Customer Personal Data. 5.1 The parties acknowledge and agree that:
5.1.1 this clause 5 sets out the parties’ respective obligations in respect of the processing of personal data under this Agreement;
5.1.2 to the extent that the Customer (including any Authorised Users) uploads, transmits, stores or otherwise communicates personal data to or via the Software, the Customer shall be the data controller in respect of such Customer Personal Data and the Supplier shall be acting as a data processor on behalf of the Customer.
5.2 The Supplier shall also process personal data in connection with the Agreement in its own capacity as a data controller (where the Supplier is to determine the purposes and means of the processing, including, for example, contact details for the representative of the Customer). Except where this clause 5 refers generally to personal data, the provisions of this clause 5 will not apply to such processing but the Supplier will undertake such processing in accordance with its legal obligations to data subjects under Data Protection Legislation.
5.3 Both parties shall comply with their respective obligations under Data Protection Legislation, the provisions of this clause 5 and any applicable Data Protocol in respect of all Customer Personal Data processed in connection with this Agreement.
5.4 As a data controller, it is the Customer's responsibility to ensure that the Customer is entitled to process and to authorise the Supplier to process the Customer Personal Data in the manner and for the duration envisaged by this Agreement. If at any time the Customer has reason to believe that the processing of any Customer Personal Data under this Agreement is in breach of the Data Protection Legislation, the Customer shall immediately notify the Supplier, together with an explanation of the concern.
5.5 Prior to sharing any Customer Personal Data with the Supplier, the Customer shall identify the lawful basis on which the parties can rely under Data Protection Legislation to process such Customer Personal Data. Unless the lawful basis the Customer wishes to rely on is performance of a contract or the data subject's consent, the Customer shall inform the Supplier of the lawful basis for processing such Customer Personal Data (prior to sharing such personal data with the Supplier) and if the lawful basis for processing changes, the Customer shall notify the Supplier as soon as practicable, but in any event no later than 14 days after such change occurs.
5.6 The Customer shall always ensure that the Customer’s instructions to the Supplier for the processing of Customer Personal Data under this Agreement comply with Data Protection Legislation and that compliance with such instructions would not cause the Supplier to breach the Data Protection Legislation.
5.7 The Customer shall be responsible for the provision of the corresponding fair processing information to relevant data subjects and for obtaining any consents that may be required (in each case to the extent necessary in order to comply with Data Protection Legislation) from that data subject. The Customer shall ensure that such fair processing notices are accurate and complete, and that any consents are sufficient in order for the Supplier to lawfully process the Customer Personal Data in the manner set out in this clause 5.
5.8 If the Customer requires the Supplier to transfer any Customer Personal Data to a third-party provider engaged by the Customer, the Customer shall be solely responsible for identifying the lawful basis under the Data Protection Legislation on which the parties can rely under the Data Protection Legislation to transfer such Customer Personal Data to the relevant third-party provider (and the Customer shall notify the Supplier of the same). A written data processing agreement must be in place between the Customer and such provider. The Customer acknowledges and agrees that the Supplier has no control over and shall have no liability in respect of how any personal data is processed by such third-party provider engaged by the Customer.
5.9 If the Customer has requested integration of the Software with any third-party applications, it shall be Customer’s sole responsibility to ensure such third-party integration complies with Data Protection Legislation. Such third parties shall either be data controllers or data processors on behalf of the Customer and shall have no direct relationship with the Supplier. The Supplier shall not be responsible or liable for the way in which other data controllers and/or the Customer’s other data processors process the Customer Personal Data.
