Common use of DATA PROTECTION AND SECURITY Clause in Contracts

DATA PROTECTION AND SECURITY. The Supplier must not remove any ownership or security notices in or relating to the Government Data. The Supplier must make accessible back-ups of all Government Data, stored in an agreed off-site location and send the Buyer copies via secure encrypted method upon reasonable request. The Supplier must ensure that any Supplier, Subcontractor, or Subprocessor system holding any Government Data, including back-up data, is a secure system that complies with the security requirements specified in the Order Form or otherwise in writing by the Buyer (where any such requirements have been provided). If at any time the Supplier suspects or has reason to believe that the Government Data is corrupted, lost or sufficiently degraded, then the Supplier must immediately notify the Buyer and suggest remedial action. If the Government Data is corrupted, lost or sufficiently degraded so as to be unusable the Buyer may either or both: tell the Supplier to restore or get restored Government Data as soon as practical but no later than 5 Working Days from the date that the Buyer receives notice, or the Supplier finds out about the issue, whichever is earlier; and/or restore the Government Data itself or using a third party. The Supplier must pay each Party's reasonable costs of complying with clause 14.5 unless the Buyer is at fault. The Supplier: must provide the Buyer with all Government Data in an agreed format (provided it is secure and readable) within 10 Working Days of a written request; must have documented processes to guarantee prompt availability of Government Data if the Supplier stops trading; must securely destroy all storage media that has held Government Data at the end of life of that media using Good Industry Practice, other than in relation to Government Data which is owned or licenced by the Supplier or in respect of which the Parties are Independent Controllers or Joint Controllers; securely erase all Government Data and any copies it holds when asked to do so by the Buyer unless required by Law to retain it, other than in relation to Government Data which is owned or licenced by the Supplier or in respect of which the Parties are Independent Controllers or Joint Controllers; and indemnifies the Buyer against any and all losses incurred if the Supplier breaches clause 14 or any Data Protection Legislation. The Parties acknowledge that for the purposes of the Data Protection Legislation, the nature of the activity carried out by each of them in relation to their respective obligations under the Contract dictates the status of each party under the DPA 2018. A Party may act as:

DATA PROTECTION AND SECURITY. The Supplier must not remove any ownership or security notices in or relating to the Government Data. The Supplier must make accessible back-ups of all Government Data, stored in an agreed off-site location and send the Buyer copies via secure encrypted method upon reasonable request. The Supplier must ensure that any Supplier, Subcontractor, or Subprocessor system holding any Government Data, including back-up data, is a secure system that complies with the security requirements specified in the Order Form or otherwise in writing by the Buyer (where any such requirements have been provided). If at any time the Supplier suspects or has reason to believe that the Government Data is corrupted, lost or sufficiently degraded, then the Supplier must immediately notify the Buyer and suggest remedial action. If the Government Data is corrupted, lost or sufficiently degraded so as to be unusable the Buyer may either or both: 1 ▇▇▇▇▇://▇▇▇.▇▇▇.▇▇/government/publications/ppn-0223-tackling-modern-slavery-in-government-supply-chains tell the Supplier to restore or get restored Government Data as soon as practical but no later than 5 Working Days from the date that the Buyer receives notice, or the Supplier finds out about the issue, whichever is earlier; and/or restore the Government Data itself or using a third party. The Supplier must pay each Party's reasonable costs of complying with clause 14.5 0 unless the Buyer is at fault. The Supplier: must provide the Buyer with all Government Data in an agreed format (provided it is secure and readable) within 10 Working Days of a written request; must have documented processes to guarantee prompt availability of Government Data if the Supplier stops trading; must securely destroy all storage media that has held Government Data at the end of life of that media using Good Industry Practice, other than in relation to Government Data which is owned or licenced by the Supplier or in respect of which the Parties are Independent Controllers or Joint Controllers; securely erase all Government Data and any copies it holds when asked to do so by the Buyer unless required by Law to retain it, other than in relation to Government Data which is owned or licenced by the Supplier or in respect of which the Parties are Independent Controllers or Joint Controllers; and indemnifies the Buyer against any and all losses incurred if the Supplier breaches clause 14 0 or any Data Protection Legislation. The Parties acknowledge that for the purposes of the Data Protection Legislation, the nature of the activity carried out by each of them in relation to their respective obligations under the Contract dictates the status of each party under the DPA 2018. A Party may act as:

DATA PROTECTION AND SECURITY. 14.1 The Supplier must not remove any ownership or security notices in or relating to the Government Data. . 14.2 The Supplier must make accessible back-ups of all Government Data, stored in an agreed off-site location and send the Buyer copies via secure encrypted method upon reasonable request. . 14.3 The Supplier must ensure that any Supplier, Subcontractor, or Subprocessor system holding any Government Data, including back-up data, is a secure system that complies with the security requirements specified in the Order Form or otherwise in writing by the Buyer (where any such requirements have been provided). . 14.4 If at any time the Supplier suspects or has reason to believe that the Government Data is corrupted, lost or sufficiently degraded, then the Supplier must immediately notify the Buyer and suggest remedial action. . 14.5 If the Government Data is corrupted, lost or sufficiently degraded so as to be unusable the Buyer may either or both: : 14.5.1 tell the Supplier to restore or get restored Government Data as soon as practical but no later than 5 Working Days from the date that the Buyer receives notice, or the Supplier finds out about the issue, whichever is earlier; and/or and/or 14.5.2 restore the Government Data itself or using a third party. . 14.6 The Supplier must pay each Party's reasonable costs of complying with clause 14.5 unless the Buyer is at fault. . 14.7 The Supplier: 1 ▇▇▇▇▇://▇▇▇.▇▇▇.▇▇/government/publications/ppn-0223-tackling-modern-slavery-in-government-supply-chains 14.7.1 must provide the Buyer with all Government Data in an agreed format (provided it is secure and readable) within 10 Working Days of a written request; ; 14.7.2 must have documented processes to guarantee prompt availability of Government Data if the Supplier stops trading; ; 14.7.3 must securely destroy all storage media that has held Government Data at the end of life of that media using Good Industry Practice, other than in relation to Government Data which is owned or licenced by the Supplier or in respect of which the Parties are Independent Controllers or Joint Controllers; ; 14.7.4 securely erase all Government Data and any copies it holds when asked to do so by the Buyer unless required by Law to retain it, other than in relation to Government Data which is owned or licenced by the Supplier or in respect of which the Parties are Independent Controllers or Joint Controllers; and and 14.7.5 indemnifies the Buyer against any and all losses incurred if the Supplier breaches clause 14 or any Data Protection Legislation. . 14.8 The Parties acknowledge that for the purposes of the Data Protection Legislation, the nature of the activity carried out by each of them in relation to their respective obligations under the Contract dictates the status of each party under the DPA 2018. A Party may act as:

DATA PROTECTION AND SECURITY. The Supplier must not remove any ownership or security notices in or relating to the Government Data. The Supplier must make accessible back-ups of all Government Data, stored in an agreed off-site location and send the Buyer copies via secure encrypted method upon reasonable request. The Supplier must ensure that any Supplier, Subcontractor, or Subprocessor system holding any Government Data, including back-up data, is a secure system that complies with the security requirements specified in the Order Form or otherwise in writing by the Buyer (where any such requirements have been provided). If at any time the Supplier suspects or has reason to believe that the Government Data is corrupted, lost or sufficiently degraded, then the Supplier must immediately notify the Buyer and suggest remedial action. If the Government Data is corrupted, lost or sufficiently degraded so as to be unusable the Buyer may either or both: 1 ▇▇▇▇▇://▇▇▇.▇▇▇.▇▇/government/publications/ppn-0223-tackling-modern-slavery-in-government-supply-chains tell the Supplier to restore or get restored Government Data as soon as practical but no later than 5 Working Days from the date that the Buyer receives notice, or the Supplier finds out about the issue, whichever is earlier; and/or restore the Government Data itself or using a third party. The Supplier must pay each Party's reasonable costs of complying with clause 14.5 0 unless the Buyer is at fault. The Supplier: must provide the Buyer with all Government Data in an agreed format (provided it is secure and readable) within 10 Working Days of a written request; must have documented processes to guarantee prompt availability of Government Data if the Supplier stops trading; must securely destroy all storage media that has held Government Data at the end of life of that media using Good Industry Practice, other than in relation to Government Data which is owned or licenced by the Supplier or in respect of which the Parties are Independent Controllers or Joint Controllers; securely erase all Government Data and any copies it holds when asked to do so by the Buyer unless required by Law to retain it, other than in relation to Government Data which is owned or licenced by the Supplier or in respect of which the Parties are Independent Controllers or Joint Controllers; and indemnifies the Buyer against any and all losses incurred if the Supplier breaches clause 14 0 or any Data Protection Legislation. The Parties acknowledge that for the purposes of the Data Protection Legislation, the nature of the activity carried out by each of them in relation to their respective obligations under the Contract dictates the status of each party under the DPA 2018. A Party may act as:

DATA PROTECTION AND SECURITY. ‌ The Supplier must not remove any ownership or security notices in or relating to the Government Data. The Supplier must make accessible back-ups of all Government Data, stored in an agreed off-site location and send the Buyer copies via secure encrypted method upon reasonable request. The Supplier must ensure that any Supplier, Subcontractor, or Subprocessor system holding any Government Data, including back-up data, is a secure system that complies with the security requirements specified in the Order Form or otherwise in writing by the Buyer (where any such requirements have been provided). If at any time the Supplier suspects or has reason to believe that the Government Data is corrupted, lost or sufficiently degraded, then the Supplier must immediately notify the Buyer and suggest remedial action. If the Government Data is corrupted, lost or sufficiently degraded so as to be unusable the Buyer may either or both: both:‌ 1 ▇▇▇▇▇://▇▇▇.▇▇▇.▇▇/government/publications/ppn-0223-tackling-modern-slavery-in-government-supply-chains tell the Supplier to restore or get restored Government Data as soon as practical but no later than 5 Working Days from the date that the Buyer receives notice, or the Supplier finds out about the issue, whichever is earlier; and/or restore the Government Data itself or using a third party. The Supplier must pay each Party's reasonable costs of complying with clause 14.5 unless the Buyer is at fault. The Supplier: must provide the Buyer with all Government Data in an agreed format (provided it is secure and readable) within 10 Working Days of a written request; must have documented processes to guarantee prompt availability of Government Data if the Supplier stops trading; must securely destroy all storage media that has held Government Data at the end of life of that media using Good Industry Practice, other than in relation to Government Data which is owned or licenced by the Supplier or in respect of which the Parties are Independent Controllers or Joint Controllers; securely erase all Government Data and any copies it holds when asked to do so by the Buyer unless required by Law to retain it, other than in relation to Government Data which is owned or licenced by the Supplier or in respect of which the Parties are Independent Controllers or Joint Controllers; and indemnifies the Buyer against any and all losses incurred if the Supplier breaches clause 14 or any Data Protection Legislation. Legislation.‌ The Parties acknowledge that for the purposes of the Data Protection Legislation, the nature of the activity carried out by each of them in relation to their respective obligations under the Contract dictates the status of each party under the DPA 2018. A Party may act as: