DATA PROCESSING OBLIGATIONS. 3.1 The parties have determined that for purposes of the Applicable Data Protection Laws the University is the [Controller OR Processor] and the Supplier is the [Controller OR Processor]. [DN: amend depending on the circumstances.]. Part 2 of this Schedule 3 sets out the scope, nature and purpose of processing by the Processor, the duration of the processing and the types of personal data and categories of data subject.
3.2 Without prejudice to the generality of paragraph 2.1, the Controller will ensure that it has all necessary appropriate consents and notices in place to enable the lawful transfer of the personal data to the Processor and/or lawful collection of the personal data by the Processor on behalf of the Controller for the duration of this Contract.
3.3 Without prejudice to the generality of paragraph 3.2, the Processor shall, in relation to any personal data processed in connection with the performance by the Processor of its obligations under this Contract:
3.3.1 process that personal data only on the documented instructions of the Controller, unless the Processor is required by other Applicable Laws to otherwise process that personal data. Where the Processor is relying on other Applicable Laws as the basis for processing personal data, the Processor shall promptly notify the Controller of this before performing the processing required by other Applicable Laws unless those laws prohibit the Processor from so notifying the Controller on important grounds of public interest. The Processor shall immediately inform the Controller if, in the opinion of the Processor, the instructions of the Controller infringe Applicable Data Protection Laws;
3.3.2 implement appropriate technical and organisational measures to protect against unauthorised or unlawful processing of the personal data and against its accidental loss, damage or destruction, including:
3.3.2.1 the pseudonymisation and encryption of personal data;
3.3.2.2 the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
3.3.2.3 the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and
3.3.2.4 a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
3.3.3 ensure, and procure, that any personnel engaged and authorised by the Processor to process personal data keep the personal data confidential;
3.3.4 promptly assist the Controller, at the Processor’s expense, in responding to any request from a data subject and in ensuring compliance with the Controller's obligations under Applicable Data Protection Laws with respect to security, breach notifications, impact assessments and consultations with the Commissioner, supervisory authorities or other regulators and, in particular, the Processor shall promptly notify the Controller if it receives any complaint, notice or communication (whether from the Commissioner, any data subject, supervisory authority or other third party) which relates to processing of personal data;
3.3.5 notify the Controller without undue delay (and no later than 48 hours) after becoming aware of a personal data breach and on suspecting the same, the Processor shall promptly conduct an initial assessment to determine, with a reasonable degree of certainty, whether the event or incident qualifies for notification to the Controller under this paragraph 3.3.5 and shall provide a copy of this initial assessment along with such notification; [DN: review this wording where the University acts as the processor.]
3.3.6 at the written direction of the Controller, delete or return to the Controller all personal data on termination or expiry of the Contract, and certify to the Controller in writing it has done so, unless the Processor is required by Applicable Law to continue to process that personal data, in which case the Processor shall promptly notify the Controller, in writing, of what that Applicable Law is and shall only be permitted to process that personal data for the specific purpose so-notified, and all other requirements set out in this Schedule 3 shall continue to apply to such personal data notwithstanding the termination or expiry of this Contract for as long as such personal data is processed by the Processor. For the purposes of this paragraph 3.3.6 the obligation to "delete" data includes the obligation to delete data from back-up systems as well as live systems; and
3.3.7 maintain adequate records, and, on the Controller's request, make available such information as the Controller may reasonably request, and allow for and submit its premises and operations to audits, including inspections, by the Controller or the Controller's designated auditor, to demonstrate its compliance with Applicable Data Protection Laws and this Schedule 3.
3.4 The Processor shall not, without the prior written consent of the Controller (and in any event subject to the Processor providing the Controller with reasonable evidence that such activity is being undertaken in full compliance with Applicable Data Protection Laws):
3.4.1 appoint or replace (or change the terms of the appointment of) any other processor in relation to the personal data or transfer any personal data to the same; or
3.4.2 carry out, via itself or via any other processor, any processing of personal data, or transfer any personal data, outside of the UK, including processing personal data on equipment situated outside of the UK until the following conditions are fulfilled:
3.4.2.1 the Controller or the Processor has provided appropriate safeguards in relation to the transfer;
3.4.2.2 the data subject has enforceable rights and effective legal remedies;
3.4.2.3 the Processor complies with its obligations under the Applicable Data Protection Laws by providing an adequate level of protection to any personal data that is transferred; and
3.4.2.4 the Processor complies with reasonable instructions notified to it in advance by the Controller with respect to the processing of the personal data. [DN: this clause will apply where you have Suppliers who are situated/processing personal data outside of the UK and will need to be reviewed on a case by case basis.]
3.5 Either party may, at any time on not less than 30 days' notice, revise the clauses in this Schedule 3 by replacing it with any applicable controller to processor standard clauses or similar terms forming part of an applicable certification scheme (which shall apply when replaced by attachment to this Contract).
Sources: Services Agreement
DATA PROCESSING OBLIGATIONS. 3.1 The parties have determined that for purposes of the Applicable Data Protection Laws the University is the [Controller OR Processor] and the Supplier is the [Controller OR Processor]. [DN: amend depending on the circumstances.]. Part 2 of this Schedule 3 sets out the scope, nature and purpose of processing by the Processor, the duration of the processing and the types of personal data and categories of data subject.
3.2 Without prejudice to the generality of paragraph 2.1, the Controller will ensure that it has all necessary appropriate consents and notices in place to enable the lawful transfer of the personal data to the Processor and/or lawful collection of the personal data by the Processor on behalf of the Controller for the duration of this Contract.
3.3 Without prejudice to the generality of paragraph 3.2, the Processor shall, in relation to any personal data processed in connection with the performance by the Processor of its obligations under this Contract:
3.3.1 process that personal data only on the documented instructions of the Controller, unless the Processor is required by other Applicable Laws to otherwise process that personal data. Where the Processor is relying on other Applicable Laws as the basis for processing personal data, the Processor shall promptly notify the Controller of this before performing the processing required by other Applicable Laws unless those laws prohibit the Processor from so notifying the Controller on important grounds of public interest. The Processor shall immediately inform the Controller if, in the opinion of the Processor, the instructions of the Controller infringe Applicable Data Protection Laws;
3.3.2 implement appropriate technical and organisational measures to protect against unauthorised or unlawful processing of the personal data and against its accidental loss, damage or destruction, including:
3.3.2.1 the pseudonymisation and encryption of personal data;
3.3.2.2 the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
3.3.2.3 the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and
3.3.2.4 a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
3.3.3 ensure, and procure, that any personnel engaged and authorised by the Processor to process personal data keep the personal data confidential;
3.3.4 promptly assist the Controller, at the Processor’s expense, in responding to any request from a data subject and in ensuring compliance with the Controller's obligations under Applicable Data Protection Laws with respect to security, breach notifications, impact assessments and consultations with the Commissioner, supervisory authorities or other regulators and, in particular, the Processor shall promptly notify the Controller if it receives any complaint, notice or communication (whether from the Commissioner, any data subject, supervisory authority or other third party) which relates to processing of personal data;
3.3.5 notify the Controller without undue delay (and no later than 48 hours) after becoming aware of a personal data breach and on suspecting the same, the Processor shall promptly conduct an initial assessment to determine, with a reasonable degree of certainty, whether the event or incident qualifies for notification to the Controller under this paragraph 3.3.5 and shall provide a copy of this initial assessment along with such notification; [DN: review this wording where the University acts as the processor.]
3.3.6 at the written direction of the Controller, delete or return to the Controller all personal data on termination or expiry of the Contract, and certify to the Controller in writing it has done so, unless the Processor is required by Applicable Law to continue to process that personal data, in which case the Processor shall promptly notify the Controller, in writing, of what that Applicable Law is and shall only be permitted to process that personal data for the specific purpose so-notified, and all other requirements set out in this Schedule 3 shall continue to apply to such personal data notwithstanding the termination or expiry of this Contract for as long as such personal data is processed by the Processor. For the purposes of this paragraph 3.3.6 the obligation to "delete" data includes the obligation to delete data from back-up systems as well as live systems; and
3.3.7 maintain adequate records, and, on the Controller's request, make available such information as the Controller may reasonably request, and allow for and submit its premises and operations to audits, including inspections, by the Controller or the Controller's designated auditor, to demonstrate its compliance with Applicable Data Protection Laws and this Schedule 3.