5.10 In respect of the Customer Personal Data processed by the Supplier as a data processor on behalf of the Customer, the Supplier shall:
5.10.1 only process Customer Personal Data on behalf of the Customer where and to the extent necessary to deliver the Services, and otherwise to perform the Supplier's obligations under this Agreement and applicable laws, and only in accordance with the terms of this clause 5, any applicable Data Protocol, and any additional reasonable instructions the Customer may issue from time to time (provided that such instructions are within the scope of the Supplier's obligations under this clause 5), unless otherwise required by law, regulation, court of competent jurisdiction or any other governmental or regulatory body;
5.10.2 ensure that personnel who have access to and/or process the Customer Personal Data are obliged to keep the Customer Personal Data confidential;
5.10.3 not transfer the Customer Personal Data outside of the United Kingdom or European Economic Area (EEA) without complying with the provisions of the Data Protection Legislation in respect of such transfer, save that if the Customer requires the Supplier to transfer any Customer Personal Data outside the United Kingdom or EEA pursuant to the Customer’s instructions, it shall be the Customer’s responsibility to ensure that any such transfer complies with the provisions of the Data Protection Legislation and to notify the Supplier of any specific instructions or restrictions in respect of the same;
5.10.4 notify the Customer without undue delay if the Supplier becomes aware of any personal data breach or of any request or objection from a data subject pursuant to the Data Protection Legislation, in each case relating to the Customer Personal Data;
5.10.5 to the extent that the Customer does not have the ability to address a Data Subject Request in respect of the Supplier's processing of Customer Personal Data, the Supplier shall, upon the Customer’s request and insofar as is reasonably possible, provide commercially reasonable assistance, at the Customer’s cost, to facilitate such Data Subject Request;
5.10.6 reasonably assist the Customer, at the Customer’s cost, in ensuring compliance with the Customer’s obligations under the Data Protection Legislation with respect to consultations with supervisory authorities or regulators;
5.10.7 provide the Customer with reasonable cooperation and assistance, at the Customer’s cost, as may be required to fulfil the Customer’s obligation under the GDPR to carry out a data protection impact assessment related to the Services, to the extent that the Customer does not otherwise have access to the relevant information and to the extent that such information is available to the Supplier;
5.10.8 inform the Customer without undue delay after becoming aware of the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Customer Personal Data transmitted, stored or otherwise processed by the Supplier in connection with this Agreement;
5.10.9 maintain records and information regarding the Supplier's processing activities in respect of the Customer Personal Data to demonstrate the Supplier's compliance with this clause 5;
5.10.10 allow for audits by the Customer or the Customer’s designated auditor of the Supplier's systems and procedures relevant to the processing of Customer Personal Data, provided that in the case of any audit, the Customer shall:
(i) comply with any reasonable requirements or security restrictions that the Supplier may impose to safeguard the Supplier's systems, personal data the Supplier holds on behalf of other customers and clients and the Supplier's own confidential or commercially sensitive information and to avoid unreasonable disruption to the Supplier's business and operations;
(ii) reimburse the Supplier for any time expended by the Supplier for any such audit, at the Supplier's then current professional services rates, which shall be made available to the Customer upon request, which costs shall be reasonable, taking into account the resources expended by the Supplier; and
(iii) before the commencement of any audit, the parties shall mutually agree on the scope, timing, and duration of the audit.
5.11 The Supplier shall implement appropriate technical and organisational measures, taking into account the nature and purposes of the processing (to the best of its knowledge), for the protection and security of the Customer Personal Data and to protect against the unauthorised or unlawful processing of the Customer Personal Data and against accidental loss or destruction of, or damage to, the Customer Personal Data (the Security Measures). The Security Measures shall be appropriate to the nature of the personal data to be protected to the best of the Supplier's knowledge, it being acknowledged that the Supplier may not have full oversight over the categories and types of Customer Personal Data subject to the processing (including where processing is automatic).
5.12 The Customer shall also implement its own appropriate technical and organisational measures, taking into account the nature and purposes of the processing, for the protection and security of the Customer Personal Data and to protect against the unauthorised or unlawful processing of the Customer Personal Data and against accidental loss or destruction of, or damage to, the Customer Personal Data, appropriate to the nature of the personal data to be protected.
5.13 A summary of the Security Measures currently adopted by the Supplier is set out in Schedule 4 to this Agreement, further details of which are available from the Supplier upon request and which the Customer has the opportunity to review and assess in accordance with the Customer's own obligations under Data Protection Legislation. The Customer shall be responsible for ensuring that it is satisfied with the level of security offered by the Supplier in respect of its processing of Customer Personal Data and that the same meet the Customer's requirements as a data controller of the Customer Personal Data.
