Common use of Customer Data Clause in Contracts

Customer Data. 6.1 The Customer shall own all right, title and interest in and to all the Customer Data that is not personal data and shall have sole responsibility for the legality, reliability, integrity, accuracy and quality of all such Customer Data. 6.2 The Supplier shall follow its archiving procedures for Customer Data as set out in its Back-Up Policy. In the event of any loss or damage to Customer Data, the Customer's sole and exclusive remedy against the Supplier shall be for the Supplier to use reasonable commercial endeavours to restore the lost or damaged Customer Data from the latest back-up of such Customer Data maintained by the Supplier in accordance with the archiving procedure described in its Back-Up Policy. The Supplier shall not be responsible for any loss, destruction, alteration or disclosure of Customer Data caused by any third party (except those third parties sub-contracted by the Supplier to perform services related to Customer Data maintenance and back-up for which it shall remain fully liable under clause 6.9). 6.3 The Supplier shall, in providing the Services, comply with its Privacy and Security Policy relating to the privacy and security of the Customer Data available at ▇▇▇.▇▇▇▇▇▇▇▇▇▇▇.▇▇.▇▇ or such other website address as may be notified to the Customer from time to time, as such document may be amended from time to time by the Supplier in its sole discretion. 6.4 Both parties will follow all applicable requirements of the Data Protection Legislation. This clause 6 is in addition to, and does not relieve, remove or replace, a party's obligations under the Data Protection Legislation. 
6.5 The parties acknowledge that: (a) if the Supplier processes any personal data on the Customer's behalf when performing its obligations under this agreement, the Customer is the data controller and the Supplier is the data processor for the purposes of the Data Protection Legislation (where Data Controller and Data Processor have the meanings as defined in the Data Protection Legislation). (b) the Customer acknowledges and agrees that the personal data may be transferred or stored outside the EEA or the country where the Customer and the Authorised Users are located to carry out the Services and the Supplier's other obligations under this agreement. If personal data is transferred or stored outside the UK, appropriate safeguards in accordance with UK GDPR, such as Standard Contractual Clauses approved by the UK Information Commissioner's Office (ICO), will be implemented to ensure compliance with UK data protection laws. 6.6 Without prejudice to the generality of clause 6.1, the Customer will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the Personal Data to the Supplier for the duration and purposes of this agreement so that the Supplier may lawfully use, process and transfer the Personal Data in accordance with this agreement on the Customer's behalf. 6.7 Without prejudice to the generality of clause 6.1, the Supplier shall, in relation to any Personal Data processed in connection with the performance by the Supplier of its obligations under this agreement: (a) Process that Personal Data only on the written instructions of the Customer, unless the Supplier is required by the laws of the United Kingdom, the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, or any applicable international laws to process Personal Data (Applicable Laws). 
In instances where the Supplier's data processing activities are subject to the laws of a member of the European Union due to cross-border operations or data transfers, and where such laws necessitate processing actions divergent from the Customer's instructions, the Supplier shall promptly notify the Customer of this requirement before commencing the processing required by the Applicable Laws, unless prohibited by those laws from providing such notification; (b) Not transfer any Personal Data outside of the United Kingdom or to any country not deemed to have adequate data protection laws by the UK Information Commissioner's Office (ICO), unless the following conditions are fulfilled: (i) the Customer or the Supplier has provided appropriate safeguards in relation to the transfer such as Standard Contractual Clauses (SCCs) specifically adapted for the data transfer requirements under the UK GDPR, or any future UK adequacy decisions. When transferring personal data outside the UK, the Supplier will ensure the use of Standard Contractual Clauses approved by the UK Information Commissioner's Office (ICO), or ensure that the destination country has been deemed to provide an adequate level of protection for personal data by the UK government; (ii) the data subject has enforceable rights and effective legal remedies in accordance with the UK GDPR and the Data Protection Act 2018; (iii) the Supplier ensures compliance with the UK Data Protection Legislation by providing an adequate level of protection to any Personal Data transferred, including adhering to any additional requirements set forth by the UK Information Commissioner's Office (ICO); and (iv) the Supplier complies with reasonable instructions notified to it in advance by the Customer with respect to the processing of the Personal Data; (c) assist the Customer, at the Customer's cost, in responding to any request from a Data Subject and in ensuring compliance with its obligations under the Data Protection 
Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators; (d) notify the ICO within 72 hours of becoming aware of a data breach. Where the breach is likely to result in a high risk to the rights and freedoms of natural persons, notify the affected data subjects without undue delay; (e) at the written direction of the Customer, delete or return Personal Data and copies thereof to the Customer on termination of the agreement unless required by Applicable Law to store the Personal Data; and (f) maintain complete and accurate records and information to demonstrate its compliance with this clause 6. 6.8 Each party shall ensure that it has in place appropriate technical and organisational measures to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymisation and encrypting Personal Data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it). 6.9 The Supplier will ensure that any sub-contractors appointed to process personal data on behalf of the Customer are subject to written agreements that require them to process such data only on documented instructions from the Customer and in full compliance with the requirements of the UK GDPR, particularly Article 28.
The Supplier confirms that it has entered or (as the case may be) will enter with the third-party processor into a written agreement substantially on that third party's standard terms of business. As between the Customer and the Supplier, the Supplier shall remain fully liable for all acts or omissions of any third-party processor appointed by it pursuant to this clause 6. Full details of all third parties providing such services to the Supplier and who are processing Personal data under this agreement are available upon request. 6.10 The Supplier will update its Privacy Policy to reflect any changes in sub-processors or the addition of new sub-processors. It is the responsibility of the Customer to regularly review the Privacy Policy to stay informed of such changes. 6.11 The Customer acknowledges and agrees that the Supplier relies on third-party services for the hosting and processing of Customer Data pursuant to this agreement. Specifically, Amazon Web Services (AWS) is utilised as the primary infrastructure provider due to its robust data security measures and adherence to data protection legislation relevant to our operations. For comprehensive details regarding the use of AWS, including the location of data centres and the specific security and compliance measures in place, refer to Schedule 2 of this agreement. This schedule outlines how data storage and processing activities through AWS are conducted in strict conformity with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, ensuring the highest standards of data protection and security are maintained. 6.12 The Supplier will ensure that any use of Customer Data in aggregated and anonymised form is done in a manner that fully ensures such data cannot be re-identified, adhering to the standards of anonymisation defined under the UK GDPR.
6.13 The supplier will assist the customer in ensuring compliance with the data subject rights under the Data Protection Legislation, including but not limited to rights of access, correction, deletion, and data portability. 6.14 The customer shall have the right to conduct an audit of the supplier's data processing activities related to this agreement once per year to ensure compliance with Data Protection Legislation and the terms of this agreement. Such audit shall be conducted at the customer's expense, with reasonable prior notice, and shall not unreasonably interfere with the supplier's business operations. 6.15 Any revisions to this clause related to data protection will be made in compliance with the latest data protection legislation and best practices, ensuring the protection of data subjects' rights. The Customer will be notified at least 30 days in advance of any such changes, which will only be implemented with the Customer's consent if they materially alter the data protection obligations of the parties.

Appears in 2 contracts

Sources: Service Agreement, Service Agreement

Customer Data. 6.1 The Customer shall own all right, title and interest in and to all the Customer Data that is not personal data and shall have sole responsibility for the legality, reliability, integrity, accuracy and quality of all such Customer Data. 6.2 The Supplier shall follow its archiving procedures for Customer Data as set out in its [Back-Up Policy] available at ▇▇▇▇▇://▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇.▇▇▇▇▇▇▇▇▇.▇▇▇/support/home or such other website address as may be notified to the Customer from time to time], as such document may be amended by the Supplier in its sole discretion from time to time. In the event of any loss or damage to Customer Data, the Customer's ’s sole and exclusive remedy against the Supplier shall be for the Supplier to use reasonable commercial endeavours to restore the lost or damaged Customer Data from the latest back-up of such Customer Data maintained by the Supplier in accordance with the archiving procedure described in its [Back-Up Policy]. The Supplier shall not be responsible for any loss, destruction, alteration or disclosure of Customer Data caused by any third party (except those third parties sub-contracted by the Supplier to perform services related to Customer Data maintenance and back-up for which it shall remain fully liable under clause 6.9up). 6.3 6.2 The Supplier shall, in providing the Services, comply with its [Privacy and Security Policy Policy] relating to the privacy and security of the Customer Data available at ▇▇▇.▇▇://▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇.▇▇▇▇▇▇▇▇▇.▇▇▇/support/home or such other website address as may be notified to the Customer from time to time, as such document may be amended from time to time by the Supplier in its sole discretion. 6.4 Both parties will follow all applicable requirements of the Data Protection Legislation. This clause 6 is in addition to, and does not relieve, remove or replace, a party's obligations under the Data Protection Legislation. 
6.5 The parties acknowledge that: (a) if 6.3 If the Supplier processes any personal data on the Customer's ’s behalf when performing its obligations under this agreementFramework Agreement, the Parties record their intention that the Customer is shall be the data controller and the Supplier is the shall be a data processor for the purposes of the Data Protection Legislation (where Data Controller and Data Processor have the meanings as defined in the Data Protection Legislation).any such case: (b) the 6.3.1 The Customer acknowledges and agrees that the personal data may be transferred or stored outside the EEA or the country where the Customer and the Authorised Users are located in order to carry out the Services and the Supplier's ’s other obligations under this agreement. If Framework Agreement; 6.3.2 The Customer shall ensure that the Customer is entitled to transfer the relevant personal data is transferred or stored outside the UK, appropriate safeguards in accordance with UK GDPR, such as Standard Contractual Clauses approved by the UK Information Commissioner's Office (ICO), will be implemented to ensure compliance with UK data protection laws. 
6.6 Without prejudice to the generality of clause 6.1, the Customer will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the Personal Data to the Supplier for the duration and purposes of this agreement so that the Supplier may lawfully use, process and transfer the Personal Data personal data in accordance with this agreement Framework Agreement on the Customer's ’s behalf.; 6.7 Without prejudice to 6.3.3 the generality of clause 6.1Customer shall ensure that the relevant third parties have been informed of, the Supplier shalland have given their consent to, in relation to any Personal Data processed in connection with the performance by the Supplier of its obligations under this agreement: (a) Process that Personal Data only on the written instructions of the Customersuch use, unless the Supplier is processing, and transfer as required by the laws of the United Kingdom, the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, or any all applicable international laws to process Personal Data (Applicable Laws). 
In instances where the Supplier's data processing activities are subject to the laws of a member of the European Union due to cross-border operations or data transfers, and where such laws necessitate processing actions divergent from the Customer's instructions, protection legislation; 6.3.4 the Supplier shall promptly notify process the Customer of this requirement before commencing the processing required by the Applicable Laws, unless prohibited by those laws from providing such notification; (b) Not transfer any Personal Data outside of the United Kingdom or to any country not deemed to have adequate data protection laws by the UK Information Commissioner's Office (ICO), unless the following conditions are fulfilled: (i) the Customer or the Supplier has provided appropriate safeguards in relation to the transfer such as Standard Contractual Clauses (SCCs) specifically adapted for the data transfer requirements under the UK GDPR, or any future UK adequacy decisions. When transferring personal data outside the UK, the Supplier will ensure the use of Standard Contractual Clauses approved by the UK Information Commissioner's Office (ICO), or ensure that the destination country has been deemed to provide an adequate level of protection for personal data by the UK government; (ii) the data subject has enforceable rights and effective legal remedies only in accordance with the UK GDPR terms of this Framework Agreement and the Data Protection Act 2018; (iii) the Supplier ensures compliance with the UK Data Protection Legislation by providing an adequate level of protection to any Personal Data transferred, including adhering to any additional requirements set forth lawful instructions reasonably given by the UK Information Commissioner's Office (ICO)Customer from time to time; and (iv) the Supplier complies with reasonable instructions notified to it in advance by the Customer with respect to the processing of the Personal Data; (c) assist the Customer, at the 
Customer's cost, in responding to any request from a Data Subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators; (d) notify the ICO within 72 hours of becoming aware of a data breach. Where the breach is likely to result in a high risk to the rights and freedoms of natural persons, notify the affected data subjects without undue delay; (e) at the written direction of the Customer, delete or return Personal Data and copies thereof to the Customer on termination of the agreement unless required by Applicable Law to store the Personal Data; and (f) maintain complete and accurate records and information to demonstrate its compliance with this clause 6. 6.8 Each party 6.3.5 each Party shall ensure that it has in place take appropriate technical and organisational measures to protect against unauthorised or unlawful processing of Personal Data and against accidental loss the personal data or destruction of, or damage to, Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or its accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymisation and encrypting Personal Data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it)damage.
6.9 The Supplier will ensure that any sub-contractors appointed to process personal data on behalf of the Customer are subject to written agreements that require them to process such data only on documented instructions from the Customer and in full compliance with the requirements of the UK GDPR, particularly Article 28. The Supplier confirms that it has entered or (as the case may be) will enter with the third-party processor into a written agreement substantially on that third party's standard terms of business. As between the Customer and the Supplier, the Supplier shall remain fully liable for all acts or omissions of any third-party processor appointed by it pursuant to this clause 6. Full details of all third parties providing such services to the Supplier and who are processing Personal data under this agreement are available upon request. 6.10 The Supplier will update its Privacy Policy to reflect any changes in sub-processors or the addition of new sub-processors. It is the responsibility of the Customer to regularly review the Privacy Policy to stay informed of such changes. 6.11 The Customer acknowledges and agrees that the Supplier relies on third-party services for the hosting and processing of Customer Data pursuant to this agreement. Specifically, Amazon Web Services (AWS) is utilised as the primary infrastructure provider due to its robust data security measures and adherence to data protection legislation relevant to our operations. For comprehensive details regarding the use of AWS, including the location of data centres and the specific security and compliance measures in place, refer to Schedule 2 of this agreement. This schedule outlines how data storage and processing activities through AWS are conducted in strict conformity with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, ensuring the highest standards of data protection and security are maintained.
6.12 The Supplier will ensure that any use of Customer Data in aggregated and anonymised form is done in a manner that fully ensures such data cannot be re-identified, adhering to the standards of anonymisation defined under the UK GDPR. 6.13 The supplier will assist the customer in ensuring compliance with the data subject rights under the Data Protection Legislation, including but not limited to rights of access, correction, deletion, and data portability. 6.14 The customer shall have the right to conduct an audit of the supplier's data processing activities related to this agreement once per year to ensure compliance with Data Protection Legislation and the terms of this agreement. Such audit shall be conducted at the customer's expense, with reasonable prior notice, and shall not unreasonably interfere with the supplier's business operations. 6.15 Any revisions to this clause related to data protection will be made in compliance with the latest data protection legislation and best practices, ensuring the protection of data subjects' rights. The Customer will be notified at least 30 days in advance of any such changes, which will only be implemented with the Customer's consent if they materially alter the data protection obligations of the parties.

Appears in 1 contract

Sources: Master Services Agreement

Customer Data. 6.1 1.4.1. The Customer shall own all right, title and interest in and to all of the Customer Data that is not personal data Personal Data and shall have sole responsibility for the legality, reliability, integrity, accuracy and quality of all such Customer Data. 6.2 The Supplier shall follow its archiving procedures for Customer Data as set out in its Back-Up Policy1.4.2. In the event of any loss or damage to Customer DataData caused by the Supplier, the Customer's sole and exclusive remedy against the Supplier shall be for the Supplier to use reasonable commercial endeavours to restore the lost or damaged Customer Data from the latest back-up of such Customer Data maintained by the Supplier in accordance with the archiving procedure described in its Back-Up PolicySupplier. The Supplier shall not be responsible for any loss, destruction, alteration or disclosure of Customer Data caused by any third party (except those third parties sub-contracted by the Supplier to perform services related to Customer Data maintenance and back-up for which it shall remain fully liable under clause 6.9).party 6.3 The Supplier shall, in providing the Services, comply with its Privacy and Security Policy relating to the privacy and security of the Customer Data available at ▇▇▇.▇▇▇▇▇▇▇▇▇▇▇.▇▇.▇▇ or such other website address as may be notified to the Customer from time to time, as such document may be amended from time to time by the Supplier in its sole discretion. 6.4 1.5.1. Both parties will follow comply with all applicable requirements of the Data Protection Legislation. This clause 6 Schedule 2, paragraph 1.4 is in addition to, and does not relieve, remove or replace, a party's obligations under the Data Protection Legislation. 6.5 1.5.2. 
The parties acknowledge that: (ai) if the Supplier processes any personal data Personal Data on the Customer's behalf when performing its obligations under this agreement, the Customer is the data controller Data Controller and the Supplier is the data processor Data Processor for the purposes of the Data Protection Legislation (where Data Controller and Data Processor have the meanings as defined in the Data Protection Legislation). (bii) Schedule 3 sets out the Customer acknowledges scope, nature and agrees that purpose of processing by the personal data Supplier, the duration of the processing and the types of Personal Data and categories of Data Subject. iii) subject to Schedule 2, paragraph 1.5.4.ii), the Personal Data may be transferred or stored outside the EEA or the country where the Customer and the Authorised Users are located in order to carry out the Services and the Supplier's other obligations under this agreement. If personal data is transferred or stored outside the UK, appropriate safeguards in accordance with UK GDPR, such as Standard Contractual Clauses approved by the UK Information Commissioner's Office (ICO), will be implemented to ensure compliance with UK data protection laws. 6.6 1.5.3. Without prejudice to the generality of clause 6.1Schedule 2, paragraph 1.5, the Customer will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the Personal Data to the Supplier for the duration and purposes of this agreement so that the Supplier may lawfully use, process and transfer the Personal Data in accordance with this agreement on the Customer's behalf. 6.7 1.5.4. 
Without prejudice to the generality of clause 6.1Schedule 2, paragraph 1.5, the Supplier shall, in relation to any Personal Data processed in connection with the performance by the Supplier of its obligations under this agreement: (ai) Process process that Personal Data only on the written instructions of the Customer, Customer unless the Supplier is required by the laws of any member of the United Kingdom, European Union or by the UK General Data Protection Regulation (UK GDPR), laws of the Data Protection Act 2018, or any European Union applicable international laws to the Supplier to process Personal Data (Applicable Laws). In instances where Where the Supplier's data processing activities are subject to the Supplier is relying on laws of a member of the European Union due to cross-border operations or data transfers, and where such laws necessitate European Union law as the basis for processing actions divergent from the Customer's instructionsPersonal Data, the Supplier shall promptly notify the Customer of this requirement before commencing performing the processing required by the Applicable Laws, Laws unless prohibited by those laws Applicable Laws prohibit the Supplier from providing such notificationso notifying the Customer; (bii) Not not transfer any Personal Data outside of the European Economic Area and the United Kingdom or to any country not deemed to have adequate data protection laws by the UK Information Commissioner's Office (ICO), unless the following conditions are fulfilled: (ia) the Customer or and/or the Supplier has provided appropriate safeguards in relation to the transfer such as Standard Contractual Clauses (SCCs) specifically adapted for the data transfer requirements under the UK GDPR, or any future UK adequacy decisions. 
When transferring personal data outside the UK, the Supplier will ensure the use of Standard Contractual Clauses approved by the UK Information Commissioner's Office (ICO), or ensure that the destination country has been deemed to provide an adequate level of protection for personal data by the UK governmenttransfer; (iib) the data subject Data Subject has enforceable rights and effective legal remedies in accordance with the UK GDPR and the Data Protection Act 2018remedies; (iiic) the Supplier ensures compliance complies with its obligations under the UK Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred, including adhering to any additional requirements set forth by the UK Information Commissioner's Office (ICO); and (ivd) the Supplier complies with reasonable instructions notified to it in advance by the Customer with respect to the processing of the Personal Data; (c; iii) assist the Customer, at the Customer's cost, in responding to any request from a Data Subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators; (d) notify the ICO within 72 hours of becoming aware of a data breach. Where the breach is likely to result in a high risk to the rights and freedoms of natural persons, notify the affected data subjects without undue delay; (e) at the written direction of the Customer, delete or return Personal Data and copies thereof to the Customer on termination of the agreement unless required by Applicable Law to store the Personal Data; and (f) maintain complete and accurate records and information to demonstrate its compliance with this clause 6.
6.8 Each party shall ensure that it has in place appropriate technical and organisational measures to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymisation and encrypting Personal Data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it). 6.9 The Supplier will ensure that any sub-contractors appointed to process personal data on behalf of the Customer are subject to written agreements that require them to process such data only on documented instructions from the Customer and in full compliance with the requirements of the UK GDPR, particularly Article 28. The Supplier confirms that it has entered or (as the case may be) will enter with the third-party processor into a written agreement substantially on that third party's standard terms of business. As between the Customer and the Supplier, the Supplier shall remain fully liable for all acts or omissions of any third-party processor appointed by it pursuant to this clause 6. Full details of all third parties providing such services to the Supplier and who are processing Personal data under this agreement are available upon request. 6.10 The Supplier will update its Privacy Policy to reflect any changes in sub-processors or the addition of new sub-processors.
It is the responsibility of the Customer to regularly review the Privacy Policy to stay informed of such changes. 6.11 The Customer acknowledges and agrees that the Supplier relies on third-party services for the hosting and processing of Customer Data pursuant to this agreement. Specifically, Amazon Web Services (AWS) is utilised as the primary infrastructure provider due to its robust data security measures and adherence to data protection legislation relevant to our operations. For comprehensive details regarding the use of AWS, including the location of data centres and the specific security and compliance measures in place, refer to Schedule 2 of this agreement. This schedule outlines how data storage and processing activities through AWS are conducted in strict conformity with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, ensuring the highest standards of data protection and security are maintained. 6.12 The Supplier will ensure that any use of Customer Data in aggregated and anonymised form is done in a manner that fully ensures such data cannot be re-identified, adhering to the standards of anonymisation defined under the UK GDPR. 6.13 The supplier will assist the customer in ensuring compliance with the data subject rights under the Data Protection Legislation, including but not limited to rights of access, correction, deletion, and data portability. 6.14 The customer shall have the right to conduct an audit of the supplier's data processing activities related to this agreement once per year to ensure compliance with Data Protection Legislation and the terms of this agreement. 
Such audit shall be conducted at the customer's expense, with reasonable prior notice, and shall not unreasonably interfere with the supplier's business operations. 6.15 Any revisions to this clause related to data protection will be made in compliance with the latest data protection legislation and best practices, ensuring the protection of data subjects' rights. The Customer will be notified at least 30 days in advance of any such changes, which will only be implemented with the Customer's consent if they materially alter the data protection obligations of the parties.

Appears in 1 contract

Sources: Software Licence Agreement

Customer Data. 6.1 4.1 The Customer shall own all right, title and interest in and to all the Customer Data that is not personal data and shall have sole responsibility for the legality, reliability, integrity, accuracy and quality of all such Customer Data. 6.2 4.2 The Supplier Customer acknowledges and agrees that the Customer Data shall follow its be transferred to and stored by the PaaS Supplier. 4.3 The archiving procedures for Customer Data as set out in its Back-Up Policyshall be notified to the Customer by the Supplier. In the event of any loss or damage to Customer Data, the Customer's sole and exclusive remedy against the Supplier shall be for the Supplier to use reasonable commercial endeavours to require the PaaS Supplier to restore the lost or damaged Customer Data from the latest back-up of such Customer Data maintained by the PaaS Supplier in accordance with the PaaS Supplier’s then current archiving procedure described in its Back-Up Policyprocedure. The Supplier shall not be responsible for any loss, destruction, alteration or disclosure of Customer Data caused by any third party (except those third parties sub-contracted by the Supplier to perform services related to Customer Data maintenance and back-up for which it shall remain fully liable under clause 6.9)party. 6.3 4.4 The Supplier shall, in providing the Services, comply with its Privacy privacy and Security Policy IT and communications system policies relating to the privacy and security of the Customer Data available at ▇▇▇.▇▇▇▇▇▇▇▇▇▇▇.▇▇.▇▇ or such other website address as may be notified to the Customer from time to time, as such document policies may be amended from time to time by the Supplier in its sole discretion. 6.4 Both parties will follow all applicable requirements of 4.5 If the Data Protection Legislation. This clause 6 is in addition to, and does not relieve, remove or replace, a party's obligations under Supplier and/or the Data Protection Legislation. 
6.5 The parties acknowledge that: (a) if the PaaS Supplier processes any personal data on the Customer's behalf when performing its the Supplier’s obligations under this agreementagreement (including the processing set out in Schedule 6), the parties record their intention that the Customer is shall be the data controller and the Supplier is the data and/or PaaS Supplier as appropriate shall be a processor for the purposes of the Data Protection Legislation (where Data Controller and Data Processor have the meanings as defined in the Data Protection Legislation).any such case: (ba) the Customer acknowledges and agrees that the personal data may be transferred or stored outside the EEA United Kingdom or the country where the Customer and the Authorised Users are located in order to carry out the Services and the Supplier's other obligations under this agreement. If ; (b) the Customer shall ensure that the Customer is entitled to transfer the relevant personal data is transferred or stored outside the UK, appropriate safeguards in accordance with UK GDPR, such as Standard Contractual Clauses approved by the UK Information Commissioner's Office (ICO), will be implemented to ensure compliance with UK data protection laws. 6.6 Without prejudice to the generality of clause 6.1, the Customer will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the Personal Data to the Supplier and/or PaaS Supplier as appropriate for the duration and purposes of this agreement so that the Supplier and/or PaaS Supplier as appropriate may lawfully use, process and transfer the Personal Data personal data in accordance with this agreement on the Customer's behalf; and (c) the Customer shall ensure that all relevant third parties have been informed of, and have given their consent to, such use, processing, and transfer as required by all applicable Data Protection Legislation. 
6.7 Without prejudice to the generality of clause 6.1, the 4.6 The Supplier shall, in relation to any Personal Data personal data processed in connection with by it on the performance by the Supplier of Customer’s behalf when performing its obligations under this agreement: (a) Process process that Personal Data personal data only on the documented written instructions of the Customer, Customer unless the Supplier is required by the laws of any member of the United Kingdom, European Union or by the laws of the European Union applicable to the Supplier and/or Domestic UK Law (where Domestic UK Law means the UK General Data Protection Regulation (UK GDPR), Legislation and any other law that applies in the Data Protection Act 2018, or any applicable international laws UK) to process Personal Data personal data (Applicable Laws). In instances where Where the Supplier's data Supplier is relying on Applicable Laws as the basis for processing activities are subject to the laws of a member of the European Union due to cross-border operations or data transfers, and where such laws necessitate processing actions divergent from the Customer's instructionspersonal data, the Supplier shall promptly notify the Customer of this requirement before commencing performing the processing required by the Applicable Laws, Laws unless prohibited by those laws Applicable Laws prohibit the Supplier from providing such notificationso notifying the Customer; (b) Not not transfer any Personal Data personal data outside of the United Kingdom or to any country not deemed to have adequate data protection laws by the UK Information Commissioner's Office (ICO), unless the following conditions are fulfilled: (i) the Customer or the Supplier has provided appropriate safeguards in relation to the transfer such as Standard Contractual Clauses (SCCs) specifically adapted for the data transfer requirements under the UK GDPR, or any future UK adequacy decisions. 
When transferring personal data outside the UK, the Supplier will ensure the use of Standard Contractual Clauses approved by the UK Information Commissioner's Office (ICO), or ensure that the destination country has been deemed to provide an adequate level of protection for personal data by the UK governmenttransfer; (ii) the data subject has enforceable rights and effective legal remedies in accordance with the UK GDPR and the Data Protection Act 2018remedies; (iii) the Supplier ensures compliance complies with its obligations under the UK Data Protection Legislation by providing an adequate level of protection to any Personal Data personal data that is transferred, including adhering to any additional requirements set forth by the UK Information Commissioner's Office (ICO); and (iv) the Supplier complies with reasonable instructions notified to it in advance by the Customer with respect to the processing of the Personal Datapersonal data; (c) assist the Customer, at the Customer's cost, in responding to any request from a Data Subject data subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators; (d) notify the ICO within 72 hours of Customer without undue delay on becoming aware of a personal data breach. 
Where the breach is likely to result in a high risk to the rights and freedoms of natural persons, notify the affected data subjects without undue delay.; (e) at the written direction of the Customer, Customer take all reasonable steps to delete or return Personal Data and copies thereof personal data to the Customer on termination of the agreement unless required by Applicable Law to store the Personal Datapersonal data; and (f) maintain complete and accurate records and information to demonstrate its compliance with this clause 64 and immediately inform the Customer if an instruction infringes the Data Protection Legislation. 6.8 4.7 Each party shall ensure that it has in place appropriate technical and organisational measures to protect against unauthorised or unlawful processing of Personal Data the personal data and against accidental loss or destruction of, or damage to, Personal Datapersonal data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymisation pseudonymising and encr ypting Personal Dataencrypting personal data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to Personal Data personal data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it). 
6.9 4.8 The Customer consents to the Supplier will ensure that any subappointing the PaaS Supplier as a third-contractors appointed to process party processor of personal data on behalf of the Customer are subject to written agreements that require them to process such data only on documented instructions from the Customer and in full compliance with the requirements of the UK GDPR, particularly Article 28under this agreement. The Supplier confirms that it has entered or (as the case may be) will enter with the third- party processor into a written agreement substantially on that third party's standard terms of business. As between business which reflect the Customer and requirements of the SupplierData Protection Legislation. 4.9 Either party may, the Supplier shall remain fully liable for all acts or omissions of at any third-party processor appointed by it pursuant to time on not less than 30 days' notice, revise this clause 6. Full details 4 by replacing it with any applicable controller to processor standard clauses or similar terms forming part of all third parties providing such services to the Supplier and who are processing Personal data under this agreement are available upon request. 6.10 The Supplier will update its Privacy Policy to reflect any changes in sub-processors or the addition of new sub-processors. It is the responsibility of the Customer to regularly review the Privacy Policy to stay informed of such changes. 6.11 The Customer acknowledges and agrees that the Supplier relies on third-party services for the hosting and processing of Customer Data pursuant an applicable certification scheme (which shall apply when replaced by attachment to this agreement. Specifically, Amazon Web Services (AWS) is utilised as the primary infrastructure provider due to its robust data security measures and adherence to data protection legislation relevant to our operations. For comprehensive details regarding the use ). 
4.10 Both parties will comply with all applicable requirements of AWS, including the location of data centres and the specific security and compliance measures in place, refer to Schedule 2 of this agreement. This schedule outlines how data storage and processing activities through AWS are conducted in strict conformity with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018Legislation and acknowledge that this obligation is in addition to, ensuring the highest standards of data protection and security are maintained. 6.12 The Supplier will ensure that any use of Customer Data in aggregated and anonymised form is done in does not relieve, remove or replace, a manner that fully ensures such data cannot be re-identified, adhering to the standards of anonymisation defined under the UK GDPR. 6.13 The supplier will assist the customer in ensuring compliance with the data subject party's obligations or rights under the Data Protection Legislation, including but not limited to rights of access, correction, deletion, and data portability. 6.14 The customer shall have the right to conduct an audit of the supplier's data processing activities related to this agreement once per year to ensure compliance with Data Protection Legislation and the terms of this agreement. Such audit shall be conducted at the customers expense, with reasonable prior notice, and shall not unreasonably interfere with the supplier's business operations 6.15 Any revisions to this clause related to data protection will be made in compliance with the latest data protection legislation and best practices, ensuring the protection of data subjects' rights. The Customer will be notified at least 30 days in advance of any such changes, which will only be implemented with the Customer's consent if they materially alter the data protection obligations of the parties.

Appears in 1 contract

Sources: Software as a Service Subscription Agreement

Customer Data. 6.1 The Customer shall own all right, title and interest in and to all of the Customer Data that is not personal data and shall have sole responsibility for the legality, reliability, integrity, accuracy and quality of all such the Customer Data. 6.2 The Supplier shall follow its archiving procedures for Customer Data as set out in its Back-Up Policy. In the event of any loss or damage to Customer Data, the Customer's sole and exclusive remedy against the Supplier shall be for the Supplier to use reasonable commercial endeavours to restore the lost or damaged Customer Data from the latest back-up of such Customer Data maintained by the Supplier in accordance with the archiving procedure described in its Back-Up Policy. The Supplier shall not be responsible for any loss, destruction, alteration or disclosure of Customer Data caused by any third party (except those third parties sub-contracted by the Supplier to perform services related to Customer Data maintenance and back-up for which it shall remain fully liable under clause 6.9). 6.3 The Supplier Posturite shall, in providing the Products and Professional Services, comply with its Privacy Information Security and Security Data Protection Policy relating to the privacy and security of the Customer Data available at ▇▇▇.▇▇▇▇▇▇▇▇▇▇▇.▇▇.▇▇ or such other website address as may be notified to the Customer from time to timeCustomer’s request, as such document may be amended from time to time by the Supplier Posturite in its sole discretion. 6.4 Both 6.3 The parties will follow all applicable requirements agree that, in respect of the Customer Data, the Customer shall be the Data Controller and Posturite shall be a Data Processor and shall process the Customer Data in compliance with the obligations of Data Processors under Data Protection Legislation. This clause 6 is Laws. 
6.4 The Customer warrants, represents and undertakes, that: 6.4.1 all data sourced by the Customer shall comply in addition all respects, including in terms of its collection, storage and processing (which shall include the Customer providing all of the required fair processing information to, and does not relieveobtaining all necessary consents from, remove or replaceData Subjects), a party's obligations under the with Data Protection LegislationLaws; and 6.4.2 all instructions given by it to Posturite in respect of Personal Data shall at all times be in accordance with Data Protection Laws. 6.5 Posturite, as Data Processor, shall: 6.5.1 inform the Customer if Posturite becomes aware of any instruction that, in the Posturite’s opinion, infringes Data Protection Laws, provided that to the maximum extent permitted by mandatory law, Posturite shall have no liability howsoever arising (whether in contract, tort (including negligence) or otherwise) for any losses, costs, expenses or liabilities arising from or in connection with any processing in accordance with the Customer's Processing Instructions following the Customer's receipt of that information. 
6.5.2 implement and maintain at its own cost and expense, technical and organisational measures, taking into account the nature of the processing, to assist the Customer insofar as is possible in the fulfilment of the Customer’s obligations to respond to Data Subject Requests relating to Customer Data; 6.5.3 refer all Data Subject Requests it receives to the Customer within five Business Days of receipt of the request; 6.5.4 maintain, in accordance with Data Protection Laws binding on Posturite, written records of all categories of processing activities carried out on behalf of the Customer; 6.5.5 subject to condition 6.6.1, ensure that all persons authorised by Posturite to process Customer Data are subject to a binding written contractual obligation to keep the Customer Data confidential (except where disclosure is required in accordance with Applicable Law, in which case Posturite shall, where practicable and not prohibited by Applicable Law, notify the Customer of any such requirement before such disclosure); 6.5.6 ensure that each Authorised Sub-Processor shall to the extent applicable, be subject to conditions substantially no less onerous to those conditions contained within this condition 6; in accordance with Data Protection Laws, make available to the Customer such information as is reasonably necessary to demonstrate Posturite’s compliance with the obligations of Data Processors under Data Protection Laws, and allow for and contribute to audits, including inspections, by the Customer (or another auditor mandated by the Customer) for this purpose, subject to the Customer giving Posturite reasonable prior notice of such information request; 6.5.7 notify the Customer (for which email shall suffice) if Posturite adds or removes any Authorised Sub- Processors at least ten (10) days prior to any such change. 
The Customer acknowledges and agrees that Posturite may object in writing to an appointment of a new Authorised Sub-Processor within five (5) calendar days of such notice. In such event, the parties acknowledge thatshall discuss such concerns in good faith with a view to achieving resolution. If this is not possible, the Customer may suspend or terminate the Contract (without prejudice to any fees incurred by the Customer prior to suspension or termination); 6.5.8 in respect of any Personal Data Breach, Posturite shall, without undue delay: (a) if the Supplier processes any personal data on the Customer's behalf when performing its obligations under this agreement, notify the Customer is the data controller and the Supplier is the data processor for the purposes of the any Customer Data Protection Legislation (where Data Controller and Data Processor have the meanings as defined in the Data Protection Legislation).Breach; and (b) provide the Customer acknowledges with details of the Customer Data Breach; and 6.5.9 Posturite shall either delete or return all the Customer Data to the Customer in such form as the Customer reasonably requests within a reasonable time once processing by Posturite of any Customer Data is no longer required for the purpose of Posturite’s performance of its relevant obligations under the Contract. 6.6 The processing of Personal Data by Posturite to be carried out in accordance with the change control procedure in condition 5.9 and agrees shall comprise the information contained in the Contract Particulars, and may be updated from time to time in accordance with any change control procedure in condition 5.9. 
6.7 Posturite shall not: 6.7.1 With the exception of the Authorised Sub-Processors, engage any other party (a ‘Sub-Processor’) for carrying out any processing activities in respect of the Customer Data without the Customer’s written authorisation authorising the appointment of that the specific Sub-Processor; or 6.7.2 transfer or store any personal data may be transferred or stored outside the EEA or the country where the Customer and the Authorised Licensed Users are located in order to carry out the Products and Professional Services and the Supplier's Posturite’s other obligations under this agreement. If the Contract. 6.8 The Customer shall ensure that the Customer is entitled to transfer the relevant personal data is transferred or stored outside the UK, appropriate safeguards in accordance with UK GDPR, such as Standard Contractual Clauses approved by the UK Information Commissioner's Office (ICO), will be implemented to ensure compliance with UK data protection laws. 6.6 Without prejudice to the generality of clause 6.1, the Customer will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the Personal Data to the Supplier for the duration and purposes of this agreement Posturite so that the Supplier Posturite may lawfully use, process and transfer the Personal Data personal data in accordance with this agreement the Contract on the Customer's behalf. 6.7 Without prejudice to the generality of clause 6.1, the Supplier shall, in relation to any Personal Data processed in connection with the performance by the Supplier of its obligations under this agreement: (a) Process that Personal Data only on the written instructions of the Customer, unless the Supplier is required by the laws of the United Kingdom, the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, or any applicable international laws to process Personal Data (Applicable Laws). 
In instances where the Supplier's data processing activities are subject to the laws of a member of the European Union due to cross-border operations or data transfers, and where such laws necessitate processing actions divergent from the Customer's instructions, the Supplier 6.9 The Customer shall promptly notify the Customer of this requirement before commencing the processing required by the Applicable Laws, unless prohibited by those laws from providing such notification; (b) Not transfer any Personal Data outside of the United Kingdom or to any country not deemed to have adequate data protection laws by the UK Information Commissioner's Office (ICO), unless the following conditions are fulfilled: (i) the Customer or the Supplier has provided appropriate safeguards in relation to the transfer such as Standard Contractual Clauses (SCCs) specifically adapted for the data transfer requirements under the UK GDPR, or any future UK adequacy decisions. When transferring personal data outside the UK, the Supplier will ensure the use of Standard Contractual Clauses approved by the UK Information Commissioner's Office (ICO), or ensure that the destination country has relevant third parties have been deemed to provide an adequate level of protection for personal data informed of, and have given their consent to, such use, processing, and transfer as required by the UK government; (ii) the data subject has enforceable rights and effective legal remedies in accordance with the UK GDPR and the all applicable Data Protection Act 2018; (iii) the Supplier ensures compliance with the UK Data Protection Legislation by providing an adequate level of protection to any Personal Data transferred, including adhering to any additional requirements set forth by the UK Information Commissioner's Office (ICO); and (iv) the Supplier complies with reasonable instructions notified to it in advance by the Customer with respect to the processing of the Personal Data; (c) assist the Customer, 
at the Customer's cost, in responding to any request from a Data Subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators; (d) notify the ICO within 72 hours of becoming aware of a data breach. Where the breach is likely to result in a high risk to the rights and freedoms of natural persons, notify the affected data subjects without undue delay.; (e) at the written direction of the Customer, delete or return Personal Data and copies thereof to the Customer on termination of the agreement unless required by Applicable Law to store the Personal Data; and (f) maintain complete and accurate records and information to demonstrate its compliance with this clause 6Laws. 6.8 6.10 Each party shall ensure that it has in place take appropriate technical and organisational measures to protect against unauthorised or unlawful processing of Personal Customer Data and against accidental loss or destruction of, any personal data or damage to, Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or its accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymisation and encr ypting Personal Data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it)damage. 
6.9 The Supplier will ensure that any sub-contractors appointed to process personal data on behalf of the Customer are subject to written agreements that require them to process such data only on documented instructions from the Customer and in full compliance with the requirements of the UK GDPR, particularly Article 28. The Supplier confirms that it has entered or (as the case may be) will enter with the third- party processor into a written agreement substantially on that third party's standard terms of business. As between the Customer and the Supplier, the Supplier shall remain fully liable for all acts or omissions of any third-party processor appointed by it pursuant to this clause 6. Full details of all third parties providing such services to the Supplier and who are processing Personal data under this agreement are available upon request. 6.10 The Supplier will update its Privacy Policy to reflect any changes in sub-processors or the addition of new sub-processors. It is the responsibility of the Customer to regularly review the Privacy Policy to stay informed of such changes. 6.11 The Customer acknowledges and agrees that the Supplier relies on third-party services for the hosting and processing of Customer Data pursuant to this agreement. Specifically, Amazon Web Services (AWS) is utilised as the primary infrastructure provider due to its robust data security measures and adherence to data protection legislation relevant to our operations. For comprehensive details regarding the use of AWS, including the location of data centres and the specific security and compliance measures in place, refer to Schedule 2 of this agreement. This schedule outlines how data storage and processing activities through AWS are conducted in strict conformity with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, ensuring the highest standards of data protection and security are maintained. 
6.12 The Supplier will ensure that any use of Customer Data in aggregated and anonymised form is done in a manner that fully ensures such data cannot be re-identified, adhering to the standards of anonymisation defined under the UK GDPR. 6.13 The supplier will assist the customer in ensuring compliance with the data subject rights under the Data Protection Legislation, including but not limited to rights of access, correction, deletion, and data portability. 6.14 The customer shall have the right to conduct an audit of the supplier's data processing activities related to this agreement once per year to ensure compliance with Data Protection Legislation and the terms of this agreement. Such audit shall be conducted at the customers expense, with reasonable prior notice, and shall not unreasonably interfere with the supplier's business operations 6.15 Any revisions to this clause related to data protection will be made in compliance with the latest data protection legislation and best practices, ensuring the protection of data subjects' rights. The Customer will be notified at least 30 days in advance of any such changes, which will only be implemented with the Customer's consent if they materially alter the data protection obligations of the parties.

Appears in 1 contract

Sources: Contract for Provision and Use of E Learning Product

Customer Data. 6.1 7.1 The Customer shall own all right, title and interest in and to all of the Customer Data that is not personal data and shall have sole responsibility for the legality, reliability, integrity, accuracy and quality of all such Customer Data. 6.2 7.2 The Supplier Company shall follow its archiving procedures for Customer Data as set out in its Back-Up Policyown policies from time to time. In the event of any loss or damage to Customer Data, the Customer's sole and exclusive remedy against the Supplier Company shall be for the Supplier Company to use reasonable commercial endeavours to restore the lost or damaged Customer Data from the latest back-up of such Customer Data maintained by the Supplier Company in accordance with the archiving procedure described in its Back-Up Policyrelevant policy. The Supplier Company shall not be responsible for any loss, destruction, alteration or disclosure of Customer Data caused by any third party (except those third parties sub-contracted by the Supplier Company to perform services any of the Services related to Customer Data maintenance and back-up for which it shall remain fully liable under clause 6.97.9). 6.3 7.3 The Supplier Company shall, in providing each of the Services, comply with its Privacy and Security Policy policies relating to the privacy and security of the Customer Data available at ▇▇▇.▇▇▇▇▇▇▇▇▇▇▇.▇▇.▇▇ or such other website address as may be notified to the Customer from time to time, as such document may be amended from time to time by the Supplier in its sole discretion. 6.4 7.4 Both parties will follow comply with all applicable requirements of the Data Protection Legislation. This clause 6 7 is in addition to, and does not relieve, remove or replace, a party's obligations or rights under the Data Protection Legislation. 
6.5 7.5 The parties acknowledge that: (a) if the Supplier Company processes any personal data on the Customer's behalf when performing its obligations under this agreementAgreement, the Customer is the data controller and the Supplier Company is the data processor for the purposes of the Data Protection Legislation (where Data Controller and Data Processor have the meanings as defined in the Data Protection Legislation). (b) the Customer acknowledges and agrees that the personal data may be transferred or stored outside the EEA or the country where the Customer and or the Authorised Users are Group Company is located in order to carry out each of the Services and the SupplierCompany's other obligations under this agreement. If personal data is transferred or stored outside the UK, appropriate safeguards in accordance with UK GDPR, such as Standard Contractual Clauses approved by the UK Information Commissioner's Office (ICO), will be implemented to ensure compliance with UK data protection lawsAgreement. 6.6 7.6 Without prejudice to the generality of clause 6.17.4, the Customer will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the Personal Data personal data to the Supplier Company for the duration and purposes of this agreement Agreement so that the Supplier Company may lawfully use, process and transfer the Personal Data personal data in accordance with this agreement Agreement on the Customer's behalf. 
6.7 7.7 Without prejudice to the generality of clause 6.17.4, the Supplier Company shall, in relation to any Personal Data personal data processed in connection with the performance by the Supplier Company of its obligations under this agreementAgreement: (a) Process process that Personal Data personal data only on the documented written instructions of the Customer, Customer unless the Supplier Company is required by the laws of any member of the United Kingdom, European Union or by the UK General Data Protection Regulation (UK GDPR), laws of the Data Protection Act 2018, or any European Union applicable international laws to the Company to process Personal Data personal data (Applicable Laws). In instances where Where the Supplier's data Company is relying on Applicable Laws as the basis for processing activities are subject to the laws of a member of the European Union due to cross-border operations or data transfers, and where such laws necessitate processing actions divergent from the Customer's instructionspersonal data, the Supplier Company shall promptly notify the Customer of this requirement before commencing performing the processing required by the Applicable Laws, Laws unless prohibited by those laws Applicable Laws prohibit the Company from providing such notificationso notifying the Customer; (b) Not not transfer any Personal Data personal data outside of the European Economic Area and the United Kingdom or to any country not deemed to have adequate data protection laws by the UK Information Commissioner's Office (ICO), unless the following conditions are fulfilled: (i) the Customer or the Supplier Company has provided appropriate safeguards in relation to the transfer such as Standard Contractual Clauses (SCCs) specifically adapted for the data transfer requirements under the UK GDPR, or any future UK adequacy decisions. 
When transferring personal data outside the UK, the Supplier will ensure the use of Standard Contractual Clauses approved by the UK Information Commissioner's Office (ICO), or ensure that the destination country has been deemed to provide an adequate level of protection for personal data by the UK governmenttransfer; (ii) the data subject has enforceable rights and effective legal remedies in accordance with the UK GDPR and the Data Protection Act 2018remedies; (iii) the Supplier ensures compliance Company complies with its obligations under the UK Data Protection Legislation by providing an adequate level of protection to any Personal Data personal data that is transferred, including adhering to any additional requirements set forth by the UK Information Commissioner's Office (ICO); and (iv) the Supplier Company complies with reasonable instructions notified to it in advance by the Customer with respect to the processing of the Personal Datapersonal data; (c) assist the Customer, at the Customer's cost, in responding to any request from a Data Subject data subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators; (d) notify the ICO within 72 hours of Customer without undue delay on becoming aware of a personal data breach. 
Where the breach is likely to result in a high risk to the rights and freedoms of natural persons, notify the affected data subjects without undue delay.; (e) at the written direction of the Customer, delete or return Personal Data personal data and copies thereof to the Customer on termination of the agreement Agreement unless required by Applicable Law to store the Personal Datapersonal data (and for these purposes the term "delete" shall mean to put such data beyond use); and (f) maintain complete and accurate records and information to demonstrate its compliance with this clause 67 and immediately inform the Company if, in the opinion of the Company, an instruction infringes the Data Protection Legislation. 6.8 7.8 Each party shall ensure that it has in place appropriate technical and organisational measures measures, reviewed and approved by the other party, to protect against unauthorised or unlawful processing of Personal Data personal data and against accidental loss or destruction of, or damage to, Personal Datapersonal data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymisation pseudonymising and encr ypting Personal Dataencrypting personal data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to Personal Data personal data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it). 
6.9 7.9 The Supplier will ensure that any subCustomer consents to the Company appointing third party cloud platform providers as a third-contractors appointed to process party processor of personal data on behalf of the Customer are subject to written agreements that require them to process such data only on documented instructions from the Customer and in full compliance with the requirements of the UK GDPR, particularly Article 28under this Agreement. The Supplier Company confirms that it has entered or (as the case may be) will enter with the third- third-party processor into a written agreement substantially on that third party's standard terms of businessbusiness and in either case which the Company confirms reflect and will continue to reflect the requirements of the Data Protection Legislation. As between the Customer and the SupplierCompany, the Supplier Company shall remain fully liable for all acts or omissions of any third-party processor appointed by it pursuant to this clause 6. Full details of all third parties providing such services to the Supplier and who are processing Personal data under this agreement are available upon request7. 6.10 The Supplier will update its Privacy Policy 7.10 Either party may, at any time on not less than 30 days' notice, revise this clause 7 by replacing it with any applicable controller to reflect any changes in sub-processors processor standard clauses or the addition similar terms forming part of new sub-processors. It is the responsibility of the Customer to regularly review the Privacy Policy to stay informed of such changes. 6.11 The Customer acknowledges and agrees that the Supplier relies on third-party services for the hosting and processing of Customer Data pursuant an applicable certification scheme (which shall apply when replaced by attachment to this agreement. 
Specifically, Amazon Web Services (AWS) is utilised as the primary infrastructure provider due to its robust data security measures and adherence to data protection legislation relevant to our operations. For comprehensive details regarding the use of AWS, including the location of data centres and the specific security and compliance measures in place, refer to Schedule 2 of this agreement. This schedule outlines how data storage and processing activities through AWS are conducted in strict conformity with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, ensuring the highest standards of data protection and security are maintainedAgreement). 6.12 The Supplier will ensure that any use of Customer Data in aggregated and anonymised form is done in a manner that fully ensures such data cannot be re-identified, adhering to the standards of anonymisation defined under the UK GDPR. 6.13 The supplier will assist the customer in ensuring compliance with the data subject rights under the Data Protection Legislation, including but not limited to rights of access, correction, deletion, and data portability. 6.14 The customer shall have the right to conduct an audit of the supplier's data processing activities related to this agreement once per year to ensure compliance with Data Protection Legislation and the terms of this agreement. Such audit shall be conducted at the customers expense, with reasonable prior notice, and shall not unreasonably interfere with the supplier's business operations 6.15 Any revisions to this clause related to data protection will be made in compliance with the latest data protection legislation and best practices, ensuring the protection of data subjects' rights. The Customer will be notified at least 30 days in advance of any such changes, which will only be implemented with the Customer's consent if they materially alter the data protection obligations of the parties.

