DATA CONTROLLER OBLIGATIONS Clause Samples

DATA CONTROLLER OBLIGATIONS. 1.1 The Data Controller shall comply with all Data Protection Laws in connection with the processing of Protected Data, the Services and the exercise and performance of its respective rights and obligations under this Addendum, including maintaining all relevant regulatory registrations and notifications as required under Data Protection Laws. 1.2 The Data Controller warrants, represents and undertakes, that: 1.2.1 all Protected Data sourced or provided by the Data Controller for use in connection with the Services, shall comply in all respects, including in terms of its collection, storage and processing, with Data Protection Laws; and 1.2.2 all instructions given by the Data Controller to the Data Processor in respect of Protected Data shall at all times be in accordance with Data Protection Laws.

DATA CONTROLLER OBLIGATIONS. 5.1. The RSP shall provide Customer Personal Data to NBI only to the extent necessary to enable NBI achieve the Processing Purposes and in this regard the RSP shall not provide any excessive or unnecessary Customer Personal Data to NBI. All Customer Personal Data provided by the RSP to the NBI shall be accurate and up to date. 5.2. The RSP acknowledges that NBI is reliant on the RSP for lawful instruction as to the extent of the NBI’s processing of Customer Personal Data and accordingly the RSP agrees to provide clear written instructions in a timely manner to NBI, which shall at all times be in compliance with the Data Protection Laws. 5.3. Notwithstanding clause 5.2 above, NBI retains the discretion to refuse any such instruction received if, in NBI’s reasonable opinion, such instruction infringes the Data Protection Laws or any other applicable law. In such circumstances, NBI shall notify in writing the RSP of same, including the reasons underlying its opinion. 5.4. As regards access to the NBI Operational Environment, the RSP shall ensure that its staff, employees, contractors and all other personnel authorised to access NBI Operational Environment, shall ensure the security and confidentiality of all passwords, credentials and access

DATA CONTROLLER OBLIGATIONS. 4.1 Each Party hereby undertakes to the other that it shall comply, when applicable, with the obligations of a Controller under the provisions of the GDPR and undertakes that it will only process Personal Data as is necessary to perform its obligations under the Agreement in accordance with Data Protection Laws.

DATA CONTROLLER OBLIGATIONS. 2.1 The Parties acknowledge that for the purposes of the Data Protection Legislation, the Customer and the Supplier are both Controllers. Supplier shall only process data: (i) in accordance with this Agreement (including Annex A) or any further instructions from Customer; and (ii) only to the extent, and in such a manner, as is necessary for the purposes of performing their obligations under this Agreement. Supplier shall only Process Personal Data strictly in accordance with Customer’s written instructions and shall not use the Processed Personal Data for any other purpose. 2.2 Each Controller shall comply with the obligations that apply to it under applicable Data Protection Legislation in relation to the Processed Personal Data, and to the extent that a Controller under this Agreement is Processing Personal Data on behalf of the other party, it will Process such Personal Data in compliance with the Data Protection Legislation and the terms of this Agreement (including Annex A). 2.3 Both Parties agree to notify the other Party immediately if it considers that any of the Customer's instructions infringe the Data Protection Legislation. 2.4 Neither Controller will transfer Processed Personal Data outside the EEA without first entering into: (i) the Standard Contractual Clauses with the importer of the Processed Personal Data attached hereto as Annex C; or, (ii) any other permitted transfer mechanism prescribed by Data Protection Legislation. 2.5 Both Parties agree to implement and maintain Protective Measures to protect the Processed Personal Data from a Security Incident. Such measures shall have regard to the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. Such measures shall include, as appropriate those contained in Annex B.