3.4 The Processor shall not, without the prior written consent of the Controller (and in any event subject to the Processor providing the Controller with reasonable evidence that such activity is being undertaken in full compliance with Applicable Data Protection Laws):
3.4.1 appoint or replace (or change the terms of the appointment of) any other processor in relation to the personal data or transfer any personal data to the same; or
3.4.2 carry out, via itself or via any other processor, any processing of personal data, or transfer any personal data, outside of the UK, including processing personal data on equipment situated outside of the UK until the following conditions are fulfilled:
3.4.2.1 the Controller or the Processor has provided appropriate safeguards in relation to the transfer;
3.4.2.2 the data subject has enforceable rights and effective legal remedies;
3.4.2.3 the Processor complies with its obligations under the Applicable Data Protection Laws by providing an adequate level of protection to any personal data that is transferred; and
3.4.2.4 the Processor complies with reasonable instructions notified to it in advance by the Controller with respect to the processing of the personal data. [DN: this clause will apply where you have Suppliers who are situated/processing personal data outside of the UK and will need to be reviewed on a case-by-case basis.]
3.5 Either party may, at any time on not less than 30 days' notice, revise the clauses in this Schedule 3 by replacing it with any applicable controller to processor standard clauses or similar terms forming part of an applicable certification scheme (which shall apply when replaced by attachment to this Contract).
Sources: Standard Services Agreement
DATA PROCESSING OBLIGATIONS. 3.1 The parties have determined that for purposes of the Applicable Data Protection Laws the University is the [Controller OR Processor] and the Supplier is the [Controller OR Processor]. [DN: amend depending on the circumstances.]. Part 2 of this Schedule 3 sets out the scope, nature and purpose of processing by the Processor, the duration of the processing and the types of personal data and categories of data subject.
3.2 Without prejudice to the generality of paragraph 2.1, the Controller will ensure that it has all necessary appropriate consents and notices in place to enable the lawful transfer of the personal data to the Processor and/or lawful collection of the personal data by the Processor on behalf of the Controller for the duration of this Agreement.
3.3 Without prejudice to the generality of paragraph 3.2, the Processor shall, in relation to any personal data processed in connection with the performance by the Processor of its obligations under this Agreement:
3.3.1 process that personal data only on the documented instructions of the Controller, unless the Processor is required by other Applicable Laws to otherwise process that personal data. Where the Processor is relying on other Applicable Laws as the basis for processing personal data, the Processor shall promptly notify the Controller of this before performing the processing required by other Applicable Laws unless those laws prohibit the Processor from so notifying the Controller on important grounds of public interest. The Processor shall immediately inform the Controller if, in the opinion of the Processor, the instructions of the Controller infringe Applicable Data Protection Laws;
3.3.2 implement appropriate technical and organisational measures to protect against unauthorised or unlawful processing of the personal data and against its accidental loss, damage or destruction, including:
3.3.2.1 the pseudonymisation and encryption of personal data;
3.3.2.2 the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
3.3.2.3 the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and
3.3.2.4 a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
3.3.3 ensure, and procure, that any personnel engaged and authorised by the Processor to process personal data keep the personal data confidential;
3.3.4 promptly assist the Controller, at the Processor’s expense, in responding to any request from a data subject and in ensuring compliance with the Controller's obligations under Applicable Data Protection Laws with respect to security, breach notifications, impact assessments and consultations with the Commissioner, supervisory authorities or other regulators and, in particular, the Processor shall promptly notify the Controller if it receives any complaint, notice or communication (whether from the Commissioner, any data subject, supervisory authority or other third party) which relates to processing of personal data;
3.3.5 notify the Controller without undue delay (and no later than 48 hours) after becoming aware of a personal data breach and on suspecting the same, the Processor shall promptly conduct an initial assessment to determine, with a reasonable degree of certainty, whether the event or incident qualifies for notification to the Controller under this paragraph 3.3.5 and shall provide a copy of this initial assessment along with such notification; [DN: review this wording where the University acts as the processor.]
