Common use of Data Processor Obligations Clause in Contracts

Data Processor Obligations. With respect to the Parties’ rights and obligations under this Provider Agreement, the Parties agree that the Council is the Data Controller and that the Service Provider is the Data Processor. A description of the Personal Data processed by the Service Provider and the processing activities undertaken by the Service Provider is set out in the Data Processing Activities set out in clause 19.1. • In respect of Personal Data that the Service Provider processes on behalf of the Council in connection with this Provider Agreement, the Service Provider shall and shall procure that its representatives shall: 19.3.1 solely process the Personal Data for the purposes of fulfilling its obligations under this Provider Agreement and in compliance with the Council’s written instructions as set out in this Provider Agreement and as may be specified from time to time in writing by the Council; 19.3.2 notify the Council immediately if any instructions of the Council relating to the processing of Personal Data are unlawful; 19.3.3 not transfer to or access any Personal Data from a country outside of the United Kingdom without the prior written consent of the Council; 19.3.4 comply with the Council’s instructions in relation to transfers of Personal Data to a country outside of the United Kingdom unless the Service Provider is required pursuant to applicable laws to transfer Personal Data outside the United Kingdom, in which case the Service Provider shall inform the Council in writing of the relevant legal requirement before any such transfer occurs unless the relevant law prohibits such notification on important grounds of public interest; 19.3.5 take reasonable steps to ensure the reliability of any Staff who have access to the Personal Data and ensure that all Staff used by the Service Provider to process Personal Data are subject to legally binding obligations of confidentiality in relation to the Personal Data; 19.3.6 ensure that none of the Service Provider’s Staff publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Council; 19.3.7 not engage any sub-contractor to carry out any processing of Personal Data without the prior written consent of the Council provided that notwithstanding any such consent the Service Provider shall remain liable for compliance with all the requirements of this Provider Agreement including in relation to the processing of Personal Data; 19.3.8 ensure that obligations equivalent to the obligations set out in this clause 19 are included in all Provider Agreements between the Service Provider and permitted sub-contractor who will be processing Personal Data and who have been approved in accordance with clause; 19.3.9 take appropriate technical and organisational measures against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data taking into account the harm that might result from such unauthorised or unlawful processing, loss, destruction or damage and the nature of the Personal Data to be protected including without limitation, all such measures that may be required to ensure compliance with the Data Protection Legislation; 19.3.10 upon request provide a written description of the technical and organisational measures employed by the Service Provider (within the timescales required by the Council) and if the Council does not consider that such measures are adequate to enable compliance with the Data Protection Legislation, implement such additional measures as may be specified by the Council (acting reasonably) to ensure compliance; 19.3.11 taking into account the nature of the data processing activities undertaken by the Service Provider, provide, at no cost to the Council, all possible assistance and co-operation (including without limitation putting in place appropriate technical and organisational measures) to enable the Council to fulfil its obligations to respond to requests from individuals exercising their rights under the Data Protection Legislation, including (without limitation): 19.3.12 notifying the Council within two (2) Working Days, of receiving any request from a Data Subject exercising their rights under the Data Protection Legislation; 19.3.13 complying with the Council’s instructions in relation to complying with the Data Subject’s rights under the Data Protection Legislation, which may include (without limitation) providing notices to Data Subjects in a format specified by the Council, rectifying inaccurate Personal Data, ceasing or restricting processing of Personal Data, providing access to Personal Data, permanently deleting or securely destroying Personal Data and providing copies of Personal Data in a format specified by the Council; 19.3.14 maintain a record of the Service Provider’s processing activities in accordance with the requirements of the Data Protection Legislation; 19.3.15 assist the Council, at no cost to the Council, in ensuring compliance with the obligations set out in Articles 32 to 36 (inclusive) of the GDPR (or any equivalent legislation in the UK or any subsequent legislation) taking into account the nature of the data processing undertaken by the Service Provider and the information available to the Service Provider, including (without limitation): 19.3.15.1 providing information and assistance upon request to enable the Council to notify Data Security Breaches to the Information Commissioner’s and/or to affected individuals and/or to any other regulators to whom the Council is required to notify any Data Security Breaches; and 19.3.15.2 providing input into