Data Processor Obligations. The Contractor shall (and shall ensure that its Contract Workers and agents shall):
a) implement and maintain appropriate technical and organisational measures and safeguards for protection of personal data, to ensure the rights of data subjects are protected and to ensure that processing will meet the requirements of the General Data Protection Regulation;
b) ensure that all employees and subcontractors authorised to process personal data are subject to binding confidentiality obligations in respect of that personal data;
c) assist the Purchaser, using appropriate technical and organisational measures, to respond to requests from data subjects including requests for information, requests for deletion and amendments of information and requests for the transfer of data;
d) assist the Purchaser in ensuring compliance with its security, data breach notification, impact assessment and consultation obligations under Data Protection Legislation, taking into account the nature of processing and information available to the data processor;
e) at the Purchaser’s election, delete or return all personal data and existing copies to the Purchaser (unless Data Protection Legislation requires the data processor to store that personal data);
f) make available to the Purchaser all information necessary, and allow for and contribute to audits and inspections conducted by the Purchaser or the Purchaser’s mandated auditor, to demonstrate the data processor’s compliance with its obligations under this agreement;
g) immediately inform the Purchaser if, in the data processor’s opinion, any instruction given by the Purchaser to the data processor infringes Data Protection Legislation;
h) maintain a written record of all processing activities under its responsibility and of all categories of processing activities carried out on behalf of the Purchaser, that satisfies the requirements of the Data Protection Legislation;
i) cooperate on request with any relevant European Union or member state supervisory authority;
j) notify the Purchaser without undue delay after becoming aware of a breach of personal data and notify the Purchaser immediately if it is asked to do something infringing the GDPR or other data protection law of the EU or a member state;
k) take any further action and execute any further documents and amendments to this Contract as may, in the Purchaser’s reasonable opinion, be required to comply with Data Protection Legislation;
l) only process personal data in accordance with the Purchaser’s documented instructions consistent with and in the scope of this Contract (unless required to do so by applicable law, in which case the data processor shall inform the Purchaser of that legal requirement unless prohibited by law on important grounds of public interest);
m) only engage another processor to carry out specific processing activities with prior specific or general written authorisation of the Purchaser, and only where that other processor is subject to a written contract imposing on that other processor the same data protection obligations as are imposed on the data processor in this Contract;
n) not process or transfer personal data outside the European Economic Area except with the express prior written consent of the Purchaser; and
o) nothing within this Contract relieves the processor of its own direct responsibilities and liabilities under the GDPR.
Appears in 4 contracts
Sources: Supply of Goods and Services Agreement, Supply of Goods and Services Agreement, Supply Agreement
Data Processor Obligations. The Processor shall (and shall ensure that its Contract Workers and agents shall):
a) implement and maintain appropriate technical and organisational measures and safeguards for protection of personal data taking into account the nature of processing, to ensure the rights of data subjects are protected and to ensure that processing will meet the requirements of the UK General Data Protection Regulation. The Technical and organisational measures will meet the conditions in clauses 3.3.b, 3.5. and 3.6 of this agreement.
b) process data as instructed in schedule 3 (Specific instructions for processing), or any set of procedures named in that schedule. Any instructions in schedule 3 supplement, and do not replace, the obligations in clauses 3.3(a), 3.5 and 3.6.
c) ensure that all employees and subProcessors authorised to process personal data are subject to binding confidentiality obligations in respect of that personal data;
d) assist the Controller, using appropriate technical and organisational measures, to fulfil its obligations as controller to respond to requests for exercising of the data subject’s rights laid down by Chapter III (3) of the UK GDPR. Such requests shall include, though not limited to, requests for information, requests for deletion and amendments of information and requests for the transfer of data;
e) assist the Controller in ensuring compliance with its security, data breach notification, impact assessment and consultation obligations in relation to articles 32-36 (inclusive) of the UK GDPR, taking into account the nature of processing and information available to the data processor. This assistance will include the following obligations; security of processing (article 32), data breach notification to supervisory authorities and data subjects (articles 23 and 34), Data Protection Impact Assessments (article 35) and Prior Consultation (article 36).