Appears in 1 contract

Sources: Terms and Conditions

Customer Data. 6.1 5.1 The Customer shall own all right, title and interest in and to all of the Customer Data that is not personal data and shall have sole responsibility for the legality, reliability, integrity, accuracy and quality of all such Customer Data. 6.2 The Supplier 5.2 MY DIGITAL shall follow its archiving procedures for Customer Data as set out in its Back-Up Policy, as such document may be amended by MY DIGITAL in its sole discretion from time to time. In the event of any loss or damage to Customer Data, the Customer's sole and exclusive remedy against the Supplier MY DIGITAL shall be for the Supplier MY DIGITAL to use reasonable commercial endeavours to restore the lost or damaged Customer Data from the latest back-up of such ofsuch Customer Data maintained by the Supplier MY DIGITAL in accordance with the archiving procedure archivingprocedure described in its Back-Up Policy. The Supplier MY DIGITAL shall not be responsible for any lossanyloss, destruction, alteration or disclosure of Customer Data caused by any third party (except party(except those third parties sub-contracted by the Supplier MY DIGITAL to perform services related to Customer Data maintenance and back-up for which forwhich it shall remain fully liable under clause 6.95.10). The Customer shall ensure that each of its Authorised Users is aware of the Back Up Policy and MY DIGITAL’s obligations withregard to the restoration of Customer Data. 6.3 5.3 The Supplier Privacy Policy is incorporated into this contract by reference and applies to the Subscription Services. 
The Customer acknowledges and agrees that Customer Data shall be collected and used by MY DIGITAL in accordance with the Privacy Policy and shall ensure that each Authorised User is aware of the Privacy Policy and provides its prior written consent to the Customer which shall confirm that each Contractor User and End Client User hasseen and agrees to that party’s personal data being used by MY DIGITAL in accordance with the Privacy Policy. MY DIGITAL shall, in providing the Services, comply with its Privacy and Security Policy relating to the privacy and security of the Customer Data available at ▇▇▇.▇▇▇▇▇▇▇▇▇▇▇.▇▇.▇▇ or such other website address as may be notified to the Customer from time to time, as such document may be amended from time to time by the Supplier in its sole discretionData. 6.4 5.4 Both parties will follow comply with all applicable requirements of the Data Protection Legislation. This clause 6 5 is in addition to, and does not relieve, remove or replace, a party's obligations or rights under the Data Protection Legislation. 6.5 5.5 The Customer shall not disclose (and shall not permit any data subject to disclose), any sensitive personal data/special categories of personal data to MY DIGITAL for processing. 5.6 The parties acknowledge that: (a) if the Supplier that where MY DIGITAL processes any personal data as described in this contract on the Customer's ’s behalf when performing its obligations under this agreementcontract, and for the purposes of this Contract, the Customer is the data controller and the Supplier MY DIGITAL is the data processor for the purposes of the Data Protection Legislation (where Data Controller and Data Processor have the meanings as defined in the Data Protection Legislation). 
(b) the Customer acknowledges and agrees that the personal data may be transferred or stored outside the EEA or the country where the Customer and the Authorised Users are located to carry out the Services and the Supplier's other obligations under this agreement. If personal data is transferred or stored outside the UK, appropriate safeguards in accordance with UK GDPR, such as Standard Contractual Clauses approved by the UK Information Commissioner's Office (ICO), will be implemented to ensure compliance with UK data protection laws. 6.6 5.7 Without prejudice to the generality of clause 6.15.4, the Customer will ensure that it has all necessary appropriate consents and notices in place to enable the lawful transfer of the Personal Data personal data to the Supplier MY DIGITAL for the duration and purposes of this agreement contract so that the Supplier MY DIGITAL may lawfully use, process and transfer the Personal Data personal data in accordance with accordancewith this agreement contract on the Customer's behalf. 6.7 5.8 Without prejudice to the generality of clause 6.15.4, the Supplier MY DIGITAL shall, in relation to any Personal Data anypersonal data processed in connection with the performance by the Supplier MY DIGITAL of its obligations under this agreementcontract: (a) Process process that Personal Data personal data only on the documented written instructions of the Customer, Customer unless the Supplier MY DIGITAL is required by the laws of any member of the United Kingdom, European Union or by the laws of the European Union applicable to MY DIGITAL and/or Domestic UK Law (where Domestic UK Law means the UK General Data Protection Regulation (UK GDPR), Legislation and any other law that applies in the Data Protection Act 2018, or any applicable international laws UK) to process Personal Data personal data (Applicable Laws). 
In instances where Where MY DIGITAL is relyingon Applicable Laws as the Supplier's data basis for processing activities are subject to the laws of a member of the European Union due to cross-border operations or data transferspersonal data, and where such laws necessitate processing actions divergent from the Customer's instructions, the Supplier MY DIGITAL shall promptly notify the Customer of this requirement ofthis before commencing performing the processing required processingrequired by the Applicable Laws, Laws unless prohibited by those laws Applicable Laws prohibit MYDIGITAL from providing such notificationso notifying the Customer; (b) Not not transfer any Personal Data personal data outside of the European Economic Area andthe United Kingdom or to any country not deemed to have adequate data protection laws by the UK Information Commissioner's Office (ICO), unless the following conditions are fulfilled: (i) the Customer or the Supplier MY DIGITAL has provided appropriate safeguards in relation to the transfer such as Standard Contractual Clauses (SCCs) specifically adapted for the data transfer requirements under the UK GDPR, or any future UK adequacy decisions. 
When transferring personal data outside the UK, the Supplier will ensure the use of Standard Contractual Clauses approved by the UK Information Commissioner's Office (ICO), or ensure that the destination country has been deemed to provide an adequate level of protection for personal data by the UK governmenttransfer; (ii) the data subject has enforceable rights and effective legal remedies in accordance with the UK GDPR and the Data Protection Act 2018remedies; (iii) MY DIGITAL complies with its obligations under the Supplier ensures compliance with the UK Data Protection Legislation by providing an providingan adequate level of protection to any Personal Data personal data that is transferred, including adhering to any additional requirements set forth by the UK Information Commissioner's Office (ICO); and (iv) the Supplier MY DIGITAL complies with reasonable withreasonable instructions notified to it in advance by the Customer with respect withrespect to the processing of the Personal Datapersonal data; (c) assist the Customer, at the Customer's cost, in responding to any request from a Data Subject data subject and in ensuring compliance ensuringcompliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, ,impact assessments and consultations with supervisory authorities or regulators; (d) notify the ICO within 72 hours of Customer without undue delay on becoming aware of a data personaldata breach. 
Where the breach is likely to result in a high risk to the rights and freedoms of natural persons, notify the affected data subjects without undue delay.; (e) at the written direction of the Customer, delete or return Personal Data personal data and copies thereof to the Customer on termination of the agreement this contract unless required by Applicable Law to store the Personal Datapersonal data; and (f) maintain complete and accurate records accuraterecords and information to demonstrate its compliance with this clause 65 and immediately inform the Company if, in the opinion of the MY DIGITAL, an instruction infringes the Data Protection Legislation. 6.8 5.9 Each party shall ensure that it has in place appropriate technical and organisational measures measures, reviewed and approved by the other party, to protect against unauthorised or unauthorisedor unlawful processing of Personal Data personal data and against accidental loss or destruction of, or damage to, Personal Datapersonal data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymisation pseudonymising and encr ypting Personal Dataencrypting personaldata, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to Personal Data personal data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it). 
6.9 5.10 The Supplier will ensure that any subCustomer consents to MY DIGITAL appointing AWS Europe as a third-contractors appointed to process party processor of personal data on behalf of the Customer are subject to written agreements that require them to process such data only on documented instructions from the Customer and in full compliance with the requirements of the UK GDPR, particularly Article 28under this contract. The Supplier MY DIGITAL confirms that it has entered or (as the case may be) will enter with the third- third-party processor into a written agreement substantially on that third party's standard terms of businessbusiness and which reflectthe requirements of the Data Protection Legislation. As between the Customer and the SupplierMY DIGITAL, the Supplier MY DIGITAL shall remain fully liable for all acts or omissions of any third-third- party processor appointed by it pursuant to this clause 6. Full details of all third parties providing such services to the Supplier and who are processing Personal data under this agreement are available upon request5. 6.10 The Supplier will update its Privacy Policy to reflect any changes in sub-processors or the addition of new sub-processors. It is the responsibility of the Customer to regularly review the Privacy Policy to stay informed of such changes. 6.11 5.11 The Customer acknowledges and agrees that internet transmissions are never completely private or secure and that any message or information which is sent or received using the Supplier relies on third-party services for the hosting and processing of Customer Data pursuant to this agreement. SpecificallyServices may be read or intercepted by others, Amazon Web Services (AWS) even if a particular transmission is utilised as the primary infrastructure provider due to its robust data security measures and adherence to data protection legislation relevant to our operations. 
For comprehensive details regarding the use of AWS, including the location of data centres and the specific security and compliance measures in place, refer to Schedule 2 of this agreement. This schedule outlines how data storage and processing activities through AWS are conducted in strict conformity with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, ensuring the highest standards of data protection and security are maintainedencrypted. 6.12 5.12 The Supplier will ensure Customer consents (on behalf of itself and each Authorised User) to MY DIGITAL collecting and using technical informationabout the devices and related software, hardware and peripherals for services that are internet or wireless based to improve its products and to provide any use of Customer Data in aggregated and anonymised form is done in a manner that fully ensures such data cannot be re-identified, adhering Services to the standards of anonymisation defined under the UK GDPRCustomer. 6.13 The supplier will assist the customer in ensuring compliance with the data subject rights under the Data Protection Legislation, including but not limited to rights of access, correction, deletion, and data portability. 6.14 The customer shall have the right to conduct an audit of the supplier's data processing activities related to this agreement once per year to ensure compliance with Data Protection Legislation and the terms of this agreement. Such audit shall be conducted at the customers expense, with reasonable prior notice, and shall not unreasonably interfere with the supplier's business operations 6.15 Any revisions to this clause related to data protection will be made in compliance with the latest data protection legislation and best practices, ensuring the protection of data subjects' rights. 
The Customer will be notified at least 30 days in advance of any such changes, which will only be implemented with the Customer's consent if they materially alter the data protection obligations of the parties.

Appears in 1 contract

Sources: Service Agreement

Customer Data. 6.1 5.1 The Customer shall own all right, title and interest in and to all of the Customer Data that is not personal data and shall have sole responsibility for the legality, reliability, integrity, accuracy and quality of all such the Customer Data. 6.2 5.2 The Supplier retains primary responsibility for taking and maintaining backups of the Customer Data and shall take regular backups to protect against data loss, corruption or other damage. 5.3 The Supplier shall follow its archiving procedures for Customer Data as set out in its Back-Up Privacy Policy, as such document may be amended by the Supplier in its sole discretion from time to time. In the event of any loss or damage to Customer Data, the Customer's sole and exclusive remedy against the Supplier shall be for the Supplier to use reasonable commercial endeavours to restore the lost or damaged Customer Data from the latest back-up of such Customer Data maintained by the Supplier in accordance with the archiving procedure described in its Back-Up Privacy Policy. The Supplier shall not be responsible for any loss, destruction, alteration or disclosure of Customer Data caused by any third party (except those third parties sub-contracted by the Supplier to perform services related to Customer Data maintenance and back-up for which it shall remain fully liable under clause 6.9up). 6.3 5.4 The Supplier shall, in providing the Services, comply with its Privacy and Security Policy relating to the privacy and security of the Customer Data available at ▇▇▇.▇▇▇▇▇▇▇▇▇▇▇.▇▇.▇▇ the Website or such other website address as may be notified to the Customer from time to time, as such document may be amended from time to time by the Supplier in its sole discretion. 6.4 Both parties will follow all applicable requirements of the Data Protection Legislation. This clause 6 is in addition to, and does not relieve, remove or replace, a party's obligations under the Data Protection Legislation. 
6.5 The parties acknowledge that: (a) if 5.5 If the Supplier processes any personal data on the Customer's behalf when performing its obligations under this agreement, the parties record their intention that the Customer is shall be the data controller and the Supplier is the shall be a data processor for the purposes of the Data Protection Legislation (where Data Controller and Data Processor have the meanings as defined in the Data Protection Legislation).any such case: (b) 5.5.1 the Customer acknowledges and agrees that the personal data may be transferred or stored outside the EEA or the country where the Customer and the Authorised Users are located in order to carry out the Services and the Supplier's other obligations under this agreement. If ; 5.5.2 the Customer shall ensure that the Customer is entitled to transfer the relevant personal data is transferred or stored outside the UK, appropriate safeguards in accordance with UK GDPR, such as Standard Contractual Clauses approved by the UK Information Commissioner's Office (ICO), will be implemented to ensure compliance with UK data protection laws. 
6.6 Without prejudice to the generality of clause 6.1, the Customer will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the Personal Data to the Supplier for the duration and purposes of this agreement so that the Supplier may lawfully use, process and transfer the Personal Data personal data in accordance with this agreement on the Customer's behalf.; 6.7 Without prejudice to the generality of clause 6.1, the Supplier shall, in relation to any Personal Data processed in connection with the performance by the Supplier of its obligations under this agreement: (a) Process that Personal Data only on the written instructions of the Customer, unless the Supplier is required by the laws of the United Kingdom, the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, or any applicable international laws to process Personal Data (Applicable Laws). In instances where the Supplier's data processing activities are subject to the laws of a member of the European Union due to cross-border operations or data transfers, and where such laws necessitate processing actions divergent from the Customer's instructions, the Supplier shall promptly notify 5.5.3 the Customer of this requirement before commencing the processing required by the Applicable Laws, unless prohibited by those laws from providing such notification; (b) Not transfer any Personal Data outside of the United Kingdom or to any country not deemed to have adequate data protection laws by the UK Information Commissioner's Office (ICO), unless the following conditions are fulfilled: (i) the Customer or the Supplier has provided appropriate safeguards in relation to the transfer such as Standard Contractual Clauses (SCCs) specifically adapted for the data transfer requirements under the UK GDPR, or any future UK adequacy decisions. 
When transferring personal data outside the UK, the Supplier will ensure the use of Standard Contractual Clauses approved by the UK Information Commissioner's Office (ICO), or shall ensure that the destination country has relevant third parties have been deemed to provide an adequate level of informed of, and have given their consent to, such use, processing, and transfer as required by all applicable data protection for personal data by the UK governmentlegislation; (ii) the data subject has enforceable rights and effective legal remedies in accordance with the UK GDPR and the Data Protection Act 2018; (iii) the Supplier ensures compliance with the UK Data Protection Legislation by providing an adequate level of protection to any Personal Data transferred, including adhering to any additional requirements set forth by the UK Information Commissioner's Office (ICO); and (iv) the Supplier complies with reasonable instructions notified to it in advance by the Customer with respect to the processing of the Personal Data; (c) assist the Customer, at the Customer's cost, in responding to any request from a Data Subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators; (d) notify the ICO within 72 hours of becoming aware of a data breach. Where the breach is likely to result in a high risk to the rights and freedoms of natural persons, notify the affected data subjects without undue delay.; (e) at the written direction of the Customer, delete or return Personal Data and copies thereof to the Customer on termination of the agreement unless required by Applicable Law to store the Personal Data; and (f) maintain complete and accurate records and information to demonstrate its compliance with this clause 6. 
6.8 Each 5.5.4 each party shall ensure that it has in place take appropriate technical and organisational measures to protect against unauthorised or unlawful processing of Personal Data and against accidental loss the personal data or destruction of, or damage to, Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or its accidental loss, destruction or damage and the nature of the data to be protected, having regard damage. 5.6 The Customer hereby grants to the state Supplier a non-exclusive licence to use the Customer Data for the purposes of technological development internal software improvements, including for the purpose of optimising the Services provided by the Supplier by way of comparisons across any and the cost of implementing any measures (those measures may include, where appropriate, pseudonymisation and encr ypting Personal Data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it). 6.9 all Customer projects. The Supplier will ensure that any sub-contractors appointed undertakes not to process personal data on behalf release details of the Customer are subject to written agreements that require them to process projects arising from such data only on documented instructions from the Customer and in full compliance with the requirements of the UK GDPR, particularly Article 28. The Supplier confirms that it has entered or (as the case may be) will enter with the third- party processor into a written agreement substantially on that third party's standard terms of business. 
As between the Customer and the Supplier, the Supplier shall remain fully liable for all acts or omissions of any third-party processor appointed by it pursuant to this clause 6. Full details of all third parties providing such services to the Supplier and who are processing Personal data under this agreement are available upon requestimprovements. 6.10 The Supplier will update its Privacy Policy to reflect any changes in sub-processors or the addition of new sub-processors. It is the responsibility of the Customer to regularly review the Privacy Policy to stay informed of such changes. 6.11 The Customer acknowledges and agrees that the Supplier relies on third-party services for the hosting and processing of Customer Data pursuant to this agreement. Specifically, Amazon Web Services (AWS) is utilised as the primary infrastructure provider due to its robust data security measures and adherence to data protection legislation relevant to our operations. For comprehensive details regarding the use of AWS, including the location of data centres and the specific security and compliance measures in place, refer to Schedule 2 of this agreement. This schedule outlines how data storage and processing activities through AWS are conducted in strict conformity with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, ensuring the highest standards of data protection and security are maintained. 6.12 The Supplier will ensure that any use of Customer Data in aggregated and anonymised form is done in a manner that fully ensures such data cannot be re-identified, adhering to the standards of anonymisation defined under the UK GDPR. 6.13 The supplier will assist the customer in ensuring compliance with the data subject rights under the Data Protection Legislation, including but not limited to rights of access, correction, deletion, and data portability. 
6.14 The customer shall have the right to conduct an audit of the supplier's data processing activities related to this agreement once per year to ensure compliance with Data Protection Legislation and the terms of this agreement. Such audit shall be conducted at the customer's expense, with reasonable prior notice, and shall not unreasonably interfere with the supplier's business operations. 6.15 Any revisions to this clause related to data protection will be made in compliance with the latest data protection legislation and best practices, ensuring the protection of data subjects' rights. The Customer will be notified at least 30 days in advance of any such changes, which will only be implemented with the Customer's consent if they materially alter the data protection obligations of the parties.

Appears in 1 contract

Sources: Software as a Service Subscription Agreement

Customer Data. 6.1 5.1 The Customer shall own all right, title and interest in and to all of the Customer Data that is not personal data and shall have sole responsibility for the legality, reliability, integrity, accuracy and quality of all such the Customer Data. 6.2 5.2 The Supplier Customer acknowledges and agrees to create, assign and maintain the Unique Identifier assigned to their Customer Data across all types of Data Sources for the duration of this agreement 5.3 Activ8 Intelligence shall follow its archiving procedures for Customer Data as set out in its BackBackup Policy (available at ▇▇▇▇▇://▇▇▇▇▇▇.▇▇▇▇▇▇▇▇▇.▇▇▇/en_US/saas-Up Policyterms-and-conditions)) or such other website address as may be notified to the Customer, as such a document may be amended by Activ8 Intelligence in its sole discretion from time to time. In the event of any loss or damage to Customer Data, the Customer's ’s sole and exclusive remedy against the Supplier shall be for the Supplier Activ8 Intelligence to use reasonable commercial endeavours to restore the lost or damaged Customer Data from the latest back-up backup of such Customer Data maintained by the Supplier Activ8 Intelligence in accordance with the archiving procedure described in its Back-Up Backup Policy. The Supplier Activ8 Intelligence shall not be responsible for any loss, destruction, alteration or disclosure of Customer Data caused by any third party (except those third parties sub-contracted by the Supplier to perform services related to Customer Data maintenance and back-up for which it shall remain fully liable under clause 6.9)party. 
6.3 The Supplier 5.4 Activ8 Intelligence shall, in providing the Services, comply with its Privacy and Security Policy relating to the privacy and security of the Customer Data (available at ▇▇▇▇▇://▇▇▇▇▇▇.▇▇▇▇▇▇▇▇▇▇▇.▇▇./en_US/saas- terms-and-conditions) and the Activ8 Intelligence Data Protection Agreement attached to these terms, or such other website address as may be notified to the Customer from time to time, as such document documents may be amended from time to time by the Supplier Activ8 Intelligence in its sole discretion. 6.4 Both parties will follow all applicable requirements of the Data Protection Legislation. This clause 6 is in addition to, and does not relieve, remove or replace, a party's obligations under the Data Protection Legislation. 6.5 The parties acknowledge that: (a) if the Supplier 5.5 If Activ8 Intelligence processes any personal data on the Customer's ’s behalf when performing its obligations under this agreement, the parties record their intention that the Customer is shall be the data controller and the Supplier is the Activ8 Intelligence shall be a data processor for and in any such case: a) Unless agreed otherwise in writing by the purposes of the Data Protection Legislation (where Data Controller and Data Processor have the meanings as defined in the Data Protection Legislation). (b) Company, the Customer acknowledges and agrees that the personal data may not be transferred or stored outside the EEA or the country where the Customer and the Authorised Users are located in order to carry out the Services and the Supplier's Activ8 Intelligence’s other obligations under this agreement. 
If ; b) the Customer shall ensure that the Customer is entitled to transfer the relevant personal data is transferred or stored outside the UK, appropriate safeguards in accordance with UK GDPR, such as Standard Contractual Clauses approved by the UK Information Commissioner's Office (ICO), will be implemented to ensure compliance with UK data protection laws. 6.6 Without prejudice to the generality of clause 6.1, the Customer will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the Personal Data to the Supplier for the duration and purposes of this agreement Activ8 Intelligence so that the Supplier Activ8 Intelligence may lawfully use, process and transfer the Personal Data personal data in accordance with this agreement on the Customer's ’s behalf. 6.7 Without prejudice to the generality of clause 6.1, the Supplier shall, in relation to any Personal Data processed in connection with the performance by the Supplier of its obligations under this agreement: (a) Process that Personal Data only on the written instructions of the Customer, unless the Supplier is required by the laws of the United Kingdom, the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, or any applicable international laws to process Personal Data (Applicable Laws). 
In instances where the Supplier's data processing activities are subject to the laws of a member of the European Union due to cross-border operations or data transfers, and where such laws necessitate processing actions divergent from the Customer's instructions, the Supplier shall promptly notify the Customer of this requirement before commencing the processing required by the Applicable Laws, unless prohibited by those laws from providing such notification; (b) Not transfer any Personal Data outside of the United Kingdom or to any country not deemed to have adequate data protection laws by the UK Information Commissioner's Office (ICO), unless the following conditions are fulfilled: (ic) the Customer or the Supplier has provided appropriate safeguards in relation to the transfer such as Standard Contractual Clauses (SCCs) specifically adapted for the data transfer requirements under the UK GDPR, or any future UK adequacy decisions. When transferring personal data outside the UK, the Supplier will ensure the use of Standard Contractual Clauses approved by the UK Information Commissioner's Office (ICO), or shall ensure that the destination country has relevant third parties have been deemed to provide an adequate level of informed of, and have given their consent to, such use, processing, and transfer as required by all applicable data protection for legislation; d) Activ8 Intelligence shall process the personal data by the UK government; (ii) the data subject has enforceable rights and effective legal remedies only in accordance with the UK GDPR terms of this agreement and the Data Protection Act 2018; (iii) the Supplier ensures compliance with the UK Data Protection Legislation by providing an adequate level of protection to any Personal Data transferred, including adhering to any additional requirements set forth lawful instructions reasonably given by the UK Information Commissioner's Office (ICO)Customer from time to time; and (iv) the Supplier complies with 
reasonable instructions notified to it in advance by the Customer with respect to the processing of the Personal Data; (c) assist the Customer, at the Customer's cost, in responding to any request from a Data Subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators; (d) notify the ICO within 72 hours of becoming aware of a data breach. Where the breach is likely to result in a high risk to the rights and freedoms of natural persons, notify the affected data subjects without undue delay.; (e) at the written direction of the Customer, delete or return Personal Data and copies thereof to the Customer on termination of the agreement unless required by Applicable Law to store the Personal Data; and (f) maintain complete and accurate records and information to demonstrate its compliance with this clause 6. 6.8 Each each party shall ensure that it has in place take appropriate technical and organisational measures to protect against unauthorised or unlawful processing of Personal Data and against accidental loss the personal data or destruction of, or damage to, Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or its accidental loss, destruction or damage damage. 
f) Activ8 Intelligence may collect, use, and the nature disclose data derived from Customer’s use of the data to be protectedService for industry analysis, having regard to the state of technological development and the cost of implementing any measures (those measures may includebenchmarking, where appropriateanalytics, pseudonymisation and encrypting Personal Data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to Personal Data can be restored in a timely manner after an incidentmarketing, and regularly assessing and evaluating the effectiveness other business purposes in support of the technical and organisational measures adopted by it). 6.9 The Supplier will ensure that any sub-contractors appointed to process personal data on behalf provision of the Customer are subject to written agreements that require them to process Service. Any such data only on documented instructions from the Customer and in full compliance with the requirements of the UK GDPR, particularly Article 28. The Supplier confirms that it has entered or (as the case may be) will enter with the third-party processor into a written agreement substantially on that third party's standard terms of business. As between the Customer and the Supplier, the Supplier shall remain fully liable for all acts or omissions of any third-party processor appointed by it pursuant to this clause 6. Full details of all third parties providing such services to the Supplier and who are processing Personal data under this agreement are available upon request. 6.10 The Supplier will update its Privacy Policy to reflect any changes in sub-processors or the addition of new sub-processors. It is the responsibility of the Customer to regularly review the Privacy Policy to stay informed of such changes. 
6.11 The Customer acknowledges and agrees that the Supplier relies on third-party services for the hosting and processing of Customer Data pursuant to this agreement. Specifically, Amazon Web Services (AWS) is utilised as the primary infrastructure provider due to its robust data security measures and adherence to data protection legislation relevant to our operations. For comprehensive details regarding the use of AWS, including the location of data centres and the specific security and compliance measures in place, refer to Schedule 2 of this agreement. This schedule outlines how data storage and processing activities through AWS are conducted in strict conformity with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, ensuring the highest standards of data protection and security are maintained. 6.12 The Supplier will ensure that any use of Customer Data in aggregated and anonymised form is done in a manner that fully ensures such data cannot be re-identified, adhering to the standards of anonymisation defined under the UK GDPR. 6.13 The supplier will assist the customer in ensuring compliance with the data subject rights under the Data Protection Legislation, including but not limited to rights of access, correction, deletion, and data portability. 6.14 The customer shall have the right to conduct an audit of the supplier's data processing activities related to this agreement once per year to ensure compliance with Data Protection Legislation and the terms of this agreement. Such audit shall be conducted at the customers expense, with reasonable prior notice, and shall not unreasonably interfere with the supplier's business operations 6.15 Any revisions to this clause related to data protection will be made in compliance with the latest aggregate form only and will not contain Customer identifiable data protection legislation and best practices, ensuring the protection of data subjects' rights. 
The Customer will be notified at least 30 days unless agreed in advance of any such changes, which will only be implemented with the Customer's consent if they materially alter the data protection obligations of the partieswriting.

Appears in 1 contract

Sources: Software as a Service End User Agreement

Customer Data. 6.1 4.1 The Customer shall own all rightrights, title and interest in and to all of the Customer Data that is not personal data and shall have sole responsibility for the legality, reliability, integrity, accuracy and quality of all such the Customer Data. 6.2 4.2 The Supplier shall follow its archiving procedures for Customer Data as set out in its Back-Up PolicyData. In the event of any loss or damage to Customer Data, the Customer's sole and exclusive remedy against the Supplier shall be for the Supplier to use reasonable commercial endeavours endeavors to restore the lost or damaged Customer Data from the latest back-up of such Customer Data maintained by the Supplier in accordance with the archiving procedure described in its Back-Up Policyprocedure. The Supplier shall not be responsible for any loss, destruction, alteration or disclosure of Customer Data caused by any third party (except those third parties sub-contracted by the Supplier to perform services related to Customer Data maintenance and back-up for which it shall remain fully liable under clause 6.9up). 6.3 4.3 The Supplier shall, in providing the Services, comply with its Privacy and Security Policy relating to the privacy and security of the Customer Data available at ▇▇▇.▇▇▇▇▇▇▇▇▇▇▇.▇▇.▇▇ the website assigned to the Customer by the Supplier, or such other website address as may be notified to the Customer from time to time, as such document may be amended from time to time by the Supplier in its sole discretion. 6.4 Both parties will follow all applicable requirements of the Data Protection Legislation. This clause 6 is in addition to, and does not relieve, remove or replace, a party's obligations under the Data Protection Legislation. 
6.5 The parties acknowledge that: (a) if 4.4 If the Supplier processes any personal data on the Customer's ’s behalf when performing its obligations under this agreement, the parties record their intention that the Customer is shall be the data controller and the Supplier is the shall be a data processor for the purposes of the Data Protection Legislation (where Data Controller and Data Processor have the meanings as defined in the Data Protection Legislation).any such case: (ba) the Customer acknowledges and agrees that the personal data may be transferred or stored outside the EEA or the country state where the Customer and the Authorised Authorized Users are located in order to carry out the Services and the Supplier's ’s other obligations under this agreement. If ; (b) the Customer shall ensure that the Customer is entitled to transfer the relevant personal data is transferred or stored outside the UK, appropriate safeguards in accordance with UK GDPR, such as Standard Contractual Clauses approved by the UK Information Commissioner's Office (ICO), will be implemented to ensure compliance with UK data protection laws. 6.6 Without prejudice to the generality of clause 6.1, the Customer will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the Personal Data to the Supplier for the duration and purposes of this agreement so that the Supplier may lawfully use, process and transfer the Personal Data personal data in accordance with this agreement on the Customer's behalf. 
6.7 Without prejudice to the generality of clause 6.1, the Supplier shall, in relation to any Personal Data processed in connection with the performance by the Supplier of its obligations under this agreement: (a) Process that Personal Data only on the written instructions of the Customer, unless the Supplier is required by the laws of the United Kingdom, the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, or any applicable international laws to process Personal Data (Applicable Laws). In instances where the Supplier's data processing activities are subject to the laws of a member of the European Union due to cross-border operations or data transfers, and where such laws necessitate processing actions divergent from the Customer's instructions, the Supplier shall promptly notify the Customer of this requirement before commencing the processing required by the Applicable Laws, unless prohibited by those laws from providing such notification; (b) Not transfer any Personal Data outside of the United Kingdom or to any country not deemed to have adequate data protection laws by the UK Information Commissioner's Office (ICO), unless the following conditions are fulfilled: (i) the Customer or the Supplier has provided appropriate safeguards in relation to the transfer such as Standard Contractual Clauses (SCCs) specifically adapted for the data transfer requirements under the UK GDPR, or any future UK adequacy decisions. 
When transferring personal data outside the UK, the Supplier will ensure the use of Standard Contractual Clauses approved by the UK Information Commissioner's Office (ICO), or ensure that the destination country has been deemed to provide an adequate level of protection for personal data by the UK government; (ii) the data subject has enforceable rights and effective legal remedies in accordance with the UK GDPR and the Data Protection Act 2018; (iii) the Supplier ensures compliance with the UK Data Protection Legislation by providing an adequate level of protection to any Personal Data transferred, including adhering to any additional requirements set forth by the UK Information Commissioner's Office (ICO); and (iv) the Supplier complies with reasonable instructions notified to it in advance by the Customer with respect to the processing of the Personal Data; (c) assist the CustomerCustomer shall ensure that the relevant third parties have been informed of, at the Customer's costand have given their consent to, in responding to any request from a Data Subject such use, processing, and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulatorstransfer as required by all applicable data protection legislation; (d) notify the ICO within 72 hours Supplier shall process the personal data only in accordance with the terms of becoming aware of a data breach. 
Where this agreement and any lawful instructions reasonably given by the breach is likely Customer from time to result in a high risk to the rights and freedoms of natural persons, notify the affected data subjects without undue delay.;time; and (e) at the written direction of the Customer, delete or return Personal Data and copies thereof to the Customer on termination of the agreement unless required by Applicable Law to store the Personal Data; and (f) maintain complete and accurate records and information to demonstrate its compliance with this clause 6. 6.8 Each each party shall ensure that it has in place take appropriate technical and organisational organizational measures to protect against unauthorised unauthorized or unlawful processing of Personal Data and against accidental loss the personal data or destruction of, or damage to, Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or its accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymisation and encrypting Personal Data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it)damage. 6.9 The Supplier will ensure that any sub-contractors appointed to process personal data on behalf of the Customer are subject to written agreements that require them to process such data only on documented instructions from the Customer and in full compliance with the requirements of the UK GDPR, particularly Article 28. 
The Supplier confirms that it has entered or (as the case may be) will enter with the third-party processor into a written agreement substantially on that third party's standard terms of business. As between the Customer and the Supplier, the Supplier shall remain fully liable for all acts or omissions of any third-party processor appointed by it pursuant to this clause 6. Full details of all third parties providing such services to the Supplier and who are processing Personal data under this agreement are available upon request. 6.10 The Supplier will update its Privacy Policy to reflect any changes in sub-processors or the addition of new sub-processors. It is the responsibility of the Customer to regularly review the Privacy Policy to stay informed of such changes. 6.11 The Customer acknowledges and agrees that the Supplier relies on third-party services for the hosting and processing of Customer Data pursuant to this agreement. Specifically, Amazon Web Services (AWS) is utilised as the primary infrastructure provider due to its robust data security measures and adherence to data protection legislation relevant to our operations. For comprehensive details regarding the use of AWS, including the location of data centres and the specific security and compliance measures in place, refer to Schedule 2 of this agreement. This schedule outlines how data storage and processing activities through AWS are conducted in strict conformity with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, ensuring the highest standards of data protection and security are maintained. 6.12 The Supplier will ensure that any use of Customer Data in aggregated and anonymised form is done in a manner that fully ensures such data cannot be re-identified, adhering to the standards of anonymisation defined under the UK GDPR. 
6.13 The supplier will assist the customer in ensuring compliance with the data subject rights under the Data Protection Legislation, including but not limited to rights of access, correction, deletion, and data portability. 6.14 The customer shall have the right to conduct an audit of the supplier's data processing activities related to this agreement once per year to ensure compliance with Data Protection Legislation and the terms of this agreement. Such audit shall be conducted at the customer's expense, with reasonable prior notice, and shall not unreasonably interfere with the supplier's business operations. 6.15 Any revisions to this clause related to data protection will be made in compliance with the latest data protection legislation and best practices, ensuring the protection of data subjects' rights. The Customer will be notified at least 30 days in advance of any such changes, which will only be implemented with the Customer's consent if they materially alter the data protection obligations of the parties.

Appears in 1 contract

Sources: Software License & Service Agreement

Customer Data. 6.1 5.1 The Parties acknowledge the Customer shall own all right, title and interest in and to all is the owner of the Customer Data that is not personal and the data controller of the Customer Personal Data and shall have sole responsibility for the legality, reliability, integrity, accuracy and quality of all such the Customer Data. 6.2 The Supplier 5.2 AH shall follow its archiving procedures for Customer Data as set out in its Back-Up Policyback- up policy as may be notified to the Customer from time to time, as such document may be amended by AH in its sole discretion from time to time. In the event of any loss or damage to Customer Data, the Customer's sole and exclusive remedy against the Supplier shall be for the Supplier AH to use reasonable commercial endeavours to restore the lost or damaged Customer Data from the latest back-up of such Customer Data maintained by the Supplier AH in accordance with the archiving procedure described in its Backback-Up Policyup policy. The Supplier AH shall not be responsible for any loss, destruction, alteration or disclosure of Customer Data caused by any third party (except those third parties sub-contracted by the Supplier AH to perform services related to Customer Data maintenance and back-up for which it shall remain fully liable under clause 6.9up). 6.3 The Supplier shall, in providing the Services, comply with its Privacy and Security Policy relating 5.3 Subject to the privacy terms and security conditions of this Agreement and clause 5.8 below, Customer hereby grants to AH a non-exclusive, limited, royalty-free licence, to use the Customer Data available at ▇▇▇as necessary to provide the Software and perform the Services under this Agreement.▇▇▇▇▇▇▇▇▇▇▇.▇▇.▇▇ or such other website address as may be notified 5.4 To the extent applicable to the Services provided by AH to Customer from time to time, as such document may be amended from time to time by the Supplier in its sole discretion. 
6.4 Both parties will follow all applicable requirements of the Data Protection Legislation. This clause 6 is in addition to, and does not relieve, remove or replace, a party's obligations under the Data Protection Legislation. 6.5 The parties acknowledge that: (a) if the Supplier processes any personal data on the Customer's behalf when performing its obligations under this agreementAgreement, the Customer is the data controller and the Supplier is the data processor for the purposes of the Data Protection Legislation (where Data Controller and Data Processor have the meanings as defined in the Data Protection Legislation). (b) the Customer acknowledges and agrees that the personal data may be transferred or stored outside the EEA or the country where the Customer and the Authorised Users are located to carry out the Services and the Supplier's other obligations under this agreement. If personal data is transferred or stored outside the UK, appropriate safeguards in accordance with UK GDPR, such as Standard Contractual Clauses approved by the UK Information Commissioner's Office (ICO), AH will be implemented to ensure compliance with UK data protection laws. 6.6 Without prejudice to the generality of clause 6.1, the Customer will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the Personal Data to the Supplier for the duration and purposes of this agreement so that the Supplier may lawfully use, process and transfer the Personal Data in accordance with this agreement on the Customer's behalf. 
6.7 Without prejudice to the generality of clause 6.1, the Supplier shall, in relation to any Personal Data processed in connection with the performance by the Supplier of its obligations under this agreement: (a) Process that Personal Data only on the written instructions of the Customer, unless the Supplier is required by the laws of the United Kingdom, the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, or any applicable international laws to process Personal Data (Applicable Laws). In instances where the Supplier's data processing activities are subject to the laws of a member of the European Union due to cross-border operations or data transfers, and where such laws necessitate processing actions divergent from the Customer's instructions, the Supplier shall promptly notify the Customer of this requirement before commencing the processing required by the Applicable Laws, unless prohibited by those laws from providing such notification; (b) Not transfer any Personal Data outside of the United Kingdom or to any country not deemed to have adequate data protection laws by the UK Information Commissioner's Office (ICO), unless the following conditions are fulfilled: (i) the Customer or the Supplier has provided appropriate safeguards in relation to the transfer such as Standard Contractual Clauses (SCCs) specifically adapted for the data transfer requirements under the UK GDPR, or any future UK adequacy decisions. 
When transferring personal data outside the UK, the Supplier will ensure the use of Standard Contractual Clauses approved by the UK Information Commissioner's Office (ICO), or ensure that the destination country has been deemed to provide an adequate level of protection for personal data by the UK government; (ii) the data subject has enforceable rights and effective legal remedies in accordance with the UK GDPR and the Data Protection Act 2018; (iii) the Supplier ensures compliance with the UK Data Protection Legislation by providing an adequate level of protection to any Personal Data transferred, including adhering to any additional requirements set forth by the UK Information Commissioner's Office (ICO); and (iv) the Supplier complies with reasonable instructions notified to it in advance by the Customer with respect to the processing of the Personal Data; (c) assist the Customer, at the Customer's cost, in responding to any request from a Data Subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators; (d) notify the ICO within 72 hours of becoming aware of a data breach. Where the breach is likely to result in a high risk to the rights and freedoms of natural persons, notify the affected data subjects without undue delay.; (e) at the written direction of the Customer, delete or return Personal Data and copies thereof to the Customer on termination of the agreement unless required by Applicable Law to store the Personal Data; and (f) maintain complete and accurate records and information to demonstrate its compliance with this clause 6. 
6.8 Each party shall ensure that it has in place appropriate technical and organisational measures to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures, implement and maintain commercially reasonable security measures designed to meet the following objectives (those measures may include, where appropriate, pseudonymisation and encrypting Personal Data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it). 6.9 The Supplier will ensure that any sub-contractors appointed to process personal data on behalf of the Customer are subject to written agreements that require them to process such data only on documented instructions from the Customer and in full compliance with the requirements of the UK GDPR, particularly Article 28. The Supplier confirms that it has entered or (as the case may be) will enter with the third-party processor into a written agreement substantially on that third party's standard terms of business. As between the Customer and the Suppliercollectively, the Supplier shall remain fully liable for all acts or omissions of any third-party processor appointed by it pursuant to this clause 6. Full details of all third parties providing such services to "AH Security Program"): 5.4.1 ensure the Supplier and who are processing Personal data under this agreement are available upon request. 
6.10 The Supplier will update its Privacy Policy to reflect any changes in sub-processors or the addition of new sub-processors. It is the responsibility of the Customer to regularly review the Privacy Policy to stay informed of such changes. 6.11 The Customer acknowledges and agrees that the Supplier relies on third-party services for the hosting and processing of Customer Data pursuant to this agreement. Specifically, Amazon Web Services (AWS) is utilised as the primary infrastructure provider due to its robust data security measures and adherence to data protection legislation relevant to our operations. For comprehensive details regarding the use of AWS, including the location of data centres and the specific security and compliance measures in place, refer to Schedule 2 of this agreement. This schedule outlines how data storage and processing activities through AWS are conducted in strict conformity with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, ensuring the highest standards of data protection and security are maintained. 6.12 The Supplier will ensure that any use confidentiality of Customer Data in aggregated the custody and anonymised form under the control of AH; 5.4.2 protect against any anticipated threats or hazards to the security or integrity of such Customer Data; 5.4.3 protect against unauthorised access to or use of such Customer Data; 5.4.4 encrypt Customer Data as specified in clause 5.5 below; and 5.4.5 save as provided in clause 5.8 below, ensure that AH’s return or disposal of such Customer Data is done performed in a manner that fully ensures consistent with AH’s obligations under clauses 5.4.1 to 5.4.5 above. 5.5 AH will encrypt Customer Data in AH’s possession or under its control when transmitted, using any then current industry standard encryption technology. Where applicable, Customer is solely responsible for safeguarding all encryption keys applicable to Customer Data. 
Customer may not provide any such data cannot be re-identifiedkeys to AH without AH’s express, adhering prior written consent in each instance. 5.6 AH will notify Customer of unauthorised access to, or use or disclosure of Customer Data within AH’s custody and control within ten (10) Business Days of AH’s confirmation of the same; each party will reasonably cooperate with the other with respect to the standards investigation and resolution of anonymisation defined under the UK GDPR. 6.13 The supplier will assist the customer in ensuring compliance with the data subject rights under the Data Protection Legislation, including but not limited to rights of such unauthorised access, correctionuse or disclosure. Upon confirmation of any vulnerability or breach of AH’s security affecting Customer Data in AH’s custody and control, deletion, AH will modify its processes and data portability. 6.14 The customer shall have security program as necessary to mitigate the right to conduct an audit effects of the supplier's data processing activities related to this agreement once per year to ensure compliance with Data Protection Legislation and the terms of this agreementvulnerability or breach upon such Customer Data. Such audit shall be conducted at the customer's expense, with reasonable prior notice, and shall not unreasonably interfere with the supplier's business operations. 6.15 Any revisions to this clause related to data protection will be made in compliance with the latest data protection legislation and best practices, ensuring the protection of data subjects' rights. 
The Customer will be notified at least 30 days in advance notify AH of any such changes, which will only be implemented security compromise affecting its Authorised Users' authentication credentials used to access the Software and any Customer systems or networks that interoperate with the Customer's consent if they materially alter the or transmit data protection obligations to AH within two (2) Business Days of confirmation of the partiessame.

Appears in 1 contract

Sources: Software as a Service Agreement

Customer Data. 6.1 5.1. The Customer shall own all right, title and interest in and to all of the Customer Data that is not personal data and shall have sole responsibility for the legality, reliability, integrity, accuracy and quality of all such Customer Data. 6.2 5.2. The Supplier shall follow its archiving procedures for maintenance of metadata related to Customer Data as set out in its BackMetadata Maintenance Policy available at ▇▇▇▇▇://▇▇▇▇▇▇▇▇.▇▇/metadata-Up Policymaintenance-policy or such other website address as may be notified to the Customer from time to time, as such document may be amended by the Supplier in its sole discretion from time to time. In the event of any loss or damage to Customer Data, the Customer's sole and exclusive remedy against the Supplier shall be for the Supplier to use reasonable commercial endeavours to provide the Customer with available Customer comprehensible metadata to restore the lost or damaged Customer Data from the latest back-up version of such metadata related to Customer Data maintained by the Supplier in accordance with the archiving procedure described in its Back-Up Metadata Maintenance Policy. The Supplier shall not be responsible for any loss, destruction, alteration or disclosure of Customer Data caused by any third party (except those third parties sub-sub- contracted by the Supplier to perform services related to Customer Data maintenance and back-up for which it shall remain fully liable under clause 6.95.9). 6.3 5.3. The Supplier shall, in providing the Services, comply with its Privacy and Security Policy relating to the privacy and security of the Customer Data available at ▇▇▇.▇▇://▇▇▇▇▇▇▇▇.▇▇.▇▇ /privacy-security-policy or such other website address as may be notified to the Customer from time to time, as such document may be amended from time to time by the Supplier in its sole discretion. 6.4 5.4. Both parties will follow comply with all applicable requirements of the Data Protection Legislation. 
This clause 6 5 is in addition to, and does not relieve, remove or replace, a party's obligations or rights under the Data Protection Legislation. 6.5 5.5. The parties acknowledge that: (a) if the Supplier processes any personal data on the Customer's behalf when performing its obligations under this agreement, the Customer is the data controller and the Supplier is the data processor for the purposes of the Data Protection Legislation (where Data Controller and Data Processor have the meanings as defined in the Data Protection Legislation). (b) Schedule 2 sets out the Customer acknowledges scope, nature and agrees that purpose of processing by the Supplier, the duration of the processing and the types of personal data and categories of data subject. (c) the personal data may be transferred or stored outside the EEA or the country where the Customer and the Authorised Users are located in order to carry out the Services and the Supplier's other obligations under this agreement. If personal data is transferred or stored outside the UK, appropriate safeguards in accordance with UK GDPR, such as Standard Contractual Clauses approved by the UK Information Commissioner's Office (ICO), will be implemented to ensure compliance with UK data protection laws. 6.6 5.6. Without prejudice to the generality of clause 6.15.4, the Customer will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the Personal Data personal data to the Supplier for the duration and purposes of this agreement so that the Supplier may lawfully use, process and transfer the Personal Data personal data in accordance with this agreement on the Customer's behalf. 6.7 5.7. 
Without prejudice to the generality of clause 6.15.4, the Supplier shall, in relation to any Personal Data personal data processed in connection with the performance by the Supplier of its obligations under this agreement: (a) Process process that Personal Data personal data only on the documented written instructions of the Customer, Customer unless the Supplier is required by the laws of any member of the United Kingdom, European Union or by the laws of the European Union applicable to the Supplier and/or Domestic UK Law (where Domestic UK Law means the UK General Data Protection Regulation (UK GDPR), Legislation and any other law that applies in the Data Protection Act 2018, or any applicable international laws UK) to process Personal Data personal data (Applicable Laws). In instances where Where the Supplier's data Supplier is relying on Applicable Laws as the basis for processing activities are subject to the laws of a member of the European Union due to cross-border operations or data transfers, and where such laws necessitate processing actions divergent from the Customer's instructionspersonal data, the Supplier shall promptly notify the Customer of this requirement before commencing performing the processing required by the Applicable Laws, Laws unless prohibited by those laws Applicable Laws prohibit the Supplier from providing such notificationso notifying the Customer; (b) Not not transfer any Personal Data personal data outside of the European Economic Area and the United Kingdom or to any country not deemed to have adequate data protection laws by the UK Information Commissioner's Office (ICO), unless the following conditions are fulfilled: (i) i. the Customer or the Supplier has provided appropriate safeguards in relation to the transfer such as Standard Contractual Clauses (SCCs) specifically adapted for the data transfer requirements under the UK GDPR, or any future UK adequacy decisions. 
When transferring personal data outside the UK, the Supplier will ensure the use of Standard Contractual Clauses approved by the UK Information Commissioner's Office (ICO), or ensure that the destination country has been deemed to provide an adequate level of protection for personal data by the UK governmenttransfer; (ii) . the data subject has enforceable rights and effective legal remedies in accordance with the UK GDPR and the Data Protection Act 2018remedies; (iii) . the Supplier ensures compliance complies with its obligations under the UK Data Protection Legislation by providing an adequate level of protection to any Personal Data personal data that is transferred, including adhering to any additional requirements set forth by the UK Information Commissioner's Office (ICO); and (iv) . the Supplier complies with reasonable instructions notified to it in advance by the Customer with respect to the processing of the Personal Datapersonal data; (c) assist the Customer, at the Customer's cost, in responding to any request from a Data Subject data subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators; (d) notify the ICO within 72 hours of Customer without undue delay on becoming aware of a personal data breach. 
Where the breach is likely to result in a high risk to the rights and freedoms of natural persons, notify the affected data subjects without undue delay.; (e) at the written direction of the Customer, delete or return Personal Data personal data it can reasonably identify and copies thereof to the Customer on termination of the agreement unless required by Applicable Law to store the Personal Datapersonal data (and for these purposes the term "delete" shall mean to put such data beyond use); and (f) maintain complete and accurate records and information to demonstrate its compliance with this clause 65 and immediately inform the Customer if, in the opinion of the Supplier, an instruction infringes the Data Protection Legislation. 6.8 5.8. Each party shall ensure that it has in place appropriate technical and organisational measures to protect against unauthorised or unlawful processing of Personal Data personal data and against accidental loss or destruction of, or damage to, Personal Datapersonal data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymisation pseudonymising and encr ypting Personal Dataencrypting personal data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to Personal Data personal data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it). 6.9 5.9. 
The Customer consents to the Supplier will ensure that appointing or otherwise hosting its Software with (i) Amazon Web Services EMEA SARL or any subother member of the Amazon Web Services Group; and (ii) any other third party processor the Supplier considers appropriate to the provision of the Services; as a third-contractors appointed to process party processor of personal data on behalf of the Customer are subject to written agreements that require them to process such data only on documented instructions from the Customer and in full compliance with the requirements of the UK GDPR, particularly Article 28under this agreement. The Supplier confirms that it has entered or (as the case may be) will enter with the third- third-party processor into a written agreement substantially on that third party's standard terms of businessbusiness including terms related to the requirements of the Data Protection Legislation. As between the Customer and the Supplier, the Supplier shall remain fully liable for all acts or omissions use commercially reasonable efforts to enforce the terms of any third-party processor appointed by it pursuant to this clause 6. Full details of all third parties providing such services to the Supplier and who are processing Personal data under this agreement are available upon requestprocessor. 6.10 The Supplier will update its Privacy Policy to reflect any changes in sub-processors or the addition of new sub-processors. It is the responsibility of the Customer to regularly review the Privacy Policy to stay informed of such changes. 6.11 The Customer acknowledges and agrees that the Supplier relies on third-party services for the hosting and processing of Customer Data pursuant to this agreement. Specifically, Amazon Web Services (AWS) is utilised as the primary infrastructure provider due to its robust data security measures and adherence to data protection legislation relevant to our operations. 
For comprehensive details regarding the use of AWS, including the location of data centres and the specific security and compliance measures in place, refer to Schedule 2 of this agreement. This schedule outlines how data storage and processing activities through AWS are conducted in strict conformity with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, ensuring the highest standards of data protection and security are maintained. 6.12 The Supplier will ensure that any use of Customer Data in aggregated and anonymised form is done in a manner that fully ensures such data cannot be re-identified, adhering to the standards of anonymisation defined under the UK GDPR. 6.13 The supplier will assist the customer in ensuring compliance with the data subject rights under the Data Protection Legislation, including but not limited to rights of access, correction, deletion, and data portability. 6.14 The customer shall have the right to conduct an audit of the supplier's data processing activities related to this agreement once per year to ensure compliance with Data Protection Legislation and the terms of this agreement. Such audit shall be conducted at the customer's expense, with reasonable prior notice, and shall not unreasonably interfere with the supplier's business operations. 6.15 Any revisions to this clause related to data protection will be made in compliance with the latest data protection legislation and best practices, ensuring the protection of data subjects' rights. The Customer will be notified at least 30 days in advance of any such changes, which will only be implemented with the Customer's consent if they materially alter the data protection obligations of the parties.

Appears in 1 contract

Sources: Software License Agreement

Customer Data. 6.1 11.1 The Customer shall own all right, title and interest in and to all of the Customer Data that is not Materials and Customer Data, aside from the data subject’s personal data, of which the data subject retains ownership, and shall have sole responsibility for the legality, reliability, integrity, accuracy and quality of all such Customer Data. All metadata created by the Supplier will remain the property of the Supplier. 6.2 11.2 The Supplier shall follow its archiving internal procedures for handling Customer Data as set out in its Back-Up Policyand will at all times comply with ISO27001. In the event of any loss or damage to Customer Data, the Customer's ’s sole and exclusive remedy against the Supplier shall be for the Supplier to use reasonable commercial endeavours to restore the lost or damaged Customer Data from the latest back-up of such Customer Data maintained by the Supplier in accordance with the archiving procedure described in its Back-Up Policy. internal procedures The Supplier shall not be responsible for any loss, destruction, alteration or disclosure of Customer Data caused by any third party (except those third parties sub-contracted by the Supplier to perform services Services related to Customer Data maintenance and back-up for which it shall remain fully liable under clause 6.911.9). 6.3 The Supplier shall, in providing the Services, comply with its Privacy and Security Policy relating to the privacy and security of the Customer Data available at ▇▇▇.▇▇▇▇▇▇▇▇▇▇▇.▇▇.▇▇ or such other website address as may be notified to the Customer from time to time, as such document may be amended from time to time by the Supplier in its sole discretion. 6.4 11.3 Both parties will follow comply with all applicable requirements of the Data Protection Legislation. This clause 6 11 is in addition to, and does not relieve, remove or replace, a party's ’s obligations or rights under the Data Protection Legislation. 
6.5 11.4 The Supplier shall retain a copy of the Customer Data for 12 months after the completion of Services, unless otherwise requested by the Customer. If the Customer Data is stored within FreeDocs, the Customer Data will be retained until the Customer’s subscription to FreeDocs ceases. 11.5 The parties acknowledge that: (a) 11.5.1 if the Supplier processes any personal data on the Customer's ’s behalf when performing its obligations under this agreementAgreement, the Customer is the data controller and the Supplier is the data processor for the purposes of the Data Protection Legislation (where Data Controller and Data Processor have the meanings as defined in the Data Protection Legislation). (b) 11.5.2 Schedule 4 sets out the Customer acknowledges scope, nature and agrees that purpose of processing by the Supplier, the duration of the processing and the types of personal data and categories of data subject. 11.5.3 the personal data may be transferred or stored outside the EEA or the country where the Customer and the Authorised Users are located in order to carry out the Services and the Supplier's ’s other obligations under this agreement. If personal data is transferred or stored outside the UK, appropriate safeguards in accordance with UK GDPR, such as Standard Contractual Clauses approved by the UK Information Commissioner's Office (ICO), will be implemented to ensure compliance with UK data protection lawsAgreement. 6.6 11.6 Without prejudice to the generality of clause 6.111.3, the Customer will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the Personal Data personal data to the Supplier for the duration and purposes of this agreement Agreement so that the Supplier may lawfully use, process and transfer the Personal Data personal data in accordance with this agreement Agreement on the Customer's ’s behalf. 
6.7 11.7 Without prejudice to the generality of clause 6.111.3, the Supplier shall, in relation to any Personal Data personal data processed in connection with the performance by the Supplier of its obligations under this agreementAgreement: (a) Process 11.7.1 process that Personal Data personal data only on the documented written instructions of the Customer, Customer unless the Supplier is required by the laws of the United KingdomEuropean Union applicable to the Supplier, and/or Domestic UK Law, where Domestic UK Law means the UK General Data Protection Regulation (UK GDPR)Legislation and any other law that applies in the UK, the Data Protection Act 2018, or any applicable international laws to process Personal Data (Applicable Laws). In instances where the Supplier's data processing activities are subject to the laws of a member of the European Union due to cross-border operations or data transfers, and where such laws necessitate processing actions divergent from the Customer's instructions, the Supplier shall promptly notify the Customer of this requirement before commencing the processing required by the Applicable Laws, unless prohibited by those laws from providing such notificationpersonal data; (b) Not 11.7.2 not transfer any Personal Data personal data outside of the United Kingdom or to any country not deemed to have adequate data protection laws by and the UK Information Commissioner's Office (ICO)European Economic Area, nor between the United Kingdom and the European Economic Area, unless the following conditions are fulfilled: (ia) the Customer or the Supplier has provided appropriate safeguards in relation to the transfer such as Standard Contractual Clauses (SCCs) specifically adapted for the data transfer requirements under the UK GDPR, or any future UK adequacy decisions. 
When transferring personal data outside the UK, the Supplier will ensure the use of Standard Contractual Clauses approved by the UK Information Commissioner's Office (ICO), or ensure that the destination country has been deemed to provide an adequate level of protection for personal data by the UK governmenttransfer; (iib) the data subject has enforceable rights and effective legal remedies in accordance with the UK GDPR and the Data Protection Act 2018remedies; (iiic) the Supplier ensures compliance complies with its obligations under the UK Data Protection Legislation and European Union’s GDPR, by providing an adequate level of protection to any Personal Data personal data that is transferred, including adhering to any additional requirements set forth by the UK Information Commissioner's Office (ICO); and; (ivd) the Supplier complies with reasonable instructions notified to it in advance by the Customer with respect to the processing of the Personal Datapersonal data; (c) 11.7.3 assist the Customer, at the Customer's ’s cost, in responding to any request from a Data Subject data subject and in ensuring compliance with its obligations under the UK Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators; (d) 11.7.4 notify the ICO within 72 hours of Customer without undue delay on becoming aware of a personal data breach. 
Where the breach is likely to result in a high risk to the rights and freedoms of natural persons, notify the affected data subjects without undue delay.; (e) 11.7.5 at the written direction of the Customer, delete or return Personal Data personal data and copies thereof to the Customer on termination of the agreement unless required by Applicable Law to store the Personal Datapersonal data; and (f) 11.7.6 maintain complete and accurate records and information to demonstrate its compliance with this clause 611 and immediately inform the Company if, in the opinion of the VAR, an instruction infringes the Data Protection Legislation. 6.8 11.8 Each party shall ensure that it has in place appropriate technical and organisational measures measures, reviewed and approved by the other party, to protect against unauthorised or unlawful processing of Personal Data personal data and against accidental loss or destruction of, or damage to, Personal Datapersonal data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymisation pseudonymising and encr ypting Personal Dataencrypting personal data, ensuring confidentiality, integrity, availability and resilience of its systems and servicesServices, ensuring that availability of and access to Personal Data personal data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it). 
6.9 11.9 The Customer consents to the Supplier will ensure that any subappointing a third-contractors appointed to process party processor of personal data on behalf of under this Agreement, if the Customer are subject to written agreements that require them to process such data only on documented instructions from the Customer and in full compliance with the requirements of the UK GDPR, particularly Article 28Supplier deems it necessary. The Supplier confirms that it has entered or (as the case may be) will enter with the third- third-party processor into a written agreement agreement, substantially on that third party's ’s standard terms of business, or incorporating terms which are substantially similar to those set out in this clause 11, and in either case which the VAR confirms or undertakes, and will continue to reflect the requirements of the Data Protection Legislation. As between the Customer and the Supplier, the Supplier shall remain fully liable for all acts or omissions of any third-party processor appointed by it pursuant to this clause 6. Full details of all third parties providing such services to the Supplier and who are processing Personal data under this agreement are available upon request11. 6.10 The Supplier will update its Privacy Policy 11.10 Either party may, at any time on not less than 30 days’ notice, revise this clause 11 by replacing it with any applicable controller to reflect any changes in sub-processors processor standard clauses or the addition similar terms forming part of new sub-processors. It is the responsibility of the Customer to regularly review the Privacy Policy to stay informed of such changes. 6.11 The Customer acknowledges and agrees that the Supplier relies on third-party services for the hosting and processing of Customer Data pursuant an applicable certification scheme, which shall apply when replaced by attachment to this agreement. 
Specifically, Amazon Web Services (AWS) is utilised as the primary infrastructure provider due to its robust data security measures and adherence to data protection legislation relevant to our operations. For comprehensive details regarding the use of AWS, including the location of data centres and the specific security and compliance measures in place, refer to Schedule 2 of this agreement. This schedule outlines how data storage and processing activities through AWS are conducted in strict conformity with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, ensuring the highest standards of data protection and security are maintainedAgreement. 6.12 The Supplier will ensure that any use of Customer Data in aggregated and anonymised form is done in a manner that fully ensures such data cannot be re-identified, adhering to the standards of anonymisation defined under the UK GDPR. 6.13 The supplier will assist the customer in ensuring compliance with the data subject rights under the Data Protection Legislation, including but not limited to rights of access, correction, deletion, and data portability. 6.14 The customer shall have the right to conduct an audit of the supplier's data processing activities related to this agreement once per year to ensure compliance with Data Protection Legislation and the terms of this agreement. Such audit shall be conducted at the customer's expense, with reasonable prior notice, and shall not unreasonably interfere with the supplier's business operations. 6.15 Any revisions to this clause related to data protection will be made in compliance with the latest data protection legislation and best practices, ensuring the protection of data subjects' rights. The Customer will be notified at least 30 days in advance of any such changes, which will only be implemented with the Customer's consent if they materially alter the data protection obligations of the parties.

Appears in 1 contract

Sources: Service Agreement

Customer Data. 6.1 4.1 The Customer shall own all right, title and interest in and to all of the Customer Data that is not personal data and shall have sole responsibility for the legality, reliability, integrity, accuracy and quality of all such the Customer Data. 6.2 4.2 The Supplier shall follow its standard archiving procedures for Customer Data as set out in its Back-Up PolicyData. In the event of any loss or damage to Customer Data, the Customer's sole and exclusive remedy against the Supplier shall be for the Supplier to use reasonable commercial endeavours to restore the lost or damaged Customer Data from the latest back-up of such Customer Data maintained by the Supplier in accordance with the its standard archiving procedure described in its Back-Up Policyprocedure. The Supplier shall not be responsible for any loss, destruction, alteration or disclosure of Customer Data caused by any third party (except those third parties sub-contracted by the Supplier to perform services related to Customer Data maintenance and back-up for which it shall remain fully liable under clause 6.9up). 6.3 4.3 The Customer acknowledges that the Supplier does not, as part of its operations in providing the Services, collect personal data for its own purposes. All data collected as a result of the use of the Services is stored anonymously by the Supplier. However, the Supplier shall, in providing the Services, comply with its Privacy legal and Security Policy statutory obligations relating to the privacy and security of any personal data provided by the Customer Data available at ▇▇▇.▇▇▇▇▇▇▇▇▇▇▇.▇▇.▇▇ or such other website address as Customer’s service users. Anonymised data may be notified to the Customer from time to time, as such document may be amended from time to time used by the Supplier in to improve its sole discretionservices or for general dissemination of anonymised analysis to the relevant industry and to Customers. 
6.4 Both parties will follow all applicable requirements of the Data Protection Legislation. This clause 6 is in addition to, and does not relieve, remove or replace, a party's obligations under the Data Protection Legislation. 6.5 The parties acknowledge that: (a) if 4.4 If the Supplier processes any personal data on the Customer's behalf when performing its obligations under this agreementobligations, the parties record their intention that the Customer is shall be the data controller and the Supplier is the shall be a data processor for the purposes of the Data Protection Legislation (where Data Controller and Data Processor have the meanings as defined in the Data Protection Legislation).any such case: (ba) the Customer acknowledges and agrees that the personal data may be transferred or stored outside the EEA or the country where the Customer and the Authorised Users are located in order to carry out the Services and the Supplier's other obligations under this agreement. If obligations; (b) the Customer shall ensure that the Customer is entitled to transfer the relevant personal data is transferred or stored outside the UK, appropriate safeguards in accordance with UK GDPR, such as Standard Contractual Clauses approved by the UK Information Commissioner's Office (ICO), will be implemented to ensure compliance with UK data protection laws. 6.6 Without prejudice to the generality of clause 6.1, the Customer will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the Personal Data to the Supplier for the duration and purposes of this agreement so that the Supplier may lawfully use, process and transfer the Personal Data personal data in accordance with this agreement these terms on the Customer's behalf. 
6.7 Without prejudice to the generality of clause 6.1, the Supplier shall, in relation to any Personal Data processed in connection with the performance by the Supplier of its obligations under this agreement: (a) Process that Personal Data only on the written instructions of the Customer, unless the Supplier is required by the laws of the United Kingdom, the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, or any applicable international laws to process Personal Data (Applicable Laws). In instances where the Supplier's data processing activities are subject to the laws of a member of the European Union due to cross-border operations or data transfers, and where such laws necessitate processing actions divergent from the Customer's instructions, the Supplier shall promptly notify the Customer of this requirement before commencing the processing required by the Applicable Laws, unless prohibited by those laws from providing such notification; (b) Not transfer any Personal Data outside of the United Kingdom or to any country not deemed to have adequate data protection laws by the UK Information Commissioner's Office (ICO), unless the following conditions are fulfilled: (i) the Customer or the Supplier has provided appropriate safeguards in relation to the transfer such as Standard Contractual Clauses (SCCs) specifically adapted for the data transfer requirements under the UK GDPR, or any future UK adequacy decisions. 
When transferring personal data outside the UK, the Supplier will ensure the use of Standard Contractual Clauses approved by the UK Information Commissioner's Office (ICO), or ensure that the destination country has been deemed to provide an adequate level of protection for personal data by the UK government; (ii) the data subject has enforceable rights and effective legal remedies in accordance with the UK GDPR and the Data Protection Act 2018; (iii) the Supplier ensures compliance with the UK Data Protection Legislation by providing an adequate level of protection to any Personal Data transferred, including adhering to any additional requirements set forth by the UK Information Commissioner's Office (ICO); and (iv) the Supplier complies with reasonable instructions notified to it in advance by the Customer with respect to the processing of the Personal Data; (c) assist the CustomerCustomer shall ensure that the relevant third parties have been informed of, at the Customer's costand have given their consent to, in responding to any request from a Data Subject such use, processing, and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulatorstransfer as required by all applicable data protection legislation; (d) notify the ICO within 72 hours of becoming aware of a Supplier shall process the personal data breach. 
Where only in accordance with these terms, the breach is likely Agreement and any lawful instructions reasonably given by the Customer from time to result in a high risk to the rights and freedoms of natural persons, notify the affected data subjects without undue delay.;time; and (e) at the written direction of the Customer, delete or return Personal Data and copies thereof to the Customer on termination of the agreement unless required by Applicable Law to store the Personal Data; and (f) maintain complete and accurate records and information to demonstrate its compliance with this clause 6. 6.8 Each each party shall ensure that it has in place take appropriate technical and organisational measures to protect against unauthorised or unlawful processing of Personal Data and against accidental loss the personal data or destruction of, or damage to, Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or its accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymisation and encr ypting Personal Data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it)damage. 6.9 The Supplier will ensure that any sub-contractors appointed to process personal data on behalf of the Customer are subject to written agreements that require them to process such data only on documented instructions from the Customer and in full compliance with the requirements of the UK GDPR, particularly Article 28. 
The Supplier confirms that it has entered or (as the case may be) will enter with the third-party processor into a written agreement substantially on that third party's standard terms of business. As between the Customer and the Supplier, the Supplier shall remain fully liable for all acts or omissions of any third-party processor appointed by it pursuant to this clause 6. Full details of all third parties providing such services to the Supplier and who are processing Personal data under this agreement are available upon request. 6.10 The Supplier will update its Privacy Policy to reflect any changes in sub-processors or the addition of new sub-processors. It is the responsibility of the Customer to regularly review the Privacy Policy to stay informed of such changes. 6.11 The Customer acknowledges and agrees that the Supplier relies on third-party services for the hosting and processing of Customer Data pursuant to this agreement. Specifically, Amazon Web Services (AWS) is utilised as the primary infrastructure provider due to its robust data security measures and adherence to data protection legislation relevant to our operations. For comprehensive details regarding the use of AWS, including the location of data centres and the specific security and compliance measures in place, refer to Schedule 2 of this agreement. This schedule outlines how data storage and processing activities through AWS are conducted in strict conformity with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, ensuring the highest standards of data protection and security are maintained. 6.12 The Supplier will ensure that any use of Customer Data in aggregated and anonymised form is done in a manner that fully ensures such data cannot be re-identified, adhering to the standards of anonymisation defined under the UK GDPR. 
6.13 The supplier will assist the customer in ensuring compliance with the data subject rights under the Data Protection Legislation, including but not limited to rights of access, correction, deletion, and data portability. 6.14 The customer shall have the right to conduct an audit of the supplier's data processing activities related to this agreement once per year to ensure compliance with Data Protection Legislation and the terms of this agreement. Such audit shall be conducted at the customer's expense, with reasonable prior notice, and shall not unreasonably interfere with the supplier's business operations. 6.15 Any revisions to this clause related to data protection will be made in compliance with the latest data protection legislation and best practices, ensuring the protection of data subjects' rights. The Customer will be notified at least 30 days in advance of any such changes, which will only be implemented with the Customer's consent if they materially alter the data protection obligations of the parties.

Appears in 1 contract

Sources: Terms and Conditions

Customer Data. 6.1 The Customer shall own all right, title and interest in and to all the Customer Data that is not personal data and shall have sole responsibility for the legality, reliability, integrity, accuracy and quality of all such Customer Data. 6.2 14.1 The Supplier shall follow its archiving procedures for promptly notify the Customer Data as set out in its Back-Up Policywriting of any actual or suspected loss or damage to the Customer Data. In the event of any loss or damage to Customer Data, the Customer's sole and exclusive remedy against the Supplier shall be for the Supplier to use reasonable commercial endeavours to restore the lost or damaged Customer Data from the latest back-up backup of such Customer Data maintained by the Supplier in accordance with the archiving procedure described in its Back-Up PolicyData. The Supplier shall not be responsible for any loss, destruction, alteration or unauthorised access to or disclosure of Customer Data caused by any third party (except those third parties sub-(excluding Microsoft) sub- contracted by the Supplier to perform services related to Customer Data maintenance and back-up for which it shall remain fully liable under clause 6.9up). 6.3 The Supplier shall14.2 For the purposes of this Clause 14, the terms controller, processor, data subject, personal data, personal data breach and processing shall have the meaning given to them in providing the Services, UK Data Protection Legislation. 14.3 Both Parties will comply with its Privacy and Security Policy relating to the privacy and security of the Customer Data available at ▇▇▇.▇▇▇▇▇▇▇▇▇▇▇.▇▇.▇▇ or such other website address as may be notified to the Customer from time to time, as such document may be amended from time to time by the Supplier in its sole discretion. 6.4 Both parties will follow all applicable requirements of the Applicable Data Protection LegislationLaws. 
This clause 6 Clause 14 is in addition to, and does not relieve, remove or replace, a partyParty's obligations or rights under the Applicable Data Protection LegislationLaws. 6.5 14.4 The parties acknowledge Parties have determined that: (a) if the Supplier processes any personal data on the Customer's behalf when performing its obligations under this agreement, the Customer is the data controller and the Supplier is the data processor for the purposes of the Applicable Data Protection Legislation (where Data Controller and Data Processor have Laws, the meanings as defined in the Data Protection Legislation). (b) the Customer acknowledges and agrees that Supplier shall process the personal data may be transferred or stored outside set out in Error! Bookmark not defined.Error! Reference source not found., as a processor on behalf of the EEA or the country where the Customer and the Authorised Users are located to carry out the Services and the Supplier's other obligations under this agreement. If personal data is transferred or stored outside the UK, appropriate safeguards in accordance with UK GDPR, such as Standard Contractual Clauses approved by the UK Information Commissioner's Office (ICO), will be implemented to ensure compliance with UK data protection lawsCustomer. 6.6 14.5 Without prejudice to the generality of clause 6.1Clause 14.3, the Customer will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the Customer Personal Data to the Supplier for the duration and purposes of this agreement so that the Supplier may lawfully use, process and transfer the Personal Data in accordance with this agreement on the Customer's behalfAgreement. 6.7 14.6 In relation to the Customer Personal Data, 0 sets out the scope, nature and purpose of processing by the Supplier, the duration of the processing and the types of personal data and categories of data subject. 
14.7 Without prejudice to the generality of clause 6.1, 14.3 the Supplier shall, in relation to any Customer Personal Data processed in connection with the performance by the Supplier of its obligations under this agreementData: (a) Process process that Customer Personal Data only on the written documented instructions of the Customer, unless the Supplier is required by Applicable Laws to otherwise process that Customer Personal Data. Where the laws of Supplier is relying on Applicable Laws as the United Kingdom, the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, or any applicable international laws to process Personal Data (Applicable Laws). In instances where the Supplier's data basis for processing activities are subject to the laws of a member of the European Union due to cross-border operations or data transfers, and where such laws necessitate processing actions divergent from the Customer's instructionsCustomer Processor Data, the Supplier shall promptly notify the Customer of this requirement before commencing performing the processing required by the Applicable LawsLaws unless those Applicable Laws prohibit the Supplier from so notifying the Customer on important grounds of public interest. The Supplier shall inform the Customer if, unless prohibited by those laws from providing such notificationin the opinion of the Supplier, the instructions of the Customer infringe Applicable Data Protection Legislation; (b) Not transfer any Personal Data outside of implement appropriate the United Kingdom or to any country not deemed to have adequate data protection laws by the UK Information Commissioner's Office (ICO), unless the following conditions are fulfilled: (i) the Customer or the Supplier has provided appropriate safeguards in relation to the transfer such as Standard Contractual Clauses (SCCs) specifically adapted for the data transfer requirements under the UK GDPR, or any future UK adequacy decisions. 
When transferring personal data outside the UK, the Supplier will ensure the use of Standard Contractual Clauses approved by the UK Information Commissioner's Office (ICO), or ensure that the destination country has been deemed to provide an adequate level of protection for personal data by the UK government; (ii) the data subject has enforceable rights and effective legal remedies in accordance with the UK GDPR and the Data Protection Act 2018; (iii) the Supplier ensures compliance with the UK Data Protection Legislation by providing an adequate level of protection to any Personal Data transferred, including adhering to any additional requirements set forth by the UK Information Commissioner's Office (ICO); and (iv) the Supplier complies with reasonable instructions notified to it in advance by the Customer with respect to the processing of the Personal Data; (c) assist the Customer, at the Customer's cost, in responding to any request from a Data Subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators; (d) notify the ICO within 72 hours of becoming aware of a data breach. Where the breach is likely to result in a high risk to the rights and freedoms of natural persons, notify the affected data subjects without undue delay.; (e) at the written direction of the Customer, delete or return Personal Data and copies thereof to the Customer on termination of the agreement unless required by Applicable Law to store the Personal Data; and (f) maintain complete and accurate records and information to demonstrate its compliance with this clause 6. 
6.8 Each party shall ensure that it has in place appropriate technical and organisational measures to protect against unauthorised or unlawful processing of Customer Personal Data and against accidental loss or destruction of, or damage to, Customer Personal Data, which the Customer has reviewed and confirms are appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures measures; (those measures may includec) ensure that any personnel engaged and authorised by the Supplier to process Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory or common law obligation of confidentiality; (d) assist the Customer insofar as this is possible (taking into account the nature of the processing and the information available to the Supplier), and at the Customer's cost and written request, in responding to any request from a data subject and in ensuring the Customer's compliance with its obligations under Applicable Data Protection Laws with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators; (e) notify the Customer without undue delay on becoming aware of a personal data breach involving the Customer Personal Data; (f) at the written direction of the Customer, delete or return Customer Personal Data and copies thereof to the Customer on termination of the Agreement unless the Supplier is required by Applicable Law to continue to process that Customer Personal Data. For the purposes of this Clause Error! Reference source not found. 
Customer Personal Data shall be considered deleted where appropriateit is put beyond further use by the Supplier; and (g) maintain records to demonstrate its compliance with this Clause 14 and allow for reasonable audits by the Customer or the Customer's designated auditor, pseudonymisation and encr ypting for this purpose, on reasonable written notice. 14.8 The Customer hereby provides its prior, general authorisation for the Supplier to: (a) appoint processors to process the Customer Personal Data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring provided that availability of and access to Personal the Supplier: (i) shall ensure that the terms on which it appoints such processors comply with Applicable Data can be restored in a timely manner after an incidentProtection Laws, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it). 6.9 The Supplier will ensure that any sub-contractors appointed to process personal data on behalf of the Customer are subject to written agreements that require them to process such data only on documented instructions from the Customer and in full compliance consistent with the requirements of the UK GDPR, particularly Article 28. The Supplier confirms that it has entered or (as the case may be) will enter with the third- party processor into a written agreement substantially obligations imposed on that third party's standard terms of business. As between the Customer and the Supplier, the Supplier shall remain fully liable for all acts or omissions of any third-party processor appointed by it pursuant to in this clause 6. Full details of all third parties providing such services to the Supplier and who are processing Personal data under this agreement are available upon requestClause Error! Bookmark not defined. 
6.10 The Supplier will update its Privacy Policy to reflect any changes in sub-processors or the addition of new sub-processors. It is the responsibility of the Customer to regularly review the Privacy Policy to stay informed of such changes. 6.11 The Customer acknowledges and agrees that the Supplier relies on third-party services for the hosting and processing of Customer Data pursuant to this agreement. Specifically, Amazon Web Services (AWS) is utilised as the primary infrastructure provider due to its robust data security measures and adherence to data protection legislation relevant to our operations. For comprehensive details regarding the use of AWS, including the location of data centres and the specific security and compliance measures in place, refer to Schedule 2 of this agreement. This schedule outlines how data storage and processing activities through AWS are conducted in strict conformity with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, ensuring the highest standards of data protection and security are maintained. 6.12 The Supplier will ensure that any use of Customer Data in aggregated and anonymised form is done in a manner that fully ensures such data canError! Reference source not be re-identified, adhering to the standards of anonymisation defined under the UK GDPR. 6.13 The supplier will assist the customer in ensuring compliance with the data subject rights under the Data Protection Legislation, including but not limited to rights of access, correction, deletion, and data portability. 6.14 The customer shall have the right to conduct an audit of the supplier's data processing activities related to this agreement once per year to ensure compliance with Data Protection Legislation and the terms of this agreement. 
Such audit shall be conducted at the customer's expense, with reasonable prior notice, and shall not unreasonably interfere with the supplier's business operations. 6.15 Any revisions to this clause related to data protection will be made in compliance with the latest data protection legislation and best practices, ensuring the protection of data subjects' rights. The Customer will be notified at least 30 days in advance of any such changes, which will only be implemented with the Customer's consent if they materially alter the data protection obligations of the parties.found.4;

Appears in 1 contract

Sources: Master Framework Agreement

Customer Data. 6.1 5.1. The Customer shall own all right, title and interest in and to all of the Customer Data that is not personal data and shall have sole responsibility for the legality, reliability, integrity, accuracy and quality of all such Customer Data. 6.2 5.2. The Supplier shall follow its archiving procedures for maintenance of metadata related to Customer Data as set out in its BackMetadata Maintenance Policy available at ▇▇▇▇▇://▇▇▇▇▇▇▇▇.▇▇/metadata-Up Policymaintenance-policy or such other website address as may be notified to the Customer from time to time, as such document may be amended by the Supplier in its sole discretion from time to time. In the event of any loss or damage to Customer Data, the Customer's sole and exclusive remedy against the Supplier shall be for the Supplier to use reasonable commercial endeavours to provide the Customer with available Customer comprehensible metadata to restore the lost or damaged Customer Data from the latest back-up version of such metadata related to Customer Data maintained by the Supplier in accordance with the archiving procedure described in its Back-Up Metadata Maintenance Policy. The Supplier shall not be responsible for any loss, destruction, alteration or disclosure of Customer Data caused by any third party (except those third parties sub-sub- contracted by the Supplier to perform services related to Customer Data maintenance and back-up for which it shall remain fully liable under clause 6.95.9). 6.3 5.3. The Supplier shall, in providing the Services, comply with its Privacy and Security Policy relating to the privacy and security of the Customer Data available at ▇▇▇.▇▇://▇▇▇▇▇▇▇▇.▇▇.▇▇ /privacy-security-policy or such other website address as may be notified to the Customer from time to time, as such document may be amended from time to time by the Supplier in its sole discretion. 6.4 5.4. Both parties will follow comply with all applicable requirements of the Data Protection Legislation. 
This clause 6 5 is in addition to, and does not relieve, remove or replace, a party's obligations or rights under the Data Protection Legislation. 6.5 5.5. The parties acknowledge that: (a) if the Supplier processes any personal data on the Customer's behalf when performing its obligations under this agreement, the Customer is the data controller and the Supplier is the data processor for the purposes of the Data Protection Legislation (where Data Controller and Data Processor have the meanings as defined in the Data Protection Legislation). (b) Schedule 2 sets out the Customer acknowledges scope, nature and agrees that purpose of processing by the Supplier, the duration of the processing and the types of personal data and categories of data subject. (c) the personal data may be transferred or stored outside the EEA or the country where the Customer and the Authorised Users are located in order to carry out the Services and the Supplier's other obligations under this agreement. If personal data is transferred or stored outside the UK, appropriate safeguards in accordance with UK GDPR, such as Standard Contractual Clauses approved by the UK Information Commissioner's Office (ICO), will be implemented to ensure compliance with UK data protection laws. 6.6 5.6. Without prejudice to the generality of clause 6.15.4, the Customer will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the Personal Data personal data to the Supplier for the duration and purposes of this agreement so that the Supplier may lawfully use, process and transfer the Personal Data personal data in accordance with this agreement on the Customer's behalf. 6.7 5.7. 
Without prejudice to the generality of clause 6.15.4, the Supplier shall, in relation to any Personal Data personal data processed in connection with the performance by the Supplier of its obligations under this agreement: (a) Process process that Personal Data personal data only on the documented written instructions of the Customer, Customer unless the Supplier is required by the laws of any member of the United Kingdom, European Union or by the laws of the European Union applicable to the Supplier and/or Domestic UK Law (where Domestic UK Law means the UK General Data Protection Regulation (UK GDPR), Legislation and any other law that applies in the Data Protection Act 2018, or any applicable international laws UK) to process Personal Data personal data (Applicable Laws). In instances where Where the Supplier's data Supplier is relying on Applicable Laws as the basis for processing activities are subject to the laws of a member of the European Union due to cross-border operations or data transfers, and where such laws necessitate processing actions divergent from the Customer's instructionspersonal data, the Supplier shall promptly notify the Customer of this requirement before commencing performing the processing required by the Applicable Laws, Laws unless prohibited by those laws Applicable Laws prohibit the Supplier from providing such notificationso notifying the Customer; (b) Not not transfer any Personal Data personal data outside of the European Economic Area and the United Kingdom or to any country not deemed to have adequate data protection laws by the UK Information Commissioner's Office (ICO), unless the following conditions are fulfilled: (i) the Customer or the Supplier has provided appropriate safeguards in relation to the transfer such as Standard Contractual Clauses (SCCs) specifically adapted for the data transfer requirements under the UK GDPR, or any future UK adequacy decisions. 
When transferring personal data outside the UK, the Supplier will ensure the use of Standard Contractual Clauses approved by the UK Information Commissioner's Office (ICO), or ensure that the destination country has been deemed to provide an adequate level of protection for personal data by the UK governmenttransfer; (ii) the data subject has enforceable rights and effective legal remedies in accordance with the UK GDPR and the Data Protection Act 2018remedies; (iii) the Supplier ensures compliance complies with its obligations under the UK Data Protection Legislation by providing an adequate level of protection to any Personal Data personal data that is transferred, including adhering to any additional requirements set forth by the UK Information Commissioner's Office (ICO); and (iv) the Supplier complies with reasonable instructions notified to it in advance by the Customer with respect to the processing of the Personal Datapersonal data; (c) assist the Customer, at the Customer's cost, in responding to any request from a Data Subject data subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators; (d) notify the ICO within 72 hours of Customer without undue delay on becoming aware of a personal data breach. 
Where the breach is likely to result in a high risk to the rights and freedoms of natural persons, notify the affected data subjects without undue delay.; (e) at the written direction of the Customer, delete or return Personal Data personal data it can reasonably identify and copies thereof to the Customer on termination of the agreement unless required by Applicable Law to store the Personal Datapersonal data (and for these purposes the term "delete" shall mean to put such data beyond use); and (f) maintain complete and accurate records and information to demonstrate its compliance with this clause 65 and immediately inform the Customer if, in the opinion of the Supplier, an instruction infringes the Data Protection Legislation. 6.8 5.8. Each party shall ensure that it has in place appropriate technical and organisational measures to protect against unauthorised or unlawful processing of Personal Data personal data and against accidental loss or destruction of, or damage to, Personal Datapersonal data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymisation pseudonymising and encr ypting Personal Dataencrypting personal data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to Personal Data personal data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it). 
6.9 The Supplier will ensure that any sub-contractors appointed to process personal data on behalf of the Customer are subject to written agreements that require them to process such data only on documented instructions from the Customer and in full compliance with the requirements of the UK GDPR, particularly Article 285.9. The Supplier confirms that it has entered or (as the case may be) will enter with the third- party processor into a written agreement substantially on that third party's standard terms of business. As between the Customer and the Supplier, the Supplier shall remain fully liable for all acts or omissions of any third-party processor appointed by it pursuant to this clause 6. Full details of all third parties providing such services consents to the Supplier and who are processing Personal data under this agreement are available upon request. 6.10 The Supplier will update appointing or otherwise hosting its Privacy Policy to reflect any changes in sub-processors or the addition of new sub-processors. It is the responsibility of the Customer to regularly review the Privacy Policy to stay informed of such changes. 6.11 The Customer acknowledges and agrees that the Supplier relies on third-party services for the hosting and processing of Customer Data pursuant to this agreement. Specifically, Amazon Web Services (AWS) is utilised as the primary infrastructure provider due to its robust data security measures and adherence to data protection legislation relevant to our operations. For comprehensive details regarding the use of AWS, including the location of data centres and the specific security and compliance measures in place, refer to Schedule 2 of this agreement. This schedule outlines how data storage and processing activities through AWS are conducted in strict conformity with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, ensuring the highest standards of data protection and security are maintained. 
6.12 The Supplier will ensure that any use of Customer Data in aggregated and anonymised form is done in a manner that fully ensures such data cannot be re-identified, adhering to the standards of anonymisation defined under the UK GDPR. 6.13 The supplier will assist the customer in ensuring compliance with the data subject rights under the Data Protection Legislation, including but not limited to rights of access, correction, deletion, and data portability. 6.14 The customer shall have the right to conduct an audit of the supplier's data processing activities related to this agreement once per year to ensure compliance with Data Protection Legislation and the terms of this agreement. Such audit shall be conducted at the customer's expense, with reasonable prior notice, and shall not unreasonably interfere with the supplier's business operations. 6.15 Any revisions to this clause related to data protection will be made in compliance with the latest data protection legislation and best practices, ensuring the protection of data subjects' rights. The Customer will be notified at least 30 days in advance of any such changes, which will only be implemented with the Customer's consent if they materially alter the data protection obligations of the parties.

Appears in 1 contract

Sources: Software License Agreement

Customer Data. 6.1 4.1 The Customer Customer, or the relevant GP Practice as applicable, shall own all right, title and interest in and to all the Customer Data that and is not personal data and shall have sole responsibility responsible for the legality, reliability, integrity, accuracy and quality of all such the Customer Data. The Customer shall ensure that it has all necessary rights and notices in place to enable the lawful transfer of Personal Data to the Supplier for the duration and purposes of the Agreement and that it is authorised to instruct the Supplier regarding the processing of any such data on behalf of any GP Practice(s). To the extent that the Supplier is processing such data on behalf of a GP Practice then the terms of this clause 4 shall apply to govern that processing (with references to the Customer being to the relevant GP Practice on a mutatis mutandis basis). 6.2 4.2 The Supplier shall follow its archiving backup procedures for Customer Data as set out described in its Back-Up PolicySchedule 3. In the event of any loss of, or damage to to, any Customer Data, the Customer's ’s sole and exclusive remedy against the Supplier shall be for the Supplier to use reasonable commercial endeavours to restore the lost or damaged Customer Data from the latest back-up of such Customer Data maintained by the Supplier in accordance with the archiving procedure described in its Back-Up PolicyData. The Supplier shall not be responsible for any loss, destruction, alteration or disclosure of Customer Data caused by any third party (except those third parties sub-sub- contracted by the Supplier to perform services related to Customer Data maintenance and back-up for which it shall remain fully liable under clause 6.9up). 
6.3 The Supplier shall, in providing the Services, 4.3 Each party will comply with its Privacy and Security Policy relating to the privacy and security of the Customer Data available at ▇▇▇.▇▇▇▇▇▇▇▇▇▇▇.▇▇.▇▇ or such other website address as may be notified to the Customer from time to time, as such document may be amended from time to time by the Supplier in its sole discretion. 6.4 Both parties will follow all applicable requirements of the Data Protection Legislation. This clause 6 4 is in addition to, and does not relieve, remove or replace, a party's obligations under the Data Protection Legislation. 6.5 4.4 The parties acknowledge that: (a) if the Supplier processes any personal data on the Customer's behalf when performing its obligations under this agreement, the Customer is the data controller and the Supplier is the data processor that for the purposes of the Data Protection Legislation Legislation, the Customer is a data controller and the Supplier is a data processor (where Data Controller data controller and Data Processor data processor have the meanings as defined in the Data Protection Legislation). 4.5 Schedule 6 (bas may, from time to time, be updated to reflect any changes to the scope of the processing) sets out the Customer acknowledges scope, nature and agrees that purpose of processing by the personal data may be transferred or stored outside Supplier, the EEA or duration of the country where the Customer processing and the Authorised Users are located to carry out types of Personal Data and categories of Data Subject (both as defined in the Services and the Supplier's other obligations under this agreement. If personal data is transferred or stored outside the UK, appropriate safeguards in accordance with UK GDPR, such as Standard Contractual Clauses approved by the UK Information Commissioner's Office (ICOData Protection Legislation), will be implemented to ensure compliance with UK data protection laws. 
6.6 4.6 Without prejudice to the generality of clause 6.14.3, the Customer will ensure that it has all necessary appropriate consents rights and notices in place to enable the lawful transfer of the Personal Data to the Supplier for the duration and purposes of this agreement so that the Supplier may lawfully use, process and transfer the Personal Data in accordance with this agreement on the Customer's behalfagreement. 6.7 Without prejudice to the generality of clause 6.1, the 4.7 The Supplier shall, in relation to any Personal Data processed in connection with the performance by the Supplier of its obligations under this agreement: (a) Process process that Personal Data only on the written instructions of the Customer, Customer (unless the Supplier is otherwise required by the laws of the United Kingdom, the UK General Data Protection Regulation (UK GDPRlaw), the Data Protection Act 2018, or any applicable international laws to process Personal Data (Applicable Laws). In instances where the Supplier's data processing activities are subject to the laws of a member of the European Union due to cross-border operations or data transfers, and where such laws necessitate processing actions divergent from the Customer's instructions, the Supplier shall promptly notify the Customer of this requirement before commencing the processing required by the Applicable Laws, unless prohibited by those laws from providing such notification; (b) Not ensure that it has in place appropriate technical and organisational measures designed to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data, such measures being appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures; (c) take all 
reasonable steps to ensure the reliability and integrity of personnel who have access to and/or process Personal Data; (d) not transfer any Personal Data outside of the United Kingdom UK or to any country not deemed to have adequate data protection laws by the UK Information Commissioner's Office (ICO), European Economic Area unless the prior written consent of the Customer has been obtained and the following conditions are fulfilled: (i) the Customer or the Supplier has provided appropriate safeguards in relation to the transfer such as Standard Contractual Clauses (SCCs) specifically adapted for the data transfer requirements under the UK GDPR, or any future UK adequacy decisions. When transferring personal data outside the UK, the Supplier will ensure the use of Standard Contractual Clauses approved by the UK Information Commissioner's Office (ICO), or ensure that the destination country has been deemed to provide an adequate level of protection for personal data by the UK governmenttransfer; (ii) the data subject Data Subject has enforceable rights and effective legal remedies in accordance with the UK GDPR and the Data Protection Act 2018remedies; (iii) the Supplier ensures compliance complies with its obligations under the UK Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred, including adhering to any additional requirements set forth by the UK Information Commissioner's Office (ICO); and (iv) the Supplier complies with reasonable instructions notified to it in advance by the Customer with respect to the processing of the Personal Data; (ce) assist the Customer, at the Customer's cost, in responding to any request from a Data Subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators; (df) notify the ICO within 72 hours of Customer 
without undue delay on becoming aware of a data Personal Data breach. Where the breach is likely to result in a high risk to the rights and freedoms of natural persons, notify the affected data subjects without undue delay.; (eg) at the written direction of the Customer, delete or return Personal Data and copies thereof to the Customer on termination of the this agreement unless required by Applicable Law law to store the Personal Data; and (fh) maintain complete and accurate records and information to demonstrate its compliance with allow for audits by the Customer or the Customer’s designated auditor in respect of the Supplier’s data processing activities under this clause 6agreement. 6.8 Each party 4.8 The Supplier is given general authorisation to engage third-parties to process the Personal Data ("Sub-Processors") without obtaining any further written, specific authorisation from the Customer. The Supplier shall complete a written sub-processor agreement with any Sub- Processors which shall include protections substantially similar to those under this agreement. The Supplier is accountable to the Customer for any Sub-Processor in the same way as for its own actions and omissions. A list of the Supplier’s material sub-processors as at the date of this agreement is set out on the Supplier’s website (or will otherwise be notified to the Customer). Any objection to an amendment to the list of Sub-Processors may be escalated for discussion within 10 days after receipt of a notification of any change. If the parties are (acting reasonably) unable to resolve the objection and the Supplier informs the Customer that it nevertheless intends to appoint the relevant Sub-Processor then the Customer may either: (i) accept the change; or (ii) terminate this agreement upon written notice within one month of raising the objection (and as the Customer’s sole and exclusive remedy, the Supplier will refund any unused prepaid fees). 
4.9 The parties may, acting reasonably, agree to amend this agreement to ensure that it has in place appropriate technical and organisational measures complies with any applicable guidance issued by the Information Commissioner’s Office from time to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymisation and encr ypting Personal Data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it)time. 6.9 4.10 The Supplier will ensure acknowledges that any sub-contractors appointed to process personal data on behalf of where the Customer are is subject to written agreements that require them to process such data only on documented instructions from the Customer and in full compliance with the requirements of the UK GDPRFreedom of Information Act 2000 (“FOIA”), particularly Article 28. The Supplier confirms that it has entered or (as the case may be) will enter shall use its reasonable endeavours to assist and co-operate with the third- party processor into a written agreement substantially on that third party's standard terms Customer in respect of businessthe Customer’s disclosure obligations under the FOIA. 
As between Accordingly the Supplier agrees where applicable: (a) to use its reasonable endeavours to provide such assistance and cooperation as reasonably requested by the Customer and in relation to its obligations under the Supplier, the Supplier shall remain fully liable for all acts or omissions of any third-party processor appointed by it pursuant to this clause 6. Full details of all third parties providing such services FOIA; (b) transfer to the Supplier and who are processing Personal data under this agreement are available upon request. 6.10 The Supplier will update its Privacy Policy to reflect any changes in sub-processors or the addition of new sub-processors. It is the responsibility of the Customer to regularly review the Privacy Policy to stay informed of such changes. 6.11 The Customer acknowledges and agrees that the Supplier relies on third-party services all requests for the hosting and processing of Customer Data pursuant to this agreement. Specifically, Amazon Web Services (AWS) is utilised as the primary infrastructure provider due to its robust data security measures and adherence to data protection legislation relevant to our operations. For comprehensive details regarding the use of AWS, including the location of data centres and the specific security and compliance measures in place, refer to Schedule 2 of this agreement. This schedule outlines how data storage and processing activities through AWS are conducted in strict conformity with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, ensuring the highest standards of data protection and security are maintained. 6.12 The Supplier will ensure that any use of Customer Data in aggregated and anonymised form is done in a manner that fully ensures such data cannot be re-identified, adhering to the standards of anonymisation defined under the UK GDPR. 
6.13 The supplier will assist the customer in ensuring compliance with the data subject rights under the Data Protection Legislation, including but not limited to rights of access, correction, deletion, and data portability. 6.14 The customer shall have the right to conduct an audit of the supplier's data processing activities related information relating to this agreement once per year that it receives as soon as practicable and in any event within 2 Business Days of receipt; (c) provide the Customer with a copy of all relevant information belonging to ensure compliance with Data Protection Legislation and the terms Customer requested in the request for information which is in the Supplier’s possession or control in the form that the Customer reasonably requires within 5 Business Days (or such other longer period as the Customer may reasonably specify) of this agreement. Such audit shall be conducted at the customers expense, with reasonable prior notice, and shall not unreasonably interfere with the supplier's business operations 6.15 Any revisions to this clause related to data protection will be made in compliance with the latest data protection legislation and best practices, ensuring the protection of data subjects' rights. The Customer will be notified at least 30 days in advance of any such changes, which will only be implemented with the Customer's consent if they materially alter ’s request for such Information; and (d) not respond directly to a request for information unless authorised in writing to do so by the data protection obligations of the partiesCustomer.

Appears in 1 contract

Sources: Software as a Service Agreement

Customer Data. 6.1 ‌ 5.1. The Customer shall own all right, title and interest in and to all of the Customer Data that is not personal data and shall have sole responsibility for the legality, reliability, integrity, accuracy and quality of all such Customer Data. 6.2 5.2. The Supplier shall follow its archiving procedures for maintenance of metadata related to Customer Data as set out in its BackPrivacy and Security Policy available at ▇▇▇▇▇://▇▇▇▇▇▇▇▇.▇▇/privacy- security-Up Policypolicy or such other website address as may be notified to the Customer from time to time, as such document may be amended by the Supplier in its sole discretion from time to time. In the event of any loss or damage to Customer Data, the Customer's sole and exclusive remedy against the Supplier shall be for the Supplier to use reasonable commercial endeavours to provide the Customer with available Customer comprehensible metadata to restore the lost or damaged Customer Data from the latest back-up version of such metadata related to Customer Data maintained by the Supplier in accordance with the archiving procedure described in its Back-Up Metadata Maintenance Policy. The Supplier shall not be responsible for any loss, destruction, alteration or disclosure of Customer Data caused by any third party (except those third parties sub-contracted by the Supplier to perform services related to Customer Data maintenance and back-up for which it shall remain fully liable under clause 6.95.9). 6.3 5.3. The Supplier shall, in providing the Services, comply with its Privacy and Security Policy relating to the privacy and security of the Customer Data available at ▇▇▇.▇▇://▇▇▇▇▇▇▇▇.▇▇.▇▇ /privacy-security-policy or such other website address as may be notified to the Customer from time to time, as such document may be amended from time to time by the Supplier in its sole discretion. 6.4 5.4. Both parties will follow comply with all applicable requirements of the Data Protection Legislation. 
This clause 6 5 is in addition to, and does not relieve, remove or replace, a party's obligations or rights under the Data Protection Legislation. 6.5 5.5. The parties acknowledge that: (a) if the Supplier processes any personal data on the Customer's behalf when performing its obligations under this agreement, the Customer is the data controller and the Supplier is the data processor for the purposes of the Data Protection Legislation (where Data Controller and Data Processor have the meanings as defined in the Data Protection Legislation). (b) Schedule 2 sets out the Customer acknowledges scope, nature and agrees that purpose of processing by the Supplier, the duration of the processing and the types of personal data and categories of data subject. (c) the personal data may be transferred or stored outside the EEA or the country where the Customer and the Authorised Users are located in order to carry out the Services and the Supplier's other obligations under this agreement. If personal data is transferred or stored outside the UK, appropriate safeguards in accordance with UK GDPR, such as Standard Contractual Clauses approved by the UK Information Commissioner's Office (ICO), will be implemented to ensure compliance with UK data protection laws. 6.6 5.6. Without prejudice to the generality of clause 6.15.4, the Customer will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the Personal Data personal data to the Supplier for the duration and purposes of this agreement so that the Supplier may lawfully use, process and transfer the Personal Data personal data in accordance with this agreement on the Customer's behalf. 6.7 5.7. 
Without prejudice to the generality of clause 6.15.4, the Supplier shall, in relation to any Personal Data personal data processed in connection with the performance by the Supplier of its obligations under this agreement: (a) Process process that Personal Data personal data only on the documented written instructions of the Customer, Customer unless the Supplier is required by the laws of any member of the United Kingdom, European Union or by the laws of the European Union applicable to the Supplier and/or Domestic UK Law (where Domestic UK Law means the UK General Data Protection Regulation (UK GDPR), Legislation and any other law that applies in the Data Protection Act 2018, or any applicable international laws UK) to process Personal Data personal data (Applicable Laws). In instances where Where the Supplier's data Supplier is relying on Applicable Laws as the basis for processing activities are subject to the laws of a member of the European Union due to cross-border operations or data transfers, and where such laws necessitate processing actions divergent from the Customer's instructionspersonal data, the Supplier shall promptly notify the Customer of this requirement before commencing performing the processing required by the Applicable Laws, Laws unless prohibited by those laws Applicable Laws prohibit the Supplier from providing such notificationso notifying the Customer; (b) Not not transfer any Personal Data personal data outside of the European Economic Area and the United Kingdom or to any country not deemed to have adequate data protection laws by the UK Information Commissioner's Office (ICO), unless the following conditions are fulfilled: (i) the Customer or the Supplier has provided appropriate safeguards in relation to the transfer such as Standard Contractual Clauses (SCCs) specifically adapted for the data transfer requirements under the UK GDPR, or any future UK adequacy decisions. 
When transferring personal data outside the UK, the Supplier will ensure the use of Standard Contractual Clauses approved by the UK Information Commissioner's Office (ICO), or ensure that the destination country has been deemed to provide an adequate level of protection for personal data by the UK governmenttransfer; (ii) the data subject has enforceable rights and effective legal remedies in accordance with the UK GDPR and the Data Protection Act 2018remedies; (iii) the Supplier ensures compliance complies with its obligations under the UK Data Protection Legislation by providing an adequate level of protection to any Personal Data personal data that is transferred, including adhering to any additional requirements set forth by the UK Information Commissioner's Office (ICO); and (iv) the Supplier complies with reasonable instructions notified to it in advance by the Customer with respect to the processing of the Personal Datapersonal data; (c) assist the Customer, at the Customer's cost, in responding to any request from a Data Subject data subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators; (d) notify the ICO within 72 hours of Customer without undue delay on becoming aware of a personal data breach. 
Where the breach is likely to result in a high risk to the rights and freedoms of natural persons, notify the affected data subjects without undue delay.; (e) at the written direction of the Customer, delete or return Personal Data personal data it can reasonably identify and copies thereof to the Customer on termination of the agreement unless required by Applicable Law to store the Personal Datapersonal data (and for these purposes the term "delete" shall mean to put such data beyond use); and (f) maintain complete and accurate records and information to demonstrate its compliance with this clause 65 and immediately inform the Customer if, in the opinion of the Supplier, an instruction infringes the Data Protection Legislation. 6.8 5.8. Each party shall ensure that it has in place appropriate technical and organisational measures to protect against unauthorised or unlawful processing of Personal Data personal data and against accidental loss or destruction of, or damage to, Personal Datapersonal data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymisation pseudonymising and encr ypting Personal Dataencrypting personal data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to Personal Data personal data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it). 6.9 5.9. 
The Customer consents to the Supplier will ensure that appointing or otherwise hosting its Software with‌ (i) Amazon Web Services EMEA SARL or any subother member of the Amazon Web Services Group; and (ii) any other third party processor the Supplier considers appropriate to the provision of the Services; as a third-contractors appointed to process party processor of personal data on behalf of the Customer are subject to written agreements that require them to process such data only on documented instructions from the Customer and in full compliance with the requirements of the UK GDPR, particularly Article 28under this agreement. The Supplier confirms that it has entered or (as the case may be) will enter with the third- third-party processor into a written agreement substantially on that third party's standard terms of businessbusiness including terms related to the requirements of the Data Protection Legislation. As between the Customer and the Supplier, the Supplier shall remain fully liable for all acts or omissions use commercially reasonable efforts to enforce the terms of any third-party processor appointed by it pursuant to this clause 6. Full details of all third parties providing such services to the Supplier and who are processing Personal data under this agreement are available upon requestprocessor. 6.10 The Supplier will update its Privacy Policy to reflect any changes in sub-processors or the addition of new sub-processors. It is the responsibility of the Customer to regularly review the Privacy Policy to stay informed of such changes. 6.11 The Customer acknowledges and agrees that the Supplier relies on third-party services for the hosting and processing of Customer Data pursuant to this agreement. Specifically, Amazon Web Services (AWS) is utilised as the primary infrastructure provider due to its robust data security measures and adherence to data protection legislation relevant to our operations. 
For comprehensive details regarding the use of AWS, including the location of data centres and the specific security and compliance measures in place, refer to Schedule 2 of this agreement. This schedule outlines how data storage and processing activities through AWS are conducted in strict conformity with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, ensuring the highest standards of data protection and security are maintained. 6.12 The Supplier will ensure that any use of Customer Data in aggregated and anonymised form is done in a manner that fully ensures such data cannot be re-identified, adhering to the standards of anonymisation defined under the UK GDPR. 6.13 The supplier will assist the customer in ensuring compliance with the data subject rights under the Data Protection Legislation, including but not limited to rights of access, correction, deletion, and data portability. 6.14 The customer shall have the right to conduct an audit of the supplier's data processing activities related to this agreement once per year to ensure compliance with Data Protection Legislation and the terms of this agreement. Such audit shall be conducted at the customer's expense, with reasonable prior notice, and shall not unreasonably interfere with the supplier's business operations. 6.15 Any revisions to this clause related to data protection will be made in compliance with the latest data protection legislation and best practices, ensuring the protection of data subjects' rights. The Customer will be notified at least 30 days in advance of any such changes, which will only be implemented with the Customer's consent if they materially alter the data protection obligations of the parties.

Appears in 1 contract

Sources: Software License Agreement

Customer Data. 6.1 The Customer You shall own all right, title and interest in and to all the of your Customer Data that is not personal data and shall have sole responsibility for the legality, reliability, integrity, accuracy and quality of all such Customer Data. 6.2 The Supplier shall follow its archiving procedures for Customer Data as set out in its Back-Up PolicyMillpledge will maintain commercially appropriate technical and organisational measures to ensure a level of security appropriate to the risk to protect Patient Records. In the event of any loss or damage to your Customer DataData and/or Patient Records, the Customer's your sole and exclusive remedy against the Supplier Millpledge shall be for the Supplier Millpledge to use reasonable commercial endeavours to restore the lost or damaged Customer Data and/or Patient Records from the latest back-up of such Customer Data maintained by the Supplier in accordance with the archiving procedure described in Millpledge (or its Back-Up Policy. The Supplier hosting provider). 6.3 Millpledge shall not be responsible for any loss, destruction, alteration or disclosure of your Customer Data caused by any third party (except those third parties sub-contracted by the Supplier party. 6.4 Millpledge strongly encourages you to perform services related take appropriate measures to secure, store and backup your important information and Customer Data maintenance and back-up for which it shall remain fully liable under clause 6.9(including Patient Records). 6.3 The Supplier 6.5 Millpledge shall, in providing the ServicesService, comply with follow its Privacy standard privacy and Security Policy relating security procedures to protect the privacy and security of the your Customer Data available at ▇▇▇.▇▇▇▇▇▇▇▇▇▇▇.▇▇.▇▇ or such other website address as may be notified to the Customer from time to timeData, as such document procedures may be amended from time to time by the Supplier Millpledge in its sole discretion. 
6.4 Both parties will follow all 6.6 Millpledge has no duty (unless applicable requirements of the Data Protection Legislation. This clause 6 is in addition tolaws or regulations provide otherwise) to pre- screen, and does not relievecontrol, remove monitor or replace, a party's obligations under the Data Protection Legislationedit your Customer Data. 6.5 The parties acknowledge that: (a) if the Supplier processes any personal data on the Customer's behalf when performing its obligations under this agreement, the 6.7 You agree that Millpledge may access and use your Customer is the data controller and the Supplier is the data processor Data for the purposes of the Data Protection Legislation (where Data Controller and Data Processor have the meanings as defined in the Data Protection Legislation). (b) the Customer acknowledges and agrees that the personal data may be transferred providing support to you or stored outside the EEA or the country where the Customer and the your Authorised Users are located when requested, for security purposes, to carry out develop and improve the Services Service as part of internal data processes, as permitted by applicable law and the Supplier's other obligations under this agreement. If personal data is transferred or stored outside the UK, appropriate safeguards in accordance with UK GDPR, such as Standard Contractual Clauses approved by the UK Information Commissioner's Office (ICO), will be implemented to ensure compliance with UK data protection laws. 6.6 Without prejudice to the generality these Terms of clause 6.1, the Customer will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the Personal Data to the Supplier Service and/or for the duration and purposes of this agreement so that the Supplier may lawfully use, process collecting and transfer the Personal Data aggregating data as described in accordance with this agreement on the Customer's behalf. 
6.7 Without prejudice to the generality of clause 6.1, the Supplier shall, in relation to any Personal Data processed in connection with the performance by the Supplier of its obligations under this agreement: (a) Process that Personal Data only on the written instructions of the Customer, unless the Supplier is required by the laws of the United Kingdom, the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, or any applicable international laws to process Personal Data (Applicable Laws). In instances where the Supplier's data processing activities are subject to the laws of a member of the European Union due to cross-border operations or data transfers, and where such laws necessitate processing actions divergent from the Customer's instructions, the Supplier shall promptly notify the Customer of this requirement before commencing the processing required by the Applicable Laws, unless prohibited by those laws from providing such notification; (b) Not transfer any Personal Data outside of the United Kingdom or to any country not deemed to have adequate data protection laws by the UK Information Commissioner's Office (ICO), unless the following conditions are fulfilled: (i) the Customer or the Supplier has provided appropriate safeguards in relation to the transfer such as Standard Contractual Clauses (SCCs) specifically adapted for the data transfer requirements under the UK GDPR, or any future UK adequacy decisions. 
When transferring personal data outside the UK, the Supplier will ensure the use of Standard Contractual Clauses approved by the UK Information Commissioner's Office (ICO), or ensure that the destination country has been deemed to provide an adequate level of protection for personal data by the UK government; (ii) the data subject has enforceable rights and effective legal remedies in accordance with the UK GDPR and the Data Protection Act 2018; (iii) the Supplier ensures compliance with the UK Data Protection Legislation by providing an adequate level of protection to any Personal Data transferred, including adhering to any additional requirements set forth by the UK Information Commissioner's Office (ICO); and (iv) the Supplier complies with reasonable instructions notified to it in advance by the Customer with respect to the processing of the Personal Data; (c) assist the Customer, at the Customer's cost, in responding to any request from a Data Subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators; (d) notify the ICO within 72 hours of becoming aware of a data breach. Where the breach is likely to result in a high risk to the rights and freedoms of natural persons, notify the affected data subjects without undue delay; (e) at the written direction of the Customer, delete or return Personal Data and copies thereof to the Customer on termination of the agreement unless required by Applicable Law to store the Personal Data; and (f) maintain complete and accurate records and information to demonstrate its compliance with this clause 66.8.
6.8 Each party shall ensure that it has in place appropriate technical and organisational measures to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature Millpledge may monitor use of the Service by all of its customers and use the information gathered in an aggregate and anonymous manner. You agree that Millpledge may use and publish such information, provided that such information does not identify you. For clarity, any data provided to other customers or third parties will only be in an aggregated and anonymous manner. Millpledge uses Customer Data in an anonymised manner for reporting purposes, including providing aggregated data to be protected, having regard to the state corporate groups of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymisation and encrypting Personal Data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to Personal Data can be restored in a timely manner after an incidenttheir member veterinary practices, and regularly assessing and evaluating for machine learning that supports certain product features and/or functionality within the effectiveness of the technical and organisational measures adopted by it)Service. 6.9 The Supplier will ensure that any sub-contractors appointed to process personal data on behalf This clause 6 shall survive termination or expiry of the Customer are subject to written agreements that require them to process such data only on documented instructions from the Customer and in full compliance with the requirements of the UK GDPR, particularly Article 28.
The Supplier confirms that it has entered or (as the case may be) will enter with the third-party processor into a written agreement substantially on that third party's standard terms of business. As between the Customer and the Supplier, the Supplier shall remain fully liable for all acts or omissions of any third-party processor appointed by it pursuant to this clause 6. Full details of all third parties providing such services to the Supplier and who are processing Personal data under this agreement are available upon requestSubscription Term. 6.10 The Supplier will update its Privacy Policy to reflect any changes in sub-processors or the addition of new sub-processors. It is the responsibility of the Customer to regularly review the Privacy Policy to stay informed of such changes. 6.11 The Customer acknowledges and agrees that the Supplier relies on third-party services for the hosting and processing of Customer Data pursuant to this agreement. Specifically, Amazon Web Services (AWS) is utilised as the primary infrastructure provider due to its robust data security measures and adherence to data protection legislation relevant to our operations. For comprehensive details regarding the use of AWS, including the location of data centres and the specific security and compliance measures in place, refer to Schedule 2 of this agreement. This schedule outlines how data storage and processing activities through AWS are conducted in strict conformity with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, ensuring the highest standards of data protection and security are maintained. 6.12 The Supplier will ensure that any use of Customer Data in aggregated and anonymised form is done in a manner that fully ensures such data cannot be re-identified, adhering to the standards of anonymisation defined under the UK GDPR.
6.13 The supplier will assist the customer in ensuring compliance with the data subject rights under the Data Protection Legislation, including but not limited to rights of access, correction, deletion, and data portability. 6.14 The customer shall have the right to conduct an audit of the supplier's data processing activities related to this agreement once per year to ensure compliance with Data Protection Legislation and the terms of this agreement. Such audit shall be conducted at the customer's expense, with reasonable prior notice, and shall not unreasonably interfere with the supplier's business operations. 6.15 Any revisions to this clause related to data protection will be made in compliance with the latest data protection legislation and best practices, ensuring the protection of data subjects' rights. The Customer will be notified at least 30 days in advance of any such changes, which will only be implemented with the Customer's consent if they materially alter the data protection obligations of the parties.

