Common use of Data Protection Act Clause in Contracts

Data Protection Act. 32.1 The SERVICE PROVIDER shall (and shall procure that its entire Staff) comply with any notification requirements under the DPA and both Parties will duly observe all their obligations under the DPA which arise in connection with the Contract. 32.2 Notwithstanding the general obligation in Clause 6.1.1, where the SERVICE PROVIDER is processing personal data (as defined by the DPA) as a data processor for the CLIENT (as defined by the DPA) the SERVICE PROVIDER shall ensure that it has in place appropriate technical and organisational measures to ensure the security of the personal data (and to guard against unauthorised or unlawful processing of the personal data and against accidental loss or destruction of, or damage to, the personal data), as required under the Seventh Data Protection Principle in Schedule 1 to the DPA; and 32.2.1 provide the CLIENT with such information as the CLIENT may reasonably request to satisfy itself that the SERVICE PROVIDER is complying with its obligations under the DPA; 32.2.2 promptly notify the CLIENT of any breach of the security measures to be put in place pursuant to this Clause; and 32.2.3 ensure that it does not knowingly or negligently do or omit to do anything which places the CLIENT in breach of its obligations under the DPA. 32.2.4 The provisions of this Clause shall apply during the Contract Period and indefinitely after the expiry of the Contract Period. 32.3 Official Secrets Acts 1911 to 1989, Section 182 of the Finance Act 1989 32.4 The SERVICE PROVIDER shall comply with and shall ensure that its Staff comply with, the provisions of:- 32.4.1 the Official Secrets Acts 1911 to 1989; and 32.4.2 Section 182 of the Finance Act 1989. 32.5 In the event that the SERVICE PROVIDER or its Staff fail to comply with this Clause, the CLIENT reserves the right to terminate the Contract by giving notice in writing to the SERVICE PROVIDER.

Data Protection Act. 32.1 7.1 The SERVICE PROVIDER Parties acknowledge that for the purposes of the Data Protection Legislation, the Customer is the Controller and the Contractor is the Processor unless otherwise specified in Schedule 4. The only processing that the Processor is authorised to do is listed in Schedule 4 by the Controller and may not be determined by the Processor. 7.2 The Processor shall notify the Controller immediately if it considers that any of the Controller's instructions infringe the Data Protection Legislation. 7.3 The Processor shall provide all reasonable assistance to the Controller in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Controller, include: (a) a systematic description of the envisaged processing operations and shall procure that its entire Staffthe purpose of the processing; (b) comply with an assessment of the necessity and proportionality of the processing operations in relation to the Services; (c) an assessment of the risks to the rights and freedoms of Data Subjects; and (d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. 7.4 The Processor shall, in relation to any notification requirements under the DPA and both Parties will duly observe all their obligations under the DPA which arise Personal Data processed in connection with its obligations under this Contract: (a) process that Personal Data only in accordance with Schedule 4, unless the Contract.Processor is required to do otherwise by Law. If it is so required the Processor shall promptly notify the Controller before processing the Personal Data unless prohibited by Law; 32.2 Notwithstanding the general obligation in Clause 6.1.1, where the SERVICE PROVIDER is processing personal data (as defined by the DPAb) as a data processor for the CLIENT (as defined by the DPA) the SERVICE PROVIDER shall ensure that it has in place Protective Measures, which are appropriate technical to protect against a Data Loss Event, which the Controller may reasonably reject (but failure to reject shall not amount to approval by the Controller of the adequacy of the Protective Measures), having taken account of the: (i) nature of the data to be protected; (ii) harm that might result from a Data Loss Event; (iii) state of technological development; and (iv) cost of implementing any measures; (c) ensure that: (i) the Processor Personnel do not process Personal Data except in accordance with this Contract (and organisational measures in particular Schedule 4); (ii) it takes all reasonable steps to ensure the security reliability and integrity of any Processor Personnel who have access to the Personal Data and ensure that they: (A) are aware of and comply with the Processor’s duties under this clause; (B) are subject to appropriate confidentiality undertakings with the Processor or any Sub-processor; (C) are informed of the personal data (and to guard against unauthorised or unlawful processing confidential nature of the personal data Personal Data and against accidental loss do not publish, disclose or destruction of, divulge any of the Personal Data to any third Party unless directed in writing to do so by the Controller or damage to, the personal data), as required under the Seventh Data Protection Principle in Schedule 1 to the DPAotherwise permitted by this Contract; and 32.2.1 provide (D) have undergone adequate training in the CLIENT use, care, protection and handling of Personal Data; and (d) not transfer Personal Data outside of the EU unless the prior written consent of the Controller has been obtained and the following conditions are fulfilled: (i) the Controller or the Processor has provided appropriate safeguards in relation to the transfer (whether in accordance with such information GDPR Article 46 or LED Article 37) as