Common use of DATA PROCESSING OBLIGATIONS Clause in Contracts

DATA PROCESSING OBLIGATIONS.

12.1 Where and insofar as, in connection with this Agreement or any Work Order, either party processes personal data on behalf of the other party, the Receiving Party shall:
12.1.1 process the personal data for and on behalf of the Disclosing Party only on the documented instructions of the Disclosing Party, unless the Receiving Party is required by applicable laws to otherwise process that personal data;
12.1.2 carry out any processing only on the documented instructions of the Disclosing Party in accordance with the Work Order, and such other processing and purposes as may be agreed by the parties from time to time;
12.1.3 implement appropriate technical and organisational measures, that the Disclosing Party has had the opportunity to review and approve, to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, and against all other unlawful forms of processing. To the extent such technical and organisational measures have not been approved by the Disclosing Party, the Receiving Party will maintain safeguards no less rigorous than those maintained by it for its own similar personal data, but being in any event sufficient to comply with the Security Requirements;
12.1.4 ensure that Personnel with access to the relevant personal data have entered into appropriate contractually binding confidentiality undertakings;
12.1.5 ensure that access to the personal data is restricted to only those members of its Personnel who require it in order to discharge the Receiving Party’s obligations under this Agreement or any Work Order;
12.1.6 notify the Disclosing Party without undue delay following its receipt of any complaint or Subject Access Request or notification of an audit or an investigation by a Supervisory Authority, and shall provide a copy of such complaint, request, notification or correspondence and reasonable details of the circumstances giving rise to it unless prohibited by law; and
12.1.7 not disclose personal data to any person except as required by the delivery or receipt of the Services, to a Supervisory Authority or as otherwise required by law or with the Disclosing Party’s written consent.

12.2 The Disclosing Party acknowledges that the Receiving Party is reliant on the Disclosing Party for direction as to the extent to which the Receiving Party is entitled to use and process the Disclosing Party’s personal data. Consequently, the Receiving Party will not be liable for any claim brought by a data subject arising from any action or omission by the Receiving Party, to the extent that such action or omission resulted directly from the Disclosing Party’s instructions.

12.3 Where the Receiving Party becomes aware of a personal data breach, it shall notify the Disclosing Party without undue delay and provide reasonable assistance to the Disclosing Party in relation to its obligations under the Data Protection Legislation.

12.4 Where, in connection with this Agreement or any Work Order, the Receiving Party processes personal data on behalf of the Disclosing Party, the Disclosing Party provides its general authorization for the Receiving Party to appoint data sub-processors provided that:
12.4.1 the Receiving Party shall ensure that the terms on which it appoints such processors comply with the Data Protection Legislation, and are consistent with the obligations imposed on the Receiving Party under this Agreement;
12.4.2 shall remain responsible for the acts and omissions of any such sub-processor as if they were the acts and omissions of the Receiving Party; and
12.4.3 shall inform the Disclosing Party of any intended changes concerning the addition or replacement of the sub-processors.

12.5 The Client consents to the appointment by Expleo of its Affiliates incorporated in member states of the European Union as sub-processors of Expleo. Further, the Client acknowledges and agrees that Expleo may transfer, store and process Client Data in various jurisdictions in which Expleo and its Affiliates operate (including outside the European Economic Area or in a country not deemed to provide an adequate level of protection for personal data by the European Commission), provided that the parties ensure that personal data is adequately protected in accordance with the Data Protection Legislation prior to any transfer taking place. In order to achieve this, the parties shall, unless agreed otherwise, rely on the Standard Contractual Clauses for the Transfers of Personal Data to Processors Established in Third Countries, dated 5 February 2010 (2010/87/EU) / as amended from time to time (“EU Model Clauses”) or any equivalent provisions approved by the Information Commissioner’s Office where any personal data is transferred outside of the UK. Prior to any data transfer, the parties shall enter into a data transfer agreement incorporating the EU Model Clauses.

12.6 Except to the extent required by applicable law, upon the termination of this Agreement for any reason, or earlier if instructed in writing by the Disclosing Party to do so, the Receiving Party shall cease processing all personal data and return and/or permanently and securely destroy so that it is no longer retrievable (as directed in writing by the Disclosing Party) all personal data and all copies in its possession or control (and it shall provide the Disclosing Party with a certificate signed by one of its authorised signatories confirming it has done so).

12.7 No party shall unreasonably withhold, delay or condition its agreement to any Change Request of the other party in order to ensure the relevant data processor (and each agreed sub-processor) can comply with the Data Protection Legislation.

12.8 The parties may agree at any time to revise this Clause 12 by replacing it with any applicable controller to processor standard clauses or similar terms forming part of an applicable certification scheme as contemplated by Articles 28(6), 28(7) and 28(8) of the GDPR (which shall apply when replaced by an addendum to this Agreement).