and carrying out Data Protection Impact Assessments in relation to the Service Provider’s data processing activities; 19.3.16 ensure that it has in place appropriate technical and organisational measures to ensure that processing of Personal Data carried out by the Service Provider in connection with this Provider Agreement meets the requirements of the Data Protection Legislation and ensures protection of the rights of individuals under the Data Protection Legislation; 19.3.17 notify the Council immediately and in any event within twenty-four (24) hours in writing if: 19.3.17.1 the Service Provider or any sub-contractor engaged by or on behalf of the Service Provider suffers a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data; or 19.3.17.2 the Service Provider or any sub-contractor engaged by or on behalf of the Service Provider receives any Data Security Breach notification, complaint, notice or communication which relates directly or indirectly to the processing of the Personal Data or to either party’s compliance with the Data Protection Legislation, and in each case the Service Provider shall provide full co-operation, information and assistance to the Council in relation to any such Data Security Breach, complaint, notice or communication at no cost to the Council; • upon termination of this Provider Agreement, at the discretion of and at no cost to the Council, delete securely or return all Personal Data to the Council and delete all existing copies of the Personal Data unless and to the extent that the Service Provider is required to retain copies of the Personal Data in accordance with applicable laws. • make available to the Council at no cost to the Council all information necessary to demonstrate compliance with the obligations set out in this clause and, upon request, allow the Council, the Information Commissioner’s Office and its representatives access to the Service Provider’s Premises, records and Personnel for the purposes of assessing the Service Provider’s compliance with its obligations under clause; and • indemnify the Council from and against all costs, expenses (including legal and other professional fees and expenses), losses, damages and other liabilities or whatever nature (whether contractual, tortious or otherwise) suffered or incurred by the Council and arising out of or in connection with any breach by the Service Provider or any sub-contractor of this clause. For the avoidance of doubt, the Council shall provide documentary evidence to the Service Provider before it can make a claim under this clause in relation to any third-party action. • The provisions of this clause shall apply during the continuance of the Provider Agreement and indefinitely after its expiry or termination.

Data Processor Obligations. 19.3.1 With respect to the Parties’ rights and obligations under this Provider Agreement, the Parties agree that the Council is the Data Controller and that the Service Provider is the Data Processor. A description of the Personal Data processed by the Service Provider and the processing activities undertaken by the Service Provider is set out in the Data Processing Activities set out in clause 19.1. • 19.20. 19.3.2 In respect of Personal Data that the Service Provider processes on behalf of the Council in connection with this Provider Agreement, the Service Provider shall and shall procure that its representatives shall: 19.3.1 19.3.2.1 solely process the Personal Data for the purposes of fulfilling its obligations under this Provider Agreement and in compliance with the Council’s written instructions as set out in this Provider Agreement and as may be specified from time to time in writing by the Council; 19.3.2 19.3.2.2 notify the Council immediately if any instructions of the Council relating to the processing of Personal Data are unlawful; 19.3.3 19.3.2.3 not transfer to or access any Personal Data from a country outside of the United Kingdom without the prior written consent of the Council; 19.3.4 19.3.2.4 comply with the Council’s instructions in relation to transfers of Personal Data to a country outside of the United Kingdom unless the Service Provider is required pursuant to applicable laws to transfer Personal Data outside the United Kingdom, in which case the Service Provider shall inform the Council in writing of the relevant legal requirement before any such transfer occurs unless the relevant law prohibits such notification on important grounds of public interest; 19.3.5 19.3.2.5 take reasonable steps to ensure the reliability of any Staff who have access to the Personal Data and ensure that all Staff used by the Service Provider to process Personal Data are subject to legally binding obligations of confidentiality in relation to the Personal Data; 19.3.6 19.3.2.6 ensure that none of the Service Provider’s Staff publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Council; 19.3.7 19.3.2.7 not engage any sub-contractor to carry out any processing of Personal Data without the prior written consent of the Council provided that notwithstanding any such consent the Service Provider shall remain liable for compliance with all the requirements of this Provider Agreement including in relation to the processing of Personal Data; 19.3.8 19.3.2.8 ensure that obligations equivalent to the obligations set out in this clause 19 are included in all Provider Agreements between the Service Provider and permitted sub-contractor who will be processing Personal Data and who have been approved in accordance with clause; 19.3.9 19.3.2.9 take appropriate technical and organisational