determined by the CLIENT may reasonably request to satisfy itself that Controller; (ii) the SERVICE PROVIDER is complying Data Subject has enforceable rights and effective legal remedies; (iii) the Processor complies with its obligations under the DPA; 32.2.2 promptly notify Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the CLIENT of any breach of the security measures to be put Controller in place pursuant to this Clausemeeting its obligations); and 32.2.3 (iv) the Processor complies with any reasonable instructions notified to it in advance by the Controller with respect to the processing of the Personal Data; (e) at the written direction of the Controller, delete or return Personal Data (and any copies of it) to the Controller on termination of the Contract unless the Processor is required by Law to retain the Personal Data. 7.5 Subject to clause 7.6, the Processor shall notify the Controller immediately if it: (a) receives a Data Subject Access Request (or purported Data Subject Access Request); (b) receives a request to rectify, block or erase any Personal Data; (c) receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation; (d) receives any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data processed under this Contract; (e) receives a request from any third Party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or (f) becomes aware of a Data Loss Event. 7.6 The Processor’s obligation to notify under clause 7.5 shall include the provision of further information to the Controller in phases, as details become available. 7.7 Taking into account the nature of the processing, the Processor shall provide the Controller with full assistance in relation to either Party's obligations under Data Protection Legislation and any complaint, communication or request made under clause 7.5 (and insofar as possible within the timescales reasonably required by the Controller) including by promptly providing: (a) the Controller with full details and copies of the complaint, communication or request; (b) such assistance as is reasonably requested by the Controller to enable the Controller to comply with a Data Subject Access Request within the relevant timescales set out in the Data Protection Legislation; (c) the Controller, at its request, with any Personal Data it holds in relation to a Data Subject; (d) assistance as requested by the Controller following any Data Loss Event; (e) assistance as requested by the Controller with respect to any request from the Information Commissioner’s Office, or any consultation by the Controller with the Information Commissioner's Office. 7.8 The Processor shall maintain complete and accurate records and information to demonstrate its compliance with this clause. This requirement does not apply where the Processor employs fewer than 250 staff, unless: (a) the Controller determines that the processing is not occasional; (b) the Controller determines the processing includes special categories of data as referred to in Article 9(1) of the GDPR or Personal Data relating to criminal convictions and offences referred to in Article 10 of the GDPR; and (c) the Controller determines that the processing is likely to result in a risk to the rights and freedoms of Data Subjects. 7.9 The Processor shall allow for audits of its Data Processing activity by the Controller or the Controller’s designated auditor. 7.10 Each party shall designate a data protection officer if required by the Data Protection Legislation. 7.11 Before allowing any Sub-processor to process any Personal Data related to this Contract, the Processor must: (a) notify the Controller in writing of the intended Sub-processor and processing; (b) obtain the written consent of the Controller; (c) enter into a written agreement with the Sub-processor which give effect to the terms set out in this clause such that they apply to the Sub-processor; and (d) provide the Controller with such information regarding the Sub- processor as the Controller may reasonably require. 7.12 The Processor shall remain fully liable for all acts or omissions of any Sub-processor. 7.13 The Controller may, at any time on not less than 30 Working Days’ notice, revise this clause by replacing it with any applicable controller to processor standard clauses or similar terms forming part of an applicable certification scheme (which shall apply when incorporated by attachment to this Contract). 7.14 The Parties agree to take account of any guidance issued by the Information Commissioner’s Office. The Controller may on not less than 30 Working Days’ notice to the Processor amend this Contract to ensure that it does not knowingly or negligently do or omit to do anything which places complies with any guidance issued by the CLIENT in breach of its obligations under the DPAInformation Commissioner’s Office. 32.2.4 The provisions 7.15 Where the Parties include two or more Joint Controllers as identified in Schedule 4 in accordance with GDPR Article 26, those Parties shall enter into a Joint Controller Agreement based on the terms outlined in Schedule 4 in replacement of this Clause shall apply during Clauses 7.1-7.14 for the Contract Period and indefinitely after the expiry of the Contract PeriodPersonal Data under Joint Control. 32.3 Official Secrets Acts 1911 to 1989, Section 182 of the Finance Act 1989 32.4 The SERVICE PROVIDER shall comply with and shall ensure that its Staff comply with, the provisions of:- 32.4.1 the Official Secrets Acts 1911 to 1989; and 32.4.2 Section 182 of the Finance Act 1989. 32.5 In the event that the SERVICE PROVIDER or its Staff fail to comply with this Clause, the CLIENT reserves the right to terminate the Contract by giving notice in writing to the SERVICE PROVIDER.