Appears in 1 contract

Sources: Terms of Service

Customer Data. 6.1 5.1 The Customer shall own all rightrights, title and interest in and to all of the Customer Data that is not personal data and shall have sole responsibility for the legality, reliability, integrity, accuracy and quality of all such the Customer Data. 6.2 5.2 The Supplier shall follow its archiving procedures for Customer Data as set out in its Back-Up PolicyData. In the event of any loss or damage to Customer Data, the Customer's sole and exclusive remedy against the Supplier shall be for the Supplier to use reasonable commercial endeavours endeavors to restore the lost or damaged Customer Data from the latest back-up of such Customer Data maintained by the Supplier in accordance with the archiving procedure described in its Back-Up Policyprocedure. The Supplier shall not be responsible for any loss, destruction, alteration or disclosure of Customer Data caused by any third party (except those third parties sub-contracted by the Supplier to perform services related to Customer Data maintenance and back-up for which it shall remain fully liable under clause 6.9up). 6.3 5.3 The Supplier shall, in providing the Services, comply with its Privacy and Security Policy relating to the privacy and security of the Customer Data available at ▇▇▇.▇▇▇▇▇▇▇▇▇▇▇.▇▇.▇▇ the website assigned to the Customer by the Supplier, or such other website address as may be notified to the Customer from time to time, as such document may be amended from time to time by the Supplier in its sole discretion. 6.4 Both parties will follow all applicable requirements of the Data Protection Legislation. This clause 6 is in addition to, and does not relieve, remove or replace, a party's obligations under the Data Protection Legislation. 
6.5 The parties acknowledge that: (a) if 5.4 If the Supplier processes any personal data on the Customer's ’s behalf when performing its obligations under this agreement, the parties record their intention that the Customer is shall be the data controller and the Supplier is the shall be a data processor for the purposes of the Data Protection Legislation (where Data Controller and Data Processor have the meanings as defined in the Data Protection Legislation).any such case: (ba) the Customer acknowledges and agrees that the personal data may be transferred or stored outside the EEA or the country state where the Customer and the Authorised Authorized Users are located in order to carry out the Services and the Supplier's ’s other obligations under this agreement. If ; (b) the Customer shall ensure that the Customer is entitled to transfer the relevant personal data is transferred or stored outside the UK, appropriate safeguards in accordance with UK GDPR, such as Standard Contractual Clauses approved by the UK Information Commissioner's Office (ICO), will be implemented to ensure compliance with UK data protection laws. 6.6 Without prejudice to the generality of clause 6.1, the Customer will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the Personal Data to the Supplier for the duration and purposes of this agreement so that the Supplier may lawfully use, process and transfer the Personal Data personal data in accordance with this agreement on the Customer's behalf. 
6.7 Without prejudice to the generality of clause 6.1, the Supplier shall, in relation to any Personal Data processed in connection with the performance by the Supplier of its obligations under this agreement: (a) Process that Personal Data only on the written instructions of the Customer, unless the Supplier is required by the laws of the United Kingdom, the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, or any applicable international laws to process Personal Data (Applicable Laws). In instances where the Supplier's data processing activities are subject to the laws of a member of the European Union due to cross-border operations or data transfers, and where such laws necessitate processing actions divergent from the Customer's instructions, the Supplier shall promptly notify the Customer of this requirement before commencing the processing required by the Applicable Laws, unless prohibited by those laws from providing such notification; (b) Not transfer any Personal Data outside of the United Kingdom or to any country not deemed to have adequate data protection laws by the UK Information Commissioner's Office (ICO), unless the following conditions are fulfilled: (i) the Customer or the Supplier has provided appropriate safeguards in relation to the transfer such as Standard Contractual Clauses (SCCs) specifically adapted for the data transfer requirements under the UK GDPR, or any future UK adequacy decisions. 
When transferring personal data outside the UK, the Supplier will ensure the use of Standard Contractual Clauses approved by the UK Information Commissioner's Office (ICO), or ensure that the destination country has been deemed to provide an adequate level of protection for personal data by the UK government; (ii) the data subject has enforceable rights and effective legal remedies in accordance with the UK GDPR and the Data Protection Act 2018; (iii) the Supplier ensures compliance with the UK Data Protection Legislation by providing an adequate level of protection to any Personal Data transferred, including adhering to any additional requirements set forth by the UK Information Commissioner's Office (ICO); and (iv) the Supplier complies with reasonable instructions notified to it in advance by the Customer with respect to the processing of the Personal Data; (c) assist the CustomerCustomer shall ensure that the relevant third parties have been informed of, at the Customer's costand have given their consent to, in responding to any request from a Data Subject such use, processing, and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulatorstransfer as required by all applicable data protection legislation; (d) notify the ICO within 72 hours Supplier shall process the personal data only in accordance with the terms of becoming aware of a data breach. 
Where this agreement and any lawful instructions reasonably given by the breach is likely Customer from time to result in a high risk to the rights and freedoms of natural persons, notify the affected data subjects without undue delay.;time; and (e) at the written direction of the Customer, delete or return Personal Data and copies thereof to the Customer on termination of the agreement unless required by Applicable Law to store the Personal Data; and (f) maintain complete and accurate records and information to demonstrate its compliance with this clause 6. 6.8 Each each party shall ensure that it has in place take appropriate technical and organisational organizational measures to protect against unauthorised unauthorized or unlawful processing of Personal Data and against accidental loss the personal data or destruction of, or damage to, Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or its accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymisation and encrypting Personal Data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it)damage. 6.9 The Supplier will ensure that any sub-contractors appointed to process personal data on behalf of the Customer are subject to written agreements that require them to process such data only on documented instructions from the Customer and in full compliance with the requirements of the UK GDPR, particularly Article 28.
The Supplier confirms that it has entered or (as the case may be) will enter with the third-party processor into a written agreement substantially on that third party's standard terms of business. As between the Customer and the Supplier, the Supplier shall remain fully liable for all acts or omissions of any third-party processor appointed by it pursuant to this clause 6. Full details of all third parties providing such services to the Supplier and who are processing Personal data under this agreement are available upon request. 6.10 The Supplier will update its Privacy Policy to reflect any changes in sub-processors or the addition of new sub-processors. It is the responsibility of the Customer to regularly review the Privacy Policy to stay informed of such changes. 6.11 The Customer acknowledges and agrees that the Supplier relies on third-party services for the hosting and processing of Customer Data pursuant to this agreement. Specifically, Amazon Web Services (AWS) is utilised as the primary infrastructure provider due to its robust data security measures and adherence to data protection legislation relevant to our operations. For comprehensive details regarding the use of AWS, including the location of data centres and the specific security and compliance measures in place, refer to Schedule 2 of this agreement. This schedule outlines how data storage and processing activities through AWS are conducted in strict conformity with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, ensuring the highest standards of data protection and security are maintained. 6.12 The Supplier will ensure that any use of Customer Data in aggregated and anonymised form is done in a manner that fully ensures such data cannot be re-identified, adhering to the standards of anonymisation defined under the UK GDPR.
6.13 The supplier will assist the customer in ensuring compliance with the data subject rights under the Data Protection Legislation, including but not limited to rights of access, correction, deletion, and data portability. 6.14 The customer shall have the right to conduct an audit of the supplier's data processing activities related to this agreement once per year to ensure compliance with Data Protection Legislation and the terms of this agreement. Such audit shall be conducted at the customer's expense, with reasonable prior notice, and shall not unreasonably interfere with the supplier's business operations. 6.15 Any revisions to this clause related to data protection will be made in compliance with the latest data protection legislation and best practices, ensuring the protection of data subjects' rights. The Customer will be notified at least 30 days in advance of any such changes, which will only be implemented with the Customer's consent if they materially alter the data protection obligations of the parties.

Appears in 1 contract

Sources: Software as a Service (Saas) Agreement

Customer Data. 6.1 10.1 The Customer shall own all right, title and interest in and to all of the Customer Data that is not personal data and shall have sole responsibility for the legality, reliability, integrity, accuracy and quality of all such Customer Data. 6.2 10.2 Unless the parties agree otherwise in writing, the Supplier shall only be obliged to retain a copy of Customer Data for a period of six months following the date on which those Customer Data were first inputted for the purpose of using the Services or facilitating the Customer’s use of the Services. 10.3 The Supplier shall follow its archiving back-up procedures for Customer Data as set out in its Back-Up PolicyPolicy (as amended by the Supplier in its sole discretion from time to time), a copy of which is available on request. In the event of any loss or damage to Customer Data, the Customer's sole and exclusive remedy against the Supplier shall be for the Supplier to use reasonable commercial endeavours to restore the lost or damaged Customer Data from the latest back-up of such Customer Data maintained by the Supplier in accordance with the archiving procedure described in its Back-Up Policy. The Supplier shall not be responsible for any loss, destruction, alteration or disclosure of Customer Data caused by any third party (except those third parties sub-contracted by the Supplier to perform services related to Customer Data maintenance and back-up for which it shall remain fully liable under clause 6.9)party. 6.3 The Supplier shall, in providing the Services, 10.4 Each party undertakes to comply with its Privacy all applicable requirements of all applicable data protection and Security Policy relating to the privacy and security of the Customer Data available at ▇▇▇.▇▇▇▇▇▇▇▇▇▇▇.▇▇.▇▇ or such other website address as may be notified to the Customer from time to time, as such document may be amended legislation in force from time to time by in the Supplier in its sole discretion. 
6.4 Both parties will follow all applicable requirements of UK including the General Data Protection Regulation ((EU) 2016/679) and the Data Protection Act 2018. 2018 (Data Protection Legislation). This clause 6 10 is in addition to, and does not relieve, remove or replace, a party's obligations or rights under the Data Protection Legislation. 6.5 10.5 The parties acknowledge that: (a) if the Supplier processes that in relation to any personal data on the Customer's behalf when performing its obligations under this agreement, in the Customer is the data controller and the Supplier is the data processor Data (Personal Data) for the purposes of the Data Protection Legislation (where Data Legislation, the Customer is the Controller and Data Processor have the meanings as defined in Supplier is the Data Protection Legislation)Processor. (b) the Customer acknowledges and agrees that the personal data may be transferred or stored outside the EEA or the country where the Customer and the Authorised Users are located to carry out the Services and the Supplier's other obligations under this agreement. If personal data is transferred or stored outside the UK, appropriate safeguards in accordance with UK GDPR, such as Standard Contractual Clauses approved by the UK Information Commissioner's Office (ICO), will be implemented to ensure compliance with UK data protection laws. 6.6 10.6 Without prejudice to the generality of clause 6.110.4, the Customer will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the Personal Data to the Supplier and/or lawful collection of the Personal Data by the Supplier on behalf of the Customer for the duration and purposes of this agreement so that the Supplier may lawfully use, process and transfer the Personal Data in accordance with this agreement on the Customer's behalfAgreement. 
6.7 10.7 Without prejudice to the generality of clause 6.110.4, the Supplier shall, in relation to any Personal Data processed in connection with the performance by the Supplier of its obligations under this agreement: (a) Process process that Personal Data only on the documented written instructions of the Customer, Customer unless the Supplier is required by law to otherwise process that Personal Data. Where the laws of Supplier is relying on law as the United Kingdom, the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, or any applicable international laws to process basis for processing Personal Data (Applicable Laws). In instances where the Supplier's data processing activities are subject to the laws of a member of the European Union due to cross-border operations or data transfers, and where such laws necessitate processing actions divergent from the Customer's instructionsData, the Supplier shall promptly notify the Customer of this requirement before commencing performing the processing required by law unless the Applicable Laws, unless prohibited by those laws law prohibits the Supplier from providing such notificationso notifying the Customer; (b) Not transfer any Personal Data outside of the United Kingdom or to any country not deemed to have adequate data protection laws by the UK Information Commissioner's Office (ICO), unless the following conditions are fulfilled: (i) the Customer or the Supplier has provided appropriate safeguards in relation to the transfer such as Standard Contractual Clauses (SCCs) specifically adapted for the data transfer requirements under the UK GDPR, or any future UK adequacy decisions. 
When transferring personal data outside the UK, the Supplier will ensure the use of Standard Contractual Clauses approved by the UK Information Commissioner's Office (ICO), or ensure that the destination country has been deemed to provide an adequate level of protection for personal data by the UK government; (ii) the data subject has enforceable rights and effective legal remedies in accordance with the UK GDPR and the Data Protection Act 2018; (iii) the Supplier ensures compliance with the UK Data Protection Legislation by providing an adequate level of protection to any Personal Data transferred, including adhering to any additional requirements set forth by the UK Information Commissioner's Office (ICO); and (iv) the Supplier complies with reasonable instructions notified to it in advance by the Customer with respect to the processing of the Personal Data; (c) assist the Customer, at the Customer's cost, in responding to any request from a Data Subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators; (d) notify the ICO within 72 hours of becoming aware of a data breach. Where the breach is likely to result in a high risk to the rights and freedoms of natural persons, notify the affected data subjects without undue delay; (e) at the written direction of the Customer, delete or return Personal Data and copies thereof to the Customer on termination of the agreement unless required by Applicable Law to store the Personal Data; and (f) maintain complete and accurate records and information to demonstrate its compliance with this clause 6.
6.8 Each party shall ensure that it has in place appropriate technical and organisational measures measures, to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymisation pseudonymising and encr ypting encrypting Personal Data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it).; 6.9 The Supplier will (c) ensure that all personnel who have access to and/or process Personal Data are obliged to keep the Personal Data confidential; and (i) not transfer any sub-contractors appointed to process personal data on behalf of the Customer are subject to written agreements that require them to process such data only on documented instructions from the Customer and in full compliance with the requirements Personal Data outside of the UK GDPRor EEA unless the following conditions are fulfilled: (ii) the Customer or the Supplier has provided appropriate safeguards in relation to the transfer; (iii) the Supplier complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred; and (iv) the Supplier complies with reasonable instructions notified to it in advance by the Customer with respect to the processing of the Personal Data; (d) assist the Customer, particularly Article 28at the Customer's cost, in 
responding to any request from a data subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators; (e) notify the Customer without undue delay on becoming aware of a personal data breach; (f) at the written direction of the Customer, delete or return Personal Data and copies thereof to the Customer on termination of the Agreement unless required by law to store the Personal Data; and (g) maintain complete and accurate records and information to demonstrate its compliance with this clause 10. 10.8 The Customer consents to the Supplier appointing third-party processors of Personal Data under this Agreement as notified by the Supplier from time to time. The Supplier confirms that it has entered or (as the case may be) will enter with the third- third-party processor processors into a written agreement substantially on that third party's standard terms which reflect the requirements of businessthe Data Protection Legislation. As between the Customer and the Supplier, the Supplier shall remain fully liable for all acts or omissions of any third-party processor appointed by it pursuant to this clause 6. Full details clause. 10.9 The Customer shall notify the Supplier within 30 days of all third parties providing such services any reasonable objection to the Supplier and who are processing Personal data under this agreement are available upon request. 6.10 The Supplier will update its Privacy Policy to reflect any changes in sub-processors or the addition appointment of new sub-processors. It is the responsibility of the Customer to regularly review the Privacy Policy to stay informed of such changes. 6.11 The Customer acknowledges and agrees that the Supplier relies on a third-party services for the hosting and processing processor of Customer Personal Data pursuant to this agreement. 
Specifically, Amazon Web Services (AWS) is utilised as the primary infrastructure provider due to its robust data security measures and adherence to data protection legislation relevant to our operations. For comprehensive details regarding the use of AWS, including the location of data centres and the specific security and compliance measures in place, refer parties shall enter into good faith discussions to Schedule 2 of this agreement. This schedule outlines how data storage and processing activities through AWS are conducted in strict conformity with resolve the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, ensuring the highest standards of data protection and security are maintainedobjection. 6.12 The Supplier will ensure that any use of Customer Data in aggregated and anonymised form is done in a manner that fully ensures such data cannot be re-identified, adhering to the standards of anonymisation defined under the UK GDPR. 6.13 The supplier will assist the customer in ensuring compliance with the data subject rights under the Data Protection Legislation, including but not limited to rights of access, correction, deletion, and data portability. 6.14 The customer shall have the right to conduct an audit of the supplier's data processing activities related to this agreement once per year to ensure compliance with Data Protection Legislation and the terms of this agreement. Such audit shall be conducted at the customer's expense, with reasonable prior notice, and shall not unreasonably interfere with the supplier's business operations. 6.15 Any revisions to this clause related to data protection will be made in compliance with the latest data protection legislation and best practices, ensuring the protection of data subjects' rights.
The Customer will be notified at least 30 days in advance of any such changes, which will only be implemented with the Customer's consent if they materially alter the data protection obligations of the parties.

Appears in 1 contract

Sources: End User License Agreement

Customer Data. 6.1 5.1 The Customer shall own all right, title and interest in and to all of the Customer Data that is not personal data and shall have sole responsibility for the legality, reliability, integrity, accuracy and quality of all such Customer Data. 6.2 The Supplier shall follow its archiving procedures for Customer Data as set out in its Back-Up Policy. In the event of any loss or damage to Customer Data, the Customer's sole and exclusive remedy against the Supplier shall be for the Supplier to use reasonable commercial endeavours to restore the lost or damaged Customer Data from the latest back-up of such Customer Data maintained by the Supplier in accordance with the archiving procedure described in its Back-Up Policy. The Supplier shall not be responsible for any loss, destruction, alteration or disclosure of Customer Data caused by any third party (except those third parties sub-contracted by the Supplier to perform services related to Customer Data maintenance and back-up for which it shall remain fully liable under clause 6.9). 6.3 5.2 The Supplier shall, in providing the Services, comply with its Privacy Customer’s information security, confidentiality and Security Policy data protection policies relating to the privacy and security of the Customer Data available at ▇▇▇.▇▇▇▇▇▇▇▇▇▇▇.▇▇.▇▇ [WEB ADDRESS] or such other website address as may be notified to by the Customer from time to time, as such document may be amended from time to time by the Supplier Customer in its sole discretion. 6.4 5.3 Both parties will follow comply with all applicable requirements of the Data Protection Legislation. This clause 6 Clause 5 is in addition to, and does not relieve, remove or replace, a party's ’s obligations or rights under the Data Protection Legislation.. In this Clause 5, Applicable Laws means the UK Data Protection Legislation and any other relevant law that applies in the UK.. 
6.5 5.4 The parties acknowledge that: (a) if the Supplier processes any personal data on the Customer's behalf when performing its obligations under this agreement, the Customer is the data controller and the Supplier is the data processor The parties acknowledge that for the purposes of the Data Protection Legislation (where Data Legislation, the Customer is the Controller and the Provider is the Processor. Schedule 3 sets out the scope, nature and purpose of processing by the Provider, the duration of the processing and the types of Personal Data Processor have the meanings as defined in the and categories of Data Protection Legislation). Subject. (b) the Customer acknowledges and agrees that the personal data may not be transferred or stored outside the EEA or the country where the Customer and the Authorised Users are located in order to carry out the Services and the Supplier's ’s other obligations under this agreement. If personal data is transferred or stored outside the UK, appropriate safeguards in accordance with UK GDPR, such as Standard Contractual Clauses approved by the UK Information Commissioner's Office (ICO), will be implemented to ensure compliance with UK data protection lawsAgreement. 6.6 5.5 Without prejudice to the generality of clause 6.15.3, the Customer will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the Personal Data personal data to the Supplier for the duration and purposes of this agreement Agreement so that the Supplier may lawfully use, process and transfer the Personal Data personal data in accordance with this agreement Agreement on the Customer's ’s behalf. 
6.7 5.6 Without prejudice to the generality of clause 6.15.3, the Supplier shall, in relation to any Personal Data personal data processed in connection with the performance by the Supplier of its obligations under this agreementAgreement: (a) Process process that Personal Data personal data only on the documented written instructions of the Customer, Customer unless the Supplier is required by Applicable Laws to otherwise process that personal data. Where the laws of Supplier is relying on Applicable Laws as the United Kingdom, the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, or any applicable international laws to process Personal Data (Applicable Laws). In instances where the Supplier's data basis for processing activities are subject to the laws of a member of the European Union due to cross-border operations or data transfers, and where such laws necessitate processing actions divergent from the Customer's instructionspersonal data, the Supplier shall promptly notify the Customer of this requirement before commencing performing the processing required by the Applicable Laws, Laws unless prohibited by those laws Applicable Laws prohibit the Supplier from providing such notificationso notifying the Customer; (b) Not not transfer any Personal Data personal data outside of the United Kingdom or European Economic Area unless it has obtained the Customer’s prior written consent to any country not deemed to have adequate data protection laws by the UK Information Commissioner's Office (ICO), unless do so and the following conditions are fulfilled: (i) the Customer or the Supplier has provided appropriate safeguards in relation to the transfer such as Standard Contractual Clauses (SCCs) specifically adapted for the data transfer requirements under the UK GDPR, or any future UK adequacy decisions. 
When transferring personal data outside the UK, the Supplier will ensure the use of Standard Contractual Clauses approved by the UK Information Commissioner's Office (ICO), or ensure that the destination country has been deemed to provide an adequate level of protection for personal data by the UK governmenttransfer; (ii) the data subject has enforceable rights and effective legal remedies in accordance with the UK GDPR and the Data Protection Act 2018remedies; (iii) the Supplier ensures compliance complies with its obligations under the UK Data Protection Legislation by providing an adequate level of protection to any Personal Data personal data that is transferred, including adhering to any additional requirements set forth by the UK Information Commissioner's Office (ICO); and (iv) the Supplier complies with reasonable instructions notified to it in advance by the Customer with respect to the processing of the Personal Datapersonal data; (c) assist the Customer, at the Customer's ’s cost, in responding to any request from a Data Subject data subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators; (d) notify the ICO Customer without undue delay and in any event within 72 twenty-four (24) hours of on becoming aware of a personal data breach. 
Where the breach is likely to result in a high risk to the rights and freedoms of natural persons, notify the affected data subjects without undue delay.; (e) at the written direction of the Customer, delete or return Personal Data personal data and copies thereof to the Customer on termination of the agreement Agreement in accordance with clause 14.5 unless the Supplier is required by Applicable Law to store the Personal Datapersonal data (and for these purposes the term “delete” shall mean to put such data beyond use); and (f) maintain complete and accurate records and information to demonstrate its compliance with this clause 6Clause 5 and immediately inform the Company if, in the opinion of the Supplier, an instruction infringes the Data Protection Legislation. 6.8 Each party 5.7 The Supplier shall ensure that it has in place appropriate technical and organisational measures measures, reviewed and approved by the other party, to protect against unauthorised or unlawful processing of Personal Data personal data and against accidental loss or destruction of, or damage to, Personal Datapersonal data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymisation pseudonymising and encr ypting Personal Dataencrypting personal data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to Personal Data personal data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it). 
6.9 5.8 The Supplier will ensure that any sub-contractors appointed to process personal data on behalf of the Customer are subject to written agreements that require them to process such data only on documented instructions from the Customer and in full compliance with the requirements of the UK GDPR, particularly Article 28. The Supplier confirms that it has entered or (as the case may be) will enter with the third- party processor into a written agreement substantially on that third party's standard terms of business. As between the Customer and the Supplier, the Supplier shall remain fully liable for all acts or omissions of any third-party processor appointed by it pursuant to this clause 6. Full details of all third parties providing such services does not consent to the Supplier and who are processing Personal appointing any third party processor of personal data under this agreement are available upon requestAgreement. 6.10 5.9 The Supplier will update its Privacy Policy parties may, on written agreement between the parties, revise this Clause 5 by replacing it with any applicable controller to reflect any changes in sub-processors processor standard clauses or the addition similar terms forming part of new sub-processors. It is the responsibility of the Customer to regularly review the Privacy Policy to stay informed of such changes. 6.11 The Customer acknowledges and agrees that the Supplier relies on third-party services for the hosting and processing of Customer Data pursuant an applicable certification scheme (which shall apply when replaced by attachment to this agreement. Specifically, Amazon Web Services (AWS) is utilised as the primary infrastructure provider due to its robust data security measures and adherence to data protection legislation relevant to our operations. 
For comprehensive details regarding the use of AWS, including the location of data centres and the specific security and compliance measures in place, refer to Schedule 2 of this agreement. This schedule outlines how data storage and processing activities through AWS are conducted in strict conformity with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, ensuring the highest standards of data protection and security are maintainedAgreement). 6.12 The Supplier will ensure that any use of Customer Data in aggregated and anonymised form is done in a manner that fully ensures such data cannot be re-identified, adhering to the standards of anonymisation defined under the UK GDPR. 6.13 The supplier will assist the customer in ensuring compliance with the data subject rights under the Data Protection Legislation, including but not limited to rights of access, correction, deletion, and data portability. 6.14 The customer shall have the right to conduct an audit of the supplier's data processing activities related to this agreement once per year to ensure compliance with Data Protection Legislation and the terms of this agreement. Such audit shall be conducted at the customers expense, with reasonable prior notice, and shall not unreasonably interfere with the supplier's business operations 6.15 Any revisions to this clause related to data protection will be made in compliance with the latest data protection legislation and best practices, ensuring the protection of data subjects' rights. The Customer will be notified at least 30 days in advance of any such changes, which will only be implemented with the Customer's consent if they materially alter the data protection obligations of the parties.

Appears in 1 contract

Sources: Software as a Service (Saas) Subscription Agreement

Customer Data. 6.1 4.1 The Customer shall own all right, title and interest in and to all of the Customer Data that is not personal data and shall have sole responsibility for the legality, reliability, integrity, accuracy and quality of all such the Customer Data. 6.2 4.2 The Supplier shall follow its archiving procedures for Customer Data as set out in its Back-Up Policyback- up policy available on request in writing as such document may be amended by the Supplier in its sole discretion from time to time. In the event of any loss or damage to Customer Data, the Customer's sole and exclusive remedy against the Supplier shall be for the Supplier to use reasonable commercial endeavours to restore the lost or damaged Customer Data from the latest back-up of such Customer Data maintained by the Supplier in accordance with the archiving procedure described in its Backback-Up Policyup policy. The Supplier shall not be responsible for any loss, destruction, alteration or disclosure of Customer Data caused by any third party (except those third parties sub-contracted by the Supplier to perform services related to Customer Data maintenance and back-up for which it shall remain fully liable under clause 6.9up). 6.3 4.3 The Supplier shall, in providing the Services: (a) comply with all Data Protection Laws in connection with the processing of Customer Data, the Services and the exercise and performance of its respective rights and obligations under this Contract, including maintaining all relevant regulatory registrations and notifications as required under Data Protection Laws; and (b) comply with its Privacy and Security Policy relating to the privacy and security of the Customer Data available at ▇▇▇.▇▇▇▇▇▇▇▇▇▇▇.▇▇.▇▇ or such other website address data protection policy as may be notified to the Customer from time to time, as such document may be amended updated from time to time by the Supplier in its sole discretionSupplier. 
6.4 Both parties will follow all applicable requirements of the Data Protection Legislation. This clause 6 is in addition to, and does not relieve, remove or replace, a party's obligations under the Data Protection Legislation. 6.5 The parties acknowledge that: (a) if 4.4 If the Supplier processes any personal data on the Customer's behalf when performing its obligations under this agreementContract, the parties record their intention that the Customer is shall be the data controller and the Supplier is the shall be a data processor for the purposes of the Data Protection Legislation (where Data Controller and Data Processor have the meanings as defined in the Data Protection Legislation).any such case: (ba) the Customer acknowledges and agrees that the personal data may be transferred or stored outside the EEA or the country where the Customer and the Authorised Users are located in order to carry out the Services and the Supplier's other obligations under this agreement. If Contract; (b) the Customer shall ensure that the Customer is entitled to transfer the relevant personal data is transferred or stored outside the UK, appropriate safeguards in accordance with UK GDPR, such as Standard Contractual Clauses approved by the UK Information Commissioner's Office (ICO), will be implemented to ensure compliance with UK data protection laws. 6.6 Without prejudice to the generality of clause 6.1, the Customer will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the Personal Data to the Supplier for the duration and purposes of this agreement so that the Supplier may lawfully use, process and transfer the Personal Data personal data in accordance with this agreement Contract on the Customer's behalf. 
6.7 Without prejudice to the generality of clause 6.1, the Supplier shall, in relation to any Personal Data processed in connection with the performance by the Supplier of its obligations under this agreement: (a) Process that Personal Data only on the written instructions of the Customer, unless the Supplier is required by the laws of the United Kingdom, the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, or any applicable international laws to process Personal Data (Applicable Laws). In instances where the Supplier's data processing activities are subject to the laws of a member of the European Union due to cross-border operations or data transfers, and where such laws necessitate processing actions divergent from the Customer's instructions, the Supplier shall promptly notify the Customer of this requirement before commencing the processing required by the Applicable Laws, unless prohibited by those laws from providing such notification; (b) Not transfer any Personal Data outside of the United Kingdom or to any country not deemed to have adequate data protection laws by the UK Information Commissioner's Office (ICO), unless the following conditions are fulfilled: (i) the Customer or the Supplier has provided appropriate safeguards in relation to the transfer such as Standard Contractual Clauses (SCCs) specifically adapted for the data transfer requirements under the UK GDPR, or any future UK adequacy decisions. 
When transferring personal data outside the UK, the Supplier will ensure the use of Standard Contractual Clauses approved by the UK Information Commissioner's Office (ICO), or ensure that the destination country has been deemed to provide an adequate level of protection for personal data by the UK government; (ii) the data subject has enforceable rights and effective legal remedies in accordance with the UK GDPR and the Data Protection Act 2018; (iii) the Supplier ensures compliance with the UK Data Protection Legislation by providing an adequate level of protection to any Personal Data transferred, including adhering to any additional requirements set forth by the UK Information Commissioner's Office (ICO); and (iv) the Supplier complies with reasonable instructions notified to it in advance by the Customer with respect to the processing of the Personal Data; (c) assist the CustomerCustomer shall ensure that the relevant third parties have been informed of, at the Customer's costand have given their consent to, in responding to any request from a Data Subject such use, processing, and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulatorstransfer as required by all applicable data protection legislation; (d) notify the ICO within 72 hours Supplier shall process the personal data only in accordance with the terms of becoming aware of a data breach. 
Where this Contract and any lawful instructions reasonably given by the breach is likely Customer from time to result in a high risk to the rights and freedoms of natural persons, notify the affected data subjects without undue delay.;time; and (e) at the written direction of the Customer, delete or return Personal Data and copies thereof to the Customer on termination of the agreement unless required by Applicable Law to store the Personal Data; and (f) maintain complete and accurate records and information to demonstrate its compliance with this clause 6. 6.8 Each each party shall ensure that it has in place take appropriate technical and organisational measures to protect against unauthorised or unlawful processing of Personal Data and against accidental loss the personal data or destruction of, or damage to, Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or its accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymisation and encr ypting Personal Data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it)damage. 6.9 The Supplier will ensure that any sub-contractors appointed to process personal data on behalf of the Customer are subject to written agreements that require them to process such data only on documented instructions from the Customer and in full compliance with the requirements of the UK GDPR, particularly Article 28. 
The Supplier confirms that it has entered or (as the case may be) will enter with the third-party processor into a written agreement substantially on that third party's standard terms of business. As between the Customer and the Supplier, the Supplier shall remain fully liable for all acts or omissions of any third-party processor appointed by it pursuant to this clause 6. Full details of all third parties providing such services to the Supplier and who are processing Personal data under this agreement are available upon request. 6.10 The Supplier will update its Privacy Policy to reflect any changes in sub-processors or the addition of new sub-processors. It is the responsibility of the Customer to regularly review the Privacy Policy to stay informed of such changes. 6.11 The Customer acknowledges and agrees that the Supplier relies on third-party services for the hosting and processing of Customer Data pursuant to this agreement. Specifically, Amazon Web Services (AWS) is utilised as the primary infrastructure provider due to its robust data security measures and adherence to data protection legislation relevant to our operations. For comprehensive details regarding the use of AWS, including the location of data centres and the specific security and compliance measures in place, refer to Schedule 2 of this agreement. This schedule outlines how data storage and processing activities through AWS are conducted in strict conformity with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, ensuring the highest standards of data protection and security are maintained. 6.12 The Supplier will ensure that any use of Customer Data in aggregated and anonymised form is done in a manner that fully ensures such data cannot be re-identified, adhering to the standards of anonymisation defined under the UK GDPR.
6.13 The supplier will assist the customer in ensuring compliance with the data subject rights under the Data Protection Legislation, including but not limited to rights of access, correction, deletion, and data portability. 6.14 The customer shall have the right to conduct an audit of the supplier's data processing activities related to this agreement once per year to ensure compliance with Data Protection Legislation and the terms of this agreement. Such audit shall be conducted at the customer's expense, with reasonable prior notice, and shall not unreasonably interfere with the supplier's business operations. 6.15 Any revisions to this clause related to data protection will be made in compliance with the latest data protection legislation and best practices, ensuring the protection of data subjects' rights. The Customer will be notified at least 30 days in advance of any such changes, which will only be implemented with the Customer's consent if they materially alter the data protection obligations of the parties.

Appears in 1 contract

Sources: Service Agreement

Customer Data. 6.1 5.1 The Customer shall own all right, title and interest in and to all of the Customer Data that is not personal data and shall have sole responsibility for the legality, reliability, integrity, accuracy and quality of all such Customer Data. 6.2 5.2 The Supplier shall follow its archiving procedures for Customer Data as set out in its Back-Up PolicyPolicy available at ▇▇▇.▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇.▇▇▇ or such other website address as may be notified to the Customer from time to time, as such document may be amended by the Supplier in its sole discretion from time to time. In the event of any loss or damage to Customer Data, the Customer's ’s sole and exclusive remedy against the Supplier shall be for the Supplier to use reasonable commercial endeavours to restore the lost or damaged Customer Data from the latest back-up of such Customer Data maintained by the Supplier in accordance with the archiving procedure described in its Back-Up Policy. The Supplier shall not be responsible for any loss, destruction, alteration or disclosure of Customer Data caused by any third party (except those third parties sub-contracted by the Supplier to perform services related to Customer Data maintenance and back-up for which it shall remain fully liable under clause 6.9Clause 5.9). 6.3 5.3 The Supplier shall, in providing the Services, comply with its Privacy and Security Policy relating to the privacy and security of the Customer Data available at ▇▇▇.▇▇▇▇▇▇▇▇▇▇▇.▇▇▇▇.▇▇ or such other website address as may be notified to the Customer from time to time, as such document may be amended from time to time by the Supplier in its sole discretion. 6.4 5.4 Both parties will follow comply with all applicable requirements of the Data Protection Legislation. This clause 6 Clause 5 is in addition to, and does not relieve, remove or replace, a party's ’s obligations or rights under the Data Protection Legislation. 
6.5 5.5 The parties acknowledge that: (a) if the Supplier processes any personal data on the Customer's ’s behalf when performing its obligations under this agreement, the Customer is the data controller and the Supplier is the data processor for the purposes of the Data Protection Legislation (where Data Controller and Data Processor have the meanings as defined in the Data Protection Legislation). (b) [Schedule 4 sets out the Customer acknowledges scope, nature and agrees that purpose of processing by the Supplier, the duration of the processing and the types of personal data and categories of data subject.] (c) the personal data may be transferred or stored outside the EEA or the country where the Customer and the Authorised Users are located in order to carry out the Services and the Supplier's ’s other obligations under this agreement. If personal data is transferred or stored outside the UK, appropriate safeguards in accordance with UK GDPR, such as Standard Contractual Clauses approved by the UK Information Commissioner's Office (ICO), will be implemented to ensure compliance with UK data protection laws. 6.6 5.6 Without prejudice to the generality of clause 6.1Clause 5.4, the Customer will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the Personal Data personal data to the Supplier for the duration and purposes of this agreement so that the Supplier may lawfully use, process and transfer the Personal Data personal data in accordance with this agreement on the Customer's ’s behalf. 
6.7 Without prejudice to the generality of clause 6.1, the Supplier shall, in relation to any Personal Data processed in connection with the performance by the Supplier of its obligations under this agreement: (a) Process that Personal Data only on the written instructions of the Customer, unless the Supplier is required by the laws of the United Kingdom, the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, or any applicable international laws to process Personal Data (Applicable Laws). In instances where the Supplier's data processing activities are subject to the laws of a member of the European Union due to cross-border operations or data transfers, and where such laws necessitate processing actions divergent from the Customer's instructions, the Supplier shall promptly notify the Customer of this requirement before commencing the processing required by the Applicable Laws, unless prohibited by those laws from providing such notification; (b) Not transfer any Personal Data outside of the United Kingdom or to any country not deemed to have adequate data protection laws by the UK Information Commissioner's Office (ICO), unless the following conditions are fulfilled: (i) the Customer or the Supplier has provided appropriate safeguards in relation to the transfer such as Standard Contractual Clauses (SCCs) specifically adapted for the data transfer requirements under the UK GDPR, or any future UK adequacy decisions. 
When transferring personal data outside the UK, the Supplier will ensure the use of Standard Contractual Clauses approved by the UK Information Commissioner's Office (ICO), or ensure that the destination country has been deemed to provide an adequate level of protection for personal data by the UK government; (ii) the data subject has enforceable rights and effective legal remedies in accordance with the UK GDPR and the Data Protection Act 2018; (iii) the Supplier ensures compliance with the UK Data Protection Legislation by providing an adequate level of protection to any Personal Data transferred, including adhering to any additional requirements set forth by the UK Information Commissioner's Office (ICO); and (iv) the Supplier complies with reasonable instructions notified to it in advance by the Customer with respect to the processing of the Personal Data; (c) assist the Customer, at the Customer's cost, in responding to any request from a Data Subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators; (d) notify the ICO within 72 hours of becoming aware of a data breach. Where the breach is likely to result in a high risk to the rights and freedoms of natural persons, notify the affected data subjects without undue delay; (e) at the written direction of the Customer, delete or return Personal Data and copies thereof to the Customer on termination of the agreement unless required by Applicable Law to store the Personal Data; and (f) maintain complete and accurate records and information to demonstrate its compliance with this clause 6.
6.8 Each party shall ensure that it has in place appropriate technical and organisational measures to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymisation and encrypting Personal Data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it). 6.9 The Supplier will ensure that any sub-contractors appointed to process personal data on behalf of the Customer are subject to written agreements that require them to process such data only on documented instructions from the Customer and in full compliance with the requirements of the UK GDPR, particularly Article 28. The Supplier confirms that it has entered or (as the case may be) will enter with the third-party processor into a written agreement substantially on that third party's standard terms of business. As between the Customer and the Supplier, the Supplier shall remain fully liable for all acts or omissions of any third-party processor appointed by it pursuant to this clause 6. Full details of all third parties providing such services to the Supplier and who are processing Personal data under this agreement are available upon request. 6.10 The Supplier will update its Privacy Policy to reflect any changes in sub-processors or the addition of new sub-processors.
It is the responsibility of the Customer to regularly review the Privacy Policy to stay informed of such changes. 6.11 The Customer acknowledges and agrees that the Supplier relies on third-party services for the hosting and processing of Customer Data pursuant to this agreement. Specifically, Amazon Web Services (AWS) is utilised as the primary infrastructure provider due to its robust data security measures and adherence to data protection legislation relevant to our operations. For comprehensive details regarding the use of AWS, including the location of data centres and the specific security and compliance measures in place, refer to Schedule 2 of this agreement. This schedule outlines how data storage and processing activities through AWS are conducted in strict conformity with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, ensuring the highest standards of data protection and security are maintained. 6.12 The Supplier will ensure that any use of Customer Data in aggregated and anonymised form is done in a manner that fully ensures such data cannot be re-identified, adhering to the standards of anonymisation defined under the UK GDPR. 6.13 The supplier will assist the customer in ensuring compliance with the data subject rights under the Data Protection Legislation, including but not limited to rights of access, correction, deletion, and data portability. 6.14 The customer shall have the right to conduct an audit of the supplier's data processing activities related to this agreement once per year to ensure compliance with Data Protection Legislation and the terms of this agreement. 
Such audit shall be conducted at the customer's expense, with reasonable prior notice, and shall not unreasonably interfere with the supplier's business operations. 6.15 Any revisions to this clause related to data protection will be made in compliance with the latest data protection legislation and best practices, ensuring the protection of data subjects' rights. The Customer will be notified at least 30 days in advance of any such changes, which will only be implemented with the Customer's consent if they materially alter the data protection obligations of the parties.

Appears in 1 contract

Sources: Software Subscription Agreement

Customer Data. 6.1 9.1. The Customer shall own all right, title and interest in and to all of the Customer Data that is not personal data and shall have sole responsibility for the legality, reliability, integrity, accuracy and quality of all such the Customer Data. 6.2 9.2. The Customer warrants that it owns all rights in the Customer Data and that the Supplier’s use and processing of the Customer Data in accordance with the Agreement will not infringe third party rights. The Customer hereby grants the Supplier the non-exclusive worldwide right and licence to process, copy, store, transmit display, print, view and otherwise use the Customer Data to the extent required for the provision of the Services. The Supplier shall will not process any Customer Data for its own purposes without the prior written consent of the Customer. 9.3. The Supplier shall, in providing the Services, comply with its Security Policy and follow its archiving procedures for Customer Data as set out in its Back-Up Security Policy, as such document may be amended by the Supplier from time to time. In the event of any loss or damage to Customer Data, the Customer's sole and exclusive remedy against the Supplier shall be for the Supplier to use reasonable commercial endeavours to restore the lost or damaged Customer Data from the latest back-up backup of such Customer Data maintained by the Supplier in accordance with the archiving procedure described in its Back-Up Security Policy. The Supplier shall not be responsible for any loss, destruction, alteration or disclosure of Customer Data caused by any third party (except those third parties sub-contracted by the Supplier to perform services related to Customer Data maintenance and back-up for which it shall remain fully liable under clause 6.9up). 6.3 . 
The Supplier shall, in providing the Services, comply with Customer acknowledges and accepts that more regular backups of Customer Data may be achieved by: (i) making its Privacy and Security Policy relating to the privacy and security own backups of the Customer Data available at ▇▇▇.▇▇▇▇▇▇▇▇▇▇▇.▇▇.▇▇ or such other website address as may be notified to the Customer from time to any time, as such document may be amended or (ii) requesting enhanced data backup services from time to time by the Supplier in its sole discretion. 6.4 Both parties will follow all applicable requirements of the Data Protection Legislation. This clause 6 is in addition to, and does not relieve, remove or replace, a party's obligations under the Data Protection Legislation. 6.5 The parties acknowledge that: (a) if the Supplier processes any personal data on the Customer's behalf when performing its obligations under this agreement, the Customer is the data controller and the Supplier is the data processor for the purposes of the Data Protection Legislation (where Data Controller and Data Processor have the meanings as defined in the Data Protection Legislation). (b) the Customer acknowledges and agrees that the personal data may be transferred or stored outside the EEA or the country where the Customer and the Authorised Users are located to carry out the Services and the Supplier's other obligations under this agreement, details of which are available upon request. If personal data is transferred or stored outside the UK, appropriate safeguards in accordance with UK GDPR, such as Standard Contractual Clauses approved by the UK Information Commissioner's Office (ICO), will be implemented to ensure compliance with UK data protection laws. 
6.6 Without prejudice to the generality of clause 6.1, the Customer will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the Personal Data to the Supplier for the duration and purposes of this agreement so that the Supplier may lawfully use, process and transfer the Personal Data in accordance with this agreement on the Customer's behalf. 6.7 Without prejudice to the generality of clause 6.1, the Supplier shall, The Supplier’s liability in relation to any Personal Data processed in connection data loss or corruption will be limited to that resulting from its failure to comply with the performance by any contractual commitments given regarding data backup and the Supplier does not otherwise accept responsibility for data loss or damage of its obligations under this agreement:any kind. (a) Process that Personal Data only 9.4. The Customer accepts the Services on the written instructions basis of the Customer, unless standards set out in the Supplier is required by the laws of the United Kingdom, the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, or any applicable international laws to process Personal Data (Applicable Laws). 
In instances where the Supplier's data processing activities are subject to the laws of a member of the European Union due to cross-border operations or data transfers, Security Policy and where such laws necessitate processing actions divergent from the Customer's instructions, the Supplier shall promptly notify the Customer of this requirement before commencing the processing required by the Applicable Laws, unless prohibited by those laws from providing such notification; (b) Not transfer any Personal Data outside of the United Kingdom or to any country not deemed to have adequate data protection laws by the UK Information Commissioner's Office (ICO), unless the following conditions are fulfilled: (i) the Customer or the Supplier has provided appropriate safeguards in relation to the transfer such as Standard Contractual Clauses (SCCs) specifically adapted for the data transfer requirements under the UK GDPR, or any future UK adequacy decisions. When transferring personal data outside the UK, accepts that the Supplier will ensure have no liability owing to any loss, damage or corruption to Customer Data provided the use standards in the Security Policy have been complied with. The Customer accepts the security standards set out in the Security Policy as an acceptable commercial standard in light of Standard Contractual Clauses approved all the circumstances, including the level of charges applied by the UK Information Commissioner's Office (ICO)Supplier. 9.5. The Customer accepts that electronic communications involve transmission over the Internet, or ensure that and over other networks, which are outside the destination country has been deemed to provide an adequate level of protection for personal data by Supplier’s control. 
The Customer accepts the UK government; (ii) the data subject has enforceable rights and effective legal remedies in accordance risk associated with the UK GDPR electronic communications and the Data Protection Act 2018; (iii) the Supplier ensures compliance with the UK Data Protection Legislation possibility that they may be accessed by providing an adequate level of protection to any Personal Data transferred, including adhering to any additional requirements set forth by the UK Information Commissioner's Office (ICO); and (iv) the Supplier complies with reasonable instructions notified to it in advance by the Customer with respect to the processing of the Personal Data; (c) assist the Customer, at the Customer's cost, in responding to any request from a Data Subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators; (d) notify the ICO within 72 hours of becoming aware of a data breach. Where the breach is likely to result in a high risk to the rights and freedoms of natural persons, notify the affected data subjects without undue delay; (e) at the written direction of the Customer, delete or return Personal Data and copies thereof to the Customer on termination of the agreement unless required by Applicable Law to store the Personal Data; and (f) maintain complete and accurate records and information to demonstrate its compliance with this clause 6. 
6.8 Each party shall ensure that it has in place appropriate technical and organisational measures to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymisation and encrypting Personal Data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it). 6.9 The Supplier will ensure that any sub-contractors appointed to process personal data on behalf of the Customer are subject to written agreements that require them to process such data only on documented instructions from the Customer and in full compliance with the requirements of the UK GDPR, particularly Article 28. The Supplier confirms that it has entered or (as the case may be) will enter with the third-party processor into a written agreement substantially on that third party's standard terms of business. As between the Customer and the Supplier, the Supplier shall remain fully liable for all acts or omissions of any third-party processor appointed by it pursuant to this clause 6. Full details of all third parties providing such services to the Supplier and who are processing Personal data under this agreement are available upon request. 6.10 The Supplier will update its Privacy Policy to reflect any changes in sub-processors or the addition of new sub-processors. 
It is the responsibility of the Customer to regularly review the Privacy Policy to stay informed of such changes. 6.11 The Customer acknowledges and agrees that the Supplier relies on third-party services is not responsible for the hosting and processing of Customer Data pursuant to this agreement. Specificallyany related delay, Amazon Web Services (AWS) is utilised as the primary infrastructure provider due to its robust data security measures and adherence to data protection legislation relevant to our operations. For comprehensive details regarding the use of AWS, including the location of data centres and the specific security and compliance measures in place, refer to Schedule 2 of this agreement. This schedule outlines how data storage and processing activities through AWS are conducted in strict conformity with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, ensuring the highest standards of data protection and security are maintainedloss or damage. 6.12 The Supplier will ensure that any use of Customer Data in aggregated and anonymised form is done in a manner that fully ensures such data cannot be re-identified, adhering to the standards of anonymisation defined under the UK GDPR. 6.13 The supplier will assist the customer in ensuring compliance with the data subject rights under the Data Protection Legislation, including but not limited to rights of access, correction, deletion, and data portability. 6.14 The customer shall have the right to conduct an audit of the supplier's data processing activities related to this agreement once per year to ensure compliance with Data Protection Legislation and the terms of this agreement. 
Such audit shall be conducted at the customer's expense, with reasonable prior notice, and shall not unreasonably interfere with the supplier's business operations. 6.15 Any revisions to this clause related to data protection will be made in compliance with the latest data protection legislation and best practices, ensuring the protection of data subjects' rights. The Customer will be notified at least 30 days in advance of any such changes, which will only be implemented with the Customer's consent if they materially alter the data protection obligations of the parties.

Appears in 1 contract

Sources: Master Service Agreement

Customer Data. 6.1 5.1 The Customer shall own all right, title and interest in and to all of the Customer Data that is not personal data and shall have sole responsibility for the legality, reliability, integrity, accuracy and quality of all such the Customer Data. 6.2 The Supplier shall follow its archiving procedures for Customer Data as set out in its Back-Up Policy. 5.2 In the event of any loss or damage to Customer Data, the Customer's sole and exclusive remedy against the Supplier shall be for the Supplier to use reasonable commercial endeavours to restore the lost or damaged Customer Data from the latest back-up of such Customer Data maintained by the Supplier in accordance with the archiving procedure described in its Back-Up PolicyESC Cloud Database. The Supplier shall not be responsible for any loss, destruction, alteration or disclosure of Customer Data caused by any third party (except those third parties sub-contracted by the Supplier to perform services related to Customer Data maintenance and back-up for which it shall remain fully liable under clause 6.9the upkeep of the ESC Cloud Database). 6.3 5.3 The Supplier shall, in providing the Services, comply with its Privacy and Security Policy privacy policy relating to the privacy and security of the Customer Data available at ▇▇▇.▇▇▇▇▇▇▇▇▇▇▇.▇▇.▇▇ on the ESC Website or such other website address as may be notified to the Customer from time to time, as such document may be amended from time to time by the Supplier in its sole discretion. 6.4 Both parties will follow all applicable requirements of 5.4 By agreeing to these Terms and Conditions the Data Protection Legislation. This clause 6 is in addition to, and does not relieve, remove or replace, a party's obligations under Customer agrees to the Data Protection LegislationSuppliers Privacy Policy. 
6.5 The parties acknowledge that: (a) if 5.5 If the Supplier processes any personal data on the Customer's ’s behalf when performing its obligations under this agreement, the parties record their intention that the Customer is shall be the data controller and the Supplier is the shall be a data processor for the purposes of the Data Protection Legislation (where Data Controller and Data Processor have the meanings as defined in the Data Protection Legislation).any such case: (b) 5.5.1 the Customer acknowledges and agrees that the personal data may be transferred or stored outside the EEA or the country where the Customer and the Authorised Users are located in order to carry out the Services and the Supplier's ’s other obligations under this agreement. If ; 5.5.2 the Customer shall ensure that the Customer is entitled to transfer the relevant personal data is transferred or stored outside the UK, appropriate safeguards in accordance with UK GDPR, such as Standard Contractual Clauses approved by the UK Information Commissioner's Office (ICO), will be implemented to ensure compliance with UK data protection laws. 
6.6 Without prejudice to the generality of clause 6.1, the Customer will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the Personal Data to the Supplier for the duration and purposes of this agreement so that the Supplier may lawfully use, process and transfer the Personal Data personal data in accordance with this agreement on the Customer's behalf.; 6.7 Without prejudice to 5.5.3 the generality of clause 6.1Customer shall ensure that the relevant third parties have been informed of, the Supplier shalland have given their consent to, in relation to any Personal Data processed in connection with the performance by the Supplier of its obligations under this agreement: (a) Process that Personal Data only on the written instructions of the Customersuch use, unless the Supplier is processing, and transfer as required by the laws of the United Kingdom, the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, or any all applicable international laws to process Personal Data (Applicable Laws). 
In instances where the Supplier's data processing activities are subject to the laws of a member of the European Union due to cross-border operations or data transfers, and where such laws necessitate processing actions divergent from the Customer's instructions, protection legislation; 5.5.4 the Supplier shall promptly notify process the Customer of this requirement before commencing the processing required by the Applicable Laws, unless prohibited by those laws from providing such notification; (b) Not transfer any Personal Data outside of the United Kingdom or to any country not deemed to have adequate data protection laws by the UK Information Commissioner's Office (ICO), unless the following conditions are fulfilled: (i) the Customer or the Supplier has provided appropriate safeguards in relation to the transfer such as Standard Contractual Clauses (SCCs) specifically adapted for the data transfer requirements under the UK GDPR, or any future UK adequacy decisions. When transferring personal data outside the UK, the Supplier will ensure the use of Standard Contractual Clauses approved by the UK Information Commissioner's Office (ICO), or ensure that the destination country has been deemed to provide an adequate level of protection for personal data by the UK government; (ii) the data subject has enforceable rights and effective legal remedies only in accordance with the UK GDPR terms of this agreement and the Data Protection Act 2018; (iii) the Supplier ensures compliance with the UK Data Protection Legislation by providing an adequate level of protection to any Personal Data transferred, including adhering to any additional requirements set forth lawful instructions reasonably given by the UK Information Commissioner's Office (ICO)Customer from time to time; and (iv) the Supplier complies with reasonable instructions notified to it in advance by the Customer with respect to the processing of the Personal Data; (c) assist the Customer, at the Customer's cost, 
in responding to any request from a Data Subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators; (d) notify the ICO within 72 hours of becoming aware of a data breach. Where the breach is likely to result in a high risk to the rights and freedoms of natural persons, notify the affected data subjects without undue delay; (e) at the written direction of the Customer, delete or return Personal Data and copies thereof to the Customer on termination of the agreement unless required by Applicable Law to store the Personal Data; and (f) maintain complete and accurate records and information to demonstrate its compliance with this clause 6. 6.8 Each 5.5.5 each party shall ensure that it has in place take appropriate technical and organisational measures to protect against unauthorised or unlawful processing of Personal Data and against accidental loss the personal data or destruction of, or damage to, Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or its accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymisation and encrypting Personal Data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it)damage. 
6.9 The Supplier will ensure that any sub-contractors appointed to process personal data on behalf of the Customer are subject to written agreements that require them to process such data only on documented instructions from the Customer and in full compliance with the requirements of the UK GDPR, particularly Article 28. The Supplier confirms that it has entered or (as the case may be) will enter with the third-party processor into a written agreement substantially on that third party's standard terms of business. As between the Customer and the Supplier, the Supplier shall remain fully liable for all acts or omissions of any third-party processor appointed by it pursuant to this clause 6. Full details of all third parties providing such services to the Supplier and who are processing Personal data under this agreement are available upon request. 6.10 The Supplier will update its Privacy Policy to reflect any changes in sub-processors or the addition of new sub-processors. It is the responsibility of the Customer to regularly review the Privacy Policy to stay informed of such changes. 6.11 The Customer acknowledges and agrees that the Supplier relies on third-party services for the hosting and processing of Customer Data pursuant to this agreement. Specifically, Amazon Web Services (AWS) is utilised as the primary infrastructure provider due to its robust data security measures and adherence to data protection legislation relevant to our operations. For comprehensive details regarding the use of AWS, including the location of data centres and the specific security and compliance measures in place, refer to Schedule 2 of this agreement. This schedule outlines how data storage and processing activities through AWS are conducted in strict conformity with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, ensuring the highest standards of data protection and security are maintained. 
6.12 The Supplier will ensure that any use of Customer Data in aggregated and anonymised form is done in a manner that fully ensures such data cannot be re-identified, adhering to the standards of anonymisation defined under the UK GDPR. 6.13 The supplier will assist the customer in ensuring compliance with the data subject rights under the Data Protection Legislation, including but not limited to rights of access, correction, deletion, and data portability. 6.14 The customer shall have the right to conduct an audit of the supplier's data processing activities related to this agreement once per year to ensure compliance with Data Protection Legislation and the terms of this agreement. Such audit shall be conducted at the customer's expense, with reasonable prior notice, and shall not unreasonably interfere with the supplier's business operations. 6.15 Any revisions to this clause related to data protection will be made in compliance with the latest data protection legislation and best practices, ensuring the protection of data subjects' rights. The Customer will be notified at least 30 days in advance of any such changes, which will only be implemented with the Customer's consent if they materially alter the data protection obligations of the parties.