f) at the Controller’s election, or at the expiration of the ‘automatic deletion period’ (whichever is sooner), the Processor will Securely Delete or return (as required by the Controller) to the Controller that personal data (and existing copies) relevant to the deletion period or request, (unless Data Protection Legislation requires the data processor to store that personal data);
g) make available to the Controller all information necessary, and allow for and contribute to audits and inspections conducted by the Controller or the Controller’s mandated auditor, to demonstrate the data processor’s compliance with its obligations under this agreement and article 28 of the UK GDPR;
h) immediately inform the Controller if, in the data processor’s opinion, any instruction given by the Controller to the data processor is incompatible with current Data Protection Legislation;
i) maintain a written record of all processing activities under its responsibility and of all categories of processing activities carried out on behalf of the Controller, that satisfies the requirements of the Data Protection Legislation;
j) cooperate on request with the Information Commissioner’s Office (ICO) - the supervisory authority;
k) notify the Controller after becoming aware of a breach of any personal data supplied by the Controller or any personal data created, analysed, or processed on behalf of the Controller. Notification of breaches must be made to the Controller without undue delay, and in no event later than 48 hours after becoming reasonably aware of the breach.
l) and notify the Controller immediately if it is asked to do something infringing the UK GDPR or other data protection law of the EU or a member state;
m) take any further action and execute any further documents and amendments to this Contract as may, in the Controller’s reasonable opinion, be required to comply with current Data Protection Legislation;
n) only process personal data in accordance with the Controller’s documented instructions consistent with and in the scope of this Contract (unless required to do so by applicable law, in which case the data processor shall inform the Controller of that legal requirement before processing unless prohibited by law on important grounds of public interest);
m) only engage another processor to carry out specific processing activities with prior specific or general written authorisation of the Purchaser, and only where that other processor is subject to a written contract imposing on that other processor the same data protection obligations as are imposed on the data processor in this Contract;
o) not process or transfer personal data outside the European Economic Area or, in any way, outside the protections of the UK GDPR (including transfers to international organisations), except with the express prior written consent of the Controller. Any application for such a transfer will be accompanied by details of the Processor’s plans for the transfer to comply with Chapter V of the UK GDPR including the lawful basis for transfer and protective mechanism to be engaged.
p) nothing within this Contract relieves the processor of its own direct responsibilities and liabilities under the UK GDPR.
q) The Processor shall cooperate with any remediation that the Controller, in its discretion, determines necessary to address any reporting requirements under Data protection legislation or mitigate any effects, or potential effects, arising from any breach of personal data caused by the Processor, or any of its sub-processors,
r) Must only act on the documented instructions of the Controller; those being the instructions given in this document (including schedules).