Data Protection Act. 32.1 The SERVICE PROVIDER shall (and shall procure that its entire Staff) comply with any notification requirements under the DPA and both Parties will duly observe all their obligations under the DPA which arise in connection with the Contract. 32.2 . Notwithstanding the general obligation in Clause 6.1.1, where the SERVICE PROVIDER is processing personal data (as defined by the DPA) as a data processor for the CLIENT (as defined by the DPA) the SERVICE PROVIDER shall ensure that it has in place appropriate technical and organisational measures to ensure the security of the personal data (and to guard against unauthorised or unlawful processing of the personal data and against accidental loss or destruction of, or damage to, the personal data), as required under the Seventh Data Protection Principle in Schedule 1 to the DPA; and 32.2.1 and provide the CLIENT with such information as the CLIENT may reasonably request to satisfy itself that the SERVICE PROVIDER is complying with its obligations under the DPA; 32.2.2 ; promptly notify the CLIENT of any breach of the security measures to be put in place pursuant to this Clause; and 32.2.3 and ensure that it does not knowingly or negligently do or omit to do anything which places the CLIENT in breach of its obligations under the DPA. 32.2.4 . The provisions of this Clause shall apply during the Contract Period and indefinitely after the expiry of the Contract Period. 32.3 . Official Secrets Acts 1911 to 1989, Section 182 of the Finance Act 1989 32.4 1989 The SERVICE PROVIDER shall comply with and shall ensure that its Staff comply with, the provisions of:- 32.4.1 of:- the Official Secrets Acts 1911 to 1989; and 32.4.2 and Section 182 of the Finance Act 1989. 32.5 . In the event that the SERVICE PROVIDER or its Staff fail to comply with this Clause, the CLIENT reserves the right to terminate the Contract by giving notice in writing to the SERVICE PROVIDER.

Data Protection Act. 32.1 The SERVICE PROVIDER shall (and shall procure that its entire Staff) comply with any notification requirements under the DPA and both Parties will duly observe all their obligations under the DPA which arise in connection with the Contract. 32.2 . Notwithstanding the general obligation in Clause 6.1.1, where the SERVICE PROVIDER is processing personal data (as defined by the DPA) as a data processor for the CLIENT (as defined by the DPA) the SERVICE PROVIDER shall ensure that it has in place appropriate technical and organisational measures to ensure the security of the personal data (and to guard against unauthorised or unlawful processing of the personal data and against accidental loss or destruction of, or damage to, the personal data), as required under the Seventh Data Protection Principle in Schedule 1 to the DPA; and 32.2.1 and provide the CLIENT with such information as the CLIENT may reasonably request to satisfy itself that the SERVICE PROVIDER is complying with its obligations under the DPA; 32.2.2 ; promptly notify the CLIENT of any breach of the security measures to be put in place pursuant to this Clause; and 32.2.3 and ensure that it does not knowingly or negligently do or omit to do anything which places the CLIENT in breach of its obligations under the DPA. 32.2.4 . The provisions of this Clause shall apply during the Contract Period and indefinitely after the expiry of the Contract Period. 32.3 . Official Secrets Acts 1911 to 1989, Section 182 of the Finance Act 1989 32.4 ▇▇▇ ▇▇▇▇ The SERVICE PROVIDER shall comply with and shall ensure that its Staff comply with, the provisions of:- 32.4.1 of:- the Official Secrets Acts 1911 to 1989; and 32.4.2 and Section 182 of the Finance Act 1989. 32.5 ▇▇▇ ▇▇▇▇. In the event that the SERVICE PROVIDER or its Staff fail to comply with this Clause, the CLIENT reserves the right to terminate the Contract by giving notice in writing to the SERVICE PROVIDER.