Appears in 1 contract

Sources: Framework Services Agreement

DATA PROCESSING OBLIGATIONS. 12.1 Where and insofar as, in connection with this Agreement or any Work Order, either party 3.1 Each Party shall maintain records which indicate how that Party processes personal data under its responsibility. These records will contain at least the minimum information required by the Data Protection Laws and each Party shall make that information available to any DP Regulator on request. 3.2 To the extent that the Supplier processes Customer Personal Data on behalf of the other partyCustomer, the Receiving Party Supplier shall: 12.1.1 3.2.1 process the personal data for and on behalf of the Disclosing Party that Customer Personal Data only on the documented instructions of the Disclosing PartyCustomer, which shall include processing the Customer Personal Data to the extent necessary for the Purpose, unless the Receiving Party Supplier is otherwise required by applicable laws to otherwise process that personal datalaws. The Supplier shall notify the Customer if its instructions infringe Data Protection Laws or other applicable laws; 12.1.2 carry out any processing only on the documented instructions of the Disclosing Party in accordance with the Work Order, and such other processing and purposes as may be agreed by the parties from time to time; 12.1.3 3.2.2 implement appropriate technical and organisational measures, that the Disclosing Part has had the opportunity to review and approve, measures to protect personal data against unauthorised or unlawful processing of Customer Personal Data and against accidental loss or unlawful destruction of, or accidental lossdamage to, alterationCustomer Personal Data, unauthorised disclosure including as appropriate: a) the pseudonymisation and encryption of Customer Personal Data; b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; c) the ability to restore the availability and access to Customer Personal Data in a 
timely manner in the event of a physical or accesstechnical incident; and d) a process for regularly testing, assessing and against all other unlawful forms evaluating the effectiveness of processing. To the extent such technical and organisational measures have for ensuring the security of the processing; 3.2.3 Notwithstanding the obligations in clause 3.2.2, the Supplier shall comply at all times with its security policy, as set out in the attachment to this Agreement (Attachment 1); 3.2.4 maintain the confidentiality of the Customer Personal Data, not been approved disclose the Customer Personal Data to any third party other than as authorised to do so under this Agreement and ensure that any personnel engaged and authorised by the Disclosing Party, Supplier to process Customer Personal Data have committed themselves to obligations of confidentiality; 3.2.5 assist the Receiving Party will maintain safeguards no less rigorous than those maintained by it for Customer in responding to any request from a data subject and in ensuring the Customer's compliance with its own similar personal data, but being obligations under applicable Data Protection Laws. 
This process shall be provided (at the Customer’s cost) and shall include: a) recording and referring all requests and communications received from data subjects or any DP Regulator to the Customer which relate to any Customer Personal Data promptly (and in any event sufficient to comply with the Security Requirements; 12.1.4 ensure that Personnel with access to the relevant personal have entered into appropriate contractually binding confidentiality undertakings; 12.1.5 ensure that access to the personal data is restricted to only those members within one month of its Personnel who require it in order to discharge the Receiving Party’s obligations under this Agreement or any Work Order; 12.1.6 notify the Disclosing Party without undue delay following its receipt of any complaint or Subject Access Request or notification of an audit or an investigation by a Supervisory Authority, and shall provide a copy of such complaint, request, notification or correspondence and reasonable details of the circumstances giving rise to it unless prohibited by lawreceipt); and 12.1.7 b) not disclose personal data responding to any person except as required by such requests without the delivery or receipt of the Services, to a Supervisory Authority or as otherwise required by law or with the Disclosing Party Customer’s express written consent. 12.2 The Disclosing Party acknowledges that the Receiving Party is reliant on the Disclosing Party for direction as to the extent to which Receiving Party is entitled to use approval and process the Disclosing Party’s personal data. Consequently, the Receiving Party will not be liable for any claim brought by a data subject arising from any action or omission by the Receiving Party, to the extent that such action or omission resulted directly from the Disclosing Party instructions. 
12.3 Where the Receiving Party becomes aware of a personal data breach, it shall notify the Disclosing Party without undue delay and provide reasonable assistance to the Disclosing Party in relation to its obligations under the Data Protection Legislation. 12.4 Where, in connection with this Agreement or any Work Order, the Receiving Party processes personal data on behalf of the Disclosing Party, the Disclosing Party provides its general authorization for the Receiving Party to appoint data sub-processors provided that: 12.4.1 the Receiving Party shall ensure that the terms on which it appoints such processors comply with the Data Protection Legislation, and are consistent with the obligations imposed on the Receiving Party under this Agreement; 12.4.2 shall remain responsible for the acts and omission of any such sub-processor as if they were the acts and omissions of the Receiving Party; and 12.4.3 shall inform the Disclosing Party of any intended changes concerning the addition or replacement of the sub-processors. 12.5 The Client consents to the appointment by Expleo of its Affiliates incorporated in member states of the European Union as sub- processors of Expleo. Further, the Client acknowledges and agrees that Expleo may transfer, store and process Client Data in various jurisdictions in which Expleo and its Affiliates operate (including outside the European Economic Area or in a country not deemed to provide an adequate level of protection for personal data by the European Commission), provided that the parties ensure that personal data is adequately protected strictly in accordance with the Data Protection Legislation prior to any transfer taking place. 
In order to achieve this, the parties shall, Customer’s instructions unless agreed otherwise, rely on the Standard Contractual Clauses for the Transfers of Personal Data to Processors Established in Third Countries, dated 5 February 2010 (2010/87/EU) / as amended from time to time (“EU Model Clauses”) or any equivalent provisions approved by the Information Commissioner’s Office where any personal data is transferred outside of the UK. Prior to any data transfer, the parties shall enter into a data transfer agreement incorporating the EU Model Clauses. 12.6 Except and to the extent required by applicable law. 3.2.6 promptly (and in any event within 72 hours): a) notify the Customer if it (or any of the Sub-Processors or the Supplier personnel) becomes aware of any actual occurrence of any Personal Data Breach in respect of any Customer Personal Data; and b) provide all information as the Customer reasonably requires to report the circumstances to a DP Regulator and to notify affected data subjects under Data Protection Laws. 3.3 Where the Supplier is relying on applicable laws as the basis for processing Customer Processor Data under clause 3.2.1 above, upon the termination Supplier shall use reasonable efforts to notify the Customer of this Agreement for any reason, or earlier if instructed in writing before performing the processing required by the Disclosing Party to do so, applicable laws unless those applicable laws prohibit the Receiving Party shall cease processing all personal data and return and/ or permanently and securely destroy Supplier from so that it is no longer retrievable (as directed in writing by notifying the Disclosing Party) all personal data and all copies in its possession or control (and it shall provide the Disclosing Party with a certificate signed by one of its authorised signatories confirming it has done so)Customer. 
12.7 No party shall unreasonably withhold, delay or condition its agreement to any Change Request of the other party in order to ensure the relevant data processor (and each agreed sub-processor) can comply with the Data Protection Legislation. 12.8 The parties may agree at any time to revise this Clause 12 by replacing it with any applicable controller to processor standard clauses or similar terms forming party of an applicable certification scheme as contemplated by Articles 28(6), 28(7) and 28(8) of the GDPR (which shall apply when replaced by an addendum to this Agreement).

Appears in 1 contract

Sources: Data Processing Agreement

DATA PROCESSING OBLIGATIONS. 12.1 Where 3.1 The parties acknowledge and insofar asagree that, in respect of the Protected Data, each party is an independent controller in common (and not a joint controller). 3.2 Each party shall comply with DP Laws and its obligations under this Agreement in connection with the processing of Protected Data. The Kitchen Provider shall only use Protected Data for the purpose of processing fulfilling the Order in accordance with paragraph 2 or for the Agreed Purpose. 3.3 Applicable DP Laws may in the future change, or be scheduled to change, in a way that either party considers this Agreement is no longer adequate for the purpose of the data sharing arrangements envisaged hereunder. In such circumstances, upon request by either party, the parties (acting reasonably and in good faith) shall promptly meet to discuss, agree and document appropriate changes to the Agreement. 3.4 Each party may deal at its discretion with all Data Subject Requests and Complaints that it receives directly from a Data Subject or the person making the Complaint. The Kitchen Provider shall notify PICKY of Data Subject Requests within 3 days of receipt by the Kitchen Provider of such Data Subject Requests. 3.5 Each party agrees to provide reasonable and prompt assistance to the other party as necessary to enable the other party to comply with Data Subject Requests and/or to respond to any Work Orderother queries or Complaints received from Data Subjects or Supervisory Authorities and, either in each case, related to the Protected Data. 3.6 In respect of any Personal Data Breach (actual or suspected) related to the Protected Data, the Kitchen Provider shall notify PICKY of the breach without undue delay (but no later than 24 hours after becoming aware of the Personal Data Breach) and provide PICKY without undue delay (wherever possible, within 24 hours of becoming aware of the breach) with all details relating to the breach as PICKY reasonably requires. 
3.7 To the extent permitted by Applicable Law, neither party processes personal data on behalf shall: 3.7.1 notify a Supervisory Authority or Data Subject of any Protected Data Breach; or 3.7.2 issue any public statement about or otherwise notify any Data Subject of any Protected Data Breach, without first consulting with, and obtaining the consent of, the other party, such consent not to be unreasonably withheld or delayed. 3.8 The Kitchen Provider shall not retain or process any Protected Data for longer than is necessary in connection with carrying out the Receiving Party shall:Agreed Purpose, or, if longer, to adhere to its binding requirements under Applicable Law. 12.1.1 process the personal data for 3.9 The Kitchen Provider shall without undue delay, and on behalf at PICKY’s written request, either permanently and securely delete or securely provide all of the Disclosing Party only on Protected Data to PICKY once processing by the documented instructions Kitchen Provider of the Disclosing Protected Data is no longer required for a specific Agreed Purpose. 
This requirement shall not apply to the extent retention and storage of any data is required for the Kitchen Provider's own legitimate record keeping purposes or by Applicable Law (in which case the Kitchen Provider shall ensure that such retention and storage is in compliance with DP Laws) 3.10 Each party (the “Indemnifying Party”) shall indemnify and keep indemnified the other party (the “Indemnified Party”) in respect of all DP Losses suffered or incurred by the Indemnified Party, unless the Receiving Party is required by applicable laws to otherwise process that personal data; 12.1.2 carry out arising from or in connection with any processing only on the documented instructions of the Disclosing Party in accordance with the Work Order, and such other processing and purposes as may be agreed breach by the parties from time to time; 12.1.3 implement appropriate technical and organisational measures, that the Disclosing Part has had the opportunity to review and approve, to protect personal data against accidental Indemnifying Party or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, and against all other unlawful forms of processing. To the extent such technical and organisational measures have not been approved by the Disclosing Party, the Receiving Party will maintain safeguards no less rigorous than those maintained by it for its own similar personal data, but being in any event sufficient to comply with the Security Requirements; 12.1.4 ensure that Personnel with access to the relevant personal have entered into appropriate contractually binding confidentiality undertakings; 12.1.5 ensure that access to the personal data is restricted to only those members of its Personnel who require it in order to discharge the Receiving Party’s Data Processors and sub- Processors of its obligations under this Agreement or any Work Order;Schedule. 
12.1.6 notify the Disclosing Party without undue delay following its receipt of any complaint or Subject Access Request or notification of an audit or an investigation by a Supervisory Authority, and 3.11 Each party shall provide a copy of such complaintreasonable assistance, request, notification or correspondence information and reasonable details of the circumstances giving rise to it unless prohibited by law; and 12.1.7 not disclose personal data to any person except as required by the delivery or receipt of the Services, to a Supervisory Authority or as otherwise required by law or cooperation in connection with the Disclosing Party written consent. 12.2 The Disclosing Party acknowledges that the Receiving Party is reliant on the Disclosing Party for direction as Protected Data to the extent other party to which Receiving Party is entitled assist the other party to use and process the Disclosing Party’s personal data. Consequently, the Receiving Party will not be liable for any claim brought by a data subject arising from any action or omission by the Receiving Party, to the extent that such action or omission resulted directly from the Disclosing Party instructions. 12.3 Where the Receiving Party becomes aware of a personal data breach, it shall notify the Disclosing Party without undue delay and provide reasonable assistance to the Disclosing Party in relation to ensure compliance with its obligations under the Data Protection LegislationDP Laws. 
12.4 Where, in connection with this Agreement or any Work Order, the Receiving Party processes personal data on behalf of the Disclosing Party, the Disclosing Party provides its general authorization for the Receiving Party to appoint data sub-processors provided that: 12.4.1 the Receiving Party shall ensure that the terms on which it appoints such processors comply with the Data Protection Legislation, and are consistent with the obligations imposed on the Receiving Party under this Agreement; 12.4.2 shall remain responsible for the acts and omission of any such sub-processor as if they were the acts and omissions of the Receiving Party; and 12.4.3 shall inform the Disclosing Party of any intended changes concerning the addition or replacement of the sub-processors. 12.5 The Client consents to the appointment by Expleo of its Affiliates incorporated in member states of the European Union as sub- processors of Expleo. Further, the Client acknowledges and agrees that Expleo may transfer, store and process Client Data in various jurisdictions in which Expleo and its Affiliates operate (including outside the European Economic Area or in a country not deemed to provide an adequate level of protection for personal data by the European Commission), provided that the parties ensure that personal data is adequately protected in accordance with the Data Protection Legislation prior to any transfer taking place. In order to achieve this, the parties shall, unless agreed otherwise, rely on the Standard Contractual Clauses for the Transfers of Personal Data to Processors Established in Third Countries, dated 5 February 2010 (2010/87/EU) / as amended from time to time (“EU Model Clauses”) or any equivalent provisions approved by the Information Commissioner’s Office where any personal data is transferred outside of the UK. Prior to any data transfer, the parties shall enter into a data transfer agreement incorporating the EU Model Clauses. 
12.6 Except to the extent required by applicable law, upon the termination of this Agreement for any reason, or earlier if instructed in writing by the Disclosing Party to do so, the Receiving Party shall cease processing all personal data and return and/ or permanently and securely destroy so that it is no longer retrievable (as directed in writing by the Disclosing Party) all personal data and all copies in its possession or control (and it shall provide the Disclosing Party with a certificate signed by one of its authorised signatories confirming it has done so). 12.7 No party shall unreasonably withhold, delay or condition its agreement to any Change Request of the other party in order to ensure the relevant data processor (and each agreed sub-processor) can comply with the Data Protection Legislation. 12.8 The parties may agree at any time to revise this Clause 12 by replacing it with any applicable controller to processor standard clauses or similar terms forming party of an applicable certification scheme as contemplated by Articles 28(6), 28(7) and 28(8) of the GDPR (which shall apply when replaced by an addendum to this Agreement).

