to ensure that each Person to which the Agent intends to disclose Company Customer Information, before any such disclosure of information, agrees to keep confidential any such Company Customer Information and to use or disclose such Company Customer Information only to the extent necessary to protect or exercise the Agent’s, the Custodian’s and the Lenders’ rights and privileges, or to carry out the Agent’s, the Custodian’s and the Lenders’ express obligations, under this Agreement and the other Facilities Papers (including providing Company Customer Information to Approved Investors). The Agent agrees to maintain an Information Security Program and to assess, manage and control risks relating to the security and confidentiality of Company Customer Information pursuant to such program in the same manner as the Agent does so in respect of their own customers’ information, and shall implement the standards relating to such risks in the manner set forth in the Interagency Guidelines Establishing Standards for Safeguarding Company Customer Information set forth in 12 CFR Parts 30, 208, 211, 225, 263, 308, 364, 568 and 570. Without limiting the scope of the foregoing sentence, the Agent shall use at least the same physical and other security measures to protect all Company Customer Information in the Agent’s possession or control as the Agent uses for their own customers’ confidential and proprietary information.
Customer Data 6.1 The Customer shall own all right, title and interest in and to all the Customer Data that is not personal data and shall have sole responsibility for the legality, reliability, integrity, accuracy and quality of all such Customer Data.
6.2 The Supplier shall follow its archiving procedures for Customer Data as set out in its Back-Up Policy. In the event of any loss or damage to Customer Data, the Customer's sole and exclusive remedy against the Supplier shall be for the Supplier to use reasonable commercial endeavours to restore the lost or damaged Customer Data from the latest back-up of such Customer Data maintained by the Supplier in accordance with the archiving procedure described in its Back-Up Policy. The Supplier shall not be responsible for any loss, destruction, alteration or disclosure of Customer Data caused by any third party (except those third parties sub-contracted by the Supplier to perform services related to Customer Data maintenance and back-up for which it shall remain fully liable under clause 6.9).
6.3 The Supplier shall, in providing the Services, comply with its Privacy and Security Policy relating to the privacy and security of the Customer Data available at ▇▇▇.▇▇▇▇▇▇▇▇▇▇▇.▇▇.▇▇ or such other website address as may be notified to the Customer from time to time, as such document may be amended from time to time by the Supplier in its sole discretion.
6.4 Both parties will follow all applicable requirements of the Data Protection Legislation. This clause 6 is in addition to, and does not relieve, remove or replace, a party's obligations under the Data Protection Legislation.
6.5 The parties acknowledge that:
(a) if the Supplier processes any personal data on the Customer's behalf when performing its obligations under this agreement, the Customer is the data controller and the Supplier is the data processor for the purposes of the Data Protection Legislation (where Data Controller and Data Processor have the meanings as defined in the Data Protection Legislation).
(b) the Customer acknowledges and agrees that the personal data may be transferred or stored outside the EEA or the country where the Customer and the Authorised Users are located to carry out the Services and the Supplier's other obligations under this agreement. If personal data is transferred or stored outside the UK, appropriate safeguards in accordance with UK GDPR, such as Standard Contractual Clauses approved by the UK Information Commissioner's Office (ICO), will be implemented to ensure compliance with UK data protection laws.
6.6 Without prejudice to the generality of clause 6.1, the Customer will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the Personal Data to the Supplier for the duration and purposes of this agreement so that the Supplier may lawfully use, process and transfer the Personal Data in accordance with this agreement on the Customer's behalf.