5.14 The Supplier reserves the right to revise the Security Measures at any time:
5.14.1 without notice, provided that such revisions will not materially reduce the overall security provided for the Customer Personal Data that the Supplier processes; or, in all other cases,
5.14.2 by notifying the Customer of the same, provided that the Supplier considers such revised Security Measures are still sufficient to enable the Supplier to comply with its obligations under this clause 5 and the Data Protection Legislation, including in particular clause 5.11. Within a period of 30 days of the date of notification of such changes, the Customer may object to any such changes on reasonable grounds, in which event either party shall have the right to terminate this Agreement on giving the other party 30 days’ written notice, without liability to the other party. If the Customer has not objected to any such changes within a period of 30 days of the date of the notification of the changes, the Customer shall be deemed to have accepted such changes.
5.15 If the Customer, acting reasonably, at any time considers that the Security Measures do not offer a sufficient level of security and protection for the processing of Customer Personal Data, having regard to the nature and purpose of the processing, the Customer shall immediately notify the Supplier, together with such additional security measures which the Customer requires to be implemented to offer sufficient protection. Any such measures shall be implemented at the Customer's sole cost and expense. If it is not possible or reasonably practicable for the Supplier to implement such additional security measures (having regard to the Supplier's wider business) and/or if the Customer does not agree to the additional costs associated with such security measures, either party may terminate this Agreement on 30 days' prior written notice.
5.16 From time to time, the Supplier may offer new or enhanced Security Measures to the Customer at additional cost (Enhanced Security). The Customer acknowledges that it is the Customer’s decision whether or not to implement such Enhanced Security. If the Customer chooses not to implement such Enhanced Security, the Supplier shall not be liable for any loss, harm or damage which the Supplier can demonstrate was directly caused by or attributable to the Customer’s failure to adopt such recommended measures (and which the Supplier can demonstrate would not have arisen if the Customer had implemented the recommended Enhanced Security). For the avoidance of doubt, from time to time, the Supplier may also implement new or enhanced security measures free of charge, pursuant to clause 5.14.1.
Appears in 1 contract
Sources: Software as a Service Agreement
Customer Personal Data. 5.1 The parties acknowledge and agree that:
5.1.1 this clause 5 sets out the parties’ respective obligations in respect of the processing of personal data under this Agreement;
5.1.2 to the extent that the Customer (including any Authorised Users or Learners) uploads, transmits, stores or otherwise communicates personal data to or via the Software, the Customer shall be the data controller in respect of such Customer Personal Data and the Supplier shall be acting as a data processor on behalf of the Customer.
5.2 The Supplier shall also process personal data in connection with the Agreement in its own capacity as a data controller (where the Supplier is to determine the purposes and means of the processing, including, for example, contact details for the representative of the Customer). Except where this clause 5 refers generally to personal data, the provisions of this clause 5 will not apply to such processing but the Supplier will undertake such processing in accordance with its legal obligations to data subjects under Data Protection Legislation.
5.3 Both parties shall comply with their respective obligations under Data Protection Legislation, the provisions of this clause 5 and any applicable Data Protocol in respect of all Customer Personal Data processed in connection with this Agreement.
5.4 As a data controller, it is the Customer's responsibility to ensure that the Customer is entitled to process and to authorise the Supplier to process the Customer Personal Data in the manner and for the duration envisaged by this Agreement. If at any time the Customer has reason to believe that the processing of any Customer Personal Data under this Agreement is in breach of the Data Protection Legislation, the Customer shall immediately notify the Supplier, together with an explanation of the concern.
5.5 Prior to sharing any Customer Personal Data with the Supplier, the Customer shall identify the lawful basis on which the parties can rely under Data Protection Legislation to process such Customer Personal Data. Unless the lawful basis the Customer wishes to rely on is performance of a contract or the data subject's consent, the Customer shall inform the Supplier of the lawful basis for processing such Customer Personal Data (prior to sharing such personal data with the Supplier) and if the lawful basis for processing changes, the Customer shall notify the Supplier as soon as practicable, but in any event no later than 14 days after such change occurs.