Data Protection Act. 32.1 The SERVICE PROVIDER shall (14.1 For the purposes of this clause, the terms “Data Controller”, “Data Processor”, “Data Subject”, “Personal Data” and shall procure that its entire Staff“Processing” have the meanings given in section 1(1) comply of the Data Protection Act 1998. 14.2 Where the Contractor Processes Personal Data as a Data Processor for the Authority the Contractor must: 14.2.1 enter into a data processing agreement in the form set out in Schedule 9 annexed hereto, and process the Personal Data in accordance with any notification requirements under instructions as may be given by the DPA Authority (which may be specific or of a general nature); 14.2.2 process the Personal Data only to the extent, and both Parties will duly observe all their in such manner as is necessary for the performance of the Contractor’s obligations under the DPA which arise in connection with the Contract. 32.2 Notwithstanding the general obligation in Clause 6.1.1, where the SERVICE PROVIDER Framework Agreementor as is processing personal data (as defined required by the DPA) as a data processor for the CLIENT (as defined by the DPA) the SERVICE PROVIDER shall ensure that it has in place law; 14.2.3 implement appropriate technical and organisational measures to ensure the security of the personal data (and to guard protect Personal Data against unauthorised or unlawful processing of the personal data Processing and against accidental loss loss, destruction, damage, alteration or disclosure, such measures being appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction of, or damage to, the personal data), as required under the Seventh Data Protection Principle in Schedule 1 to the DPAPersonal Data and having regard to the nature of the Personal Data which is to be protected; 14.2.4 obtain approval before transferring the Personal Data to any sub-contractor; 14.2.5 not cause or permit the Personal Data to be transferred outside of the European Economic Area without approval; 14.2.6 ensure that all Contractor Representatives accessing the Personal Data are aware of and comply with the obligations set out in this clause; and 32.2.1 provide 14.2.7 not disclose or divulge any of the CLIENT with such information as Personal Data to any third parties unless directed in writing to do so by the CLIENT may reasonably Authority. 14.3 The Contractor must notify the Authority promptly, and in any event within 5 Working Days, if it receives: 14.3.1 a request from a Data Subject to satisfy itself that have access to their Personal Data; 14.3.2 a complaint or request relating to the SERVICE PROVIDER is complying with its Authority’s obligations under the DPA;Data Protection Act 1998. 32.2.2 promptly notify 14.4 Where the CLIENT of any breach Contractor is collecting data the Contractor must comply with all the fair processing provisions under the Data Protection Act 1998, including notification to Data Subjects that the information may be shared with the Authority. 14.5 To comply with section 31(3) of the security measures to Public Services Reform (Scotland) Act 2010, the Authority publishes an annual statement of all payments over £25,000. In addition, in line with openness and transparency, the Scottish Government publishes a monthly report of all payments over £25,000. The Contractor should note that where a payment is made in excess of £25,000 there will be put disclosure (in place pursuant to this Clause; and 32.2.3 ensure that it does not knowingly or negligently do or omit to do anything which places the CLIENT in breach of its obligations under the DPA. 32.2.4 The provisions of this Clause shall apply during the Contract Period and indefinitely after the expiry form of the Contract Period. 32.3 Official Secrets Acts 1911 to 1989, Section 182 name of the Finance Act 1989 32.4 The SERVICE PROVIDER shall comply with and shall ensure that its Staff comply withpayee, the provisions of:- 32.4.1 the Official Secrets Acts 1911 to 1989; and 32.4.2 Section 182 date of the Finance Act 1989. 32.5 In the event that the SERVICE PROVIDER or its Staff fail to comply with this Clausepayment, the CLIENT reserves subject matter and the right to terminate amount of payment) in both the Contract by giving notice in writing to monthly report and the SERVICE PROVIDERannual Public Services Reform (Scotland) Act 2010 statement.