6.7 Without prejudice to the generality of clause 6.1, the Supplier shall, in relation to any Personal Data processed in connection with the performance by the Supplier of its obligations under this agreement:
(a) Process that Personal Data only on the written instructions of the Customer, unless the Supplier is required by the laws of the United Kingdom, the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, or any applicable international laws to process Personal Data (Applicable Laws). In instances where the Supplier's data processing activities are subject to the laws of a member of the European Union due to cross-border operations or data transfers, and where such laws necessitate processing actions divergent from the Customer's instructions, the Supplier shall promptly notify the Customer of this requirement before commencing the processing required by the Applicable Laws, unless prohibited by those laws from providing such notification;
(b) Not transfer any Personal Data outside of the United Kingdom or to any country not deemed to have adequate data protection laws by the UK Information Commissioner's Office (ICO), unless the following conditions are fulfilled:
(i) the Customer or the Supplier has provided appropriate safeguards in relation to the transfer such as Standard Contractual Clauses (SCCs) specifically adapted for the data transfer requirements under the UK GDPR, or any future UK adequacy decisions. When transferring personal data outside the UK, the Supplier will ensure the use of Standard Contractual Clauses approved by the UK Information Commissioner's Office (ICO), or ensure that the destination country has been deemed to provide an adequate level of protection for personal data by the UK government;
(ii) the data subject has enforceable rights and effective legal remedies in accordance with the UK GDPR and the Data Protection Act 2018;
(iii) the Supplier ensures compliance with the UK Data Protection Legislation by providing an adequate level of protection to any Personal Data transferred, including adhering to any additional requirements set forth by the UK Information Commissioner's Office (ICO); and
(iv) the Supplier complies with reasonable instructions notified to it in advance by the Customer with respect to the processing of the Personal Data;
(c) assist the Customer, at the Customer's cost, in responding to any request from a Data Subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators;
(d) notify the ICO within 72 hours of becoming aware of a data breach. Where the breach is likely to result in a high risk to the rights and freedoms of natural persons, notify the affected data subjects without undue delay.;
(e) at the written direction of the Customer, delete or return Personal Data and copies thereof to the Customer on termination of the agreement unless required by Applicable Law to store the Personal Data; and
(f) maintain complete and accurate records and information to demonstrate its compliance with this clause 6.
6.8 Each party shall ensure that it has in place appropriate technical and organisational measures to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymisation and encr ypting Personal Data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it).
6.9 The Supplier will ensure that any sub-contractors appointed to process personal data on behalf of the Customer are subject to written agreements that require them to process such data only on documented instructions from the Customer and in full compliance with the requirements of the UK GDPR, particularly Article 28. The Supplier confirms that it has entered or (as the case may be) will enter with the third- party processor into a written agreement substantially on that third party's standard terms of business. As between the Customer and the Supplier, the Supplier shall remain fully liable for all acts or omissions of any third-party processor appointed by it pursuant to this clause 6. Full details of all third parties providing such services to the Supplier and who are processing Personal data under this agreement are available upon request.
6.10 The Supplier will update its Privacy Policy to reflect any changes in sub-processors or the addition of new sub-processors. It is the responsibility of the Customer to regularly review the Privacy Policy to stay informed of such changes.
6.11 The Customer acknowledges and agrees that the Supplier relies on third-party services for the hosting and processing of Customer Data pursuant to this agreement. Specifically, Amazon Web Services (AWS) is utilised as the primary infrastructure provider due to its robust data security measures and adherence to data protection legislation relevant to our operations. For comprehensive details regarding the use of AWS, including the location of data centres and the specific security and compliance measures in place, refer to Schedule 2 of this agreement. This schedule outlines how data storage and processing activities through AWS are conducted in strict conformity with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, ensuring the highest standards of data protection and security are maintained.
6.12 The Supplier will ensure that any use of Customer Data in aggregated and anonymised form is done in a manner that fully ensures such data cannot be re-identified, adhering to the standards of anonymisation defined under the UK GDPR.
6.13 The supplier will assist the customer in ensuring compliance with the data subject rights under the Data Protection Legislation, including but not limited to rights of access, correction, deletion, and data portability.
6.14 The customer shall have the right to conduct an audit of the supplier's data processing activities related to this agreement once per year to ensure compliance with Data Protection Legislation and the terms of this agreement. Such audit shall be conducted at the customers expense, with reasonable prior notice, and shall not unreasonably interfere with the supplier's business operations
6.15 Any revisions to this clause related to data protection will be made in compliance with the latest data protection legislation and best practices, ensuring the protection of data subjects' rights. The Customer will be notified at least 30 days in advance of any such changes, which will only be implemented with the Customer's consent if they materially alter the data protection obligations of the parties.