3.3.6 at the written direction of the Controller, delete or return to the Controller all personal data on termination or expiry of the Agreement, and certify to the Controller in writing it has done so, unless the Processor is required by Applicable Law to continue to process that personal data, in which case the Processor shall promptly notify the Controller, in writing, of what that Applicable Law is and shall only be permitted to process that personal data for the specific purpose so-notified, and all other requirements set out in this Schedule 3 shall continue to apply to such personal data notwithstanding the termination or expiry of this Agreement for as long as such personal data is processed by the Processor. For the purposes of this paragraph 3.3.6 the obligation to "delete" data includes the obligation to delete data from back-up systems as well as live systems; and
3.3.7 maintain adequate records, and, on the Controller's request, make available such information as the Controller may reasonably request, and allow for and submit its premises and operations to audits, including inspections, by the Controller or the Controller's designated auditor, to demonstrate its compliance with Applicable Data Protection Laws and this Schedule 3.
3.4 The Processor shall not, without the prior written consent of the Controller (and in any event subject to the Processor providing the Controller with reasonable evidence that such activity is being undertaken in full compliance with Applicable Data Protection Laws):
3.4.1 appoint or replace (or change the terms of the appointment of) any other processor in relation to the personal data or transfer any personal data to the same; or
3.4.2 carry out, via itself or via any other processor, any processing of personal data, or transfer any personal data, outside of the UK, including processing personal data on equipment situated outside of the UK until the following conditions are fulfilled:
3.4.2.1 the Controller or the Processor has provided appropriate safeguards in relation to the transfer;
3.4.2.2 the data subject has enforceable rights and effective legal remedies;
3.4.2.3 the Processor complies with its obligations under the Applicable Data Protection Laws by providing an adequate level of protection to any personal data that is transferred; and
3.4.2.4 the Processor complies with reasonable instructions notified to it in advance by the Controller with respect to the processing of the personal data. [DN: this clause will apply where you have Suppliers who are situated/processing personal data outside of the UK and will need to be reviewed on a case by case basis.]
3.5 Either party may, at any time on not less than 30 days' notice, revise the clauses in this Schedule 3 by replacing it with any applicable controller to processor standard clauses or similar terms forming part of an applicable certification scheme (which shall apply when replaced by attachment to this Agreement).
Sources: It Master Services Agreement
DATA PROCESSING OBLIGATIONS. 3.1 The parties have determined that for purposes of the Applicable Data Protection Laws the University is the [Controller OR Processor] and the Supplier is the [Controller OR Processor]. [DN: amend depending on the circumstances.]. Part 2 of this Schedule 3 sets out the scope, nature and purpose of processing by the Processor, the duration of the processing and the types of personal data and categories of data subject.
3.2 Without prejudice to the generality of paragraph 2.1, the Controller will ensure that it has all necessary appropriate consents and notices in place to enable the lawful transfer of the personal data to the Processor and/or lawful collection of the personal data by the Processor on behalf of the Controller for the duration of this Contract.