Appears in 1 contract

Sources: User Account Agreement

Customer Data. 6.1 4.1 The Customer CUSTOMER shall own all rightrights, title and interest in and to all of the Customer Data that is not personal data and shall have sole responsibility for the legality, reliability, integrity, accuracy and quality of all such the Customer Data. The CUSTOMER hereby grants to the SUPPLIER an irrevocable worldwide, royalty free licence to use Customer Data for the provision of the Services and otherwise in accordance with the terms of this agreement. 6.2 4.2 The Supplier SUPPLIER shall follow its archiving procedures for Customer Data as set out in its BackInformation Governance and Data Protection Policy and Privacy Policy, each as amended from time to time. The SUPPLIER’S policy and related procedures are fully compliant with the UK’s Data Protection legislation, and if the SUPPLIER becomes aware of any non-Up Policycompliance, it agrees to inform the CUSTOMER as soon as reasonably practicable. In the event of any loss or damage to Customer Data, the CustomerCUSTOMER's sole and exclusive remedy against the Supplier shall be for the Supplier SUPPLIER to use reasonable commercial endeavours to restore the lost or damaged Customer Data from the latest back-up of such Customer Data maintained by the Supplier SUPPLIER in accordance with the archiving procedure described in its Back-Up Policy. The Supplier SUPPLIER shall not be responsible for any loss, destruction, alteration or disclosure of Customer Data caused by any third party (except those third parties sub-sub- contracted by the Supplier SUPPLIER to perform services related to Customer Data CUSTOMER maintenance and back-up for which it shall remain fully liable under clause 6.9up). 
6.3 4.3 The Supplier SUPPLIER shall, in providing the Services, comply with its Privacy Information Governance and Security Data Protection Policy relating to the privacy and security of the Customer Data available at ▇▇▇.▇▇▇▇▇▇▇▇▇▇▇.▇▇.▇▇ or such other website address as may be notified to the Customer CUSTOMER from time to time, as such document may be amended from time to time by the Supplier SUPPLIER in its sole discretion. 6.4 Both parties will follow all applicable requirements of 4.4 If the Data Protection Legislation. This clause 6 is in addition to, and does not relieve, remove or replace, a party's obligations under the Data Protection Legislation. 6.5 The parties acknowledge that: (a) if the Supplier SUPPLIER processes any personal data (as defined in the GDPR 2018) on the Customer's CUSTOMER’s behalf when performing its obligations under this agreement, agreement then the Customer is the data controller and the Supplier is the data processor for the purposes of the Data Protection Legislation (where Data Controller and Data Processor have the meanings as defined in the Data Protection Legislation). (b) the Customer acknowledges and agrees that the personal data may be transferred or stored outside the EEA or the country where the Customer and the Authorised Users are located to carry out the Services and the Supplier's other obligations under this agreement. If personal data is transferred or stored outside the UK, appropriate safeguards in accordance with UK GDPR, such as Standard Contractual Clauses approved by the UK Information Commissioner's Office (ICO), will be implemented to SUPPLIER shall ensure compliance with UK the requirements of the data protection laws. 
6.6 Without prejudice to the generality of clause 6.1legislation, the Customer will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the Personal Data to the Supplier for the duration and purposes of this agreement so that the Supplier may lawfully use, process and transfer the Personal Data in accordance with this agreement on the Customer's behalf. 6.7 Without prejudice to the generality of clause 6.1, the Supplier shall, in relation to any Personal Data processed in connection with the performance by the Supplier of its obligations under this agreement: (a) Process that Personal Data only on the written instructions of the Customer, unless the Supplier is required by the laws of the United Kingdom, the UK General Data Protection Regulation (UK Regulation (EU) 2016/679) (“GDPR), the Data Protection Act 2018 (“DPA 2018, ”) (and any statutory modification or re-enactment thereof from time to time in force) in respect of any applicable international laws to process Personal Data (Applicable Laws). 
In instances where the Supplier's personal data processing activities are subject supplied to the laws of a member SUPPLIER by the CUSTOMER: 4.5 The CUSTOMER acknowledges that the SUPPLIER may monitor the CUSTOMER’s or its sub-licencees’ use of the European Union due to cross-border operations or data transfersServices for its own purposes (including, without limitation, for purposes of monitoring levels of activity and where such laws necessitate processing actions divergent from for purposes of maintaining the Customer's instructions, the Supplier shall promptly notify the Customer of this requirement before commencing the processing required by the Applicable Laws, unless prohibited by those laws from providing such notification; (b) Not transfer any Personal Data outside functional and operational integrity of the United Kingdom or to any country not deemed to have adequate data protection Smart Phone App and for purposes of complying with applicable laws by the UK Information Commissioner's Office (ICO), unless the following conditions are fulfilled: (i) the Customer or the Supplier has provided appropriate safeguards in relation to the transfer such as Standard Contractual Clauses (SCCs) specifically adapted for the data transfer requirements under the UK GDPR, or any future UK adequacy decisions. 
When transferring personal data outside the UK, the Supplier will ensure the use of Standard Contractual Clauses approved by the UK Information Commissioner's Office (ICO), or ensure that the destination country has been deemed to provide an adequate level of protection for personal data by the UK government; (ii) the data subject has enforceable rights and effective legal remedies in accordance with the UK GDPR and the Data Protection Act 2018; (iii) the Supplier ensures compliance with the UK Data Protection Legislation by providing an adequate level of protection to any Personal Data transferred, including adhering to any additional requirements set forth by the UK Information Commissioner's Office (ICO); and (iv) the Supplier complies with reasonable instructions notified to it in advance by the Customer with respect to the processing of the Personal Data; (c) assist the Customer, at the Customer's cost, in responding to any request from a Data Subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators; (d) notify the ICO within 72 hours of becoming aware of a data breach. Where the breach is likely to result in a high risk to the rights and freedoms of natural persons, notify the affected data subjects without undue delay; (e) at the written direction of the Customer, delete or return Personal Data and copies thereof to the Customer on termination of the agreement unless required by Applicable Law to store the Personal Data; and (f) maintain complete and accurate records and information to demonstrate its compliance with this clause 6. 
6.8 Each party shall ensure that it has in place appropriate technical and organisational measures to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymisation and encrypting Personal Data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it). 6.9 The Supplier will ensure that any sub-contractors appointed to process personal data on behalf of the Customer are subject to written agreements that require them to process such data only on documented instructions from the Customer and in full compliance with the requirements of the UK GDPR, particularly Article 28. The Supplier confirms that it has entered or (as the case may be) will enter with the third-party processor into a written agreement substantially on that third party's standard terms of business. As between the Customer and the Supplier, the Supplier shall remain fully liable for all acts or omissions of any third-party processor appointed by it pursuant to this clause 6. Full details of all third parties providing such services to the Supplier and who are processing Personal data under this agreement are available upon request. 6.10 The Supplier will update its Privacy Policy to reflect any changes in sub-processors or the addition of new sub-processors. 
It is the responsibility of the Customer to regularly review the Privacy Policy to stay informed of such changes. 6.11 The Customer acknowledges and agrees that the Supplier relies on third-party services for the hosting and processing of Customer Data pursuant to this agreement. Specifically, Amazon Web Services (AWS) is utilised as the primary infrastructure provider due to its robust data security measures and adherence to data protection legislation relevant to our operations. For comprehensive details regarding the use of AWS, including the location of data centres and the specific security and compliance measures in place, refer to Schedule 2 of this agreement. This schedule outlines how data storage and processing activities through AWS are conducted in strict conformity with the UK General Data Protection Regulation (UK GDPRregulations) and the Data Protection Act 2018, ensuring the highest standards of data protection and security are maintained. 6.12 The Supplier will ensure that any SUPPLIER may use of anonymised Customer Data for commercial and/or research purposes and/or to analyse how the Services are used. For example, to assist in aggregated and anonymised form is done making statements such as (without limitation) “average users use the Software [x] times a week” or “we have [x] users in a manner that fully ensures such Devon”. The SUPPLIER will not use personally identifiable data cannot be re-identified, adhering to without the standards of anonymisation defined under the UK GDPR. 6.13 The supplier will assist the customer in ensuring compliance with the data subject rights under the Data Protection Legislation, including but not limited to rights of access, correction, deletion, and data portability. 
6.14 The customer shall have the right to conduct an audit express prior written permission of the supplier's data processing activities related to this agreement once per year to ensure compliance with Data Protection Legislation and the terms of this agreement. Such audit shall be conducted at the customers expense, with reasonable prior notice, and shall not unreasonably interfere with the supplier's business operations 6.15 Any revisions to this clause related to data protection will be made in compliance with the latest data protection legislation and best practices, ensuring the protection of data subjects' rights. The Customer will be notified at least 30 days in advance of any such changes, which will only be implemented with the Customer's consent if they materially alter the data protection obligations of the partiesCUSTOMER.

Appears in 1 contract

Sources: Organisational Licence Agreement

Customer Data. 6.1 5.1 The Customer shall own all right, title and interest in and to all of the Customer Data that is not personal data and shall have sole responsibility for the legality, reliability, integrity, accuracy and quality of all such the Customer Data. 6.2 5.2 The Supplier shall follow its archiving procedures for Customer Data as set out in its Back-Up Policythe Service Definition. In the event of any loss or damage to Customer Data, the Customer's sole and exclusive remedy against the Supplier shall be for the Supplier to use reasonable commercial endeavours to restore the lost or damaged Customer Data from the latest back-up of such Customer Data maintained by the Supplier in accordance with the archiving procedure described in its Back-Up Policythe Service Definition. The Supplier shall not be responsible for any loss, destruction, alteration or disclosure of Customer Data caused by any third party (except those third parties sub-contracted by the Supplier to perform services specifically related to Customer Data maintenance and back-up for which it shall remain fully liable under clause 6.9up). 6.3 5.3 The Supplier shall, in providing the Services, comply with its Privacy and Security Policy at Schedule 5 relating to the privacy and security of the Customer Data available at ▇▇▇.▇▇▇▇▇▇▇▇▇▇▇.▇▇.▇▇ or such other website address as may be notified to the Customer from time to timeData, as such document may be amended from time to time by the Supplier in its sole discretionagreement with the accreditor of the RMADS referred to in Schedule 5. 6.4 Both parties will follow all applicable requirements of the Data Protection Legislation. This clause 6 is in addition to, and does not relieve, remove or replace, a party's obligations under the Data Protection Legislation. 
6.5 The parties acknowledge that: (a) if 5.4 If the Supplier processes any personal data on the Customer's ’s behalf when performing its obligations under this agreement, the parties record their intention that the Customer is shall be the data controller and the Supplier is the shall be a data processor for and in any such case: (a) personal data may only be stored in the purposes UK without prejudice to the ability of the Data Protection Legislation (where Data Controller and Data Processor have the meanings as defined Authorised Users to access such data from anywhere in the Data Protection Legislation).world; (b) the Customer acknowledges and agrees shall ensure that the Customer is entitled to transfer the relevant personal data may be transferred or stored outside the EEA or the country where the Customer and the Authorised Users are located to carry out the Services and the Supplier's other obligations under this agreement. If personal data is transferred or stored outside the UK, appropriate safeguards in accordance with UK GDPR, such as Standard Contractual Clauses approved by the UK Information Commissioner's Office (ICO), will be implemented to ensure compliance with UK data protection laws. 6.6 Without prejudice to the generality of clause 6.1, the Customer will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the Personal Data to the Supplier for the duration and purposes of this agreement so that the Supplier may lawfully use, process and transfer the Personal Data personal data in accordance with this agreement on the Customer's behalf. 
6.7 Without prejudice to the generality of clause 6.1, the Supplier shall, in relation to any Personal Data processed in connection with the performance by the Supplier of its obligations under this agreement: (a) Process that Personal Data only on the written instructions of the Customer, unless the Supplier is required by the laws of the United Kingdom, the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, or any applicable international laws to process Personal Data (Applicable Laws). In instances where the Supplier's data processing activities are subject to the laws of a member of the European Union due to cross-border operations or data transfers, and where such laws necessitate processing actions divergent from the Customer's instructions, the Supplier shall promptly notify the Customer of this requirement before commencing the processing required by the Applicable Laws, unless prohibited by those laws from providing such notification; (b) Not transfer any Personal Data outside of the United Kingdom or to any country not deemed to have adequate data protection laws by the UK Information Commissioner's Office (ICO), unless the following conditions are fulfilled: (i) the Customer or the Supplier has provided appropriate safeguards in relation to the transfer such as Standard Contractual Clauses (SCCs) specifically adapted for the data transfer requirements under the UK GDPR, or any future UK adequacy decisions. 
When transferring personal data outside the UK, the Supplier will ensure the use of Standard Contractual Clauses approved by the UK Information Commissioner's Office (ICO), or ensure that the destination country has been deemed to provide an adequate level of protection for personal data by the UK government; (ii) the data subject has enforceable rights and effective legal remedies in accordance with the UK GDPR and the Data Protection Act 2018; (iii) the Supplier ensures compliance with the UK Data Protection Legislation by providing an adequate level of protection to any Personal Data transferred, including adhering to any additional requirements set forth by the UK Information Commissioner's Office (ICO); and (iv) the Supplier complies with reasonable instructions notified to it in advance by the Customer with respect to the processing of the Personal Data; (c) assist the CustomerCustomer shall ensure that the relevant third parties have been informed of, at the Customer's costand have given their consent to, in responding to any request from a Data Subject such use, processing, and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulatorstransfer as required by all applicable data protection legislation; (d) notify the ICO within 72 hours Supplier shall process the personal data only in accordance with the terms of becoming aware of a data breach. 
Where this agreement and any lawful instructions reasonably given by the breach is likely Customer from time to result in a high risk to the rights and freedoms of natural persons, notify the affected data subjects without undue delay.;time; and (e) at the written direction of the Customer, delete or return Personal Data and copies thereof to the Customer on termination of the agreement unless required by Applicable Law to store the Personal Data; and (f) maintain complete and accurate records and information to demonstrate its compliance with this clause 6. 6.8 Each each party shall ensure that it has in place take appropriate technical and organisational measures to protect against unauthorised or unlawful processing of Personal Data and against accidental loss the personal data or destruction of, or damage to, Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or its accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymisation and encr ypting Personal Data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it)damage. 6.9 The Supplier will ensure that any sub-contractors appointed to process personal data on behalf of the Customer are subject to written agreements that require them to process such data only on documented instructions from the Customer and in full compliance with the requirements of the UK GDPR, particularly Article 28. 
The Supplier confirms that it has entered or (as the case may be) will enter with the third-party processor into a written agreement substantially on that third party's standard terms of business. As between the Customer and the Supplier, the Supplier shall remain fully liable for all acts or omissions of any third-party processor appointed by it pursuant to this clause 6. Full details of all third parties providing such services to the Supplier and who are processing Personal data under this agreement are available upon request. 6.10 The Supplier will update its Privacy Policy to reflect any changes in sub-processors or the addition of new sub-processors. It is the responsibility of the Customer to regularly review the Privacy Policy to stay informed of such changes. 6.11 The Customer acknowledges and agrees that the Supplier relies on third-party services for the hosting and processing of Customer Data pursuant to this agreement. Specifically, Amazon Web Services (AWS) is utilised as the primary infrastructure provider due to its robust data security measures and adherence to data protection legislation relevant to our operations. For comprehensive details regarding the use of AWS, including the location of data centres and the specific security and compliance measures in place, refer to Schedule 2 of this agreement. This schedule outlines how data storage and processing activities through AWS are conducted in strict conformity with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, ensuring the highest standards of data protection and security are maintained. 6.12 The Supplier will ensure that any use of Customer Data in aggregated and anonymised form is done in a manner that fully ensures such data cannot be re-identified, adhering to the standards of anonymisation defined under the UK GDPR. 
6.13 The supplier will assist the customer in ensuring compliance with the data subject rights under the Data Protection Legislation, including but not limited to rights of access, correction, deletion, and data portability. 6.14 The customer shall have the right to conduct an audit of the supplier's data processing activities related to this agreement once per year to ensure compliance with Data Protection Legislation and the terms of this agreement. Such audit shall be conducted at the customer's expense, with reasonable prior notice, and shall not unreasonably interfere with the supplier's business operations. 6.15 Any revisions to this clause related to data protection will be made in compliance with the latest data protection legislation and best practices, ensuring the protection of data subjects' rights. The Customer will be notified at least 30 days in advance of any such changes, which will only be implemented with the Customer's consent if they materially alter the data protection obligations of the parties.

Appears in 1 contract

Sources: Software and Hosting Service Agreement

Customer Data. 6.1 The Customer shall own all right, title and interest in and to all of the Customer Data that is not personal data and shall have sole responsibility for the legality, reliability, integrity, accuracy and quality of all such the Customer Data. 6.2 The Supplier iplicit shall follow its archiving procedures for Customer Data as set out in its Back-Up PolicyBackup Policy (▇▇▇.▇▇▇▇▇▇▇.▇▇▇/▇▇▇▇▇) or such other website address as may be notified to the Customer from time to time, as such document may be amended by iplicit in its sole discretion from time to time. In the event of any loss or damage to Customer Data, the Customer's ’s sole and exclusive remedy against the Supplier shall be for the Supplier iplicit to use reasonable commercial endeavours to restore the lost or damaged Customer Data from the latest back-up backup of such Customer Data maintained by the Supplier iplicit in accordance with the archiving procedure described in its Back-Up Backup Policy. The Supplier iplicit shall not be responsible for any loss, destruction, alteration or disclosure of Customer Data caused by any third party (except those third parties sub-contracted by the Supplier to perform services related to Customer Data maintenance and back-up for which it shall remain fully liable under clause 6.9)party. 6.3 The Supplier iplicit shall, in providing the Services, comply with its Privacy and Security UK GDPR Policy relating to the privacy and security of the Customer Data available at ▇▇▇.▇▇▇▇▇▇▇.▇▇▇/▇▇▇▇.▇.▇▇ or such other website address as may be notified to the Customer from time to time, as such document may be amended from time to time by the Supplier iplicit in its sole discretion. 6.4 Both parties will follow all applicable requirements of the Data Protection Legislation. This clause 6 is in addition to, and does not relieve, remove or replace, a party's obligations under the Data Protection Legislation. 
6.5 The parties acknowledge that: (a) if the Supplier If iplicit processes any personal data on the Customer's ’s behalf when performing its obligations under this agreement, the parties record their intention that the Customer is shall be the data controller and the Supplier is the iplicit shall be a data processor for and in any such case: Unless agreed otherwise in writing by the purposes of the Data Protection Legislation (where Data Controller and Data Processor have the meanings as defined in the Data Protection Legislation). (b) Customer, the Customer acknowledges and agrees that the personal data may not be transferred or stored outside the EEA UK (or Ireland if Customer specifically requests in the country where the Customer and the Authorised Users are located Order Form in order to meet EU requirements) in order to carry out the Services and the Supplier's iplicit’s other obligations under this agreement. If ; the Customer shall ensure that the Customer is entitled to transfer the relevant personal data is transferred or stored outside the UK, appropriate safeguards in accordance with UK GDPR, such as Standard Contractual Clauses approved by the UK Information Commissioner's Office (ICO), will be implemented to ensure compliance with UK data protection laws. 6.6 Without prejudice to the generality of clause 6.1, the Customer will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the Personal Data to the Supplier for the duration and purposes of this agreement iplicit so that the Supplier iplicit may lawfully use, process and transfer the Personal Data personal data in accordance with this agreement on the Customer's ’s behalf. 
6.7 Without prejudice to the generality of clause 6.1, the Supplier shall, in relation to any Personal Data processed in connection with the performance by the Supplier of its obligations under this agreement: (a) Process that Personal Data only on the written instructions of the Customer, unless the Supplier is required by the laws of the United Kingdom, the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, or any applicable international laws to process Personal Data (Applicable Laws). In instances where the Supplier's data processing activities are subject to the laws of a member of the European Union due to cross-border operations or data transfers, and where such laws necessitate processing actions divergent from the Customer's instructions, the Supplier shall promptly notify ; the Customer of this requirement before commencing the processing required by the Applicable Laws, unless prohibited by those laws from providing such notification; (b) Not transfer any Personal Data outside of the United Kingdom or to any country not deemed to have adequate data protection laws by the UK Information Commissioner's Office (ICO), unless the following conditions are fulfilled: (i) the Customer or the Supplier has provided appropriate safeguards in relation to the transfer such as Standard Contractual Clauses (SCCs) specifically adapted for the data transfer requirements under the UK GDPR, or any future UK adequacy decisions. 
When transferring personal data outside the UK, the Supplier will ensure the use of Standard Contractual Clauses approved by the UK Information Commissioner's Office (ICO), or shall ensure that the destination country has relevant third parties have been deemed to provide an adequate level of informed of, and have given their consent to, such use, processing, and transfer as required by all applicable data protection for legislation; iplicit shall process the personal data by the UK government; (ii) the data subject has enforceable rights and effective legal remedies only in accordance with the UK GDPR terms of this agreement and the Data Protection Act 2018; (iii) the Supplier ensures compliance with the UK Data Protection Legislation by providing an adequate level of protection to any Personal Data transferred, including adhering to any additional requirements set forth by the UK Information Commissioner's Office (ICO); and (iv) the Supplier complies with reasonable lawful instructions notified to it in advance reasonably given by the Customer with respect from time to the processing of the Personal Data; (c) assist the Customer, at the Customer's cost, in responding to any request from a Data Subject time; and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators; (d) notify the ICO within 72 hours of becoming aware of a data breach. Where the breach is likely to result in a high risk to the rights and freedoms of natural persons, notify the affected data subjects without undue delay.; (e) at the written direction of the Customer, delete or return Personal Data and copies thereof to the Customer on termination of the agreement unless required by Applicable Law to store the Personal Data; and (f) maintain complete and accurate records and information to demonstrate its compliance with this clause 6. 
6.8 Each each party shall ensure that it has in place take appropriate technical and organisational measures to protect against unauthorised or unlawful processing of Personal Data and against accidental loss the personal data or destruction of, or damage to, Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or its accidental loss, destruction or damage and damage. iplicit may sub-contract and/or outsource any of its processing of personal data under this agreement to any other person or entity (“sub- processor”) provided that it informs the nature Customer immediately upon the Customer’s request for an updated list of sub-processors or, in any event, if requested in advance of the data next Renewal Period following the appointment of one or more additional sub-processors, less those in place at signing of this Agreement. The Customer shall not unreasonably object to be protected, having regard any new sub-processor (or any change to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymisation and encr ypting Personal Data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it). 6.9 The Supplier will ensure that any sub-contractors appointed processor). If a sub- processor is appointed, iplicit shall enter into a written sub-processing agreement with such sub- processor and shall ensure that the sub-processor shall accept data protection obligations that are substantially the same as those undertaken by iplicit under this agreement. 
iplicit shall remain liable to the Customer for any acts and omissions of the sub-processor; iplicit shall give the Customer such assistance as it reasonably requests, and iplicit is reasonably able to provide, aimed at ensuring compliance with the Customer’s own personal data protection obligations under applicable law, including (where applicable) responding to data subject requests, security, personal data breach notifications, impact assessments, supervisory authority consultation obligations. Where requests from Customer to iplicit require significant resource time to meet Customer’s requirements, iplicit will be entitled to charge for the time to meet Customer’s requests; rates to be agreed prior to undertaking the work; iplicit shall ensure that persons authorised to process personal data on behalf of the Customer customer have committed themselves to confidentiality or are under an appropriate obligation of confidentiality relating to the personal data; and iplicit shall, subject to written agreements that require them any relevant and applicable confidentiality obligation, and solely at the expense of the Customer, covering any third party costs and resource costs incurred by iplicit to process such data only on documented instructions from facilitate this request, provide the Customer with access to any Customer personal data and in full compliance with Customer information relating to the requirements performance of the UK GDPRServices and assist with such audits, particularly Article 28. The Supplier confirms that it has entered including inspections, where iplicit is contractually able to facilitate such audits and inspections, reasonably requested by (or (as the case may beon behalf of) will enter with the third- party processor into a written agreement substantially on that third party's standard terms of business. 
As between the Customer and the Supplier, the Supplier shall remain fully liable for all acts or omissions of any third-party processor appointed by it pursuant to this clause 6. Full details of all third parties providing such services to the Supplier and who are processing Personal data under this agreement are available upon request. 6.10 The Supplier will update its Privacy Policy to reflect any changes in sub-processors or the addition of new sub-processors. It is the responsibility of the Customer to regularly review undertake the Privacy Policy verification that iplicit complies with its obligations in relation to stay informed of such changes. 6.11 The Customer acknowledges and agrees that the Supplier relies on third-party services for the hosting and processing of Customer Data pursuant to this agreement. Specifically, Amazon Web Services (AWS) is utilised as the primary infrastructure provider due to its robust data security measures and adherence to data protection legislation relevant to our operations. For comprehensive details regarding the use of AWS, including the location of data centres and the specific security and compliance measures in place, refer to Schedule 2 of this agreementpersonal data. This schedule outlines how data storage and processing activities through AWS are conducted in strict conformity with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, ensuring the highest standards of data protection and security are maintained. 6.12 The Supplier will ensure that any use of Customer Data in aggregated and anonymised form is done in a manner that fully ensures such data cannot be re-identified, adhering to the standards of anonymisation defined under the UK GDPR. 6.13 The supplier will assist the customer in ensuring compliance with the data subject rights under the Data Protection Legislation, including but not limited to rights of access, correction, deletion, and data portability. 
6.14 The customer shall have the right to conduct an audit of the supplier's data processing activities related to this agreement once per year to ensure compliance with Data Protection Legislation and the terms of this agreement. Such audit shall be conducted at the customers expense, with reasonable prior notice, and shall not unreasonably interfere with the supplier's business operations 6.15 Any revisions to this clause related to data protection will request may only be made once in compliance with the latest data protection legislation and best practices, ensuring the protection of data subjects' rights. The Customer will be notified at least 30 days in advance of any such changes, which will only be implemented with the Customer's consent if they materially alter the data protection obligations of the parties12 month period.

Appears in 1 contract

Sources: Software as a Service Agreement

Customer Data. 6.1 7.1 The Customer shall own all right, title and interest in and to all of the Customer Data that is not personal data and shall have sole responsibility for the legality, reliability, integrity, accuracy and quality of all such the Customer Data. 6.2 7.2 For Service hosted on Supplier infrastructure or by Supplier Hosting Provider: 7.2.1 The Supplier shall follow its archiving procedures for will ensure that there are regular back ups of Customer Data as set out in its Back-Up PolicyData. In the event of any loss or damage to Customer DataData caused by the Supplier, the Customer's sole and exclusive remedy against the Supplier shall be for the Supplier to use reasonable commercial endeavours to restore the lost or damaged Customer Data from the latest back-back- up of such Customer Data maintained by the Supplier in accordance with the archiving procedure described in its Back-Up Policy. Supplier. 7.2.2 The Supplier shall not be responsible for any loss, destruction, alteration or disclosure of Customer Data caused by any third party (except those third parties sub-contracted by the Supplier to perform services related to Customer Data maintenance and back-up for which it shall remain fully liable under clause 6.9up). 
6.3 The Supplier shall, in providing the Services, comply with its Privacy and Security Policy relating to the privacy and security 7.2.3 If recovery of the Customer Data available at ▇▇▇.▇▇▇▇▇▇▇▇▇▇▇.▇▇.▇▇ is required as a result of an issue resulting from the Customer, the Supplier will use all reasonable endeavours to restore the lost or damaged Customer Data from the latest back-up of such other website address as may be notified to the Customer from time to time, as such document may be amended from time to time Data maintained by the Supplier in its sole discretionprovided that the Customer pays the Supplier’s reasonable additional Fees for such recovery; and for the avoidance of doubt Customer acknowledges and agrees that where the Service is hosted by Customer or Customer’s third party provider then Customer shall be responsible for ensuring that all Customer Data is appropriately backed up and the Supplier shall not be responsible for any losses arising from a failure to take appropriate back-ups or recover any Customer Data howsoever arising. 6.4 Both parties will follow all applicable requirements of the Data Protection Legislation. This clause 6 is in addition to, and does not relieve, remove or replace, a party's obligations under the Data Protection Legislation. 
6.5 The parties acknowledge that: (a) if 7.3 If the Supplier processes any personal data on the Customer's behalf when performing its obligations under this agreementContract, the parties record their intention that the Customer is shall be the data controller and the Supplier is the shall be a data processor for the purposes of the Data Protection Legislation (where Data Controller and Data Processor have the meanings as defined in the Data Protection Legislation).any such case: (b) 7.3.1 the Customer acknowledges and agrees that the personal data may be transferred or stored outside the EEA or the country where the Customer and the Authorised Users are located in order to carry out the Services and the Supplier's other obligations under this agreement. If Contract; 7.3.2 the Customer shall ensure that the Customer is entitled to transfer the relevant personal data is transferred or stored outside the UK, appropriate safeguards in accordance with UK GDPR, such as Standard Contractual Clauses approved by the UK Information Commissioner's Office (ICO), will be implemented to ensure compliance with UK data protection laws. 
6.6 Without prejudice to the generality of clause 6.1, the Customer will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the Personal Data to the Supplier for the duration and purposes of this agreement so that the Supplier may lawfully use, process and transfer the Personal Data personal data in accordance with this agreement Contract on the Customer's behalf.; 6.7 Without prejudice to 7.3.3 the generality of clause 6.1Customer shall ensure that the relevant third parties have been informed of, the Supplier shalland have given their consent to, in relation to any Personal Data processed in connection with the performance by the Supplier of its obligations under this agreement: (a) Process that Personal Data only on the written instructions of the Customersuch use, unless the Supplier is processing, and transfer as required by the laws of the United Kingdom, the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, or any all applicable international laws to process Personal Data (Applicable Laws). 
In instances where the Supplier's data processing activities are subject to the laws of a member of the European Union due to cross-border operations or data transfers, and where such laws necessitate processing actions divergent from the Customer's instructions, protection legislation; 7.3.4 the Supplier shall promptly notify process the Customer of this requirement before commencing the processing required by the Applicable Laws, unless prohibited by those laws from providing such notification; (b) Not transfer any Personal Data outside of the United Kingdom or to any country not deemed to have adequate data protection laws by the UK Information Commissioner's Office (ICO), unless the following conditions are fulfilled: (i) the Customer or the Supplier has provided appropriate safeguards in relation to the transfer such as Standard Contractual Clauses (SCCs) specifically adapted for the data transfer requirements under the UK GDPR, or any future UK adequacy decisions. When transferring personal data outside the UK, the Supplier will ensure the use of Standard Contractual Clauses approved by the UK Information Commissioner's Office (ICO), or ensure that the destination country has been deemed to provide an adequate level of protection for personal data by the UK government; (ii) the data subject has enforceable rights and effective legal remedies only in accordance with the UK GDPR terms of this Contract and the Data Protection Act 2018; (iii) the Supplier ensures compliance with the UK Data Protection Legislation by providing an adequate level of protection to any Personal Data transferred, including adhering to any additional requirements set forth lawful instructions reasonably given by the UK Information Commissioner's Office (ICO)Customer from time to time; and (iv) the Supplier complies with reasonable instructions notified to it in advance by the Customer with respect to the processing of the Personal Data; (c) assist the Customer, at the Customer's cost, 
in responding to any request from a Data Subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators; (d) notify the ICO within 72 hours of becoming aware of a data breach. Where the breach is likely to result in a high risk to the rights and freedoms of natural persons, notify the affected data subjects without undue delay; (e) at the written direction of the Customer, delete or return Personal Data and copies thereof to the Customer on termination of the agreement unless required by Applicable Law to store the Personal Data; and (f) maintain complete and accurate records and information to demonstrate its compliance with this clause 6. 6.8 Each 7.3.5 each party shall ensure that it has in place take appropriate technical and organisational measures to protect against unauthorised or unlawful processing of Personal Data and against accidental loss the personal data or destruction of, or damage to, Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or its accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymisation and encrypting Personal Data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it)damage. 
6.9 The Supplier will ensure that any sub-contractors appointed to process personal data on behalf of the Customer are subject to written agreements that require them to process such data only on documented instructions from the Customer and in full compliance with the requirements of the UK GDPR, particularly Article 28. The Supplier confirms that it has entered or (as the case may be) will enter with the third-party processor into a written agreement substantially on that third party's standard terms of business. As between the Customer and the Supplier, the Supplier shall remain fully liable for all acts or omissions of any third-party processor appointed by it pursuant to this clause 6. Full details of all third parties providing such services to the Supplier and who are processing Personal data under this agreement are available upon request. 6.10 The Supplier will update its Privacy Policy to reflect any changes in sub-processors or the addition of new sub-processors. It is the responsibility of the Customer to regularly review the Privacy Policy to stay informed of such changes. 6.11 The Customer acknowledges and agrees that the Supplier relies on third-party services for the hosting and processing of Customer Data pursuant to this agreement. Specifically, Amazon Web Services (AWS) is utilised as the primary infrastructure provider due to its robust data security measures and adherence to data protection legislation relevant to our operations. For comprehensive details regarding the use of AWS, including the location of data centres and the specific security and compliance measures in place, refer to Schedule 2 of this agreement. This schedule outlines how data storage and processing activities through AWS are conducted in strict conformity with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, ensuring the highest standards of data protection and security are maintained. 
6.12 The Supplier will ensure that any use of Customer Data in aggregated and anonymised form is done in a manner that fully ensures such data cannot be re-identified, adhering to the standards of anonymisation defined under the UK GDPR. 6.13 The supplier will assist the customer in ensuring compliance with the data subject rights under the Data Protection Legislation, including but not limited to rights of access, correction, deletion, and data portability. 6.14 The customer shall have the right to conduct an audit of the supplier's data processing activities related to this agreement once per year to ensure compliance with Data Protection Legislation and the terms of this agreement. Such audit shall be conducted at the customer's expense, with reasonable prior notice, and shall not unreasonably interfere with the supplier's business operations. 6.15 Any revisions to this clause related to data protection will be made in compliance with the latest data protection legislation and best practices, ensuring the protection of data subjects' rights. The Customer will be notified at least 30 days in advance of any such changes, which will only be implemented with the Customer's consent if they materially alter the data protection obligations of the parties.

Appears in 1 contract

Sources: Services Agreement

Customer Data. 6.1 o The Customer shall own all right, title and interest in and to all of the Customer Data that is not personal data and shall have sole responsibility for the legality, reliability, integrity, accuracy and quality of all such Customer Data. 6.2 . o The Supplier shall follow its archiving procedures for maintenance of metadata related to Customer Data as set out in its BackMetadata Maintenance Policy available at https://▇▇▇▇▇▇▇▇.▇▇/▇▇▇▇▇▇▇▇-Up Policy▇▇▇▇▇▇▇▇▇▇▇-▇▇▇▇▇▇ or such other website address as may be notified to the Customer from time to time, as such document may be amended by the Supplier in its sole discretion from time to time. In the event of any loss or damage to Customer Data, the Customer’s sole and exclusive remedy against the Supplier shall be for the Supplier to use reasonable commercial endeavours to provide the Customer with available Customer comprehensible metadata to restore the lost or damaged Customer Data from the latest back-up version of such metadata related to Customer Data maintained by the Supplier in accordance with the archiving procedure described in its Back-Up Metadata Maintenance Policy. The Supplier shall not be responsible for any loss, destruction, alteration or disclosure of Customer Data caused by any third party (except those third parties sub-contracted by the Supplier to perform services related to Customer Data maintenance and back-up for which it shall remain fully liable under clause 6.99). 6.3 . o The Supplier shall, in providing the Services, comply with its Privacy and Security Policy relating to the privacy and security of the Customer Data available at ▇▇▇.▇▇://▇▇▇▇▇▇▇▇.▇▇.▇▇ /privacy-security-policy or such other website address as may be notified to the Customer from time to time, as such document may be amended from time to time by the Supplier in its sole discretion. 6.4 . o Both parties will follow comply with all applicable requirements of the Data Protection Legislation. 
This clause 6 5 is in addition to, and does not relieve, remove or replace, a party’s obligations or rights under the Data Protection Legislation. 6.5 . o The parties acknowledge that: (a) : • if the Supplier processes any personal data on the Customer’s behalf when performing its obligations under this agreement, the Customer is the data controller and the Supplier is the data processor for the purposes of the Data Protection Legislation (where Data Controller Legislation. • Schedule 2 sets out the scope, nature and Data Processor have purpose of processing by the meanings as defined in Supplier, the Data Protection Legislation). (b) duration of the Customer acknowledges processing and agrees that the types of personal data and categories of data subject. • the personal data may be transferred or stored outside the EEA or the country where the Customer and the Authorised Users are located in order to carry out the Services and the Supplier’s other obligations under this agreement. If personal data is transferred or stored outside the UK, appropriate safeguards in accordance with UK GDPR, such as Standard Contractual Clauses approved by the UK Information Commissioner's Office (ICO), will be implemented to ensure compliance with UK data protection laws. 6.6 o Without prejudice to the generality of clause 6.14, the Customer will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the Personal Data personal data to the Supplier for the duration and purposes of this agreement so that the Supplier may lawfully use, process and transfer the Personal Data personal data in accordance with this agreement on the Customer’s behalf. 
6.7 Without prejudice to the generality of clause 6.1, the Supplier shall, in relation to any Personal Data processed in connection with the performance by the Supplier of its obligations under this agreement: (a) Process that Personal Data only on the written instructions of the Customer, unless the Supplier is required by the laws of the United Kingdom, the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, or any applicable international laws to process Personal Data (Applicable Laws). In instances where the Supplier's data processing activities are subject to the laws of a member of the European Union due to cross-border operations or data transfers, and where such laws necessitate processing actions divergent from the Customer's instructions, the Supplier shall promptly notify the Customer of this requirement before commencing the processing required by the Applicable Laws, unless prohibited by those laws from providing such notification; (b) Not transfer any Personal Data outside of the United Kingdom or to any country not deemed to have adequate data protection laws by the UK Information Commissioner's Office (ICO), unless the following conditions are fulfilled: (i) the Customer or the Supplier has provided appropriate safeguards in relation to the transfer such as Standard Contractual Clauses (SCCs) specifically adapted for the data transfer requirements under the UK GDPR, or any future UK adequacy decisions. 
When transferring personal data outside the UK, the Supplier will ensure the use of Standard Contractual Clauses approved by the UK Information Commissioner's Office (ICO), or ensure that the destination country has been deemed to provide an adequate level of protection for personal data by the UK government; (ii) the data subject has enforceable rights and effective legal remedies in accordance with the UK GDPR and the Data Protection Act 2018; (iii) the Supplier ensures compliance with the UK Data Protection Legislation by providing an adequate level of protection to any Personal Data transferred, including adhering to any additional requirements set forth by the UK Information Commissioner's Office (ICO); and (iv) the Supplier complies with reasonable instructions notified to it in advance by the Customer with respect to the processing of the Personal Data; (c) assist the Customer, at the Customer's cost, in responding to any request from a Data Subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators; (d) notify the ICO within 72 hours of becoming aware of a data breach. Where the breach is likely to result in a high risk to the rights and freedoms of natural persons, notify the affected data subjects without undue delay; (e) at the written direction of the Customer, delete or return Personal Data and copies thereof to the Customer on termination of the agreement unless required by Applicable Law to store the Personal Data; and (f) maintain complete and accurate records and information to demonstrate its compliance with this clause 6. 
6.8 Each party shall ensure that it has in place appropriate technical and organisational measures to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymisation and encrypting Personal Data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it). 6.9 The Supplier will ensure that any sub-contractors appointed to process personal data on behalf of the Customer are subject to written agreements that require them to process such data only on documented instructions from the Customer and in full compliance with the requirements of the UK GDPR, particularly Article 28. The Supplier confirms that it has entered or (as the case may be) will enter with the third-party processor into a written agreement substantially on that third party's standard terms of business. As between the Customer and the Supplier, the Supplier shall remain fully liable for all acts or omissions of any third-party processor appointed by it pursuant to this clause 6. Full details of all third parties providing such services to the Supplier and who are processing Personal data under this agreement are available upon request. 6.10 The Supplier will update its Privacy Policy to reflect any changes in sub-processors or the addition of new sub-processors. 
It is the responsibility of the Customer to regularly review the Privacy Policy to stay informed of such changes. 6.11 The Customer acknowledges and agrees that the Supplier relies on third-party services for the hosting and processing of Customer Data pursuant to this agreement. Specifically, Amazon Web Services (AWS) is utilised as the primary infrastructure provider due to its robust data security measures and adherence to data protection legislation relevant to our operations. For comprehensive details regarding the use of AWS, including the location of data centres and the specific security and compliance measures in place, refer to Schedule 2 of this agreement. This schedule outlines how data storage and processing activities through AWS are conducted in strict conformity with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, ensuring the highest standards of data protection and security are maintained. 6.12 The Supplier will ensure that any use of Customer Data in aggregated and anonymised form is done in a manner that fully ensures such data cannot be re-identified, adhering to the standards of anonymisation defined under the UK GDPR. 6.13 The supplier will assist the customer in ensuring compliance with the data subject rights under the Data Protection Legislation, including but not limited to rights of access, correction, deletion, and data portability. 6.14 The customer shall have the right to conduct an audit of the supplier's data processing activities related to this agreement once per year to ensure compliance with Data Protection Legislation and the terms of this agreement. 
Such audit shall be conducted at the customer's expense, with reasonable prior notice, and shall not unreasonably interfere with the supplier's business operations. 6.15 Any revisions to this clause related to data protection will be made in compliance with the latest data protection legislation and best practices, ensuring the protection of data subjects' rights. The Customer will be notified at least 30 days in advance of any such changes, which will only be implemented with the Customer's consent if they materially alter the data protection obligations of the parties.

Appears in 1 contract

Sources: End User License Agreement

Customer Data. 6.1 The Customer shall own all right, title and interest in and to all of the Customer Data that is not personal data and shall have sole responsibility for the legality, reliability, integrity, accuracy and quality of all such the Customer Data. 6.2 The Supplier shall follow its archiving procedures for Customer Data as set out in its Back-Up Policy. In the event of any loss or damage to Customer Data, the Customer's sole and exclusive remedy against the Supplier shall be for the Supplier to use reasonable commercial endeavours to restore the lost or damaged Customer Data from the latest back-up of such Customer Data maintained by the Supplier in accordance with the archiving procedure described in its Back-Up Policy. The Supplier shall not be responsible for any loss, destruction, alteration or disclosure of Customer Data caused by any third party (except those third parties sub-contracted by the Supplier to perform services related to Customer Data maintenance and back-up for which it shall remain fully liable under clause 6.9). 6.3 The Supplier Posturite shall, in providing the Products and Professional Services, comply with its Privacy Information Security and Security Data Protection Policy relating to the privacy and security of the Customer Data available at ▇▇▇.▇▇▇▇▇▇▇▇▇▇▇.▇▇.▇▇ or such other website address as may be notified to [the Customer from time to timeCustomer’s request], as such document may be amended from time to time by the Supplier Posturite in its sole discretion. 6.4 Both 6.3 The parties will follow all applicable requirements agree that, in respect of the Customer Data, the Customer shall be the Data Controller and Posturite shall be a Data Processor and shall process the Customer Data in compliance with the obligations of Data Processors under Data Protection Legislation. This clause 6 is Laws. 
6.4 The Customer warrants, represents and undertakes, that: 6.4.1 all data sourced by the Customer shall comply in addition all respects, including in terms of its collection, storage and processing (which shall include the Customer providing all of the required fair processing information to, and does not relieveobtaining all necessary consents from, remove or replaceData Subjects), a party's obligations under the with Data Protection LegislationLaws; and 6.4.2 all instructions given by it to Posturite in respect of Personal Data shall at all times be in accordance with Data Protection Laws. 6.5 Posturite, as Data Processor, shall: 6.5.1 inform the Customer if Posturite becomes aware of any instruction that, in the Posturite’s opinion, infringes Data Protection Laws, provided that to the maximum extent permitted by mandatory law, Posturite shall have no liability howsoever arising (whether in contract, tort (including negligence) or otherwise) for any losses, costs, expenses or liabilities arising from or in connection with any processing in accordance with the Customer's Processing Instructions following the Customer's receipt of that information. 
6.5.2 implement and maintain at its own cost and expense, technical and organisational measures, taking into account the nature of the processing, to assist the Customer insofar as is possible in the fulfilment of the Customer’s obligations to respond to Data Subject Requests relating to Customer Data; 6.5.3 refer all Data Subject Requests it receives to the Customer within five Business Days of receipt of the request; 6.5.4 maintain, in accordance with Data Protection Laws binding on Posturite, written records of all categories of processing activities carried out on behalf of the Customer; 6.5.5 subject to condition 6.6.1, ensure that all persons authorised by Posturite to process Customer Data are subject to a binding written contractual obligation to keep the Customer Data confidential (except where disclosure is required in accordance with Applicable Law, in which case Posturite shall, where practicable and not prohibited by Applicable Law, notify the Customer of any such requirement before such disclosure); 6.5.6 ensure that each Authorised Sub-Processor shall to the extent applicable, be subject to conditions substantially no less onerous to those conditions contained within this condition 6; in accordance with Data Protection Laws, make available to the Customer such information as is reasonably necessary to demonstrate Posturite’s compliance with the obligations of Data Processors under Data Protection Laws, and allow for and contribute to audits, including inspections, by the Customer (or another auditor mandated by the Customer) for this purpose, subject to the Customer giving Posturite reasonable prior notice of such information request; 6.5.7 notify the Customer (for which email shall suffice) if Posturite adds or removes any Authorised Sub- Processors at least ten (10) days prior to any such change. 
The Customer acknowledges and agrees that Posturite may object in writing to an appointment of a new Authorised Sub-Processor within five (5) calendar days of such notice. In such event, the parties acknowledge thatshall discuss such concerns in good faith with a view to achieving resolution. If this is not possible, the Customer may suspend or terminate the Contract (without prejudice to any fees incurred by the Customer prior to suspension or termination); 6.5.8 in respect of any Personal Data Breach, Posturite shall, without undue delay: (a) if the Supplier processes any personal data on the Customer's behalf when performing its obligations under this agreement, notify the Customer is the data controller and the Supplier is the data processor for the purposes of the any Customer Data Protection Legislation (where Data Controller and Data Processor have the meanings as defined in the Data Protection Legislation).Breach; and (b) provide the Customer acknowledges with details of the Customer Data Breach; and 6.5.9 Posturite shall either delete or return all the Customer Data to the Customer in such form as the Customer reasonably requests within a reasonable time once processing by Posturite of any Customer Data is no longer required for the purpose of Posturite’s performance of its relevant obligations under the Contract. 6.6 The processing of Personal Data by Posturite to be carried out in accordance with the change control procedure in condition 5.9 and agrees shall comprise the information contained in the Contract Particulars, and may be updated from time to time in accordance with any change control procedure in condition 5.9. 
6.7 Posturite shall not: 6.7.1 With the exception of the Authorised Sub-Processors, engage any other party (a ‘Sub-Processor’) for carrying out any processing activities in respect of the Customer Data without the Customer’s written authorisation authorising the appointment of that the specific Sub-Processor; or 6.7.2 transfer or store any personal data may be transferred or stored outside the EEA or the country where the Customer and the Authorised Licensed Users are located in order to carry out the Products and Professional Services and the Supplier's Posturite’s other obligations under this agreement. If the Contract. 6.8 The Customer shall ensure that the Customer is entitled to transfer the relevant personal data is transferred or stored outside the UK, appropriate safeguards in accordance with UK GDPR, such as Standard Contractual Clauses approved by the UK Information Commissioner's Office (ICO), will be implemented to ensure compliance with UK data protection laws. 6.6 Without prejudice to the generality of clause 6.1, the Customer will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the Personal Data to the Supplier for the duration and purposes of this agreement Posturite so that the Supplier Posturite may lawfully use, process and transfer the Personal Data personal data in accordance with this agreement the Contract on the Customer's behalf. 6.7 Without prejudice to the generality of clause 6.1, the Supplier shall, in relation to any Personal Data processed in connection with the performance by the Supplier of its obligations under this agreement: (a) Process that Personal Data only on the written instructions of the Customer, unless the Supplier is required by the laws of the United Kingdom, the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, or any applicable international laws to process Personal Data (Applicable Laws). 
In instances where the Supplier's data processing activities are subject to the laws of a member of the European Union due to cross-border operations or data transfers, and where such laws necessitate processing actions divergent from the Customer's instructions, the Supplier 6.9 The Customer shall promptly notify the Customer of this requirement before commencing the processing required by the Applicable Laws, unless prohibited by those laws from providing such notification; (b) Not transfer any Personal Data outside of the United Kingdom or to any country not deemed to have adequate data protection laws by the UK Information Commissioner's Office (ICO), unless the following conditions are fulfilled: (i) the Customer or the Supplier has provided appropriate safeguards in relation to the transfer such as Standard Contractual Clauses (SCCs) specifically adapted for the data transfer requirements under the UK GDPR, or any future UK adequacy decisions. When transferring personal data outside the UK, the Supplier will ensure the use of Standard Contractual Clauses approved by the UK Information Commissioner's Office (ICO), or ensure that the destination country has relevant third parties have been deemed to provide an adequate level of protection for personal data informed of, and have given their consent to, such use, processing, and transfer as required by the UK government; (ii) the data subject has enforceable rights and effective legal remedies in accordance with the UK GDPR and the all applicable Data Protection Act 2018; (iii) the Supplier ensures compliance with the UK Data Protection Legislation by providing an adequate level of protection to any Personal Data transferred, including adhering to any additional requirements set forth by the UK Information Commissioner's Office (ICO); and (iv) the Supplier complies with reasonable instructions notified to it in advance by the Customer with respect to the processing of the Personal Data; (c) assist the Customer, 
at the Customer's cost, in responding to any request from a Data Subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators; (d) notify the ICO within 72 hours of becoming aware of a data breach. Where the breach is likely to result in a high risk to the rights and freedoms of natural persons, notify the affected data subjects without undue delay; (e) at the written direction of the Customer, delete or return Personal Data and copies thereof to the Customer on termination of the agreement unless required by Applicable Law to store the Personal Data; and (f) maintain complete and accurate records and information to demonstrate its compliance with this clause 6Laws. 6.8 6.10 Each party shall ensure that it has in place take appropriate technical and organisational measures to protect against unauthorised or unlawful processing of Personal Customer Data and against accidental loss or destruction of, any personal data or damage to, Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or its accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymisation and encrypting Personal Data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it)damage. 
6.9 The Supplier will ensure that any sub-contractors appointed to process personal data on behalf of the Customer are subject to written agreements that require them to process such data only on documented instructions from the Customer and in full compliance with the requirements of the UK GDPR, particularly Article 28. The Supplier confirms that it has entered or (as the case may be) will enter with the third-party processor into a written agreement substantially on that third party's standard terms of business. As between the Customer and the Supplier, the Supplier shall remain fully liable for all acts or omissions of any third-party processor appointed by it pursuant to this clause 6. Full details of all third parties providing such services to the Supplier and who are processing Personal data under this agreement are available upon request. 6.10 The Supplier will update its Privacy Policy to reflect any changes in sub-processors or the addition of new sub-processors. It is the responsibility of the Customer to regularly review the Privacy Policy to stay informed of such changes. 6.11 The Customer acknowledges and agrees that the Supplier relies on third-party services for the hosting and processing of Customer Data pursuant to this agreement. Specifically, Amazon Web Services (AWS) is utilised as the primary infrastructure provider due to its robust data security measures and adherence to data protection legislation relevant to our operations. For comprehensive details regarding the use of AWS, including the location of data centres and the specific security and compliance measures in place, refer to Schedule 2 of this agreement. This schedule outlines how data storage and processing activities through AWS are conducted in strict conformity with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, ensuring the highest standards of data protection and security are maintained.
6.12 The Supplier will ensure that any use of Customer Data in aggregated and anonymised form is done in a manner that fully ensures such data cannot be re-identified, adhering to the standards of anonymisation defined under the UK GDPR. 6.13 The supplier will assist the customer in ensuring compliance with the data subject rights under the Data Protection Legislation, including but not limited to rights of access, correction, deletion, and data portability. 6.14 The customer shall have the right to conduct an audit of the supplier's data processing activities related to this agreement once per year to ensure compliance with Data Protection Legislation and the terms of this agreement. Such audit shall be conducted at the customer's expense, with reasonable prior notice, and shall not unreasonably interfere with the supplier's business operations. 6.15 Any revisions to this clause related to data protection will be made in compliance with the latest data protection legislation and best practices, ensuring the protection of data subjects' rights. The Customer will be notified at least 30 days in advance of any such changes, which will only be implemented with the Customer's consent if they materially alter the data protection obligations of the parties.