5.6 The Customer shall always ensure that the Customer’s instructions to the Supplier for the processing of Customer Personal Data under this Agreement comply with Data Protection Legislation and that compliance with such instructions would not cause the Supplier to breach the Data Protection Legislation.
5.7 The Customer shall be responsible for the provision of the corresponding fair processing information to relevant data subjects and for obtaining any consents that may be required (in each case to the extent necessary in order to comply with Data Protection Legislation) from that data subject. The Customer shall ensure that such fair processing notices are accurate and complete, and that any consents are sufficient in order for the Supplier to lawfully process the Customer Personal Data in the manner set out in this clause 5.
5.8 If the Customer requires the Supplier to transfer any Customer Personal Data to a third-party provider engaged by the Customer, the Customer shall be solely responsible for identifying the lawful basis under the Data Protection Legislation on which the parties can rely under the Data Protection Legislation to transfer such Customer Personal Data to the relevant third-party provider (and the Customer shall notify the Supplier of the same). A written data processing agreement must be in place between the Customer and such provider. The Customer acknowledges and agrees that the Supplier has no control over and shall have no liability in respect of how any personal data is processed by such third-party provider engaged by the Customer.
5.9 If the Customer has requested integration of the Software with any third-party applications, it shall be Customer’s sole responsibility to ensure such third-party integration complies with Data Protection Legislation. Such third parties shall either be data controllers or data processors on behalf of the Customer and shall have no direct relationship with the Supplier. The Supplier shall not be responsible or liable for the way in which other data controllers and/or the Customer’s other data processors process the Customer Personal Data.
5.10 In respect of the Customer Personal Data processed by the Supplier as a data processor on behalf of the Customer, the Supplier shall:
5.10.1 only process Customer Personal Data on behalf of the Customer where and to the extent necessary to deliver the Services, and otherwise to perform the Supplier's obligations under this Agreement and applicable laws, and only in accordance with the terms of this clause 5, any applicable Data Protocol, and any additional reasonable instructions the Customer may issue from time to time (provided that such instructions are within the scope of the Supplier's obligations under this clause 5), unless otherwise required by law, regulation, court of competent jurisdiction or any other governmental or regulatory body;
5.10.2 ensure that personnel who have access to and/or process the Customer Personal Data are obliged to keep the Customer Personal Data confidential;
5.10.3 not transfer the Customer Personal Data outside of the United Kingdom or European Economic Area (EEA) without complying with the provisions of the Data Protection Legislation in respect of such transfer, save that if the Customer requires the Supplier to transfer any Customer Personal Data outside the United Kingdom or EEA pursuant to the Customer’s instructions, it shall be the Customer’s responsibility to ensure that any such transfer complies with the provisions of the Data Protection Legislation and to notify the Supplier of any specific instructions or restrictions in respect of the same;
5.10.4 notify the Customer without undue delay if the Supplier becomes aware of any personal data breach or of any request or objection from a data subject pursuant to the Data Protection Legislation, in each case relating to the Customer Personal Data;
5.10.5 to the extent that the Customer does not have the ability to address a Data Subject Request in respect of the Supplier's processing of Customer Personal Data, the Supplier shall, upon the Customer’s request and insofar as is reasonably possible, provide commercially reasonable assistance, at the Customer’s cost, to facilitate such Data Subject Request;
5.10.6 reasonably assist the Customer, at the Customer’s cost, in ensuring compliance with the Customer’s obligations under the Data Protection Legislation with respect to consultations with supervisory authorities or regulators;
5.10.7 provide the Customer with reasonable cooperation and assistance, at the Customer’s cost, as may be required to fulfil the Customer’s obligation under the GDPR to carry out a data protection impact assessment related to the Services, to the extent that the Customer does not otherwise have access to the relevant information and to the extent that such information is available to the Supplier;
5.10.8 inform the Customer without undue delay after becoming aware of the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Customer Personal Data transmitted, stored or otherwise processed by the Supplier in connection with this Agreement;
5.10.9 maintain records and information regarding the Supplier's processing activities in respect of the Customer Personal Data to demonstrate the Supplier's compliance with this clause 5;
5.10.10 allow for audits by the Customer or the Customer’s designated auditor of the Supplier's systems and procedures relevant to the processing of Customer Personal Data, provided that in the case of any audit, the Customer shall:
(i) comply with any reasonable requirements or security restrictions that the Supplier may impose to safeguard the Supplier's systems, personal data the Supplier holds on behalf of other customers and clients and the Supplier's own confidential or commercially sensitive information and to avoid unreasonable disruption to the Supplier's business and operations;
(ii) reimburse the Supplier for any time expended by the Supplier for any such audit, at the Supplier's then current professional services rates, which shall be made available to the Customer upon request, which costs shall be reasonable, taking into account the resources expended by the Supplier; and
(iii) before the commencement of any audit, the parties shall mutually agree on the scope, timing, and duration of the audit.
5.11 The Supplier shall implement appropriate technical and organisational measures, taking into account the nature and purposes of the processing (to the best of its knowledge), for the protection and security of the Customer Personal Data and to protect against the unauthorised or unlawful processing of the Customer Personal Data and against accidental loss or destruction of, or damage to, the Customer Personal Data (the Security Measures). The Security Measures shall be appropriate to the nature of the personal data to be protected to the best of the Supplier's knowledge, it being acknowledged that the Supplier may not have full oversight over the categories and types of Customer Personal Data subject to the processing (including where processing is automatic).
5.12 The Customer shall also implement its own appropriate technical and organisational measures, taking into account the nature and purposes of the processing, for the protection and security of the Customer Personal Data and to protect against the unauthorised or unlawful processing of the Customer Personal Data and against accidental loss or destruction of, or damage to, the Customer Personal Data, appropriate to the nature of the personal data to be protected.
5.13 A summary of the Security Measures currently adopted by the Supplier is set out in Schedule 4 to this Agreement, further details of which are available from the Supplier upon request and which the Customer has the opportunity to review and assess in accordance with the Customer's own obligations under Data Protection Legislation. The Customer shall be responsible for ensuring that it is satisfied with the level of security offered by the Supplier in respect of its processing of Customer Personal Data and that the same meet the Customer's requirements as a data controller of the Customer Personal Data.
5.14 The Supplier reserves the right to revise the Security Measures at any time:
5.14.1 without notice, provided that such revisions will not materially reduce the overall security provided for the Customer Personal Data that the Supplier processes; or, in all other cases,
5.14.2 by notifying the Customer of the same, provided that the Supplier considers such revised Security Measures are still sufficient to enable the Supplier to comply with its obligations under this clause 5 and the Data Protection Legislation, including in particular clause 5.11. Within a period of 30 days of the date of notification of such changes, the Customer may object to any such changes on reasonable grounds, in which event either party shall have the right to terminate this Agreement on giving the other party 30 days’ written notice, without liability to the other party. If the Customer has not objected to any such changes within a period of 30 days of the date of the notification of the changes, the Customer shall be deemed to have accepted such changes.
5.15 If the Customer, acting reasonably, at any time considers that the Security Measures do not offer a sufficient level of security and protection for the processing of Customer Personal Data, having regard to the nature and purpose of the processing, the Customer shall immediately notify the Supplier, together with such additional security measures which the Customer requires to be implemented to offer sufficient protection. Any such measures shall be implemented at the Customer's sole cost and expense. If it is not possible or reasonably practicable for the Supplier to implement such additional security measures (having regard to the Supplier's wider business) and/or if the Customer does not agree to the additional costs associated with such security measures, either party may terminate this Agreement on 30 days' prior written notice.
5.16 From time to time, the Supplier may offer new or enhanced Security Measures to the Customer at additional cost (Enhanced Security). The Customer acknowledges that it is the Customer’s decision whether or not to implement such Enhanced Security. If the Customer chooses not to implement such Enhanced Security, the Supplier shall not be liable for any loss, harm or damage which the Supplier can demonstrate was directly caused by or attributable to the Customer’s failure to adopt such recommended measures (and which the Supplier can demonstrate would not have arisen if the Customer had implemented the recommended Enhanced Security). For the avoidance of doubt, from time to time, the Supplier may also implement new or enhanced security measures free of charge, pursuant to clause 5.14.1.
Appears in 1 contract
Sources: Software as a Service Agreement
Customer Personal Data. 5.1 The parties acknowledge Customer shall own all right, title and agree that:
5.1.1 this clause 5 sets out the parties’ respective obligations interest in respect and to all of the processing Customer Data and shall have sole responsibility for the legality, reliability, integrity, accuracy, GDPR compliance and quality of personal data under this Agreement;
5.1.2 to the extent that the Customer (including any Authorised Users) uploads, transmits, stores or otherwise communicates personal data to or via the Software, the Customer shall be the data controller in respect of such Customer Personal Data and the Data. The Supplier shall be acting as a have no responsibility for incorrect data processor on behalf of the Customerinput.
5.2 The Supplier shall also process personal data in connection with the Agreement in its own capacity as a data controller (where the Supplier is to determine the purposes and means of the processing, including, for example, contact details for the representative of the Customer). Except where this clause 5 refers generally to personal data, the provisions of this clause 5 will not apply to such processing but the Supplier will undertake such processing in accordance with its legal obligations to data subjects under Data Protection Legislation.
5.3 Both parties shall comply with their respective obligations under Data Protection Legislation, the provisions of this clause 5 and any applicable Data Protocol in respect of all Customer Personal Data processed in connection with this Agreement.
5.4 As a data controller, it is the Customer's responsibility to ensure that the Customer is entitled to process and to authorise the Supplier to process the Customer Personal Data in the manner and for the duration envisaged by this Agreement. If at any time the Customer has reason to believe that the processing of any Customer Personal Data under this Agreement is in breach of the Data Protection Legislation, the Customer shall immediately notify the Supplier, together with an explanation of the concern.
5.5 Prior to sharing any Customer Personal Data with the Supplier, the Customer shall identify the lawful basis on which the parties can rely under Data Protection Legislation to process such Customer Personal Data. Unless the lawful basis the Customer wishes to rely on is performance of a contract or the data subject's consent, the Customer shall inform the Supplier of the lawful basis for processing such Customer Personal Data (prior to sharing such personal data with the Supplier) and if the lawful basis for processing changes, the Customer shall notify the Supplier as soon as practicable, but in any event no later than 14 days after such change occurs.
5.6 5.3 The Customer shall always ensure that the Customer’s instructions to the Supplier for the processing of Customer Personal Data under this Agreement comply with Data Protection Legislation and that compliance with such instructions would not cause the Supplier to breach the Data Protection Legislation.
5.7 5.4 The Customer shall be responsible for the provision of the corresponding fair processing information to relevant data subjects and for obtaining any consents that may be required (in each case to the extent necessary in order to comply with Data Protection Legislation) from that data subject. The Customer shall ensure that such fair processing notices are accurate and complete, and that any consents are sufficient in order for the Supplier to lawfully process the Customer Personal Data in the manner set out in this clause 5.
5.8 5.5 The Supplier shall, in providing the Services, comply with the General Data Protection Regulation (GDPR) and its Privacy and Data Protection Policies relating to the privacy and security of the Customer Data available at ▇▇▇.▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇.▇▇▇ or such other website address as may be notified to the Customer from time to time, as such document may be amended from time to time by the Supplier in its sole discretion.
5.6 The Supplier occasionally processes Customer Data in order to fulfil all requirements set out by the Education and Skills Funding Agency’s (ESFA) ILR Specification documentation. This is a necessary requirement to satisfy the Customer’s contractual obligations with the ESFA, when holding a lead contract, for submission of monthly Individualised Learner Records (ILR).
5.7 If the Supplier processes any personal data on the Customer’s behalf when performing its obligations under this agreement, the parties record their intention that the Customer shall be the data controller and the Supplier shall be a data processor and in any such case:
(a) the Customer shall provide a Data Processing Agreement as required by General Data Protection Regulation (GDPR);
(b) the Customer acknowledges and agrees that if any personal data is transferred or stored outside the EEA or the country where the Customer and the Authorised Users are located in order to carry out the Services and the Supplier’s other obligations under this agreement, then all appropriate policies and safeguards must be in place;
(c) the Customer shall ensure that the Customer has consent to transfer the relevant personal data to the Supplier so that the Supplier may lawfully use, process and transfer the personal data in accordance with this agreement on the Customer's behalf;
(d) the Customer shall ensure that the relevant third parties have been informed of, and have given their consent to, such use, processing, and transfer as required by all applicable General Data Protection Regulation (GDPR) legislation;
5.8 If the Customer requires the Supplier to transfer any Customer Personal Data to a third-party provider engaged by the Customer, the Customer shall be solely responsible for identifying the lawful basis under the Data Protection Legislation on which the parties can rely under the Data Protection Legislation to transfer such Customer Personal Data to the relevant third-party provider (and the Customer shall notify the Supplier of the same). A written data processing agreement must be in place between the Customer and such provider. The Customer acknowledges and agrees that the Supplier has no control over and shall have no liability in respect of how any personal data is processed by such third-party provider engaged by the Customer.
5.9 If the Customer has requested integration of the Software with any third-party applications, it shall be Customer’s sole responsibility to ensure such third-party integration complies with Data Protection Legislation. Such third parties shall either be data controllers or data processors on behalf of the Customer and shall have no direct relationship with the Supplier. The Supplier shall not be responsible or liable for the way in which other data controllers and/or the Customer’s other data processors process the Customer Personal Data.
5.10 In respect of the Customer Personal Data processed by the Supplier as a data processor on behalf of the Customer, the Supplier shall:
5.10.1 only process Customer Personal Data on behalf of the Customer where and to the extent necessary to deliver the Services, and otherwise to perform the Supplier's obligations under this Agreement and applicable laws, and only in accordance with the terms of this clause 5, any applicable Data Protocol, and any additional reasonable instructions the Customer may issue from time to time (provided that such instructions are within the scope of the Supplier's obligations under this clause 5), unless otherwise required by law, regulation, court of competent jurisdiction or any other governmental or regulatory body;
5.10.2 ensure that personnel who have access to and/or process the Customer Personal Data are obliged to keep the Customer Personal Data confidential;
5.10.3 not transfer the Customer Personal Data outside of the United Kingdom or European Economic Area (EEA) without complying with the provisions of the Data Protection Legislation in respect of such transfer, save that if the Customer requires the Supplier to transfer any Customer Personal Data outside the United Kingdom or EEA pursuant to the Customer’s instructions, it shall be the Customer’s responsibility to ensure that any such transfer complies with the provisions of the Data Protection Legislation and to notify the Supplier of any specific instructions or restrictions in respect of the same;
5.10.4 notify the Customer without undue delay if the Supplier becomes aware of any personal data breach or of any request or objection from a data subject pursuant to the Data Protection Legislation, in each case relating to the Customer Personal Data;
5.10.5 to the extent that the Customer does not have the ability to address a Data Subject Request in respect of the Supplier's processing of Customer Personal Data, the Supplier shall, upon the Customer’s request and insofar as is reasonably possible, provide commercially reasonable assistance, at the Customer’s cost, to facilitate such Data Subject Request;
5.10.6 reasonably assist the Customer, at the Customer’s cost, in ensuring compliance with the Customer’s obligations under the Data Protection Legislation with respect to consultations with supervisory authorities or regulators;
5.10.7 provide the Customer with reasonable cooperation and assistance, at the Customer’s cost, as may be required to fulfil the Customer’s obligation under the GDPR to carry out a data protection impact assessment related to the Services, to the extent that the Customer does not otherwise have access to the relevant information and to the extent that such information is available to the Supplier;
5.10.8 inform the Customer without undue delay after becoming aware of the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Customer Personal Data transmitted, stored or otherwise processed by the Supplier in connection with this Agreement;
5.10.9 maintain records and information regarding the Supplier's processing activities in respect of the Customer Personal Data to demonstrate the Supplier's compliance with this clause 5;
5.10.10 allow for audits by the Customer or the Customer’s designated auditor of the Supplier's systems and procedures relevant to the processing of Customer Personal Data, provided that in the case of any audit, the Customer shall:
(i) comply with any reasonable requirements or security restrictions that the Supplier may impose to safeguard the Supplier's systems, personal data the Supplier holds on behalf of other customers and clients and the Supplier's own confidential or commercially sensitive information and to avoid unreasonable disruption to the Supplier's business and operations;
(ii) reimburse the Supplier for any time expended by the Supplier for any such audit, at the Supplier's then current professional services rates, which shall be made available to the Customer upon request, which costs shall be reasonable, taking into account the resources expended by the Supplier; and
(iii) before the commencement of any audit, the parties shall mutually agree on the scope, timing, and duration of the audit.