3.3 Without prejudice to the generality of paragraph 3.2, the Processor shall, in relation to any personal data processed in connection with the performance by the Processor of its obligations under this Contract:
3.3.1 process that personal data only on the documented instructions of the Controller, unless the Processor is required by other Applicable Laws to otherwise process that personal data. Where the Processor is relying on other Applicable Laws as the basis for processing personal data, the Processor shall promptly notify the Controller of this before performing the processing required by other Applicable Laws unless those laws prohibit the Processor from so notifying the Controller on important grounds of public interest. The Processor shall immediately inform the Controller if, in the opinion of the Processor, the instructions of the Controller infringe Applicable Data Protection Laws;
3.3.2 implement appropriate technical and organisational measures to protect against unauthorised or unlawful processing of the personal data and against its accidental loss, damage or destruction, including:
3.3.2.1 the pseudonymisation and encryption of personal data;
3.3.2.2 the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
3.3.2.3 the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and
3.3.2.4 a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
3.3.3 ensure, and procure, that any personnel engaged and authorised by the Processor to process personal data keep the personal data confidential;
3.3.4 promptly assist the Controller, at the Processor’s expense, in responding to any request from a data subject and in ensuring compliance with the Controller's obligations under Applicable Data Protection Laws with respect to security, breach notifications, impact assessments and consultations with the Commissioner, supervisory authorities or other regulators and, in particular, the Processor shall promptly notify the Controller if it receives any complaint, notice or communication (whether from the Commissioner, any data subject, supervisory authority or other third party) which relates to processing of personal data;
3.3.5 notify the Controller without undue delay (and no later than 48 hours) after becoming aware of a personal data breach and on suspecting the same, the Processor shall promptly conduct an initial assessment to determine, with a reasonable degree of certainty, whether the event or incident qualifies for notification to the Controller under this paragraph 3.3.5 and shall provide a copy of this initial assessment along with such notification; [DN: review this wording where the University will act as the processor under a SaaS agreement and this Data Protection schedule has been drafted for wider use in the suite of contracts.]
3.3.6 at the written direction of the Controller, delete or return to the Controller all personal data on termination or expiry of the Contract, and certify to the Controller in writing it has done so, unless the Processor is required by Applicable Law to continue to process that personal data, in which case the Processor shall promptly notify the Controller, in writing, of what that Applicable Law is and shall only be permitted to process that personal data for the specific purpose so-notified, and all other requirements set out in this Schedule 3 shall continue to apply to such personal data notwithstanding the termination or expiry of this Contract for as long as such personal data is processed by the Processor. For the purposes of this paragraph 3.3.6 the obligation to "delete" data includes the obligation to delete data from back-up systems as well as live systems; and
3.3.7 maintain adequate records, and, on the Controller's request, make available such information as the Controller may reasonably request, and allow for and submit its premises and operations to audits, including inspections, by the Controller or the Controller's designated auditor, to demonstrate its compliance with Applicable Data Protection Laws and this Schedule 3.
3.4 The Processor shall not, without the prior written consent of the Controller (and in any event subject to the Processor providing the Controller with reasonable evidence that such activity is being undertaken in full compliance with Applicable Data Protection Laws):
3.4.1 appoint or replace (or change the terms of the appointment of) any other processor in relation to the personal data or transfer any personal data to the same; or
3.4.2 carry out, via itself or via any other processor, any processing of personal data, or transfer any personal data, outside of the UK, including processing personal data on equipment situated outside of the UK until the following conditions are fulfilled:
3.4.2.1 the Controller or the Processor has provided appropriate safeguards in relation to the transfer;
3.4.2.2 the data subject has enforceable rights and effective legal remedies;
3.4.2.3 the Processor complies with its obligations under the Applicable Data Protection Laws by providing an adequate level of protection to any personal data that is transferred; and
3.4.2.4 the Processor complies with reasonable instructions notified to it in advance by the Controller with respect to the processing of the personal data. [DN: this clause will apply where you have Suppliers who are situated/processing personal data outside of the UK and will need to be reviewed on a case by case basis.]
3.5 Either party may, at any time on not less than 30 days' notice, revise the clauses in this Schedule 3 by replacing it with any applicable controller to processor standard clauses or similar terms forming part of an applicable certification scheme (which shall apply when replaced by attachment to this Contract).
DATA PROCESSING OBLIGATIONS. 3.1 The parties have determined that for purposes of the Applicable Data Protection Laws the University is the [Controller OR Processor] and the Supplier is the [Controller OR Processor]. [DN: amend depending on the circumstances.]. Part 2 of this Schedule 3 sets out the scope, nature and purpose of processing by the Processor, the duration of the processing and the types of personal data and categories of data subject.
3.2 Without prejudice to the generality of paragraph 2.1, the Controller will ensure that it has all necessary appropriate consents and notices in place to enable the lawful transfer of the personal data to the Processor and/or lawful collection of the personal data by the Processor on behalf of the Controller for the duration of this Agreement.
3.3 Without prejudice to the generality of paragraph 3.2, the Processor shall, in relation to any personal data processed in connection with the performance by the Processor of its obligations under this Agreement:
3.3.1 process that personal data only on the documented instructions of the Controller, unless the Processor is required by other Applicable Laws to otherwise process that personal data. Where the Processor is relying on other Applicable Laws as the basis for processing personal data, the Processor shall promptly notify the Controller of this before performing the processing required by other Applicable Laws unless those laws prohibit the Processor from so notifying the Controller on important grounds of public interest. The Processor shall immediately inform the Controller if, in the opinion of the Processor, the instructions of the Controller infringe Applicable Data Protection Laws;
3.3.2 implement appropriate technical and organisational measures to protect against unauthorised or unlawful processing of the personal data and against its accidental loss, damage or destruction, including:
3.3.2.1 the pseudonymisation and encryption of personal data;
3.3.2.2 the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
3.3.2.3 the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and
3.3.2.4 a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
3.3.3 ensure, and procure, that any personnel engaged and authorised by the Processor to process personal data keep the personal data confidential;
3.3.4 promptly assist the Controller, at the Processor’s expense, in responding to any request from a data subject and in ensuring compliance with the Controller's obligations under Applicable Data Protection Laws with respect to security, breach notifications, impact assessments and consultations with the Commissioner, supervisory authorities or other regulators and, in particular, the Processor shall promptly notify the Controller if it receives any complaint, notice or communication (whether from the Commissioner, any data subject, supervisory authority or other third party) which relates to processing of personal data;
3.3.5 notify the Controller without undue delay (and no later than 48 hours) after becoming aware of a personal data breach and on suspecting the same, the Processor shall promptly conduct an initial assessment to determine, with a reasonable degree of certainty, whether the event or incident qualifies for notification to the Controller under this paragraph 3.3.5 and shall provide a copy of this initial assessment along with such notification; [DN: review this wording where the University acts as the processor.];
3.3.6 at the written direction of the Controller, delete or return to the Controller all personal data on termination or expiry of the Agreement, and certify to the Controller in writing it has done so, unless the Processor is required by Applicable Law to continue to process that personal data, in which case the Processor shall promptly notify the Controller, in writing, of what that Applicable Law is and shall only be permitted to process that personal data for the specific purpose so-notified, and all other requirements set out in this Schedule 3 shall continue to apply to such personal data notwithstanding the termination or expiry of this Agreement for as long as such personal data is processed by the Processor. For the purposes of this paragraph 3.3.6 the obligation to "delete" data includes the obligation to delete data from back-up systems as well as live systems; and
3.3.7 maintain adequate records, and, on the Controller's request, make available such information as the Controller may reasonably request, and allow for and submit its premises and operations to audits, including inspections, by the Controller or the Controller's designated auditor, to demonstrate its compliance with Applicable Data Protection Laws and this Schedule 3.
3.4 The Processor shall not, without the prior written consent of the Controller (and in any event subject to the Processor providing the Controller with reasonable evidence that such activity is being undertaken in full compliance with Applicable Data Protection Laws):
3.4.1 appoint or replace (or change the terms of the appointment of) any other processor in relation to the personal data or transfer any personal data to the same; or
3.4.2 carry out, via itself or via any other processor, any processing of personal data, or transfer any personal data, outside of the UK, including processing personal data on equipment situated outside of the UK until the following conditions are fulfilled:
3.4.2.1 the Controller or the Processor has provided appropriate safeguards in relation to the transfer;
3.4.2.2 the data subject has enforceable rights and effective legal remedies;
3.4.2.3 the Processor complies with its obligations under the Applicable Data Protection Laws by providing an adequate level of protection to any personal data that is transferred; and
3.4.2.4 the Processor complies with reasonable instructions notified to it in advance by the Controller with respect to the processing of the personal data. [DN: this clause will apply where you have Suppliers who are situated/processing personal data outside of the UK and will need to be reviewed on a case by case basis.]
3.5 Either party may, at any time on not less than 30 days' notice, revise the clauses in this Schedule 3 by replacing it with any applicable controller to processor standard clauses or similar terms forming part of an applicable certification scheme (which shall apply when replaced by attachment to this Agreement).