DATA CONTROLLER OBLIGATIONS. Each Party shall in relation to the Processing of the Personal Data comply with its respective obligations under the Data Protection Laws. Without limiting the generality of the obligation set out in Paragraph 1.2.1, in particular, each Party shall: where required to do so make due notification to the ICO; ensure it is not subject to any prohibition or restriction which would: prevent or restrict it from disclosing or transferring the Personal Data to the other Party as required under this Agreement; prevent or restrict it from granting the other Party access to the Personal Data as required under this Agreement; or prevent or restrict either Party from Processing the Personal Data, as envisaged under this Agreement; ensure that all fair processing notices have been given (and/or, as applicable, consents obtained) and are sufficient in scope to enable each Party to Process the Personal Data as required in order to obtain the benefit of its rights and to fulfil its obligations under this Agreement in accordance with the Data Protection Laws; ensure that all Personal Data disclosed or transferred to, or accessed by, the other Party is accurate and up-to-date, as well as adequate, relevant and not excessive to enable either Party to Process the Personal Data as envisaged under this Agreement; ensure that appropriate technical and organisational security measures are in place sufficient to comply with at least the obligations imposed on the Controller by the Security Requirements: notify the other Party promptly, and in any event within forty-eight (48) hours of receipt of any Data Subject Request or ICO Correspondence which relates directly or indirectly to the Processing of Personal Data under, or in connection with, this Agreement and together with such notice, provide a copy of such Data Subject Request or ICO Correspondence to the other Party and reasonable details of the circumstances giving rise to it. In addition to providing the notice referred to in this Paragraph 1.2.2(f), each Party shall provide the other Party with all reasonable co-operation and assistance required by the other Party in relation to any such Data Subject Request or ICO Correspondence; use reasonable endeavours to notify the other Party if it is obliged to make a disclosure of any of the Personal Data under any statutory requirement, such notification to be made in advance of such disclosure or immediately thereafter unless prohibited by law; notify the other Party in writing with...

DATA CONTROLLER OBLIGATIONS. Data Controller will cooperate with Data Processor in maintaining accurate contact information in the customer support portal and by providing any information that is reasonably requested to resolve any security incident, including any Breaches, identify its root cause(s), and prevent a recurrence. Data Controller is solely responsible for determining whether to notify the relevant supervisory or regulatory authorities and impacted Data Subjects and for providing such notice.

DATA CONTROLLER OBLIGATIONS. 2.1 We will ensure that We comply with Our obligations as a Controller, including ensuring that We have the appropriate lawful basis for processing in place to enable lawful transfer of the Personal Data to You for the Duration and Purpose of this Data Processing Agreement. 2.2 We have made available a Supplier Privacy Policy that details how Debenhams will process any Personal Data You supply to Us in connection with the provision of the Goods and/or Services under the Principal Agreement.

DATA CONTROLLER OBLIGATIONS. 2.2.1. Each Party shall in relation to the Processing of the Personal Data comply with its respective obligations under the Data Protection Laws. 2.2.2. Without limiting the generality of the obligation set out in Paragraph 2.2.1, in particular, each Party shall: 2.2.2.1. ensure that all fair processing notices have been given (and/or, as applicable, consents obtained) and are sufficient in scope to enable each Party to Process the Personal Data as required in order to obtain the benefit of its rights and to fulfil its obligations under this Agreement in accordance with the Data Protection Laws; 2.2.2.2. ensure that all Personal Data disclosed or transferred to, or accessed by, the other Party is accurate and up-to-date, as well as adequate, relevant and not excessive to enable either Party to Process the Personal Data as envisaged under this Agreement; 2.2.2.3. ensure that appropriate technical and organisational security measures are in place sufficient to comply with at least the obligations imposed on the Controller by the Security Requirements;

DATA CONTROLLER OBLIGATIONS. Data Controller will cooperate with Data Processor in maintaining accurate contact information in the customer support portal and by providing any information that is reasonably requested to resolve any security incident, including any Breaches, identify its root cause(s), and prevent a recurrence. Data Controller is solely responsible for determining whether to notify the relevant supervisory or regulatory authorities and impacted Data Subjects and for providing such notice. 6.3. データ管理者の義務データ管理者は、サポートポータルにおいて正確な連絡先を維持し、違反を含むセキュリティインシデントを解決し、根本原因を特定し、再発を防ぐために合理的に要求されるあらゆる情✲を提供することによってデータ処理者に協力します。データ管理者は、関連する監督または規制当局および被害を受けたデータ主体に通知する✎どう ✎を決定し、通知を行うことにつき単独で責任を負います。