Appears in 1 contract
Sources: Data Processing Agreement
Data Processor Obligations. The Contractor shall (and shall ensure that its Contract Workers and agents shall):
a) implement and maintain appropriate technical and organisational measures and safeguards for protection of personal data, to ensure the rights of data subjects are protected and to ensure that processing will meet the requirements of the General Data Protection Regulation;
b) ensure that all employees and subcontractors authorised to process personal data are subject to binding confidentiality obligations in respect of that personal data;
c) assist the Purchaser, using appropriate technical and organisational measures, to respond to requests from data subjects including requests for information, requests for deletion and amendments of information and requests for the transfer of data;
d) assist the Purchaser in ensuring compliance with its security, data breach notification, impact assessment and consultation obligations under Data Protection Legislation, taking into account the nature of processing and information available to the data processor;
e) at the Purchaser’s election, delete or return all personal data and existing copies to the Purchaser (unless Data Protection Legislation requires the data processor to store that personal data);
f) make available to the Purchaser all information necessary, and allow for and contribute to audits and inspections conducted by the Purchaser or the Purchaser’s mandated auditor, to demonstrate the data processor’s compliance with its obligations under this agreement;
g) immediately inform the Purchaser if, in the data processor’s opinion, any instruction given by the Purchaser to the data processor infringes Data Protection Legislation;
h) maintain a written record of all processing activities under its responsibility and of all categories of processing activities carried out on behalf of the Purchaser, that satisfies the requirements of the Data Protection Legislation;
i) cooperate on request with any relevant European Union or member state supervisory authority;
j) notify the Purchaser without undue delay after becoming aware of a breach of personal data and notify the Purchaser immediately if it is asked to do something infringing the GDPR or other data protection law of the EU or a member state;
k) take any further action and execute any further documents and amendments to this Contract as may, in the Purchaser’s reasonable opinion, be required to comply with Data Protection Legislation;
l) only process personal data in accordance with the Purchaser’s documented instructions consistent with and in the scope of this Contract (unless required to do so by applicable law, in which case the data processor shall inform the Purchaser of that legal requirement unless prohibited by law on important grounds of public interest);
m) only engage another processor to carry out specific processing activities with prior specific or general written authorisation of the Purchaser, and only where that other processor is subject to a written contract imposing on that other processor the same data protection obligations as are imposed on the data processor in this Contract;
n) not process or transfer personal data outside the European Economic Area except with the express prior written consent of the Purchaser; and
o) nothing within this Contract relieves the processor of its own direct responsibilities and liabilities under the GDPR. The Contractor agrees that the technical and organisational measures referred to in Clause 22.3(a) above shall ensure a level of security appropriate to the risk, taking into account:- the state of the art, the costs of implementation; the nature, scope, context and purposes of processing and risks of varying likelihood; and severity for the rights and freedoms of individuals. The Contractor agrees that the technical and organisational measures to be implemented by them and as referred to in Clause 22.3(a) above shall include, as appropriate:- pseudonymisation and encryption of personal data; the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and
Appears in 1 contract
Data Processor Obligations. The Supplier shall (and shall ensure that its Contract Workers and agents shall):
27.2.1 implement and maintain appropriate technical and organisational measures and safeguards for protection of personal data, to ensure the rights of data subjects are protected and to ensure that processing will meet the requirements of the General Data Protection Regulation;
27.2.2 ensure that all employees and subcontractors authorised to process personal data are subject to binding confidentiality obligations in respect of that personal data;
27.2.3 assist the Buyer, using appropriate technical and organisational measures, to respond to requests from data subjects including requests for information, requests for deletion and amendments of information and requests for the transfer of data;
27.2.4 assist the Buyer in ensuring compliance with its security, data breach notification, impact assessment and consultation obligations under Data Protection Legislation, taking into account the nature of processing and information available to the data processor;
27.2.5 at the Buyer’s election, delete or return all personal data and existing copies to the Buyer (unless Data Protection Legislation requires the data processor to store that personal data);
27.2.6 make available to the Buyer all information necessary, and allow for and contribute to audits and inspections conducted by the Buyer or the Buyer’s mandated auditor, to demonstrate the data processor’s compliance with its obligations under this agreement;
27.2.7 immediately inform the Buyer if, in the data processor’s opinion, any instruction given by the Buyer to the data processor infringes Data Protection Legislation;
27.2.8 maintain a written record of all processing activities under its responsibility and of all categories of processing activities carried out on behalf of the Buyer, that satisfies the requirements of the Data Protection Legislation;
27.2.9 cooperate on request with any relevant European Union or member state supervisory authority;
27.2.10 notify the Buyer without undue delay after becoming aware of a breach of personal data and notify the Buyer immediately if it is asked to do something infringing the GDPR or other data protection law of the EU or a member state;
27.2.11 take any further action and execute any further documents and amendments to this Contract as may, in the Buyer’s reasonable opinion, be required to comply with Data Protection Legislation;
27.2.12 only process personal data in accordance with the Buyer’s documented instructions consistent with and in the scope of this Contract (unless required to do so by applicable law, in which case the data processor shall inform the Buyer of that legal requirement unless prohibited by law on important grounds of public interest);
27.2.13 only engage another processor to carry out specific processing activities with prior specific or general written authorisation of the Buyer, and only where that other processor is subject to a written contract imposing on that other processor the same data protection obligations as are imposed on the data processor in this Contract;
27.2.14 not process or transfer personal data outside the European Economic Area except with the express prior written consent of the Buyer; and
27.2.15 nothing within this Contract relieves the processor of its own direct responsibilities and liabilities under the GDPR.
