Common use of DATA PROCESSING OBLIGATIONS Clause in Contracts

DATA PROCESSING OBLIGATIONS. In respect of any Personal Data to be processed by the Data Processor pursuant to this Agreement for which the Customer is Data Controller, the Data Processor shall: a) have in place and at all times maintain appropriate technical and organisational measures in such a manner as is designed to ensure the protection of the rights of the data subject and to ensure a level of security appropriate to the risk; b) not engage any new sub-processor without giving notice of at least 30 days in advance of providing that new sub-processor with access to Customer Data. A list of current sub-processors can be found at 7 c) ensure that each of the Data Processor’s employees, agents, consultants, subcontractors and sub-processors are made aware of the Data Processor’s obligations under this Schedule and enter into binding obligations with the Data Processor to maintain the levels of security and protection required under this Schedule. The Data Processor shall ensure that the terms of this Schedule are incorporated into each agreement with any sub-processor, subcontractor, agent or consultant to the effect that the sub- processor, subcontractor, agent or consultant shall be obligated to act at all times in accordance with duties and obligations of the Data Processor under this Schedule. The Data Processor shall at all times be and remain liable to the Customer for any failure of any employee, agent, consultant, subcontractor or sub-processor to act in accordance with the duties and obligations of the Data Processor under this Schedule; d) process that Personal Data only on behalf of the Customer in accordance with the Customer’s instructions and to perform its obligations under this Agreement or other documented instructions and for no other purpose save to the limited extent required by law;

DATA PROCESSING OBLIGATIONS. In respect of any Personal Data to be processed by the Data Processor pursuant to this Agreement for which the Customer is Data Controller, the Data Processor shall: a) have in place and at all times maintain appropriate technical and organisational measures in such a manner as is designed to ensure the protection of the rights of the data subject and to ensure a level of security appropriate to the risk; b) not engage any new sub-processor without giving notice of at least 30 days in advance of providing that new sub-processor with access to Customer Data. A list of current sub-processors can be found at 7 c) ensure that each of the Data Processor’s employees, agents, consultants, subcontractors and sub-processors are made aware of the Data Processor’s obligations under this Schedule and enter into binding obligations with the Data Processor to maintain the levels of security and protection required under this Schedule. The Data Processor shall ensure that the terms of this Schedule are incorporated into each agreement with any sub-processor, subcontractor, agent or consultant to the effect that the sub- sub-processor, subcontractor, agent or consultant shall be obligated to act at all times in accordance with duties and obligations of the Data Processor under this Schedule. The Data Processor shall at all times be and remain liable to the Customer for any failure of any employee, agent, consultant, subcontractor or sub-processor to act in accordance with the duties and obligations of the Data Processor under this Schedule; d) process that Personal Data only on behalf of the Customer in accordance with the Customer’s instructions and to perform its obligations under this Agreement or other documented instructions and for no other purpose save to the limited extent required by law;