Common use of Data Protection, Security and Integrity Clause in Contracts

Data Protection, Security and Integrity.

8.1 If you provide any Personal Data to us for processing as part of the Services, you will ensure that you are entitled to do so and that we may lawfully process that Personal Data on your behalf, as envisaged under this Agreement. Should you breach this obligation then you shall be fully liable to us for any costs, losses, damages, expenses and reasonable legal fees incurred or suffered by us and arising from the breach. As part of your obligations, you shall ensure that you have a suitable privacy policy or other notice in place on your Website and/or within the AI Product to comply with your obligations under Data Protection Legislation.

8.2 Both parties will comply with all applicable requirements of the Data Protection Legislation. This clause 8 is in addition to, and does not relieve, remove, or replace, a party's obligations under the Data Protection Legislation.

8.3 The parties acknowledge that for the purposes of the Data Protection Legislation, you are the Data Controller and we are the Data Processor in relation to your Personal Data provided to us for processing as part of the Services under this Agreement.

8.4 The parties shall set out in Schedule 3 the scope, nature and purpose of processing, the duration of the processing and the types of personal data (as defined in the Data Protection Legislation “Personal Data”) and categories of Data Subject.

8.5 Without prejudice to the generality of clause 8.2: (a) you will ensure that you have all necessary appropriate consents and notices in place and/or a lawful basis to enable lawful transfer of the Personal Data to us for the duration and purposes of this Agreement; and (b) we shall, in relation to any Personal Data processed in connection with our performance of our obligations under this Agreement: (i) process that Personal Data only on your documented written instructions unless processing is required by any law to which we are subject, in which case we shall, to the extent permitted by law, inform you of that legal requirement before performing the relevant processing; (ii) ensure that we have in place appropriate technical and organisational measures, reviewed and approved by you, which are designed to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected (having regard to the state of technological development and the cost of implementing any measures); (iii) ensure that all our personnel who have access to and/or process Personal Data are obliged to keep the Personal Data confidential; and (iv) not transfer any Personal Data outside of the European Economic area unless our and your obligations under the Data Protection Legislation are complied with; (c) assist you, at your cost, in responding to any request from a Data Subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators; (d) notify you without undue delay on becoming aware of a Personal Data breach; (e) at the written direction of you, delete or return Personal Data and copies thereof to you on termination of the Agreement unless required by applicable law to store the Personal Data; (f) submit to audits and inspections in relation to the processing, and provide you with whatever information it needs to ensure that we are both meeting their obligations under article 28 of GDPR; and (g) maintain complete and accurate records and information to demonstrate our compliance with this clause 8.

8.6 Where you consent to us appointing a third-party processor of Personal Data under this Agreement, then the details of the third-party processor shall be set out in Schedule 3 or a separate data processing agreement. We confirm that we will enter a written agreement with the third-party processor incorporating terms which are substantially similar to those set out in clause 8.5.

8.7 Either party may, at any time on not less than 30 days’ notice, revise this clause 8 by replacing it with any applicable controller to processor standard clauses or similar terms forming party of an applicable certification scheme (which shall apply when replaced by attachment to this Agreement) or which may form part of the United Kingdom’s divergent laws applying to the processing of personal data after it exits the European Union.

Appears in 1 contract

Sources: Subscription Agreement

Data Protection, Security and Integrity.

APPLIES / DOES NOT APPLY

The Parties shall comply with their respective obligations under the DPA, and any other applicable data protection laws and regulations (together, the "Data Protection Laws") in connection with this Agreement. The Parties acknowledge that, in respect of all Personal Data controlled and owned by the Client and Processed by the Contractor for the purpose of the provision of the Services under this Agreement: the Client alone shall determine the purposes for which and the manner in which such Personal Data will be Processed by the Contractor; the Client shall be the data controller (as defined in the Data Protection Laws); and the Contractor shall be the data processor (as defined in the Data Protection Laws).

Where, in connection with this Agreement, the Contractor Processes Personal Data on behalf of the Client as a data processor, the Contractor shall: Process the Personal Data only on the written instructions of the Client and to the extent reasonably necessary or appropriate for the performance of this Agreement; not disclose the Personal Data to any person except as required or permitted by this Agreement or with the Client's written consent; not deal in or with the Personal Data; and implement appropriate technical and organisational measures (including those specified by the Client in advance and/or under the Data Protection Laws) to protect Client Personal Data against unauthorised or unlawful processing and against accidental loss, destruction, damage, alteration or disclosure.

Subject to the Contractor’s obligation to comply with the Data Protection Laws, the Contractor acknowledges: that the Client is relying upon the Contractor's skill and knowledge in assessing what is "appropriate"; that the technical and organisational measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to Client Personal Data and having regard to the nature of Client Personal Data which is to be protected; when implementing and updating technical and organisational measures, have regard to: the sensitive nature of the personal data contained within Client Personal Data and the substantial harm which would result from the unauthorised or unlawful processing or accidental loss or destruction of or damage to such personal data; and the state of technological development and the cost of implementing such measures; ensure: the reliability and integrity of any Personnel who have access to Client Personal Data; that all Contractor Personnel involved in the Processing of Client Personal Data have undergone adequate training in the care, protection and handling of Client Personal Data; and that all such Personnel perform their duties strictly in compliance with the Data Protection Laws and this Clause 4.11 by treating such Client Personal Data as Confidential Information; and permit the Client or a Client representative, to inspect and audit the Contractor's data Processing activities (and/or those of its agents and subcontractors) and comply with all reasonable requests or directions by the Client to enable the Client to verify and/or procure that the Contractor or subcontractor (as the case may be) is in full compliance with the Data Protection Laws and their obligations under this Agreement; provide a written description of the technical and organisational methods employed by the Contractor or subcontractor (as the case may be) for Processing Client Personal Data (within the timescales required by the Client); not Process or permit the Processing of the Client Personal Data outside of the European Economic Area other than with the prior written consent of the Client, and in such case in accordance with the Data Protection Laws and Clause 4.11; where the Client consents to a transfer of Client Personal Data outside the European Economic Area: ensure that Client Personal Data continues to be Processed strictly in compliance with the Data Protection Laws and this Clause 4.11; and promptly and fully inform the Client of any circumstances (including the existence of legislation) that may prevent the Contractor from fulfilling its obligations under this Clause 4.11; and not include Personal Data in any product or service offered by the Contractor or any subcontractor (as the case may be) to third parties unless it is specifically required as part of the provision of the Services.

The Contractor will indemnify and keep fully and effectively indemnified the Client against all liabilities, costs, expenses, damages and losses (including any direct, indirect or consequential losses, loss of profit, loss of reputation and all interest, penalties and legal and other professional costs and expenses) suffered or incurred by the Client on demand (arising or incurred anywhere in the world) as a result of any breach of the Data Protection Laws or its obligations under this Clause 4.11. The Contractor shall assist the Client to comply with any obligations under the Data Protection Laws and shall not perform its obligations under this Agreement in such a way as to cause the Client to breach any of its applicable obligations under the Data Protection Laws. The Contractor acknowledges that this Clause 4.11 is of the utmost importance to the Client and that any breach may cause the Client to suffer not only financial losses but also other direct and indirect losses in use and application of the Contractor Software. The following definitions apply:

Appears in 1 contract

Sources: Agreement for the Supply of Services