measures against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data taking into account the harm that might result from such unauthorised or unlawful processing, loss, destruction or damage and the nature of the Personal Data to be protected including without limitation, all such measures that may be required to ensure compliance with the Data Protection Legislation; 19.3.10 19.3.2.10 upon request provide a written description of the technical and organisational measures employed by the Service Provider (within the timescales required by the Council) and if the Council does not consider that such measures are adequate to enable compliance with the Data Protection Legislation, implement such additional measures as may be specified by the Council (acting reasonably) to ensure compliance; 19.3.11 19.3.2.11 taking into account the nature of the data processing activities undertaken by the Service Provider, provide, at no cost to the Council, all possible assistance and co-operation (including without limitation putting in place appropriate technical and organisational measures) to enable the Council to fulfil its obligations to respond to requests from individuals exercising their rights under the Data Protection Legislation, including (without limitation): 19.3.12 19.3.2.11.1 notifying the Council within two (2) Working Days, of receiving any request from a Data Subject exercising their rights under the Data Protection Legislation; 19.3.13 19.3.2.11.2 complying with the Council’s instructions in relation to complying with the Data Subject’s rights under the Data Protection Legislation, which may include (without limitation) providing notices to Data Subjects in a format specified by the Council, rectifying inaccurate Personal Data, ceasing or restricting processing of Personal Data, providing access to Personal Data, permanently deleting or securely destroying Personal Data and providing copies of Personal Data in a format specified by the Council; 19.3.14 maintain a record of the Service Provider’s processing activities in accordance with the requirements of the Data Protection Legislation; 19.3.15 assist the Council, at no cost to the Council, in ensuring compliance with the obligations set out in Articles 32 to 36 (inclusive) of the GDPR (or any equivalent legislation in the UK or any subsequent legislation) taking into account the nature of the data processing undertaken by the Service Provider and the information available to the Service Provider, including (without limitation): 19.3.15.1 providing information and assistance upon request to enable the Council to notify Data Security Breaches to the Information Commissioner’s and/or to affected individuals and/or to any other regulators to whom the Council is required to notify any Data Security Breaches; and 19.3.15.2 providing input into and carrying out Data Protection Impact Assessments in relation to the Service Provider’s data processing activities; 19.3.16 ensure that it has in place appropriate technical and organisational measures to ensure that processing of Personal Data carried out by the Service Provider in connection with this Provider Agreement meets the requirements of the Data Protection Legislation and ensures protection of the rights of individuals under the Data Protection Legislation; 19.3.17 notify the Council immediately and in any event within twenty-four (24) hours in writing if: 19.3.17.1 the Service Provider or any sub-contractor engaged by or on behalf of the Service Provider suffers a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data; or 19.3.17.2 the Service Provider or any sub-contractor engaged by or on behalf of the Service Provider receives any Data Security Breach notification, complaint, notice or communication which relates directly or indirectly to the processing of the Personal Data or to either party’s compliance with the Data Protection Legislation, and in each case the Service Provider shall provide full co-operation, information and assistance to the Council in relation to any such Data Security Breach, complaint, notice or communication at no cost to the Council; • upon termination of this Provider Agreement, at the discretion of and at no cost to the Council, delete securely or return all Personal Data to the Council and delete all existing copies of the Personal Data unless and to the extent that the Service Provider is required to retain copies of the Personal Data in accordance with applicable laws. • make available to the Council at no cost to the Council all information necessary to demonstrate compliance with the obligations set out in this clause and, upon request, allow the Council, the Information Commissioner’s Office and its representatives access to the Service Provider’s Premises, records and Personnel for the purposes of assessing the Service Provider’s compliance with its obligations under clause; and • indemnify the Council from and against all costs, expenses (including legal and other professional fees and expenses), losses, damages and other liabilities or whatever nature (whether contractual, tortious or otherwise) suffered or incurred by the Council and arising out of or in connection with any breach by the Service Provider or any sub-contractor of this clause. For the avoidance of doubt, the Council shall provide documentary evidence to the Service Provider before it can make a claim under this clause in relation to any third-party action. • The provisions of this clause shall apply during the continuance of the Provider Agreement and indefinitely after its expiry or termination.

Data Processor Obligations. 19.4.1 With respect to the Parties’ rights and obligations under this Provider Agreement, the Parties agree that the Council is the Data Controller and that the Service Provider is the Data Processor. A description of the Personal Data processed by the Service Provider and the processing activities undertaken by the Service Provider is set out in the Data Processing Activities set out in clause 19.1. • 19.20. 19.4.2 In respect of Personal Data that the Service Provider processes on behalf of the Council in connection with this Provider Agreement, the Service Provider shall and shall procure that its representatives shall: 19.3.1 19.4.2.1 solely process the Personal Data for the purposes of fulfilling its obligations under this Provider Agreement and in compliance with the Council’s written instructions as set out in this Provider Agreement and as may be specified from time to time in writing by the Council; 19.3.2 19.4.2.2 notify the Council immediately if any instructions of the Council relating to the processing of Personal Data are unlawful; 19.3.3 19.4.2.3 not transfer to or access any Personal Data from a country outside of the United Kingdom without the prior written consent of the Council; 19.3.4 19.4.2.4 comply with the Council’s instructions in relation to transfers of Personal Data to a country outside of the United Kingdom unless the Service Provider is required pursuant to applicable laws to transfer Personal Data outside the United Kingdom, in which case the Service Provider shall inform the Council in writing of the relevant legal requirement before any such transfer occurs unless the relevant law prohibits such notification on important grounds of public interest; 19.3.5 19.4.2.5 take reasonable steps to ensure the reliability of any Staff who have access to the Personal Data and ensure that all Staff used by the Service Provider to process Personal Data are subject to legally binding obligations of confidentiality in relation to the Personal Data; 19.3.6 19.4.2.6 ensure that none of the Service Provider’s Staff publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Council; 19.3.7 19.4.2.7 not engage any sub-contractor to carry out any processing of Personal Data without the prior written consent of the Council provided that notwithstanding any such consent the Service Provider shall remain liable for compliance with all the requirements of this Provider Agreement including in relation to the processing of Personal Data; 19.3.8 19.4.2.8 ensure that obligations equivalent to the obligations set out in this clause 19 are included in all Provider Agreements between the Service Provider and permitted sub-contractor who will be processing Personal Data and who have been approved in accordance with clause; 19.3.9 19.4.2.9 take appropriate technical and organisational measures against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data taking into account the harm that might result from such unauthorised or unlawful processing, loss, destruction or damage and the nature of the Personal Data to be protected including without limitation, all such measures that may be required to ensure compliance with the Data Protection Legislation; 19.3.10 19.4.2.10 upon request provide a written description of the technical and organisational measures employed by the Service Provider (within the timescales required by the Council) and if the Council does not consider that such measures are adequate to enable compliance with the Data Protection Legislation, implement such additional measures as may be specified by the Council (acting reasonably) to ensure compliance; 19.3.11 19.4.2.11 taking into account the nature of the data processing activities undertaken by the Service Provider, provide, at no cost to the Council, all possible assistance and co-operation (including without limitation putting in place appropriate technical and organisational measures) to enable the Council to fulfil its obligations to respond to requests from individuals exercising their rights under the Data Protection Legislation, including (without limitation): 19.3.12 19.4.2.12 notifying the Council within two (2) Working Days, of receiving any request