Appears in 1 contract

Sources: Service Pack

DATA PROCESSING OBLIGATIONS. 12.1 Where and insofar as, in connection with this Agreement or any Work Order, either party 5.1 To the extent that each Party processes personal data Personal Data as a Processor (the “Processing Party”) on behalf of the other party, Party (the Receiving “Controller Party”) in accordance with Annex 1 each Party shall: 12.1.1 process 5.1.1 at all times comply with Controller Party’s documented instructions, subject to compliance with all applicable Data Protection Laws in relation to Processing the personal data for and on behalf of the Disclosing Party only on the documented instructions of the Disclosing Controller Party, unless the Receiving Party is required by applicable laws to otherwise process that personal data’s Personal Data; 12.1.2 carry out any processing only on 5.1.2 take reasonable steps to ensure that access is limited to individuals who are subject to confidentiality undertakings or professional or statutory obligations of confidentiality and who need to know/access Controller Party’s Personal Data for the documented instructions purposes of fulfilling the Disclosing Party in accordance with Processing Party’s obligations under the Work Order, and such other processing and purposes as may be agreed by the parties from time to timeAgreement; 12.1.3 5.1.3 implement and maintain (and provide details of such measures at the Controller Party’s request) appropriate technical and organisational measures to ensure a level of security appropriate to the risk including but not limited to the following: (a) the Pseudonymisation and encryption of Controller Party Personal Data; (b) measure(s) to ensure the ongoing confidentiality and access to Controller Party Personal Data in a timely manner in the event of a physical or technical incident; (c) measure(s) to restore the availability and access to Controller Party Personal Data in a timely manner in the event of a physical or technical incident; 5.1.4 assist the Controller Party 
by implementing and maintaining appropriate technical and organisational measures, that insofar as this is possible, for the Disclosing Part fulfilment of the Controller Party’s obligation to respond to Data Subject’s rights (including but not limited to Access Requests) under Data Protection Laws, in particular: (a) notify the Controller Party by email to: ▇▇▇▇▇▇▇_▇▇▇▇▇▇_▇▇▇▇▇▇▇@▇▇▇.▇▇.▇▇ within 3 Working Days if the Processing Party receives an Access Request from a Data Subject whose Personal Data has had been passed to them from the opportunity to review Controller Party and approve, to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, and against all other unlawful forms of processing. To the extent such technical and organisational measures have not been approved is processed by the Disclosing PartyProcessing Party pursuant to the Agreement and/or this MoA; and (b) in relation to any Access Request received by the Controller Party and shall agree in writing the approach for the secure transfer of any Personal Data relevant to the Data Subject and Access Request, prior to the Receiving Party will maintain safeguards no less rigorous than those maintained by it for its own similar personal data, but being aforementioned transfer taking place as soon as possible and in any event sufficient to comply with the Security Requirements; 12.1.4 ensure that Personnel with access to the relevant personal have entered into appropriate contractually binding confidentiality undertakings; 12.1.5 ensure that access to the personal data is restricted to only those members of its Personnel who require it in order to discharge the Receiving Party’s obligations under this Agreement or any Work Order; 12.1.6 notify the Disclosing Party without undue delay following its receipt within 5 Working Days of any complaint or Subject Access Request or notification of an audit or an investigation by a 
Supervisory Authority, and shall provide a copy of such complaint, request, notification or correspondence and reasonable details of the circumstances giving rise to it unless prohibited by law; and 12.1.7 not disclose personal data to any person except as required by the delivery or receipt of the Services, to a Supervisory Authority or as otherwise required by law or with the Disclosing Party written consent. 12.2 The Disclosing Party acknowledges that the Receiving Party is reliant on the Disclosing Party for direction as to the extent to which Receiving Party is entitled to use and process the Disclosing Party’s personal data. Consequently, the Receiving Party will not be liable for any claim brought by a data subject arising from any action or omission by the Receiving Party, to the extent that such action or omission resulted directly request from the Disclosing Controller Party 5.1.5 assist the Controller Party instructions. 12.3 Where the Receiving Party becomes aware of a personal data breach, it shall notify the Disclosing Party without undue delay and provide reasonable assistance to the Disclosing Party in relation to its ensure compliance with obligations under the Data Protection Legislation.Laws including but not limited to: 12.4 Where, in connection with this Agreement or any Work Order, (a) the Receiving Party processes personal data on behalf security of Processing pursuant to Article 32 of the Disclosing PartyGDPR; (b) notification of a Personal Data Breach to the Supervisory Authority pursuant to Article 33 of the GDPR; (c) communication of a Personal Data Breach to the Data Subject pursuant to Article 34 of the GDPR; and (d) data protection impact assessments, including prior consultation with Data Subjects and the Disclosing Supervisory Authority, which the Controller Party provides its general authorization for reasonably considers to be required pursuant to Articles 35 and 36 of the Receiving GDPR; 5.1.6 within fourteen (14) Working Days 
after the end of the provision of Services, or as directed by the Controller Party to appoint data sub-processors provided thatat any time: 12.4.1 (a) at the Receiving Controller Party’s discretion, (i) delete or (ii) return by secure transfer to the Controller Party (in such format as notified by the Controller Party) all of the Controller Party’s Personal Data; and (b) delete existing copies of all Controller Party’s Personal Data subject to compliance with Data Protection Laws and always provided that the Processing Party shall ensure that the terms on which it appoints security and confidentiality of all such processors comply with the Data Protection LegislationPersonal Data, and are consistent with the obligations imposed on the Receiving Party under this Agreement; 12.4.2 shall remain responsible for the acts and omission of any such sub-processor as if they were the acts and omissions provide evidence of the Receiving Partysame to the Controller Party on request; and 12.4.3 shall 5.1.7 immediately inform the Disclosing Controller Party of any intended changes concerning the addition if, in its opinion, an instruction infringes or replacement of the sub-processors. 12.5 The Client consents to the appointment by Expleo of its Affiliates incorporated in member states of the European Union as sub- processors of Expleo. Further, the Client acknowledges and agrees that Expleo may transfer, store and process Client Data in various jurisdictions in which Expleo and its Affiliates operate (including outside the European Economic Area or in a country not deemed to provide an adequate level of protection for personal data by the European Commission), provided that the parties ensure that personal data is adequately protected in accordance conflicts with the Data Protection Legislation prior to any transfer taking place. 
In order to achieve this, the parties shall, unless agreed otherwise, rely on the Standard Contractual Clauses for the Transfers of Personal Data to Processors Established in Third Countries, dated 5 February 2010 (2010/87/EU) / as amended from time to time (“EU Model Clauses”) or any equivalent provisions approved by the Information Commissioner’s Office where any personal data is transferred outside of the UK. Prior to any data transfer, the parties Laws and shall enter into a data transfer agreement incorporating the EU Model Clauses. 12.6 Except to the extent required by applicable law, upon the termination of this Agreement for any reason, or earlier if instructed in writing by the Disclosing Party to do so, the Receiving Party shall cease processing all personal data and return and/ or permanently and securely destroy so that it is no longer retrievable (as directed in writing by the Disclosing Party) all personal data and all copies in its possession or control (and it shall provide the Disclosing Party with a certificate signed by one of its authorised signatories confirming not commence such Processing until it has done so)received confirmed instructions from the Controller Party. 12.7 No party shall unreasonably withhold, delay or condition its agreement to any Change Request of the other party in order to ensure the relevant data processor (and each agreed sub-processor) can comply with the Data Protection Legislation. 12.8 The parties may agree at any time to revise this Clause 12 by replacing it with any applicable controller to processor standard clauses or similar terms forming party of an applicable certification scheme as contemplated by Articles 28(6), 28(7) and 28(8) of the GDPR (which shall apply when replaced by an addendum to this Agreement).

Appears in 1 contract

Sources: Service Agreement

DATA PROCESSING OBLIGATIONS. 12.1 Where and insofar as, in connection with this Agreement or any Work Order, either party processes personal data on behalf of the other party, the Receiving Party shall: 12.1.1 process the personal data for and on behalf of the Disclosing Party only on the documented written instructions of the Disclosing Party, unless the Receiving Party is required by applicable laws to otherwise process that personal data; 12.1.2 notify the Disclosing Party immediately (and in any event within 24 hours of becoming aware of the same) if it believes that any of the Disclosing Party written instructions infringe the Data Protection Legislation; 12.1.3 carry out any processing only on for the documented instructions of the Disclosing Party Permitted Purpose in accordance with the Data Processing Particulars as set out in a Work Order, and such other processing and purposes as may be agreed by the parties from time to timetime through the change control procedure set out in Clause 9; 12.1.3 12.1.4 implement appropriate technical and organisational measures, that reviewed and approved by the Disclosing Part has had the opportunity to review and approveParty, to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, and against all other unlawful forms of processing. 
To the extent such technical and organisational measures have not been approved by the Disclosing Party, the Receiving Party will maintain safeguards no less rigorous than those maintained by it for its own similar personal data, but being in any event sufficient to comply with the Security Requirements; 12.1.4 12.1.5 take reasonable steps to ensure that the reliability and integrity of its Personnel with who shall have access to the relevant personal data, and ensure that they have entered into appropriate contractually binding confidentiality undertakings; 12.1.5 12.1.6 ensure that access to the personal data is restricted to only those members of its Personnel who require it in order to discharge the Receiving Party’s obligations under this Agreement or any Work Order; 12.1.6 12.1.7 notify the Disclosing Party without undue delay promptly (and in any event within 2 Business Days) following its receipt of any complaint Complaint or Subject Access Request or notification of an audit or an investigation by a Supervisory Authority, and shall provide a copy of such complaint, request, notification or correspondence and reasonable details of the circumstances giving rise to it unless prohibited by law; andit; 12.1.7 12.1.8 not disclose personal data to any person except as required by the delivery or receipt of the Services, to a Supervisory Authority or as otherwise required by law or with the Disclosing Party written consent. 12.2 The Disclosing Party acknowledges that the Receiving Party is reliant on the Disclosing Party for direction as to the extent to which Receiving Party is entitled to use and process the Disclosing Party’s personal data. Consequently, the Receiving Party will not be liable for any claim brought by a data subject arising from any action or omission by the Receiving Party, to the extent that such action or omission resulted directly from the Disclosing Party instructions. 
12.3 Where the Receiving Party becomes aware of a an actual or suspected personal data breach, it shall shall: 12.3.1 notify the Disclosing Party without undue delay as soon as is practicable, but in any event within 24 hours, including details of how the breach occurred and provide reasonable assistance what personal data may have been compromised; 12.3.2 implement any measures necessary to restore the security of compromised personal data; and 12.3.3 assist the Disclosing Party (taking into account the nature of processing and the information available to the Receiving Party), in relation to its ensuring compliance with the Disclosing Party’s obligations under the Data Protection LegislationLegislation with respect to security, breach notifications, impact assessments and consultations with any applicable Supervisory Authority. 12.4 Where, in connection with this Agreement or any Work Order, the Receiving Party processes personal data on behalf of the Disclosing Party, the Disclosing Party provides its general authorization for consents to the Receiving Party to appoint appointing data sub-processors provided that: 12.4.1 the Receiving Party shall ensure that provides the terms on which it appoints Disclosing Party with full details of the data sub-processor before its appointment and the Disclosing Party consents to such processors comply with the Data Protection Legislation, and are consistent with the obligations imposed on the Receiving Party under this Agreementappointment; 12.4.2 shall remain responsible for the acts and omission of any such sub-processor as if they were the acts and omissions of the Receiving Party; and 12.4.3 shall inform the Disclosing Party undertakes thorough due diligence on the proposed data sub-processor, including a risk assessment of any intended changes concerning the addition or replacement information governance related practices and processes of the sub-processorsprocessor, which will be used by the Disclosing Party to inform 
any decision on appointing the proposed sub-processor; 12.4.3 the Disclosing Party appoints such data sub-processor on terms providing equivalent protection in relation to personal data to those set out in this Clause 11 (Data Processing Obligations). 12.5 The Client consents to the appointment by Expleo of its Affiliates incorporated in member states of the European Union as sub-processors of Expleo. Further, the Client acknowledges and agrees that Expleo may transfer, store and process Client Data in various jurisdictions in which Expleo and its Affiliates operate (including outside the European Economic Area or in a country not deemed to provide an adequate level of protection for personal data by the European Commission), provided that the parties ensure that personal data is adequately protected in accordance with the Data Protection Legislation prior to any transfer taking place. In order to achieve this, the parties shall, unless agreed otherwise, rely on the Standard Contractual Clauses for the Transfers of Personal Data to Processors Established in Third Countries, dated 5 February 2010 (2010/87/EU) / as amended from time to time (“EU Model Clauses”) or any equivalent provisions approved by the Information Commissioner’s Office where any personal data is transferred outside of the UK). Prior to any data transfer, the parties shall enter into a data transfer agreement incorporating the EU Model Clauses.
12.6 Except to the extent required by applicable law, upon the termination of this Agreement for any reason, or earlier if instructed in writing by the Disclosing Party to do so, the Receiving Party shall cease processing all personal data and return and/or permanently and securely destroy so that it is no longer retrievable (as directed in writing by the Disclosing Party) all personal data and all copies in its possession or control (and it shall provide the Disclosing Party with a certificate signed by one of its authorised signatories confirming it has done so). 12.7 No party shall unreasonably withhold, delay or condition its agreement to any Change Request of the other party in order to ensure the relevant data processor (and each agreed sub-processor) can comply with the Data Protection Legislation. 12.8 The parties may agree at any time to revise this Clause 12 by replacing it with any applicable controller to processor standard clauses or similar terms forming part of an applicable certification scheme as contemplated by Articles 28(6), 28(7) and 28(8) of the GDPR (which shall apply when replaced by an addendum to this Agreement).

Appears in 1 contract

Sources: Framework Services Agreement

DATA PROCESSING OBLIGATIONS. 12.1 Where and insofar as, in connection with this Agreement or any Work Order, either party 5.1 To the extent that each Party processes personal data Personal Data as a Processor (the “Processing Party”) on behalf of the other party, Party (the Receiving “Controller Party”) in accordance with Annex 1 each Party shall: 12.1.1 process 5.1.1 at all times comply with Controller Party’s documented instructions, subject to compliance with all applicable Data Protection Laws in relation to Processing the personal data for and on behalf of the Disclosing Party only on the documented instructions of the Disclosing Controller Party, unless the Receiving Party is required by applicable laws to otherwise process that personal data’s Personal Data; 12.1.2 carry out any processing only on 5.1.2 take reasonable steps to ensure that access is limited to individuals who are subject to confidentiality undertakings or professional or statutory obligations of confidentiality and who need to know/access Controller Party’s Personal Data for the documented instructions purposes of fulfilling the Disclosing Party in accordance with Processing Party’s obligations under the Work Order, and such other processing and purposes as may be agreed by the parties from time to timeAgreement; 12.1.3 5.1.3 implement and maintain (and provide details of such measures at the Controller Party’s request) appropriate technical and organisational measures to ensure a level of security appropriate to the risk including but not limited to the following: the Pseudonymisation and encryption of Controller Party Personal Data; measure(s) to ensure the ongoing confidentiality and access to Controller Party Personal Data in a timely manner in the event of a physical or technical incident; measure(s) to restore the availability and access to Controller Party Personal Data in a timely manner in the event of a physical or technical incident; 5.1.4 assist the Controller Party by 
implementing and maintaining appropriate technical and organisational measures, that insofar as this is possible, for the Disclosing Part fulfilment of the Controller Party’s obligation to respond to Data Subject’s rights (including but not limited to Access Requests) under Data Protection Laws, in particular: (a) notify the Controller Party by email to: ▇▇▇▇▇▇▇_▇▇▇▇▇▇_▇▇▇▇▇▇▇@▇▇▇.▇▇.▇▇ within 3 Working Days if the Processing Party receives an Access Request from a Data Subject whose Personal Data has had been passed to them from the opportunity to review Controller Party and approve, to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, and against all other unlawful forms of processing. To the extent such technical and organisational measures have not been approved is processed by the Disclosing PartyProcessing Party pursuant to the Agreement and/or this MoA; and (b) in relation to any Access Request received by the Controller Party and shall agree in writing the approach for the secure transfer of any Personal Data relevant to the Data Subject and Access Request, prior to the Receiving Party will maintain safeguards no less rigorous than those maintained by it for its own similar personal data, but being aforementioned transfer taking place as soon as possible and in any event sufficient to comply with the Security Requirements; 12.1.4 ensure that Personnel with access to the relevant personal have entered into appropriate contractually binding confidentiality undertakings; 12.1.5 ensure that access to the personal data is restricted to only those members of its Personnel who require it in order to discharge the Receiving Party’s obligations under this Agreement or any Work Order; 12.1.6 notify the Disclosing Party without undue delay following its receipt within 5 Working Days of any complaint or Subject Access Request or notification of an audit or an investigation by a 
Supervisory Authority, and shall provide a copy of such complaint, request, notification or correspondence and reasonable details of the circumstances giving rise to it unless prohibited by law; and 12.1.7 not disclose personal data to any person except as required by the delivery or receipt of the Services, to a Supervisory Authority or as otherwise required by law or with the Disclosing Party written consent. 12.2 The Disclosing Party acknowledges that the Receiving Party is reliant on the Disclosing Party for direction as to the extent to which Receiving Party is entitled to use and process the Disclosing Party’s personal data. Consequently, the Receiving Party will not be liable for any claim brought by a data subject arising from any action or omission by the Receiving Party, to the extent that such action or omission resulted directly request from the Disclosing Controller Party 5.1.5 assist the Controller Party instructions. 12.3 Where the Receiving Party becomes aware of a personal data breach, it shall notify the Disclosing Party without undue delay and provide reasonable assistance to the Disclosing Party in relation to its ensure compliance with obligations under the Data Protection Legislation.Laws including but not limited to: 12.4 Where, in connection with this Agreement or any Work Order, (a) the Receiving Party processes personal data on behalf security of Processing pursuant to Article 32 of the Disclosing PartyUK GDPR; notification of a Personal Data Breach to the Supervisory Authority pursuant to Article 33 of the UK GDPR; communication of a Personal Data Breach to the Data Subject pursuant to Article 34 of the UK GDPR; and data protection impact assessments, including prior consultation with Data Subjects and the Disclosing Supervisory Authority, which the Controller Party provides its general authorization for reasonably considers to be required pursuant to Articles 35 and 36 of the Receiving UK GDPR; 5.1.6 within fourteen (14) Working Days 
after the end of the provision of Services, or as directed by the Controller Party to appoint data sub-processors provided thatat any time: 12.4.1 (a) at the Receiving Controller Party’s discretion, (i) delete or (ii) return by secure transfer to the Controller Party (in such format as notified by the Controller Party) all of the Controller Party’s Personal Data; and (b) delete existing copies of all Controller Party’s Personal Data subject to compliance with Data Protection Laws and always provided that the Processing Party shall ensure that the terms on which it appoints security and confidentiality of all such processors comply with the Data Protection LegislationPersonal Data, and are consistent with the obligations imposed on the Receiving Party under this Agreement; 12.4.2 shall remain responsible for the acts and omission of any such sub-processor as if they were the acts and omissions provide evidence of the Receiving Partysame to the Controller Party on request; and 12.4.3 shall 5.1.7 immediately inform the Disclosing Controller Party of any intended changes concerning the addition if, in its opinion, an instruction infringes or replacement of the sub-processors. 12.5 The Client consents to the appointment by Expleo of its Affiliates incorporated in member states of the European Union as sub- processors of Expleo. Further, the Client acknowledges and agrees that Expleo may transfer, store and process Client Data in various jurisdictions in which Expleo and its Affiliates operate (including outside the European Economic Area or in a country not deemed to provide an adequate level of protection for personal data by the European Commission), provided that the parties ensure that personal data is adequately protected in accordance conflicts with the Data Protection Legislation prior to any transfer taking place. 
In order to achieve this, the parties shall, unless agreed otherwise, rely on the Standard Contractual Clauses for the Transfers of Personal Data to Processors Established in Third Countries, dated 5 February 2010 (2010/87/EU) / as amended from time to time (“EU Model Clauses”) or any equivalent provisions approved by the Information Commissioner’s Office where any personal data is transferred outside of the UK. Prior to any data transfer, the parties Laws and shall enter into a data transfer agreement incorporating the EU Model Clauses. 12.6 Except to the extent required by applicable law, upon the termination of this Agreement for any reason, or earlier if instructed in writing by the Disclosing Party to do so, the Receiving Party shall cease processing all personal data and return and/ or permanently and securely destroy so that it is no longer retrievable (as directed in writing by the Disclosing Party) all personal data and all copies in its possession or control (and it shall provide the Disclosing Party with a certificate signed by one of its authorised signatories confirming not commence such Processing until it has done so)received confirmed instructions from the Controller Party. 12.7 No party shall unreasonably withhold, delay or condition its agreement to any Change Request of the other party in order to ensure the relevant data processor (and each agreed sub-processor) can comply with the Data Protection Legislation. 12.8 The parties may agree at any time to revise this Clause 12 by replacing it with any applicable controller to processor standard clauses or similar terms forming party of an applicable certification scheme as contemplated by Articles 28(6), 28(7) and 28(8) of the GDPR (which shall apply when replaced by an addendum to this Agreement).