Data Protection Act. 32.1 30.1 The SERVICE PROVIDER shall Service Provider’s attention is hereby drawn to the Data Protection ▇▇▇ ▇▇▇▇ (“the Act”) 30.2 The Service Provider undertakes to comply in all respects with the provisions of the Act and any equivalent or associated Legislation in relation to all Personal Data or Confidential Information collected, generated and/or processed by the Service Provider in the provision of the Services and shall procure not do anything or permit anything to be done which might lead to a breach of that its entire StaffAct or the equivalent or associated Legislation. 30.3 Without prejudice to the foregoing, the Service Provider undertakes:- (a) comply It will only obtain, hold, process, use, store and disclose Personal Data and Confidential Information as is necessary to perform the Services and Service Provider’s obligations under this Contract and for compliance with any notification requirements under the DPA and both Parties will duly observe all their obligations under the DPA which arise in connection with the Contract.legal or regulatory obligation(s); 32.2 Notwithstanding the general obligation in Clause 6.1.1, where the SERVICE PROVIDER is processing personal data (as defined by the DPAb) as a data processor for the CLIENT (as defined by the DPA) the SERVICE PROVIDER shall ensure that it has To have in place appropriate technical and organisational measures to ensure the security of the personal data Personal Data and Confidential Information (and to guard against unauthorised or disclosure to any third party, unlawful processing of the personal data such Personal Data or Confidential Information and against accidental loss or destruction of, or damage to, personal data or information); (c) To notify the personal data)Purchaser immediately on becoming aware that any Personal Data or Confidential Information has been lost or damaged; (d) Not to delete, as required under destroy or remove any of the Seventh Data Protection Principle in Schedule 1 to data without the DPA; andprior written consent of the Purchaser; 32.2.1 (e) To provide the CLIENT Purchaser with such information as the CLIENT may is reasonably request required to satisfy itself ensure that the SERVICE PROVIDER Service Provider is complying with its obligations under the DPA;Act; and/or 32.2.2 promptly notify the CLIENT of any breach of the security measures to be put in place pursuant to this Clause; and 32.2.3 (f) To ensure that it does not nothing, knowingly or negligently do or omit to do anything negligently, which places may place the CLIENT Purchaser in breach of its obligations under the DPAAct. 32.2.4 30.4 Nothing in Clauses 6, 7, or 36 of this Schedule shall oblige the Service Provider to provide information to the Purchaser where to do so would constitute a breach of the Service Provider's obligations under the Data Protection ▇▇▇ ▇▇▇▇, provided that the Service Provider shall use all reasonable endeavours to comply with its obligations under such Clauses. 30.5 The provisions of this Clause shall apply during the continuance of the Contract Period and indefinitely after the its expiry of the Contract Periodor termination. 32.3 Official Secrets Acts 1911 to 1989, Section 182 of the Finance Act 1989 32.4 The SERVICE PROVIDER shall comply with and shall ensure that its Staff comply with, the provisions of:- 32.4.1 the Official Secrets Acts 1911 to 1989; and 32.4.2 Section 182 of the Finance Act 1989. 32.5 In the event that the SERVICE PROVIDER or its Staff fail to comply with this Clause, the CLIENT reserves the right to terminate the Contract by giving notice in writing to the SERVICE PROVIDER.