from a Data Subject exercising their rights under the Data Protection Legislation; 19.3.13 19.4.2.13 complying with the Council’s instructions in relation to complying with the Data Subject’s rights under the Data Protection Legislation, which may include (without limitation) providing notices to Data Subjects in a format specified by the Council, rectifying inaccurate Personal Data, ceasing or restricting processing of Personal Data, providing access to Personal Data, permanently deleting or securely destroying Personal Data and providing copies of Personal Data in a format specified by the Council; 19.3.14 maintain a record of the Service Provider’s processing activities in accordance with the requirements of the Data Protection Legislation; 19.3.15 assist the Council, at no cost to the Council, in ensuring compliance with the obligations set out in Articles 32 to 36 (inclusive) of the GDPR (or any equivalent legislation in the UK or any subsequent legislation) taking into account the nature of the data processing undertaken by the Service Provider and the information available to the Service Provider, including (without limitation): 19.3.15.1 providing information and assistance upon request to enable the Council to notify Data Security Breaches to the Information Commissioner’s and/or to affected individuals and/or to any other regulators to whom the Council is required to notify any Data Security Breaches; and 19.3.15.2 providing input into and carrying out Data Protection Impact Assessments in relation to the Service Provider’s data processing activities; 19.3.16 ensure that it has in place appropriate technical and organisational measures to ensure that processing of Personal Data carried out by the Service Provider in connection with this Provider Agreement meets the requirements of the Data Protection Legislation and ensures protection of the rights of individuals under the Data Protection Legislation; 19.3.17 notify the Council immediately and in any event within twenty-four (24) hours in writing if: 19.3.17.1 the Service Provider or any sub-contractor engaged by or on behalf of the Service Provider suffers a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data; or 19.3.17.2 the Service Provider or any sub-contractor engaged by or on behalf of the Service Provider receives any Data Security Breach notification, complaint, notice or communication which relates directly or indirectly to the processing of the Personal Data or to either party’s compliance with the Data Protection Legislation, and in each case the Service Provider shall provide full co-operation, information and assistance to the Council in relation to any such Data Security Breach, complaint, notice or communication at no cost to the Council; • upon termination of this Provider Agreement, at the discretion of and at no cost to the Council, delete securely or return all Personal Data to the Council and delete all existing copies of the Personal Data unless and to the extent that the Service Provider is required to retain copies of the Personal Data in accordance with applicable laws. • make available to the Council at no cost to the Council all information necessary to demonstrate compliance with the obligations set out in this clause and, upon request, allow the Council, the Information Commissioner’s Office and its representatives access to the Service Provider’s Premises, records and Personnel for the purposes of assessing the Service Provider’s compliance with its obligations under clause; and • indemnify the Council from and against all costs, expenses (including legal and other professional fees and expenses), losses, damages and other liabilities or whatever nature (whether contractual, tortious or otherwise) suffered or incurred by the Council and arising out of or in connection with any breach by the Service Provider or any sub-contractor of this clause. For the avoidance of doubt, the Council shall provide documentary evidence to the Service Provider before it can make a claim under this clause in relation to any third-party action. • The provisions of this clause shall apply during the continuance of the Provider Agreement and indefinitely after its expiry or termination.

