Audit Obligations. (1) Supplier shall document and, upon request, prove to Company (at Company's expense) Supplier’s compliance with the obligations agreed upon in this DPA by appropriate methods, provided that Company shall not issue such a request more than once per year. Company and Supplier agree that documentation and proof can be submitted through the production of the following documentation and/or certifications:
- conducting a self-audit
- internal compliance regulations including external proof of compliance with these regulations
- certifications on data protection and/or information security (e.g. ISO 27001)
- codes of conduct approved in accordance with Article 40 of the GDPR
- certifications in accordance with Article 42 of the GDPR.
(2) To the extent (i) that Company can prove that the information provided by Supplier according to Section 6.1 is not sufficient to enable Company to carry out data protection impact assessments as required by law, and (ii) that Supplier is required under GDPR, Company may (at its own expense), upon reasonable and timely advance notice, during regular business hours, without interrupting Supplier’s business operations, and not more than once a year, conduct an on-site inspection of Supplier’s DPA-relevant business operations or have the same conducted by a qualified third party which shall not be a competitor of Supplier. Supplier may request that such on-site inspections are subject to (i) Company’s prior written confirmation to bear all of Supplier’s costs related to such on-site inspections, and (ii) the execution of a confidentiality statement, protecting the data of other customers of Supplier and the confidentiality of the technical and organizational measures and safeguards implemented by Supplier.
Appears in 2 contracts
Sources: Data Processing Agreement, Data Processing Agreement
Audit Obligations. (1) Supplier shall document and, upon request, prove to Company (at Company's expense) Supplier’s compliance with the obligations agreed upon in this DPA by appropriate methods, provided that Company shall not issue such a request more than once per year. Company and Supplier agree that documentation and proof can be submitted through the production of the following documentation and/or certifications:
- conducting a self-audit
- internal compliance regulations including external proof of compliance with these regulations
- certifications on data protection and/or information security (e.g. ISO 27001)
- codes of conduct approved in accordance with Article 40 of the GDPR
- certifications in accordance with Article 42 of the GDPR.
(2) To the extent (i) that Company can prove that the information provided by Supplier according to Section 6.1 is not sufficient to enable Company to carry out data protection impact assessments as required by law, and (ii) that Supplier is required under GDPR, Company may (at its own expense), upon reasonable and timely advance notice, during regular business hours, without interrupting Supplier’s business operations, and not more than once a year, conduct an on-site inspection of Supplier’s DPA-relevant business operations or have the same conducted by a qualified third party which shall not be a competitor of Supplier. Supplier may request that such on-site inspections are subject to (i) Company’s prior written confirmation to bear all of Supplier’s costs related to such on-site inspections, and (ii) the execution of a confidentiality statement, protecting the data of other customers of Supplier and the confidentiality of the technical and organizational measures and safeguards implemented by Supplier.
Appears in 1 contract
Sources: End User License Agreement