Data Protection Act. 32.1 Information Governance – General Responsibilities 28.1 Clause 28 is to be read in conjunction with Schedule 11 and Schedule 11 – Annex 1. 28.2 For the purposes of this Clause 28, the terms “Data Controller”, “Data Processor”, “Data Subject”, “Personal Data”, “Process” and “Processing shall have the meaning prescribed under the DPA. 28.3 With respect to the Parties' rights and obligations under this Contract, the Parties agree that the Council is the Data Controller and that the Provider is the Data Processor. 28.4 The SERVICE PROVIDER Parties acknowledge their respective obligations arising under the DPA and must assist each other as necessary to enable each other to comply with these obligations. 28.5 The Provider undertakes to: 28.5.1 Treat as confidential all Personal Data which may be derived from or be obtained in the course of the Contract or which may come into the possession of the Provider or an employee, servant or agent or Sub- Contractor of the Provider as a result or in connection with the contract; and; 28.5.2 Provide all necessary precautions to ensure that all such information is treated as confidential by the Provider, his employees, servants, agents or Sub-Contractors; and 28.5.3 Ensure that he, his employees, servants, agents and Sub-Contractors are aware of the provisions of the DPA and that any personal information obtained from the Council shall not be disclosed or used in any unlawful manner; and 28.5.4 Indemnify the Council against any loss arising under the DPA caused by any action, authorised or unauthorised, taken by himself, his employees, servants, agents or Sub-Contractors 28.5.5 Nominate a data protection lead to be responsible for data protection and for providing the Council with regular reports on information security matters, including details of all incidents of data loss and breach of confidence; 28.5.6 Have in place adequate mechanisms to ensure that Sub-Contractors, agents and subsidiaries to whom personal information is disclosed comply with their contractual obligations to keep personal data and information secure and confidential in accordance with data protection requirements; 28.5.7 Ensure that the Council is kept informed at all times of the identities of the data protection lead. 28.6 The Provider as a Data Processor 28.7 The Provider shall (and shall procure ensure that all of its entire Staff) comply with any notification requirements under the DPA and both Parties will duly observe all their obligations under the DPA which arise in connection with the Contract. 32.2 28.8 Notwithstanding the general obligation in Clause 6.1.128.3, where the SERVICE PROVIDER Provider is processing personal data Personal Data as a Data Processor for the Council the Provider shall: 28.8.1 Process the Personal Data only in accordance with instructions from the Council (which may be specific instructions or instructions of a general nature) as defined set out in this Contract or as otherwise notified by the DPA) Contracting Authority; 28.8.2 Comply with all applicable Laws; 28.8.3 Process the Personal Data only to the extent; and in such manner as a data processor is necessary for the CLIENT (provision of the Provider’s obligations under this Contract or as defined is required by the DPA) the SERVICE PROVIDER shall ensure that it has in place Law or any Regulatory Body; 28.8.4 Implement appropriate technical and organisational measures to ensure protect the Personal Data against unauthorised or unlawful Processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected; 28.8.5 must be able to demonstrate that employees, servants, or agents associated with the performance of this contract are aware of their personal responsibilities under the DPA to maintain the security of the personal data (Personal Data controlled by the Council; 28.8.6 take reasonable steps to ensure the reliability of its Staff and agents who may have access to guard against unauthorised or unlawful processing the Personal Data; 28.8.7 obtain prior written consent from the Contracting Authority in order to transfer the Personal Data to any Sub-Contractor for the provision of the personal Services; 28.8.8 Personal Data must not be copied for any other purpose than that agreed between the Provider and the Council. 28.8.9 Personal data and against accidental loss or destruction ofshall be returned to the Council at the end of the contract, or damage toon completion of works or when requested by the Council. 28.8.10 The Council is required to comply with Her Majesty’s Government information security standards for the secure destruction of data processed on its behalf. The Provider must provide certificated evidence of secure destruction to the required standards when equipment is decommissioned or retired or at the end of the Contract. 