Data Processor Obligations. With respect to the Parties’ rights and obligations under this Provider Agreement, the Parties agree that the Council is the Data Controller and that the Service Provider is the Data Processor. A description of the Personal Data processed by the Service Provider and the processing activities undertaken by the Service Provider is set out in the Data Processing Activities set out in clause 19.1. • In respect of Personal Data that the Service Provider processes on behalf of the Council in connection with this Provider Agreement, the Service Provider shall and shall procure that its representatives shall: 19.3.1 solely process the Personal Data for the purposes of fulfilling its obligations under this Provider Agreement and in compliance with the Council’s written instructions as set out in this Provider Agreement and as may be specified from time to time in writing by the Council; 19.3.2 notify the Council immediately if any instructions of the Council relating to the processing of Personal Data are unlawful; 19.3.3 not transfer to or access any Personal Data from a country outside of the United Kingdom without the prior written consent of the Council; 19.3.4 comply with the Council’s instructions in relation to transfers of Personal Data to a country outside of the United Kingdom unless the Service Provider is required pursuant to applicable laws to transfer Personal Data outside the United Kingdom, in which case the Service Provider shall inform the Council in writing of the relevant legal requirement before any such transfer occurs unless the relevant law prohibits such notification on important grounds of public interest; 19.3.5 take reasonable steps to ensure the reliability of any Staff who have access to the Personal Data and ensure that all Staff used by the Service Provider to process Personal Data are subject to legally binding obligations of confidentiality in relation to the Personal Data; 19.3.6 ensure that none of the Service Provider’s Staff publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Council; 19.3.7 not engage any sub-contractor to carry out any processing of Personal Data without the prior written consent of the Council provided that notwithstanding any such consent the Service Provider shall remain liable for compliance with all the requirements of this Provider Agreement including in relation to the processing of Personal Data; 19.3.8 ensure that obligations equivalent to the obligations set out in this clause 19 are included in all Provider Agreements between the Service Provider and permitted sub-contractor who will be processing Personal Data and who have been approved in accordance with clause; 19.3.9 take appropriate technical and organisational measures against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data taking into account the harm that might result from such unauthorised or unlawful processing, loss, destruction or damage and the nature of the Personal Data to be protected including without limitation, all such measures that may be required to ensure compliance with the Data Protection Legislation; 19.3.10 upon request provide a written description of the technical and organisational measures employed by the Service Provider (within the timescales required by the Council) and if the Council does not consider that such measures are adequate to enable compliance with the Data Protection Legislation, implement such additional measures as may be specified by the Council (acting reasonably) to ensure compliance; 19.3.11 taking into account the nature of the data processing activities undertaken by the Service Provider, provide, at no cost to the Council, all possible assistance and co-operation (including without limitation putting in place appropriate technical and organisational measures) to enable the Council to fulfil its obligations to respond to requests from individuals exercising their rights under the Data Protection Legislation, including (without limitation): 19.3.12 notifying the Council within two (2) Working Days, of receiving any request from a Data Subject exercising their rights under the Data Protection Legislation; 19.3.13 complying with the Council’s instructions in relation to complying with the Data Subject’s rights under the Data Protection Legislation, which may include (without limitation) providing notices to Data Subjects in a format specified by the Council, rectifying inaccurate Personal Data, ceasing or restricting processing of Personal Data, providing access to Personal Data, permanently deleting or securely destroying Personal Data and providing copies of Personal Data in a format specified by the Council; 19.3.14 maintain a record of the Service Provider’s processing activities in accordance with the requirements of the Data Protection Legislation; 19.3.15 assist the Council, at no cost to the Council, in ensuring compliance with the obligations set out in Articles 32 to 36 (inclusive) of the GDPR (or any equivalent legislation in the UK or any subsequent legislation) taking into account the nature of the data processing undertaken by the Service Provider and the information available to the Service Provider, including (without limitation): 19.3.15.1 providing information and assistance upon request to enable the Council to notify Data Security Breaches to the Information Commissioner’s and/or to affected individuals and/or to any other regulators to whom the Council is required to notify any Data Security Breaches; and 19.3.15.2 providing input into and carrying out Data Protection