Appears in 1 contract

Sources: Service Agreement

DATA PROCESSING OBLIGATIONS. 12.1 Where 3.1 The parties acknowledge and insofar asagree that, in relation to Personal Data, each of the parties is a joint Data Controller 3.2 Each of the Parties must comply with the Data Protection Regulations and the obligations incumbent on said party under the provisions of the Agreement in connection with this Agreement the Processing of Personal Data. Where required under applicable Data Protection Regulations, each of the Parties shall enter into any agreements (e.g., data processing agreements or any Work Orderjoint controller arrangements) with third parties or subcontractors and/or notify data subjects about the essence of such arrangements. 3.3 The applicable Data Protection Regulations may change in the future, or may be scheduled to change, in a way that would cause either party processes personal to consider that the Agreement is no longer adequate for the purpose set forth herein. In such circumstances, and upon request by either party, the parties (acting reasonably and by mutual agreement) will meet without delay to negotiate, agree and document the corresponding changes to the Agreement. 3.4 Each party is separately responsible for answering requests it receives from a data on behalf subject and therefore may deal, at its discretion, with all data subject requests and Data Claims received directly from the data subject or the person making the Data Claim. FTR and Restaurant shall mutually assist each other with commercially reasonable means in case of any such request. 
3.5 In relation to any Personal Data Breach (actual or suspected) relating to the Personal Data, the Restaurant shall notify FTR of the breach without undue delay (and in no event in a period exceeding 24 hours from the time you become aware of the Personal Data Breach) and must provide FTR, without undue delay (where possible, within 24 hours from the time you become aware of the breach) all details relating to the breach that FTR reasonably requires. 3.6 To the extent permitted by the applicable legal system, neither party shall notify the Supervisory Authority or the Data Subject of any Personal Data Breach; or issue any public statement or otherwise notify any Data Subject of any Personal Data Breach, without having previously consulted with, and obtained the consent of, the other party, which consent will not be unreasonably withheld or delayed. Restaurant and FTR are separately responsible for complying with applicable Data Protection Regulations regarding providing notification to the Receiving Party shall: 12.1.1 process the personal supervisory data for and on behalf of the Disclosing Party only on the documented instructions of the Disclosing Partyprotection authority and, unless the Receiving Party is required by applicable laws to otherwise process that personal data; 12.1.2 carry out any processing only on the documented instructions of the Disclosing Party in accordance with the Work Order, and such other processing and purposes as may be agreed by the parties from time to time; 12.1.3 implement appropriate technical and organisational measures, that the Disclosing Part has had the opportunity to review and approvewhere applicable, to protect personal the affected data against accidental or unlawful destruction or accidental subjects in the case of any breach of security leading to the destruction, loss, alteration, unauthorised unauthorized disclosure of or access, and against all other unlawful forms of processing. 
To the extent such technical and organisational measures have not been approved by the Disclosing Party, the Receiving Party will maintain safeguards no less rigorous than those maintained by it for its own similar access to personal data. 3.7 The Restaurant will not retain or process any Personal Data for a period longer than is necessary or, but being if longer, for the period necessary to fulfill its binding obligations under the law or by contract. 3.8 Each party shall provide reasonable assistance, information and cooperation in any event sufficient to comply connection with the Security Requirements; 12.1.4 ensure that Personnel with access Personal Data to the relevant personal have entered into appropriate contractually binding confidentiality undertakings; 12.1.5 ensure that access to the personal data is restricted to only those members of its Personnel who require it other party, in order to discharge help the Receiving Party’s obligations under this Agreement or any Work Order; 12.1.6 notify the Disclosing Party without undue delay following its receipt of any complaint or Subject Access Request or notification of an audit or an investigation by a Supervisory Authority, and shall provide a copy of such complaint, request, notification or correspondence and reasonable details of the circumstances giving rise to it unless prohibited by law; and 12.1.7 not disclose personal data to any person except as required by the delivery or receipt of the Services, to a Supervisory Authority or as otherwise required by law or other party ensure compliance with the Disclosing Party written consent. 12.2 The Disclosing Party acknowledges that the Receiving Party is reliant on the Disclosing Party for direction as to the extent to which Receiving Party is entitled to use and process the Disclosing Party’s personal data. 
Consequently, the Receiving Party will not be liable for any claim brought by a data subject arising from any action or omission by the Receiving Party, to the extent that such action or omission resulted directly from the Disclosing Party instructions. 12.3 Where the Receiving Party becomes aware of a personal data breach, it shall notify the Disclosing Party without undue delay and provide reasonable assistance to the Disclosing Party in relation to its obligations under the Data Protection LegislationRegulations of data protection. 12.4 Where, in connection with this Agreement or any Work Order, the Receiving Party processes personal data on behalf of the Disclosing Party, the Disclosing Party provides its general authorization for the Receiving Party to appoint data sub-processors provided that: 12.4.1 the Receiving Party shall ensure that the terms on which it appoints such processors comply with the Data Protection Legislation, and are consistent with the obligations imposed on the Receiving Party under this Agreement; 12.4.2 shall remain responsible for the acts and omission of any such sub-processor as if they were the acts and omissions of the Receiving Party; and 12.4.3 shall inform the Disclosing Party of any intended changes concerning the addition or replacement of the sub-processors. 12.5 The Client consents to the appointment by Expleo of its Affiliates incorporated in member states of the European Union as sub- processors of Expleo. Further, the Client acknowledges and agrees that Expleo may transfer, store and process Client Data in various jurisdictions in which Expleo and its Affiliates operate (including outside the European Economic Area or in a country not deemed to provide an adequate level of protection for personal data by the European Commission), provided that the parties ensure that personal data is adequately protected in accordance with the Data Protection Legislation prior to any transfer taking place. 
In order to achieve this, the parties shall, unless agreed otherwise, rely on the Standard Contractual Clauses for the Transfers of Personal Data to Processors Established in Third Countries, dated 5 February 2010 (2010/87/EU) / as amended from time to time (“EU Model Clauses”) or any equivalent provisions approved by the Information Commissioner’s Office where any personal data is transferred outside of the UK. Prior to any data transfer, the parties shall enter into a data transfer agreement incorporating the EU Model Clauses. 12.6 Except to the extent required by applicable law, upon the termination of this Agreement for any reason, or earlier if instructed in writing by the Disclosing Party to do so, the Receiving Party shall cease processing all personal data and return and/or permanently and securely destroy so that it is no longer retrievable (as directed in writing by the Disclosing Party) all personal data and all copies in its possession or control (and it shall provide the Disclosing Party with a certificate signed by one of its authorised signatories confirming it has done so). 12.7 No party shall unreasonably withhold, delay or condition its agreement to any Change Request of the other party in order to ensure the relevant data processor (and each agreed sub-processor) can comply with the Data Protection Legislation. 12.8 The parties may agree at any time to revise this Clause 12 by replacing it with any applicable controller to processor standard clauses or similar terms forming part of an applicable certification scheme as contemplated by Articles 28(6), 28(7) and 28(8) of the GDPR (which shall apply when replaced by an addendum to this Agreement).