Appears in 1 contract

Sources: Contract for Provision and Use of E Learning Product

Customer Data. 6.1 5.1. The Customer shall own all right, title and interest in and to all of the Customer Data that is not personal data and shall have sole responsibility for the legality, reliability, integrity, accuracy and quality of all such Customer Data. 6.2 5.2. The Supplier shall follow its archiving procedures for maintenance of metadata related to Customer Data as set out in its BackPrivacy and Security Policy available at ▇▇▇▇▇://▇▇▇▇▇▇▇▇.▇▇/privacy- security-Up Policypolicy or such other website address as may be notified to the Customer from time to time, as such document may be amended by the Supplier in its sole discretion from time to time. In the event of any loss or damage to Customer Data, the Customer's sole and exclusive remedy against the Supplier shall be for the Supplier to use reasonable commercial endeavours endeavors to provide the Customer with available Customer comprehensible metadata to restore the lost or damaged Customer Data from the latest back-up version of such metadata related to Customer Data maintained by the Supplier in accordance with the archiving procedure described in its Back-Up Metadata Maintenance Policy. The Supplier shall not be responsible for any loss, destruction, alteration or disclosure of Customer Data caused by any third party (except those third parties sub-contracted by the Supplier to perform services related to Customer Data maintenance and back-up for which it shall remain fully liable under clause 6.95.9). 6.3 5.3. The Supplier shall, in providing the Services, comply with its Privacy and Security Policy relating to the privacy and security of the Customer Data available at ▇▇▇.▇▇://▇▇▇▇▇▇▇▇.▇▇.▇▇ /privacy-security-policy or such other website address as may be notified to the Customer from time to time, as such document may be amended from time to time by the Supplier in its sole discretion. 6.4 5.4. Both parties will follow comply with all applicable requirements of the Data Protection Legislation. 
This clause 6 5 is in addition to, and does not relieve, remove or replace, a party's obligations or rights under the Data Protection Legislation. 6.5 5.5. The parties acknowledge that: (a) if the Supplier processes any personal data on the Customer's behalf when performing its obligations under this agreement, the Customer is the data controller and the Supplier is the data processor for the purposes of the Data Protection Legislation (where Data Controller and Data Processor have the meanings as defined in the Data Protection Legislation). (b) Schedule 2 sets out the Customer acknowledges scope, nature and agrees that purpose of processing by the Supplier, the duration of the processing and the types of personal data and categories of data subject. (c) the personal data may be transferred or stored outside the EEA or the country where the Customer and the Authorised Authorized Users are located in order to carry out the Services and the Supplier's other obligations under this agreement. If personal data is transferred or stored outside the UK, appropriate safeguards in accordance with UK GDPR, such as Standard Contractual Clauses approved by the UK Information Commissioner's Office (ICO), will be implemented to ensure compliance with UK data protection laws. 6.6 5.6. Without prejudice to the generality of clause 6.15.4, the Customer will ensure that it has all necessary and appropriate consents and notices in place to enable lawful transfer of the Personal Data personal data to the Supplier for the duration and purposes of this agreement so that the Supplier may lawfully use, process and transfer the Personal Data personal data in accordance with this agreement on the Customer's behalf. 6.7 5.7. 
Without prejudice to the generality of clause 6.15.4, the Supplier shall, in relation to any Personal Data personal data processed in connection with the performance by the Supplier of its obligations under this agreement: (a) Process process that Personal Data personal data only on the documented written instructions of the Customer, Customer unless the Supplier is required by the laws of any member of the United Kingdom, European Union or by the laws of the European Union applicable to the Supplier and/or Domestic UK Law (where Domestic UK Law means the UK General Data Protection Regulation (UK GDPR), Legislation and any other law that applies in the Data Protection Act 2018, or any applicable international laws UK) to process Personal Data personal data (Applicable Laws). In instances where Where the Supplier's data Supplier is relying on Applicable Laws as the basis for processing activities are subject to the laws of a member of the European Union due to cross-border operations or data transfers, and where such laws necessitate processing actions divergent from the Customer's instructionspersonal data, the Supplier shall promptly notify the Customer of this requirement before commencing performing the processing required by the Applicable Laws, Laws unless prohibited by those laws Applicable Laws prohibit the Supplier from providing such notificationso notifying the Customer; (b) Not not transfer any Personal Data personal data outside of the European Economic Area and the United Kingdom or to any country not deemed to have adequate data protection laws by the UK Information Commissioner's Office (ICO), unless the following conditions are fulfilled: (i) the Customer or the Supplier has provided appropriate safeguards in relation to the transfer such as Standard Contractual Clauses (SCCs) specifically adapted for the data transfer requirements under the UK GDPR, or any future UK adequacy decisions. 
When transferring personal data outside the UK, the Supplier will ensure the use of Standard Contractual Clauses approved by the UK Information Commissioner's Office (ICO), or ensure that the destination country has been deemed to provide an adequate level of protection for personal data by the UK governmenttransfer; (ii) the data subject has enforceable rights and effective legal remedies in accordance with the UK GDPR and the Data Protection Act 2018remedies; (iii) the Supplier ensures compliance complies with its obligations under the UK Data Protection Legislation by providing an adequate level of protection to any Personal Data personal data that is transferred, including adhering to any additional requirements set forth by the UK Information Commissioner's Office (ICO); and (iv) the Supplier complies with reasonable instructions notified to it in advance by the Customer with respect to the processing of the Personal Datapersonal data; (c) assist the Customer, at the Customer's cost, in responding to any request from a Data Subject data subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators; (d) notify the ICO within 72 hours of Customer without undue delay on becoming aware of a personal data breach. 
Where the breach is likely to result in a high risk to the rights and freedoms of natural persons, notify the affected data subjects without undue delay.; (e) at the written direction of the Customerin accordance with clause 14.1 (b), delete or return Personal Data and copies thereof to the Customer personal data on termination of the agreement unless required by Applicable Law to store the Personal Datapersonal data (and for these purposes the term "delete" shall mean to put such data beyond use); and (f) maintain complete and accurate records and information to demonstrate its compliance with this clause 65 and immediately inform the Customer if, in the opinion of the Supplier, an instruction infringes the Data Protection Legislation. 6.8 5.8. Each party shall ensure that it has in place appropriate technical and organisational organizational measures to protect against unauthorised unauthorized or unlawful processing of Personal Data personal data and against accidental loss or destruction of, or damage to, Personal Datapersonal data, appropriate to the harm that might result from the unauthorised unauthorized or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymisation pseudonymising and encr ypting Personal Dataencrypting personal data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to Personal Data personal data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational organizational measures adopted by it). 
6.9 The Supplier will ensure that any sub-contractors appointed to process personal data on behalf of the Customer are subject to written agreements that require them to process such data only on documented instructions from the Customer and in full compliance with the requirements of the UK GDPR, particularly Article 285.9. The Supplier confirms that it has entered or (as the case may be) will enter with the third- party processor into a written agreement substantially on that third party's standard terms of business. As between the Customer and the Supplier, the Supplier shall remain fully liable for all acts or omissions of any third-party processor appointed by it pursuant to this clause 6. Full details of all third parties providing such services consents to the Supplier and who are processing Personal data under this agreement are available upon request. 6.10 The Supplier will update appointing or otherwise hosting its Privacy Policy to reflect any changes in sub-processors or the addition of new sub-processors. It is the responsibility of the Customer to regularly review the Privacy Policy to stay informed of such changes. 6.11 The Customer acknowledges and agrees that the Supplier relies on third-party services for the hosting and processing of Customer Data pursuant to this agreement. Specifically, Amazon Web Services (AWS) is utilised as the primary infrastructure provider due to its robust data security measures and adherence to data protection legislation relevant to our operations. For comprehensive details regarding the use of AWS, including the location of data centres and the specific security and compliance measures in place, refer to Schedule 2 of this agreement. This schedule outlines how data storage and processing activities through AWS are conducted in strict conformity with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, ensuring the highest standards of data protection and security are maintained. 
6.12 The Supplier will ensure that any use of Customer Data in aggregated and anonymised form is done in a manner that fully ensures such data cannot be re-identified, adhering to the standards of anonymisation defined under the UK GDPR. 6.13 The supplier will assist the customer in ensuring compliance with the data subject rights under the Data Protection Legislation, including but not limited to rights of access, correction, deletion, and data portability. 6.14 The customer shall have the right to conduct an audit of the supplier's data processing activities related to this agreement once per year to ensure compliance with Data Protection Legislation and the terms of this agreement. Such audit shall be conducted at the customer's expense, with reasonable prior notice, and shall not unreasonably interfere with the supplier's business operations. 6.15 Any revisions to this clause related to data protection will be made in compliance with the latest data protection legislation and best practices, ensuring the protection of data subjects' rights. The Customer will be notified at least 30 days in advance of any such changes, which will only be implemented with the Customer's consent if they materially alter the data protection obligations of the parties.Software with

Appears in 1 contract

Sources: Software License Agreement

Customer Data. 6.1 5.1 The Customer shall own all right, title and interest in and to all of the Customer Data that is not personal data and shall have sole responsibility for the legality, reliability, integrity, accuracy and quality of all such Customer Data. 6.2 The Supplier 5.2 MY DIGITAL shall follow its archiving procedures for Customer Data as set out in its Back-Up Policy, as such document may be amended by MY DIGITAL in its sole discretion from time to time. In the event of any loss or damage to Customer Data, the Customer's sole and exclusive remedy against the Supplier MY DIGITAL shall be for the Supplier MY DIGITAL to use reasonable commercial endeavours to restore the lost or damaged Customer Data from the latest back-up of such Customer Data maintained by the Supplier MY DIGITAL in accordance with the archiving procedure described in its Back-Up Policy. The Supplier MY DIGITAL shall not be responsible for any loss, destruction, alteration or disclosure of Customer Data caused by any third party (except those third parties sub-contracted by the Supplier MY DIGITAL to perform services related to Customer Data maintenance and back-up for which it shall remain fully liable under clause 6.95.10). The Customer shall ensure that each of its Authorised Users is aware of the Back Up Policy and MY DIGITAL’s obligations with regard to the restoration of Customer Data. 6.3 5.3 The Supplier Privacy Policy is incorporated into this contract by reference and applies to the Subscription Services. The Customer acknowledges and agrees that Customer Data shall be collected and used by MY DIGITAL in accordance with the Privacy Policy and shall ensure that each Authorised User is aware of the Privacy Policy and provides its prior written consent to the Customer which shall confirm that each Contractor User and End Client User has seen and agrees to that party’s personal data being used by MY DIGITAL in accordance with the Privacy Policy. 
MY DIGITAL shall, in providing the Services, comply with its Privacy and Security Policy relating to the privacy and security of the Customer Data available at ▇▇▇.▇▇▇▇▇▇▇▇▇▇▇.▇▇.▇▇ or such other website address as may be notified to the Customer from time to time, as such document may be amended from time to time by the Supplier in its sole discretionData. 6.4 5.4 Both parties will follow comply with all applicable requirements of the Data Protection Legislation. This clause 6 5 is in addition to, and does not relieve, remove or replace, a party's obligations or rights under the Data Protection Legislation. 6.5 5.5 The Customer shall not disclose (and shall not permit any data subject to disclose), any sensitive personal data/special categories of personal data to MY DIGITAL for processing. 5.6 The parties acknowledge that: (a) if the Supplier that where MY DIGITAL processes any personal data as described in this contract on the Customer's ’s behalf when performing its obligations under this agreementcontract, and for the purposes of this Contract, the Customer is the data controller and the Supplier MY DIGITAL is the data processor for the purposes of the Data Protection Legislation (where Data Controller and Data Processor have the meanings as defined in the Data Protection Legislation). (b) the Customer acknowledges and agrees that the personal data may be transferred or stored outside the EEA or the country where the Customer and the Authorised Users are located to carry out the Services and the Supplier's other obligations under this agreement. If personal data is transferred or stored outside the UK, appropriate safeguards in accordance with UK GDPR, such as Standard Contractual Clauses approved by the UK Information Commissioner's Office (ICO), will be implemented to ensure compliance with UK data protection laws. 
6.6 5.7 Without prejudice to the generality of clause 6.15.4, the Customer will ensure that it has all necessary appropriate consents and notices in place to enable the lawful transfer of the Personal Data personal data to the Supplier MY DIGITAL for the duration and purposes of this agreement contract so that the Supplier MY DIGITAL may lawfully use, process and transfer the Personal Data personal data in accordance with this agreement contract on the Customer's behalf. 6.7 5.8 Without prejudice to the generality of clause 6.15.4, the Supplier MY DIGITAL shall, in relation to any Personal Data personal data processed in connection with the performance by the Supplier MY DIGITAL of its obligations under this agreementcontract: (a) Process process that Personal Data personal data only on the documented written instructions of the Customer, Customer unless the Supplier MY DIGITAL is required by the laws of any member of the United Kingdom, European Union or by the laws of the European Union applicable to MY DIGITAL and/or Domestic UK Law (where Domestic UK Law means the UK General Data Protection Regulation (UK GDPR), Legislation and any other law that applies in the Data Protection Act 2018, or any applicable international laws UK) to process Personal Data personal data (Applicable Laws). 
In instances where Where MY DIGITAL is relying on Applicable Laws as the Supplier's data basis for processing activities are subject to the laws of a member of the European Union due to cross-border operations or data transferspersonal data, and where such laws necessitate processing actions divergent from the Customer's instructions, the Supplier MY DIGITAL shall promptly notify the Customer of this requirement before commencing performing the processing required by the Applicable Laws, Laws unless prohibited by those laws Applicable Laws prohibit MY DIGITAL from providing such notificationso notifying the Customer; (b) Not not transfer any Personal Data personal data outside of the European Economic Area and the United Kingdom or to any country not deemed to have adequate data protection laws by the UK Information Commissioner's Office (ICO), unless the following conditions are fulfilled: (i) the Customer or the Supplier MY DIGITAL has provided appropriate safeguards in relation to the transfer such as Standard Contractual Clauses (SCCs) specifically adapted for the data transfer requirements under the UK GDPR, or any future UK adequacy decisions. 
When transferring personal data outside the UK, the Supplier will ensure the use of Standard Contractual Clauses approved by the UK Information Commissioner's Office (ICO), or ensure that the destination country has been deemed to provide an adequate level of protection for personal data by the UK governmenttransfer; (ii) the data subject has enforceable rights and effective legal remedies in accordance with the UK GDPR and the Data Protection Act 2018remedies; (iii) MY DIGITAL complies with its obligations under the Supplier ensures compliance with the UK Data Protection Legislation by providing an adequate level of protection to any Personal Data personal data that is transferred, including adhering to any additional requirements set forth by the UK Information Commissioner's Office (ICO); and (iv) the Supplier MY DIGITAL complies with reasonable instructions notified to it in advance by the Customer with respect to the processing of the Personal Datapersonal data; (c) assist the Customer, at the Customer's cost, in responding to any request from a Data Subject data subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators; (d) notify the ICO within 72 hours of Customer without undue delay on becoming aware of a personal data breach. 
Where the breach is likely to result in a high risk to the rights and freedoms of natural persons, notify the affected data subjects without undue delay.; (e) at the written direction of the Customer, delete or return Personal Data personal data and copies thereof to the Customer on termination of the agreement this contract unless required by Applicable Law to store the Personal Datapersonal data; and (f) maintain complete and accurate records and information to demonstrate its compliance with this clause 65 and immediately inform the Company if, in the opinion of the MY DIGITAL, an instruction infringes the Data Protection Legislation. 6.8 5.9 Each party shall ensure that it has in place appropriate technical and organisational measures measures, reviewed and approved by the other party, to protect against unauthorised or unlawful processing of Personal Data personal data and against accidental loss or destruction of, or damage to, Personal Datapersonal data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymisation pseudonymising and encr ypting Personal Dataencrypting personal data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to Personal Data personal data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it). 
6.9 5.10 The Supplier will ensure that any subCustomer consents to MY DIGITAL appointing AWS Europe as a third-contractors appointed to process party processor of personal data on behalf of the Customer are subject to written agreements that require them to process such data only on documented instructions from the Customer and in full compliance with the requirements of the UK GDPR, particularly Article 28under this contract. The Supplier MY DIGITAL confirms that it has entered or (as the case may be) will enter with the third- third-party processor into a written agreement substantially on that third party's standard terms of businessbusiness and which reflect the requirements of the Data Protection Legislation. As between the Customer and the SupplierMY DIGITAL, the Supplier MY DIGITAL shall remain fully liable for all acts or omissions of any third-third- party processor appointed by it pursuant to this clause 6. Full details of all third parties providing such services to the Supplier and who are processing Personal data under this agreement are available upon request5. 6.10 The Supplier will update its Privacy Policy to reflect any changes in sub-processors or the addition of new sub-processors. It is the responsibility of the Customer to regularly review the Privacy Policy to stay informed of such changes. 6.11 5.11 The Customer acknowledges and agrees that internet transmissions are never completely private or secure and that any message or information which is sent or received using the Supplier relies on third-party services for the hosting and processing of Customer Data pursuant to this agreement. SpecificallyServices may be read or intercepted by others, Amazon Web Services (AWS) even if a particular transmission is utilised as the primary infrastructure provider due to its robust data security measures and adherence to data protection legislation relevant to our operations. 
For comprehensive details regarding the use of AWS, including the location of data centres and the specific security and compliance measures in place, refer to Schedule 2 of this agreement. This schedule outlines how data storage and processing activities through AWS are conducted in strict conformity with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, ensuring the highest standards of data protection and security are maintainedencrypted. 6.12 5.12 The Supplier will ensure Customer consents (on behalf of itself and each Authorised User) to MY DIGITAL collecting and using technical information about the devices and related software, hardware and peripherals for services that are internet or wireless based to improve its products and to provide any use of Customer Data in aggregated and anonymised form is done in a manner that fully ensures such data cannot be re-identified, adhering Services to the standards of anonymisation defined under the UK GDPRCustomer. 6.13 The supplier will assist the customer in ensuring compliance with the data subject rights under the Data Protection Legislation, including but not limited to rights of access, correction, deletion, and data portability. 6.14 The customer shall have the right to conduct an audit of the supplier's data processing activities related to this agreement once per year to ensure compliance with Data Protection Legislation and the terms of this agreement. Such audit shall be conducted at the customers expense, with reasonable prior notice, and shall not unreasonably interfere with the supplier's business operations 6.15 Any revisions to this clause related to data protection will be made in compliance with the latest data protection legislation and best practices, ensuring the protection of data subjects' rights. 
The Customer will be notified at least 30 days in advance of any such changes, which will only be implemented with the Customer's consent if they materially alter the data protection obligations of the parties.

Appears in 1 contract

Sources: Account Creation and Implementation Agreement

Customer Data. 6.1 4.1 The Customer shall own all right, title and interest in and to all of the Customer Data that is not personal data and shall have sole responsibility for the legality, reliability, integrity, accuracy and quality of all such the Customer Data. 6.2 4.2 The Supplier shall follow its archiving procedures for Customer Data as set out in its Back-Up PolicyPolicy available on request in writing as such document may be amended by the Supplier in its sole discretion from time to time. In the event of any loss or damage to Customer Data, the Customer's sole and exclusive remedy against the Supplier shall be for the Supplier to use reasonable commercial endeavours to restore the lost or damaged Customer Data from the latest back-up of such Customer Data maintained by the Supplier in accordance with the archiving procedure described in its Back-Up Policy. The Supplier shall not be responsible for any loss, destruction, alteration or disclosure of Customer Data caused by any third party (except those third parties sub-contracted by the Supplier to perform services related to Customer Data maintenance and back-up for which it shall remain fully liable under clause 6.9back- up). 6.3 4.3 The Supplier shall, in providing the Services, comply with its Privacy and Security Policy relating to the privacy and security of the Customer Data available at ▇▇▇.▇://▇▇▇.▇▇▇▇▇▇▇▇.▇▇.▇▇ or such other website address as may be notified to the Customer from time to time, as such document may be amended from time to time by the Supplier in its sole discretion. 6.4 Both parties will follow all applicable requirements of the Data Protection Legislation. This clause 6 is in addition to, and does not relieve, remove or replace, a party's obligations under the Data Protection Legislation. 
6.5 The parties acknowledge that: (a) if 4.4 If the Supplier processes any personal data on the Customer's behalf when performing its obligations under this agreement, the parties record their intention that the Customer is shall be the data controller and the Supplier is the shall be a data processor for the purposes of the Data Protection Legislation (where Data Controller and Data Processor have the meanings as defined in the Data Protection Legislation).any such case: (ba) the Customer acknowledges and agrees that the personal data may be transferred or stored outside the EEA or the country where the Customer and the Authorised Users are located in order to carry out the Services and the Supplier's other obligations under this agreement. If ; (b) the Customer shall ensure that the Customer is entitled to transfer the relevant personal data is transferred or stored outside the UK, appropriate safeguards in accordance with UK GDPR, such as Standard Contractual Clauses approved by the UK Information Commissioner's Office (ICO), will be implemented to ensure compliance with UK data protection laws. 6.6 Without prejudice to the generality of clause 6.1, the Customer will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the Personal Data to the Supplier for the duration and purposes of this agreement so that the Supplier may lawfully use, process and transfer the Personal Data personal data in accordance with this agreement on the Customer's behalf. 
6.7 Without prejudice to the generality of clause 6.1, the Supplier shall, in relation to any Personal Data processed in connection with the performance by the Supplier of its obligations under this agreement: (a) Process that Personal Data only on the written instructions of the Customer, unless the Supplier is required by the laws of the United Kingdom, the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, or any applicable international laws to process Personal Data (Applicable Laws). In instances where the Supplier's data processing activities are subject to the laws of a member of the European Union due to cross-border operations or data transfers, and where such laws necessitate processing actions divergent from the Customer's instructions, the Supplier shall promptly notify the Customer of this requirement before commencing the processing required by the Applicable Laws, unless prohibited by those laws from providing such notification; (b) Not transfer any Personal Data outside of the United Kingdom or to any country not deemed to have adequate data protection laws by the UK Information Commissioner's Office (ICO), unless the following conditions are fulfilled: (i) the Customer or the Supplier has provided appropriate safeguards in relation to the transfer such as Standard Contractual Clauses (SCCs) specifically adapted for the data transfer requirements under the UK GDPR, or any future UK adequacy decisions. 
When transferring personal data outside the UK, the Supplier will ensure the use of Standard Contractual Clauses approved by the UK Information Commissioner's Office (ICO), or ensure that the destination country has been deemed to provide an adequate level of protection for personal data by the UK government; (ii) the data subject has enforceable rights and effective legal remedies in accordance with the UK GDPR and the Data Protection Act 2018; (iii) the Supplier ensures compliance with the UK Data Protection Legislation by providing an adequate level of protection to any Personal Data transferred, including adhering to any additional requirements set forth by the UK Information Commissioner's Office (ICO); and (iv) the Supplier complies with reasonable instructions notified to it in advance by the Customer with respect to the processing of the Personal Data; (c) assist the CustomerCustomer shall ensure that the relevant third parties have been informed of, at the Customer's costand have given their consent to, in responding to any request from a Data Subject such use, processing, and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulatorstransfer as required by all applicable data protection legislation; (d) notify the ICO within 72 hours Supplier shall process the personal data only in accordance with the terms of becoming aware of a data breach. 
Where this agreement and any lawful instructions reasonably given by the breach is likely Customer from time to result in a high risk to the rights and freedoms of natural persons, notify the affected data subjects without undue delay.;time; and (e) at the written direction of the Customer, delete or return Personal Data and copies thereof to the Customer on termination of the agreement unless required by Applicable Law to store the Personal Data; and (f) maintain complete and accurate records and information to demonstrate its compliance with this clause 6. 6.8 Each each party shall ensure that it has in place take appropriate technical and organisational measures to protect against unauthorised or unlawful processing of Personal Data and against accidental loss the personal data or destruction of, or damage to, Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or its accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymisation and encr ypting Personal Data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it)damage. 6.9 The Supplier will ensure that any sub-contractors appointed to process personal data on behalf of the Customer are subject to written agreements that require them to process such data only on documented instructions from the Customer and in full compliance with the requirements of the UK GDPR, particularly Article 28. 
The Supplier confirms that it has entered or (as the case may be) will enter with the third-party processor into a written agreement substantially on that third party's standard terms of business. As between the Customer and the Supplier, the Supplier shall remain fully liable for all acts or omissions of any third-party processor appointed by it pursuant to this clause 6. Full details of all third parties providing such services to the Supplier and who are processing Personal data under this agreement are available upon request. 6.10 The Supplier will update its Privacy Policy to reflect any changes in sub-processors or the addition of new sub-processors. It is the responsibility of the Customer to regularly review the Privacy Policy to stay informed of such changes. 6.11 The Customer acknowledges and agrees that the Supplier relies on third-party services for the hosting and processing of Customer Data pursuant to this agreement. Specifically, Amazon Web Services (AWS) is utilised as the primary infrastructure provider due to its robust data security measures and adherence to data protection legislation relevant to our operations. For comprehensive details regarding the use of AWS, including the location of data centres and the specific security and compliance measures in place, refer to Schedule 2 of this agreement. This schedule outlines how data storage and processing activities through AWS are conducted in strict conformity with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, ensuring the highest standards of data protection and security are maintained. 6.12 The Supplier will ensure that any use of Customer Data in aggregated and anonymised form is done in a manner that fully ensures such data cannot be re-identified, adhering to the standards of anonymisation defined under the UK GDPR. 
6.13 The supplier will assist the customer in ensuring compliance with the data subject rights under the Data Protection Legislation, including but not limited to rights of access, correction, deletion, and data portability. 6.14 The customer shall have the right to conduct an audit of the supplier's data processing activities related to this agreement once per year to ensure compliance with Data Protection Legislation and the terms of this agreement. Such audit shall be conducted at the customer's expense, with reasonable prior notice, and shall not unreasonably interfere with the supplier's business operations. 6.15 Any revisions to this clause related to data protection will be made in compliance with the latest data protection legislation and best practices, ensuring the protection of data subjects' rights. The Customer will be notified at least 30 days in advance of any such changes, which will only be implemented with the Customer's consent if they materially alter the data protection obligations of the parties.

Appears in 1 contract

Sources: Saas Subscription Agreement

Customer Data. 6.1 5.1 Each Party shall comply with its respective obligations and may exercise its respective rights and remedies, under the Data Processing Agreement in Schedule 5. 5.2 The Customer shall own all right, title and interest in and to all of the Customer Data that is not personal data and shall have sole responsibility for the legality, reliability, integrity, accuracy and quality of all such Customer Data. 6.2 The Supplier shall follow its archiving procedures for Customer Data as set out in its Back-Up Policy. 5.3 In the event of any loss or damage to Customer Data, the Customer's sole and exclusive remedy against the Supplier shall be for the Supplier to use reasonable commercial endeavours to restore the lost or damaged Customer Data from the latest back-up of such Customer Data maintained by the Supplier in accordance with the archiving procedure described in its Back-Up PolicySupplier. The Supplier shall not be responsible for any loss, destruction, alteration or disclosure of Customer Data caused by any third party (except those any third parties sub-contracted by the Supplier to perform Software services related to Customer Data maintenance and back-up for which it shall remain fully liable under clause 6.9up). 6.3 5.4 The Supplier shall, in providing the Software Services, comply with its Privacy and Security Policy relating to the privacy and security of the Customer Data available at ▇▇▇.▇▇▇▇▇://▇▇▇▇▇▇.▇▇./en/privacynotice or such other website address as may be notified to the Customer from time to time, as such document may be amended from time to time by the Supplier in its sole discretion. 6.4 5.5 Both parties will follow comply with all applicable requirements of the Data Protection Legislation. This clause 6 Clause 5 is in addition to, and does not relieve, remove or replace, a party's ’s obligations or rights under the Data Protection Legislation. 
6.5 5.6 The parties acknowledge that: (a) if the Supplier processes any personal data on the Customer's ’s behalf when performing its obligations under this agreementAgreement, the Customer is the data controller Data Controller and the Supplier is the data processor Data Processor for the purposes of the Data Protection Legislation (where Data Controller and; b) Schedule 5 sets out the scope, nature and Data Processor have purpose of processing by the meanings Supplier as defined in the Data Protection Legislation)Processor, the duration of the processing, the types of personal data and categories of data subject. (b) the Customer acknowledges and agrees that the personal data may be transferred or stored outside the EEA or the country where the Customer and the Authorised Users are located to carry out the Services and the Supplier's other obligations under this agreement. If personal data is transferred or stored outside the UK, appropriate safeguards in accordance with UK GDPR, such as Standard Contractual Clauses approved by the UK Information Commissioner's Office (ICO), will be implemented to ensure compliance with UK data protection laws. 6.6 5.7 Without prejudice to the generality of clause 6.1Clause 5.5, the Customer will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the Personal Data personal data to the Supplier for the duration and purposes of this agreement Agreement so that the Supplier may lawfully use, process and transfer the Personal Data personal data in accordance with this agreement Agreement on the Customer's ’s behalf. 
6.7 Without prejudice to the generality of clause 6.1, the Supplier shall, in relation to any Personal Data processed in connection with the performance by the Supplier of its obligations under this agreement: (a) Process that Personal Data only on the written instructions of the Customer, unless the Supplier is required by the laws of the United Kingdom, the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, or any applicable international laws to process Personal Data (Applicable Laws). In instances where the Supplier's data processing activities are subject to the laws of a member of the European Union due to cross-border operations or data transfers, and where such laws necessitate processing actions divergent from the Customer's instructions, the Supplier shall promptly notify the Customer of this requirement before commencing the processing required by the Applicable Laws, unless prohibited by those laws from providing such notification; (b) Not transfer any Personal Data outside of the United Kingdom or to any country not deemed to have adequate data protection laws by the UK Information Commissioner's Office (ICO), unless the following conditions are fulfilled: (i) the Customer or the Supplier has provided appropriate safeguards in relation to the transfer such as Standard Contractual Clauses (SCCs) specifically adapted for the data transfer requirements under the UK GDPR, or any future UK adequacy decisions. 
When transferring personal data outside the UK, the Supplier will ensure the use of Standard Contractual Clauses approved by the UK Information Commissioner's Office (ICO), or ensure that the destination country has been deemed to provide an adequate level of protection for personal data by the UK government; (ii) the data subject has enforceable rights and effective legal remedies in accordance with the UK GDPR and the Data Protection Act 2018; (iii) the Supplier ensures compliance with the UK Data Protection Legislation by providing an adequate level of protection to any Personal Data transferred, including adhering to any additional requirements set forth by the UK Information Commissioner's Office (ICO); and (iv) the Supplier complies with reasonable instructions notified to it in advance by the Customer with respect to the processing of the Personal Data; (c) assist the Customer, at the Customer's cost, in responding to any request from a Data Subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators; (d) notify the ICO within 72 hours of becoming aware of a data breach. Where the breach is likely to result in a high risk to the rights and freedoms of natural persons, notify the affected data subjects without undue delay; (e) at the written direction of the Customer, delete or return Personal Data and copies thereof to the Customer on termination of the agreement unless required by Applicable Law to store the Personal Data; and (f) maintain complete and accurate records and information to demonstrate its compliance with this clause 6. 
6.8 Each party shall ensure that it has in place appropriate technical and organisational measures to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymisation and encrypting Personal Data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it). 6.9 The Supplier will ensure that any sub-contractors appointed to process personal data on behalf of the Customer are subject to written agreements that require them to process such data only on documented instructions from the Customer and in full compliance with the requirements of the UK GDPR, particularly Article 28. The Supplier confirms that it has entered or (as the case may be) will enter with the third-party processor into a written agreement substantially on that third party's standard terms of business. As between the Customer and the Supplier, the Supplier shall remain fully liable for all acts or omissions of any third-party processor appointed by it pursuant to this clause 6. Full details of all third parties providing such services to the Supplier and who are processing Personal data under this agreement are available upon request. 6.10 The Supplier will update its Privacy Policy to reflect any changes in sub-processors or the addition of new sub-processors. 
It is the responsibility of the Customer to regularly review the Privacy Policy to stay informed of such changes. 6.11 The Customer acknowledges and agrees that the Supplier relies on third-party services for the hosting and processing of Customer Data pursuant to this agreement. Specifically, Amazon Web Services (AWS) is utilised as the primary infrastructure provider due to its robust data security measures and adherence to data protection legislation relevant to our operations. For comprehensive details regarding the use of AWS, including the location of data centres and the specific security and compliance measures in place, refer to Schedule 2 of this agreement. This schedule outlines how data storage and processing activities through AWS are conducted in strict conformity with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, ensuring the highest standards of data protection and security are maintained. 6.12 The Supplier will ensure that any use of Customer Data in aggregated and anonymised form is done in a manner that fully ensures such data cannot be re-identified, adhering to the standards of anonymisation defined under the UK GDPR. 6.13 The supplier will assist the customer in ensuring compliance with the data subject rights under the Data Protection Legislation, including but not limited to rights of access, correction, deletion, and data portability. 6.14 The customer shall have the right to conduct an audit of the supplier's data processing activities related to this agreement once per year to ensure compliance with Data Protection Legislation and the terms of this agreement. 
Such audit shall be conducted at the customer's expense, with reasonable prior notice, and shall not unreasonably interfere with the supplier's business operations. 6.15 Any revisions to this clause related to data protection will be made in compliance with the latest data protection legislation and best practices, ensuring the protection of data subjects' rights. The Customer will be notified at least 30 days in advance of any such changes, which will only be implemented with the Customer's consent if they materially alter the data protection obligations of the parties.

Appears in 1 contract

Sources: Software, Hardware and Related Services Supply Agreement

Customer Data. 6.1 5.1 The Customer shall own all right, title and interest in and to all of the Customer Data that is not personal data and shall have sole responsibility for the legality, reliability, integrity, accuracy and quality of all such the Customer Data. 6.2 5.2 The Supplier shall follow its archiving procedures for Customer Data as set out in its Back-Up PolicyPolicy as may be notified to the Customer from time to time, as such document may be amended by the Supplier in its sole discretion from time to time. In the event of any loss or damage to Customer Data, the Customer's sole and exclusive remedy against the Supplier shall be for the Supplier to use reasonable commercial endeavours to restore the lost or damaged Customer Data from the latest back-up of such Customer Data maintained by the Supplier in accordance with the archiving procedure described in its Back-Up Policy. The Supplier shall not be responsible for any loss, destruction, alteration or disclosure of Customer Data caused by any third party (except those third parties sub-contracted by the Supplier to perform services related to Customer Data maintenance and back-up for which it shall remain fully liable under clause 6.9back- up). 6.3 5.3 The Supplier shall, in providing the Services, comply with its Privacy and Security Policy relating to the privacy and security of the Customer Data available at ▇▇▇.▇▇▇▇▇▇▇▇▇▇▇.▇▇.▇▇ or such other website address as may be notified to the Customer from time to time, as such document may be amended from time to time by the Supplier in its sole discretion. 6.4 Both parties will follow all applicable requirements of the Data Protection Legislation. This clause 6 is in addition to, and does not relieve, remove or replace, a party's obligations under the Data Protection Legislation. 
6.5 The parties acknowledge that: (a) if 5.4 If the Supplier processes any personal data on the Customer's behalf when performing its obligations under this agreementAgreement, the parties record their intention that the Customer is shall be the data controller and the Supplier is the shall be a data processor for the purposes of the Data Protection Legislation (where Data Controller and Data Processor have the meanings as defined in the Data Protection Legislation).any such case: (ba) the Customer acknowledges and agrees that the personal data may be transferred or stored outside the EEA or the country where the Customer and the Authorised Users are located in order to carry out the Services and the Supplier's other obligations under this agreement. If Agreement; (b) the Customer shall ensure that the Customer is entitled to transfer the relevant personal data is transferred or stored outside the UK, appropriate safeguards in accordance with UK GDPR, such as Standard Contractual Clauses approved by the UK Information Commissioner's Office (ICO), will be implemented to ensure compliance with UK data protection laws. 6.6 Without prejudice to the generality of clause 6.1, the Customer will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the Personal Data to the Supplier for the duration and purposes of this agreement so that the Supplier may lawfully use, process and transfer the Personal Data personal data in accordance with this agreement Agreement on the Customer's behalf. 
6.7 Without prejudice to the generality of clause 6.1, the Supplier shall, in relation to any Personal Data processed in connection with the performance by the Supplier of its obligations under this agreement: (a) Process that Personal Data only on the written instructions of the Customer, unless the Supplier is required by the laws of the United Kingdom, the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, or any applicable international laws to process Personal Data (Applicable Laws). In instances where the Supplier's data processing activities are subject to the laws of a member of the European Union due to cross-border operations or data transfers, and where such laws necessitate processing actions divergent from the Customer's instructions, the Supplier shall promptly notify the Customer of this requirement before commencing the processing required by the Applicable Laws, unless prohibited by those laws from providing such notification; (b) Not transfer any Personal Data outside of the United Kingdom or to any country not deemed to have adequate data protection laws by the UK Information Commissioner's Office (ICO), unless the following conditions are fulfilled: (i) the Customer or the Supplier has provided appropriate safeguards in relation to the transfer such as Standard Contractual Clauses (SCCs) specifically adapted for the data transfer requirements under the UK GDPR, or any future UK adequacy decisions. 
When transferring personal data outside the UK, the Supplier will ensure the use of Standard Contractual Clauses approved by the UK Information Commissioner's Office (ICO), or ensure that the destination country has been deemed to provide an adequate level of protection for personal data by the UK government; (ii) the data subject has enforceable rights and effective legal remedies in accordance with the UK GDPR and the Data Protection Act 2018; (iii) the Supplier ensures compliance with the UK Data Protection Legislation by providing an adequate level of protection to any Personal Data transferred, including adhering to any additional requirements set forth by the UK Information Commissioner's Office (ICO); and (iv) the Supplier complies with reasonable instructions notified to it in advance by the Customer with respect to the processing of the Personal Data; (c) assist the CustomerCustomer shall ensure that the relevant third parties have been informed of, at the Customer's costand have given their consent to, in responding to any request from a Data Subject such use, processing, and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulatorstransfer as required by all applicable data protection legislation; (d) notify the ICO within 72 hours of becoming aware of a data breach. Where the breach is likely to result in a high risk to the rights and freedoms of natural persons, notify the affected data subjects without undue delay.; (e) at the written direction of the Customer, delete or return Personal Data and copies thereof to the Customer on termination of the agreement unless required by Applicable Law to store the Personal Data; and (f) maintain complete and accurate records and information to demonstrate its compliance with this clause 6. 
6.8 Each each party shall ensure that it has in place take appropriate technical and organisational measures to protect against unauthorised or unlawful processing of Personal Data and against accidental loss the personal data or destruction of, or damage to, Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or its accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymisation and encr ypting Personal Data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it)damage. 6.9 The Supplier will ensure that any sub-contractors appointed to process personal data on behalf of the Customer are subject to written agreements that require them to process such data only on documented instructions from the Customer and in full compliance with the requirements of the UK GDPR, particularly Article 28. The Supplier confirms that it has entered or (as the case may be) will enter with the third- party processor into a written agreement substantially on that third party's standard terms of business. As between the Customer and the Supplier, the Supplier shall remain fully liable for all acts or omissions of any third-party processor appointed by it pursuant to this clause 6. Full details of all third parties providing such services to the Supplier and who are processing Personal data under this agreement are available upon request. 6.10 The Supplier will update its Privacy Policy to reflect any changes in sub-processors or the addition of new sub-processors. 
It is the responsibility of the Customer to regularly review the Privacy Policy to stay informed of such changes. 6.11 The Customer acknowledges and agrees that the Supplier relies on third-party services for the hosting and processing of Customer Data pursuant to this agreement. Specifically, Amazon Web Services (AWS) is utilised as the primary infrastructure provider due to its robust data security measures and adherence to data protection legislation relevant to our operations. For comprehensive details regarding the use of AWS, including the location of data centres and the specific security and compliance measures in place, refer to Schedule 2 of this agreement. This schedule outlines how data storage and processing activities through AWS are conducted in strict conformity with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, ensuring the highest standards of data protection and security are maintained. 6.12 The Supplier will ensure that any use of Customer Data in aggregated and anonymised form is done in a manner that fully ensures such data cannot be re-identified, adhering to the standards of anonymisation defined under the UK GDPR. 6.13 The supplier will assist the customer in ensuring compliance with the data subject rights under the Data Protection Legislation, including but not limited to rights of access, correction, deletion, and data portability. 6.14 The customer shall have the right to conduct an audit of the supplier's data processing activities related to this agreement once per year to ensure compliance with Data Protection Legislation and the terms of this agreement. 
Such audit shall be conducted at the customer's expense, with reasonable prior notice, and shall not unreasonably interfere with the supplier's business operations. 6.15 Any revisions to this clause related to data protection will be made in compliance with the latest data protection legislation and best practices, ensuring the protection of data subjects' rights. The Customer will be notified at least 30 days in advance of any such changes, which will only be implemented with the Customer's consent if they materially alter the data protection obligations of the parties.

Appears in 1 contract

Sources: License Agreement

Customer Data. 6.1 9.1 The Customer shall own all rightrights, title and interest in and to all of the Customer Data that is not personal data and shall have sole responsibility for the legality, reliability, integrity, accuracy and quality of all such the Customer Data. 6.2 The 9.2 In relation to Services which involve the Supplier shall follow its archiving procedures for storing Customer Data as set out and in its Back-Up Policy. In the event of any loss or damage to Customer Data, the Customer's sole and exclusive remedy against the Supplier shall be for the Supplier to use reasonable commercial endeavours to restore ensure that the lost or damaged Customer Data from is secure and backed up and that the latest back-up of such Customer has electronic access to the Customer Data maintained stored by the Supplier to retrieve or manipulate at any time. If the Customer has no access to the Customer Data electronically, the Supplier shall, upon the Customer’s request grant such access necessary to retrieve/manipulate Customer Data within 7 working days from the request. In the event that the Customer requires Customer Data on physical media, the Customer can raise a request and the Supplier will apply reasonable endeavours to assist the Customer with the physical retrieval of Customer Data. 9.3 On the billing anniversary following the termination date of a Service which involves the storing or hosting of Customer Data by the Supplier, all Customer Data held within the Service shall cease to be available to the Customer to access. Any Customer Data will be retained in accordance with to the archiving procedure described extent set out in its Back-Up Policy. the applicable Service Option and can be retrieved by the Supplier (and then provided to the Customer in the format reasonably required) through the submission of a request to the Supplier by email. 
9.4 The Supplier shall not be responsible for any loss, destruction, alteration or disclosure of Customer Data caused by any third party (except those third parties sub-contracted by the Supplier to perform services related to Customer Data maintenance and back-up for which it shall remain fully liable under clause 6.9up). 6.3 9.5 The Supplier shall, in providing the Services, comply with its Privacy and Security Policy relating to available on the privacy and security of the Customer Data available at ▇▇▇.▇▇▇▇▇▇▇▇▇▇▇.▇▇.▇▇ smartCLOUD Website or such other website address as may be notified to the Customer from time to time, as time and such document policy may be amended from time to time by the Supplier in its sole discretion. 6.4 Both parties will follow all applicable requirements of the Data Protection Legislation. This clause 6 is in addition to, and does not relieve, remove or replace, a party's obligations under the Data Protection Legislation. 6.5 The parties acknowledge that: (a) if 9.6 If the Supplier processes any personal data on the Customer's ’s behalf when performing its obligations under this agreementAgreement, the parties record their intention that the Customer is shall be the data controller and the Supplier is the shall be a data processor for the purposes of the Data Protection Legislation (where Data Controller and Data Processor have the meanings as defined in the Data Protection Legislation).any such case: (b) 9.6.1 the Customer acknowledges and agrees that the personal data may be transferred or stored outside the EEA or the country where the Customer and the Authorised Users are located in order to carry out the Services and the Supplier's ’s other obligations under this agreement. 
If Agreement; 9.6.2 the Customer shall ensure that the Customer is entitled to transfer the relevant personal data is transferred or stored outside the UK, appropriate safeguards in accordance with UK GDPR, such as Standard Contractual Clauses approved by the UK Information Commissioner's Office (ICO), will be implemented to ensure compliance with UK data protection laws. 6.6 Without prejudice to the generality of clause 6.1, the Customer will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the Personal Data to the Supplier for the duration and purposes of this agreement so that the Supplier may lawfully use, process and transfer the Personal Data personal data in accordance with this agreement Agreement on the Customer's behalf.; 6.7 Without prejudice to 9.6.3 the generality of clause 6.1Customer shall ensure that the relevant third parties have been informed of, the Supplier shalland have given their consent to, in relation to any Personal Data processed in connection with the performance by the Supplier of its obligations under this agreement: (a) Process that Personal Data only on the written instructions of the Customersuch use, unless the Supplier is processing, and transfer as required by the laws of the United Kingdom, the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, or any all applicable international laws to process Personal Data (Applicable Laws). 
In instances where the Supplier's data processing activities are subject to the laws of a member of the European Union due to cross-border operations or data transfers, and where such laws necessitate processing actions divergent from the Customer's instructions, protection legislation; 9.6.4 the Supplier shall promptly notify process the Customer of this requirement before commencing the processing required by the Applicable Laws, unless prohibited by those laws from providing such notification; (b) Not transfer any Personal Data outside of the United Kingdom or to any country not deemed to have adequate data protection laws by the UK Information Commissioner's Office (ICO), unless the following conditions are fulfilled: (i) the Customer or the Supplier has provided appropriate safeguards in relation to the transfer such as Standard Contractual Clauses (SCCs) specifically adapted for the data transfer requirements under the UK GDPR, or any future UK adequacy decisions. When transferring personal data outside the UK, the Supplier will ensure the use of Standard Contractual Clauses approved by the UK Information Commissioner's Office (ICO), or ensure that the destination country has been deemed to provide an adequate level of protection for personal data by the UK government; (ii) the data subject has enforceable rights and effective legal remedies only in accordance with the UK GDPR terms of this Agreement and the Data Protection Act 2018; (iii) the Supplier ensures compliance with the UK Data Protection Legislation by providing an adequate level of protection to any Personal Data transferred, including adhering to any additional requirements set forth lawful instructions reasonably given by the UK Information Commissioner's Office (ICO)Customer from time to time; and (iv) 9.6.5 the Supplier complies with reasonable instructions notified to it in advance by the Customer with respect to the processing of the Personal Data; (c) assist the Customer, at the Customer's 
cost, in responding to any request from a Data Subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators; (d) notify the ICO within 72 hours of becoming aware of a data breach. Where the breach is likely to result in a high risk to the rights and freedoms of natural persons, notify the affected data subjects without undue delay; (e) at the written direction of the Customer, delete or return Personal Data and copies thereof to the Customer on termination of the agreement unless required by Applicable Law to store the Personal Data; and (f) maintain complete and accurate records and information to demonstrate its compliance with this clause 6. 6.8 Each party shall ensure that it has in place take appropriate technical and organisational measures to protect against unauthorised or unlawful processing of Personal Data and against accidental loss the personal data or destruction of, or damage to, Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or its accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymisation and encrypting Personal Data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it)damage. 
6.9 The Supplier will ensure that any sub-contractors appointed to process personal data on behalf of the Customer are subject to written agreements that require them to process such data only on documented instructions from the Customer and in full compliance with the requirements of the UK GDPR, particularly Article 28. The Supplier confirms that it has entered or (as the case may be) will enter with the third-party processor into a written agreement substantially on that third party's standard terms of business. As between the Customer and the Supplier, the Supplier shall remain fully liable for all acts or omissions of any third-party processor appointed by it pursuant to this clause 6. Full details of all third parties providing such services to the Supplier and who are processing Personal data under this agreement are available upon request. 6.10 The Supplier will update its Privacy Policy to reflect any changes in sub-processors or the addition of new sub-processors. It is the responsibility of the Customer to regularly review the Privacy Policy to stay informed of such changes. 6.11 The Customer acknowledges and agrees that the Supplier relies on third-party services for the hosting and processing of Customer Data pursuant to this agreement. Specifically, Amazon Web Services (AWS) is utilised as the primary infrastructure provider due to its robust data security measures and adherence to data protection legislation relevant to our operations. For comprehensive details regarding the use of AWS, including the location of data centres and the specific security and compliance measures in place, refer to Schedule 2 of this agreement. This schedule outlines how data storage and processing activities through AWS are conducted in strict conformity with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, ensuring the highest standards of data protection and security are maintained. 
6.12 The Supplier will ensure that any use of Customer Data in aggregated and anonymised form is done in a manner that fully ensures such data cannot be re-identified, adhering to the standards of anonymisation defined under the UK GDPR. 6.13 The supplier will assist the customer in ensuring compliance with the data subject rights under the Data Protection Legislation, including but not limited to rights of access, correction, deletion, and data portability. 6.14 The customer shall have the right to conduct an audit of the supplier's data processing activities related to this agreement once per year to ensure compliance with Data Protection Legislation and the terms of this agreement. Such audit shall be conducted at the customer's expense, with reasonable prior notice, and shall not unreasonably interfere with the supplier's business operations. 6.15 Any revisions to this clause related to data protection will be made in compliance with the latest data protection legislation and best practices, ensuring the protection of data subjects' rights. The Customer will be notified at least 30 days in advance of any such changes, which will only be implemented with the Customer's consent if they materially alter the data protection obligations of the parties.

Appears in 1 contract

Sources: Software Services Agreement

Customer Data. 6.1 4.1 The Customer shall own all right, title and interest in and to all of the Customer Data that is not personal data and shall have sole responsibility for the legality, reliability, integrity, accuracy and quality of all such Customer Data. 6.2 4.2 The Supplier shall follow its archiving procedures for Customer Data as set out in its Back-Up PolicyPolicy as such document may be amended by the Supplier in its sole discretion from time to time. In the event of any loss or damage to Customer Data, the Customer's sole and exclusive remedy against the Supplier shall be for the Supplier to use reasonable commercial endeavours to restore the lost or damaged Customer Data from the latest back-up of such Customer Data maintained by the Supplier in accordance with the archiving procedure described in its Back-Up Policy. The Supplier shall not be responsible for any loss, destruction, alteration or disclosure of Customer Data caused by any third party (except those third parties sub-sub- contracted by the Supplier to perform services related to Customer Data maintenance and back-up for which it shall remain fully liable under clause 6.94.9). 6.3 4.3 The Supplier shall, in providing the Services, comply with its Privacy and Security Policy relating to the privacy and security of the Customer Data available at ▇▇▇.▇▇▇▇.▇▇▇/▇▇▇▇▇▇▇.▇▇.▇▇▇▇▇ or such other website address as may be notified to the Customer from time to time, as such document may be amended from time to time by the Supplier in its sole discretion. 6.4 4.4 Both parties will follow comply with all applicable requirements of the Data Protection Legislation. This clause 6 4 is in addition to, and does not relieve, remove or replace, a party's obligations under the Data Protection Legislation. 
6.5 4.5 The parties acknowledge that: (a) if the Supplier processes any personal data on the Customer's behalf when performing its obligations under this agreement, the Customer is the data controller and the Supplier is the data processor for the purposes of the Data Protection Legislation (where Personal Data, Data Controller and Data Processor have the meanings as defined in the Data Protection Legislation). (b) the Customer acknowledges and agrees that the personal data may be transferred or stored outside the EEA or the country where the Customer and the Authorised Users are located in order to carry out the Services and the Supplier's other obligations under this agreement. If personal data is transferred or stored outside the UK, appropriate safeguards in accordance with UK GDPR, such as Standard Contractual Clauses approved by the UK Information Commissioner's Office (ICO), will be implemented to ensure compliance with UK data protection laws. 6.6 4.6 Without prejudice to the generality of clause 6.14.1, the Customer will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the Personal Data to the Supplier for the duration and purposes of this agreement so that the Supplier may lawfully use, process and transfer the Personal Data in accordance with this agreement on the Customer's behalf. 6.7 4.7 Without prejudice to the generality of clause 6.14.1, the Supplier shall, in relation to any Personal Data processed in connection with the performance by the Supplier of its obligations under this agreement: (a) Process process that Personal Data only on the written instructions of the Customer, Customer unless the Supplier is required by the laws of any member of the United Kingdom, European Union or by the UK General Data Protection Regulation (UK GDPR), laws of the Data Protection Act 2018, or any European Union applicable international laws to the Supplier to process Personal Data (Applicable Laws). 
In instances where Where the Supplier's data processing activities are subject to the Supplier is relying on laws of a member of the European Union due to cross-border operations or data transfers, and where such laws necessitate European Union law as the basis for processing actions divergent from the Customer's instructionsPersonal Data, the Supplier shall promptly notify the Customer of this requirement before commencing performing the processing required by the Applicable Laws, Laws unless prohibited by those laws Applicable Laws prohibit the Supplier from providing such notificationso notifying the Customer; (b) Not ensure that all personnel who have access to and/or process Personal Data are obliged to keep the Personal Data confidential; and (c) not transfer any Personal Data outside of the United Kingdom or to any country not deemed to have adequate data protection laws by the UK Information Commissioner's Office (ICO), EEA unless the following conditions are fulfilled: (i) the Customer or the Supplier has provided appropriate safeguards in relation to the transfer such as Standard Contractual Clauses (SCCs) specifically adapted for the data transfer requirements under the UK GDPR, or any future UK adequacy decisions. 
When transferring personal data outside the UK, the Supplier will ensure the use of Standard Contractual Clauses approved by the UK Information Commissioner's Office (ICO), or ensure that the destination country has been deemed to provide an adequate level of protection for personal data by the UK governmenttransfer; (ii) the data subject has enforceable rights and effective legal remedies in accordance with the UK GDPR and the Data Protection Act 2018remedies; (iii) the Supplier ensures compliance complies with its obligations under the UK Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred, including adhering to any additional requirements set forth by the UK Information Commissioner's Office (ICO); and (iv) the Supplier complies with reasonable instructions notified to it in advance by the Customer with respect to the processing of the Personal Data; (cd) assist the Customer, at the Customer's cost, in responding to any request from a Data Subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators; (de) notify the ICO within 72 hours of Customer without undue delay on becoming aware of a data breach. Where the breach is likely to result in a high risk to the rights and freedoms of natural persons, notify the affected data subjects without undue delay.; (e) at the written direction of the Customer, delete or return Personal Data and copies thereof to the Customer on termination of the agreement unless required by Applicable Law to store the Personal Databreach; and (f) maintain complete and accurate records and information to demonstrate its compliance with this clause 64 and allow for audits by the Customer or the Customer's designated auditor. 
6.8 4.8 Each party shall ensure that it has in place appropriate technical and organisational measures measures, reviewed and approved by the other party, to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymisation and encr ypting encrypting Personal Data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it). 6.9 4.9 The Customer does not consent to the Supplier will ensure that appointing any sub-contractors appointed to process personal data on behalf third party processor of Personal Data under this agreement. 4.10 Either party may at the cost of the Customer are subject to written agreements that require them to process such data only for both parties, at any time on documented instructions from the Customer and in full compliance with the requirements of the UK GDPRnot less than 30 days' notice, particularly Article 28. The Supplier confirms that it has entered or (as the case may be) will enter with the third- party processor into a written agreement substantially on that third party's standard terms of business. As between the Customer and the Supplier, the Supplier shall remain fully liable for all acts or omissions of any third-party processor appointed by it pursuant to revise this clause 6. 
Full details 4 by replacing it with any applicable controller to processor standard clauses or similar terms forming part of all third parties providing such services to the Supplier and who are processing Personal data under this agreement are available upon request. 6.10 The Supplier will update its Privacy Policy to reflect any changes in sub-processors or the addition of new sub-processors. It is the responsibility of the Customer to regularly review the Privacy Policy to stay informed of such changes. 6.11 The Customer acknowledges and agrees that the Supplier relies on third-party services for the hosting and processing of Customer Data pursuant an applicable certification scheme (which shall apply when replaced by attachment to this agreement. Specifically, Amazon Web Services (AWS) is utilised as the primary infrastructure provider due to its robust data security measures and adherence to data protection legislation relevant to our operations. For comprehensive details regarding the use of AWS, including the location of data centres and the specific security and compliance measures in place, refer to Schedule 2 of this agreement. This schedule outlines how data storage and processing activities through AWS are conducted in strict conformity with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, ensuring the highest standards of data protection and security are maintained). 6.12 The Supplier will ensure that any use of Customer Data in aggregated and anonymised form is done in a manner that fully ensures such data cannot be re-identified, adhering to the standards of anonymisation defined under the UK GDPR. 6.13 The supplier will assist the customer in ensuring compliance with the data subject rights under the Data Protection Legislation, including but not limited to rights of access, correction, deletion, and data portability. 
6.14 The customer shall have the right to conduct an audit of the supplier's data processing activities related to this agreement once per year to ensure compliance with Data Protection Legislation and the terms of this agreement. Such audit shall be conducted at the customer's expense, with reasonable prior notice, and shall not unreasonably interfere with the supplier's business operations. 6.15 Any revisions to this clause related to data protection will be made in compliance with the latest data protection legislation and best practices, ensuring the protection of data subjects' rights. The Customer will be notified at least 30 days in advance of any such changes, which will only be implemented with the Customer's consent if they materially alter the data protection obligations of the parties.