Impact Assessments in relation to the Service Provider’s data processing activities; 19.3.16 ensure that it has in place appropriate technical and organisational measures to ensure that processing of Personal Data carried out by the Service Provider in connection with this Provider Agreement meets the requirements of the Data Protection Legislation and ensures protection of the rights of individuals under the Data Protection Legislation; 19.3.17 notify the Council immediately and in any event within twenty-four (24) hours in writing if: 19.3.17.1 the Service Provider or any sub-contractor engaged by or on behalf of the Service Provider suffers a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data; or 19.3.17.2 the Service Provider or any sub-contractor engaged by or on behalf of the Service Provider receives any Data Security Breach notification, complaint, notice or communication which relates directly or indirectly to the processing of the Personal Data or to either party’s compliance with the Data Protection Legislation, and in each case the Service Provider shall provide full co-operation, information and assistance to the Council in relation to any such Data Security Breach, complaint, notice or communication at no cost to the Council; • upon termination of this Provider Agreement, at the discretion of and at no cost to the Council, delete securely or return all Personal Data to the Council and delete all existing copies of the Personal Data unless and to the extent that the Service Provider is required to retain copies of the Personal Data in accordance with applicable laws. • make available to the Council at no cost to the Council all information necessary to demonstrate compliance with the obligations set out in this clause and, upon request, allow the Council, the Information Commissioner’s Office and its representatives access to the Service Provider’s Premises, records and Personnel for the purposes of assessing the Service Provider’s compliance with its obligations under clause; and • indemnify the Council from and against all costs, expenses (including legal and other professional fees and expenses), losses, damages and other liabilities or whatever nature (whether contractual, tortious or otherwise) suffered or incurred by the Council and arising out of or in connection with any breach by the Service Provider or any sub-contractor of this clause. For the avoidance of doubt, the Council shall provide documentary evidence to the Service Provider before it can make a claim under this clause in relation to any third-party action. • The provisions of this clause shall apply during the continuance of the Provider Agreement and indefinitely after its expiry or termination.

Data Processor Obligations. 19.3.1 With respect to the Parties’ rights and obligations under this Provider Agreement, the Parties agree that the Council is the Data Controller and that the Service Provider is the Data Processor. A description of the Personal Data processed by the Service Provider and the processing activities undertaken by the Service Provider is set out in the Data Processing Activities set out in clause 19.1. • . 19.3.2 In respect of Personal Data that the Service Provider processes on behalf of the Council in connection with this Provider Agreement, the Service Provider shall and shall procure that its representatives shall: 19.3.1 19.3.2.1 solely process the Personal Data for the purposes of fulfilling its obligations under this Provider Agreement and in compliance with the Council’s written instructions as set out in this Provider Agreement and as may be specified from time to time in writing by the Council; 19.3.2 19.3.2.2 notify the Council immediately if any instructions of the Council relating to the processing of Personal Data are unlawful; 19.3.3 19.3.2.3 not transfer to or access any Personal Data from a country outside of the United Kingdom without the prior written consent of the Council; 19.3.4 19.3.2.4 comply with the Council’s instructions in relation to transfers of Personal Data to a country outside of the United Kingdom unless the Service Provider is required pursuant to applicable laws to transfer Personal Data outside the United Kingdom, in which case the Service Provider shall inform the Council in writing of the relevant legal requirement before any such transfer occurs unless the relevant law prohibits such notification on important grounds of public interest; 19.3.5 19.3.2.5 take reasonable steps to ensure the reliability of any Staff who have access to the Personal Data and ensure that all Staff used by the Service Provider to process Personal Data are subject to legally binding obligations of confidentiality in relation to the Personal Data; 19.3.6 19.3.2.6 ensure that none of the Service Provider’s Staff publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Council; 19.3.7 19.3.2.7 not engage any sub-contractor to carry out any processing of Personal Data without the prior written consent of the Council provided that notwithstanding any such consent the Service Provider shall remain liable for compliance with all the requirements of this Provider Agreement including in relation to the processing of Personal Data; 19.3.8 19.3.2.8 ensure that obligations equivalent to the obligations set out in this clause 19 are included in all Provider Agreements between the Service Provider and permitted sub-contractor who will be processing Personal Data and who have been approved in accordance with clause; 19.3.9 19.3.2.9 take appropriate technical and organisational measures