Assistance to the Data Controller. 1. Taking into account the nature of the processing, the Data Processor shall assist the Data Controller as far as possible by appropriate technical and organisational measures in compliance with the Data Controller's obligation to respond to requests for the exercise of data subjects' rights as set out in Chapter III of the GDPR. This means that, to the extent possible, the Data Processor must assist the Data Controller in complying with:
a. the duty to inform the data subject when personal data is collected from the data subject;
b. the duty to inform the data subject if personal data has not been obtained from the data subject;
c. the right of access;
d. the right of rectification;
e. the right of erasure ("the right to be forgotten");
f. the right to restriction of processing;
g. the duty to inform in connection with the correction or deletion of personal data or restriction of processing;
h. the right to data portability;
i. the right to object;
j. the right not to be the subject of a decision based solely on automatic processing, including profiling
2. Taking into account the nature of the processing and the information available to the Data Processor, the Data Processor shall also assist the Data Controller with the following:
a. the obligation of the Data Controller to report the breach of personal data security to the competent supervisory authority, without undue delay and, if possible, no later than 72 hours after the breach, unless it is unlikely that the breach of personal data security poses a risk to natural persons' rights or freedoms
b. the obligation of the Data Controller to notify the data subject of a breach of personal data security without undue delay when the breach is likely to entail a high risk to the rights and freedoms of natural persons
c. the obligation of the Data Controller to carry out an analysis of the consequences of the intended processing activities for the protection of personal data prior to processing (impact assessment)
d. the Data Controller's obligation to consult the competent supervisory authority, before processing if an impact analysis regarding data protection shows that the processing will lead to a high risk in the absence of measures taken by the Data Controller to limit said risk.
3. The Parties shall set out in Annex C the necessary technical and organisational measures with which the Data Processor is to assist the Data Controller, as well as the extent of these. This applies to the obligations that follow from Provisions 8.1. and 8.2.
Appears in 1 contract
Sources: Data Processing Agreement
Assistance to the Data Controller. 1. The Data Processor, taking into account the nature of the processing, shall, as far as possible, assist the Data Controller with appropriate technical and organisational measures, in the fulfilment of the Data Controller’s obligations to respond to requests for the exercise of the data subjects’ rights pursuant to Chapter 3 of the General Data Protection Regulation.
2. The Data Processor shall assist the Data Controller in ensuring compliance with the Data Controller’s obligations pursuant to Articles 32-36 of the General Data Protection Regulation taking into account the nature of the processing and the data made available to the Data Processor, cf. Article 28, sub-section 3, para f. This entails that the Data Processor should, taking into account the nature of the processing, as far as possible assist the Data Controller in the Data Controller’s compliance with:
a. the obligation to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk associated with the processing
b. the obligation to report personal data breaches to the competent supervisory authority (Danish Data Protection Agency) without undue delay and, if possible, within 72 hours of the Data Controller discovering such breach unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons
c. the obligation – without undue delay – to communicate the personal data breach to the data subject when such breach is likely to result in a high risk to the rights and freedoms of natural persons
d. the obligation to carry out a data protection impact assessment if a type of processing is likely to result in a high risk to the rights and freedoms of natural persons
e. the obligation to consult with the supervisory authority (Danish Data Protection Agency) prior to processing if a data protection impact assessment shows that the processing will lead to a high risk in the lack of measures taken by the Data Controller to limit said risk.
3. The Parties shall set out in Annex C the necessary technical and organisational measures with which the Data Processor is to assist the Data Controller, as well as the extent of these. This applies to the obligations that follow from Provisions 8.1. and 8.2.
Appears in 1 contract
Sources: Data Processing Agreement
Assistance to the Data Controller. 1. The Data Processor, taking into account the nature of the processing, shall, as far as possible, assist the Data Controller with appropriate technical and organisational measures, in the fulfilment of the Data Controller’s obligations to respond to requests for the exercise of the data subjects’ rights pursuant to Chapter 3 of the General Data Protection Regulation.
2. The Data Processor shall assist the Data Controller in ensuring compliance with the Data Controller’s obligations pursuant to Articles 32-36 of the General Data Protection Regulation taking into account the nature of the processing and the data made available to the Data Processor, cf. Article 28, sub-section 3, para f. This entails that the Data Processor should, taking into account the nature of the processing, as far as possible assist the Data Controller in the Data Controller’s compliance with:
a. the obligation to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk associated with the processing
b. the obligation to report personal data breaches to the competent supervisory authority (Danish Data Protection Agency) without undue delay and, if possible, within 72 hours of the Data Controller discovering such breach unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons
c. the obligation – without undue delay – to communicate the personal data breach to the data subject when such breach is likely to result in a high risk to the rights and freedoms of natural persons
d. the obligation to carry out a data protection impact assessment if a type of processing is likely to result in a high risk to the rights and freedoms of natural persons
e. the obligation to consult with the supervisory authority (Danish Data Protection Agency) prior to processing if a data protection impact assessment shows that the processing will lead to a high risk in the lack of measures taken by the Data Controller to limit said risk.
3. The Parties shall set out in Annex C the necessary technical and organisational measures with which the Data Processor is to assist the Data Controller, as well as the extent of these. This applies to the obligations that follow from Provisions 8.1. and 8.2.
Appears in 1 contract
Sources: Data Processing Agreement