28.9 The Provider shall permit the Council or the Council 's representative (subject to reasonable and appropriate confidentiality requirements ), to inspect and audit, in accordance with Clause 34 (Audit), the personal data)Provider’s data Processing activities (and/or those of its agents, as required subsidiaries and Sub-Contractors) and comply with all reasonable requests or directions by the Council to enable the Council to verify and/or procure that the Provider is in full compliance with its obligations under this Contract; 28.9.1 not Process, cause or permit the Personal Data to be transferred outside of the European Economic Area without the prior consent of the Council and, where the Council consents to the transfer, to comply with; (a) the obligations of a Data Controller under the Seventh Eighth Data Protection Principle set out in Schedule 1 of the DPA by providing an adequate level of protection to the DPAany Personal Data that is transferred; and 32.2.1 provide (b) any reasonable instructions notified to it by the CLIENT Council; 28.9.2 ensure that all Staff and agents required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with such information as the CLIENT may reasonably obligations set out in this Clause 28; 28.9.3 ensure that none of the Staff and agents publish disclose or divulge any of the Personal Data to any third parties unless directed in writing to do so by the Council; 28.9.4 not disclose Personal Data to any third parties in any circumstances other than with the written consent of the Council or in compliance with a legal obligation imposed upon the Council; and 28.10 notify the Council (within five Working Days) if it receives: 28.10.1 a request from a Data Subject to satisfy itself have access to that person’s Personal Data; or 28.10.2 a complaint or request relating to the SERVICE PROVIDER is complying with its Council’s obligations under the DPA; 32.2.2 promptly notify 28.10.3 The Provider shall comply at all times with the CLIENT Data Protection Legislation and shall not perform its obligations under this Contract in such a way as to cause the Council to breach any of its applicable obligations under the Data Protection Legislation. 28.11 The Provider agrees to indemnify and keep indemnified and defend at its own expense the Council against all costs, claims, damages or expenses incurred by the Council or for which the Council may become liable due to any breach failure by the Provider or its employees or agents to comply with any of its obligations under this Contract. 28.12 Subject always to Clause 35 (Transfer and Sub-Contracting) if the Provider is to require any Sub-Contractor to process Personal Data on its behalf, the Provider must: 28.12.1 require that the Sub-Contractor provides sufficient guarantees in respect of its technical and organisational security measures governing the data processing to be carried out, and take reasonable steps to ensure compliance with those measures; 28.12.2 ensure that the Sub-Contractor is engaged under the terms of a written agreement requiring the Sub-Contractor to: (a) process such personal data only in accordance with the Provider 's instructions; (b) comply at all times with obligations equivalent to those imposed on the Provider by virtue of the security measures Seventh Data Protection Principle of the DPA; (c) allow rights of audit and inspection in respect of relevant data handling systems to be put in place pursuant the Provider or to this Clausethe Council or to any person authorised by the Provider or by the Council to act on its behalf; and 32.2.3 ensure that it does not knowingly or negligently do or omit to do anything which places (d) impose on its own Sub-Contractors (in the CLIENT in breach event the Sub- Contractor further Sub-Contracts any of its obligations under the DPASub-Contract) obligations that are substantially equivalent to the obligations imposed on the Sub-Contractor by this Clause 28. 32.2.4 28.13 The provisions provision of this Clause 28 shall apply during the Contract Period and indefinitely after the expiry of the Contract Periodits expiry. 32.3 Official Secrets Acts 1911 to 1989, Section 182 of the Finance Act 1989 32.4 The SERVICE PROVIDER shall comply with and shall ensure that its Staff comply with, the provisions of:- 32.4.1 the Official Secrets Acts 1911 to 1989; and 32.4.2 Section 182 of the Finance Act 1989. 32.5 In the event that the SERVICE PROVIDER or its Staff fail to comply with this Clause, the CLIENT reserves the right to terminate the Contract by giving notice in writing to the SERVICE PROVIDER.

Data Protection Act. 32.1 The SERVICE PROVIDER shall (and shall procure that its entire Staff) comply with any notification requirements under the DPA and both Parties will duly observe all their obligations under the DPA which arise in connection with the Contract. 32.2 Notwithstanding the general obligation in Clause 6.1.1, where the SERVICE PROVIDER is processing personal data (as defined by the DPA) as a data processor for the CLIENT (as defined by the DPA) the SERVICE PROVIDER shall ensure that it has in place appropriate technical and organisational measures to ensure the security of the personal data (and to guard against unauthorised or unlawful processing of the personal data and against accidental loss or destruction of, or damage to, the personal data), as required under the Seventh Data Protection Principle in Schedule 1 to the DPA; and 32.2.1 provide the CLIENT with such information as the CLIENT may reasonably request to satisfy itself that the SERVICE PROVIDER is complying with its obligations under the DPA; 32.2.2 promptly notify the CLIENT of any breach of the security measures to be put in place pursuant to this Clause; and 32.2.3 ensure that it does not knowingly or negligently do or omit to do anything which places the CLIENT in breach of its obligations under the DPA. 32.2.4 The provisions of this Clause shall apply during the Contract Period and indefinitely after the expiry of the Contract Period. 32.3 Official Secrets Acts 1911 to 1989, Section 182 of the Finance Act 1989▇▇▇ ▇▇▇▇ 32.4 The SERVICE PROVIDER shall comply with and shall ensure that its Staff comply with, the provisions of:- 32.4.1 the Official Secrets Acts 1911 to 1989; and 32.4.2 Section 182 of the Finance Act 1989▇▇▇ ▇▇▇▇. 32.5 In the event that the SERVICE PROVIDER or its Staff fail to comply with this Clause, the CLIENT reserves the right to terminate the Contract by giving notice in writing to the SERVICE PROVIDER.