Common use of DATA PROCESSING INFORMATION Clause in Contracts

DATA PROCESSING INFORMATION.

22.1 The Parties acknowledge that under the term of the agreement the Customer is a *Data Controller and the Provider is a *Data Processor.

*A Data Controller is an organisation who determines the manner and purpose of the processing of personal data.

*A Data Processor is an organisation who processes personal data under the instruction of the Data Controller.

22.2 The Data Processor agrees to process the Personal Data only for the purposes outlined in the Agreement and strictly for no other purpose without the written authority of the Data Controller.

22.3 The Data Processor will NOT disclose or share the Personal Data processed under the Agreement, with any third party without the written authority of the Data Controller.

22.4 The Data Processor is prohibited from publishing, copying, transferring or duplicating any information without the written authority of the Data Controller.

22.5 The Data Processor agrees to only process the Personal Data in accordance with the Data Controller’s instructions, and only for the purposes of providing the Hosted Services. The Parties shall not process Personal Data in a way that is incompatible with the purposes described in this agreement.

22.6 Each party shall appoint a single point of contact (SPoC) who will work together to reach an agreement with regards to any issues arising from the data sharing and to actively improve the effectiveness of the data sharing initiative. The points of contact for each of the parties are specified in the Services Order Form.

22.7 The Parties agree that the Personal Data processed under the Agreement must be lawfully in accordance with the Privacy Legislation during the Term of the Agreement. Further, the Data Controller shall ensure that the processing satisfies the appropriate conditions.

22.8 The Data Controller agrees to review the accuracy of the personal data and make any necessary changes/updates to the inaccurate data.

22.9 Both parties agree that the Data Subjects (individuals whose data are processed or published) have the rights to access, modify, erase or restrict access to their personal data.

22.10 To facilitate the above rights, the Data Processor agrees to store or record the Personal Data processed under the Agreement in a structured, commonly used and machine-readable form.

22.11 The Data Processor agrees to notify the Data Controller immediately and no later than 48 hours upon receipt by the Data Processor of a request from an individual seeking to exercise any of their rights under the Privacy and Data Protection Legislation, including those rights as described in clause 22.10 above. The Data Processor agrees to notify the Data Controller immediately and no later than 48 hours upon receipt of any complaint from an individual regarding the processing of Personal Data under the Agreement. The Data Processor will provide the Data Controller with full co-operation and assistance in relation to any such complaint or request from an individual regarding the Processing of Personal Data.

22.12 The Data Processor’s SPoC is required to maintain a record of requests or complaints from data subjects seeking to exercise their rights under the Privacy and Data Protection Legislation, including requests for Personal Data processed under this Agreement. The records described in this clause must include copies of the request or complaint, details of the data accessed and shared and, where relevant, notes of measures taken by the Data Processor to resolve the complaint.

22.13 The Data Processor agrees to maintain records of all Personal Data processed under the Agreement and its processing activities. The Data Controller reserves the right to inspect the records maintained by the Data Processor at any time.

22.14 The Data Processor shall not retain or process Personal Data for longer than is necessary to carry out the Agreement or for longer than any period set by the Data Controller. For the avoidance of doubt, the Data Controller reserves the right to determine the periods for which the Data Processor may retain the Personal Data processed under this Agreement.

22.15 On the instructions of the Data Controller, the Data Processor shall ensure that the Personal Data processed under this Agreement are returned to the Data Controller or destroyed in accordance with the Data Controller’s instructions. The Data Controller reserves the right to issue instructions to the Data Processor under this Clause at any time.

22.16 Following the deletion of Personal Data under clause 22.15 and 22.16, the Data Processor shall notify the Data Controller that the Personal Data in question has been deleted.

22.17 The Data Processor shall not disclose or transfer the Personal Data to a third party located outside the EEA without the prior written authorisation of the Data Controller. If the Data Controller authorises the disclosure of the Personal Data to a third party, the Data Processor agrees to enter into an information sharing agreement with any relevant third party which reflects the terms of the Agreement.

22.18 The Data Processor agrees to implement appropriate technological and organisational measures to prevent unauthorised or unlawful processing of the Personal Data and the accidental loss or destruction of, or damage to, the Personal Data.

22.19 It is the responsibility of each Party to ensure that its staff members are appropriately trained to handle and process the Personal Data in accordance with applicable national data protection laws and guidance.

22.20 The Data Processor recognises that the Data Controller may be required to disclose information about the Agreement, the services provided by the Data Processor under the Agreement and the processing carried out under the Agreement. The Data Processor agrees to provide any reasonable assistance to the Data Controller as is necessary to enable the Data Controller to comply with its obligations.

22.21 The Data Processor is under a strict obligation to immediately notify and inform the Data Controller of any Data Security Breach and no later than within 24 hours of the Data Processor becoming aware of the breach. The Data Processor agrees to provide any reasonable assistance to facilitate the handling of any Data Security Breach in a fast and compliant manner.

22.22 The Parties shall review the effectiveness of the processing of Personal Data under this Agreement every 12 months. The Data Controller may continue, amend or terminate the Agreement depending on the outcome of this review.

22.23 In the event of a dispute or claim brought by a Data Subject or the Data Protection Authority concerning the processing of Personal Data against either or both parties, the Parties will inform each other about any such disputes or claims, and will cooperate with a view to settling them amicably in a timely fashion.

22.24 The Parties agree to respond to any generally available non-binding mediation procedure initiated by a Data Subject or by the Data Protection Authority. The Parties also agree to consider participating in any other arbitration, mediation or other dispute resolution proceedings developed for data protection disputes.

22.25 If Personal Data is stored or processed, the Data Controller shall specify the following information in the Services Order Form:

1. Categories of data subject
- Staff including volunteers, agents, temporary and casual workers
- Customers and clients
- Suppliers
- Members or supporters
- Complainants, correspondents and enquirers
- Relatives, guardians and associates of the data subject
- Advisers, consultants and other professional experts
- Patients
- Students and pupils
- Offenders and suspected offenders

Appears in 3 contracts

Sources: Hosted Services Agreement, Hosted Services Agreement, Hosted Services Agreement