Appears in 1 contract

Sources: Service Agreement

Customer Data. 6.1 5.1. The Customer shall own all right, title and interest in and to all of the Customer Data that is not personal data and shall have sole responsibility for the legality, reliability, integrity, accuracy and quality of all such Customer Data. 6.2 5.2. The Supplier shall follow its archiving procedures for maintenance of metadata related to Customer Data as set out in its BackPrivacy and Security Policy available at ▇▇▇▇▇://▇▇▇▇▇▇▇▇.▇▇/privacy- security-Up Policypolicy or such other website address as may be notified to the Customer from time to time, as such document may be amended by the Supplier in its sole discretion from time to time. In the event of any loss or damage to Customer Data, the Customer's sole and exclusive remedy against the Supplier shall be for the Supplier to use reasonable commercial endeavours to provide the Customer with available Customer comprehensible metadata to restore the lost or damaged Customer Data from the latest back-up version of such metadata related to Customer Data maintained by the Supplier in accordance with the archiving procedure described in its Back-Up Metadata Maintenance Policy. The Supplier shall not be responsible for any loss, destruction, alteration or disclosure of Customer Data caused by any third party (except those third parties sub-contracted by the Supplier to perform services related to Customer Data maintenance and back-up for which it shall remain fully liable under clause 6.95.9). 6.3 5.3. The Supplier shall, in providing the Services, comply with its Privacy and Security Policy relating to the privacy and security of the Customer Data available at ▇▇▇.▇▇://▇▇▇▇▇▇▇▇.▇▇.▇▇ /privacy-security-policy or such other website address as may be notified to the Customer from time to time, as such document may be amended from time to time by the Supplier in its sole discretion. 6.4 5.4. Both parties will follow comply with all applicable requirements of the Data Protection Legislation. 
This clause 6 5 is in addition to, and does not relieve, remove or replace, a party's obligations or rights under the Data Protection Legislation. 6.5 5.5. The parties acknowledge that: (a) if the Supplier processes any personal data on the Customer's behalf when performing its obligations under this agreement, the Customer is the data controller and the Supplier is the data processor for the purposes of the Data Protection Legislation (where Data Controller and Data Processor have the meanings as defined in the Data Protection Legislation). (b) Schedule 2 sets out the Customer acknowledges scope, nature and agrees that purpose of processing by the Supplier, the duration of the processing and the types of personal data and categories of data subject. (c) the personal data may be transferred or stored outside the EEA or the country where the Customer and the Authorised Authorized Users are located in order to carry out the Services and the Supplier's other obligations under this agreement. If personal data is transferred or stored outside the UK, appropriate safeguards in accordance with UK GDPR, such as Standard Contractual Clauses approved by the UK Information Commissioner's Office (ICO), will be implemented to ensure compliance with UK data protection laws. 6.6 5.6. Without prejudice to the generality of clause 6.15.4, the Customer will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the Personal Data personal data to the Supplier for the duration and purposes of this agreement so that the Supplier may lawfully use, process and transfer the Personal Data personal data in accordance with this agreement on the Customer's behalf. 6.7 5.7. 
Without prejudice to the generality of clause 6.15.4, the Supplier shall, in relation to any Personal Data personal data processed in connection with the performance by the Supplier of its obligations under this agreement: (a) Process process that Personal Data personal data only on the documented written instructions of the Customer, Customer unless the Supplier is required by the laws of any member of the United Kingdom, European Union or by the laws of the European Union applicable to the Supplier and/or Domestic UK Law (where Domestic UK Law means the UK General Data Protection Regulation (UK GDPR), Legislation and any other law that applies in the Data Protection Act 2018, or any applicable international laws UK) to process Personal Data personal data (Applicable Laws). In instances where Where the Supplier's data Supplier is relying on Applicable Laws as the basis for processing activities are subject to the laws of a member of the European Union due to cross-border operations or data transfers, and where such laws necessitate processing actions divergent from the Customer's instructionspersonal data, the Supplier shall promptly notify the Customer of this requirement before commencing performing the processing required by the Applicable Laws, Laws unless prohibited by those laws Applicable Laws prohibit the Supplier from providing such notificationso notifying the Customer; (b) Not not transfer any Personal Data personal data outside of the European Economic Area and the United Kingdom or to any country not deemed to have adequate data protection laws by the UK Information Commissioner's Office (ICO), unless the following conditions are fulfilled: (i) the Customer or the Supplier has provided appropriate safeguards in relation to the transfer such as Standard Contractual Clauses (SCCs) specifically adapted for the data transfer requirements under the UK GDPR, or any future UK adequacy decisions. 
When transferring personal data outside the UK, the Supplier will ensure the use of Standard Contractual Clauses approved by the UK Information Commissioner's Office (ICO), or ensure that the destination country has been deemed to provide an adequate level of protection for personal data by the UK governmenttransfer; (ii) the data subject has enforceable rights and effective legal remedies in accordance with the UK GDPR and the Data Protection Act 2018remedies; (iii) the Supplier ensures compliance complies with its obligations under the UK Data Protection Legislation by providing an adequate level of protection to any Personal Data personal data that is transferred, including adhering to any additional requirements set forth by the UK Information Commissioner's Office (ICO); and (iv) the Supplier complies with reasonable instructions notified to it in advance by the Customer with respect to the processing of the Personal Datapersonal data; (c) assist the Customer, at the Customer's cost, in responding to any request from a Data Subject data subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators; (d) notify the ICO within 72 hours of Customer without undue delay on becoming aware of a personal data breach. 
Where the breach is likely to result in a high risk to the rights and freedoms of natural persons, notify the affected data subjects without undue delay.; (e) at the written direction of the Customer, delete or return Personal Data personal data it can reasonably identify and copies thereof to the Customer on termination of the agreement unless required by Applicable Law to store the Personal Datapersonal data (and for these purposes the term "delete" shall mean to put such data beyond use); and (f) maintain complete and accurate records and information to demonstrate its compliance with this clause 65 and immediately inform the Customer if, in the opinion of the Supplier, an instruction infringes the Data Protection Legislation. 6.8 5.8. Each party shall ensure that it has in place appropriate technical and organisational measures to protect against unauthorised unauthorized or unlawful processing of Personal Data personal data and against accidental loss or destruction of, or damage to, Personal Datapersonal data, appropriate to the harm that might result from the unauthorised unauthorized or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymisation pseudonymising and encr ypting Personal Dataencrypting personal data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to Personal Data personal data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it). 
6.9 The Supplier will ensure that any sub-contractors appointed to process personal data on behalf of the Customer are subject to written agreements that require them to process such data only on documented instructions from the Customer and in full compliance with the requirements of the UK GDPR, particularly Article 285.9. The Supplier confirms that it has entered or (as the case may be) will enter with the third- party processor into a written agreement substantially on that third party's standard terms of business. As between the Customer and the Supplier, the Supplier shall remain fully liable for all acts or omissions of any third-party processor appointed by it pursuant to this clause 6. Full details of all third parties providing such services consents to the Supplier and who are processing Personal data under this agreement are available upon request. 6.10 The Supplier will update appointing or otherwise hosting its Privacy Policy to reflect any changes in sub-processors or the addition of new sub-processors. It is the responsibility of the Customer to regularly review the Privacy Policy to stay informed of such changes. 6.11 The Customer acknowledges and agrees that the Supplier relies on third-party services for the hosting and processing of Customer Data pursuant to this agreement. Specifically, Amazon Web Services (AWS) is utilised as the primary infrastructure provider due to its robust data security measures and adherence to data protection legislation relevant to our operations. For comprehensive details regarding the use of AWS, including the location of data centres and the specific security and compliance measures in place, refer to Schedule 2 of this agreement. This schedule outlines how data storage and processing activities through AWS are conducted in strict conformity with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, ensuring the highest standards of data protection and security are maintained. 
6.12 The Supplier will ensure that any use of Customer Data in aggregated and anonymised form is done in a manner that fully ensures such data cannot be re-identified, adhering to the standards of anonymisation defined under the UK GDPR. 6.13 The supplier will assist the customer in ensuring compliance with the data subject rights under the Data Protection Legislation, including but not limited to rights of access, correction, deletion, and data portability. 6.14 The customer shall have the right to conduct an audit of the supplier's data processing activities related to this agreement once per year to ensure compliance with Data Protection Legislation and the terms of this agreement. Such audit shall be conducted at the customer's expense, with reasonable prior notice, and shall not unreasonably interfere with the supplier's business operations. 6.15 Any revisions to this clause related to data protection will be made in compliance with the latest data protection legislation and best practices, ensuring the protection of data subjects' rights. The Customer will be notified at least 30 days in advance of any such changes, which will only be implemented with the Customer's consent if they materially alter the data protection obligations of the parties. Software with

Appears in 1 contract

Sources: Software License Agreement

Customer Data. 6.1 5.1 The Customer shall own all right, title and interest in and to all of the Customer Data that is not personal data and shall have sole responsibility for the legality, reliability, integrity, accuracy and quality of all such Customer Data. 6.2 The Supplier 5.2 MY DIGITAL shall follow its archiving procedures for Customer Data as set out in its Back-Up Policy, as such document may be amended by MY DIGITAL in its sole discretion from time to time. In the event of any loss or damage to Customer Data, the Customer's sole and exclusive remedy against the Supplier MY DIGITAL shall be for the Supplier MY DIGITAL to use reasonable commercial endeavours to restore the lost or damaged Customer Data from the latest back-up of such Customer Data maintained by the Supplier MY DIGITAL in accordance with the archiving procedure described in its Back-Up Policy. The Supplier MY DIGITAL shall not be responsible for any loss, destruction, alteration or disclosure of Customer Data caused by any third party (except those third parties sub-contracted by the Supplier MY DIGITAL to perform services related to Customer Data maintenance and back-up for which it shall remain fully liable under clause 6.95.10). The Customer shall ensure that each of its Authorised Users is aware of the Back Up Policy and MY DIGITAL’s obligations with regard to the restoration of Customer Data. 6.3 5.3 The Supplier Privacy Policy is incorporated into this contract by reference and applies to the Subscription Services. The Customer acknowledges and agrees that Customer Data shall be collected and used by MY DIGITAL in accordance with the Privacy Policy and shall ensure that each Authorised User is aware of the Privacy Policy and provides its prior written consent to the Customer which shall confirm that each Contractor User and End Client User has seen and agrees to that party’s personal data being used by MY DIGITAL in accordance with the Privacy Policy. 
MY DIGITAL shall, in providing the Services, comply with its Privacy and Security Policy relating to the privacy and security of the Customer Data available at ▇▇▇.▇▇▇▇▇▇▇▇▇▇▇.▇▇.▇▇ or such other website address as may be notified to the Customer from time to time, as such document may be amended from time to time by the Supplier in its sole discretionData. 6.4 5.4 Both parties will follow comply with all applicable requirements of the Data Protection Legislation. This clause 6 5 is in addition to, and does not relieve, remove or replace, a party's obligations or rights under the Data Protection Legislation. 6.5 5.5 The Customer shall not disclose (and shall not permit any data subject to disclose), any sensitive personal data/special categories of personal data to MY DIGITAL for processing. 5.6 The parties acknowledge that: (a) if the Supplier that where MY DIGITAL processes any personal data as described in this contract on the Customer's ’s behalf when performing its obligations under this agreementcontract, and for the purposes of this Contract, the Customer is the data controller and the Supplier MY DIGITAL is the data processor for the purposes of the Data Protection Legislation (where Data Controller and Data Processor have the meanings as defined in the Data Protection Legislation). (b) the Customer acknowledges and agrees that the personal data may be transferred or stored outside the EEA or the country where the Customer and the Authorised Users are located to carry out the Services and the Supplier's other obligations under this agreement. If personal data is transferred or stored outside the UK, appropriate safeguards in accordance with UK GDPR, such as Standard Contractual Clauses approved by the UK Information Commissioner's Office (ICO), will be implemented to ensure compliance with UK data protection laws. 
6.6 5.7 Without prejudice to the generality of clause 6.15.4, the Customer will ensure that it has all necessary appropriate consents and notices in place to enable the lawful transfer of the Personal Data personal data to the Supplier MY DIGITAL for the duration and purposes of this agreement contract so that the Supplier MY DIGITAL may lawfully use, process and transfer the Personal Data personal data in accordance with this agreement contract on the Customer's behalf. 6.7 5.8 Without prejudice to the generality of clause 6.15.4, the Supplier MY DIGITAL shall, in relation to any Personal Data personal data processed in connection with the performance by the Supplier MY DIGITAL of its obligations under this agreementcontract: (a) Process process that Personal Data personal data only on the documented written instructions of the Customer, Customer unless the Supplier MY DIGITAL is required by the laws of any member of the United Kingdom, European Union or by the laws of the European Union applicable to MY DIGITAL and/or Domestic UK Law (where Domestic UK Law means the UK General Data Protection Regulation (UK GDPR), Legislation and any other law that applies in the Data Protection Act 2018, or any applicable international laws UK) to process Personal Data personal data (Applicable Laws). 
In instances where Where MY DIGITAL is relying on Applicable Laws as the Supplier's data basis for processing activities are subject to the laws of a member of the European Union due to cross-border operations or data transferspersonal data, and where such laws necessitate processing actions divergent from the Customer's instructions, the Supplier MY DIGITAL shall promptly notify the Customer of this requirement before commencing performing the processing required by the Applicable Laws, Laws unless prohibited by those laws Applicable Laws prohibit MY DIGITAL from providing such notificationso notifying theCustomer; (b) Not not transfer any Personal Data personal data outside of the European Economic Area and the United Kingdom or to any country not deemed to have adequate data protection laws by the UK Information Commissioner's Office (ICO), unless the following conditions are fulfilled: (i) the Customer or the Supplier MY DIGITAL has provided appropriate safeguards in relation to the transfer such as Standard Contractual Clauses (SCCs) specifically adapted for the data transfer requirements under the UK GDPR, or any future UK adequacy decisions. 
When transferring personal data outside the UK, the Supplier will ensure the use of Standard Contractual Clauses approved by the UK Information Commissioner's Office (ICO), or ensure that the destination country has been deemed to provide an adequate level of protection for personal data by the UK governmenttransfer; (ii) the data subject has enforceable rights and effective legal remedies in accordance with the UK GDPR and the Data Protection Act 2018remedies; (iii) MY DIGITAL complies with its obligations under the Supplier ensures compliance with the UK Data Protection Legislation by providing an adequate level of protection to any Personal Data personal data that is transferred, including adhering to any additional requirements set forth by the UK Information Commissioner's Office (ICO); and (iv) the Supplier MY DIGITAL complies with reasonable instructions notified to it in advance by the Customer with respect to the processing of the Personal Datapersonal data; (c) assist the Customer, at the Customer's cost, in responding to any request from a Data Subject data subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators; (d) notify the ICO within 72 hours of Customer without undue delay on becoming aware of a personal data breach. 
Where the breach is likely to result in a high risk to the rights and freedoms of natural persons, notify the affected data subjects without undue delay.; (e) at the written direction of the Customer, delete or return Personal Data personal data and copies thereof to the Customer on termination of the agreement this contract unless required by Applicable Law to store the Personal Datapersonal data; and (f) maintain complete and accurate records and information to demonstrate its compliance with this clause 65 and immediately inform the Company if, in the opinion of the MY DIGITAL, an instruction infringes the Data Protection Legislation. 6.8 5.9 Each party shall ensure that it has in place appropriate technical and organisational measures measures, reviewed and approved by the other party, to protect against unauthorised or unlawful processing of Personal Data personal data and against accidental loss or destruction of, or damage to, Personal Datapersonal data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymisation pseudonymising and encr ypting Personal Dataencrypting personal data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to Personal Data personal data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it). 
6.9 5.10 The Supplier will ensure that any subCustomer consents to MY DIGITAL appointing AWS Europe as a third-contractors appointed to process party processor of personal data on behalf of the Customer are subject to written agreements that require them to process such data only on documented instructions from the Customer and in full compliance with the requirements of the UK GDPR, particularly Article 28under this contract. The Supplier MY DIGITAL confirms that it has entered or (as the case may be) will enter with the third- third-party processor into a written agreement substantially on that third party's standard terms of businessbusiness and which reflect the requirements of the Data Protection Legislation. As between the Customer and the SupplierMY DIGITAL, the Supplier MY DIGITAL shall remain fully liable for all acts or omissions of any third-third- party processor appointed by it pursuant to this clause 6. Full details of all third parties providing such services to the Supplier and who are processing Personal data under this agreement are available upon request5. 6.10 The Supplier will update its Privacy Policy to reflect any changes in sub-processors or the addition of new sub-processors. It is the responsibility of the Customer to regularly review the Privacy Policy to stay informed of such changes. 6.11 5.11 The Customer acknowledges and agrees that internet transmissions are never completely private or secure and that any message or information which is sent or received using the Supplier relies on third-party services for the hosting and processing of Customer Data pursuant to this agreement. SpecificallyServices may be read or intercepted by others, Amazon Web Services (AWS) even if a particular transmission is utilised as the primary infrastructure provider due to its robust data security measures and adherence to data protection legislation relevant to our operations. 
For comprehensive details regarding the use of AWS, including the location of data centres and the specific security and compliance measures in place, refer to Schedule 2 of this agreement. This schedule outlines how data storage and processing activities through AWS are conducted in strict conformity with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, ensuring the highest standards of data protection and security are maintainedencrypted. 6.12 5.12 The Supplier will ensure Customer consents (on behalf of itself and each Authorised User) to MY DIGITAL collecting and using technical information about the devices and related software, hardware and peripherals for services that are internet or wireless based to improve its products and to provide any use of Customer Data in aggregated and anonymised form is done in a manner that fully ensures such data cannot be re-identified, adhering Services to the standards of anonymisation defined under the UK GDPRCustomer. 6.13 The supplier will assist the customer in ensuring compliance with the data subject rights under the Data Protection Legislation, including but not limited to rights of access, correction, deletion, and data portability. 6.14 The customer shall have the right to conduct an audit of the supplier's data processing activities related to this agreement once per year to ensure compliance with Data Protection Legislation and the terms of this agreement. Such audit shall be conducted at the customers expense, with reasonable prior notice, and shall not unreasonably interfere with the supplier's business operations 6.15 Any revisions to this clause related to data protection will be made in compliance with the latest data protection legislation and best practices, ensuring the protection of data subjects' rights. 
The Customer will be notified at least 30 days in advance of any such changes, which will only be implemented with the Customer's consent if they materially alter the data protection obligations of the parties.

Appears in 1 contract

Sources: Account Creation and Implementation Agreement

Customer Data. 6.1 5.1 The Customer shall own all rightrights, title and interest in and to all of the Customer Data that is not personal data and shall have sole responsibility for the legality, reliability, integrity, accuracy and quality of all such the Customer Data. 6.2 5.2 The Supplier shall follow its archiving procedures for Customer Data as set out in its Back-Up PolicyData. In the event of any loss or damage to Customer Data, the Customer's sole and exclusive remedy against the Supplier shall be for the Supplier to use reasonable commercial endeavours to restore the lost or damaged Customer Data from the latest back-up of such Customer Data maintained by the Supplier in accordance with the archiving procedure described in its Back-Up Policyprocedure. The Supplier shall not be responsible for any loss, destruction, alteration or disclosure of Customer Data caused by any third party (except those third parties sub-contracted by the Supplier to perform services related to Customer Data maintenance and back-up for which it shall remain fully liable under clause 6.9up). 6.3 5.3 The Supplier shall, in providing the Services, comply with its Privacy and Security Policy relating to the privacy and security of the Customer Data available at ▇▇▇.▇▇://▇▇▇▇▇-▇▇▇▇▇▇.▇▇./privacy-policy or such other website address as may be notified to the Customer from time to time, as such document may be amended from time to time by the Supplier in its sole discretion. 6.4 Both parties will follow all applicable requirements of the Data Protection Legislation. This clause 6 is in addition to, and does not relieve, remove or replace, a party's obligations under the Data Protection Legislation. 
6.5 The parties acknowledge that: (a) if 5.4 If the Supplier processes any personal data on the Customer's ’s behalf when performing its obligations under this agreement, the parties record their intention that the Customer is shall be the data controller and the Supplier is the shall be a data processor for the purposes of the Data Protection Legislation (where Data Controller and Data Processor have the meanings as defined in the Data Protection Legislation).any such case: (ba) the Customer acknowledges and agrees that the personal data may be transferred or stored outside the EEA or the country where the Customer and the Authorised Users are located in order to carry out the Services and the Supplier's ’s other obligations under this agreement. If ; (b) the Customer shall ensure that the Customer is entitled to transfer the relevant personal data is transferred or stored outside the UK, appropriate safeguards in accordance with UK GDPR, such as Standard Contractual Clauses approved by the UK Information Commissioner's Office (ICO), will be implemented to ensure compliance with UK data protection laws. 6.6 Without prejudice to the generality of clause 6.1, the Customer will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the Personal Data to the Supplier for the duration and purposes of this agreement so that the Supplier may lawfully use, process and transfer the Personal Data personal data in accordance with this agreement on the Customer's behalf. 
6.7 Without prejudice to the generality of clause 6.1, the Supplier shall, in relation to any Personal Data processed in connection with the performance by the Supplier of its obligations under this agreement: (a) Process that Personal Data only on the written instructions of the Customer, unless the Supplier is required by the laws of the United Kingdom, the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, or any applicable international laws to process Personal Data (Applicable Laws). In instances where the Supplier's data processing activities are subject to the laws of a member of the European Union due to cross-border operations or data transfers, and where such laws necessitate processing actions divergent from the Customer's instructions, the Supplier shall promptly notify the Customer of this requirement before commencing the processing required by the Applicable Laws, unless prohibited by those laws from providing such notification; (b) Not transfer any Personal Data outside of the United Kingdom or to any country not deemed to have adequate data protection laws by the UK Information Commissioner's Office (ICO), unless the following conditions are fulfilled: (i) the Customer or the Supplier has provided appropriate safeguards in relation to the transfer such as Standard Contractual Clauses (SCCs) specifically adapted for the data transfer requirements under the UK GDPR, or any future UK adequacy decisions. 
When transferring personal data outside the UK, the Supplier will ensure the use of Standard Contractual Clauses approved by the UK Information Commissioner's Office (ICO), or ensure that the destination country has been deemed to provide an adequate level of protection for personal data by the UK government; (ii) the data subject has enforceable rights and effective legal remedies in accordance with the UK GDPR and the Data Protection Act 2018; (iii) the Supplier ensures compliance with the UK Data Protection Legislation by providing an adequate level of protection to any Personal Data transferred, including adhering to any additional requirements set forth by the UK Information Commissioner's Office (ICO); and (iv) the Supplier complies with reasonable instructions notified to it in advance by the Customer with respect to the processing of the Personal Data; (c) assist the CustomerCustomer shall ensure that the relevant third parties have been informed of, at the Customer's costand have given their consent to, in responding to any request from a Data Subject such use, processing, and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulatorstransfer as required by all applicable data protection legislation; (d) notify the ICO within 72 hours Supplier shall process the personal data only in accordance with the terms of becoming aware of a data breach. 
Where this agreement and any lawful instructions reasonably given by the breach is likely Customer from time to result in a high risk to the rights and freedoms of natural persons, notify the affected data subjects without undue delay.;time; and (e) at the written direction of the Customer, delete or return Personal Data and copies thereof to the Customer on termination of the agreement unless required by Applicable Law to store the Personal Data; and (f) maintain complete and accurate records and information to demonstrate its compliance with this clause 6. 6.8 Each each party shall ensure that it has in place take appropriate technical and organisational measures to protect against unauthorised or unlawful processing of Personal Data and against accidental loss the personal data or destruction of, or damage to, Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or its accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymisation and encr ypting Personal Data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it)damage. 6.9 The Supplier will ensure that any sub-contractors appointed to process personal data on behalf of the Customer are subject to written agreements that require them to process such data only on documented instructions from the Customer and in full compliance with the requirements of the UK GDPR, particularly Article 28. 
The Supplier confirms that it has entered or (as the case may be) will enter with the third- party processor into a written agreement substantially on that third party's standard terms of business. As between the Customer and the Supplier, the Supplier shall remain fully liable for all acts or omissions of any third-party processor appointed by it pursuant to this clause 6. Full details of all third parties providing such services to the Supplier and who are processing Personal data under this agreement are available upon request. 6.10 The Supplier will update its Privacy Policy to reflect any changes in sub-processors or the addition of new sub-processors. It is the responsibility of the Customer to regularly review the Privacy Policy to stay informed of such changes. 6.11 The Customer acknowledges and agrees that the Supplier relies on third-party services for the hosting and processing of Customer Data pursuant to this agreement. Specifically, Amazon Web Services (AWS) is utilised as the primary infrastructure provider due to its robust data security measures and adherence to data protection legislation relevant to our operations. For comprehensive details regarding the use of AWS, including the location of data centres and the specific security and compliance measures in place, refer to Schedule 2 of this agreement. This schedule outlines how data storage and processing activities through AWS are conducted in strict conformity with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, ensuring the highest standards of data protection and security are maintained. 6.12 The Supplier will ensure that any use of Customer Data in aggregated and anonymised form is done in a manner that fully ensures such data cannot be re-identified, adhering to the standards of anonymisation defined under the UK GDPR. 
6.13 The supplier will assist the customer in ensuring compliance with the data subject rights under the Data Protection Legislation, including but not limited to rights of access, correction, deletion, and data portability. 6.14 The customer shall have the right to conduct an audit of the supplier's data processing activities related to this agreement once per year to ensure compliance with Data Protection Legislation and the terms of this agreement. Such audit shall be conducted at the customers expense, with reasonable prior notice, and shall not unreasonably interfere with the supplier's business operations 6.15 Any revisions to this clause related to data protection will be made in compliance with the latest data protection legislation and best practices, ensuring the protection of data subjects' rights. The Customer will be notified at least 30 days in advance of any such changes, which will only be implemented with the Customer's consent if they materially alter the data protection obligations of the parties.

Appears in 1 contract

Sources: Software as a Service Subscription Agreement

Customer Data. 6.1 5.1 The Customer shall own all rightrights, title and interest in and to all of the Customer Data that is not personal data and shall have sole responsibility for the legalitylegality , reliability, integrity, accuracy and quality of all such the Customer Data. 6.2 5.2 The Supplier shall follow its archiving procedures for Customer Data as set out described in its Back-Up Policythe Service Level Agreement or the Supplier’s Hosting Policy (as applicable). The Supplier may, without obligation to the Customer, make such additional backup or archiving arrangements as it sees fit. 5.3 In the event of any loss or damage to Customer DataData during the Licence Term, the Customer's sole and exclusive remedy against the Supplier shall be for under no obligation to retrieve the Supplier to use reasonable commercial endeavours to restore the lost or damaged Customer Customer’s Data from any back- up taken by or on behalf of the latest back-up of such Customer Data maintained by the Supplier in accordance with the archiving procedure described in its Back-Up Policy. Supplier. 5.4 The Supplier shall not be responsible for required to maintain, back-up, protect or retrieve any loss, destruction, alteration or disclosure of Customer Data caused by after the expiry of the Licence Term. 5.5 If the Customer utilises the customer service icon provided within the Software, the Customer acknowledges that any third party (except those third parties sub-contracted by the Supplier to perform services related to Customer Data maintenance and backuploaded via such service will be subject to the relevant third-up for which it shall remain fully liable under clause 6.9). 6.3 party supplier’s security policy. The Supplier shall, in providing currently utilises a Fresh Desk application. For a copy of the Services, comply with its Privacy and Fresh Desk Security Policy relating to the privacy and security of the Customer Data available at see ▇▇▇.://▇▇▇▇▇▇▇▇▇.▇▇▇/security. 
The Supplier accepts no liability for any Customer Data transferred through the customer service icon provided within the Software.▇▇ 5.6 The Supplier shall not be responsible for any loss suffered by the Customer as a result of or such other website address as may be notified arising from the destruction, alteration, or disclosure of any Customer Data caused by any third party (including any third-party providing customer service functionality in connection with the Software), except and to the Customer from time to time, as such document may be amended from time to time by extent that the Supplier in its sole discretionis entitled to recover and has so recovered an amount (net of the costs of recovery) equal to such loss from the relevant third party. 6.4 Both parties will follow all applicable requirements of the Data Protection Legislation. This clause 6 is in addition to, and does not relieve, remove or replace, a party's obligations under the Data Protection Legislation. 6.5 The parties acknowledge that: (a) if 5.7 If the Supplier processes any personal data on the Customer's behalf when performing its obligations under this agreementthese Terms and Conditions of Use, the parties record their intention that the Customer is shall be the data controller and the Supplier is the shall be a data processor for and in any such case: (a) the purposes Customer undertakes to comply with all the requirements of the Data Protection Legislation (where Data Controller ▇▇▇ ▇▇▇▇ in connection with any personal data processed by the Supplier on the Customer's behalf when performing its obligations under these Terms and Data Processor have the meanings as defined in the Data Protection Legislation).Conditions of Use; (b) the Customer shall ensure that the Customer is entitled to transfer the relevant personal data to the Supplier so that the Supplier may lawfully process the personal data in accordance with these Terms and Conditions of Use on the Customer's behalf; (c) the 
Customer acknowledges and agrees that the personal data may be transferred or stored outside the EEA or the country where the Customer and the Authorised Users are located in order to carry out the Services and the Supplier's other obligations under this agreement. If personal data is transferred or stored outside the UK, appropriate safeguards in accordance with UK GDPR, such as Standard Contractual Clauses approved by the UK Information Commissioner's Office (ICO), will be implemented to ensure compliance with UK data protection laws. 6.6 Without prejudice to the generality these Terms and Conditions of clause 6.1, the Customer will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the Personal Data to the Supplier for the duration and purposes of this agreement so that the Supplier may lawfully use, process and transfer the Personal Data in accordance with this agreement on the Customer's behalf. 6.7 Without prejudice to the generality of clause 6.1, the Supplier shall, in relation to any Personal Data processed in connection with the performance by the Supplier of its obligations under this agreement: (a) Process that Personal Data only on the written instructions of the Customer, unless the Supplier is required by the laws of the United Kingdom, the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, or any applicable international laws to process Personal Data (Applicable Laws). 
In instances where the Supplier's data processing activities are subject to the laws of a member of the European Union due to cross-border operations or data transfers, and where such laws necessitate processing actions divergent from the Customer's instructions, the Supplier shall promptly notify the Customer of this requirement before commencing the processing required by the Applicable Laws, unless prohibited by those laws from providing such notification; (b) Not transfer any Personal Data outside of the United Kingdom or to any country not deemed to have adequate data protection laws by the UK Information Commissioner's Office (ICO), unless the following conditions are fulfilled: (i) the Customer or the Supplier has provided appropriate safeguards in relation to the transfer such as Standard Contractual Clauses (SCCs) specifically adapted for the data transfer requirements under the UK GDPR, or any future UK adequacy decisions. When transferring personal data outside the UK, the Supplier will ensure the use of Standard Contractual Clauses approved by the UK Information Commissioner's Office (ICO), or ensure that the destination country has been deemed to provide an adequate level of protection for personal data by the UK government; (ii) the data subject has enforceable rights and effective legal remedies in accordance with the UK GDPR and the Data Protection Act 2018; (iii) the Supplier ensures compliance with the UK Data Protection Legislation by providing an adequate level of protection to any Personal Data transferred, including adhering to any additional requirements set forth by the UK Information Commissioner's Office (ICO); and (iv) the Supplier complies with reasonable instructions notified to it in advance by the Customer with respect to the processing of the Personal Data; (c) assist the Customer, at the Customer's cost, in responding to any request from a Data Subject and in ensuring compliance with its obligations under the Data Protection 
Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulatorsUse; (d) notify the ICO within 72 hours of becoming aware of a Customer shall ensure that the relevant third parties have been informed of, and have given their consent to, such use, processing and transfer as required by all applicable data breach. Where the breach is likely to result in a high risk to the rights and freedoms of natural persons, notify the affected data subjects without undue delay.protection legislation; (e) at the written direction Supplier shall process the personal data only in accordance with these Terms and Conditions of the Customer, delete or return Personal Data Use and copies thereof to any lawful instructions reasonably given by the Customer on termination of the agreement unless required by Applicable Law from time to store the Personal Data; andtime; (f) maintain complete and accurate records and information to demonstrate its compliance with this clause 6. 
6.8 Each each party shall ensure that it has in place take appropriate technical and organisational measures to protect against unauthorised or unlawful processing of Personal Data and against accidental loss the personal data or destruction of, or damage to, Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or its accidental loss, destruction or damage damage; and (g) the Customer shall make and maintain all necessary registration applications within all appropriate categories under the nature DPA as are required in relation to any personal data processed by the Supplier on the Customer's behalf when performing its obligations under these Terms and Conditions of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymisation and encrypting Personal Data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it)Use. 6.9 5.8 The Customer shall indemnify and keep indemnified the Supplier will ensure that any sub-contractors appointed to process against all actions, proceedings, costs, claims, demands, liabilities, losses and expenses whatsoever arising out of or in connection with the Supplier's processing of personal data on behalf of the Customer are subject to written agreements that require them to process such data only on documented instructions from the Customer and in full compliance with the requirements of the UK GDPR, particularly Article 28. 
The Supplier confirms that it has entered or (as the case may be) will enter with the third-party processor into a written agreement substantially on that third party's standard terms of business. As between the Customer and the Supplier, the Supplier shall remain fully liable for all acts or omissions of any third-party processor appointed by it pursuant to this clause 6. Full details of all third parties providing such services to the Supplier and who are processing Personal data under this agreement are available upon request. 6.10 The Supplier will update its Privacy Policy to reflect any changes in sub-processors or the addition of new sub-processors. It is the responsibility of the Customer to regularly review the Privacy Policy to stay informed of such changes. 6.11 The Customer acknowledges and agrees that the Supplier relies on third-party services for the hosting and processing of Customer Data pursuant to this agreement. Specifically, Amazon Web Services (AWS) is utilised as the primary infrastructure provider due to its robust data security measures and adherence to data protection legislation relevant to our operations. For comprehensive details regarding the use of AWS, including the location of data centres and the specific security and compliance measures in place, refer to Schedule 2 of this agreement. This schedule outlines how data storage and processing activities through AWS are conducted in strict conformity with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, ensuring the highest standards of data protection and security are maintained. 6.12 The Supplier will ensure that any use of Customer Data in aggregated and anonymised form is done in a manner that fully ensures such data cannot be re-identified, adhering to the standards of anonymisation defined under the UK GDPR. 
6.13 The supplier will assist the customer in ensuring compliance with the data subject rights under the Data Protection Legislation, including but not limited to rights of access, correction, deletion, and data portability. 6.14 The customer shall have the right to conduct an audit of the supplier's data processing activities related to this agreement once per year to ensure compliance with Data Protection Legislation and the terms of this agreement. Such audit shall be conducted at the customer's expense, with reasonable prior notice, and shall not unreasonably interfere with the supplier's business operations. 6.15 Any revisions to this clause related to data protection will be made in compliance with the latest data protection legislation and best practices, ensuring the protection of data subjects' rights. The Customer will be notified at least 30 days in advance of any such changes, which will only be implemented with the Customer's consent if they materially alter behalf when performing its obligations under these Terms and Conditions of Use, save to the data protection extent that the same is caused by or arises from the Supplier’s (or its directors, employees or sub-contractors’) negligence or breach of its obligations under these Terms and Conditions of the partiesUse.

Appears in 1 contract

Sources: Software License Agreement

Customer Data. 6.1 4.1 The Customer shall own all right, title and interest in and to all of the Customer Data that is not personal data and shall have sole responsibility for the legality, reliability, integrity, accuracy and quality of all such Customer Data. 6.2 The Supplier 4.2 OYM shall follow its archiving procedures for Customer Data as set out in its Back-Up PolicyPolicy available at the website address as may be notified to the Customer from time to time, as such document may be amended by OYM in its sole discretion from time to time. In the event of any loss or damage to Customer DataData as a result of an OYM system failure, the Customer's sole and exclusive remedy against the Supplier OYM shall be for the Supplier OYM to use reasonable commercial endeavours to restore the lost or damaged Customer Data from the latest back-up of such Customer Data maintained by the Supplier OYM in accordance with the archiving procedure described in its Back-Up Policy. The Supplier OYM shall not be responsible for any loss, destruction, alteration or disclosure of Customer Data caused by the Customer, Authorised Users or any third party (except those third parties sub-contracted by the Supplier OYM to perform services related to Customer Data maintenance and back-up for which it shall remain fully liable under clause 6.94.8). 6.3 The Supplier 4.3 OYM shall, in providing the Services, comply with its Privacy and Security Policy data protection laws relating to the privacy and security of the Customer Data available at ▇▇▇.▇▇▇▇▇▇▇▇▇▇▇.▇▇.▇▇ or such other website address as may be notified to the Customer from time to time, as such document may be amended from time to time by the Supplier in its sole discretion. 6.4 Data. Both parties will follow comply with all applicable requirements of the Data Protection Legislation. This clause 6 4 is in addition to, and does not relieve, remove or replace, a party's obligations under the Data Protection Legislation. 
6.5 4.4 The parties acknowledge that: (a) if the Supplier OYM processes any personal data on the Customer's behalf when performing its obligations under this agreement, the Customer is the data controller and the Supplier OYM is the data processor for the purposes of the Data Protection Legislation (where Data Controller and Data Processor have the meanings as defined in the Data Protection Legislation). (b) the Customer acknowledges and agrees that the personal data may be transferred or stored outside the EEA or the country where the Customer and the Authorised Users are located to carry Schedule 1 sets out the Services scope, nature and the Supplier's other obligations under this agreement. If personal data is transferred or stored outside the UKpurpose of processing by OYM, appropriate safeguards in accordance with UK GDPR, such as Standard Contractual Clauses approved by the UK Information Commissioner's Office Customer, the duration of the processing and the types of personal data (ICO)as defined in the Data Protection Legislation, will be implemented to ensure compliance with UK data protection lawsPersonal Data) and categories of Data Subject. 6.6 (c) Schedule 2 sets out the ‘TSA Data Sharing Arrangement’ which is in active during the partnership between The Scout Association and Online Youth Manager for customers that agree to the arrangement. 4.5 Without prejudice to the generality of clause 6.14.3, the Customer will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the Personal Data to the Supplier OYM for the duration and purposes of this agreement so that the Supplier OYM may lawfully use, process and transfer the Personal Data in accordance with this agreement on the Customer's behalf. 
6.7 4.6 Without prejudice to the generality of clause 6.14.3, the Supplier OYM shall, in relation to any Personal Data processed in connection with the performance by the Supplier OYM of its obligations under this agreement: (a) Process process that Personal Data only on the written instructions of the Customer, Customer unless the Supplier OYM is required by the laws of any member of the United Kingdom, European Union or by the UK General Data Protection Regulation (UK GDPR), laws of the Data Protection Act 2018, or any European Union applicable international laws to OYM to process Personal Data (Applicable Laws). In instances where the Supplier's data processing activities are subject to the Where OYM is relying on laws of a member of the European Union due to cross-border operations or data transfersEuropean Union law as the basis for processing Personal Data, and where such laws necessitate processing actions divergent from the Customer's instructions, the Supplier OYM shall promptly notify the Customer of this requirement before commencing performing the processing required by the Applicable Laws, Laws unless prohibited by those laws Applicable Laws prohibit OYM from providing such notificationso notifying the Customer; (b) Not not transfer any Personal Data outside of the European Economic Area and the United Kingdom or to any country not deemed to have adequate data protection laws by the UK Information Commissioner's Office (ICO), unless the following conditions are fulfilled: (i) the Customer or the Supplier OYM has provided appropriate safeguards in relation to the transfer such as Standard Contractual Clauses (SCCs) specifically adapted for the data transfer requirements under the UK GDPR, or any future UK adequacy decisions. 
When transferring personal data outside the UK, the Supplier will ensure the use of Standard Contractual Clauses approved by the UK Information Commissioner's Office (ICO), or ensure that the destination country has been deemed to provide an adequate level of protection for personal data by the UK governmenttransfer; (ii) the data subject has enforceable rights and effective legal remedies in accordance with the UK GDPR and the Data Protection Act 2018remedies; (iii) OYM complies with its obligations under the Supplier ensures compliance with the UK Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred, including adhering to any additional requirements set forth by the UK Information Commissioner's Office (ICO); and (iv) the Supplier OYM complies with reasonable instructions notified to it in advance by the Customer with respect to the processing of the Personal Data; (c) assist the Customer, at the Customer's cost, in responding to any request from a Data Subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators; (d) notify the ICO within 72 hours of Customer without undue delay on becoming aware of a data Personal Data breach. 
Where the breach is likely to result in a high risk to the rights and freedoms of natural persons, notify the affected data subjects without undue delay; (e) at the written direction of the Customer, delete or return Personal Data (and copies thereof to the Customer thereof) on termination of the agreement unless required by Applicable Law to store the Personal DataData or if back-up copies are retained as part of the Supplier's usual back-up process then until those are deleted in accordance with its normal processes; and (f) maintain complete and accurate records and information to demonstrate its compliance with this clause 64. 6.8 4.7 Each party shall ensure that it has in place appropriate technical and organisational measures measures, to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymisation and encrypting Personal Dataencryption, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it). 
6.9 4.8 The Supplier will ensure that any subCustomer consents to OYM appointing hosting and IT, communications, administration and payment services providers as a third-contractors appointed to process personal data on behalf party processors of the Customer are subject to written agreements that require them to process such data only on documented instructions from the Customer and in full compliance with the requirements of the UK GDPR, particularly Article 28Personal Data under this agreement. The Supplier OYM confirms that it has entered or (as the case may be) will enter with the third- any third-party processor into a written agreement incorporating terms which are substantially on that third party's standard terms of businesssimilar to those set out in this clause 4. As between the Customer and the SupplierOYM, the Supplier OYM shall remain fully liable for all acts or omissions of any third-party processor appointed by it pursuant to this clause 6. Full details of all third parties providing such services to the Supplier and who are processing Personal data under this agreement are available upon request4. 6.10 The Supplier will update its Privacy Policy 4.9 OYM may, at any time on not less than 30 days' notice, revise this clause 4 by replacing it with any applicable controller to reflect any changes in sub-processors processor standard clauses or the addition similar terms forming part of new sub-processors. It is the responsibility of the Customer to regularly review the Privacy Policy to stay informed of such changes. 6.11 The Customer acknowledges and agrees that the Supplier relies on third-party services for the hosting and processing of Customer Data pursuant an applicable certification scheme (which shall apply when replaced by attachment to this agreement. 
Specifically, Amazon Web Services (AWS) is utilised as the primary infrastructure provider due to its robust data security measures and adherence to data protection legislation relevant to our operations. For comprehensive details regarding the use of AWS, including the location of data centres and the specific security and compliance measures in place, refer to Schedule 2 of this agreement. This schedule outlines how data storage and processing activities through AWS are conducted in strict conformity with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, ensuring the highest standards of data protection and security are maintained). 6.12 The Supplier will ensure that any use of Customer Data in aggregated and anonymised form is done in a manner that fully ensures such data cannot be re-identified, adhering to the standards of anonymisation defined under the UK GDPR. 6.13 The supplier will assist the customer in ensuring compliance with the data subject rights under the Data Protection Legislation, including but not limited to rights of access, correction, deletion, and data portability. 6.14 The customer shall have the right to conduct an audit of the supplier's data processing activities related to this agreement once per year to ensure compliance with Data Protection Legislation and the terms of this agreement. Such audit shall be conducted at the customer's expense, with reasonable prior notice, and shall not unreasonably interfere with the supplier's business operations. 6.15 Any revisions to this clause related to data protection will be made in compliance with the latest data protection legislation and best practices, ensuring the protection of data subjects' rights. The Customer will be notified at least 30 days in advance of any such changes, which will only be implemented with the Customer's consent if they materially alter the data protection obligations of the parties.

Appears in 1 contract

Sources: Online Youth Manager Agreement

Customer Data. 6.1 The 13.1 Except for Pattern Data that is owned by REDi, the Customer shall own all right, title and interest in and to all of the Customer Data that is not personal data and shall have sole responsibility for the legality, reliability, integrity, accuracy and quality of all such the Customer Data. 6.2 13.2 The Supplier Customer hereby grants REDi a worldwide, royalty-free, and non-exclusive license during the term of its subscription to access Customer Data in order to provide the Services, including storing, hosting and management of such content (“Content License”) 13.3 Unless otherwise agreed to under a Contract, REDi shall follow its archiving procedures for Customer Data as set out in its Back-Up Policy, which policy shall be made available on receipt of Customer’s written request. In the event of any loss or damage to Customer Data, the Customer's sole and exclusive remedy against the Supplier shall be for the Supplier REDi to use reasonable commercial endeavours to restore the lost or damaged Customer Data from the latest back-up of such Customer Data maintained by the Supplier REDi in accordance with the archiving procedure described in its Back-Up Policy. The Supplier REDi shall not be responsible for any loss, destruction, alteration or disclosure of Customer Data caused by any third party (except those third parties sub-contracted by the Supplier REDi to perform services related to Customer Data maintenance and back-up for which it shall remain fully liable under clause 6.9up). 
6.3 13.4 The Supplier shallCustomer understands that REDi, in providing performing the required technical steps to provide the Services, comply with its Privacy may (a) transmit or distribute Customer Data over various public or private networks and Security Policy relating in various media; and (b) make such changes to Customer Data as are necessary to conform and adapt that Customer Data to the privacy and security technical requirements of connecting networks, devices, Services or media; 13.5 Where the use of the Customer Data available at ▇▇▇.▇▇▇▇▇▇▇▇▇▇▇.▇▇.▇▇ or such other website address as may be notified to involves the Customer from time to time, as such document may be amended from time to time by the Supplier in its sole discretion. 6.4 Both parties will follow all applicable requirements Processing of the Data Protection Legislation. This clause 6 is in addition to, and does not relieve, remove or replace, a party's obligations under the Data Protection Legislation. 6.5 The parties acknowledge that: (a) if the Supplier processes any personal data on the Customer's behalf when performing its obligations under this agreementPersonal Information, the Customer is the data controller and the Supplier is the data processor for the purposes of the Data Protection Legislation (where Data Controller and Data Processor have the meanings as defined in the Data Protection Legislation). (b) the Customer acknowledges and agrees that the personal data may be transferred or stored outside the EEA or the country where the Customer and the Authorised Users are located Parties agree to carry out the Services and the Supplier's other obligations under this agreement. If personal data is transferred or stored outside the UK, appropriate safeguards in accordance with UK GDPR, such as Standard Contractual Clauses approved by the UK Information Commissioner's Office (ICO), will be implemented to ensure compliance with UK data protection laws. 
6.6 Without prejudice to the generality of clause 6.1, the Customer will ensure that it has execute all necessary appropriate consents and notices in place to enable lawful transfer of the Personal Data to the Supplier for the duration and purposes of this agreement so that the Supplier may lawfully use, process and transfer the Personal Data in accordance with this agreement on the Customer's behalf. 6.7 Without prejudice to the generality of clause 6.1, the Supplier shall, in relation to any Personal Data processed in connection with the performance by the Supplier of its obligations under this agreement: (a) Process that Personal Data only on the written instructions of the Customer, unless the Supplier is required by the laws of the United Kingdom, the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, or any applicable international laws to process Personal Data (Applicable Laws). In instances where the Supplier's data processing activities are subject to the laws of a member of the European Union due to cross-border operations or data transfers, and where such laws necessitate processing actions divergent from the Customer's instructions, the Supplier shall promptly notify the Customer of this requirement before commencing the processing required by the Applicable Laws, unless prohibited by those laws from providing such notification; (b) Not transfer any Personal Data outside of the United Kingdom or to any country not deemed to have adequate data protection laws by the UK Information Commissioner's Office (ICO), unless the following conditions are fulfilled: (i) the Customer or the Supplier has provided appropriate safeguards in relation to the transfer such as Standard Contractual Clauses (SCCs) specifically adapted for the data transfer requirements under the UK GDPR, or any future UK adequacy decisions. 
When transferring personal data outside the UK, the Supplier will ensure the use of Standard Contractual Clauses approved by the UK Information Commissioner's Office (ICO), or ensure that the destination country has been deemed to provide an adequate level of protection for personal data by the UK government; (ii) the data subject has enforceable rights and effective legal remedies Processing in accordance with the UK GDPR and the Data Protection Act 2018; (iii) the Supplier ensures compliance with the UK Data Protection Legislation by providing an adequate level of protection to any Personal Data transferred, including adhering to any additional requirements set forth by the UK Information Commissioner's Office (ICO); and (iv) the Supplier complies with reasonable instructions notified to it Processing Legislation. REDi’s processing shall take place in advance by the Customer with respect to the processing of the Personal Data; (c) assist the Customer, at the Customer's cost, in responding to any request from a Data Subject and in ensuring compliance accordance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators; (d) notify the ICO within 72 hours of becoming aware of a data breach. Where the breach is likely to result in a high risk to the rights and freedoms of natural persons, notify the affected data subjects without undue delay; (e) at the written direction of the Customer, delete or return Personal Data and copies thereof to the Customer on termination of the agreement unless required by Applicable Law to store the Personal Data; and (f) maintain complete and accurate records and information to demonstrate its compliance with this clause 6Privacy Policy. 
6.8 Each party shall ensure that it has in place appropriate technical and organisational measures to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data 13.6 Where any Processing needs to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymisation and encrypting Personal Data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to Personal Data can be restored in executed by a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it). 6.9 The Supplier will ensure that any sub-contractors appointed to process personal data Third Party Service Provider on behalf of the Customer are subject or as instructed by the Customer, such Processing shall only take place subsequent to i) receipt by ▇▇▇▇ of a written agreements that require them consent from Customer to process such data only on documented instructions from allow sharing of Customer Data to said Third Party Service Provider and ii) the signing of the REDi Data Processing Agreement by the Third Party Service Provider; 13.7 The accuracy and maintenance of the Customer and Data (Customer and/or Authorised User data or End User data) in full compliance with the requirements of the UK GDPR, particularly Article 28. The Supplier confirms that it has entered or (as the case may be) will enter with the third-party processor into a written agreement substantially on that third party's standard terms of business. 
As between the Customer and the Supplier, the Supplier shall remain fully liable for all acts or omissions of any third-party processor appointed by it pursuant to this clause 6. Full details of all third parties providing such services to the Supplier and who are processing Personal data under this agreement are available upon request. 6.10 The Supplier will update its Privacy Policy to reflect any changes in sub-processors or the addition of new sub-processors. It Services is the responsibility of the Customer to regularly review and/or Authorised – or End Users. REDi will however provide (where reasonably possible) advice and assistance wherever possible, within the Privacy Policy to stay informed of such changes. 6.11 The Customer acknowledges and agrees that the Supplier relies on third-party services for the hosting and processing of Customer Data pursuant to this agreement. Specifically, Amazon Web Services (AWS) is utilised as the primary infrastructure provider due to its robust data security measures and adherence to data protection legislation relevant to our operations. For comprehensive details regarding the use of AWS, including the location of data centres and the specific security and compliance measures in place, refer to Schedule 2 limits of this agreement. This schedule outlines how data storage and processing activities through AWS are conducted in strict conformity with Main Agreement, to improve the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, ensuring the highest standards of data protection and security are maintained. 6.12 The Supplier will ensure that any use of Customer Data in aggregated and anonymised form is done in a manner that fully ensures such data cannot be re-identified, adhering to the standards of anonymisation defined under the UK GDPR. 
6.13 The supplier will assist the customer in ensuring compliance with the data subject rights under the Data Protection Legislation, including but not limited to rights of access, correction, deletion, and data portability. 6.14 The customer shall have the right to conduct an audit accuracy of the supplier's data processing activities related to this agreement once per year to ensure compliance with Data Protection Legislation and the terms of this agreement. Such audit shall be conducted information at the customer's expense, with reasonable prior notice, and shall not unreasonably interfere with the supplier's business operations. 6.15 Any revisions to this clause related to data protection will be made in compliance with the latest data protection legislation and best practices, ensuring the protection of data subjects' rights. The Customer will be notified at least 30 days in advance of any such changes, which will only be implemented with the Customer's consent if they materially alter the data protection obligations of the partiesall time.