Appears in 1 contract
Sources: Terms and Conditions of Purchase
Data Processor Obligations. 3.1 The Contractor Supplier shall (and shall ensure that comply with its Contract Workers and agents shall):
a) implement and maintain appropriate technical and organisational measures and safeguards for protection of personal data, to ensure the rights of data subjects are protected and to ensure that processing will meet the requirements of the General obligations as processor under Applicable Data Protection Regulation;Law and the Supplier acknowledges that nothing in this DPA relieves it from its responsibilities and liabilities under Applicable Data Protection Law.
b) ensure that all employees and subcontractors authorised 3.2 The Supplier shall only process personal data as Sky’s processor in accordance with Sky’s lawful Instructions, except where required to process personal data are subject to binding confidentiality obligations comply with EU, EU Member State, or UK Law to which the Supplier is subject, in respect which case it shall notify Sky of the relevant legal requirement before processing unless it is legally prohibited from doing so. The Supplier will notify Sky immediately in the event it reasonably believes any Instruction given by Sky is contrary to Applicable Data Protection Law. The parties agree that this Agreement is comprised of Sky’s main set of Instructions and the Supplier acknowledges that Sky may issue supplemental Instructions in relation to personal data;
c) assist data the PurchaserSupplier processes as Sky’s processor, using appropriate technical and organisational measures, to respond to requests from data subjects including requests for information, requests for deletion and amendments of information and requests for the transfer of data;Supplier to:
d) assist the Purchaser in ensuring compliance with 3.2.1 provide at its security, data breach notification, impact assessment and consultation obligations under Data Protection Legislationcost reasonable assistance to Sky, taking into account the nature of processing and the information available to the Supplier, so that Sky is able to:
(A) access all documents (in full or only in so far as they relate to personal data processed by the Supplier as Sky’s processor) which the Supplier is required to maintain under Applicable Data Protection Law (if any) about such personal data processing;
e(B) at discuss with the PurchaserSupplier’s electiondata protection officer (if appointed) the Supplier’s processing of personal data;
(C) manage and respond to the exercise by any data subject of any of the rights afforded to data subjects under Applicable Data Protection Law;
(D) manage and respond to any notices or questions addressed to ▇▇▇ from the supervisory authority concerned;
(E) evaluate the technical and organisational measures the Supplier is required to implement under clauses 3.3, delete or return all 3.4 and 3.5;
(F) manage, mitigate and resolve any personal data breach, including the preparation and existing copies filing of any notification of any personal data breach to the Purchaser (unless Data Protection Legislation requires the supervisory authority concerned or relevant data processor to store that personal datasubject(s);
f(G) make available carry out data protection impact assessments (at Sky’s discretion) and prior consultations with the supervisory authority concerned (where required under Applicable Data Protection Law) in relation to the Purchaser all information necessary, and personal data the Supplier processes as Sky’s processor; and
(H) demonstrate its compliance with its obligations under Applicable Data Protection Law; and
3.2.2 allow for and contribute reasonably collaborate with (both at the Supplier’s cost) Sky, an auditor mandated by Sky and/or the supervisory authority concerned carrying out desk-based audits, on-site audits and/or inspections of the Supplier, any of its sub-processors and/or any of the facilities and IT systems used to audits and inspections conducted by process personal data on Sky’s behalf from time to time (including before such processing commences) to verify the Purchaser or the Purchaser’s mandated auditor, to demonstrate the data processorSupplier’s compliance with its obligations under this agreementDPA and Applicable Data Protection Law.