5.11 The Supplier shall implement appropriate technical and organisational measures, taking into account the nature and purposes of the processing (to the best of its knowledge), for the protection and security of the Customer Personal Data and to protect against the unauthorised or unlawful processing of the Customer Personal Data and against accidental loss or destruction of, or damage to, the Customer Personal Data (the Security Measures). The Security Measures shall be appropriate to the nature of the personal data to be protected to the best of the Supplier's knowledge, it being acknowledged that the Supplier may not have full oversight over the categories and types of Customer Personal Data subject to the processing (including where processing is automatic).
5.12 The Customer shall also implement its own appropriate technical and organisational measures, taking into account the nature and purposes of the processing, for the protection and security of the Customer Personal Data and to protect against the unauthorised or unlawful processing of the Customer Personal Data and against accidental loss or destruction of, or damage to, the Customer Personal Data, appropriate to the nature of the personal data to be protected.
5.13 A summary of the Security Measures currently adopted by the Supplier is set out in Schedule 4 to this Agreement, further details of which are available from the Supplier upon request and which the Customer has the opportunity to review and assess in accordance with the Customer's own obligations under Data Protection Legislation. The Customer shall be responsible for ensuring that it is satisfied with the level of security offered by the Supplier in respect of its processing of Customer Personal Data and that the same meet the Customer's requirements as a data controller of the Customer Personal Data.
5.14 The Supplier reserves the right to revise the Security Measures at any time:
5.14.1 without notice, provided that such revisions will not materially reduce the overall security provided for the Customer Personal Data that the Supplier processes; or, in all other cases,
5.14.2 by notifying the Customer of the same, provided that the Supplier considers such revised Security Measures are still sufficient to enable the Supplier to comply with its obligations under this clause 5 and the Data Protection Legislation, including in particular clause 5.11. Within a period of 30 days of the date of notification of such changes, the Customer may object to any such changes on reasonable grounds, in which event either party shall have the right to terminate this Agreement on giving the other party 30 days’ written notice, without liability to the other party. If the Customer has not objected to any such changes within a period of 30 days of the date of the notification of the changes, the Customer shall be deemed to have accepted such changes.
5.15 If the Customer, acting reasonably, at any time considers that the Security Measures do not offer a sufficient level of security and protection for the processing of Customer Personal Data, having regard to the nature and purpose of the processing, the Customer shall immediately notify the Supplier, together with such additional security measures which the Customer requires to be implemented to offer sufficient protection. Any such measures shall be implemented at the Customer's sole cost and expense. If it is not possible or reasonably practicable for the Supplier to implement such additional security measures (having regard to the Supplier's wider business) and/or if the Customer does not agree to the additional costs associated with such security measures, either party may terminate this Agreement on 30 days' prior written notice.
5.16 From time to time, the Supplier may offer new or enhanced Security Measures to the Customer at additional cost (Enhanced Security). The Customer acknowledges that it is the Customer’s decision whether or not to implement such Enhanced Security. If the Customer chooses not to implement such Enhanced Security, the Supplier shall not be liable for any loss, harm or damage which the Supplier can demonstrate was directly caused by or attributable to the Customer’s failure to adopt such recommended measures (and which the Supplier can demonstrate would not have arisen if the Customer had implemented the recommended Enhanced Security). For the avoidance of doubt, from time to time, the Supplier may also implement new or enhanced security measures free of charge, pursuant to clause 5.14.1.
Sources: Software as a Service Agreement