DATA CONTROLLER OBLIGATIONS. 2.1 The Parties acknowledge that for the purposes of the Data Protection Legislation, the Customer and the Supplier are both Controllers. Supplier shall only process data: (i) in accordance with this Agreement (including Annex A) or any further instructions from Customer; and (ii) only to the extent, and in such a manner, as is necessary for the purposes of performing their obligations under this Agreement. Supplier shall only Process Personal Data strictly in accordance with Customer’s written instructions and shall not use the Processed Personal Data for any other purpose. 2.2 Each Controller shall comply with the obligations that apply to it under applicable Data Protection Legislation in relation to the Processed Personal Data, and to the extent that a Controller under this Agreement is Processing Personal Data on behalf of the other party, it will Process such Personal Data in compliance with the Data Protection Legislation and the terms of this Agreement (including Annex A). 2.3 Both Parties agree to notify the other Party immediately if it considers that any of the Customer's instructions infringe the Data Protection Legislation. 2.4 Neither Controller will transfer Processed Personal Data outside the EEA without first entering into: (i) the Standard Contractual Clauses with the importer of the Processed Personal Data attached hereto as Annex C; or, (ii) any other permitted transfer mechanism prescribed by Data Protection Legislation. 2.5 Both Parties agree to implement and maintain Protective Measures to protect the Processed Personal Data from a Security Incident. Such measures shall have regard to the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. Such measures shall include, as appropriate those contained in Annex B.
Appears in 2 contracts
Sources: Framework Terms, Framework Terms