Appears in 1 contract

Sources: Master Services Agreement

Customer Data. 6.1 The Customer shall own all right, title and interest in and to all the Customer Data that is not personal data and shall have sole responsibility for the legality, reliability, integrity, accuracy and quality of all such Customer Data. 6.2 3.1 The Supplier shall follow its archiving procedures for promptly notify the Customer Data as set out in its Back-Up Policywriting of any actual or suspected loss or damage to the Customer Data. In the event of any loss or damage to Customer Data, the Customer's sole and exclusive remedy against the Supplier shall be for the Supplier to use reasonable commercial endeavours to restore the lost or damaged Customer Data from the latest back-up backup of such Customer Data maintained by the Supplier in accordance with the archiving procedure described in its Back-Up PolicyData. The Supplier shall not be responsible for any loss, destruction, alteration or unauthorised access to or disclosure of Customer Data caused by any third party (except those third parties sub-contracted by the Supplier to perform services related to Customer Data maintenance and back-up for which it shall remain fully liable under clause 6.9up). 6.3 The Supplier shall, in providing the Services, 3.2 Each party undertakes that it shall comply with its Privacy the DPA and Security Policy relating to the privacy and security of the Customer Data available at ▇▇▇.▇▇▇▇▇▇▇▇▇▇▇.▇▇.▇▇ or such other website address as may be notified to the Customer from time to time, as such document may be amended from time to time by the Supplier in its sole discretion. 6.4 Both parties will follow all applicable requirements of changes in law, including any subsequent legislation that may amend and/or supersede the Data Protection Legislation. This clause 6 is in addition toDPA, and does not relieve, remove or replace, a party's obligations under the Data Protection Legislation. 
6.5 The parties acknowledge that: (a) if the Supplier processes any personal data on the Customer's behalf when performing its obligations under this agreement, . The parties acknowledge that the European General Data Protection Regulation (GDPR) shall apply during the term of this agreement. The parties agree that they shall enter into such variation of this agreement and execute such additional documentation and make any required changes to the Services as is reasonably required to reflect their obligations under the GDPR and in order for the Supplier to provide the Services in a manner that would allow the Customer is to be compliant with the data controller and GDPR, based on the Supplier is the data processor for the purposes of the Data Protection Legislation (where Customer’s obligations as a Data Controller and the Supplier’s obligations as a Data Processor have the meanings or each party’s obligations as defined in a Data Controller, as applicable. 3.3 The Customer shall be the Data Protection Legislation). (b) Controller, and the Customer acknowledges and agrees parties acknowledge that the personal Supplier will be acting as Data Processor in respect of all data may be transferred or stored outside processing activities in relation to Customer Personal Data that the EEA or the country where the Customer and the Authorised Users are located to carry Supplier carries out the Services and the Supplier's other obligations under this agreement. If personal data is transferred or stored outside the UK, appropriate safeguards in accordance with UK GDPR, such as Standard Contractual Clauses approved by the UK Information Commissioner's Office (ICO), will be implemented to ensure compliance with UK data protection laws. 
6.6 Without prejudice 3.4 The Supplier undertakes to the generality of clause 6.1, Customer that: (a) it shall process the Customer will ensure that it has all necessary appropriate consents Personal Data, including updating, correcting and notices in place to enable lawful transfer of the deleting such Customer Personal Data to the Supplier for the duration and purposes of this agreement so that the Supplier may lawfully useData, process and transfer the Personal Data only in accordance with this agreement on the Customer's behalf. 6.7 Without prejudice to the generality of clause 6.1, the Supplier shall, in relation to any Personal Data processed in connection with the performance by the Supplier of its obligations under this agreement: (a) Process that Personal Data only on and the written instructions of the CustomerCustomer and to the extent, unless and in such a manner, as is reasonably necessary to supply the Supplier Services in accordance with this agreement or as is required by the laws of the United Kingdom, the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, or any applicable international laws to process Personal Data (Applicable Laws). 
In instances where the Supplier's data processing activities are subject to the laws of a member of the European Union due to cross-border operations or data transfers, and where such laws necessitate processing actions divergent from the Customer's instructions, the Supplier shall promptly notify the Customer of this requirement before commencing the processing required by the Applicable Laws, unless prohibited by those laws from providing such notificationlaw; (b) Not transfer any in respect of Customer Personal Data outside which is in the possession or under the control of the United Kingdom or to any country not deemed to have adequate data protection laws by the UK Information Commissioner's Office (ICO)Supplier, unless the following conditions are fulfilled: (i) the Customer or the Supplier has provided appropriate safeguards in relation to the transfer such as Standard Contractual Clauses (SCCs) specifically adapted for the data transfer requirements under the UK GDPR, or any future UK adequacy decisions. 
When transferring personal data outside the UK, the Supplier will ensure the use of Standard Contractual Clauses approved by the UK Information Commissioner's Office (ICO), or ensure that the destination country has been deemed to provide an adequate level of protection for personal data by the UK government; (ii) the data subject has enforceable rights and effective legal remedies in accordance with the UK GDPR and the Data Protection Act 2018; (iii) the Supplier ensures compliance with the UK Data Protection Legislation by providing an adequate level of protection to any Personal Data transferred, including adhering to any additional requirements set forth by the UK Information Commissioner's Office (ICO); and (iv) the Supplier complies with reasonable instructions notified to it in advance by the Customer with respect to the processing of the Personal Data; (c) assist the Customer, at the Customer's cost, in responding to any request from a Data Subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators; (d) notify the ICO within 72 hours of becoming aware of a data breach. Where the breach is likely to result in a high risk to the rights and freedoms of natural persons, notify the affected data subjects without undue delay; (e) at the written direction of the Customer, delete or return Personal Data and copies thereof to the Customer on termination of the agreement unless required by Applicable Law to store the Personal Data; and (f) maintain complete and accurate records and information to demonstrate its compliance with this clause 6.
6.8 Each party shall ensure that it has in place implement appropriate technical and organisational measures to protect this Customer Personal Data against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction destruction, damage, alteration or damage disclosure; (c) it shall not (and shall ensure that its Representatives do not) publish, disclose or divulge any Customer Personal Data to any third party, nor allow any third party to process Customer Personal Data on the nature Supplier's behalf, without the prior written consent of the data Customer; (d) it shall not transfer Customer Personal Data outside the European Economic Area without the prior written consent of the Customer; (e) it shall take reasonable steps to be protectedensure the reliability of any employee, having regard agent or sub-contractor who has access to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymisation and encrypting Personal Customer Data, ensuring confidentialityand ensure all employees, integrity, availability agents and resilience of its systems and services, ensuring that availability of and access to Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it). 6.9 The Supplier will ensure that any sub-contractors appointed to process personal data undergo training on behalf of the Customer are subject to written agreements that require them to process such data only on documented instructions from the Customer and in full compliance with the requirements of the UK GDPR, particularly Article 28.
The Supplier confirms that it has entered or (as the case may be) will enter with the third-party processor into a written agreement substantially on that third party's standard terms of business. As between the Customer and the Supplier, the Supplier shall remain fully liable for all acts or omissions of any third-party processor appointed by it pursuant to this clause 6. Full details of all third parties providing such services to the Supplier and who are processing Personal data under this agreement are available upon request. 6.10 The Supplier will update its Privacy Policy to reflect any changes in sub-processors or the addition of new sub-processors. It is the responsibility of the Customer to regularly review the Privacy Policy to stay informed of such changes. 6.11 The Customer acknowledges and agrees that the Supplier relies on third-party services for the hosting and processing of Customer Data pursuant to this agreement. Specifically, Amazon Web Services (AWS) is utilised as the primary infrastructure provider due to its robust data security measures and adherence to data protection legislation relevant to our operations. For comprehensive details regarding the use of AWS, including the location of data centres and the specific security and compliance measures in place, refer to Schedule 2 of this agreement. This schedule outlines how data storage and processing activities through AWS are conducted in strict conformity with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, ensuring the highest standards of data protection and security are maintained.information security; 6.12 The Supplier will ensure that any (f) it shall use of Customer Data in aggregated and anonymised form is done in a manner that fully ensures such data cannot be re-identified, adhering reasonable endeavours to the standards of anonymisation defined under the UK GDPR.
6.13 The supplier will assist the customer in ensuring compliance with the data subject rights under the Data Protection Legislation, including but not limited to rights of access, correction, deletion, and data portability. 6.14 The customer shall have the right to conduct an audit of the supplier's data processing activities related to this agreement once per year to ensure compliance with Data Protection Legislation and the terms of this agreement. Such audit shall be conducted Customer at the customers expense, with reasonable prior notice, and shall not unreasonably interfere with the supplier's business operations 6.15 Any revisions to this clause related to data protection will be made in compliance with the latest data protection legislation and best practices, ensuring the protection of data subjects' rights. The Customer will be notified at least 30 days in advance of any such changes, which will only be implemented with the Customer's consent if they materially alter cost with any subject access request that the data protection obligations of Customer receives relating to Customer Personal Data processed by the partiesSupplier under this agreement; and (g) it shall use reasonable endeavours to assist the Customer in responding to regulatory requirements.

Appears in 1 contract

Sources: Cwcare Services Agreement

Customer Data. 6.1 The Customer shall own all right, title and interest in and to all the Customer Data that is not personal data and shall have sole responsibility for the legality, reliability, integrity, accuracy and quality of all such Customer Data. 6.2 14.1 The Supplier shall follow its archiving procedures for promptly notify the Customer Data as set out in its Back-Up Policywriting of any actual or suspected loss or damage to the Customer Data. In the event of any loss or damage to Customer Data, the Customer's sole and exclusive remedy against the Supplier shall be for the Supplier to use reasonable commercial endeavours to restore the lost or damaged Customer Data from the latest back-up backup of such Customer Data maintained by the Supplier in accordance with the archiving procedure described in its Back-Up PolicyData. The Supplier shall not be responsible for any loss, destruction, alteration or unauthorised access to or disclosure of Customer Data caused by any third party (except those third parties (excluding Microsoft) sub-contracted by the Supplier to perform services related to Customer Data maintenance and back-up for which it shall remain fully liable under clause 6.9up). 6.3 The Supplier shall, in providing the Services, 14.2 Both Parties will comply with its Privacy and Security Policy relating to the privacy and security of the Customer Data available at ▇▇▇.▇▇▇▇▇▇▇▇▇▇▇.▇▇.▇▇ or such other website address as may be notified to the Customer from time to time, as such document may be amended from time to time by the Supplier in its sole discretion. 6.4 Both parties will follow all applicable requirements of the Data Protection Legislation. This clause 6 is . 14.3 For the purpose of this Agreement, the words Data Controller, Data Processor, Personal Data, Data Subject and process/processing have the meanings given to them in addition to, and does not relieve, remove or replace, a party's obligations under the Data Protection Legislation. 
6.5 14.4 The parties Parties acknowledge that: (a) if the Supplier processes any personal data on the Customer's behalf when performing its obligations under this agreement, the Customer is the data controller and the Supplier is the data processor that for the purposes of the Data Protection Legislation (where Legislation, the Customer is the Data Controller and the Supplier is the Data Processor have the meanings Processor. The Customer warrants that it will comply with all its obligations as defined in Data Controller under the Data Protection Legislation). (b) , and that it will where the Customer acknowledges Supplier is to process Personal Data on the Customer’s behalf, provide the Supplier with complete and agrees accurate details of the scope, nature and purpose of processing by the Supplier, the duration of the processing and the types of Personal Data and categories of Data Subject, and will ensure that a schedule is added to the personal data relevant Statement of Work containing such detail as may be transferred or stored outside the EEA or the country where the Customer and the Authorised Users are located to carry out the Services and the Supplier's other obligations under this agreement. If personal data is transferred or stored outside the UK, appropriate safeguards in accordance with UK GDPR, such as Standard Contractual Clauses approved by the UK Information Commissioner's Office (ICO), will be implemented required to ensure compliance with UK data protection lawsthe Data Protection Legislation. The Supplier shall not be deemed to have breached any of its obligations as Data Processor by virtue of a breach of the Data Protection Legislation by the Customer as Data Controller. 
6.6 14.5 Without prejudice to the generality of clause 6.114.2, the Customer will ensure that it has all necessary and appropriate consents and notices in place to enable lawful transfer of the Personal Data to the Supplier for the duration and purposes of this agreement so that the Supplier may lawfully use, process and transfer the Personal Data in accordance with this agreement on the Customer's behalfrelevant Statement of Work. 6.7 14.6 Without prejudice to the generality of clause 6.114.2, the Supplier shall, in relation to any Personal Data processed in connection with the performance by the Supplier of its obligations under a Statement of Work or this agreementAgreement: (a) Process 14.6.1 process that Personal Data only on the written instructions of the Customer, Customer unless the Supplier is required by the laws of any member of the United Kingdom, European Union or by the UK General Data Protection Regulation (UK GDPR), laws of the Data Protection Act 2018, or any European Union applicable international laws to the Supplier to process Personal Data (Applicable Laws). 
In instances where Where the Supplier's data processing activities are subject to the Supplier is relying on laws of a member of the European Union due to cross-border operations or data transfers, and where such laws necessitate European Union law as the basis for processing actions divergent from the Customer's instructionsPersonal Data, the Supplier shall promptly notify the Customer of this requirement before commencing performing the processing required by the Applicable Laws, Laws unless prohibited by those laws Applicable Laws prohibit the Supplier from providing such notificationso notifying the Customer; (b) Not transfer any Personal Data outside of the United Kingdom or to any country not deemed to have adequate data protection laws by the UK Information Commissioner's Office (ICO), unless the following conditions are fulfilled: (i) the Customer or the Supplier has provided appropriate safeguards in relation to the transfer such as Standard Contractual Clauses (SCCs) specifically adapted for the data transfer requirements under the UK GDPR, or any future UK adequacy decisions. 
When transferring personal data outside the UK, the Supplier will ensure the use of Standard Contractual Clauses approved by the UK Information Commissioner's Office (ICO), or ensure that the destination country has been deemed to provide an adequate level of protection for personal data by the UK government; (ii) the data subject has enforceable rights and effective legal remedies in accordance with the UK GDPR and the Data Protection Act 2018; (iii) the Supplier ensures compliance with the UK Data Protection Legislation by providing an adequate level of protection to any Personal Data transferred, including adhering to any additional requirements set forth by the UK Information Commissioner's Office (ICO); and (iv) the Supplier complies with reasonable instructions notified to it in advance by the Customer with respect to the processing of the Personal Data; (c) assist the Customer, at the Customer's cost, in responding to any request from a Data Subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators; (d) notify the ICO within 72 hours of becoming aware of a data breach. Where the breach is likely to result in a high risk to the rights and freedoms of natural persons, notify the affected data subjects without undue delay; (e) at the written direction of the Customer, delete or return Personal Data and copies thereof to the Customer on termination of the agreement unless required by Applicable Law to store the Personal Data; and (f) maintain complete and accurate records and information to demonstrate its compliance with this clause 6.
6.8 Each party shall 14.6.2 ensure that it has in place appropriate technical and organisational measures measures, reviewed and approved by the Customer, to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymisation pseudonymising and encr ypting encrypting Personal Data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it).; 6.9 The Supplier will 14.6.3 ensure that all personnel who have access to and/or process Personal Data are obliged to keep the Personal Data confidential; and 14.6.4 not transfer any sub-contractors appointed to process personal data on behalf Personal Data outside of the European Economic Area unless the prior written consent of the Customer has been obtained and the following conditions are subject to written agreements that require them to process such data only on documented instructions from fulfilled: 14.6.4.1 the Customer or the Supplier has provided appropriate safeguards in relation to the transfer; 14.6.4.2 the Data Subject has enforceable rights and effective legal remedies; 14.6.4.3 the Supplier complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred; and 14.6.4.4 the Supplier complies with reasonable instructions notified to it in advance by the Customer 
with respect to the processing of the Personal Data; 14.6.5 assist the Customer, at the Customer's cost, in responding to any request from a Data Subject and in full ensuring compliance with its obligations under the requirements Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators; 14.6.6 notify the Customer without undue delay on becoming aware of a Personal Data breach; 14.6.7 at the written direction of the UK GDPRCustomer, particularly Article 28. delete or return Personal Data and copies thereof to the Customer on termination of a Statement of Work unless required by Applicable Law to store the Personal Data; and 14.6.8 maintain complete and accurate records and information to demonstrate its compliance with this clause 14 and allow for audits by the Customer or the Customer's designated auditor, such audits to be conducted on reasonable notice (but in any event on giving Supplier not less than seven (7) days’ notice, unless the Customer has reasonable grounds for giving shorter notice) and during normal business hours on Business Days. 14.7 The Customer hereby consents to the Supplier appointing third party processors of the Personal Data on the condition that the Supplier confirms for each such third-party processor that it has entered or (as the case may be) will enter with the third-party processor into a written agreement substantially on that third party's standard terms of business. As between with the Customer and the Supplier, the Supplier shall remain fully liable for all acts or omissions of any third-party processor appointed by it pursuant incorporating terms which are as similar as possible to those set out in this clause 6. Full details of all third parties providing such services to the Supplier and who are processing Personal data under this agreement are available upon request14.
6.10 The Supplier will update its Privacy Policy to reflect any changes in sub-processors or the addition of new sub-processors. It is the responsibility of the Customer to regularly review the Privacy Policy to stay informed of such changes. 6.11 The Customer acknowledges and agrees that the Supplier relies on third-party services for the hosting and processing of Customer Data pursuant to this agreement. Specifically, Amazon Web Services (AWS) is utilised as the primary infrastructure provider due to its robust data security measures and adherence to data protection legislation relevant to our operations. For comprehensive details regarding the use of AWS, including the location of data centres and the specific security and compliance measures in place, refer to Schedule 2 of this agreement. This schedule outlines how data storage and processing activities through AWS are conducted in strict conformity with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, ensuring the highest standards of data protection and security are maintained. 6.12 The Supplier will ensure that any use of Customer Data in aggregated and anonymised form is done in a manner that fully ensures such data cannot be re-identified, adhering to the standards of anonymisation defined under the UK GDPR. 6.13 The supplier will assist the customer in ensuring compliance with the data subject rights under the Data Protection Legislation, including but not limited to rights of access, correction, deletion, and data portability. 6.14 The customer shall have the right to conduct an audit of the supplier's data processing activities related to this agreement once per year to ensure compliance with Data Protection Legislation and the terms of this agreement. 
Such audit shall be conducted at the customer's expense, with reasonable prior notice, and shall not unreasonably interfere with the supplier's business operations. 6.15 Any revisions to this clause related to data protection will be made in compliance with the latest data protection legislation and best practices, ensuring the protection of data subjects' rights. The Customer will be notified at least 30 days in advance of any such changes, which will only be implemented with the Customer's consent if they materially alter the data protection obligations of the parties.

Appears in 1 contract

Sources: Terms and Conditions

Customer Data. 6.1 The Customer shall own all right, title and interest in and to all the Customer Data that is not personal data and shall have sole responsibility for the legality, reliability, integrity, accuracy and quality of all such Customer Data. 6.2 14.1. The Supplier shall follow its archiving procedures for promptly notify the Customer Data as set out in its Back-Up Policywriting of any actual or suspected loss or damage to the Customer Data. In the event of any loss or damage to Customer Data, the Customer's sole and exclusive remedy against the Supplier shall be for the Supplier to use reasonable commercial endeavours to restore the lost or damaged Customer Data from the latest back-up backup of such Customer Data maintained by the Supplier in accordance with the archiving procedure described in its Back-Up PolicyData. The Supplier shall not be responsible for any loss, destruction, alteration or unauthorised access to or disclosure of Customer Data caused by any third party (except those third parties sub-(excluding Microsoft) sub- contracted by the Supplier to perform services related to Customer Data maintenance and back-up for which it shall remain fully liable under clause 6.9up). 6.3 The Supplier shall14.2. For the purposes of this Clause 14, the terms controller, processor, data subject, personal data, personal data breach and processing shall have the meaning given to them in providing the Services, UK Data Protection Legislation. 14.3. Both Parties will comply with its Privacy and Security Policy relating to the privacy and security of the Customer Data available at ▇▇▇.▇▇▇▇▇▇▇▇▇▇▇.▇▇.▇▇ or such other website address as may be notified to the Customer from time to time, as such document may be amended from time to time by the Supplier in its sole discretion. 6.4 Both parties will follow all applicable requirements of the Applicable Data Protection LegislationLaws. 
This clause 6 Clause 14 is in addition to, and does not relieve, remove or replace, a partyParty's obligations or rights under the Applicable Data Protection LegislationLaws. 6.5 14.4. The parties acknowledge Parties have determined that: (a) if the Supplier processes any personal data on the Customer's behalf when performing its obligations under this agreement, the Customer is the data controller and the Supplier is the data processor for the purposes of the Applicable Data Protection Legislation (where Data Controller and Data Processor have Laws, the meanings as defined in the Data Protection Legislation). (b) the Customer acknowledges and agrees that Supplier shall process the personal data may be transferred or stored outside set out in Error! Bookmark not defined.Error! Reference source not found., as a processor on behalf of the EEA or the country where the Customer and the Authorised Users are located to carry out the Services and the Supplier's other obligations under this agreement. If personal data is transferred or stored outside the UK, appropriate safeguards in accordance with UK GDPR, such as Standard Contractual Clauses approved by the UK Information Commissioner's Office (ICO), will be implemented to ensure compliance with UK data protection lawsCustomer. 6.6 14.5. Without prejudice to the generality of clause 6.1Clause 14.3, the Customer will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the Customer Personal Data to the Supplier for the duration and purposes of this agreement so that the Supplier may lawfully use, process and transfer the Personal Data in accordance with this agreement on the Customer's behalfAgreement. 6.7 14.6. In relation to the Customer Personal Data, Schedule 1 sets out the scope, nature and purpose of processing by the Supplier, the duration of the processing and the types of personal data and categories of data subject. 14.7. 
Without prejudice to the generality of clause 6.1, 14.3 the Supplier shall, in relation to any Customer Personal Data processed in connection with the performance by the Supplier of its obligations under this agreementData: (a) Process process that Customer Personal Data only on the written documented instructions of the Customer, unless the Supplier is required by Applicable Laws to otherwise process that Customer Personal Data. Where the laws of Supplier is relying on Applicable Laws as the United Kingdom, the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, or any applicable international laws to process Personal Data (Applicable Laws). In instances where the Supplier's data basis for processing activities are subject to the laws of a member of the European Union due to cross-border operations or data transfers, and where such laws necessitate processing actions divergent from the Customer's instructionsCustomer Processor Data, the Supplier shall promptly notify the Customer of this requirement before commencing performing the processing required by the Applicable LawsLaws unless those Applicable Laws prohibit the Supplier from so notifying the Customer on important grounds of public interest. The Supplier shall inform the Customer if, unless prohibited by those laws from providing such notificationin the opinion of the Supplier, the instructions of the Customer infringe Applicable Data Protection Legislation; (b) Not transfer any Personal Data outside of implement appropriate the United Kingdom or to any country not deemed to have adequate data protection laws by the UK Information Commissioner's Office (ICO), unless the following conditions are fulfilled: (i) the Customer or the Supplier has provided appropriate safeguards in relation to the transfer such as Standard Contractual Clauses (SCCs) specifically adapted for the data transfer requirements under the UK GDPR, or any future UK adequacy decisions. 
When transferring personal data outside the UK, the Supplier will ensure the use of Standard Contractual Clauses approved by the UK Information Commissioner's Office (ICO), or ensure that the destination country has been deemed to provide an adequate level of protection for personal data by the UK government; (ii) the data subject has enforceable rights and effective legal remedies in accordance with the UK GDPR and the Data Protection Act 2018; (iii) the Supplier ensures compliance with the UK Data Protection Legislation by providing an adequate level of protection to any Personal Data transferred, including adhering to any additional requirements set forth by the UK Information Commissioner's Office (ICO); and (iv) the Supplier complies with reasonable instructions notified to it in advance by the Customer with respect to the processing of the Personal Data; (c) assist the Customer, at the Customer's cost, in responding to any request from a Data Subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators; (d) notify the ICO within 72 hours of becoming aware of a data breach. Where the breach is likely to result in a high risk to the rights and freedoms of natural persons, notify the affected data subjects without undue delay; (e) at the written direction of the Customer, delete or return Personal Data and copies thereof to the Customer on termination of the agreement unless required by Applicable Law to store the Personal Data; and (f) maintain complete and accurate records and information to demonstrate its compliance with this clause 6.
6.8 Each party shall ensure that it has in place appropriate technical and organisational measures to protect against unauthorised or unlawful processing of Customer Personal Data and against accidental loss or destruction of, or damage to, Customer Personal Data, which the Customer has reviewed and confirms are appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures measures; (those measures may includec) ensure that any personnel engaged and authorised by the Supplier to process Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory or common law obligation of confidentiality; (d) assist the Customer insofar as this is possible (taking into account the nature of the processing and the information available to the Supplier), and at the Customer's cost and written request, in responding to any request from a data subject and in ensuring the Customer's compliance with its obligations under Applicable Data Protection Laws with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators; (e) notify the Customer without undue delay on becoming aware of a personal data breach involving the Customer Personal Data; (f) at the written direction of the Customer, delete or return Customer Personal Data and copies thereof to the Customer on termination of the Agreement unless the Supplier is required by Applicable Law to continue to process that Customer Personal Data. For the purposes of this Clause Error! Reference source not found. 
Customer Personal Data shall be considered deleted where appropriateit is put beyond further use by the Supplier; and (g) maintain records to demonstrate its compliance with this Clause 14 and allow for reasonable audits by the Customer or the Customer's designated auditor, pseudonymisation and encr ypting for this purpose, on reasonable written notice. 14.8. The Customer hereby provides its prior, general authorisation for the Supplier to: (a) appoint processors to process the Customer Personal Data, ensuring confidentialityprovided that the Supplier: (i) shall ensure that the terms on which it appoints such processors comply with Applicable Data Protection Laws, integrityand are consistent with the obligations imposed on the Supplier in this Clause Error! Bookmark not defined.Error! Reference source not found.4; (ii) shall remain responsible for the acts and omission of any such processor as if they were the acts and omissions of the Supplier; and (iii) shall inform the Customer of any intended changes concerning the addition or replacement of the processors, availability thereby giving the Customer the opportunity to object to such changes provided that if the Customer objects to the changes and resilience cannot demonstrate, to the Supplier's reasonable satisfaction, that the objection is due to an actual or likely breach of its systems Applicable Data Protection Law, the Customer shall indemnify the Supplier for any losses, damages, costs (including legal fees) and services, ensuring that availability of and access to expenses suffered by the Supplier in accommodating the objection. (b) transfer Customer Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness outside of the technical and organisational measures UK as required for the Purpose, provided that the Supplier shall ensure that all such transfers are effected in accordance with Applicable Data Protection Laws. 
For these purposes, the Customer shall promptly comply with any reasonable request of the Supplier, including any request to enter into standard data protection clauses adopted by itthe EU Commission from time to time (where the EU GDPR applies to the transfer) or adopted by the Commissioner from time to time (where the UK Data Protection Legislation applies to the transfer). 6.9 The Supplier will ensure that 14.9. Either Party may, at any sub-contractors appointed time on not less than 30 days' notice, revise this Clause 14 by replacing it with any applicable controller to process personal data on behalf processor standard clauses or similar terms forming part of the Customer are subject to written agreements that require them to process such data only on documented instructions from the Customer and in full compliance with the requirements of the UK GDPR, particularly Article 28. The Supplier confirms that it has entered or an applicable certification scheme (as the case may be) will enter with the third- party processor into a written agreement substantially on that third party's standard terms of business. As between the Customer and the Supplier, the Supplier which shall remain fully liable for all acts or omissions of any third-party processor appointed apply when replaced by it pursuant attachment to this clause 6. Full details of all third parties providing such services to the Supplier and who are processing Personal data under this agreement are available upon requestAgreement). 6.10 The Supplier will update its Privacy Policy to reflect any changes in sub-processors or the addition of new sub-processors. It is the responsibility of the Customer to regularly review the Privacy Policy to stay informed of such changes. 6.11 The Customer acknowledges and agrees that the Supplier relies on third-party services for the hosting and processing of Customer Data pursuant to this agreement. 
Specifically, Amazon Web Services (AWS) is utilised as the primary infrastructure provider due to its robust data security measures and adherence to data protection legislation relevant to our operations. For comprehensive details regarding the use of AWS, including the location of data centres and the specific security and compliance measures in place, refer to Schedule 2 of this agreement. This schedule outlines how data storage and processing activities through AWS are conducted in strict conformity with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, ensuring the highest standards of data protection and security are maintained. 6.12 The Supplier will ensure that any use of Customer Data in aggregated and anonymised form is done in a manner that fully ensures such data cannot be re-identified, adhering to the standards of anonymisation defined under the UK GDPR. 6.13 The supplier will assist the customer in ensuring compliance with the data subject rights under the Data Protection Legislation, including but not limited to rights of access, correction, deletion, and data portability. 6.14 The customer shall have the right to conduct an audit of the supplier's data processing activities related to this agreement once per year to ensure compliance with Data Protection Legislation and the terms of this agreement. Such audit shall be conducted at the customer's expense, with reasonable prior notice, and shall not unreasonably interfere with the supplier's business operations. 6.15 Any revisions to this clause related to data protection will be made in compliance with the latest data protection legislation and best practices, ensuring the protection of data subjects' rights. The Customer will be notified at least 30 days in advance of any such changes, which will only be implemented with the Customer's consent if they materially alter the data protection obligations of the parties.

Appears in 1 contract

Sources: Professional Services

Customer Data. 6.1 The Customer Supplier shall own all right, title follow its archiving and interest in and to all the Customer Data that is not personal data and shall have sole responsibility security procedures for the legality, reliability, integrity, accuracy and quality of all such Customer Data, including those set out in clause 7 (Security) and as described in Schedule 2. 6.2 The Supplier shall follow its archiving procedures for promptly notify the Customer Data as set out in its Back-Up Policywriting of any actual or suspected loss or damage to the Customer Data. In the event of any loss or damage to Customer Data, the Customer's ’s sole and exclusive remedy against the Supplier shall be for the Supplier to use reasonable commercial endeavours to restore the lost or damaged Customer Data from the latest back-up backup of such Customer Data maintained by the Supplier in accordance with the archiving procedure described in its Back-Up PolicyData. The Supplier shall not be responsible for any loss, destruction, alteration or unauthorised access to or disclosure of Customer Data caused by any third party (except those third parties sub-sub- contracted by the Supplier to perform services related to Customer Data maintenance and back-up for which it shall remain fully liable under clause 6.9back- up). 6.3 The Supplier shall, in providing the Services, Each party undertakes that it shall comply with its Privacy the DPA and Security Policy relating to the privacy and security of the Customer Data available at ▇▇▇.▇▇▇▇▇▇▇▇▇▇▇.▇▇.▇▇ or such other website address as may be notified to the Customer from time to time, as such document may be amended from time to time by the Supplier in its sole discretion. 6.4 Both parties will follow all applicable requirements of changes in law, including any subsequent legislation that may amend and/or supersede the Data Protection Legislation. 
This clause 6 is in addition toDPA, and does not relieve, remove or replace, a party's obligations under the Data Protection Legislation. 6.5 The parties acknowledge that: (a) if the Supplier processes any personal data on the Customer's behalf when performing its obligations under this agreement, . The parties acknowledge that the European General Data Protection Regulation (GDPR) shall apply during the term of this agreement. The parties agree that they shall enter into such variation of this agreement and execute such additional documentation and make any required changes to the Services as is reasonably required to reflect their obligations under the GDPR and in order for the Supplier to provide the Services in a manner that would allow the Customer is to be compliant with the data controller and GDPR, based on the Supplier is the data processor for the purposes of the Data Protection Legislation (where Customer’s obligations as a Data Controller and the Supplier’s obligations as a Data Processor have the meanings or each party’s obligations as defined in a Data Controller, as applicable. 6.4 The Customer shall be the Data Protection Legislation). (b) Controller, and the Customer acknowledges and agrees parties acknowledge that the personal Supplier will be acting as Data Processor in respect of all data may be transferred or stored outside processing activities in relation to Customer Personal Data that the EEA or the country where the Customer and the Authorised Users are located to carry Supplier carries out the Services and the Supplier's other obligations under this agreement. If personal data is transferred or stored outside the UK, appropriate safeguards in accordance with UK GDPR, such as Standard Contractual Clauses approved by the UK Information Commissioner's Office (ICO), will be implemented to ensure compliance with UK data protection laws. 
6.6 Without prejudice 6.5 The Supplier undertakes to the generality of clause 6.1, Customer that: (a) it shall process the Customer will ensure that it has all necessary appropriate consents Personal Data, including updating, correcting and notices in place to enable lawful transfer of the deleting such Customer Personal Data to the Supplier for the duration and purposes of this agreement so that the Supplier may lawfully useData, process and transfer the Personal Data only in accordance with this agreement on the Customer's behalf. 6.7 Without prejudice to the generality of clause 6.1, the Supplier shall, in relation to any Personal Data processed in connection with the performance by the Supplier of its obligations under this agreement: (a) Process that Personal Data only on and the written instructions of the CustomerCustomer and to the extent, unless and in such a manner, as is reasonably necessary to supply the Supplier Services in accordance with this agreement or as is required by the laws of the United Kingdom, the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, or any applicable international laws to process Personal Data (Applicable Laws). 
In instances where the Supplier's data processing activities are subject to the laws of a member of the European Union due to cross-border operations or data transfers, and where such laws necessitate processing actions divergent from the Customer's instructions, the Supplier shall promptly notify the Customer of this requirement before commencing the processing required by the Applicable Laws, unless prohibited by those laws from providing such notificationlaw; (b) Not transfer any in respect of Customer Personal Data outside which is in the possession or under the control of the United Kingdom or to any country not deemed to have adequate data protection laws by the UK Information Commissioner's Office (ICO)Supplier, unless the following conditions are fulfilled: (i) the Customer or the Supplier has provided appropriate safeguards in relation to the transfer such as Standard Contractual Clauses (SCCs) specifically adapted for the data transfer requirements under the UK GDPR, or any future UK adequacy decisions. 
When transferring personal data outside the UK, the Supplier will ensure the use of Standard Contractual Clauses approved by the UK Information Commissioner's Office (ICO), or ensure that the destination country has been deemed to provide an adequate level of protection for personal data by the UK government; (ii) the data subject has enforceable rights and effective legal remedies in accordance with the UK GDPR and the Data Protection Act 2018; (iii) the Supplier ensures compliance with the UK Data Protection Legislation by providing an adequate level of protection to any Personal Data transferred, including adhering to any additional requirements set forth by the UK Information Commissioner's Office (ICO); and (iv) the Supplier complies with reasonable instructions notified to it in advance by the Customer with respect to the processing of the Personal Data; (c) assist the Customer, at the Customer's cost, in responding to any request from a Data Subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators; (d) notify the ICO within 72 hours of becoming aware of a data breach. Where the breach is likely to result in a high risk to the rights and freedoms of natural persons, notify the affected data subjects without undue delay; (e) at the written direction of the Customer, delete or return Personal Data and copies thereof to the Customer on termination of the agreement unless required by Applicable Law to store the Personal Data; and (f) maintain complete and accurate records and information to demonstrate its compliance with this clause 6.
6.8 Each party shall ensure that it has in place implement appropriate technical and organisational measures to protect this Customer Personal Data against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction destruction, damage, alteration or damage and disclosure; (c) it shall not publish, disclose or divulge any Customer Personal Data to any third party, nor allow any third party to process Customer Personal Data on the nature Supplier’s behalf, without the prior written consent of the data Customer; (d) it shall not transfer Customer Personal Data outside the European Economic Area without the prior written consent of the Customer; (e) it shall take reasonable steps to be protectedensure the reliability of any employee, having regard agent or sub- contractor who has access to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymisation and encr ypting Personal Customer Data, ensuring confidentialityand ensure all employees, integrity, availability agents and resilience of its systems and services, ensuring that availability of and access to Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it). 6.9 The Supplier will ensure that any sub-sub- contractors appointed to process personal data undergo training on behalf of the Customer are subject to written agreements that require them to process such data only on documented instructions from the Customer and in full compliance with the requirements of the UK GDPR, particularly Article 28. 
The Supplier confirms that it has entered or (as the case may be) will enter with the third- party processor into a written agreement substantially on that third party's standard terms of business. As between the Customer and the Supplier, the Supplier shall remain fully liable for all acts or omissions of any third-party processor appointed by it pursuant to this clause 6. Full details of all third parties providing such services to the Supplier and who are processing Personal data under this agreement are available upon request. 6.10 The Supplier will update its Privacy Policy to reflect any changes in sub-processors or the addition of new sub-processors. It is the responsibility of the Customer to regularly review the Privacy Policy to stay informed of such changes. 6.11 The Customer acknowledges and agrees that the Supplier relies on third-party services for the hosting and processing of Customer Data pursuant to this agreement. Specifically, Amazon Web Services (AWS) is utilised as the primary infrastructure provider due to its robust data security measures and adherence to data protection legislation relevant to our operations. For comprehensive details regarding the use of AWS, including the location of data centres and the specific security and compliance measures in place, refer to Schedule 2 of this agreement. This schedule outlines how data storage and processing activities through AWS are conducted in strict conformity with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, ensuring the highest standards of data protection and security are maintained.information security; 6.12 The Supplier will ensure that any (f) it shall use of Customer Data in aggregated and anonymised form is done in a manner that fully ensures such data cannot be re-identified, adhering reasonable endeavours to the standards of anonymisation defined under the UK GDPR. 
6.13 The supplier will assist the customer in ensuring compliance Customer at the Customer’s cost with any subject access request that the data subject rights Customer receives relating to Customer Personal Data processed by the Supplier under the Data Protection Legislation, including but not limited to rights of access, correction, deletion, and data portability. 6.14 The customer shall have the right to conduct an audit of the supplier's data processing activities related to this agreement once per year to ensure compliance with Data Protection Legislation and the terms of this agreement. Such audit ; (g) it shall be conducted at use reasonable endeavours to assist the customers expense, with reasonable prior notice, and shall not unreasonably interfere with the supplier's business operations 6.15 Any revisions Customer in responding to this clause related to data protection will be made in compliance with the latest data protection legislation and best practices, ensuring the protection of data subjects' rights. The Customer will be notified at least 30 days in advance of any such changes, which will only be implemented with the Customer's consent if they materially alter the data protection obligations of the partiesregulatory requirements.

Appears in 1 contract

Sources: Master Services Agreement

Customer Data. 6.1 5.1 The Customer shall own all right, title and interest in and to all of the Customer Data that is not personal data and shall have sole responsibility for the legality, reliability, integrity, accuracy and quality of all such Customer Data. 6.2 The Supplier shall follow its archiving procedures for Customer Data as set out in its Back-Up Policy. In the event of any loss or damage to Customer Data, the Customer's sole and exclusive remedy against the Supplier shall be for the Supplier to use reasonable commercial endeavours to restore the lost or damaged Customer Data from the latest back-up of such Customer Data maintained by the Supplier in accordance with the archiving procedure described in its Back-Up Policy. The Supplier shall not be responsible for any loss, destruction, alteration or disclosure of Customer Data caused by any third party (except those third parties sub-contracted by the Supplier to perform services related to Customer Data maintenance and back-up for which it shall remain fully liable under clause 6.9). 6.3 5.2 The Supplier shall, in providing the Services, comply with its Privacy Customer’s information security, confidentiality and data protection policies, UKHSA operate in line with the Government Functional Standard for Security Policy relating to the privacy and security of the Customer Data available at ▇▇▇.▇▇▇▇▇▇▇▇▇▇▇.▇▇.▇▇ 007 or such other website address as may be notified to by the Customer from time to time, as such document may be amended from time to time by the Supplier Customer in its sole discretion. 6.4 5.3 Both parties will follow comply with all applicable requirements of the Data Protection Legislation. This clause 6 Clause 5 is in addition to, and does not relieve, remove or replace, a party's ’s obligations or rights under the Data Protection Legislation.. In this Clause 5, Applicable Laws means the UK Data Protection Legislation and any other relevant law that applies in the UK.. 
6.5 5.4 The parties acknowledge that: (a) if the Supplier processes any personal data on the Customer's behalf when performing its obligations under this agreement, the Customer is the data controller and the Supplier is the data processor The parties acknowledge that for the purposes of the Data Protection Legislation (where Legislation, the Customer is the Controller, and the Provider is the Processor. Schedule 3 sets out the scope, nature and purpose of processing by the Provider, the duration of the processing and the types of Personal Data Controller and categories of Data Processor have the meanings as defined in the Data Protection Legislation). Subject. (b) the Customer acknowledges and agrees that the personal data may not be transferred or stored outside the EEA or the country where the Customer and the Authorised Users are located in order to carry out the Services and the Supplier's ’s other obligations under this agreement. If personal data is transferred or stored outside the UK, appropriate safeguards in accordance with UK GDPR, such as Standard Contractual Clauses approved by the UK Information Commissioner's Office (ICO), will be implemented to ensure compliance with UK data protection lawsAgreement. 6.6 5.5 Without prejudice to the generality of clause 6.15.3, the Customer will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the Personal Data personal data to the Supplier for the duration and purposes of this agreement Agreement so that the Supplier may lawfully use, process and transfer the Personal Data personal data in accordance with this agreement Agreement on the Customer's ’s behalf. 
6.7 5.6 Without prejudice to the generality of clause 6.15.3, the Supplier shall, in relation to any Personal Data personal data processed in connection with the performance by the Supplier of its obligations under this agreementAgreement: (a) Process process that Personal Data personal data only on the documented written instructions of the Customer, Customer unless the Supplier is required by Applicable Laws to otherwise process that personal data. Where the laws of Supplier is relying on Applicable Laws as the United Kingdom, the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, or any applicable international laws to process Personal Data (Applicable Laws). In instances where the Supplier's data basis for processing activities are subject to the laws of a member of the European Union due to cross-border operations or data transfers, and where such laws necessitate processing actions divergent from the Customer's instructionspersonal data, the Supplier shall promptly notify the Customer of this requirement before commencing performing the processing required by the Applicable Laws, Laws unless prohibited by those laws Applicable Laws prohibit the Supplier from providing such notificationso notifying the Customer; (b) Not not transfer any Personal Data personal data outside of the United Kingdom or European Economic Area unless it has obtained the Customer’s prior written consent to any country not deemed to have adequate data protection laws by the UK Information Commissioner's Office (ICO), unless do so and the following conditions are fulfilled: (i) the Customer or the Supplier has provided appropriate safeguards in relation to the transfer such as Standard Contractual Clauses (SCCs) specifically adapted for the data transfer requirements under the UK GDPR, or any future UK adequacy decisions. 
When transferring personal data outside the UK, the Supplier will ensure the use of Standard Contractual Clauses approved by the UK Information Commissioner's Office (ICO), or ensure that the destination country has been deemed to provide an adequate level of protection for personal data by the UK governmenttransfer; (ii) the data subject has enforceable rights and effective legal remedies in accordance with the UK GDPR and the Data Protection Act 2018remedies; (iii) the Supplier ensures compliance complies with its obligations under the UK Data Protection Legislation by providing an adequate level of protection to any Personal Data personal data that is transferred, including adhering to any additional requirements set forth by the UK Information Commissioner's Office (ICO); and (iv) the Supplier complies with reasonable instructions notified to it in advance by the Customer with respect to the processing of the Personal Datapersonal data; (c) assist the Customer, at the Customer's ’s cost, in responding to any request from a Data Subject data subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators; (d) notify the ICO Customer without undue delay and in any event within 72 twenty-four (24) hours of on becoming aware of a personal data breach. 
Where the breach is likely to result in a high risk to the rights and freedoms of natural persons, notify the affected data subjects without undue delay.; (e) at the written direction of the Customer, delete or return Personal Data personal data and copies thereof to the Customer on termination of the agreement Agreement in accordance with clause 14.5 unless the Supplier is required by Applicable Law to store the Personal Datapersonal data (and for these purposes the term “delete” shall mean to put such data beyond use); and (f) maintain complete and accurate records and information to demonstrate its compliance with this clause 6Clause 5 and immediately inform the Company if, in the opinion of the Supplier, an instruction infringes the Data Protection Legislation. 6.8 Each party 5.7 The Supplier shall ensure that it has in place appropriate technical and organisational measures measures, reviewed and approved by the other party, to protect against unauthorised or unlawful processing of Personal Data personal data and against accidental loss or destruction of, or damage to, Personal Datapersonal data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymisation pseudonymising and encr ypting Personal Dataencrypting personal data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to Personal Data personal data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it). 
6.9 5.8 The Supplier will ensure that any sub-contractors appointed to process personal data on behalf of the Customer are subject to written agreements that require them to process such data only on documented instructions from the Customer and in full compliance with the requirements of the UK GDPR, particularly Article 28. The Supplier confirms that it has entered or (as the case may be) will enter with the third- party processor into a written agreement substantially on that third party's standard terms of business. As between the Customer and the Supplier, the Supplier shall remain fully liable for all acts or omissions of any third-party processor appointed by it pursuant to this clause 6. Full details of all third parties providing such services does not consent to the Supplier and who are processing Personal appointing any third party processor of personal data under this agreement are available upon requestAgreement. 6.10 5.9 The Supplier will update its Privacy Policy parties may, on written agreement between the parties, revise this Clause 5 by replacing it with any applicable controller to reflect any changes in sub-processors processor standard clauses or the addition similar terms forming part of new sub-processors. It is the responsibility of the Customer to regularly review the Privacy Policy to stay informed of such changes. 6.11 The Customer acknowledges and agrees that the Supplier relies on third-party services for the hosting and processing of Customer Data pursuant an applicable certification scheme (which shall apply when replaced by attachment to this agreement. Specifically, Amazon Web Services (AWS) is utilised as the primary infrastructure provider due to its robust data security measures and adherence to data protection legislation relevant to our operations. 
For comprehensive details regarding the use of AWS, including the location of data centres and the specific security and compliance measures in place, refer to Schedule 2 of this agreement. This schedule outlines how data storage and processing activities through AWS are conducted in strict conformity with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, ensuring the highest standards of data protection and security are maintainedAgreement). 6.12 The Supplier will ensure that any use of Customer Data in aggregated and anonymised form is done in a manner that fully ensures such data cannot be re-identified, adhering to the standards of anonymisation defined under the UK GDPR. 6.13 The supplier will assist the customer in ensuring compliance with the data subject rights under the Data Protection Legislation, including but not limited to rights of access, correction, deletion, and data portability. 6.14 The customer shall have the right to conduct an audit of the supplier's data processing activities related to this agreement once per year to ensure compliance with Data Protection Legislation and the terms of this agreement. Such audit shall be conducted at the customer's expense, with reasonable prior notice, and shall not unreasonably interfere with the supplier's business operations. 6.15 Any revisions to this clause related to data protection will be made in compliance with the latest data protection legislation and best practices, ensuring the protection of data subjects' rights. The Customer will be notified at least 30 days in advance of any such changes, which will only be implemented with the Customer's consent if they materially alter the data protection obligations of the parties.

Appears in 1 contract

Sources: Software as a Service (Saas) Subscription Agreement

Customer Data. 6.1 7.1 The Customer shall own all right, right and title to and interest in: 7.1.1 all rights arising from or in and to all connection with its acquisition, verification or presentation of the Customer Data that is not personal data Data; and 7.1.2 all copyright arising from the authorship of literary work in the creation of Customer Data, and shall have sole responsibility for the legality, reliability, integrity, accuracy and quality of all such Customer Data. 6.2 7.2 The Supplier shall follow its archiving procedures for Customer Data as set out in its Data Back-Up up and Retention Policy annexed to this Agreement at Schedule 5 (Retention Policy. ), as such document may be amended by the Supplier in its reasonable discretion from time to time. 7.3 In the event of any loss or damage to Customer Data, the Customer's sole and exclusive remedy against the Supplier shall be for the Supplier to use reasonable commercial endeavours to restore the lost or damaged Customer Data from the latest back-up of such Customer Data maintained by the Supplier in accordance with its Retention Policy in force at the archiving procedure described in its Back-Up Policy. The relevant time. 7.4 Save where directly attributable to any breach by the Supplier of the terms of this Agreement, the Supplier shall not be responsible for any loss, destruction, alteration or disclosure of Customer Data caused by any third party (except those third parties sub-contracted by the Supplier to perform services related to Customer Data maintenance and back-up for which it shall remain fully liable under clause 6.9)clause7. 6.3 The Supplier shall, in providing the Services, comply with its Privacy and Security Policy relating to the privacy and security of the Customer Data available at ▇▇▇.▇▇▇▇▇▇▇▇▇▇▇.▇▇.▇▇ or such other website address as may be notified to the Customer from time to time, as such document may be amended from time to time by the Supplier in its sole discretion. 
6.4 7.5 Both parties will follow comply with all applicable requirements of the Data Protection Legislation. This clause 6 7 is in addition to, and does not relieve, remove or replace, a party's obligations obligations, responsibilities or rights under the Data Protection Legislation. 6.5 7.6 The parties acknowledge that: (a) if 7.6.1 in respect of the personal data processed by the Supplier processes any personal on behalf of the Customer in connection with the Services whether or not Customer Data (Personal Data), the Customer is determining the purpose and approving the manner in which data on is processed in connection with the Customer's behalf when performing its obligations under this agreementprovision of the Services and that, accordingly the Customer is the data controller and the Supplier is the data processor for the purposes of the Data Protection Legislation (where Legislation; and 7.6.2 Schedule 2 sets out the scope, nature and purpose of processing by the Supplier, the duration of the processing and the types of Personal Data Controller and Data Processor have the meanings as defined in the Data Protection Legislation)categories of data subject. (b) the Customer acknowledges and agrees that the personal data may be transferred or stored outside the EEA or the country where the Customer and the Authorised Users are located to carry out the Services and the Supplier's other obligations under this agreement. If personal data is transferred or stored outside the UK, appropriate safeguards in accordance with UK GDPR, such as Standard Contractual Clauses approved by the UK Information Commissioner's Office (ICO), will be implemented to ensure compliance with UK data protection laws. 
6.6 7.7 Without prejudice to the generality of clause 6.17.5, the Customer will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the Personal Data to the Supplier and processing of the Personal Data for the duration and purposes of this agreement Agreement so that the Supplier may lawfully use, process and transfer the Personal Data in accordance with this agreement Agreement on the Customer's behalf. 6.7 7.8 Without prejudice to the generality of clause 6.17.5, the Supplier shall, in relation to any Personal Data processed in connection with the performance by the Supplier in the course of its obligations under this agreementthe provision of the Services: (a) Process 7.8.1 process that Personal Data only as is strictly necessary to provide the Services and on the documented written instructions of the Customer, Customer unless the Supplier is required by the laws of any member of the United Kingdom, European Union or by the laws of the European Union applicable to the Supplier and/or Domestic UK Law (where Domestic UK Law means the UK General Data Protection Regulation (UK GDPR), Legislation and any other law that applies in the Data Protection Act 2018, or any applicable international laws UK) to process such Personal Data (Applicable Laws). 
In instances where Where the Supplier's data Supplier is relying on Applicable Laws as the basis for processing activities are subject to the laws of a member of the European Union due to cross-border operations or data transfers, and where such laws necessitate processing actions divergent from the Customer's instructionsPersonal Data, the Supplier shall promptly notify the Customer of this requirement before commencing performing the processing required by the Applicable Laws, Laws unless prohibited by those laws Applicable Laws prohibit the Supplier from providing such notificationso notifying the Customer; (b) Not 7.8.2 not transfer any Personal Data outside of the European Economic Area and the United Kingdom or to any country not deemed to have adequate data protection laws by the UK Information Commissioner's Office (ICO), unless the following conditions are fulfilled: (i) 7.8.2.1 the Customer or the Supplier has provided appropriate safeguards in relation to the transfer such as Standard Contractual Clauses (SCCs) specifically adapted for the data transfer requirements under the UK GDPR, or any future UK adequacy decisions. 
When transferring personal data outside the UK, the Supplier will ensure the use of Standard Contractual Clauses approved by the UK Information Commissioner's Office (ICO), or ensure that the destination country has been deemed to provide an adequate level of protection for personal data by the UK governmenttransfer; (ii) 7.8.2.2 the data subject has enforceable rights and effective legal remedies in accordance with the UK GDPR and the Data Protection Act 2018remedies; (iii) 7.8.2.3 the Supplier ensures compliance complies with its obligations under the UK Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred, including adhering to any additional requirements set forth by the UK Information Commissioner's Office (ICO); and (iv) 7.8.2.4 the Supplier complies with reasonable instructions notified to it in writing in advance by the Customer with respect to the processing of the such Personal Data; (c) 7.8.3 ensure that all personnel who have access to and/or process such personal data are obliged to keep the Personal Data confidential; 7.8.4 assist the Customer, at the Customer's cost, in responding to any request (including a subject access request) from a Data Subject data subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators; (d) 7.8.5 notify the ICO within 72 hours of Customer in writing without undue delay on becoming aware of a personal data breach. 
Where the breach is likely to result in a high risk to the rights and freedoms of natural persons, notify the affected data subjects without undue delay.; (e) 7.8.6 at the written direction of the Customer, delete or return Personal Data and copies thereof to the Customer on termination of the agreement Agreement unless required by Applicable Law Laws to store the Personal Data; and; (f) 7.8.7 maintain complete and accurate records and information to demonstrate its compliance with this clause 67 and the Data Protection Legislation and immediately inform the Company if, in the opinion of the Supplier, an instruction provided by the Customer infringes the Data Protection Legislation; and 7.8.8 allow for audits by the Customer or its authorised representatives to review the Supplier’s compliance with this clause 7 and the Data Protection Legislation, provided that such audits shall not take place more than once in any twelve month period (unless the Customer, acting reasonably, suspects a breach of Data Protection Legislation) and shall be on reasonable prior written notice and carried out in such a manner as to minimise disruption to the Supplier’s business. The Supplier may require the Customer’s authorised representatives to enter into binding confidentiality obligations with it prior to such audit. 6.8 Each party 7.9 In each calendar year the Supplier shall ensure complete and publish the Data Security and Protection Toolkit. 
The Customer hereby acknowledges and agrees that it has in place the completion and publishing of the Data Security and Protection Toolkit satisfies the requirements of Article 32 of the General Data Protection Regulation (2016/679) and constitutes the taking of appropriate technical and organisational measures adequate to protect the Personal Data processed by the Supplier against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, such Personal Data, Data and are appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protectedPersonal Data, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymisation and encrypting Personal Data, ensuring confidentiality, integrity, availability and resilience measures. 7.10 The Customer consents to the Supplier appointing the third-party processors of its systems and services, ensuring that availability of and access to Personal Data can be restored specified in a timely manner after an incident, Schedule 4 (as amended and regularly assessing and evaluating updated by agreement in writing between the effectiveness of the technical and organisational measures adopted by itparties from time to time). 6.9 The Supplier will ensure that any sub-contractors appointed to process personal data on behalf of the Customer are subject to written agreements that require them to process such data only on documented instructions from the Customer and in full compliance with the requirements of the UK GDPR, particularly Article 28.
The Supplier confirms that it has entered or (as the case may be) will enter with the third- third-party processor into a written agreement incorporating terms which are substantially on that third party's standard terms similar to those set out in this clause 7 and in either case which the Supplier confirms reflect and will continue to reflect the requirements of businessthe Data Protection Legislation. As between the Customer and the Supplier, the Supplier shall remain fully liable for all acts or omissions of any third-party processor appointed by it pursuant to this clause 6. Full details of all third parties providing such services to the Supplier and who are processing Personal data under this agreement are available upon request7. 6.10 The Supplier will update its Privacy Policy to reflect any changes in sub-processors or the addition of new sub-processors. It is the responsibility of the Customer to regularly review the Privacy Policy to stay informed of such changes. 6.11 The Customer acknowledges and agrees that the Supplier relies on third-party services for the hosting and processing of Customer Data pursuant to this agreement. Specifically, Amazon Web Services (AWS) is utilised as the primary infrastructure provider due to its robust data security measures and adherence to data protection legislation relevant to our operations. For comprehensive details regarding the use of AWS, including the location of data centres and the specific security and compliance measures in place, refer to Schedule 2 of this agreement. This schedule outlines how data storage and processing activities through AWS are conducted in strict conformity with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, ensuring the highest standards of data protection and security are maintained. 
6.12 The Supplier will ensure that any use of Customer Data in aggregated and anonymised form is done in a manner that fully ensures such data cannot be re-identified, adhering to the standards of anonymisation defined under the UK GDPR. 6.13 The supplier will assist the customer in ensuring compliance with the data subject rights under the Data Protection Legislation, including but not limited to rights of access, correction, deletion, and data portability. 6.14 The customer shall have the right to conduct an audit of the supplier's data processing activities related to this agreement once per year to ensure compliance with Data Protection Legislation and the terms of this agreement. Such audit shall be conducted at the customer's expense, with reasonable prior notice, and shall not unreasonably interfere with the supplier's business operations. 6.15 Any revisions to this clause related to data protection will be made in compliance with the latest data protection legislation and best practices, ensuring the protection of data subjects' rights. The Customer will be notified at least 30 days in advance of any such changes, which will only be implemented with the Customer's consent if they materially alter the data protection obligations of the parties.

Appears in 1 contract

Sources: Software Subscription Agreement