against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data taking into account the harm that might result from such unauthorised or unlawful processing, loss, destruction or damage and the nature of the Personal Data to be protected including without limitation, all such measures that may be required to ensure compliance with the Data Protection Legislation; 19.3.10 19.3.2.10 upon request provide a written description of the technical and organisational measures employed by the Service Provider (within the timescales required by the Council) and if the Council does not consider that such measures are adequate to enable compliance with the Data Protection Legislation, implement such additional measures as may be specified by the Council (acting reasonably) to ensure compliance; 19.3.11 19.3.2.11 taking into account the nature of the data processing activities undertaken by the Service Provider, provide, at no cost to the Council, all possible assistance and co-operation (including without limitation putting in place appropriate technical and organisational measures) to enable the Council to fulfil its obligations to respond to requests from individuals exercising their rights under the Data Protection Legislation, including (without limitation): 19.3.12 19.3.2.12 notifying the Council within two (2) Working Days, of receiving any request from a Data Subject exercising their rights under the Data Protection Legislation; 19.3.13 19.3.2.13 complying with the Council’s instructions in relation to complying with the Data Subject’s rights under the Data Protection Legislation, which may include (without limitation) providing notices to Data Subjects in a format specified by the Council, rectifying inaccurate Personal Data, ceasing or restricting processing of Personal Data, providing access to Personal Data, permanently deleting or securely destroying Personal Data and providing copies of Personal Data in a format specified by the Council; 19.3.14 maintain a record of the Service Provider’s processing activities in accordance with the requirements of the Data Protection Legislation; 19.3.15 assist the Council, at no cost to the Council, in ensuring compliance with the obligations set out in Articles 32 to 36 (inclusive) of the GDPR (or any equivalent legislation in the UK or any subsequent legislation) taking into account the nature of the data processing undertaken by the Service Provider and the information available to the Service Provider, including (without limitation): 19.3.15.1 providing information and assistance upon request to enable the Council to notify Data Security Breaches to the Information Commissioner’s and/or to affected individuals and/or to any other regulators to whom the Council is required to notify any Data Security Breaches; and 19.3.15.2 providing input into and carrying out Data Protection Impact Assessments in relation to the Service Provider’s data processing activities; 19.3.16 ensure that it has in place appropriate technical and organisational measures to ensure that processing of Personal Data carried out by the Service Provider in connection with this Provider Agreement meets the requirements of the Data Protection Legislation and ensures protection of the rights of individuals under the Data Protection Legislation; 19.3.17 notify the Council immediately and in any event within twenty-four (24) hours in writing if: 19.3.17.1 the Service Provider or any sub-contractor engaged by or on behalf of the Service Provider suffers a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data; or 19.3.17.2 the Service Provider or any sub-contractor engaged by or on behalf of the Service Provider receives any Data Security Breach notification, complaint, notice or communication which relates directly or indirectly to the processing of the Personal Data or to either party’s compliance with the Data Protection Legislation, and in each case the Service Provider shall provide full co-operation, information and assistance to the Council in relation to any such Data Security Breach, complaint, notice or communication at no cost to the Council; • upon termination of this Provider Agreement, at the discretion of and at no cost to the Council, delete securely or return all Personal Data to the Council and delete all existing copies of the Personal Data unless and to the extent that the Service Provider is required to retain copies of the Personal Data in accordance with applicable laws. • make available to the Council at no cost to the Council all information necessary to demonstrate compliance with the obligations set out in this clause and, upon request, allow the Council, the Information Commissioner’s Office and its representatives access to the Service Provider’s Premises, records and Personnel for the purposes of assessing the Service Provider’s compliance with its obligations under clause; and • indemnify the Council from and against all costs, expenses (including legal and other professional fees and expenses), losses, damages and other liabilities or whatever nature (whether contractual, tortious or otherwise) suffered or incurred by the Council and arising out of or in connection with any breach by the Service Provider or any sub-contractor of this clause. For the avoidance of doubt, the Council shall provide documentary evidence to the Service Provider before it can make a claim under this clause in relation to any third-party action. • The provisions of this clause shall apply during the continuance of the Provider Agreement and indefinitely after its expiry or termination.