Appears in 1 contract

Sources: Terms of Service

DATA PROCESSING OBLIGATIONS. 14.1 The Hub shall: 14.2 at all times comply with AET’s documented instructions, subject to compliance with all applicable data protection laws in relation to processing AET personal data; 14.3 take reasonable steps to ensure that access is limited to individuals who are subject to confidentiality undertakings or professional or statutory obligations of confidentiality and who need to know/access AET Personal Data for the purposes of fulfilling the Hub’s obligations under this Agreement; 14.4 implement and maintain (and provide details of such measures at AET’s request) appropriate technical and organisational measures to ensure a level of security appropriate to the risk including but not limited to the following: 14.4.1 the Pseudonymisation and encryption of AET Personal Data; 14.4.2 measure(s) to ensure the ongoing confidentiality and access to AET Personal Data in a timely manner in the event of a physical or technical incident; 14.4.3 measure(s) to restore the availability and access to AET Personal Data in a timely manner in the event of a physical or technical incident; 14.5 assist AET by implementing and maintaining appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of AET's obligation to respond to Data Subject’s rights (including but not limited to Access Requests) under Data Protection Laws, in particular: 14.5.1 notify AET by email to: ▇▇▇▇▇▇▇▇▇▇▇▇▇▇@▇▇▇.▇▇▇.▇▇ within 3 Working Days if the Supplier receives an Access Request from a Data Subject whose Personal Data has been passed to them from AET and is processed by the Supplier pursuant to this Agreement; and 14.5.2 in relation to any Access Request received by AET, agree in writing the approach for the secure transfer of any Personal Data relevant to the Data Subject and Access Request, prior to the aforementioned transfer taking place as soon as possible and in any event within 5 Working Days of any request from AET 14.6 assist AET to ensure compliance with obligations under the Data Protection Laws including but not limited to: 14.6.1 the security of Processing pursuant to Article 32 of the GDPR; 14.6.2 notification of a Personal Data Breach to the Supervisory Authority pursuant to Article 33 of the GDPR; 14.6.3 communication of a Personal Data Breach to the Data Subject pursuant to Article 34 of the GDPR; and 14.6.4 data protection impact assessments, including prior consultation with Data Subjects and the Supervisory Authority, which AET reasonably considers to be required pursuant to Articles 35 and 36 of the GDPR; 14.7 within fourteen (14) Working Days after the end of the provision of Services, or as directed by AET at any time: 14.7.1 at AET’s discretion, (i) delete or (ii) return by secure transfer to AET (in such format as notified by AET) all AET Personal Data; and 14.7.2 delete existing copies of all AET Personal Data subject to compliance with Data Protection Laws and always provided that the Supplier shall ensure the security and confidentiality of all such AET Personal Data, and provide evidence of the same to AET on request; and 14.8 immediately inform AET if, in its opinion, an instruction infringes or conflicts with the Data Protection Laws and shall not commence such Processing until it has received confirmed instructions from AET. 14.9 This clause 14 shall remain in force without limit in time. 14.10 Hub must indemnify and keep indemnified the AET against all claims and proceedings and all liability, loss, costs and expenses incurred in connection therewith by the AET as a result of any claim made or brought by any person in respect of any loss, damage or distress caused to that person as a result Hub’s unauthorised processing, unlawful processing, destruction of and/or damage to any Personal Data processed by the Hub.