3.3 The Supplier shall:
3.3.1 subject to clause 4, keep the personal data it processes as Sky’s processor strictly confidential;
g) immediately inform 3.3.2 ensure that its personnel are bound by appropriate, written and enforceable confidentiality obligations concerning the Purchaser if, in the data processor’s opinion, any instruction given by the Purchaser to the data processor infringes Data Protection Legislation;
h) maintain a written record of all processing activities under its responsibility and of all categories of processing activities carried out on behalf of the Purchaser, that satisfies the requirements of the Data Protection Legislation;
i) cooperate on request with any relevant European Union or member state supervisory authority;
j) notify the Purchaser without undue delay after becoming aware of a breach of personal data and notify that they process such personal data only in accordance with Sky’s Instructions;
3.3.3 subject to clause 4, not allow any third-party access to the Purchaser immediately if it is asked personal data or otherwise transfer the personal data to do something infringing any third party; and
3.3.4 subject to clauses 4-5, not transfer the GDPR or other personal data protection law outside of the EU UK or EEA.
3.4 For the duration the Supplier acts as Sky’s processor under this Agreement, the Supplier shall:
3.4.1 implement and document appropriate technical and organisational measures to ensure a member statelevel of security appropriate to the risk to the rights and freedoms of the data subjects presented by the Supplier processing personal data as Sky’s processor, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of such processing as well as the varying likelihood and severity of such risk, including measures to:
(A) guard against unauthorised or unlawful processing and personal data breaches;
k(B) take any further action as appropriate, apply pseudonymisation and execute any further documents and amendments encryption to this Contract as may, in the Purchaser’s reasonable opinion, be required to comply with Data Protection Legislationpersonal data;
l(C) only process ensure the ongoing confidentiality, integrity, availability and resilience of the Supplier’s and any sub-processor’s processing systems and services;
(D) restore the availability and access to personal data in accordance a timely manner in the event of a physical or technical incident; and
(E) regularly test, assess and evaluate the effectiveness of such technical and organisational measures;
3.4.2 without prejudice to the generality of clause 3.4.1, comply with the PurchaserSky Supplier Security Standard; and
3.4.3 annually certify its compliance with clauses 3.4.1 and 3.4.2 to Sky in writing.
3.5 For the duration the Supplier acts as Sky’s documented instructions consistent with processor under this Agreement, the Supplier shall implement and document appropriate technical and organisational measures in relation to the scope personal data it processes as Sky’s processor to ensure that it is able to promptly:
3.5.1 provide to Sky any such personal data in a commonly used electronic format, implement the restriction of this Contract (unless required processing of any such personal data, delete any such personal data and/or modify any such personal data if it receives an Instruction to do so by applicable law, in which case the data processor shall inform the Purchaser of that legal requirement unless prohibited by law on important grounds of public interest);
m) only engage another processor to carry out specific processing activities with prior specific or general written authorisation of the Purchaser, and only where that other processor is subject to a written contract imposing on that other processor the same data protection obligations as are imposed on the data processor in this Contract;
n) not process or transfer personal data outside the European Economic Area except with the express prior written consent of the PurchaserSky; and
o3.5.2 identify any data subject requests to exercise any of the rights afforded to data subjects under Applicable Data Protection Law in relation to such personal data.
3.6 The Supplier shall notify Sky:
3.6.1 promptly if it receives any notice, request, query, consultation or complaint from the supervisory authority concerned or any data subject relating to the personal data the Supplier (or any sub-processor) nothing within this Contract relieves processes as Sky’s data (sub)processor (including the processor of its own direct responsibilities and liabilities under the GDPR.requests and/or notices referred to in clause
Appears in 1 contract
Sources: Terms and Conditions for the Purchase of Goods, Licences and Services