Appears in 1 contract

Sources: Agreement and Licence for the Delivery and Promotion of the Aet Early Years, Schools and Post 16 Training Programmes

DATA PROCESSING OBLIGATIONS. 7.1. To the extent that the Property Checker Data is comprised of any Personal Data, each Party: 7.1.1. acknowledges that it is a Controller of the Property Checker Data and shall comply with its obligations as a Controller as set out in Data Protection Legislation; 7.1.2. at all times comply with all Data Protection Legislation in connection with the exercise and performance of its respective rights and obligations under this Agreement and ensure that Personal Data is only processed to the extent consistent with the permitted legal basis under Data Protection Legislation for which it was collected; 7.1.3. notify the other Party without undue delay if it receives a request or enquiry from either a Data Protection Supervisory Authority or Data Subject about any Personal Data or the transfer of data under this Agreement, and the Parties shall co-operate, as is reasonably required to respond to such request or enquiry, and shall keep each other regularly updated as to the handling of such request or enquiry. The responsibility for complying with any Data Subject request falls on the Party which first received the request or communication; 7.1.4. promptly following a written request from the other Party, provide to the other Party such information as is reasonably required to demonstrate its compliance with its obligations under this Agreement; 7.1.5. cooperate with the Data Controller in the event the Data Controller initiates a data protection impact assessment or inspections for compliance to these obligations; 7.1.6. where acting as a Data Controller, the Parties agree that Special Category Personal Data will not be sought from users; and 7.1.7. use their reasonable endeavours to assist the other Party to comply with any obligations under applicable Data Protection Legislation and shall not perform its obligations under this Agreement in such a way as to cause the other Party to breach any of the other Party’s obligations under applicable Data Protection Legislation to the extent it is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations. TrustMark’s Obligations 7.2. Without prejudice to clause 7.1, TrustMark shall, in relation to the Property Checker Data: 7.2.1. be the primary point of contact for Data Subjects and shall direct Data Subjects to the relevant person in connection with the exercise of their rights as Data Subjects and for any enquiries concerning any Personal Data; 7.2.2. transfer Property Checker Data to the Company using appropriate technical and organisational security measures which shall be determined by TrustMark; 7.2.3. ensure the Property Checker Data reflects the data stored in its systems at the point at which it commences transfer to the Company; 7.2.4. make reasonable endeavours to ensure the Property Checker Data is up-to-date; 7.2.5. if the Property Checker Data comprises of Personal Data, ensure that the Personal Data has been collected, Processed and transferred to the Company in accordance with Data Protection Legislation. The Company’s Obligations 7.3. Without prejudice to clause 7.1, the Company shall: 7.3.1. process the Property Checker Data solely for the Processing Purposes and not use the Property Checker Data in any way for any purpose except as specifically permitted by, and at all times in accordance with this Agreement; 7.3.2. if the Property Checker Data comprises Personal Data, when processing the Personal Data the Company shall provide to Data Subjects such information as is required by Data Protection Legislation, in the manner prescribed by Data Protection Legislation (if any); 7.3.3. except as required by applicable law in the United Kingdom, the Company shall Process all Personal Data for no longer than such Processing is necessary for the Processing Purposes and compliant with this Agreement and all Data Protection Legislation; 7.3.4. taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of Data Subjects, implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, taking account in particular the risks that are presented by the Processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to the Property Checker Data; 7.3.5. take all steps set out below in respect of its employees who have access to the Property Checker Data (“Personnel”): 7.3.5.1. to ensure that only those Personnel who need to have access to the Property Checker Data are granted such access, and such access is permitted solely for the Processing Purposes; 7.3.5.2. take all reasonable steps to ensure the reliability of its Personnel; 7.3.5.3. To ensure that all Personnel have completed training in Data Protection Legislation and in the care and handling of Personal Data; 7.3.5.4. ensure that all Personnel are informed of the confidential nature of the Property Checker Data and are subject to appropriate contractual obligations of confidentiality; and 7.3.5.5. ensure that all Personnel comply with the obligations set out in this clause 7; 7.3.6. ensure that it has the capability (technological and otherwise), to the extent required by Data Protection Legislation, to: 7.3.6.1. provide, correct or delete at the request of a Data Subject all the Personal Data relating to that Data Subject; and 7.3.6.2. comply with any data subject requests; 7.3.7. only share Personal Data with a third party to the extent that it is necessary to achieve the Processing Purposes and where that third party has entered into a data processing agreement with the Company to ensure the third party’s compliance with Data Protection Legislation; 7.3.8. not disclose any Personal Data to any third party other than a System Provider except with TrustMark’s prior written consent, or else as required by law; 7.3.9. not transfer the Property Checker Data outside the European Economic Area (EEA) except with TrustMark’s prior written consent, or else as required by this Agreement; 7.3.10. in the event of a Data Breach relating to the Property Checker Data, the Company shall: 7.3.10.1. without undue delay and in any case within twenty four (24) hours of becoming aware of the Data Breach, notify TrustMark via email and telephone using the details (as stated in the “Notices” section of clause 1 above); 7.3.10.2. complete and return to TrustMark within two (2) working days hours any requests for information or forms to be completed as instructed by and provided by TrustMark; and 7.3.10.3. provide following the Data Breach, without undue delay, any such information and assistance that TrustMark may reasonably request.

Appears in 1 contract

Sources: Data Sharing Agreement

DATA PROCESSING OBLIGATIONS. 5.1 To the extent that each Party processes Personal Data as a Processor (the “Processing Party”) on behalf of the other Party (the “Controller Party”) in accordance with Annex 1 each Party shall: 5.1.1 at all times comply with Controller Party’s documented instructions, subject to compliance with all applicable Data Protection Laws in relation to Processing the Controller Party’s Personal Data; 5.1.2 take reasonable steps to ensure that access is limited to individuals who are subject to confidentiality undertakings or professional or statutory obligations of confidentiality and who need to know/access Controller Party’s Personal Data for the purposes of fulfilling the Processing Party’s obligations under the Agreement; 5.1.3 implement and maintain (and provide details of such measures at the Controller Party’s request) appropriate technical and organisational measures to ensure a level of security appropriate to the risk including but not limited to the following: the Pseudonymisation and encryption of Controller Party Personal Data; measure(s) to ensure the ongoing confidentiality and access to Controller Party Personal Data in a timely manner in the event of a physical or technical incident; measure(s) to restore the availability and access to Controller Party Personal Data in a timely manner in the event of a physical or technical incident; 5.1.4 assist the Controller Party by implementing and maintaining appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller Party’s obligation to respond to Data Subject’s rights (including but not limited to Access Requests) under Data Protection Laws, in particular: notify the Controller Party by email to: ▇▇▇▇▇▇▇_▇▇▇▇▇▇_▇▇▇▇▇▇▇@▇▇▇.▇▇.▇▇ within 3 Working Days if the Processing Party receives an Access Request from a Data Subject whose Personal Data has been passed to them from the Controller Party and is processed by the Processing Party pursuant to the Agreement and/or this MoA; and in relation to any Access Request received by the Controller Party and shall agree in writing the approach for the secure transfer of any Personal Data relevant to the Data Subject and Access Request, prior to the aforementioned transfer taking place as soon as possible and in any event within 5 Working Days of any request from the Controller Party 5.1.5 assist the Controller Party to ensure compliance with obligations under the Data Protection Laws including but not limited to: the security of Processing pursuant to Article 32 of the GDPR; notification of a Personal Data Breach to the Supervisory Authority pursuant to Article 33 of the GDPR; communication of a Personal Data Breach to the Data Subject pursuant to Article 34 of the GDPR; and data protection impact assessments, including prior consultation with Data Subjects and the Supervisory Authority, which the Controller Party reasonably considers to be required pursuant to Articles 35 and 36 of the GDPR; 5.1.6 within fourteen (14) Working Days after the end of the provision of Services, or as directed by the Controller Party at any time: at the Controller Party’s discretion, (i) delete or (ii) return by secure transfer to the Controller Party (in such format as notified by the Controller Party) all of the Controller Party’s Personal Data; and delete existing copies of all Controller Party’s Personal Data subject to compliance with Data Protection Laws and always provided that the Processing Party shall provide evidence of the same to the Controller Party on request; and 5.1.7 immediately inform the Controller Party if, in its opinion, an instruction infringes or conflicts with the Data Protection Laws and shall not commence such Processing until it has received confirmed instructions from the Controller Party.

Appears in 1 contract

Sources: Service Agreement